feat(authentik): BREAKING CHANGE Port to new common (#9426)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [X] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [X] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->
- Installed on native Helm
- Logged in with the bootstrapped password
- Created LDAP and Proxy outposts
- Copied their tokens
- Enabled the outposts in values.yaml and overrode their tokens (this is
necessary to circumvent a known bug
(https://github.com/truecharts/charts/issues/7390) - the bootstrap token
cannot be used by an outpost, so in the future, the overriding of the
token must become mandatory but that's for another PR)
- Logged back in authentik, confirmed the 2 outposts are showing as
healthy in its UI


**📃 Notes:**
<!-- Please enter any other relevant information here -->

- I tried to make the minimal amount of changes necessary to port this
to the new common, in order to keep the diff and this PR as small as
possible
- One small exception to the above, this PR also closes #6986 , since
this was basically 1 line change in the persistence dict
- I have bumped the chart's major revision but i am keeping it in the
incubator train for now for 2 reasons:
* It can get tested by the community (this is my first app port to the
new common)
* There are a few of TODOs left in there (1 by me and several by
others), as well as a couple of known bugs in the chart, which I would
like to address in separate PRs
- I am assuming that `questions.yaml` needs no changes (since I haven't
changed the data structure in `values.yaml`, apart from the necessary
changes to port to new common). I have NOT tested this, so do let me
know if I need to take a look at this and make changes.

