infra/stacks/platform/modules/authentik/main.tf

variable "tls_secret_name" {}
variable "secret_key" {}
variable "postgres_password" {}
variable "tier" { type = string }
variable "redis_host" { type = string }
variable "homepage_token" {
  type      = string
  default   = ""
  sensitive = true
}


module "tls_secret" {
  source          = "../../../../modules/kubernetes/setup_tls_secret"
  namespace       = kubernetes_namespace.authentik.metadata[0].name
  tls_secret_name = var.tls_secret_name
}

resource "kubernetes_namespace" "authentik" {
  metadata {
    name = "authentik"
    labels = {
      tier                               = var.tier
      "resource-governance/custom-quota" = "true"
    }
  }
}

resource "kubernetes_resource_quota" "authentik" {
  metadata {
    name      = "authentik-quota"
    namespace = kubernetes_namespace.authentik.metadata[0].name
  }
  spec {
    hard = {
      "requests.cpu"    = "16"
      "requests.memory" = "16Gi"
      "limits.cpu"      = "48"
      "limits.memory"   = "96Gi"
      pods              = "50"
    }
  }
}

resource "helm_release" "authentik" {
  namespace        = kubernetes_namespace.authentik.metadata[0].name
  create_namespace = true
  name             = "goauthentik"

  repository = "https://charts.goauthentik.io/"
  chart      = "authentik"
  # version    = "2025.8.1"
  version = "2025.10.3"
  atomic  = true
  timeout = 6000

  values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })]
}


module "ingress" {
  source          = "../../../../modules/kubernetes/ingress_factory"
  namespace       = kubernetes_namespace.authentik.metadata[0].name
  name            = "authentik"
  service_name    = "goauthentik-server"
  tls_secret_name = var.tls_secret_name
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Authentik"
    "gethomepage.dev/description"  = "Identity provider"
    "gethomepage.dev/icon"         = "authentik.png"
    "gethomepage.dev/group"        = "Identity & Security"
    "gethomepage.dev/pod-selector" = ""
    "gethomepage.dev/widget.type"  = "authentik"
    "gethomepage.dev/widget.url"   = "http://goauthentik-server.authentik.svc.cluster.local"
    "gethomepage.dev/widget.key"   = var.homepage_token
  }
}

module "ingress-outpost" {
  source          = "../../../../modules/kubernetes/ingress_factory"
  namespace       = kubernetes_namespace.authentik.metadata[0].name
  name            = "authentik-outpost"
  host            = "authentik"
  service_name    = "ak-outpost-authentik-embedded-outpost"
  port            = 9000
  ingress_path    = ["/outpost.goauthentik.io"]
  tls_secret_name = var.tls_secret_name
}
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`variable "tls_secret_name" {}`
			`variable "secret_key" {}`
			`variable "postgres_password" {}`
add tier to all deployments [ci skip] 2026-01-10 16:28:12 +00:00			`variable "tier" { type = string }`
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules 2026-02-23 22:05:28 +00:00			`variable "redis_host" { type = string }`
[ci skip] add Homepage widget credentials for Authentik, Shlink, Home Assistant Wire homepage_credentials tokens through platform stack to enable live widgets for Authentik, Shlink (URL shortener), and Home Assistant London. Update SOPS with new credential entries. 2026-03-07 16:47:10 +00:00			`variable "homepage_token" {`
			`type = string`
			`default = ""`
			`sensitive = true`
			`}`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00

			`module "tls_secret" {`
[ci skip] Move Terraform modules into stack directories Move all 88 service modules (66 individual + 22 platform) from modules/kubernetes/<service>/ into their corresponding stack directories: - Service stacks: stacks/<service>/module/ - Platform stack: stacks/platform/modules/<service>/ This collocates module source code with its Terragrunt definition. Only shared utility modules remain in modules/kubernetes/: ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy. All cross-references to shared modules updated to use correct relative paths. Verified with terragrunt run --all -- plan: 0 adds, 0 destroys across all 68 stacks. 2026-02-22 14:38:14 +00:00			`source = "../../../../modules/kubernetes/setup_tls_secret"`
replace hardcoded namespace with module reference [ci skip] 2025-12-29 10:23:42 +00:00			`namespace = kubernetes_namespace.authentik.metadata[0].name`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`tls_secret_name = var.tls_secret_name`
			`}`

			`resource "kubernetes_namespace" "authentik" {`
			`metadata {`
			`name = "authentik"`
add tier to all deployments [ci skip] 2026-01-10 16:28:12 +00:00			`labels = {`
[ci skip] Flatten module wrappers into stack roots Remove the module "xxx" { source = "./module" } indirection layer from all 66 service stacks. Resources are now defined directly in each stack's main.tf instead of through a wrapper module. - Merge module/main.tf contents into stack main.tf - Apply variable replacements (var.tier -> local.tiers.X, renamed vars) - Fix shared module paths (one fewer ../ at each level) - Move extra files/dirs (factory/, chart_values, subdirs) to stack root - Update state files to strip module.<name>. prefix - Update CLAUDE.md to reflect flat structure Verified: terragrunt plan shows 0 add, 0 destroy across all stacks. 2026-02-22 15:13:55 +00:00			`tier = var.tier`
[ci skip] Add custom resource quota for authentik namespace Authentik runs ~10 pods (3 server + 3 worker + 3 pgbouncer + outpost) which exceeds the default tier-1-cluster quota limits. Add custom-quota label to opt out of Kyverno-generated quotas and define a Terraform-managed ResourceQuota with limits appropriate for authentik's workload. 2026-02-21 23:44:05 +00:00			`"resource-governance/custom-quota" = "true"`
			`}`
			`}`
			`}`

