feat(authentik): BREAKING CHANGE Port to new common (#9426)
**Description** <!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. --> ⚒️ Fixes # <!--(issue)--> **⚙️ Type of change** - [X] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [X] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** <!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration --> - Installed on native Helm - Logged in with the bootstrapped password - Created LDAP and Proxy outposts - Copied their tokens - Enabled the outposts in values.yaml and overrode their tokens (this is necessary to circumvent a known bug (https://github.com/truecharts/charts/issues/7390) - the bootstrap token cannot be used by an outpost, so in the future, the overriding of the token must become mandatory but that's for another PR) - Logged back in authentik, confirmed the 2 outposts are showing as healthy in its UI **📃 Notes:** <!-- Please enter any other relevant information here --> - I tried to make the minimal amount of changes necessary to port this to the new common, in order to keep the diff and this PR as small as possible - One small exception to the above, this PR also closes #6986 , since this was basically 1 line change in the persistence dict - I have bumped the chart's major revision but i am keeping it in the incubator train for now for 2 reasons: * It can get tested by the community (this is my first app port to the new common) * There are a few of TODOs left in there (1 by me and several by others), as well as a couple of known bugs in the chart, which I would like to address in separate PRs - I am assuming that `questions.yaml` needs no changes (since I haven't changed the data structure in `values.yaml`, apart from the necessary changes to port to new common). I have NOT tested this, so do let me know if I need to take a look at this and make changes. **✔️ Checklist:** - [X] ⚖️ My code follows the style guidelines of this project - [X] 👀 I have performed a self-review of my own code - [X] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [X] ⚠️ My changes generate no new warnings - [X] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [X] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: Kjeld Schouten <kjeld@schouten-lebbing.nl> Co-authored-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
This commit is contained in:
@@ -3,15 +3,11 @@ appVersion: "2023.4.1"
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 11.1.2
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://deps.truecharts.org/
|
||||
version: 11.0.31
|
||||
version: 12.10.4
|
||||
- condition: redis.enabled
|
||||
name: redis
|
||||
repository: https://deps.truecharts.org
|
||||
version: 5.0.33
|
||||
version: 6.0.46
|
||||
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
|
||||
home: https://truecharts.org/charts/incubator/authentik
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
|
||||
@@ -27,7 +23,7 @@ sources:
|
||||
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
|
||||
- https://github.com/goauthentik/authentik
|
||||
- https://goauthentik.io/docs/
|
||||
version: 11.0.0
|
||||
version: 12.0.0
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- authentication
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
||||
@@ -1,11 +1,12 @@
|
||||
{{/* Define the configmap */}}
|
||||
{{- define "authentik.config" -}}
|
||||
{{/* Define the configmaps */}}
|
||||
{{- define "authentik.configmaps" -}}
|
||||
|
||||
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
|
||||
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
|
||||
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
|
||||
{{- if .Values.ingress.main.enabled }}
|
||||
{{ $first := (first .Values.ingress.main.hosts) }}
|
||||
@@ -14,130 +15,104 @@
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
{{/* This configmap is loaded in both the main authentik container and worker */}}
|
||||
{{ $authServerWorkerConfigName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
|
||||
{{- with $redis := .Values.redisProvider }}
|
||||
AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
|
||||
{{- end }}
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
|
||||
AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
|
||||
{{- with $cnpg := .Values.cnpgProvider }}
|
||||
AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.port }}
|
||||
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
|
||||
{{- end }}
|
||||
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
|
||||
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
|
||||
{{- with .Values.authentik.mail.timeout }}
|
||||
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Logging */}}
|
||||
{{- with .Values.authentik.logging.log_level }}
|
||||
AUTHENTIK_LOG_LEVEL: {{ . }}
|
||||
{{- end }}
|
||||
{{/* General */}}
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
|
||||
{{- with .Values.authentik.general.avatars }}
|
||||
AUTHENTIK_AVATARS: {{ . }}
|
||||
{{- end }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
|
||||
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
|
||||
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
|
||||
{{- with .Values.authentik.general.footer_links }}
|
||||
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
|
||||
{{- end }}
|
||||
{{/* Error Reporting */}}
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
|
||||
{{- with .Values.authentik.error_reporting.environment }}
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
|
||||
{{- end }}
|
||||
{{/* LDAP */}}
|
||||
{{- with .Values.authentik.ldap.tls_ciphers }}
|
||||
