Installing Authentik into Kubernetes

Overview

Authentik provides SSO and a unified authentication platform. It has integrations for most self-hosted systems and provides forward authentication as well.

Installation

Postgres

In my environment, I attach PVs via NFS, so I have a mapall user set up in TrueNAS. By default, the Postgres image bundled with the chart is the Bitnami one, which pitches a fit when running as a non-root user while the PVs are mounted as the root user. As such, I will be running the Postgres portion on my external database server.

We will modify the helm values file to take this into account, but first we need to set up the user and the database on the postgres server.

Log into the database server via psql and run the following:

CREATE DATABASE authentik;
CREATE USER authentik WITH PASSWORD 'Password123';
GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
\c authentik
GRANT ALL ON SCHEMA public TO authentik;
\q

This will create the database, the user, and give the necessary grants to let the migrations happen during installation.

Helm Installation

First, we need to generate the secret key that Authentik will use (this is the value that goes into secret_key in the values file below):

openssl rand 60 | base64 -w 0

ydisLG/piBGcMFbbMX7neiykjkWZGQw1PtIGUHZ4WW6ELbv4QEDfTs7S4Lmc2hUepLeeDp0cUXyKkj2z

Next, we will pre-populate a values file to use with the Authentik helm chart. This will give us access to our external postgres server, as well as connect to our mail server so we can send emails from Authentik. Finally, we are also enabling the traefik ingress so it will natively populate into our reverse proxy.

values.yaml

authentik:
  # Use the value generated with openssl above, not a placeholder like this one
  secret_key: "Password123!!"
  error_reporting:
    enabled: true
  postgresql:
    host: "wn-postgres-01.weepynet.com"
    user: "authentik"
    password: "Password123"
    database: "authentik"
  email:
    host: "smtp.server.fqdn"
    port: 587
    username: "e@mail.com"
    password: "password"
    use_tls: true
    use_ssl: false
    timeout: 30
    from: "authentik@mail.com"

server:
  ingress:
    ingressClassName: traefik
    enabled: true
    hosts:
      - auth.weepynet.com

postgresql:
  enabled: false
redis:
  enabled: true

Now, we will install authentik via the helm chart:

helm repo add authentik https://charts.goauthentik.io
helm repo update
helm upgrade --install authentik authentik/authentik -f values.yaml
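As an added example (not part of the original post), here is a small pre-flight script to run before the helm upgrade --install above. It generates the secret key the same way the post does and refuses to deploy a values.yaml that still carries the walkthrough's placeholder credentials; the function names and the placeholder list are my own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the Authentik helm install (added example, not from the post).
set -eu

# Generate the Authentik secret key exactly as the post does:
# 60 random bytes, base64-encoded on a single line (falls back to /dev/urandom
# if openssl is not installed).
gen_secret_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand 60
  else
    head -c 60 /dev/urandom
  fi | base64 -w 0
}

# Return 0 when the key looks like 60 random bytes in base64:
# 60 bytes encode to exactly 80 base64 characters with no padding.
check_secret_key() {
  key="$1"
  [ "${#key}" -eq 80 ] || return 1
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{80}$' || return 1
  return 0
}

# Scan a values file for the placeholder credentials used in the walkthrough
# (Password123, password, changeme). Prints offending lines to stderr and
# returns 1 if any are found, so the deploy step can be gated on it.
check_values_file() {
  file="$1"
  bad=$(grep -nE '(secret_key|password):[[:space:]]*"?(Password123|password|changeme)' "$file" || true)
  if [ -n "$bad" ]; then
    printf 'placeholder credentials found in %s:\n%s\n' "$file" "$bad" >&2
    return 1
  fi
  return 0
}

# Example usage: generate a key, validate it, then gate the install on the
# values file being free of placeholders.
preflight() {
  values="${1:-values.yaml}"
  key=$(gen_secret_key)
  check_secret_key "$key" || { echo "generated key is malformed" >&2; return 1; }
  check_values_file "$values" || return 1
  echo "ok: values file clean; secret_key candidate: $key"
}
```

Gate the install on it with `preflight values.yaml && helm upgrade --install authentik authentik/authentik -f values.yaml`.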

You can use kubectl get pods to watch the pods and wait for them to reach a Running state. It will take a couple of minutes for all the DB migrations to run and for the server and worker to be good to go.

Logging into the UI

Open a browser, and go to https://auth.weepynet.com/if/flow/initial-setup/

Follow the on-screen instructions to set up the akadmin account. Best practice is to create an admin account for yourself, add it to the admin group, log in as that user, and then disable (NOT DELETE) the akadmin account.