diff --git a/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml b/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
new file mode 100644
index 00000000..2712bc40
--- /dev/null
+++ b/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
@@ -0,0 +1,99 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: dex
+ namespace: authentication
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: dex
+ version: 0.15.3
+ sourceRef:
+ kind: HelmRepository
+ name: dex
+ namespace: flux-system
+ interval: 5m
+ values:
+ image:
+ repository: ghcr.io/dexidp/dex
+ tag: v2.37.0
+ env:
+ KUBERNETES_POD_NAMESPACE: authentication
+ envFrom:
+ - secretRef:
+ name: github-oauth-client
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ hosts:
+ - host: &host auth.immich.cloud
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: dex-tls
+
+ config:
+ issuer: &issuer https://auth.immich.cloud
+
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+
+ web:
+ http: 0.0.0.0:5556
+
+ frontend:
+ issuer: immich
+ issuerUrl: *issuer
+ logoUrl: https://github.com/immich-app/immich/raw/main/design/immich-logo-no-outline.png
+
+ expiry:
+ signingKeys: "6h"
+ idTokens: "24h"
+
+ logger:
+ level: debug
+ format: text
+
+ oauth2:
+ responseTypes: ["code", "token", "id_token"]
+ skipApprovalScreen: true
+ alwaysShowLoginScreen: false
+
+ enablePasswordDB: false
+
+ connectors:
+ # GitHub configure 'OAuth Apps' -> 'New OAuth App', add callback URL
+ # https://github.com/settings/developers
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: $GITHUB_CLIENT_ID
+ clientSecret: $GITHUB_CLIENT_SECRET
+ redirectURI: https://auth.immich.cloud/callback
+ orgs:
+ - name: immich-app
+
+ staticClients: []
+ # - id: grafana
+ # name: grafana
+ # secret: ${DEX_GRAFANA_AUTHENTICATOR_CLIENT_SECRET}
+ # redirectURIs:
+ # - "https://grafana.${SECRET_DOMAIN}/login/generic_oauth"
+
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ memory: 100Mi
\ No newline at end of file
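Review bot: `responseTypes: ["code", "token", "id_token"]` under `oauth2` turns on the implicit-flow response types, which hand tokens back in the URL fragment; the OAuth 2.0 Security BCP deprecates those grants, and nothing in this file needs them since `staticClients: []` defines no client of its own. Restrict to `responseTypes: ["code"]` unless a specific downstream client is known to require the implicit grant. Separately, `logger.level: debug` on an OIDC issuer writes verbose per-request detail to pod logs; `level: info` is the safer production default and the debug setting, if deliberate, deserves a comment saying so. The YAML nesting in this hunk was flattened when the diff was collapsed, so indentation should be checked against the repository copy rather than this rendering.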
diff --git a/kubernetes/apps/authentication/dexidp/app/kustomization.yaml b/kubernetes/apps/authentication/dexidp/app/kustomization.yaml
new file mode 100644
index 00000000..051da8f6
--- /dev/null
+++ b/kubernetes/apps/authentication/dexidp/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/authentication/dexidp/ks.yaml b/kubernetes/apps/authentication/dexidp/ks.yaml
new file mode 100644
index 00000000..94dfce78
--- /dev/null
+++ b/kubernetes/apps/authentication/dexidp/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://github.com/fluxcd-community/flux2-schemas/raw/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app dexidp
+ namespace: flux-system
+spec:
+ targetNamespace: authentication
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cluster-apps-onepassword
+ path: ./kubernetes/apps/authentication/dexidp/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: immich-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/authentication/kustomization.yaml b/kubernetes/apps/authentication/kustomization.yaml
new file mode 100644
index 00000000..a0ac3f40
--- /dev/null
+++ b/kubernetes/apps/authentication/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./secrets.yaml
+ - ./dexidp/ks.yaml
diff --git a/kubernetes/apps/authentication/namespace.yaml b/kubernetes/apps/authentication/namespace.yaml
new file mode 100644
index 00000000..5dc0ee96
--- /dev/null
+++ b/kubernetes/apps/authentication/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentication
\ No newline at end of file
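Review bot: In `ks.yaml`, `dependsOn` covers only `cluster-apps-onepassword`, while the `github-oauth-client` Secret that the HelmRelease reads through `envFrom` is produced asynchronously from the OnePasswordItem in `secrets.yaml`, which the parent `authentication/kustomization.yaml` applies in the same pass as this Kustomization. With `wait: true` the first reconcile may therefore time out until the operator has materialised the Secret; `retryInterval: 1m` should recover, but nothing in this file records that ordering. A comment above `dependsOn` along the lines of `# github-oauth-client Secret comes from ../secrets.yaml via the 1Password operator; the first reconcile may retry until it exists` would make the dependency explicit for the next reader.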
diff --git a/kubernetes/apps/authentication/secrets.yaml b/kubernetes/apps/authentication/secrets.yaml
new file mode 100644
index 00000000..a2ce3e34
--- /dev/null
+++ b/kubernetes/apps/authentication/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: github-oauth-client
+ namespace: authentication
+spec:
+ itemPath: "vaults/Kubernetes/items/github-oauth-client"
diff --git a/kubernetes/flux/repositories/helm/dex.yaml b/kubernetes/flux/repositories/helm/dex.yaml
new file mode 100644
index 00000000..baa18880
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/dex.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: dex
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://charts.dexidp.io
+ timeout: 3m
\ No newline at end of file
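Review bot: The OnePasswordItem in `secrets.yaml` names no fields, yet the Dex config references `$GITHUB_CLIENT_ID` and `$GITHUB_CLIENT_SECRET` from the Secret this item produces, so the 1Password item's field labels must match those names exactly and that contract is invisible here. A comment above `spec`, e.g. `# item fields must be named GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET; consumed via envFrom in dexidp/app/helmrelease.yaml`, would tie the two files together for whoever rotates the credential. As a point of style, this file and `kubernetes/flux/repositories/helm/dex.yaml` omit the leading `---` document marker that every other new file in the commit uses.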