feat: export all K8 Plus cluster manifests

Namespaces: argocd, authentik, backup-system, cloudflare-ddns, gitea, homarr, monitoring, n8n, openclaw, polymarket-bot, vaultwarden Cluster-wide: clusterissuers, namespaces Secrets: redacted (structure only, data=REDACTED)
2026-04-10 08:57:02 +00:00
commit ff2e6cc985
163 changed files with 10979 additions and 0 deletions
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    deployment.kubernetes.io/revision: '1'
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"authentik-redis","namespace":"authentik"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"authentik-redis"}},"template":{"metadata":{"labels":{"app":"authentik-redis"}},"spec":{"containers":[{"command":["redis-server","--save","60","1","--loglevel","warning"],"image":"redis:alpine","name":"redis","ports":[{"containerPort":6379}],"resources":{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"25m","memory":"64Mi"}}}]}}}}
+
+      '
+  name: authentik-redis
+  namespace: authentik
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: authentik-redis
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: authentik-redis
+    spec:
+      containers:
+      - command:
+        - redis-server
+        - --save
+        - '60'
+        - '1'
+        - --loglevel
+        - warning
+        image: redis:alpine
+        imagePullPolicy: IfNotPresent
+        name: redis
+        ports:
+        - containerPort: 6379
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 100m
+            memory: 128Mi
+          requests:
+            cpu: 25m
+            memory: 64Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+
@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    deployment.kubernetes.io/revision: '15'
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"authentik-server","namespace":"authentik"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"authentik-server"}},"template":{"metadata":{"labels":{"app":"authentik-server"}},"spec":{"containers":[{"args":["server"],"env":[{"name":"AUTHENTIK_REDIS__HOST","value":"authentik-redis"},{"name":"AUTHENTIK_POSTGRESQL__HOST","value":"postgresql"},{"name":"AUTHENTIK_POSTGRESQL__USER","value":"authentik"},{"name":"AUTHENTIK_POSTGRESQL__NAME","value":"authentik"},{"name":"AUTHENTIK_POSTGRESQL__PASSWORD","valueFrom":{"secretKeyRef":{"key":"POSTGRES_PASSWORD","name":"authentik-secrets"}}},{"name":"AUTHENTIK_SECRET_KEY","valueFrom":{"secretKeyRef":{"key":"AUTHENTIK_SECRET_KEY","name":"authentik-secrets"}}},{"name":"AUTHENTIK_ERROR_REPORTING__ENABLED","value":"false"}],"image":"ghcr.io/goauthentik/server:2024.12.3","name":"server","ports":[{"containerPort":9000},{"containerPort":9443}],"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"512Mi"}},"volumeMounts":[{"mountPath":"/media","name":"media"}]}],"initContainers":[{"command":["sh","-c","until
+      pg_isready -h postgresql -U authentik; do echo waiting; sleep 2; done"],"image":"postgres:17-alpine","name":"wait-postgres"}],"volumes":[{"name":"media","persistentVolumeClaim":{"claimName":"authentik-media-pvc"}}]}}}}
+
+      '
+  name: authentik-server
+  namespace: authentik
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: authentik-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/restartedAt: '2026-04-09T11:10:52Z'
+      labels:
+        app: authentik-server
+    spec:
+      containers:
+      - args:
+        - server
+        env:
+        - name: AUTHENTIK_REDIS__HOST
+          value: authentik-redis
+        - name: AUTHENTIK_POSTGRESQL__HOST
+          value: postgresql
+        - name: AUTHENTIK_POSTGRESQL__USER
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__NAME
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: POSTGRES_PASSWORD
+              name: authentik-secrets
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: AUTHENTIK_SECRET_KEY
+              name: authentik-secrets
+        - name: AUTHENTIK_ERROR_REPORTING__ENABLED
+          value: 'false'
+        image: ghcr.io/goauthentik/server:2024.12.3
+        imagePullPolicy: IfNotPresent
+        name: server
+        ports:
+        - containerPort: 9000
+          protocol: TCP
+        - containerPort: 9443
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 500m
+            memory: 1Gi
+          requests:
+            cpu: 100m
+            memory: 512Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /media
+          name: media
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - until pg_isready -h postgresql -U authentik; do echo waiting; sleep 2; done
+        image: postgres:17-alpine
+        imagePullPolicy: IfNotPresent
+        name: wait-postgres
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: media