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Outposts */}}
|
||||
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
|
||||
|
||||
{{/* This configmap are loaded on both main authentik container and worker */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $authServerWorkerConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
|
||||
AUTHENTIK_REDIS__PORT: "6379"
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
|
||||
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
|
||||
AUTHENTIK_POSTGRESQL__PORT: "5432"
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.port }}
|
||||
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
|
||||
{{- end }}
|
||||
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
|
||||
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
|
||||
{{- with .Values.authentik.mail.timeout }}
|
||||
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Logging */}}
|
||||
{{- with .Values.authentik.logging.log_level }}
|
||||
AUTHENTIK_LOG_LEVEL: {{ . }}
|
||||
{{- end }}
|
||||
{{/* General */}}
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
|
||||
{{- with .Values.authentik.general.avatars }}
|
||||
AUTHENTIK_AVATARS: {{ . }}
|
||||
{{- end }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
|
||||
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
|
||||
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
|
||||
{{- with .Values.authentik.general.footer_links }}
|
||||
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
|
||||
{{- end }}
|
||||
{{/* Error Reporting */}}
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
|
||||
{{- with .Values.authentik.error_reporting.environment }}
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
|
||||
{{- end }}
|
||||
{{/* LDAP */}}
|
||||
{{- with .Values.authentik.ldap.tls_ciphers }}
|
||||
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Outposts */}}
|
||||
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
|
||||
{{/* This configmap is loaded in both the main authentik container and worker */}}
|
||||
{{ $authServerConfigName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Listen */}}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
|
||||
|
||||
---
|
||||
{{/* This configmap is loaded in the geoip container */}}
|
||||
{{ $geoipConfigName }}:
|
||||
enabled: {{ .Values.geoip.enabled }}
|
||||
data:
|
||||
{{- with .Values.geoip.edition_ids }}
|
||||
GEOIPUPDATE_EDITION_IDS: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
|
||||
{{- with .Values.geoip.host_server }}
|
||||
GEOIPUPDATE_HOST: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
|
||||
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
|
||||
|
||||
{{/* This configmap are loaded on both main authentik container and worker */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $authServerConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Listen */}}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
|
||||
{{/* This configmap is loaded in the ldap container */}}
|
||||
{{ $ldapConfigName }}:
|
||||
enabled: {{ .Values.outposts.ldap.enabled }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
|
||||
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
|
||||
|
||||
---
|
||||
|
||||
{{/* This configmap is loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $ldapConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
|
||||
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
|
||||
|
||||
---
|
||||
|
||||
{{/* This configmap is loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $proxyConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
|
||||
|
||||
---
|
||||
|
||||
{{/* This configmap is loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $geoipConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.geoip.edition_ids }}
|
||||
GEOIPUPDATE_EDITION_IDS: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
|
||||
{{- with .Values.geoip.host_server }}
|
||||
GEOIPUPDATE_HOST: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
|
||||
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
|
||||
{{/* This configmap is loaded in the proxy container */}}
|
||||
{{ $proxyConfigName }}:
|
||||
enabled: {{ .Values.outposts.proxy.enabled }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
|
||||
{{- end -}}
|
||||
|
||||
@@ -1,20 +1,23 @@
|
||||
{{/* Define the geoip container */}}
|
||||
{{- define "authentik.geoip" -}}
|
||||
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
|
||||
imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
|
||||
{{- define "authentik.geoip.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: geoipImage
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: false
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
|
||||
{{/* TODO: Add healthchecks */}}
|
||||
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
|
||||
probes:
|
||||
readiness:
|
||||
enabled: false
|
||||
liveness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
{{- end -}}
|
||||
|
||||
@@ -1,17 +1,16 @@
|
||||
{{/* Define the ldap container */}}
|
||||
{{- define "authentik.ldap" -}}
|
||||
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
|
||||
imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
|
||||
{{- define "authentik.ldap.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: ldapImage
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
|
||||
ports:
|
||||
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
|
||||
name: ldapldaps
|
||||
@@ -21,28 +20,20 @@ ports:
|
||||
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
