bcf22640b2
Per user decision, removed authentik, kyverno, metallb-system, external-secrets, proxmox-csi, nfs-csi, vpa, sealed-secrets, infra-maintenance from the policy-level exclude list, and added keel.sh/enrolled=true to aiostreams (alive — 1/1 Running, despite being earlier flagged as scaled-to-0) and woodpecker. Net cluster coverage: 197/227 workloads on safe-force (86%), up from 170/227 (74%). All 197 are paired with match-tag=true (digest-only). Remaining 7 namespaces in Kyverno exclude list (irreducible): - keel (self-update) - calico-system + tigera-operator (operator-managed Installation CR) - cnpg-system + dbaas (state-coupled) - nvidia (chart-pinned at 570.195.03 per code-8vr0 until NVIDIA ships ubuntu26.04 driver images) - kube-system (k8s built-ins) Files: - stacks/kyverno/modules/kyverno/keel-annotations.tf — exclude list trimmed from 16 → 7 - stacks/authentik, kyverno, proxmox-csi, nfs-csi, vpa, sealed-secrets, servarr/aiostreams, metallb (creates ns "metallb-system"), woodpecker — added keel.sh/enrolled=true label on kubernetes_namespace resource - infra-maintenance was in the policy exclude but the namespace doesn't actually exist in the cluster; the removal is a no-op there Applied via kubectl patch on the live ClusterPolicy + kubectl label on namespaces because the kubernetes provider v3.1.0 panics on Kyverno ClusterPolicy refresh — TF source has the desired state for next clean apply on a fixed provider. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
113 lines
3.8 KiB
HCL
113 lines
3.8 KiB
HCL
variable "tls_secret_name" {}
|
|
variable "secret_key" {}
|
|
variable "postgres_password" {}
|
|
variable "tier" { type = string }
|
|
variable "redis_host" { type = string }
|
|
variable "homepage_token" {
|
|
type = string
|
|
default = ""
|
|
sensitive = true
|
|
}
|
|
|
|
|
|
module "tls_secret" {
|
|
source = "../../../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
# The embedded outpost auto-creates an ingress expecting this secret name
|
|
module "tls_secret_outpost" {
|
|
source = "../../../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
tls_secret_name = "authentik-outpost-tls"
|
|
}
|
|
|
|
resource "kubernetes_namespace" "authentik" {
|
|
metadata {
|
|
name = "authentik"
|
|
labels = {
|
|
tier = var.tier
|
|
"resource-governance/custom-quota" = "true"
|
|
"keel.sh/enrolled" = "true"
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
|
|
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_resource_quota" "authentik" {
|
|
metadata {
|
|
name = "authentik-quota"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
}
|
|
spec {
|
|
hard = {
|
|
"requests.cpu" = "16"
|
|
"requests.memory" = "16Gi"
|
|
"limits.memory" = "96Gi"
|
|
pods = "50"
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "helm_release" "authentik" {
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
create_namespace = true
|
|
name = "goauthentik"
|
|
|
|
repository = "https://charts.goauthentik.io/"
|
|
chart = "authentik"
|
|
# version = "2025.10.3"
|
|
# version = "2025.12.4"
|
|
version = "2026.2.2"
|
|
atomic = true
|
|
timeout = 6000
|
|
|
|
values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })]
|
|
}
|
|
|
|
|
|
module "ingress" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
# Authentik's own UI cannot be gated by Authentik forward-auth — that
|
|
# creates a chicken-and-egg loop (users can't reach the login page).
|
|
# auth = "none": Authentik UI cannot be gated by Authentik forward-auth (chicken-and-egg loop prevents login).
|
|
auth = "none"
|
|
dns_type = "proxied"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
name = "authentik"
|
|
service_name = "goauthentik-server"
|
|
tls_secret_name = var.tls_secret_name
|
|
anti_ai_scraping = false
|
|
extra_annotations = {
|
|
"gethomepage.dev/enabled" = "true"
|
|
"gethomepage.dev/name" = "Authentik"
|
|
"gethomepage.dev/description" = "Identity provider"
|
|
"gethomepage.dev/icon" = "authentik.png"
|
|
"gethomepage.dev/group" = "Identity & Security"
|
|
"gethomepage.dev/pod-selector" = ""
|
|
"gethomepage.dev/widget.type" = "authentik"
|
|
"gethomepage.dev/widget.url" = "http://goauthentik-server.authentik.svc.cluster.local"
|
|
"gethomepage.dev/widget.key" = var.homepage_token
|
|
}
|
|
}
|
|
|
|
module "ingress-outpost" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
# Authentik forward-auth outpost callback path — protecting this with
|
|
# forward-auth would loop the outpost back onto itself.
|
|
# auth = "none": Authentik outpost callback path for forward-auth flow; protecting with forward-auth creates circular dependency.
|
|
auth = "none"
|
|
namespace = kubernetes_namespace.authentik.metadata[0].name
|
|
name = "authentik-outpost"
|
|
host = "authentik"
|
|
service_name = "ak-outpost-authentik-embedded-outpost"
|
|
port = 9000
|
|
ingress_path = ["/outpost.goauthentik.io"]
|
|
tls_secret_name = var.tls_secret_name
|
|
anti_ai_scraping = false
|
|
exclude_crowdsec = true
|
|
}
|