Authentik bootstrapping

README.md

@@ -45,11 +45,16 @@ openssl req -x509 -nodes -newkey rsa:4096 -keyout "$PRIVATEKEY" -out "$PUBLICKEY
 kubectl -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"
 kubectl -n "$NAMESPACE" label secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active
 kubectl -n "$NAMESPACE" delete pod -l name=app.kubernetes.io/name=sealed-secrets 
-kubectl -n "$NAMESPACE" logs -l name=sealed-secrets-controller
 ```
+
 #### Sealing a secret
 ```
-kubeseal --cert "./${PUBLICKEY}" --scope cluster-wide < mysecret.yaml | kubectl apply -f-
+
+echo -n "PASSWORD" \
+    | kubectl create secret generic xxx --dry-run=client --from-file=KEY=/dev/stdin -o yaml \
+    | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml --merge-into ./secrets/authentik-kaisers-info-automated-install-sealed.yaml
+
+kubectl apply -f sealed-secret.yaml
 ```
 
 ## Services

cloud-kaisers-info/templates/nextcloud.yaml

@@ -17,7 +17,7 @@ spec:
   source:
     chart: "nextcloud"
     repoURL: "https://nextcloud.github.io/helm/"
-    targetRevision: "2.14.3"
+    targetRevision: "2.14.4"
     helm:
       releaseName: "nextcloud"
       values: |
@@ -34,7 +34,10 @@ spec:
 
           nextcloud:
             host: "newcloud.kaisers.info"
-            username: "admin"
+            existingSecret:
+              enabled: 'true'
+              secretName: 'nextcloud-kaisers-info-secrets'
+            username: "ndadmin"
             password: "changeme"
             mail:
               enabled: "true"

gitops-kaisers-info/k8-kaisers-info-sealedsecret.crt

@@ -1,28 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE3DCCAsQCCQCsG9gJvmZ1XjANBgkqhkiG9w0BAQsFADAwMRYwFAYDVQQDDA1z
-ZWFsZWQtc2VjcmV0MRYwFAYDVQQKDA1zZWFsZWQtc2VjcmV0MB4XDTIyMDUzMTE2
-MDIwN1oXDTIyMDYzMDE2MDIwN1owMDEWMBQGA1UEAwwNc2VhbGVkLXNlY3JldDEW
-MBQGA1UECgwNc2VhbGVkLXNlY3JldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
-AgoCggIBAMB988b3SmVJKeWmMgaCzLkO/iWiXofsl6jzpHTMbFuctLJQvnXLzZ8b
-0lEL50KVE/KBvt+1p+0eWObNREAHva2zQh07BwjHjkxR6Z086lnUGeacOyx4wd13
-/H6yxZpZahbKruE+Awd6sspti71LZ7PcafLw8+HjGiftF+jeLj3A5a3U1yE1WVIk
-eB4ypxf7XRScZBjrL0LNN7S63lsc0vrjmphmj47hhWsVkAEDOrP5RSGu6R7d/caO
-ECCxXBx+NCKf7ARdTxo0gGPOCa2TnVsFkncUXolGpHEQwLAWMubv94SE4PMcGSbU