			`resource "kubernetes_resource_quota" "authentik" {`
			`metadata {`
			`name = "authentik-quota"`
			`namespace = kubernetes_namespace.authentik.metadata[0].name`
			`}`
			`spec {`
			`hard = {`
[ci skip] Increase authentik ResourceQuota limits Authentik is a critical auth service that was at 83% CPU/memory quota utilization. Double all limits to prevent throttling. 2026-02-22 17:28:41 +00:00			`"requests.cpu" = "16"`
			`"requests.memory" = "16Gi"`
			`"limits.cpu" = "48"`
			`"limits.memory" = "96Gi"`
			`pods = "50"`
add tier to all deployments [ci skip] 2026-01-10 16:28:12 +00:00			`}`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`}`
			`}`

			`resource "helm_release" "authentik" {`
replace hardcoded namespace with module reference [ci skip] 2025-12-29 10:23:42 +00:00			`namespace = kubernetes_namespace.authentik.metadata[0].name`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`create_namespace = true`
			`name = "goauthentik"`

			`repository = "https://charts.goauthentik.io/"`
			`chart = "authentik"`
add debug option in authentik helm [ci skip] 2025-12-28 20:03:37 +00:00			`# version = "2025.8.1"`
			`version = "2025.10.3"`
			`atomic = true`
			`timeout = 6000`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules 2026-02-23 22:05:28 +00:00			`values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })]`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`}`


[ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. 2026-02-10 21:11:46 +00:00			`module "ingress" {`
[ci skip] Move Terraform modules into stack directories Move all 88 service modules (66 individual + 22 platform) from modules/kubernetes/<service>/ into their corresponding stack directories: - Service stacks: stacks/<service>/module/ - Platform stack: stacks/platform/modules/<service>/ This collocates module source code with its Terragrunt definition. Only shared utility modules remain in modules/kubernetes/: ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy. All cross-references to shared modules updated to use correct relative paths. Verified with terragrunt run --all -- plan: 0 adds, 0 destroys across all 68 stacks. 2026-02-22 14:38:14 +00:00			`source = "../../../../modules/kubernetes/ingress_factory"`
[ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. 2026-02-10 21:11:46 +00:00			`namespace = kubernetes_namespace.authentik.metadata[0].name`
			`name = "authentik"`
			`service_name = "goauthentik-server"`
			`tls_secret_name = var.tls_secret_name`
[ci skip] add Homepage gethomepage.dev annotations to all services Add Kubernetes ingress annotations for Homepage auto-discovery across ~88 services organized into 11 groups. Enable serviceAccount for RBAC, configure group layouts, and add Grafana/Frigate/Speedtest widgets. 2026-03-07 16:41:36 +00:00			`extra_annotations = {`
			`"gethomepage.dev/enabled" = "true"`
			`"gethomepage.dev/name" = "Authentik"`
			`"gethomepage.dev/description" = "Identity provider"`
			`"gethomepage.dev/icon" = "authentik.png"`
			`"gethomepage.dev/group" = "Identity & Security"`
			`"gethomepage.dev/pod-selector" = ""`
[ci skip] add Homepage widget credentials for Authentik, Shlink, Home Assistant Wire homepage_credentials tokens through platform stack to enable live widgets for Authentik, Shlink (URL shortener), and Home Assistant London. Update SOPS with new credential entries. 2026-03-07 16:47:10 +00:00			`"gethomepage.dev/widget.type" = "authentik"`
			`"gethomepage.dev/widget.url" = "http://goauthentik-server.authentik.svc.cluster.local"`
			`"gethomepage.dev/widget.key" = var.homepage_token`
[ci skip] add Homepage gethomepage.dev annotations to all services Add Kubernetes ingress annotations for Homepage auto-discovery across ~88 services organized into 11 groups. Enable serviceAccount for RBAC, configure group layouts, and add Grafana/Frigate/Speedtest widgets. 2026-03-07 16:41:36 +00:00			`}`
[ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. 2026-02-10 21:11:46 +00:00			`}`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00
[ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. 2026-02-10 21:11:46 +00:00			`module "ingress-outpost" {`
[ci skip] Move Terraform modules into stack directories Move all 88 service modules (66 individual + 22 platform) from modules/kubernetes/<service>/ into their corresponding stack directories: - Service stacks: stacks/<service>/module/ - Platform stack: stacks/platform/modules/<service>/ This collocates module source code with its Terragrunt definition. Only shared utility modules remain in modules/kubernetes/: ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy. All cross-references to shared modules updated to use correct relative paths. Verified with terragrunt run --all -- plan: 0 adds, 0 destroys across all 68 stacks. 2026-02-22 14:38:14 +00:00			`source = "../../../../modules/kubernetes/ingress_factory"`
[ci skip] Refactor raw ingresses to use ingress_factory module Enhance ingress_factory with full_host, extra_middlewares, and skip_default_rate_limit variables. Fix TLS hosts bug to use effective_host. Migrate 13 services from raw kubernetes_ingress_v1 resources to centralized ingress_factory module calls, removing manual rybbit middleware CRDs where the factory now handles them. 2026-02-10 21:11:46 +00:00			`namespace = kubernetes_namespace.authentik.metadata[0].name`
			`name = "authentik-outpost"`
			`host = "authentik"`
			`service_name = "ak-outpost-authentik-embedded-outpost"`
			`port = 9000`
			`ingress_path = ["/outpost.goauthentik.io"]`
			`tls_secret_name = var.tls_secret_name`
add authentik [ci skip] 2024-11-12 20:20:10 +00:00			`}`