name: ldapmetrics
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
liveness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
startup:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
{{- end -}}
|
||||
|
||||
@@ -1,17 +1,16 @@
|
||||
{{/* Define the proxy container */}}
|
||||
{{- define "authentik.proxy" -}}
|
||||
image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
|
||||
imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
|
||||
{{- define "authentik.proxy.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: proxyImage
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
|
||||
ports:
|
||||
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
|
||||
name: proxyhttps
|
||||
@@ -21,28 +20,20 @@ ports:
|
||||
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
name: proxymetrics
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
liveness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
startup:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
{{- end -}}
|
||||
|
||||
@@ -1,106 +1,81 @@
|
||||
{{/* Define the secret */}}
|
||||
{{- define "authentik.secret" -}}
|
||||
{{/* Define the secrets */}}
|
||||
{{- define "authentik.secrets" -}}
|
||||
|
||||
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $token := randAlphaNum 128 | b64enc }}
|
||||
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $token := randAlphaNum 128 }}
|
||||
|
||||
---
|
||||
{{/* This secrets are loaded on both main authentik container and worker */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $authentikSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Secret Key */}}
|
||||
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
|
||||
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
|
||||
{{- else }}
|
||||
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
|
||||
{{- end }}
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
|
||||
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.authentik.credentials.password }}
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.host }}
|
||||
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.user }}
|
||||
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.pass }}
|
||||
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.from }}
|
||||
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{/* This secret is loaded in both the main authentik container and worker */}}
|
||||
{{ $authentikSecretName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Secret Key */}}
|
||||
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
|
||||
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
|
||||
{{- else }}
|
||||
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
|
||||
{{- end }}
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
|
||||
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.authentik.credentials.password }}
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.host }}
|
||||
AUTHENTIK_EMAIL__HOST: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.user }}
|
||||
AUTHENTIK_EMAIL__USERNAME: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.pass }}
|
||||
AUTHENTIK_EMAIL__PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.from }}
|
||||
AUTHENTIK_EMAIL__FROM: {{ . }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.geoip.enabled }}
|
||||
---
|
||||
{{/* This secrets are loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $geoipSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.geoip.account_id }}
|
||||
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.license_key }}
|
||||
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{/* Proxy */}}
|
||||
{{- with .Values.geoip.proxy }}
|
||||
GEOIPUPDATE_PROXY: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.proxy_user_pass }}
|
||||
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This secrets are loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $ldapSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.outposts.ldap.token }}
|
||||
AUTHENTIK_TOKEN: {{ . | b64enc }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
{{/* This secrets are loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $proxySecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.outposts.proxy.token }}
|
||||
AUTHENTIK_TOKEN: {{ . | b64enc }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
{{/* This secret is loaded in the geoip container */}}
|
||||
{{ $geoipSecretName }}:
|
||||
enabled: {{ .Values.geoip.enabled }}
|
||||
data:
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.geoip.account_id }}
|
||||
GEOIPUPDATE_ACCOUNT_ID: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.license_key }}
|
||||
GEOIPUPDATE_LICENSE_KEY: {{ . }}
|
||||
{{- end }}
|
||||
{{/* Proxy */}}
|
||||
{{- with .Values.geoip.proxy }}
|
||||
GEOIPUPDATE_PROXY: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.proxy_user_pass }}
|
||||
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This secret is loaded in the ldap container */}}
|
||||
{{ $ldapSecretName }}:
|
||||
enabled: {{ .Values.outposts.ldap.enabled }}
|
||||
data:
|
||||
{{- with .Values.outposts.ldap.token }}
|
||||
AUTHENTIK_TOKEN: {{ . }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This secret is loaded in the proxy container */}}
|
||||
{{ $proxySecretName }}:
|
||||
enabled: {{ .Values.outposts.proxy.enabled }}
|
||||
data:
|
||||
{{- with .Values.outposts.proxy.token }}
|
||||
AUTHENTIK_TOKEN: {{ . }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,52 +1,31 @@
|
||||
{{/* Define the worker container */}}
|
||||
{{- define "authentik.worker" -}}