+        persistentVolumeClaim:
+          claimName: authentik-media-pvc
+
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    deployment.kubernetes.io/revision: '6'
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"authentik-worker","namespace":"authentik"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"authentik-worker"}},"template":{"metadata":{"labels":{"app":"authentik-worker"}},"spec":{"containers":[{"args":["worker"],"env":[{"name":"AUTHENTIK_REDIS__HOST","value":"authentik-redis"},{"name":"AUTHENTIK_POSTGRESQL__HOST","value":"postgresql"},{"name":"AUTHENTIK_POSTGRESQL__USER","value":"authentik"},{"name":"AUTHENTIK_POSTGRESQL__NAME","value":"authentik"},{"name":"AUTHENTIK_POSTGRESQL__PASSWORD","valueFrom":{"secretKeyRef":{"key":"POSTGRES_PASSWORD","name":"authentik-secrets"}}},{"name":"AUTHENTIK_SECRET_KEY","valueFrom":{"secretKeyRef":{"key":"AUTHENTIK_SECRET_KEY","name":"authentik-secrets"}}},{"name":"AUTHENTIK_ERROR_REPORTING__ENABLED","value":"false"}],"image":"ghcr.io/goauthentik/server:2024.12.3","name":"worker","resources":{"limits":{"cpu":"300m","memory":"512Mi"},"requests":{"cpu":"50m","memory":"256Mi"}},"volumeMounts":[{"mountPath":"/media","name":"media"}]}],"initContainers":[{"command":["sh","-c","until
+      pg_isready -h postgresql -U authentik; do echo waiting; sleep 2; done"],"image":"postgres:17-alpine","name":"wait-postgres"}],"volumes":[{"name":"media","persistentVolumeClaim":{"claimName":"authentik-media-pvc"}}]}}}}
+
+      '
+  name: authentik-worker
+  namespace: authentik
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: authentik-worker
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/restartedAt: '2026-04-08T20:03:35Z'
+      labels:
+        app: authentik-worker
+    spec:
+      containers:
+      - args:
+        - worker
+        env:
+        - name: AUTHENTIK_REDIS__HOST
+          value: authentik-redis
+        - name: AUTHENTIK_POSTGRESQL__HOST
+          value: postgresql
+        - name: AUTHENTIK_POSTGRESQL__USER
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__NAME
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: POSTGRES_PASSWORD
+              name: authentik-secrets
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: AUTHENTIK_SECRET_KEY
+              name: authentik-secrets
+        - name: AUTHENTIK_ERROR_REPORTING__ENABLED
+          value: 'false'
+        image: ghcr.io/goauthentik/server:2024.12.3
+        imagePullPolicy: IfNotPresent
+        name: worker
+        resources:
+          limits:
+            cpu: 300m
+            memory: 512Mi
+          requests:
+            cpu: 50m
+            memory: 256Mi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /media
+          name: media
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - until pg_isready -h postgresql -U authentik; do echo waiting; sleep 2; done
+        image: postgres:17-alpine
+        imagePullPolicy: IfNotPresent
+        name: wait-postgres
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: media
+        persistentVolumeClaim:
+          claimName: authentik-media-pvc
+
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"cert-manager.io/cluster-issuer":"letsencrypt-prod","traefik.ingress.kubernetes.io/router.entrypoints":"websecure"},"name":"authentik","namespace":"authentik"},"spec":{"ingressClassName":"traefik","rules":[{"host":"authentik.chemavx.xyz","http":{"paths":[{"backend":{"service":{"name":"authentik-server","port":{"number":9000}}},"path":"/","pathType":"Prefix"}]}}],"tls":[{"hosts":["authentik.chemavx.xyz"],"secretName":"authentik-tls"}]}}
+
+      '
+    traefik.ingress.kubernetes.io/reload-timestamp: '1775738348'
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+  name: authentik
+  namespace: authentik
+spec:
+  ingressClassName: traefik
+  rules:
+  - host: auth.chemavx.xyz
+    http:
+      paths:
+      - backend:
+          service:
+            name: authentik-server
+            port:
+              number: 9000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - auth.chemavx.xyz
+    secretName: auth-tls
+
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"PersistentVolumeClaim","metadata":{"annotations":{},"name":"authentik-media-pvc","namespace":"authentik"},"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}},"storageClassName":"local-path"}}
+
+      '
+    pv.kubernetes.io/bind-completed: 'yes'
+    pv.kubernetes.io/bound-by-controller: 'yes'
+    volume.beta.kubernetes.io/storage-provisioner: rancher.io/local-path
+    volume.kubernetes.io/selected-node: chemavx-k8
+    volume.kubernetes.io/storage-provisioner: rancher.io/local-path
+  name: authentik-media-pvc
+  namespace: authentik
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: local-path
