feat(authentik): BREAKING CHANGE - Modularize it and add LDAP outpost (#3380)

* fix(authentik): make it modular and maintainable

* add volume mounts on worker

* move geoip to container instead of cron

* remove sercetkey from env and rename tpl

* add initial configmap and cleanup

* add rest of the config

* fix geoip

* add footer links config

* remove empty space

* finish with geoip config and ui

* update UI

* rename to error reporting

* Add ldap outpost

* add ldap healthcheck

* remove proxy reference

* geoip runs as root

* geoip issue for heathchecks

* add another todo

* Give full configuration options on service and move disable/enable login in tpl and add metrics endpoints

* change metrics ports of one of the containers to avoid conflicts

* whitespace

* add note

* add notes

* expose container ports for ldap

* correct ports

* Enable prometheus metrics for main container

* disable metrics when disabled

* not needed

* no message

* add name to container port,

* make note more clear

* don't micromanage services. let user do that

* lint

* define mail secrets only if defined

* handle better few secrets

* μορε

* whoops

* handle null

* quote "null"

* handle potentially empty strings

* handle empty string

* fix

* move ports to configmap

* move more to configmap

* hmm

* add placeholders to avoid empty secrets

* hmm

* hmm

* no message

* hmm?

* maybe?

* hmm

* damn

* b64enc all secrets

* quote again

* turn off geoip and ldap

* no rofs on worker

* rofs

* d

* test empty secret

* test footer links

* disable ldap for ci
This commit is contained in:
Stavros Kois
2022-08-10 01:14:43 +03:00
committed by GitHub
parent a8d0844431
commit 1920ecf582
12 changed files with 913 additions and 456 deletions


@@ -3,7 +3,7 @@ appVersion: "2022.7.3"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 10.4.9
version: 10.4.8
- condition: postgresql.enabled
name: postgresql
repository: https://charts.truecharts.org/
@@ -27,7 +27,7 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 2.0.32
version: 3.0.0
annotations:
truecharts.org/catagories: |
- authentication


@@ -11,226 +11,353 @@ questions:
# Include{strategy}
# Include{recreate}
# Include{controllerExpert}
- variable: secretEnv
- variable: authentik
group: "Container Configuration"
label: "Image Secrets"
label: "Authentik Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: AK_ADMIN_PASS
label: "AK_ADMIN_PASS (Initial Install Only)"
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
- variable: credentials
label: "Credentials"
schema:
type: string
private: true
required: true
default: ""
- variable: AK_ADMIN_TOKEN
label: "AK_ADMIN_TOKEN (Initial Install Only)"
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
schema:
type: string
private: true
required: true
default: ""
- variable: env
group: "Container Configuration"
label: "Image Environment"
schema:
additional_attrs: true
type: dict
attrs:
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
label: "AUTHENTIK_DEFAULT_USER_CHANGE_NAME"
description: "Enable the ability for users to change their name."
schema:
type: boolean
default: true
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
label: "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL"
description: "Enable the ability for users to change their Email address."
schema:
type: boolean
default: true
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
label: "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME"
description: "Enable the ability for users to change their Usernames."
schema:
type: boolean
default: true
- variable: AUTHENTIK_GDPR_COMPLIANCE
label: "AUTHENTIK_GDPR_COMPLIANCE"
description: "When enabled, all the events caused by a user will be deleted upon the user's deletion."
schema:
type: boolean
default: true
- variable: AUTHENTIK_IMPERSONATION
label: "AUTHENTIK_IMPERSONATION"
description: "Globally enable/disable impersonation."
schema:
type: boolean
default: true
- variable: AUTHENTIK_DISABLE_UPDATE_CHECK
label: "AUTHENTIK_DISABLE_UPDATE_CHECK"
description: "Disable the inbuilt update-checker."
schema:
type: boolean
default: false
- variable: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
label: "AUTHENTIK_DISABLE_STARTUP_ANALYTICS"
description: "Disable the startup analytics."
schema:
type: boolean
default: false
- variable: AUTHENTIK_ERROR_REPORTING__ENABLED
label: "AUTHENTIK_ERROR_REPORTING__ENABLED"
description: "Enable error reporting."
schema:
type: boolean
default: false
- variable: AUTHENTIK_ERROR_REPORTING__SEND_PII
label: "AUTHENTIK_ERROR_REPORTING__SEND_PII"
description: "Whether or not to send personal data, like usernames."
schema:
type: boolean
default: false
- variable: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
label: "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT"
description: "Unique environment that is attached to your error reports, should be set to your email address for example."
schema:
type: string
default: "customer"
- variable: AUTHENTIK_DEFAULT_TOKEN_LENGTH
label: "AUTHENTIK_DEFAULT_TOKEN_LENGTH"
description: "Configure the length of generated tokens. Defaults to 128."
schema:
type: int
default: 128
- variable: AUTHENTIK_AVATARS
label: "AUTHENTIK_AVATARS"
description: "Configure how authentik should show avatars for users."
schema:
type: string
default: "gravatar"
- variable: AUTHENTIK_LOG_LEVEL
label: "AUTHENTIK_LOG_LEVEL"
description: "Log level for the server and worker containers."
schema:
type: string
default: "info"
enum:
- value: trace
description: "trace"
- value: debug
description: "debug"
- value: info
description: "info"
- value: warning
description: "warning"
- value: error
description: "error"
- variable: enable_mail_config
label: "Enable Email Settings"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: AUTHENTIK_EMAIL__HOST
label: "AUTHENTIK_EMAIL__HOST"
additional_attrs: true
type: dict
attrs:
- variable: password
label: "Password (Initial install only)"
description: "Password for <akadmin> user. Can be used for any flow executor"
schema:
type: string
private: true
required: true
default: ""
- variable: AUTHENTIK_EMAIL__PORT
label: "AUTHENTIK_EMAIL__PORT"
- variable: token
label: "Token (Initial install only)"
description: "The string you specify for this variable is the token key you can use to authenticate yourself to the API"
schema:
type: string
private: true
required: true
default: ""
- variable: general
label: "General"
schema:
additional_attrs: true
type: dict
attrs:
- variable: disable_update_check
label: "Disable Update Check"
description: "Disable the inbuilt update-checker"
schema:
type: boolean
default: false
- variable: disable_startup_analytics
label: "Disable Startup Analytics"
description: "Disable startup analytics"
schema:
type: boolean
default: true
- variable: allow_user_name_change
label: "Allow User Name Change"
description: "Enable the ability for users to change their Name"
schema:
type: boolean
default: true
- variable: allow_user_mail_change
label: "Allow User Mail Change"
description: "Enable the ability for users to change their Email address"
schema:
type: boolean
default: true
- variable: allow_user_username_change
label: "Allow User Username Change"
description: "Enable the ability for users to change their Usernames"
schema:
type: boolean
default: true
- variable: gdpr_compliance
label: "GDPR Compliance"
description: "When enabled, all the events caused by a user will be deleted upon the user's deletion"
schema:
type: boolean
default: true
- variable: impersonation
label: "Impersonation"
description: "Globally enable/disable impersonation"
schema:
type: boolean
default: true
- variable: avatars
label: "Avatars"
description: "Configure how authentik should show avatars for users"
schema:
type: string
default: "gravatar"
- variable: token_length
label: "Token Length"
description: "Configure the length of generated tokens"
schema:
type: int
default: 25
- variable: AUTHENTIK_EMAIL__USERNAME
label: "AUTHENTIK_EMAIL__USERNAME"
default: 128
- variable: footer_links
label: "Footer Links"
description: "This option configures the footer links on the flow executor pages"
schema:
type: string
default: ""
- variable: AUTHENTIK_EMAIL__PASSWORD
label: "AUTHENTIK_EMAIL__PASSWORD"
- variable: mail
label: "e-Mail"
schema:
additional_attrs: true
type: dict
attrs:
- variable: host
label: "Mail Server Host"
description: "Sets host of mail server"
schema:
type: string
default: ""
- variable: port
label: "Mail Server Port"
description: "Sets port of mail server"
schema:
type: string
default: ""
- variable: tls
label: "Use TLS for authentication"
description: "Sets tls for mail server authentication"
schema:
type: boolean
default: false
- variable: ssl
label: "Use SSL for authentication"
description: "Sets ssl for mail server authentication"
schema:
type: boolean
default: false
- variable: timeout
label: "Timeout of authentication"
description: "Sets timeout for mail server authentication"
schema:
type: int
default: 10
- variable: user
label: "Username"
description: "Sets username of mail server"
schema:
type: string
default: ""
- variable: pass
label: "Password"
description: "Sets password of mail server"
schema:
type: string
private: true
default: ""
- variable: AUTHENTIK_EMAIL__USE_TLS
label: "AUTHENTIK_EMAIL__USE_TLS"
schema:
type: boolean
default: false
- variable: AUTHENTIK_EMAIL__USE_SSL
label: "AUTHENTIK_EMAIL__USE_SSL"
schema:
type: boolean
default: false
- variable: AUTHENTIK_EMAIL__TIMEOUT
label: "AUTHENTIK_EMAIL__TIMEOUT"
schema:
type: int
default: 10
- variable: AUTHENTIK_EMAIL__FROM
label: "AUTHENTIK_EMAIL__FROM"
description: "Email address authentik will send from, should have a correct @domain. To change the sender's display name, use a format like Name <account@domain>."
- variable: from
label: "From Address"
description: "Email address authentik will send from"
schema:
type: string
default: ""
- variable: geoip
- variable: error_reporting
label: "Error Reporting"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable Reporting"
description: "Enables error reporting"
schema:
type: boolean
default: false
show_subquestions_if:
subquestions:
- variable: send_pii
label: "Send Personal Data"
description: "Whether or not to send personal data, like usernames"
schema:
type: boolean
default: false
- variable: environment
label: "Environment"
description: "Unique environment that is attached to your error reports, should be set to your email address for example."
schema:
type: string
default: "customer"
- variable: logging
label: "Logging"
schema:
additional_attrs: true
type: dict
attrs:
- variable: log_level
label: "Log Level"
description: "Log level for the server and worker containers"
schema:
type: string
default: "info"
enum:
- value: trace
description: "trace"
- value: debug
description: "debug"
- value: info
description: "info"
- value: warning
description: "warning"
- value: error
description: "error"
- variable: metrics
label: "Metrics"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Metrics Endpoint"
description: "Enables metrics endpoint for Authentik and embedded outpost"
schema:
type: boolean
default: false
- variable: ldap
label: "LDAP"
schema:
additional_attrs: true
type: dict
attrs:
- variable: tls_ciphers
label: "TLS Ciphers"
description: "Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources"
schema:
type: string
default: "null"
- variable: outposts
group: "Container Configuration"
label: "Image GeoIP Updater"
label: "Outpost Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: ENABLE_GEOIPUPDATER
label: "Enable CronJob for GeoIP Updater"
- variable: ldap
label: "LDAP"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable LDAP outpost"
description: "Enable only AFTER you created an LDAP Provider and an API Token"
schema:
type: boolean
default: false
show_subquestions_if:
subquestions:
- variable: insecure
label: "Insecure"
description: "Check only if you accessing Authentik in an unsecure way"
schema:
type: boolean
default: false
- variable: host
label: "Authentik Host"
description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
schema:
type: string
required: true
default: ""
- variable: token
label: "API Token"
description: "Generated in the Authentik GUI > Directory > Token & App Passwords"
schema:
type: string
private: true
required: true
default: ""
- variable: metrics
label: "Metrics Endpoint"
description: "Enables metric endpoint in LDAP Outpost"
schema:
type: boolean
default: false
- variable: geoip
group: "Container Configuration"
label: "GeoIP Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable GeoIP Container"
description: "Enables GeoIP container"
schema:
type: boolean
default: false
default: true
show_subquestions_if: true
subquestions:
- variable: GEOIPUPDATE_ACCOUNT_ID
label: "GEOIPUPDATE_ACCOUNT_ID"
- variable: account_id
label: "Account ID"
description: "Your MaxMind account ID"
schema:
type: string
private: true
required: true
default: ""
- variable: GEOIPUPDATE_LICENSE_KEY
label: "GEOIPUPDATE_LICENSE_KEY"
description: "Your case-sensitive MaxMind license key."
- variable: license_key
label: "License Key"
description: "Your case-sensitive MaxMind license key"
schema:
type: string
private: true
required: true
default: ""
- variable: edition_ids
label: "Edition IDs"
description: "List of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes"
schema:
type: string
required: true
default: "GeoLite2-City"
- variable: frequency
label: "Frequency"
description: "The number of hours between geoipupdate runs"
schema:
type: int
min: 1
default: 8
- variable: host_server
label: "Host Server"
description: "The host name of the server to use"
schema:
type: string
default: "updates.maxmind.com"
- variable: preserve_file_times
label: "Preserve File Times"
description: "Whether to preserve modification times of files downloaded from the server"
schema:
type: boolean
default: false
- variable: verbose
label: "Verbose"
description: "Enable verbose mode. Prints out the steps that geoipupdate takes"
schema:
type: boolean
default: false
- variable: proxy
label: "Proxy"
description: "The proxy host name or IP address"
schema:
type: string
default: ""
- variable: proxy_user_pass
label: "Proxy Pass"
description: "The proxy user name and password, separated by a colon"
schema:
type: string
private: true
default: ""
- variable: GEOIPUPDATE_EDITION_IDS
label: "GEOIPUPDATE_EDITION_IDS"
description: "ist of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes."
schema:
type: string
default: "GeoIP2-City"
- variable: GEOIPUPDATE_HOST
label: "GEOIPUPDATE_HOST"
description: "The host name of the server to use. The default is updates.maxmind.com."
schema:
type: string
default: "updates.maxmind.com"
- variable: GEOIPUPDATE_PRESERVE_FILE_TIMES
label: "GEOIPUPDATE_PRESERVE_FILE_TIMES"
description: "Whether to preserve modification times of files downloaded from the server. This option is either 0 or 1. The default is 0."
schema:
type: int
default: 0
- variable: freqhours
label: "FREQUENCY"
description: "The number of hours between geoipupdate runs."
schema:
type: int
default: 8
# Include{containerConfig}
# Include{serviceRoot}
- variable: main
@@ -243,34 +370,6 @@ questions:
# Include{serviceSelector}
- variable: main
label: "Main Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10230
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 9000
- variable: https
label: "https Service"
description: "The https service."
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: https
label: "https Service Port Configuration"
schema:
additional_attrs: true
type: dict
@@ -289,6 +388,157 @@ questions:
schema:
type: int
default: 9443
- variable: http
label: "http Service"
description: "The http service."
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: http
label: "http Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10230
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 9000
- variable: metrics
label: "metrics Service"
description: "The metrics service."
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: metrics
label: "metrics Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10231
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 9301
- variable: ldap
label: "LDAP Service"
description: "The LDAP service."
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: ldap1
label: "ldap1 Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 389
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 3389
- variable: ldap2
label: "ldap2 Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 636
required: true
- variable: advanced
label: "Show Advanced settings"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: protocol
label: "Port Type"
schema:
type: string
default: "HTTP"
enum:
- value: HTTP
description: "HTTP"
- value: "HTTPS"
description: "HTTPS"
- value: TCP
description: "TCP"
- value: "UDP"
description: "UDP"
- variable: nodePort
label: "Node Port (Optional)"
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
schema:
type: int
min: 9000
max: 65535
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 6636
- variable: metrics
label: "LDAP metrics Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10232
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 9300
# Include{serviceExpertRoot}
default: false
# Include{serviceExpert}
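Review bot: Both LDAP listener ports default to an HTTP port type: `ldap1` pulls in `# Include{advancedPortHTTP}` and the inline advanced block under `ldap2` sets `default: "HTTP"`, yet these are the 389/636 LDAP(S) listeners, so the default should be `default: "TCP"` (with a TCP-flavoured include for `ldap1` if the library provides one). The hand-written advanced block under `ldap2` also duplicates what the include presumably provides for `ldap1`, so two sibling ports expose different UIs; using the same mechanism for both keeps them consistent. `tls_ciphers` defaults to the string `"null"`, which is truthy for the `with` guard in the configmap and is presumably handed to authentik as a literal cipher string; `default: ""` lets that guard skip the key unless the user sets real ciphers. The `insecure` description could say what the flag does, since the configmap maps it to `AUTHENTIK_INSECURE`, e.g. `description: "Disables TLS certificate verification for the outpost's connection to the Authentik host; only for plain-HTTP or self-signed setups"`.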


@@ -0,0 +1,91 @@
{{/* Define the configmap */}}
{{- define "authentik.config" -}}
{{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authentikConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
AUTHENTIK_REDIS__PORT: "6379"
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
AUTHENTIK_POSTGRESQL__PORT: "5432"
{{/* Mail */}}
AUTHENTIK_EMAIL__PORT: {{ .Values.authentik.mail.port | quote }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
AUTHENTIK_EMAIL__TIMEOUT: {{ .Values.authentik.mail.timeout | quote }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Metrics */}}
AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }}
{{- with .Values.outposts.ldap.host }}
AUTHENTIK_HOST: {{ . }}
{{- end }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $geoipConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: '{{ ternary "1" "0" .Values.geoip.preserve_file_times }}'
GEOIPUPDATE_VERBOSE: '{{ ternary "1" "0" .Values.geoip.verbose }}'
{{- end }}
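Review bot: `AUTHENTIK_EMAIL__PORT` is rendered even when mail is not configured: the questions file defaults `mail.port` to `""`, so the configmap emits `AUTHENTIK_EMAIL__PORT: ""`, overriding authentik's built-in default with an empty string that presumably fails if it is parsed as an integer. Guard it like `host` is guarded in the secret: `{{- with .Values.authentik.mail.port }}` / `AUTHENTIK_EMAIL__PORT: {{ . | quote }}` / `{{- end }}`. User-supplied scalars are emitted unquoted at `AUTHENTIK_AVATARS`, `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT`, `AUTHENTIK_HOST` and `GEOIPUPDATE_EDITION_IDS`; a value containing `: `, ` #` or a leading YAML indicator breaks the rendered manifest, so pipe each through `| quote` as the `AUTHENTIK_LDAP__TLS__CIPHERS` line already does. `AUTHENTIK_LISTEN__METRICS` reads `.Values.authentik.metrics.internalPort`, which the questions hunk does not expose; if values.yaml (cut off on this page) does not define it the key renders as `""`, and a comment next to it stating the expected form (address:port) would help.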


@@ -1,53 +0,0 @@
{{/* Define the cronjob */}}
{{- define "authentik.cronjob" -}}
{{- $jobName := include "tc.common.names.fullname" . }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ printf "%s-cronjob" $jobName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
spec:
schedule: "0 */{{ .Values.geoip.freqhours }} * * *"
concurrencyPolicy: Forbid
{{- with .Values.cronjob.failedJobsHistoryLimit }}
failedJobsHistoryLimit: {{ . }}
{{- end }}
{{- with .Values.cronjob.successfulJobsHistoryLimit }}
successfulJobsHistoryLimit: {{ . }}
{{- end }}
jobTemplate:
metadata:
spec:
template:
metadata:
spec:
restartPolicy: Never
{{- with (include "tc.common.controller.volumes" . | trim) }}
volumes:
{{- nindent 12 . }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}"
env:
- name: GEOIPUPDATE_FREQUENCY
value: "{{ .Values.geoip.GEOIPUPDATE_FREQUENCY }}"
- name: GEOIPUPDATE_PRESERVE_FILE_TIMES
value: "{{ .Values.geoip.GEOIPUPDATE_PRESERVE_FILE_TIMES }}"
- name: GEOIPUPDATE_ACCOUNT_ID
value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID }}
- name: GEOIPUPDATE_LICENSE_KEY
value: {{ .Values.geoip.GEOIPUPDATE_LICENSE_KEY }}
- name: GEOIPUPDATE_EDITION_IDS
value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS }}
- name: GEOIPUPDATE_HOST
value: {{ .Values.geoip.GEOIPUPDATE_HOST }}
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
resources:
{{ toYaml .Values.resources | indent 16 }}
{{- end -}}


@@ -0,0 +1,20 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip" -}}
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
imagePullPolicy: '{{ .Values.geoipImage.pullPolicy }}'
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: true
runAsNonRoot: false
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
{{- end -}}
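Review bot: The geoip container runs as UID 0 with `runAsNonRoot: false` but the securityContext sets no other bounds, so the root process keeps its full capability set; add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under `securityContext` (as far as this hunk shows, geoipupdate only needs to write the mounted volume). The same two lines are missing from the `authentik.ldap` and `authentik.worker` containers, which at least run non-root. A one-line comment stating why root is needed here, presumably the upstream issue referenced in the TODO, e.g. `{{/* runs as root until geoipupdate supports a non-root user, see TODO below */}}`, would keep the next maintainer from "fixing" it.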


@@ -0,0 +1,52 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}'
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
ports:
- containerPort: 3389
- containerPort: 6636
{{ if .Values.outposts.ldap.metrics }}
- containerPort: 9300
name: metrics
{{ end }}
readinessProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
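Review bot: All three probes hard-code `http://localhost:9300/outpost.goauthentik.io/ping`, i.e. the outpost's metrics listener, while the `containerPort: 9300` declaration is only emitted when `outposts.ldap.metrics` is set; the probes presumably still work because the listener does not depend on the port declaration, but nothing says so. A comment above `readinessProbe`, `{{/* /ping is served on the metrics listener (9300) regardless of the metrics containerPort toggle above */}}`, makes that dependency explicit, and the `{{ if }}`/`{{ end }}` pair would better be `{{- if ... }}` / `{{- end }}` to avoid blank lines in the rendered container spec. The two LDAP ports are unnamed; `name: ldap` on 3389 and `name: ldaps` on 6636 would match the `name: metrics` style and make the service targetPorts self-describing. The service questions let users change `targetPort` from 3389/6636, but the container ports here are fixed, so such a change silently breaks routing unless the outpost listen ports follow it; this is worth a sentence in the questions descriptions.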


@@ -0,0 +1,84 @@
{{/* Define the secret */}}
{{- define "authentik.secret" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $authentikSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.credentials.token }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ . | b64enc }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $geoipSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- end }}
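Review bot: The `lookup` at the top of the secret only checks the new name `$authentikSecretName`, while the template this commit removes stored the key in a Secret literally named `authentik-secrets`, so an upgrade from the previous chart version generates a fresh `AUTHENTIK_SECRET_KEY` and, since that is presumably the Django signing key, invalidates at least existing sessions. Either fall back to the old name once (below) or state in the `{{/* Secret Key */}}` comment that the key is intentionally rotated by this upgrade. `lookup` also returns nothing under `helm template` and `--dry-run`, so the key always appears to rotate there; a comment to that effect saves a false bug report. The `index .data` calls assume the found Secret carries the key, so the fallback checks the key rather than just the Secret.
```yaml
{{/* Secret Key: reuse the current release's key, then the pre-3.0 "authentik-secrets" key, else generate one */}}
{{/* lookup is empty under helm template / --dry-run, so a new key is rendered there */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $authentikSecretName }}
{{- $legacy := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
{{- if and $existing (index $existing.data "AUTHENTIK_SECRET_KEY") }}
  AUTHENTIK_SECRET_KEY: {{ index $existing.data "AUTHENTIK_SECRET_KEY" }}
{{- else if and $legacy (index $legacy.data "AUTHENTIK_SECRET_KEY") }}
  AUTHENTIK_SECRET_KEY: {{ index $legacy.data "AUTHENTIK_SECRET_KEY" }}
{{- else }}
  AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
{{/* … unchanged: dependency, credential and mail keys … */}}
```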


@@ -1,20 +0,0 @@
{{/* Define the secrets */}}
{{- define "authentik.secrets" -}}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: authentik-secrets
{{- $authentikprevious := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
{{- $secret_key := "" }}
data:
{{- if $authentikprevious}}
AUTHENTIK_SECRET_KEY: {{ index $authentikprevious.data "AUTHENTIK_SECRET_KEY" }}
{{- else }}
{{- $secret_key := randAlphaNum 32 }}
AUTHENTIK_SECRET_KEY: {{ $secret_key | b64enc }}
{{- end }}
{{- end -}}


@@ -0,0 +1,52 @@
{{/* Define the worker container */}}
{{- define "authentik.worker" -}}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: false
runAsNonRoot: true
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
readinessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
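Review bot: `readOnlyRootFilesystem: false` makes the worker the only container in this commit without a read-only root, and nothing records why; a comment naming what the worker writes would let a maintainer replace it with an `emptyDir` mount later, e.g. `{{/* worker needs a writable root fs (path: TODO confirm); narrow to an emptyDir at that path and re-enable readOnlyRootFilesystem */}}`. The probe structure mirrors the ldap container, which is good for consistency; a `{{/* Shares the server's secret and configmap; mail credentials therefore reach the worker too */}}` line above `envFrom` would document the intent, since the secret hunk shows those keys living in the same Secret.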


@@ -1,12 +1,32 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render secrets for authentik */}}
{{- include "authentik.secrets" . }}
{{/* Render secret */}}
{{- include "authentik.secret" . }}
{{- if .Values.geoip.ENABLE_GEOIPUPDATER }}
{{/* Render cronjob for authentik */}}
{{- include "authentik.cronjob" . }}
{{/* Render config */}}
{{- include "authentik.config" . }}
{{- if .Values.authentik.metrics.enabled -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" ( .Values.service.metrics.ports.metrics.targetPort | quote) -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}}
{{/* - if .Values.outposts.ldap.metrics - */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
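Review bot: The third `set` inside the `authentik.metrics.enabled` block writes `prometheus.io/scrape` a second time instead of `prometheus.io/port`, so the scrape annotation ends up holding the quoted port number and no port annotation is set at all; a scraper keyed on `prometheus.io/scrape: "true"` would skip the pod. The line should read `{{- $_ := set .Values.podAnnotations "prometheus.io/port" ( .Values.service.metrics.ports.metrics.targetPort | quote) -}}`. The rendered hunk appears to stop after the `Render the templates` comment, so the final include that consumes these values is outside this view.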


@@ -8,193 +8,153 @@ geoipImage:
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
# TODO: Update this to our mirror
repository: ghcr.io/goauthentik/ldap
tag: 2022.7.3@sha256:fed2b7e9149bfe9693f7ea1abf87012d643c53e5054415862449c20fe4fe6413
pullPolicy: IfNotPresent
extraArgs: ["server"]
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
secretEnv:
AK_ADMIN_PASS: "supersecret"
AK_ADMIN_TOKEN: "supersecretapitoken"
workerContainer:
enabled: true
env:
AUTHENTIK_POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
AUTHENTIK_POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
AUTHENTIK_POSTGRESQL__PORT: "5432"
AUTHENTIK_REDIS__PORT: "6379"
# User Defined
AUTHENTIK_DISABLE_UPDATE_CHECK: false
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: true
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: true
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: true
AUTHENTIK_GDPR_COMPLIANCE: true
AUTHENTIK_IMPERSONATION: true
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: false
AUTHENTIK_ERROR_REPORTING__ENABLED: false
AUTHENTIK_ERROR_REPORTING__SEND_PII: false
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " "
AUTHENTIK_DEFAULT_TOKEN_LENGTH: 128
AUTHENTIK_AVATARS: "gravatar"
AUTHENTIK_LOG_LEVEL: "warning"
AUTHENTIK_EMAIL__HOST: ""
AUTHENTIK_EMAIL__PORT: 25
AUTHENTIK_EMAIL__USERNAME: ""
AUTHENTIK_EMAIL__PASSWORD: ""
AUTHENTIK_EMAIL__USE_TLS: false
AUTHENTIK_EMAIL__USE_SSL: false
AUTHENTIK_EMAIL__TIMEOUT: 10
AUTHENTIK_EMAIL__FROM: ""
AUTHENTIK_POSTGRESQL__HOST:
secretKeyRef:
name: dbcreds
key: plainhost
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
name: dbcreds
key: postgresql-password
AUTHENTIK_REDIS__HOST:
secretKeyRef:
name: rediscreds
key: plainhost
AUTHENTIK_REDIS__PASSWORD:
secretKeyRef:
name: rediscreds
key: redis-password
AUTHENTIK_SECRET_KEY:
secretKeyRef:
name: authentik-secrets
key: AUTHENTIK_SECRET_KEY
authentik:
credentials:
password: "supersecret"
token: "supersecretapitoken"
general:
disable_update_check: false
disable_startup_analytics: true
allow_user_name_change: true
allow_user_mail_change: true
allow_user_username_change: true
gdpr_compliance: true
impersonation: true
avatars: "gravatar"
token_length: 128
# Use single quotes for footer_links
# TODO: test how scale behaves
# eg footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
mail:
host: ""
port: 25
tls: false
ssl: false
timeout: 10
user: ""
pass: ""
from: ""
error_reporting:
enabled: false
send_pii: false
environment: "customer"
logging:
log_level: "info"
ldap:
tls_ciphers: "null"
metrics:
enabled: true
# LDAP Outpost listens on 9300. To avoid conflicts
# This sets internal Authentik metrics port to 9301
internalPort: 9301
geoip:
# Set image's frequence to 0, so it executes once and exits.
GEOIPUPDATE_FREQUENCY: 0
# User Defined
ENABLE_GEOIPUPDATER: false
# How often should we run the cronjob to update geoip
freqhours: 8
GEOIPUPDATE_ACCOUNT_ID: ""
GEOIPUPDATE_LICENSE_KEY: ""
GEOIPUPDATE_EDITION_IDS: "GeoIP2-City"
GEOIPUPDATE_HOST: "updates.maxmind.com"
GEOIPUPDATE_PRESERVE_FILE_TIMES: 0
enabled: false
account_id: ""
license_key: ""
proxy: ""
proxy_user_pass: ""
edition_ids: "GeoLite2-City"
frequency: 8
host_server: "updates.maxmind.com"
preserve_file_times: false
verbose: false
outposts:
ldap:
enabled: false
insecure: false
host: ""
token: "test"
metrics: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
probes:
liveness:
path: "/-/health/live"
enabled: true
custom: true
spec:
exec:
command:
- /lifecycle/ak
- healthcheck
readiness:
path: "/-/health/ready"
enabled: true
custom: true
spec:
exec:
command:
- /lifecycle/ak
- healthcheck
startup:
enabled: true
custom: true
spec:
exec:
command:
- /lifecycle/ak
- healthcheck
service:
main:
ports:
main:
port: 10230
targetPort: 9000
https:
enabled: true
ports:
https:
enabled: true
protocol: "HTTPS"
protocol: HTTPS
port: 10229
targetPort: 9443
additionalContainers:
worker:
name: worker
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
args: ["worker"]
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
env:
- name: AUTHENTIK_REDIS__PORT
value: "6379"
- name: AUTHENTIK_REDIS__HOST
valueFrom:
secretKeyRef:
name: rediscreds
key: plainhost
- name: AUTHENTIK_REDIS__PASSWORD
valueFrom:
secretKeyRef:
name: rediscreds
key: redis-password
- name: AUTHENTIK_POSTGRESQL__NAME
value: "{{ .Values.postgresql.postgresqlDatabase }}"
- name: AUTHENTIK_POSTGRESQL__USER
value: "{{ .Values.postgresql.postgresqlUsername }}"
- name: AUTHENTIK_POSTGRESQL__PORT
value: "5432"
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: dbcreds
key: plainhost
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: dbcreds
key: postgresql-password
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secrets
key: AUTHENTIK_SECRET_KEY
- name: AUTHENTIK_LOG_LEVEL
value: "{{ .Values.env.AUTHENTIK_LOG_LEVEL }}"
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
value: "{{ .Values.env.AUTHENTIK_DISABLE_UPDATE_CHECK }}"
- name: AUTHENTIK_ERROR_REPORTING__ENABLED
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENABLED }}"
- name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENVIRONMENT }}"
- name: AUTHENTIK_ERROR_REPORTING__SEND_PII
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__SEND_PII }}"
- name: AUTHENTIK_EMAIL__HOST
value: "{{ .Values.env.AUTHENTIK_EMAIL__HOST }}"
- name: AUTHENTIK_EMAIL__PORT
value: "{{ .Values.env.AUTHENTIK_EMAIL__PORT }}"
- name: AUTHENTIK_EMAIL__USERNAME
value: "{{ .Values.env.AUTHENTIK_EMAIL__USERNAME }}"
- name: AUTHENTIK_EMAIL__PASSWORD
value: "{{ .Values.env.AUTHENTIK_EMAIL__PASSWORD }}"
- name: AUTHENTIK_EMAIL__USE_TLS
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_TLS }}"
- name: AUTHENTIK_EMAIL__USE_SSL
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_SSL }}"
- name: AUTHENTIK_EMAIL__TIMEOUT
value: "{{ .Values.env.AUTHENTIK_EMAIL__TIMEOUT }}"
- name: AUTHENTIK_EMAIL__FROM
value: "{{ .Values.env.AUTHENTIK_EMAIL__FROM }}"
- name: AUTHENTIK_AVATARS
value: "{{ .Values.env.AUTHENTIK_AVATARS }}"
- name: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_NAME }}"
- name: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL }}"
- name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME }}"
- name: AUTHENTIK_GDPR_COMPLIANCE
value: "{{ .Values.env.AUTHENTIK_GDPR_COMPLIANCE }}"
- name: AUTHENTIK_DEFAULT_TOKEN_LENGTH
value: "{{ .Values.env.AUTHENTIK_DEFAULT_TOKEN_LENGTH }}"
- name: AUTHENTIK_IMPERSONATION
value: "{{ .Values.env.AUTHENTIK_IMPERSONATION }}"
- name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
value: "{{ .Values.env.AUTHENTIK_DISABLE_STARTUP_ANALYTICS }}"
cronjob:
annotations: {}
failedJobsHistoryLimit: 5
successfulJobsHistoryLimit: 2
http:
enabled: true
ports:
http:
enabled: true
protocol: HTTP
port: 10230
targetPort: 9000
metrics:
enabled: true
ports:
metrics:
enabled: true
protocol: HTTP
port: 10231
targetPort: 9301
ldap:
enabled: false
ports:
ldap1:
enabled: false
port: 389
targetPort: 3389
ldap2:
enabled: false
port: 636
targetPort: 6636
metrics:
enabled: false
port: 10232
protocol: HTTP
targetPort: 9300
persistence:
media:
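Review bot: `authentik.credentials.password: "supersecret"`, `authentik.credentials.token: "supersecretapitoken"` and `outposts.ldap.token: "test"` ship working defaults for the bootstrap admin password, the admin API token and the outpost token, so an install that leaves these keys untouched comes up with credentials that are readable in the chart source. The chart already generates `AUTHENTIK_SECRET_KEY` when no previous value exists (the partial hunk at the top of this page), and the same pattern — generate on first install, or fail rendering when a value is still at its default — would fit these too; at minimum a comment above `credentials:` such as `# Placeholder defaults: override them, the chart does not generate these` makes the expectation visible. The quoted `ldap.tls_ciphers: "null"` and the `ldap1`/`ldap2` port numbers look intentional from the commit history; the hunk ends mid-`persistence:`, so the remaining values are outside this view.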


@@ -4,6 +4,7 @@ words:
- allowtransparency
- APITOKEN
- appname
- Authentik
- autoconnect
- backupname
- bazarr