cameleer/cameleer-server
1
0
Fork 0
Code Issues 41 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
554d6822c0da43bac5e3ece00ea2ff33bb50a027
cameleer-server/deploy/authentik.yaml
hsiegeln 554d6822c0
Some checks failed
CI / build (push) Successful in 1m11s
Details
CI / docker (push) Successful in 40s
Details
CI / deploy (push) Failing after 8s
Details
Add Authentik OIDC provider K8s manifests and wire deployment 
- deploy/authentik.yaml: PostgreSQL StatefulSet, Redis, Authentik
  server (NodePort 30900) and worker, all in cameleer namespace
- deploy/server.yaml: Add CAMELEER_JWT_SECRET and CAMELEER_OIDC_*
  env vars from secrets (all optional for backward compat)
- ci.yml: Create authentik-credentials and cameleer-oidc secrets,
  deploy Authentik before the server
- HOWTO.md: Authentik setup instructions, updated architecture
  diagram and Gitea secrets list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 12:45:02 +01:00

288 lines
7.1 KiB
YAML
Raw Blame History

# Authentik OIDC Provider for Cameleer
# Provides external identity management with role-based access.
#
# After deployment:
# 1. Access Authentik at http://192.168.50.86:30900/if/flow/initial-setup/
# 2. Create an admin account
# 3. Create an OAuth2/OIDC Provider + Application for Cameleer (see HOWTO.md)
# 4. Set CAMELEER_OIDC_* env vars on the server deployment
# --- PostgreSQL for Authentik ---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: authentik-postgresql
namespace: cameleer
spec:
serviceName: authentik-postgresql
replicas: 1
selector:
matchLabels:
app: authentik-postgresql
template:
metadata:
labels:
app: authentik-postgresql
spec:
containers:
- name: postgresql
image: postgres:16-alpine
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: authentik
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_PASSWORD
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
subPath: pgdata
resources:
requests:
memory: "128Mi"
cpu: "50m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
exec:
command: ["pg_isready", "-U", "authentik"]
initialDelaySeconds: 15
periodSeconds: 10
readinessProbe:
exec:
command: ["pg_isready", "-U", "authentik"]
initialDelaySeconds: 5
periodSeconds: 5
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: authentik-postgresql
namespace: cameleer
spec:
clusterIP: None
selector:
app: authentik-postgresql
ports:
- port: 5432
targetPort: 5432
# --- Redis for Authentik ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-redis
namespace: cameleer
spec:
replicas: 1
selector:
matchLabels:
app: authentik-redis
template:
metadata:
labels:
app: authentik-redis
spec:
containers:
- name: redis
image: redis:7-alpine
command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
ports:
- containerPort: 6379
volumeMounts:
- name: data
mountPath: /data
resources:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "250m"
livenessProbe:
exec:
command: ["redis-cli", "ping"]
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
exec:
command: ["redis-cli", "ping"]
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: authentik-redis
namespace: cameleer
spec:
selector:
app: authentik-redis
ports:
- port: 6379
targetPort: 6379
# --- Authentik Server ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-server
namespace: cameleer
spec:
replicas: 1
selector:
matchLabels:
app: authentik-server
template:
metadata:
labels:
app: authentik-server
spec:
containers:
- name: server
image: ghcr.io/goauthentik/server:2024.12
args: ["server"]
ports:
- containerPort: 9000
name: http
- containerPort: 9443
name: https
env:
- name: AUTHENTIK_POSTGRESQL__HOST
value: authentik-postgresql
- name: AUTHENTIK_POSTGRESQL__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_USER
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_PASSWORD
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-credentials
key: AUTHENTIK_SECRET_KEY
resources:
requests:
memory: "512Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
livenessProbe:
httpGet:
path: /-/health/live/
port: 9000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
readinessProbe:
httpGet:
path: /-/health/ready/
port: 9000
initialDelaySeconds: 15
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
name: authentik
namespace: cameleer
spec:
type: NodePort
selector:
app: authentik-server
ports:
- port: 9000
targetPort: 9000
nodePort: 30900
name: http
- port: 9443
targetPort: 9443
nodePort: 30943
name: https
# --- Authentik Worker ---
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-worker
namespace: cameleer
spec:
replicas: 1
selector:
matchLabels:
app: authentik-worker
template:
metadata:
labels:
app: authentik-worker
spec:
containers:
- name: worker
image: ghcr.io/goauthentik/server:2024.12
args: ["worker"]
env:
- name: AUTHENTIK_POSTGRESQL__HOST
value: authentik-postgresql
- name: AUTHENTIK_POSTGRESQL__NAME
value: authentik
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_USER
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-credentials
key: PG_PASSWORD
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-credentials
key: AUTHENTIK_SECRET_KEY
resources:
requests:
memory: "256Mi"
cpu: "50m"
limits:
memory: "512Mi"
cpu: "500m"
Reference in New Issue View Git Blame Copy Permalink