-xZbSd+/y9yHTBmYSz1xxpx0iDLmjuhD7axZpvwFW8/u5kbWIvIp1a2kIPOdfUgbM
-emxYyVCBcgfNBv0274n0bI4KmImY60/QdTifLiVujUP7R0h721FckqlLwZ8sskte
-dQZ0LTMMNjaGqKhWKeCxNbbH1VQDbMAJZR2omamK7VbXa2BX9z6c4ILtDf9vBCuS
-4x+V99iQJNVeqCLhq0hykMxKrCUccRd+IXw1PUAp1Ng05VasDul3znpKA1x6hxvV
-S+o8w6vC2yNkmvgy86S4TJlwzikDXS55B4TqOgrj6IhnFzcdp/HTxeAzqT8ETZ32
-gfT2pvWZDKnYbyWgMd/N4pQv6W7DlrPib/0YiXPvGfGZEU6e7j5JAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggIBAJKYhggjjhbavqiukBAeXyH2u9y/Ush60K0uAVcs6ZtG
-gh0Bz5kERAIpgrUD7oFuHknPQ8LsLzzwxMGzXBj2jHNNkKR0SWZdq5KHO/cluby/
-qBfUOGEI8Em5KLFVxa1YnQnPZZrhmHxd3t/cL0QG8c89hhohG8C1IlJT8WN5zM0h
-LXyXUPwfynXW0W0IILPWlNWkxBS3aDTWyoZo3gKu2YKQRH/4VV3yXoGVJWyETz7X
-MRPaatqqK56mxa+ZDrjoA9Ff+lmO3ixSbGX9bWesUiaOdzXZLzv1SRCu5vlLO3QJ
-z6gbJa8StmwFg5VGkBM66WnV0PE7dmiU48VjFRM1Ptp/BSTuhoZPJb8ccFIRMro7
-Q+Aopc2Vp0hvx/gGgDSHLfh23j60QC41kCRp8Y7cAvYmyl0TO0yw+CqIz+/LqBIU
-GwXGFIG+gju5JBAKD/NvAD0IT1c5DPAIEJBB9hk5SF9/CxNOD8VPGfQqAhofN3gD
-fA4/65xAQRWjTwvCuCwYkKfBjAEv3+43ixDjO+DZhI1H5o5uEQgyFXGvitobDhAP
-zJZZJiWWY+tr9feUkaEMwGJn4X38A/ocI7J44vWqLk0WcakUd2sykMeZTEL9c9Oj
-MPutKHHEIOWybWzUut4c3O9TZwdq77mRzWCXhNBxvly6L3o5wly356jOOvlxC0Rw
------END CERTIFICATE-----

secrets/authentik-kaisers-info-secrets-sealed.yaml

@@ -0,0 +1,22 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authentik-kaisers-info-secrets
+  namespace: authentik
+spec:
+  encryptedData:
+    AUTHENTIK_BOOTSTRAP_PASSWORD: AgBh++7B43ehbsIKG/8O46LcQ6FQ4OzSzwrtjF4KE+rydSUDG5sB7UK/IlMCdJENU0WpFK8/EUC7UCCv26U75l94khIcLqXn9cwgSdFr++mljIeqWPHAEwg5TMzfhYJsWsUO5KTQiNGxxXLY8ZcEb6UqMbRptW2titfejJkViu887ZyTLhWC7cEwxJTXUD3AEp3sLHSE/kTMP1p1OYah2NE1t30etQJKjHLqd3WH+JL8i/SHufDSu7D7joj05fa5bSZQIOrB9XtMubhn7eaXkG7T2Fr5PylgkyIX8wEK8/U+b15TQA/5+N0B1mjm/IvH/G6afcnvRAvKKzCzBJSEiAgdF0XIk5pk+j8AfV7Fc1V3sFDjCdrM/r5q4Eo1KSTPw4N9FyYcRN2l1aZwv5jSxd+kK30MHw0uqZHcy/586O0jIyrCRB45p8ocHALXIHFQuOGoUjiqCHEV1G5uSXP1aHBmrJdelOq1yqWYWmDxvADCDECWe64YET/Zh15sGN8WQ7ODQfSyWUp5tQ0CqIWqF+0z7ZCW7nSF4L4qd/lv5h1W3CcbZ4Agv+JqLEl+wG0O6Gx12G+DVXe3fUxLNFKWJFoc9oW9mpbYyZlgtmsA7f2mBwZnd71A2eq4kcoKaGH5xK0hROL1sLWJeSAdL2T8RkcMvF+VxeWG7z/5RNF8o7G47f65OTIHez3ivCMBbO+CunIpWJE3/L2JKCFZ+ZIWMFZHArgL