+  volumeMode: Filesystem
+  volumeName: pvc-2485eef0-a8bb-40c6-8013-86134841d095
+
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  annotations:
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"PersistentVolumeClaim","metadata":{"annotations":{},"name":"authentik-pg-pvc","namespace":"authentik"},"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"10Gi"}},"storageClassName":"local-path","volumeName":"authentik-pg-pv"}}
+
+      '
+    pv.kubernetes.io/bind-completed: 'yes'
+  name: authentik-pg-pvc
+  namespace: authentik
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: local-path
+  volumeMode: Filesystem
+  volumeName: authentik-pg-pv
+
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+  tls.crt: REDACTED
+  tls.key: REDACTED
+kind: Secret
+metadata:
+  annotations:
+    cert-manager.io/alt-names: auth.chemavx.xyz
+    cert-manager.io/certificate-name: auth-tls
+    cert-manager.io/common-name: auth.chemavx.xyz
+    cert-manager.io/ip-sans: ''
+    cert-manager.io/issuer-group: cert-manager.io
+    cert-manager.io/issuer-kind: ClusterIssuer
+    cert-manager.io/issuer-name: letsencrypt-prod
+    cert-manager.io/uri-sans: ''
+  labels:
+    controller.cert-manager.io/fao: 'true'
+  name: auth-tls
+  namespace: authentik
+type: kubernetes.io/tls
+
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+  AUTHENTIK_POSTGRESQL__PASSWORD: REDACTED
+  AUTHENTIK_SECRET_KEY: REDACTED
+  POSTGRES_PASSWORD: REDACTED
+kind: Secret
+metadata:
+  annotations:
+    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"authentik-secrets","namespace":"authentik"},"stringData":{"AUTHENTIK_POSTGRESQL__PASSWORD":"authentik","AUTHENTIK_SECRET_KEY":"PLACEHOLDER_WILL_UPDATE","POSTGRES_PASSWORD":"authentik"},"type":"Opaque"}
+
+      '
+  name: authentik-secrets
+  namespace: authentik
+type: Opaque
+
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+  tls.crt: REDACTED
+  tls.key: REDACTED
+kind: Secret
+metadata:
+  annotations:
+    cert-manager.io/alt-names: authentik.chemavx.xyz
+    cert-manager.io/certificate-name: authentik-tls
+    cert-manager.io/common-name: authentik.chemavx.xyz
+    cert-manager.io/ip-sans: ''
+    cert-manager.io/issuer-group: cert-manager.io
+    cert-manager.io/issuer-kind: ClusterIssuer
+    cert-manager.io/issuer-name: letsencrypt-prod
+    cert-manager.io/uri-sans: ''
+  labels:
+    controller.cert-manager.io/fao: 'true'
+  name: authentik-tls
+  namespace: authentik
+type: kubernetes.io/tls
+
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-redis
+  namespace: authentik
+spec:
+  clusterIP: 10.43.156.120
+  clusterIPs:
+  - 10.43.156.120
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - port: 6379
+    protocol: TCP
+    targetPort: 6379
+  selector:
+    app: authentik-redis
+  sessionAffinity: None
+  type: ClusterIP
+
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-server
+  namespace: authentik
+spec:
+  clusterIP: 10.43.135.224
+  clusterIPs:
+  - 10.43.135.224
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  - name: https
+    port: 9443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    app: authentik-server
+  sessionAffinity: None
+  type: ClusterIP
+
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql
+  namespace: authentik
+spec:
+  clusterIP: 10.43.75.133
+  clusterIPs:
+  - 10.43.75.133
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - port: 5432
+    protocol: TCP
+    targetPort: 5432
+  selector:
+    app: postgresql
+  sessionAffinity: None
+  type: ClusterIP
+
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgresql
+  namespace: authentik
+spec:
+  persistentVolumeClaimRetentionPolicy:
+    whenDeleted: Retain
+    whenScaled: Retain
+  podManagementPolicy: OrderedReady
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+      - env:
+        - name: POSTGRES_USER
+          value: authentik
+        - name: POSTGRES_DB
+          value: authentik
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: POSTGRES_PASSWORD
+              name: authentik-secrets
+        - name: PGDATA
+          value: /var/lib/postgresql/data
+        image: postgres:17-alpine
+        imagePullPolicy: IfNotPresent
+        name: postgresql
+        ports:
+        - containerPort: 5432
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - authentik
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: pg-data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 999
+        runAsGroup: 999
+        runAsUser: 999
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: pg-data
+        persistentVolumeClaim:
+          claimName: authentik-pg-pvc
+  updateStrategy:
+    rollingUpdate:
+      partition: 0
+    type: RollingUpdate
+