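# Authentik OIDC Provider for Cameleer
# Provides external identity management with role-based access.
#
# Prerequisite (NOT created by this file): a Secret named
# `authentik-credentials` in namespace `cameleer` holding the keys
# PG_USER, PG_PASSWORD and AUTHENTIK_SECRET_KEY. Every workload below
# reads it via secretKeyRef, so applying this manifest without it leaves
# the containers in CreateContainerConfigError until the Secret exists.
#
# After deployment:
# 1. Access Authentik at http://192.168.50.86:30900/if/flow/initial-setup/
#    NodePort 30900 maps to container port 9000 (named `http`); port 9443
#    (named `https`) is exposed on NodePort 30943. Completing the initial
#    setup over plaintext sends the bootstrap admin password unencrypted
#    across the node network, so prefer the TLS port or a TLS-terminating
#    ingress anywhere other than an isolated lab LAN.
# 2. Create an admin account
# 3. Create an OAuth2/OIDC Provider + Application for Cameleer (see HOWTO.md)
# 4. Set CAMELEER_OIDC_* env vars on the server deployment
#
# Network exposure: the PostgreSQL (headless) and Redis (ClusterIP) Services
# are reachable from any pod in the cluster, and Redis runs without
# authentication. No NetworkPolicy is defined in this file; restricting
# both Services to the authentik-server / authentik-worker pods is the
# recommended mitigation.

# --- PostgreSQL for Authentik ---
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authentik-postgresql
  namespace: cameleer
spec:
  serviceName: authentik-postgresql
  replicas: 1
  selector:
    matchLabels:
      app: authentik-postgresql
  template:
    metadata:
      labels:
        app: authentik-postgresql
    spec:
      # The database never talks to the Kubernetes API; do not hand it a
      # service-account token that a compromised container could reuse.
      automountServiceAccountToken: false
      containers:
        - name: postgresql
          image: postgres:16-alpine
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: authentik
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_PASSWORD
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
              # Mount a subdirectory so the volume's lost+found does not
              # land inside PGDATA.
              subPath: pgdata
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # pg_isready only checks that the server answers a startup packet;
          # it does not authenticate, so the hard-coded user need not match
          # PG_USER.
          livenessProbe:
            exec:
              command: ["pg_isready", "-U", "authentik"]
            initialDelaySeconds: 15
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "authentik"]
            initialDelaySeconds: 5
            periodSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: authentik-postgresql
  namespace: cameleer
spec:
  # Headless: the StatefulSet pod is addressed directly via DNS.
  clusterIP: None
  selector:
    app: authentik-postgresql
  ports:
    - port: 5432
      targetPort: 5432

# --- Redis for Authentik ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-redis
  namespace: cameleer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-redis
  template:
    metadata:
      labels:
        app: authentik-redis
    spec:
      # Redis has no use for the Kubernetes API either.
      automountServiceAccountToken: false
      containers:
        - name: redis
          image: redis:7-alpine
          # Snapshot every 60s if at least one key changed. The backing
          # volume is an emptyDir, so the snapshot only survives container
          # restarts, not pod rescheduling. No password is configured:
          # anything that can reach the Service can read Authentik's cache
          # and session data (see the network-exposure note at the top).
          command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
          ports:
            - containerPort: 6379
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: "64Mi"
              cpu: "25m"
            limits:
              memory: "256Mi"
              cpu: "250m"
          livenessProbe:
            exec:
              command: ["redis-cli", "ping"]
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            exec:
              command: ["redis-cli", "ping"]
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: data
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: authentik-redis
  namespace: cameleer
spec:
  selector:
    app: authentik-redis
  ports:
    - port: 6379
      targetPort: 6379

# --- Authentik Server ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: cameleer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-server
  template:
    metadata:
      labels:
        app: authentik-server
    spec:
      # Service-account token left at the default here: Authentik can use
      # in-cluster credentials to manage outposts. TODO(review): confirm
      # whether that integration is used; if not, set
      # automountServiceAccountToken: false on server and worker.
      containers:
        - name: server
          image: ghcr.io/goauthentik/server:2024.12
          args: ["server"]
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
          env:
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: authentik-postgresql
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_USER
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_PASSWORD
            - name: AUTHENTIK_REDIS__HOST
              value: authentik-redis
            # Signing key for cookies/sessions; must be identical on server
            # and worker, and rotating it invalidates active sessions.
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: AUTHENTIK_SECRET_KEY
          resources:
            requests:
              memory: "512Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            initialDelaySeconds: 15
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
  name: authentik
  namespace: cameleer
spec:
  # NodePort publishes both ports on every node's IP; see the header note
  # on plaintext HTTP before using 30900 outside a lab network.
  type: NodePort
  selector:
    app: authentik-server
  ports:
    - port: 9000
      targetPort: 9000
      nodePort: 30900
      name: http
    - port: 9443
      targetPort: 9443
      nodePort: 30943
      name: https

# --- Authentik Worker ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: cameleer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-worker
  template:
    metadata:
      labels:
        app: authentik-worker
    spec:
      containers:
        - name: worker
          image: ghcr.io/goauthentik/server:2024.12
          args: ["worker"]
          # Same database/Redis/secret-key configuration as the server; the
          # worker runs background tasks and exposes no ports.
          env:
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: authentik-postgresql
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_USER
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: PG_PASSWORD
            - name: AUTHENTIK_REDIS__HOST
              value: authentik-redis
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-credentials
                  key: AUTHENTIK_SECRET_KEY
          resources:
            requests:
              memory: "256Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"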