+    AUTHENTIK_BOOTSTRAP_TOKEN: AgAlwinI1rQbJBuWDD3JtNbTPDy/KuGsTrE4/7OxzTVV+QKEItRpTLpgdkzitDt24SDMokoL6J9L/9fJcWz6V/AtJ4+oxAC/fuqHqqBQ1lsQaFqBB/ubhBZZMcJIE/djn/iKNLBvtvdc2iduYKJ812Ojbt6pIQ/1X+Zp9nJTUo22iC/mRebC9anYwO14qCLEIv6+7kuTO8LmMiqOKjcjGuCD/xNxGAzFCSzwpayZG6BIcmsH5YclU3iY1R15bbPfa46wxliylv1d1WD2HkAf1d8Bi6jgZYaUGhbQ5IWWaA4bIFVQPGrBpNzW0g46/wqj2v+KBQTXZqofT0Q3iCvFQUtTmiQkK3grRdBzvj3ZugynjpGniajPlHOBXJP1i9ty3z/+bJJ+OBLyZ57cRQo6YW1PDyx91p9ulYyAAIX6oLnQeCO5pKJaHGbbfpSPXJJWRsYFkenpa2wl/d8YMA0+ZsnxYtYIziR4nJImx99ob9dnc1sm29rNi3bhVAO9e/AhQkx1SKA+h7oQBEJuLNnRkvRcl5cv4E58OkIep958k/LcUpCcUoANqldWrlZvRD8rPwzlH4zKH0f3Qx1N3hGSJyXzndE8b076g9lVuHVa0ASvSjLBiMrC+feL2oCLBh535HVJ/Hj19YS9an9qWbw8YyZKs9zAASH4Y8r+fDGoD/AQwJw754icTJTLK7IhINfITE1cBJrCnroTUbA1eVF3e3D29PgGen+oa070OihLkW43A1Y=
+    AUTHENTIK_EMAIL__PASSWORD: AgCC1aqlpLBwzLlslf6d9Mj5eYi7y15DqnixIKA+QhQ3wmZJ2MeCX1yrJwt5HByqiSi1KwQsumAWqKqfVCC+l8ZzDvLBqPHukD9ZPHP7oa+qvDuo94JsqBBUyaNM6gDAA92IyQOiMJQFhNNPvaPKo1qH6HzO+C6oj4Amen+qZM7CePtnAKe03zJddDkbJHsKq/8mV6OTEGOJsLk6sv8PbFCNHiAsJ59ElzC++7L4fYbG00OH5bt6HmXh2Ow6P5ndhrX9Zus1AFoP8tK6JKAaDObEDah/ckDKnL+4qE2LD58oJhjbB/2u6ps11Tk1ifnnlmHEvj/1XSkqIXYfvKiOhuamueucln0G0EqDse6UbAkKL3FxQnes6LDC3eZqXh+DpdBCaPUenMh2suzqeQEuVbkGlMqDY0F7fv6Kt7ft6kT0PoUASBTgTfK2ezzwqDWMCM7qQNrlAFQg+1TFKIwTia43hGSdOXgNEaDRbQLJ5a94MAz7Gg8I5vmzDwjUzvYDHszNFqfWhfZBQOgT1/Z7aOyqgfLVjubz4iKdjFxnpKn6WCfC1Culo4hTua5mr4Hsw/J7qPWxSGI1uMqrv1MrSoXlRzR6Z5V7tPLf09H8cr4LH7YzQmwoiqhf8mgdARqfWxMT98WGB+v1dQwU6JKjCpstKwCdmMfhSINSIW/lK55ZF2qRnxkDnbSuDtWQYk7OD+hK9F2QSt9DkbBw7CzkJGLn
+    AUTHENTIK_SECRET_KEY: AgAmpYdqEEpK2LOpbMx83NQKV4N8Nu4QJehUa4mt7D7UnjYBkVmnePa9UmLtK5JurYVF9EpkEmpY9a/32vFhj/FuuWRGZTcP0Ws6oqaN1+KPYx6KvINNh8Fnfwn38l3PhdNo3N3Sc+JtXOKFzgz+0nrlpiHYT3+GCqCc1utiScD4IBFPD2xXKN/pQYVUURrm+5CNj4srQrbxJa+z5jpSctm6MSP8i9nSM4Rph9gVZzTlnNxa8anSHx4DY/VVg7VNxIemB5gevvbRoZToPDKNy2fmgQZlp6tRERHNp7qYp+FZbXTTZCR78dvp1Xgbjs5h1m2nPKg4oSqTJHy1HvpnXtjY80CrVg1KGLNNb9Y7SFxMXdZg561dWF2Fh8VwIPl5INc1IlE9bqvaXBXFiAH2yHSQMJ/6EBjS9ZFSnY9HlSEf6V37mQQOGQJLp+8UgsczIkEiLVkrM9t0/9p+LkMP6WVSTsJezSA4py7r0Cudoquzm8d2KwUDbjkzVJW+q2waKOSRMxpSw7BVjRMJSampScZ+XvTZtn+WTPjCPtAVRqVxgZvKQqemn0BnQ/sqjerrepv0lRtUccQukKVZipLHvsdaH1m+sWDbdIAAqpmdhRfT30LBB8c5FQQ9BoFniIK7FLuByfMafgJsbhQO2LsIL4lYj60oCy6LdiVIXom1tnSk/upC9XfZ/XgdVHiIe/xjxLFKqNY6eDRhnwlpC9pC