**✔️ Checklist:**

- [X] ⚖️ My code follows the style guidelines of this project
- [X] 👀 I have performed a self-review of my own code
- [X] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [X] ⚠️ My changes generate no new warnings
- [X] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [X] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
Co-authored-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
This commit is contained in:
sdimovv
2023-06-10 12:02:00 +01:00
committed by GitHub
parent 382bcfcc04
commit 2199889a49
12 changed files with 469 additions and 525 deletions
+3 -7
View File
@@ -3,15 +3,11 @@ appVersion: "2023.4.1"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.1.2
- condition: postgresql.enabled
name: postgresql
repository: https://deps.truecharts.org/
version: 11.0.31
version: 12.10.4
- condition: redis.enabled
name: redis
repository: https://deps.truecharts.org
version: 5.0.33
version: 6.0.46
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
home: https://truecharts.org/charts/incubator/authentik
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
@@ -27,7 +23,7 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 11.0.0
version: 12.0.0
annotations:
truecharts.org/catagories: |
- authentication
@@ -0,0 +1 @@
{{- include "tc.v1.common.lib.chart.notes" $ -}}
+104 -129
View File
@@ -1,11 +1,12 @@
{{/* Define the configmap */}}
{{- define "authentik.config" -}}
{{/* Define the configmaps */}}
{{- define "authentik.configmaps" -}}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
{{- if .Values.ingress.main.enabled }}
{{ $first := (first .Values.ingress.main.hosts) }}
@@ -14,130 +15,104 @@
{{- end }}
{{- end }}
---
{{/* This configmap is loaded in both the main authentik container and worker */}}
{{ $authServerWorkerConfigName }}:
enabled: true
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
{{- with $redis := .Values.redisProvider }}
AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
{{- end }}
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
{{- with $cnpg := .Values.cnpgProvider }}
AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerWorkerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
AUTHENTIK_REDIS__PORT: "6379"
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
AUTHENTIK_POSTGRESQL__PORT: "5432"
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
{{/* This configmap is loaded in both the main authentik container and worker */}}
{{ $authServerConfigName }}:
enabled: true
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
---
{{/* This configmap is loaded in the geoip container */}}
{{ $geoipConfigName }}:
enabled: {{ .Values.geoip.enabled }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
{{/* This configmap is loaded in the ldap container */}}
{{ $ldapConfigName }}:
enabled: {{ .Values.outposts.ldap.enabled }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $proxyConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $geoipConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{/* This configmap is loaded in the proxy container */}}
{{ $proxyConfigName }}:
enabled: {{ .Values.outposts.proxy.enabled }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
{{- end -}}
+13 -10
View File
@@ -1,20 +1,23 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip" -}}
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
{{- define "authentik.geoip.container" -}}
enabled: true
primary: false
imageSelector: geoipImage
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
runAsNonRoot: false
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
probes:
readiness:
enabled: false
liveness:
enabled: false
startup:
enabled: false
{{- end -}}
+16 -25
View File
@@ -1,17 +1,16 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
{{- define "authentik.ldap.container" -}}
enabled: true
primary: false
imageSelector: ldapImage
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
ports:
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
name: ldapldaps
@@ -21,28 +20,20 @@ ports:
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
name: ldapmetrics
{{- end }}
readinessProbe:
httpGet:
probes:
readiness:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
liveness:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
startup:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
+16 -25
View File
@@ -1,17 +1,16 @@
{{/* Define the proxy container */}}
{{- define "authentik.proxy" -}}
image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
{{- define "authentik.proxy.container" -}}
enabled: true
primary: false
imageSelector: proxyImage
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
ports:
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
name: proxyhttps
@@ -21,28 +20,20 @@ ports:
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
name: proxymetrics
{{- end }}
readinessProbe:
httpGet:
probes:
readiness:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
liveness:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
startup:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
+77 -102
View File
@@ -1,106 +1,81 @@
{{/* Define the secret */}}
{{- define "authentik.secret" -}}
{{/* Define the secrets */}}
{{- define "authentik.secrets" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
{{- $token := randAlphaNum 128 | b64enc }}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $token := randAlphaNum 128 }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $authentikSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
{{/* This secret is loaded in both the main authentik container and worker */}}
{{ $authentikSecretName }}:
enabled: true
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . }}
{{- end }}
{{- if .Values.geoip.enabled }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $geoipSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $proxySecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{/* This secret is loaded in the geoip container */}}
{{ $geoipSecretName }}:
enabled: {{ .Values.geoip.enabled }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
{{- end }}
{{/* This secret is loaded in the ldap container */}}
{{ $ldapSecretName }}:
enabled: {{ .Values.outposts.ldap.enabled }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{/* This secret is loaded in the proxy container */}}
{{ $proxySecretName }}:
enabled: {{ .Values.outposts.proxy.enabled }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{- end }}
@@ -1,52 +1,31 @@
{{/* Define the worker container */}}
{{- define "authentik.worker" -}}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- define "authentik.worker.container" -}}
enabled: true
primary: false
imageSelector: image
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
readinessProbe:
exec:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
probes:
readiness:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
- /lifecycle/ak
- healthcheck
liveness:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
- /lifecycle/ak
- healthcheck
startup:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: 10
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
- /lifecycle/ak
- healthcheck
{{- end -}}
@@ -1,30 +1,31 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{- include "tc.v1.common.loader.init" . }}
{{/* Render secret */}}
{{- include "authentik.secret" . }}
{{/* Render config */}}
{{- include "authentik.config" . }}
{{- if hasKey .Values "metrics" -}}
{{- if .Values.metrics.enabled -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
{{/* Render secrets for authentik and friends */}}
{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
{{- if $authentikSecrets -}}
{{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
{{- $_ := set .Values "secret" $secrets -}}
{{- end -}}
{{/* Render configmaps for authentik and friends */}}
{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
{{- if $authentikConfigmaps -}}
{{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
{{- $_ := set .Values "configmap" $configmaps -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
@@ -33,7 +34,7 @@
{{- end -}}
{{- if .Values.outposts.proxy.enabled -}}
{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
@@ -42,4 +43,4 @@
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}
{{ include "tc.v1.common.loader.apply" . }}
@@ -3,7 +3,7 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "tc.common.names.fullname" . }}
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.labels }}
@@ -11,7 +11,7 @@ metadata:
{{- end }}
spec:
groups:
- name: {{ include "tc.common.names.fullname" . }}
- name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
rules:
{{- with .Values.metrics.prometheusRule.rules }}
{{- toYaml . | nindent 8 }}
@@ -3,7 +3,7 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "tc.common.names.fullname" . }}
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.labels }}
+196 -164
View File
@@ -18,14 +18,200 @@ proxyImage:
tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
pullPolicy: IfNotPresent
args: ["server"]
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
securityContext:
readOnlyRootFilesystem: false
container:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: false
workload:
main:
replicas: 1
strategy: RollingUpdate
podSpec:
containers:
main:
args: ["server"]
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: https
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: https
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: https
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: https
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: http
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: https
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: http
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: http
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: http
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: http
targetPort: 9303
metrics:
# TODO
main:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
type: "servicemonitor"
endpoints:
- port: main
path: /metrics
interval: 1m
scrapeTimeout: 30s
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
labels: {}
# -- Configure additionial rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
ingress:
proxyhttps:
autoLink: true
# Target selectors taken from authentik's compose file:
# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
persistence:
media:
enabled: true
mountPath: "/media"
targetSelector:
main:
main: {}
worker: {}
templates:
enabled: true
mountPath: "/templates"
targetSelector:
main:
main: {}
worker: {}
certs:
enabled: true
mountPath: "/certs"
targetSelector:
main:
worker: {}
geoip:
enabled: true
mountPath: "/usr/share/GeoIP"
targetSelector:
main:
geoip: {}
cnpg:
main:
enabled: true
user: authentik
database: authentik
cnpgProvider:
port: 5432
# Enabled redis
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
redis:
enabled: true
redisProvider:
port: 6379
workerContainer:
enabled: true
@@ -62,6 +248,7 @@ authentik:
log_level: "info"
ldap:
tls_ciphers: "null"
geoip:
enabled: false
account_id: ""
@@ -98,161 +285,6 @@ outposts:
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
metrics:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
serviceMonitor:
interval: 1m
scrapeTimeout: 30s
labels: {}
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
useDefault: true
labels: {}
# -- Configure additional rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: HTTPS
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: HTTPS
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: HTTP
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: HTTPS
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: HTTP
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: HTTP
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: HTTP
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: HTTP
targetPort: 9303
ingress:
proxyhttps:
autoLink: true
persistence:
media:
enabled: true
mountPath: "/media"
templates:
enabled: true
mountPath: "/templates"
certs:
enabled: true
mountPath: "/certs"
geoip:
enabled: true
mountPath: "/geoip"
postgresql:
enabled: true
existingSecret: "dbcreds"
postgresqlUsername: authentik
postgresqlDatabase: authentik
redis:
enabled: true
existingSecret: "rediscreds"
portal:
enabled: true
open:
enabled: true