From 2199889a49c58f8a69d9d4334e685849aeb4d2f7 Mon Sep 17 00:00:00 2001 From: sdimovv <36302090+sdimovv@users.noreply.github.com> Date: Sat, 10 Jun 2023 12:02:00 +0100 Subject: [PATCH] feat(authentik): BREAKING CHANGE Port to new common (#9426) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** ⚒️ Fixes # **⚙️ Type of change** - [X] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [X] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** - Installed on native Helm - Logged in with the bootstrapped password - Created LDAP and Proxy outposts - Copied their tokens - Enabled the outposts in values.yaml and overrode their tokens (this is necessary to circumvent a known bug (https://github.com/truecharts/charts/issues/7390) - the bootstrap token cannot be used by an outpost, so in the future, the overriding of the token must become mandatory but that's for another PR) - Logged back in authentik, confirmed the 2 outposts are showing as healthy in its UI **📃 Notes:** - I tried to make the minimal amount of changes necessary to port this to the new common, in order to keep the diff and this PR as small as possible - One small exception to the above, this PR also closes #6986 , since this was basically 1 line change in the persistence dict - I have bumped the chart's major revision but i am keeping it in the incubator train for now for 2 reasons: * It can get tested by the community (this is my first app port to the new common) * There are a few of TODOs left in there (1 by me and several by others), as well as a couple of known bugs in the chart, which I would like to address in separate PRs - I am assuming that `questions.yaml` needs no changes (since I haven't changed the data structure in `values.yaml`, apart from the necessary changes to port to new common). I have NOT tested this, so do let me know if I need to take a look at this and make changes. **✔️ Checklist:** - [X] ⚖️ My code follows the style guidelines of this project - [X] 👀 I have performed a self-review of my own code - [X] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [X] ⚠️ My changes generate no new warnings - [X] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [X] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: Kjeld Schouten Co-authored-by: Kjeld Schouten --- charts/incubator/authentik/Chart.yaml | 10 +- .../incubator/authentik/templates/NOTES.txt | 1 + .../incubator/authentik/templates/_config.tpl | 233 +++++------- .../incubator/authentik/templates/_geoip.tpl | 23 +- .../incubator/authentik/templates/_ldap.tpl | 41 +- .../incubator/authentik/templates/_proxy.tpl | 41 +- .../incubator/authentik/templates/_secret.tpl | 179 ++++----- .../incubator/authentik/templates/_worker.tpl | 65 ++-- .../incubator/authentik/templates/common.yaml | 35 +- .../authentik/templates/prometheusrules.yaml | 4 +- .../authentik/templates/servicemonitor.yaml | 2 +- charts/incubator/authentik/values.yaml | 360 ++++++++++-------- 12 files changed, 469 insertions(+), 525 deletions(-) create mode 100644 charts/incubator/authentik/templates/NOTES.txt diff --git a/charts/incubator/authentik/Chart.yaml b/charts/incubator/authentik/Chart.yaml index 700b76d52fd..52fcc61588f 100644 --- a/charts/incubator/authentik/Chart.yaml +++ b/charts/incubator/authentik/Chart.yaml @@ -3,15 +3,11 @@ appVersion: "2023.4.1" dependencies: - name: common repository: https://library-charts.truecharts.org - version: 11.1.2 - - condition: postgresql.enabled - name: postgresql - repository: https://deps.truecharts.org/ - version: 11.0.31 + version: 12.10.4 - condition: redis.enabled name: redis repository: https://deps.truecharts.org - version: 5.0.33 + version: 6.0.46 description: authentik is an open-source Identity Provider focused on flexibility and versatility. home: https://truecharts.org/charts/incubator/authentik icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png @@ -27,7 +23,7 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik - https://github.com/goauthentik/authentik - https://goauthentik.io/docs/ -version: 11.0.0 +version: 12.0.0 annotations: truecharts.org/catagories: | - authentication diff --git a/charts/incubator/authentik/templates/NOTES.txt b/charts/incubator/authentik/templates/NOTES.txt new file mode 100644 index 00000000000..efcb74cb772 --- /dev/null +++ b/charts/incubator/authentik/templates/NOTES.txt @@ -0,0 +1 @@ +{{- include "tc.v1.common.lib.chart.notes" $ -}} diff --git a/charts/incubator/authentik/templates/_config.tpl b/charts/incubator/authentik/templates/_config.tpl index cc02f68e54e..04b8874a8f3 100644 --- a/charts/incubator/authentik/templates/_config.tpl +++ b/charts/incubator/authentik/templates/_config.tpl @@ -1,11 +1,12 @@ -{{/* Define the configmap */}} -{{- define "authentik.config" -}} +{{/* Define the configmaps */}} +{{- define "authentik.configmaps" -}} + +{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }} -{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }} -{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }} -{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }} -{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }} -{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }} {{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }} {{- if .Values.ingress.main.enabled }} {{ $first := (first .Values.ingress.main.hosts) }} @@ -14,130 +15,104 @@ {{- end }} {{- end }} ---- +{{/* This configmap is loaded in both the main authentik container and worker */}} +{{ $authServerWorkerConfigName }}: + enabled: true + data: + {{/* Dependencies */}} + AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }} + {{- with $redis := .Values.redisProvider }} + AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }} + {{- end }} + AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }} + AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }} + AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }} + {{- with $cnpg := .Values.cnpgProvider }} + AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }} + {{- end }} + {{/* Mail */}} + {{- with .Values.authentik.mail.port }} + AUTHENTIK_EMAIL__PORT: {{ . | quote }} + {{- end }} + AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }} + AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }} + {{- with .Values.authentik.mail.timeout }} + AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }} + {{- end }} + {{/* Logging */}} + {{- with .Values.authentik.logging.log_level }} + AUTHENTIK_LOG_LEVEL: {{ . }} + {{- end }} + {{/* General */}} + AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }} + AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }} + {{- with .Values.authentik.general.avatars }} + AUTHENTIK_AVATARS: {{ . }} + {{- end }} + AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }} + AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }} + AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }} + AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }} + AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }} + AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }} + {{- with .Values.authentik.general.footer_links }} + AUTHENTIK_FOOTER_LINKS: {{ . | squote }} + {{- end }} + {{/* Error Reporting */}} + AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }} + AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }} + {{- with .Values.authentik.error_reporting.environment }} + AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }} + {{- end }} + {{/* LDAP */}} + {{- with .Values.authentik.ldap.tls_ciphers }} + AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }} + {{- end }} + {{/* Outposts */}} + AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }} -{{/* This configmap are loaded on both main authentik container and worker */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $authServerWorkerConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{/* Dependencies */}} - AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }} - AUTHENTIK_REDIS__PORT: "6379" - AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }} - AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }} - AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }} - AUTHENTIK_POSTGRESQL__PORT: "5432" - {{/* Mail */}} - {{- with .Values.authentik.mail.port }} - AUTHENTIK_EMAIL__PORT: {{ . | quote }} - {{- end }} - AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }} - AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }} - {{- with .Values.authentik.mail.timeout }} - AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }} - {{- end }} - {{/* Logging */}} - {{- with .Values.authentik.logging.log_level }} - AUTHENTIK_LOG_LEVEL: {{ . }} - {{- end }} - {{/* General */}} - AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }} - AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }} - {{- with .Values.authentik.general.avatars }} - AUTHENTIK_AVATARS: {{ . }} - {{- end }} - AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }} - AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }} - AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }} - AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }} - AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }} - AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }} - {{- with .Values.authentik.general.footer_links }} - AUTHENTIK_FOOTER_LINKS: {{ . | squote }} - {{- end }} - {{/* Error Reporting */}} - AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }} - AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }} - {{- with .Values.authentik.error_reporting.environment }} - AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }} - {{- end }} - {{/* LDAP */}} - {{- with .Values.authentik.ldap.tls_ciphers }} - AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }} - {{- end }} - {{/* Outposts */}} - AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }} +{{/* This configmap is loaded in both the main authentik container and worker */}} +{{ $authServerConfigName }}: + enabled: true + data: + {{/* Listen */}} + AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }} + AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }} + AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }} ---- +{{/* This configmap is loaded in the geoip container */}} +{{ $geoipConfigName }}: + enabled: {{ .Values.geoip.enabled }} + data: + {{- with .Values.geoip.edition_ids }} + GEOIPUPDATE_EDITION_IDS: {{ . }} + {{- end }} + GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }} + {{- with .Values.geoip.host_server }} + GEOIPUPDATE_HOST: {{ . }} + {{- end }} + GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }} + GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }} -{{/* This configmap are loaded on both main authentik container and worker */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $authServerConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{/* Listen */}} - AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }} - AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }} - AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }} +{{/* This configmap is loaded in the ldap container */}} +{{ $ldapConfigName }}: + enabled: {{ .Values.outposts.ldap.enabled }} + data: + AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }} + AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }} + AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }} + AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }} + AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }} + AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }} ---- - -{{/* This configmap is loaded on ldap container */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $ldapConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }} - AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }} - AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }} - AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }} - AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }} - AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }} - ---- - -{{/* This configmap is loaded on ldap container */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $proxyConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }} - AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }} - AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }} - AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }} - AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }} - AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }} - ---- - -{{/* This configmap is loaded on geoip container */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $geoipConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{- with .Values.geoip.edition_ids }} - GEOIPUPDATE_EDITION_IDS: {{ . }} - {{- end }} - GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }} - {{- with .Values.geoip.host_server }} - GEOIPUPDATE_HOST: {{ . }} - {{- end }} - GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }} - GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }} +{{/* This configmap is loaded in the proxy container */}} +{{ $proxyConfigName }}: + enabled: {{ .Values.outposts.proxy.enabled }} + data: + AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }} + AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }} + AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }} + AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }} + AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }} + AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }} {{- end -}} diff --git a/charts/incubator/authentik/templates/_geoip.tpl b/charts/incubator/authentik/templates/_geoip.tpl index 054ec154774..aa7032d9e38 100644 --- a/charts/incubator/authentik/templates/_geoip.tpl +++ b/charts/incubator/authentik/templates/_geoip.tpl @@ -1,20 +1,23 @@ {{/* Define the geoip container */}} -{{- define "authentik.geoip" -}} -image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }} -imagePullPolicy: {{ .Values.geoipImage.pullPolicy }} +{{- define "authentik.geoip.container" -}} +enabled: true +primary: false +imageSelector: geoipImage securityContext: runAsUser: 0 runAsGroup: 0 - readOnlyRootFilesystem: false - runAsNonRoot: false -volumeMounts: - - name: geoip - mountPath: "/usr/share/GeoIP" envFrom: - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-geoip-secret' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret' - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-geoip-config' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config' {{/* TODO: Add healthchecks */}} {{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}} +probes: + readiness: + enabled: false + liveness: + enabled: false + startup: + enabled: false {{- end -}} diff --git a/charts/incubator/authentik/templates/_ldap.tpl b/charts/incubator/authentik/templates/_ldap.tpl index 0d8f42742b1..b54a71c7674 100644 --- a/charts/incubator/authentik/templates/_ldap.tpl +++ b/charts/incubator/authentik/templates/_ldap.tpl @@ -1,17 +1,16 @@ {{/* Define the ldap container */}} -{{- define "authentik.ldap" -}} -image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }} -imagePullPolicy: {{ .Values.ldapImage.pullPolicy }} +{{- define "authentik.ldap.container" -}} +enabled: true +primary: false +imageSelector: ldapImage securityContext: - runAsUser: {{ .Values.podSecurityContext.runAsUser }} - runAsGroup: {{ .Values.podSecurityContext.runAsGroup }} readOnlyRootFilesystem: true runAsNonRoot: true envFrom: - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-ldap-secret' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret' - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-ldap-config' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config' ports: - containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }} name: ldapldaps @@ -21,28 +20,20 @@ ports: - containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }} name: ldapmetrics {{- end }} -readinessProbe: - httpGet: +probes: + readiness: + enabled: true + type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} -livenessProbe: - httpGet: + liveness: + enabled: true + type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} -startupProbe: - httpGet: + startup: + enabled: true + type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} {{- end -}} diff --git a/charts/incubator/authentik/templates/_proxy.tpl b/charts/incubator/authentik/templates/_proxy.tpl index c28161c585c..911c571403a 100644 --- a/charts/incubator/authentik/templates/_proxy.tpl +++ b/charts/incubator/authentik/templates/_proxy.tpl @@ -1,17 +1,16 @@ {{/* Define the proxy container */}} -{{- define "authentik.proxy" -}} -image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }} -imagePullPolicy: {{ .Values.proxyImage.pullPolicy }} +{{- define "authentik.proxy.container" -}} +enabled: true +primary: false +imageSelector: proxyImage securityContext: - runAsUser: {{ .Values.podSecurityContext.runAsUser }} - runAsGroup: {{ .Values.podSecurityContext.runAsGroup }} readOnlyRootFilesystem: true runAsNonRoot: true envFrom: - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-proxy-secret' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret' - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-proxy-config' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config' ports: - containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }} name: proxyhttps @@ -21,28 +20,20 @@ ports: - containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }} name: proxymetrics {{- end }} -readinessProbe: - httpGet: +probes: + readiness: + enabled: true + type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} -livenessProbe: - httpGet: + liveness: + enabled: true + type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} -startupProbe: - httpGet: + startup: + enabled: true + type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }} path: /outpost.goauthentik.io/ping port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }} - initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} {{- end -}} diff --git a/charts/incubator/authentik/templates/_secret.tpl b/charts/incubator/authentik/templates/_secret.tpl index f7d39c68ef6..3f4b1957b86 100644 --- a/charts/incubator/authentik/templates/_secret.tpl +++ b/charts/incubator/authentik/templates/_secret.tpl @@ -1,106 +1,81 @@ -{{/* Define the secret */}} -{{- define "authentik.secret" -}} +{{/* Define the secrets */}} +{{- define "authentik.secrets" -}} -{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }} -{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }} -{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }} -{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }} -{{- $token := randAlphaNum 128 | b64enc }} +{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }} +{{- $token := randAlphaNum 128 }} ---- -{{/* This secrets are loaded on both main authentik container and worker */}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ $authentikSecretName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{/* Secret Key */}} - {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }} - AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }} - {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }} - {{- else }} - AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }} - {{- end }} - AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }} - {{/* Dependencies */}} - AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }} - AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }} - {{/* Credentials */}} - {{- with .Values.authentik.credentials.password }} - AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }} - {{- end }} - {{/* Mail */}} - {{- with .Values.authentik.mail.host }} - AUTHENTIK_EMAIL__HOST: {{ . | b64enc }} - {{- end }} - {{- with .Values.authentik.mail.user }} - AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }} - {{- end }} - {{- with .Values.authentik.mail.pass }} - AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }} - {{- end }} - {{- with .Values.authentik.mail.from }} - AUTHENTIK_EMAIL__FROM: {{ . | b64enc }} - {{- end }} +{{/* This secret is loaded in both the main authentik container and worker */}} +{{ $authentikSecretName }}: + enabled: true + data: + {{/* Secret Key */}} + {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }} + AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }} + {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }} + {{- else }} + AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }} + {{- end }} + AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }} + {{/* Dependencies */}} + AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }} + AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }} + {{/* Credentials */}} + {{- with .Values.authentik.credentials.password }} + AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }} + {{- end }} + {{/* Mail */}} + {{- with .Values.authentik.mail.host }} + AUTHENTIK_EMAIL__HOST: {{ . }} + {{- end }} + {{- with .Values.authentik.mail.user }} + AUTHENTIK_EMAIL__USERNAME: {{ . }} + {{- end }} + {{- with .Values.authentik.mail.pass }} + AUTHENTIK_EMAIL__PASSWORD: {{ . }} + {{- end }} + {{- with .Values.authentik.mail.from }} + AUTHENTIK_EMAIL__FROM: {{ . }} + {{- end }} -{{- if .Values.geoip.enabled }} ---- -{{/* This secrets are loaded on geoip container */}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ $geoipSecretName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{/* Credentials */}} - {{- with .Values.geoip.account_id }} - GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }} - {{- end }} - {{- with .Values.geoip.license_key }} - GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }} - {{- end }} - {{/* Proxy */}} - {{- with .Values.geoip.proxy }} - GEOIPUPDATE_PROXY: {{ . | b64enc }} - {{- end }} - {{- with .Values.geoip.proxy_user_pass }} - GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }} - {{- end }} -{{- end }} ---- -{{/* This secrets are loaded on ldap container */}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ $ldapSecretName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{- with .Values.outposts.ldap.token }} - AUTHENTIK_TOKEN: {{ . | b64enc }} - {{- else }} - AUTHENTIK_TOKEN: {{ $token }} - {{- end }} - ---- -{{/* This secrets are loaded on ldap container */}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ $proxySecretName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{- with .Values.outposts.proxy.token }} - AUTHENTIK_TOKEN: {{ . | b64enc }} - {{- else }} - AUTHENTIK_TOKEN: {{ $token }} - {{- end }} +{{/* This secret is loaded in the geoip container */}} +{{ $geoipSecretName }}: + enabled: {{ .Values.geoip.enabled }} + data: + {{/* Credentials */}} + {{- with .Values.geoip.account_id }} + GEOIPUPDATE_ACCOUNT_ID: {{ . }} + {{- end }} + {{- with .Values.geoip.license_key }} + GEOIPUPDATE_LICENSE_KEY: {{ . }} + {{- end }} + {{/* Proxy */}} + {{- with .Values.geoip.proxy }} + GEOIPUPDATE_PROXY: {{ . }} + {{- end }} + {{- with .Values.geoip.proxy_user_pass }} + GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }} + {{- end }} + +{{/* This secret is loaded in the ldap container */}} +{{ $ldapSecretName }}: + enabled: {{ .Values.outposts.ldap.enabled }} + data: + {{- with .Values.outposts.ldap.token }} + AUTHENTIK_TOKEN: {{ . }} + {{- else }} + AUTHENTIK_TOKEN: {{ $token }} + {{- end }} + +{{/* This secret is loaded in the proxy container */}} +{{ $proxySecretName }}: + enabled: {{ .Values.outposts.proxy.enabled }} + data: + {{- with .Values.outposts.proxy.token }} + AUTHENTIK_TOKEN: {{ . }} + {{- else }} + AUTHENTIK_TOKEN: {{ $token }} + {{- end }} {{- end }} diff --git a/charts/incubator/authentik/templates/_worker.tpl b/charts/incubator/authentik/templates/_worker.tpl index def8506b9f1..28457cb2b33 100644 --- a/charts/incubator/authentik/templates/_worker.tpl +++ b/charts/incubator/authentik/templates/_worker.tpl @@ -1,52 +1,31 @@ {{/* Define the worker container */}} -{{- define "authentik.worker" -}} -image: {{ .Values.image.repository }}:{{ .Values.image.tag }} -imagePullPolicy: {{ .Values.image.pullPolicy }} -securityContext: - runAsUser: {{ .Values.podSecurityContext.runAsUser }} - runAsGroup: {{ .Values.podSecurityContext.runAsGroup }} - readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }} - runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} +{{- define "authentik.worker.container" -}} +enabled: true +primary: false +imageSelector: image args: ["worker"] envFrom: - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-authentik-secret' + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret' - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-authentik-config' -volumeMounts: - - name: media - mountPath: "/media" - - name: templates - mountPath: "/templates" - - name: certs - mountPath: "/certs" - - name: geoip - mountPath: "/geoip" -readinessProbe: - exec: + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config' +probes: + readiness: + enabled: true + type: exec command: - - /lifecycle/ak - - healthcheck - initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} -livenessProbe: - exec: + - /lifecycle/ak + - healthcheck + liveness: + enabled: true + type: exec command: - - /lifecycle/ak - - healthcheck - initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} - periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} -startupProbe: - exec: + - /lifecycle/ak + - healthcheck + startup: + enabled: true + type: exec command: - - /lifecycle/ak - - healthcheck - initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} - timeoutSeconds: 10 - periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} - failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} + - /lifecycle/ak + - healthcheck {{- end -}} diff --git a/charts/incubator/authentik/templates/common.yaml b/charts/incubator/authentik/templates/common.yaml index 8d610c2e55e..6e93d973082 100644 --- a/charts/incubator/authentik/templates/common.yaml +++ b/charts/incubator/authentik/templates/common.yaml @@ -1,30 +1,31 @@ {{/* Make sure all variables are set properly */}} -{{- include "tc.common.loader.init" . }} +{{- include "tc.v1.common.loader.init" . }} -{{/* Render secret */}} -{{- include "authentik.secret" . }} - -{{/* Render config */}} -{{- include "authentik.config" . }} - -{{- if hasKey .Values "metrics" -}} -{{- if .Values.metrics.enabled -}} -{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}} -{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}} -{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}} +{{/* Render secrets for authentik and friends */}} +{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}} +{{- if $authentikSecrets -}} + {{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }} + {{- $_ := set .Values "secret" $secrets -}} {{- end -}} + +{{/* Render configmaps for authentik and friends */}} +{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}} +{{- if $authentikConfigmaps -}} + {{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }} + {{- $_ := set .Values "configmap" $configmaps -}} {{- end -}} + {{- if .Values.workerContainer.enabled -}} -{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}} +{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}} {{- end -}} {{- if .Values.geoip.enabled -}} -{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}} +{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}} {{- end -}} {{- if .Values.outposts.ldap.enabled -}} -{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}} +{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}} {{/* - if .Values.metrics.enabled - */}} {{/* https://github.com/prometheus/prometheus/issues/3756 */}} {{/* TODO: Figure how the pipe works to connect it to prometheus operator */}} @@ -33,7 +34,7 @@ {{- end -}} {{- if .Values.outposts.proxy.enabled -}} -{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}} +{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}} {{/* - if .Values.metrics.enabled - */}} {{/* https://github.com/prometheus/prometheus/issues/3756 */}} {{/* TODO: Figure how the pipe works to connect it to prometheus operator */}} @@ -42,4 +43,4 @@ {{- end -}} {{/* Render the templates */}} -{{ include "tc.common.loader.apply" . }} +{{ include "tc.v1.common.loader.apply" . }} diff --git a/charts/incubator/authentik/templates/prometheusrules.yaml b/charts/incubator/authentik/templates/prometheusrules.yaml index b3a37c57c21..db0c56cd213 100644 --- a/charts/incubator/authentik/templates/prometheusrules.yaml +++ b/charts/incubator/authentik/templates/prometheusrules.yaml @@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: {{ include "tc.common.names.fullname" . }} + name: {{ include "tc.v1.common.lib.chart.names.fullname" . }} labels: {{- include "tc.common.labels" . | nindent 4 }} {{- with .Values.metrics.prometheusRule.labels }} @@ -11,7 +11,7 @@ metadata: {{- end }} spec: groups: - - name: {{ include "tc.common.names.fullname" . }} + - name: {{ include "tc.v1.common.lib.chart.names.fullname" . }} rules: {{- with .Values.metrics.prometheusRule.rules }} {{- toYaml . | nindent 8 }} diff --git a/charts/incubator/authentik/templates/servicemonitor.yaml b/charts/incubator/authentik/templates/servicemonitor.yaml index afa560ff34e..231f1eb5229 100644 --- a/charts/incubator/authentik/templates/servicemonitor.yaml +++ b/charts/incubator/authentik/templates/servicemonitor.yaml @@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ include "tc.common.names.fullname" . }} + name: {{ include "tc.v1.common.lib.chart.names.fullname" . }} labels: {{- include "tc.common.labels" . | nindent 4 }} {{- with .Values.metrics.serviceMonitor.labels }} diff --git a/charts/incubator/authentik/values.yaml b/charts/incubator/authentik/values.yaml index b7e122539da..f30ddc863e0 100644 --- a/charts/incubator/authentik/values.yaml +++ b/charts/incubator/authentik/values.yaml @@ -18,14 +18,200 @@ proxyImage: tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4 pullPolicy: IfNotPresent -args: ["server"] - -podSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - securityContext: - readOnlyRootFilesystem: false + container: + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: false + +workload: + main: + replicas: 1 + strategy: RollingUpdate + podSpec: + containers: + main: + args: ["server"] + envFrom: + - secretRef: + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret' + - configMapRef: + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config' + - configMapRef: + name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config' + probes: + liveness: + type: https + path: /-/health/live/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + readiness: + type: https + path: /-/health/ready/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + startup: + type: https + path: /-/health/ready/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + +service: + main: + ports: + main: + protocol: https + port: 10229 + targetPort: 9443 + http: + enabled: true + type: ClusterIP + ports: + http: + enabled: true + protocol: http + port: 10230 + targetPort: 9000 + # LDAP Outpost Services + ldapldaps: + enabled: true + ports: + ldapldaps: + enabled: true + port: 636 + targetPort: 6636 + ldapldap: + enabled: true + ports: + ldapldap: + enabled: true + port: 389 + targetPort: 3389 + # Proxy Outpost Services + proxyhttps: + enabled: true + ports: + proxyhttps: + enabled: true + port: 10233 + protocol: https + targetPort: 9444 + proxyhttp: + enabled: true + type: ClusterIP + ports: + proxyhttp: + enabled: true + port: 10234 + protocol: http + targetPort: 9001 + # Metrics Services + metrics: + enabled: true + type: ClusterIP + ports: + metrics: + enabled: true + protocol: http + port: 10231 + targetPort: 9301 + ldapmetrics: + enabled: true + type: ClusterIP + ports: + ldapmetrics: + enabled: true + port: 10232 + protocol: http + targetPort: 9302 + proxymetrics: + enabled: true + type: ClusterIP + ports: + proxymetrics: + enabled: true + port: 10235 + protocol: http + targetPort: 9303 + +metrics: + # TODO + main: + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # @default -- See values.yaml + enabled: false + type: "servicemonitor" + endpoints: + - port: main + path: /metrics + interval: 1m + scrapeTimeout: 30s + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: + [] + # - alert: UnifiPollerAbsent + # annotations: + # description: Unifi Poller has disappeared from Prometheus service discovery. + # summary: Unifi Poller is down. + # expr: | + # absent(up{job=~".*unifi-poller.*"} == 1) + # for: 5m + # labels: + # severity: critical + +ingress: + proxyhttps: + autoLink: true + +# Target selectors taken from authentik's compose file: +# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml +persistence: + media: + enabled: true + mountPath: "/media" + targetSelector: + main: + main: {} + worker: {} + templates: + enabled: true + mountPath: "/templates" + targetSelector: + main: + main: {} + worker: {} + certs: + enabled: true + mountPath: "/certs" + targetSelector: + main: + worker: {} + geoip: + enabled: true + mountPath: "/usr/share/GeoIP" + targetSelector: + main: + geoip: {} + +cnpg: + main: + enabled: true + user: authentik + database: authentik + +cnpgProvider: + port: 5432 + +# Enabled redis +# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis +redis: + enabled: true + +redisProvider: + port: 6379 workerContainer: enabled: true @@ -62,6 +248,7 @@ authentik: log_level: "info" ldap: tls_ciphers: "null" + geoip: enabled: false account_id: "" @@ -98,161 +285,6 @@ outposts: # -- Token is only needed if you accidentally deleted the token within the UI # token: "" -metrics: - # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. - # @default -- See values.yaml - enabled: false - serviceMonitor: - interval: 1m - scrapeTimeout: 30s - labels: {} - # -- Enable and configure Prometheus Rules for the chart under this key. - # @default -- See values.yaml - prometheusRule: - enabled: false - useDefault: true - labels: {} - # -- Configure additional rules for the chart under this key. - # @default -- See prometheusrules.yaml - rules: - [] - # - alert: UnifiPollerAbsent - # annotations: - # description: Unifi Poller has disappeared from Prometheus service discovery. - # summary: Unifi Poller is down. - # expr: | - # absent(up{job=~".*unifi-poller.*"} == 1) - # for: 5m - # labels: - # severity: critical - -envFrom: - - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-authentik-secret' - - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-authentik-config' - - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config' - -probes: - liveness: - type: HTTPS - path: /-/health/live/ - port: "{{ .Values.service.main.ports.main.targetPort }}" - readiness: - type: HTTPS - path: /-/health/ready/ - port: "{{ .Values.service.main.ports.main.targetPort }}" - startup: - type: HTTPS - path: /-/health/ready/ - port: "{{ .Values.service.main.ports.main.targetPort }}" - -service: - main: - ports: - main: - protocol: HTTPS - port: 10229 - targetPort: 9443 - http: - enabled: true - type: ClusterIP - ports: - http: - enabled: true - protocol: HTTP - port: 10230 - targetPort: 9000 - # LDAP Outpost Services - ldapldaps: - enabled: true - ports: - ldapldaps: - enabled: true - port: 636 - targetPort: 6636 - ldapldap: - enabled: true - ports: - ldapldap: - enabled: true - port: 389 - targetPort: 3389 - # Proxy Outpost Services - proxyhttps: - enabled: true - ports: - proxyhttps: - enabled: true - port: 10233 - protocol: HTTPS - targetPort: 9444 - proxyhttp: - enabled: true - type: ClusterIP - ports: - proxyhttp: - enabled: true - port: 10234 - protocol: HTTP - targetPort: 9001 - # Metrics Services - metrics: - enabled: true - type: ClusterIP - ports: - metrics: - enabled: true - protocol: HTTP - port: 10231 - targetPort: 9301 - ldapmetrics: - enabled: true - type: ClusterIP - ports: - ldapmetrics: - enabled: true - port: 10232 - protocol: HTTP - targetPort: 9302 - proxymetrics: - enabled: true - type: ClusterIP - ports: - proxymetrics: - enabled: true - port: 10235 - protocol: HTTP - targetPort: 9303 - -ingress: - proxyhttps: - autoLink: true - -persistence: - media: - enabled: true - mountPath: "/media" - templates: - enabled: true - mountPath: "/templates" - certs: - enabled: true - mountPath: "/certs" - geoip: - enabled: true - mountPath: "/geoip" - -postgresql: - enabled: true - existingSecret: "dbcreds" - postgresqlUsername: authentik - postgresqlDatabase: authentik - -redis: - enabled: true - existingSecret: "rediscreds" - portal: - enabled: true + open: + enabled: true