|
||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
|
||||
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
|
||||
{{- define "authentik.worker.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: image
|
||||
args: ["worker"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
|
||||
volumeMounts:
|
||||
- name: media
|
||||
mountPath: "/media"
|
||||
- name: templates
|
||||
mountPath: "/templates"
|
||||
- name: certs
|
||||
mountPath: "/certs"
|
||||
- name: geoip
|
||||
mountPath: "/geoip"
|
||||
readinessProbe:
|
||||
exec:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
liveness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
exec:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
startup:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
{{- end -}}
|
||||
|
||||
@@ -1,30 +1,31 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.common.loader.init" . }}
|
||||
{{- include "tc.v1.common.loader.init" . }}
|
||||
|
||||
{{/* Render secret */}}
|
||||
{{- include "authentik.secret" . }}
|
||||
|
||||
{{/* Render config */}}
|
||||
{{- include "authentik.config" . }}
|
||||
|
||||
{{- if hasKey .Values "metrics" -}}
|
||||
{{- if .Values.metrics.enabled -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
|
||||
{{/* Render secrets for authentik and friends */}}
|
||||
{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
|
||||
{{- if $authentikSecrets -}}
|
||||
{{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
|
||||
{{- $_ := set .Values "secret" $secrets -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render configmaps for authentik and friends */}}
|
||||
{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
|
||||
{{- if $authentikConfigmaps -}}
|
||||
{{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
|
||||
{{- $_ := set .Values "configmap" $configmaps -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- if .Values.workerContainer.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.geoip.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.ldap.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
|
||||
{{/* - if .Values.metrics.enabled - */}}
|
||||
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
@@ -33,7 +34,7 @@
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.proxy.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
|
||||
{{/* - if .Values.metrics.enabled - */}}
|
||||
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
@@ -42,4 +43,4 @@
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.common.loader.apply" . }}
|
||||
{{ include "tc.v1.common.loader.apply" . }}
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "tc.common.names.fullname" . }}
|
||||
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
{{- with .Values.metrics.prometheusRule.labels }}
|
||||
@@ -11,7 +11,7 @@ metadata:
|
||||
{{- end }}
|
||||
spec:
|
||||
groups:
|
||||
- name: {{ include "tc.common.names.fullname" . }}
|
||||
- name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
rules:
|
||||
{{- with .Values.metrics.prometheusRule.rules }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "tc.common.names.fullname" . }}
|
||||
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
{{- with .Values.metrics.serviceMonitor.labels }}
|
||||
|
||||
@@ -18,14 +18,200 @@ proxyImage:
|
||||
tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
args: ["server"]
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
container:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
workload:
|
||||
main:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
args: ["server"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
|
||||
probes:
|
||||
liveness:
|
||||
type: https
|
||||
path: /-/health/live/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
readiness:
|
||||
type: https
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
startup:
|
||||
type: https
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
protocol: https
|
||||
port: 10229
|
||||
targetPort: 9443
|
||||
http:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
http:
|
||||
enabled: true
|
||||
protocol: http
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
# LDAP Outpost Services
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
port: 636
|
||||
targetPort: 6636
|
||||
ldapldap:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldap:
|
||||
enabled: true
|
||||
port: 389
|
||||
targetPort: 3389
|
||||
# Proxy Outpost Services
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
ports:
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
port: 10233
|
||||
protocol: https
|
||||
targetPort: 9444
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
port: 10234
|
||||
protocol: http
|
||||
targetPort: 9001
|
||||
# Metrics Services
|
||||
metrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
protocol: http
|
||||
port: 10231
|
||||
targetPort: 9301
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
port: 10232
|
||||
protocol: http
|
||||
targetPort: 9302
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
port: 10235
|
||||
protocol: http
|
||||
targetPort: 9303
|
||||
|
||||
metrics:
|
||||
# TODO
|
||||
main:
|
||||
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
enabled: false
|
||||
type: "servicemonitor"
|
||||
endpoints:
|
||||
- port: main
|
||||
path: /metrics
|
||||
interval: 1m
|
||||
scrapeTimeout: 30s
|
||||
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
labels: {}
|
||||
# -- Configure additionial rules for the chart under this key.
|
||||
# @default -- See prometheusrules.yaml
|
||||
rules:
|
||||
[]
|
||||
# - alert: UnifiPollerAbsent
|
||||
# annotations:
|
||||
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||||
# summary: Unifi Poller is down.
|
||||
# expr: |
|
||||
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
|
||||
ingress:
|
||||
proxyhttps:
|
||||
autoLink: true
|
||||
|
||||
# Target selectors taken from authentik's compose file:
|
||||
# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
mountPath: "/media"
|
||||
targetSelector:
|
||||
main:
|
||||
main: {}
|
||||
worker: {}
|
||||
templates:
|
||||
enabled: true
|
||||
mountPath: "/templates"
|
||||
targetSelector:
|
||||
main:
|
||||
main: {}
|
||||
worker: {}
|
||||
certs:
|
||||
enabled: true
|
||||
mountPath: "/certs"
|
||||
targetSelector:
|
||||
main:
|
||||
worker: {}
|
||||
geoip:
|
||||
enabled: true
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
targetSelector:
|
||||
main:
|
||||
geoip: {}
|
||||
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: authentik
|
||||
database: authentik
|
||||
|
||||
cnpgProvider:
|
||||
port: 5432
|
||||
|
||||
# Enabled redis
|
||||
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
|
||||
redis:
|
||||
enabled: true
|
||||
|
||||
redisProvider:
|
||||
port: 6379
|
||||
|
||||
workerContainer:
|
||||
enabled: true
|
||||
@@ -62,6 +248,7 @@ authentik:
|
||||
log_level: "info"
|
||||
ldap:
|
||||
tls_ciphers: "null"
|
||||
|
||||
geoip:
|
||||
enabled: false
|
||||
account_id: ""
|
||||
@@ -98,161 +285,6 @@ outposts:
|
||||
# -- Token is only needed if you accidentally deleted the token within the UI
|
||||
# token: ""
|
||||
|
||||
metrics:
|
||||
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
interval: 1m
|
||||
scrapeTimeout: 30s
|
||||
labels: {}
|
||||
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
useDefault: true
|
||||
labels: {}
|
||||
# -- Configure additional rules for the chart under this key.
|
||||
# @default -- See prometheusrules.yaml
|
||||
rules:
|
||||
[]
|
||||
# - alert: UnifiPollerAbsent
|
||||
# annotations:
|
||||
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||||
# summary: Unifi Poller is down.
|
||||
# expr: |
|
||||
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
type: HTTPS
|
||||
path: /-/health/live/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
readiness:
|
||||
type: HTTPS
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
startup:
|
||||
type: HTTPS
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
protocol: HTTPS
|
||||
port: 10229
|
||||
targetPort: 9443
|
||||
http:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
http:
|
||||
enabled: true
|
||||
protocol: HTTP
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
# LDAP Outpost Services
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
port: 636
|
||||
targetPort: 6636
|
||||
ldapldap:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldap:
|
||||
enabled: true
|
||||
port: 389
|
||||
targetPort: 3389
|
||||
# Proxy Outpost Services
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
ports:
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
port: 10233
|
||||
protocol: HTTPS
|
||||
targetPort: 9444
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
port: 10234
|
||||
protocol: HTTP
|
||||
targetPort: 9001
|
||||
# Metrics Services
|
||||
metrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
protocol: HTTP
|
||||
port: 10231
|
||||
targetPort: 9301
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
port: 10232
|
||||
protocol: HTTP
|
||||
targetPort: 9302
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
port: 10235
|
||||
protocol: HTTP
|
||||
targetPort: 9303
|
||||
|
||||
ingress:
|
||||
proxyhttps:
|
||||
autoLink: true
|
||||
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
mountPath: "/media"
|
||||
templates:
|
||||
enabled: true
|
||||
mountPath: "/templates"
|
||||
certs:
|
||||
enabled: true
|
||||
mountPath: "/certs"
|
||||
geoip:
|
||||
enabled: true
|
||||
mountPath: "/geoip"
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
existingSecret: "dbcreds"
|
||||
postgresqlUsername: authentik
|
||||
postgresqlDatabase: authentik
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
existingSecret: "rediscreds"
|
||||
|
||||
portal:
|
||||
enabled: true
|
||||
open:
|
||||
enabled: true
|
||||
|
||||
Reference in New Issue
Block a user