
updated authentik deployment

Christian Lempa 1 gadu atpakaļ
vecāks
revīzija
742c603f27

+ 73 - 53
docker-compose/authentik/compose.yaml

@@ -1,35 +1,5 @@
 ---
 services:
-  postgres:
-    image: docker.io/library/postgres:16.6
-    container_name: authentik-db
-    environment:
-      - POSTGRES_USER=${POSTGRES_USER:-authentik}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?error}
-      - POSTGRES_DB=${POSTGRES_DB:-authentik}
-      - TZ=${TZ:-UTC}
-    healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U "${POSTGRES_USER:-authentik}"']
-      start_period: 30s
-      interval: 10s
-      timeout: 10s
-      retries: 5
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-    restart: unless-stopped
-  redis:
-    image: docker.io/library/redis:7.4.2
-    container_name: authentik-redis
-    command: --save 60 1 --loglevel warning
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 3s
-    volumes:
-      - redis_data:/data
-    restart: unless-stopped
   server:
     image: ghcr.io/goauthentik/server:2024.12.2
     container_name: authentik-server
@@ -44,19 +14,33 @@ services:
       #             echo $(openssl rand -base64 32)
       - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?error}
       # (Optional)  Enable Error Reporting
-      # - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
       # (Optional)  Enable Email Sending
-      # - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
-      # - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
-      # - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
-      # - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
-      # - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
-      # - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
-      # - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
-      # - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
+      #             Highly recommended to notify you about alerts and configuration issues. 
+      - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
+      - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
+      - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
+      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
+      - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
+      - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
+      - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
+      - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
     ports:
+      # (Optional)  Remove these, if you're using a reverse proxy like Traefik.
       - 9000:9000
       - 9443:9443
+    labels:
+      # (Optional)  Enable Traefik integration for the Authentik Web UI. For more information
+      #             about integrating other services with Traefik and Authentik, see the
+      #             documentation at https://goauthentik.io/docs/outposts/integrations/traefik
+      #             and the middleware example files in `docker-compose/traefik/config`.
+      - traefik.enable=true
+      - traefik.http.services.authentik.loadbalancer.server.port=9000
+      - traefik.http.services.authentik.loadbalancer.server.scheme=http
+      - traefik.http.routers.authentik.entrypoints=websecure
+      - traefik.http.routers.authentik.rule=Host(`your-authentik-fqdn`)
+      - traefik.http.routers.authentik.tls=true
+      - traefik.http.routers.authentik.tls.certresolver=cloudflare
     volumes:
       - ./media:/media
       - ./custom-templates:/templates
@@ -64,6 +48,7 @@ services:
       - postgres
       - redis
     restart: unless-stopped
+
   worker:
     image: ghcr.io/goauthentik/server:2024.12.2
     container_name: authentik-worker
@@ -78,23 +63,22 @@ services:
       #             echo $(openssl rand -base64 32)
       - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?error}
       # (Optional)  Enable Error Reporting
-      # - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
       # (Optional)  Enable Email Sending
-      # - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
-      # - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
-      # - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
-      # - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
-      # - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
-      # - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
-      # - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
-      # - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
-    # (Optional)  When using the docker socket integration
-    #             See more for the docker socket integration here:
+      #             Highly recommended to notify you about alerts and configuration issues. 
+      - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
+      - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
+      - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
+      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
+      - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
+      - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
+      - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
+      - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
+    # (Optional)  See more for the docker socket integration here:
     #             https://goauthentik.io/docs/outposts/integrations/docker
-    # user: root
+    user: root
     volumes:
-      # (Optional)  When using the docker socket integration
-      # - /run/docker.sock:/run/docker.sock
+      - /run/docker.sock:/run/docker.sock
       - ./media:/media
       - ./certs:/certs
       - ./custom-templates:/templates
@@ -103,6 +87,42 @@ services:
       - redis
     restart: unless-stopped
 
+  redis:
+    image: docker.io/library/redis:7.4.2
+    container_name: authentik-redis
+    command: --save 60 1 --loglevel warning
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis_data:/data
+    restart: unless-stopped
+
+  postgres:
+    # (Optional) Add a PostgreSQL Database for Authentik
+    #   Alternatively, you can host your PostgreSQL database externally, and
+    #   change the connection settings in the `authentik-server` and
+    #   `authentik-worker`.
+    image: docker.io/library/postgres:17.2
+    container_name: authentik-db
+    environment:
+      - POSTGRES_USER=${POSTGRES_USER:-authentik}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?error}
+      - POSTGRES_DB=${POSTGRES_DB:-authentik}
+      - TZ=${TZ:-UTC}
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U "${POSTGRES_USER:-authentik}"']
+      start_period: 30s
+      interval: 10s
+      timeout: 10s
+      retries: 5
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    restart: unless-stopped
+
 volumes:
   postgres_data:
     driver: local
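Review bot: The worker hunk makes `user: root` (L129) and the `/run/docker.sock` bind mount (L133) unconditional, whereas the previous revision kept both commented out under the "(Optional) When using the docker socket integration" note that this commit also drops. A container running as root with the Docker socket mounted can drive the host's Docker daemon, which is effectively host-level privilege, so every deployment from this file now carries that exposure even when the docker outpost integration is not used. I would keep the opt-in shape, or at least restore the caveat above L126, e.g. `# (Optional)  Only needed for the docker socket integration; it gives the worker control of the` / `#             host Docker daemon — comment out user: root and the socket mount otherwise.` Separately, in both the server and worker hunks the email variables are now active with `${EMAIL_HOST:?error}`, `${EMAIL_USERNAME:?error}`, `${EMAIL_PASSWORD:?error}` and `${EMAIL_FROM:?error}` (L65-L72, L118-L125), so `docker compose up` refuses to start unless all four are set, which contradicts the "(Optional)" heading directly above them; either label them required or give the optional ones `:-` defaults.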

+ 12 - 0
kubernetes/authentik/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: your-authentik-certificate
+  namespace: authentik
+spec:
+  secretName: your-authentik-tls-secret
+  issuerRef:
+    name: cloudflare-clusterissuer
+    kind: ClusterIssuer
+  dnsNames:
+    - your-authentik-fqdn
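Review bot: `spec.secretName` (L191) and `dnsNames` (L196) are coupled to values elsewhere in this commit — `tls.secretName` in ingressroute.yaml and helm/values.yaml, and the Host() rule in ingressroute.yaml — but nothing in the file says so, so a user who renames one placeholder and not the others likely ends up with Traefik serving its default certificate instead of the issued one. Add a comment above `secretName:` such as `# must match spec.tls.secretName in ingressroute.yaml (or server.ingress.tls.secretName in helm/values.yaml)` and above `dnsNames:` `# must match the Host() rule in ingressroute.yaml`. The issuer `cloudflare-clusterissuer` (L193) is likewise assumed to exist already; a one-line note saying where it is defined would help.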

+ 21 - 0
kubernetes/authentik/example.middleware.yaml

@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: service-middleware
+  namespace: service-namespace
+spec:
+  forwardAuth:
+    address: "http://your-authentik-outpost-name.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
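Review bot: `trustForwardHeader: true` (L210) makes Traefik pass the client-supplied `X-Forwarded-*` headers through to the outpost unchanged, so the outpost's view of the original host and URI is only as trustworthy as what reaches this entrypoint; this matches authentik's documented forwardAuth setup, but the file should state that it presumes Traefik is the edge proxy (or that the entrypoint restricts which sources' forwarded headers are trusted). A comment above `forwardAuth:` like `# trustForwardHeader forwards client X-Forwarded-* headers to the outpost; only appropriate when Traefik is the first hop or trusted forwarded-header sources are restricted on the entrypoint` would capture that. The `address` on L209 also hard-codes the `your-authentik-outpost-name` placeholder and the `authentik` namespace with no explanation; note that it should be the in-cluster Service name of the outpost the protected application is assigned to (confirm against the deployed outpost), and that the `service-namespace` placeholder on L206 must be a namespace from which the referencing IngressRoute can use the Middleware.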

+ 45 - 0
kubernetes/authentik/helm/values.yaml

@@ -0,0 +1,45 @@
+global:
+  image: 
+    repository: "ghcr.io/goauthentik/server"
+    tag: "2024.12.2"
+    pullPolicy: IfNotPresent
+authentik:
+  # (Required)  To generate a secret key run the following command:
+  #             echo $(openssl rand -base64 32)
+  secret_key: ""
+  postgresql:
+    host: ""
+    name: ""
+    user: ""
+    password: ""
+    port: 5432
+  email:
+    # (Optional)  Enable Email Sending
+    #             Highly recommended to notify you about alerts and configuration issues. 
+    host: ""
+    port: 587
+    username: ""
+    password: ""
+    use_tls: true
+    from: ""
+  error_reporting:
+    enabled: true
+  log_level: error
+server:
+  ingress:
+    # (Optional)  If you want to securely expose Authentik in Traefik you can enable the
+    #             Ingress settings, alternatively, you can use the template in the
+    #             `authentik/ingressroute.yaml` file to create an IngressRoute.
+    ingressClassName: traefik
+    enabled: true
+    hosts:
+      - your-authentik-fqdn
+    tls:
+      - hosts:
+          - your-authentik-fqdn
+        # (Optional)  If you want to use a custom TLS secret you can specify it here.
+        secretName: your-authentik-tls-secret
+postgresql:
+  enabled: false
+redis:
+  enabled: true
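Review bot: `secret_key: ""` (L236), `postgresql.password: ""` (L241) and `email.password: ""` (L249) are plain-text fields in a values file that ships with the repo, so anyone who fills them in where they stand puts live credentials into VCS history. Add a comment above `secret_key:` such as `# Do not commit real values here; supply secrets from an untracked values file or --set at install time`, and, if the chart version in use supports referencing an existing Secret for these, name that as the preferred route. Two defaults also diverge from compose.yaml in the same commit without comment: `error_reporting.enabled: true` (L253) opts this deployment into sending error reports upstream where compose defaults `AUTHENTIK_ERROR_REPORTING` to `false`, and `email.port: 587` with `use_tls: true` differs from the compose default of port 25 with TLS off. Finally, `image: ` on L229 and the email comment on L245 carry trailing whitespace.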

+ 17 - 0
kubernetes/authentik/ingressroute.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`your-authentik-fqdn`)
+      kind: Rule
+      services:
+        - name: authentik-server
+          port: 80
+  tls:
+    # (Optional)  If you want to use a custom TLS secret you can specify it here.
+    secretName: your-authentik-tls-secret
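Review bot: `port: 80` for `authentik-server` (L291) is the Service port the Helm chart is expected to expose, not the container port 9000 used in compose.yaml, and nothing on the page shows that Service, so a comment like `# Service port of authentik-server as created by the Helm chart (not container port 9000) — verify against the chart's Service definition` would save the next reader a mismatch. The `tls:` block (L292-L294) references `your-authentik-tls-secret` and the comment calls it optional, but if the secret is absent Traefik will likely fall back to its default certificate rather than fail, so the comment should say what happens when `secretName` is omitted.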

+ 4 - 0
kubernetes/authentik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik