diff --git a/deploy/authentik.yaml b/deploy/authentik.yaml deleted file mode 100644 index 7d358068..00000000 --- a/deploy/authentik.yaml +++ /dev/null 
@@ -1,287 +0,0 @@ -# Authentik OIDC Provider for Cameleer -# Provides external identity management with role-based access. -# -# After deployment: -# 1. Access Authentik at http://192.168.50.86:30950/if/flow/initial-setup/ -# 2. Create an admin account -# 3. Create an OAuth2/OIDC Provider + Application for Cameleer (see HOWTO.md) -# 4. Set CAMELEER_OIDC_* env vars on the server deployment - -# --- PostgreSQL for Authentik --- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: authentik-postgresql - namespace: cameleer -spec: - serviceName: authentik-postgresql - replicas: 1 - selector: - matchLabels: - app: authentik-postgresql - template: - metadata: - labels: - app: authentik-postgresql - spec: - containers: - - name: postgresql - image: postgres:16-alpine - ports: - - containerPort: 5432 - env: - - name: POSTGRES_DB - value: authentik - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_USER - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_PASSWORD - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - subPath: pgdata - resources: - requests: - memory: "128Mi" - cpu: "50m" - limits: - memory: "512Mi" - cpu: "500m" - livenessProbe: - exec: - command: ["pg_isready", "-U", "authentik"] - initialDelaySeconds: 15 - periodSeconds: 10 - readinessProbe: - exec: - command: ["pg_isready", "-U", "authentik"] - initialDelaySeconds: 5 - periodSeconds: 5 - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: Service -metadata: - name: authentik-postgresql - namespace: cameleer -spec: - clusterIP: None - selector: - app: authentik-postgresql - ports: - - port: 5432 - targetPort: 5432 - -# --- Redis for Authentik --- ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-redis - namespace: cameleer -spec: - replicas: 1 - selector: - matchLabels: - 
app: authentik-redis - template: - metadata: - labels: - app: authentik-redis - spec: - containers: - - name: redis - image: redis:7-alpine - command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"] - ports: - - containerPort: 6379 - volumeMounts: - - name: data - mountPath: /data - resources: - requests: - memory: "64Mi" - cpu: "25m" - limits: - memory: "256Mi" - cpu: "250m" - livenessProbe: - exec: - command: ["redis-cli", "ping"] - initialDelaySeconds: 10 - periodSeconds: 10 - readinessProbe: - exec: - command: ["redis-cli", "ping"] - initialDelaySeconds: 5 - periodSeconds: 5 - volumes: - - name: data - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: authentik-redis - namespace: cameleer -spec: - selector: - app: authentik-redis - ports: - - port: 6379 - targetPort: 6379 - -# --- Authentik Server --- ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-server - namespace: cameleer -spec: - replicas: 1 - selector: - matchLabels: - app: authentik-server - template: - metadata: - labels: - app: authentik-server - spec: - containers: - - name: server - image: ghcr.io/goauthentik/server:2024.12 - args: ["server"] - ports: - - containerPort: 9000 - name: http - - containerPort: 9443 - name: https - env: - - name: AUTHENTIK_POSTGRESQL__HOST - value: authentik-postgresql - - name: AUTHENTIK_POSTGRESQL__NAME - value: authentik - - name: AUTHENTIK_POSTGRESQL__USER - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_USER - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_PASSWORD - - name: AUTHENTIK_REDIS__HOST - value: authentik-redis - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - name: authentik-credentials - key: AUTHENTIK_SECRET_KEY - resources: - requests: - memory: "512Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1000m" - livenessProbe: - httpGet: - path: /-/health/live/ - port: 9000 - initialDelaySeconds: 30 - 
periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /-/health/ready/ - port: 9000 - initialDelaySeconds: 15 - periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 3 ---- -apiVersion: v1 -kind: Service -metadata: - name: authentik - namespace: cameleer -spec: - type: NodePort - selector: - app: authentik-server - ports: - - port: 9000 - targetPort: 9000 - nodePort: 30950 - name: http - - port: 9443 - targetPort: 9443 - nodePort: 30943 - name: https - -# --- Authentik Worker --- ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authentik-worker - namespace: cameleer -spec: - replicas: 1 - selector: - matchLabels: - app: authentik-worker - template: - metadata: - labels: - app: authentik-worker - spec: - containers: - - name: worker - image: ghcr.io/goauthentik/server:2024.12 - args: ["worker"] - env: - - name: AUTHENTIK_POSTGRESQL__HOST - value: authentik-postgresql - - name: AUTHENTIK_POSTGRESQL__NAME - value: authentik - - name: AUTHENTIK_POSTGRESQL__USER - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_USER - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: authentik-credentials - key: PG_PASSWORD - - name: AUTHENTIK_REDIS__HOST - value: authentik-redis - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - name: authentik-credentials - key: AUTHENTIK_SECRET_KEY - resources: - requests: - memory: "256Mi" - cpu: "50m" - limits: - memory: "512Mi" - cpu: "500m" diff --git a/deploy/logto.yaml b/deploy/logto.yaml new file mode 100644 index 00000000..774dc7c8 --- /dev/null +++ b/deploy/logto.yaml 
@@ -0,0 +1,181 @@ +# Logto OIDC Provider for Cameleer +# Provides external identity management with OAuth2/OIDC. +# +# After deployment: +# 1. Access Logto admin console at http://192.168.50.86:30952 +# 2. Complete initial setup (create admin account) +# 3. Create an Application for Cameleer (see HOWTO.md) +# 4. Create an API Resource with scopes (admin, operator, viewer) +# 5. Create an M2M Application for the SaaS platform + +# --- PostgreSQL for Logto --- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: logto-postgresql + namespace: cameleer +spec: + serviceName: logto-postgresql + replicas: 1 + selector: + matchLabels: + app: logto-postgresql + template: + metadata: + labels: + app: logto-postgresql + spec: + containers: + - name: postgresql + image: postgres:16-alpine + ports: + - containerPort: 5432 + env: + - name: POSTGRES_DB + value: logto + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: logto-credentials + key: PG_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: logto-credentials + key: PG_PASSWORD + volumeMounts: + - name: data + mountPath: /var/lib/postgresql/data + subPath: pgdata + resources: + requests: + memory: "128Mi" + cpu: "50m" + limits: + memory: "512Mi" + cpu: "500m" + livenessProbe: + exec: + command: ["pg_isready"] + initialDelaySeconds: 15 + periodSeconds: 10 + readinessProbe: + exec: + command: ["pg_isready"] + initialDelaySeconds: 5 + periodSeconds: 5 + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: logto-postgresql + namespace: cameleer +spec: + clusterIP: None + selector: + app: logto-postgresql + ports: + - port: 5432 + targetPort: 5432 + +# --- Logto Server --- +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logto + namespace: cameleer +spec: + replicas: 1 + selector: + matchLabels: + app: logto + template: + metadata: + labels: + app: logto 
+ spec: + containers: + - name: logto + image: ghcr.io/logto-io/logto:latest + command: ["sh", "-c", "npm run cli db seed -- --swe && npm start"] + ports: + - containerPort: 3001 + name: api + - containerPort: 3002 + name: admin + env: + - name: TRUST_PROXY_HEADER + value: "1" + - name: DB_URL + value: "postgresql://$(PG_USER):$(PG_PASSWORD)@logto-postgresql:5432/logto" + - name: ENDPOINT + valueFrom: + secretKeyRef: + name: logto-credentials + key: ENDPOINT + - name: ADMIN_ENDPOINT + valueFrom: + secretKeyRef: + name: logto-credentials + key: ADMIN_ENDPOINT + - name: PG_USER + valueFrom: + secretKeyRef: + name: logto-credentials + key: PG_USER + - name: PG_PASSWORD + valueFrom: + secretKeyRef: + name: logto-credentials + key: PG_PASSWORD + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" + livenessProbe: + httpGet: + path: /api/status + port: 3001 + initialDelaySeconds: 60 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /api/status + port: 3001 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 +--- +apiVersion: v1 +kind: Service +metadata: + name: logto + namespace: cameleer +spec: + type: NodePort + selector: + app: logto + ports: + - port: 3001 + targetPort: 3001 + nodePort: 30951 + name: api + - port: 3002 + targetPort: 3002 + nodePort: 30952 + name: admin
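Review bot: `DB_URL` in the logto container's env list references `$(PG_USER)` and `$(PG_PASSWORD)`, but both variables are declared after it; Kubernetes expands `$(VAR)` only against variables defined earlier in the same list, so the connection string is passed with the literal placeholders and the database login cannot succeed. Move the two `secretKeyRef` entries for `PG_USER` and `PG_PASSWORD` above `DB_URL`, and note that a password containing URL-reserved characters would still need percent-encoding, which plain `$(VAR)` substitution does not do. The image is `ghcr.io/logto-io/logto:latest`, whereas the removed authentik manifest pinned `2024.12`; because the start command also runs `db seed` on every boot, an unpinned tag means an unreviewed upgrade can migrate the schema, so pin it, e.g. `image: ghcr.io/logto-io/logto:<pinned version>`. `TRUST_PROXY_HEADER` is set to `"1"` while the Service exposes ports 3001/3002 directly as NodePorts with no proxy in this manifest, so any client can supply forwarded headers that Logto will trust; keep it only if a reverse proxy that overwrites those headers fronts the node ports, otherwise drop it.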