feat: add Authentik main server deployment and configuration

chart/templates/authentik/redis-deployment.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.authentik.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ok8s.fullname" . }}-authentik-redis
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      containers:
+      - name: redis
+        image: "{{ .Values.authentik.redis.image.repository }}:{{ .Values.authentik.redis.image.tag }}"
+        command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "ok8s.fullname" . }}-authentik-redis
+              key: password
+        ports:
+        - containerPort: 6379
+        resources: {{ toYaml .Values.authentik.redis.resources | nindent 10 }}
+{{- end }}

chart/templates/authentik/redis-service.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.authentik.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ok8s.fullname" . }}-authentik-redis
+spec:
+  ports:
+  - port: 6379
+    targetPort: 6379
+  selector:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

chart/templates/authentik/secret.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.authentik.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ok8s.fullname" . }}-authentik
+type: Opaque
+data:
+  # Authentik secret key for encryption
+  secretKey: {{ randAlphaNum 32 | b64enc }}
+  # PostgreSQL password
+  postgresPassword: {{ .Values.authentik.postgres.password | b64enc }}
+  # Redis password
+  redisPassword: {{ .Values.authentik.redis.password | b64enc }}
+  # OIDC client secret (if provided)
+  {{- if .Values.authentik.oidc.clientSecret }}
+  oidcClientSecret: {{ .Values.authentik.oidc.clientSecret | b64enc }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ok8s.fullname" . }}-authentik-postgres
+type: Opaque
+data:
+  password: {{ .Values.authentik.postgres.password | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ok8s.fullname" . }}-authentik-redis
+type: Opaque
+data:
+  password: {{ .Values.authentik.redis.password | b64enc }}
+{{- end }}

chart/values.yaml

@@ -298,3 +298,42 @@ kubedock:
     DOCKER_HOST: "tcp://kubedock-service:2475"
     TESTCONTAINERS_RYUK_DISABLED: "true"
     TESTCONTAINERS_CHECKS_DISABLE: "true"
+
+# -- Authentik identity provider configuration
+authentik:
+  enabled: false
+  # -- CRITICAL: Authentik secret key used for encryption. MUST be set to a cryptographically strong random string (at least 32 characters).
+  # Generate with: openssl rand -base64 32
+  # This value cannot be empty and must be unique per installation.
+  secretKey: ""
+  postgres:
+    image:
+      repository: postgres
+      tag: "15-alpine"
+    database: "authentik"
+    username: "authentik"
+    password: "change-me-in-production"
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+    persistence:
+      enabled: true
+      size: 10Gi
+  redis:
+    image:
+      repository: redis
+      tag: "7-alpine"
+    password: "change-me-in-production"
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+  oidc:
+    clientSecret: ""