+  template:
+    data: null
+    metadata:
+      annotations:
+        argocd.argoproj.io/sync-wave: "-1"
+      creationTimestamp: null
+      name: authentik-kaisers-info-secrets
+      namespace: authentik
+    type: Opaque
+

services-kaisers-info/templates/authentik.yaml

@@ -16,23 +16,16 @@ spec:
       selfHeal: true
   source:
     chart: "authentik"
-    repoURL: "https://charts.goauthentik.io"
-    targetRevision: "5.2.1"
+    repoURL: "https://charts.goauthentik.io/"
+    targetRevision: "2022.6.1"
     helm:
       releaseName: "authentik"
       values: |
         authentik:
-          env: {
-            AK_ADMIN_PASS: 'SIMON',
-            AK_ADMIN_TOKEN: 'SIMON'
-          }
-          secret_key: "qlfgmSJ8GT/EoE3JsphrM81KzyYqoDYif7u59m/sVL4EQ6MO"
           # This sends anonymous usage-data, stack traces on errors and
           # performance data to sentry.beryju.org, and is fully opt-in
           error_reporting:
             enabled: false
-          postgresql:
-            password: "ThisIsNotASecurePasswordEither"
           
           email:
             # -- SMTP Server emails are sent from, fully optional
@@ -40,14 +33,16 @@ spec:
             port: 587
             # -- SMTP credentials, when left empty, not authentication will be done
             username: "authentik@kaisers.info"
-            # -- SMTP credentials, when left empty, not authentication will be done
-            password: "6qL3XdwQUw2UJ75U"
             # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
             use_tls: true
             # -- Connection timeout
             timeout: 30
             # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
             from: "authentik <authentik@kaisers.info>"
+        
+        envFrom:
+          - secretRef:
+              name: 'authentik-kaisers-info-secrets'
 
         ingress:
           enabled: true
@@ -63,10 +58,8 @@ spec:
             - secretName: "authentik-kaisers-info-tls"
               hosts:
                 - "authentik.kaisers.info"
-              
 
         postgresql:
           enabled: true
-          postgresqlPassword: "ThisIsNotASecurePasswordEither"
         redis:
           enabled: true