feat(authentik): BREAKING CHANGE - Modularize it and add LDAP outpost (#3380)
* fix(authentik): make it modular and maintainable * add volume mounts on worker * move geoip to container instead of cron * remove sercetkey from env and rename tpl * add initial configmap and cleanup * add rest of the config * fix geoip * add footer links config * remove empty space * finish with geoip config and ui * update UI * rename to error reporting * Add ldap outpost * add ldap healthcheck * remove proxy reference * geoip runs as root * geoip issue for heathchecks * add another todo * Give full configuration options on service and move disable/enable login in tpl and add metrics endpoints * change metrics ports of one of the containers to avoid conflicts * whitespace * add note * add notes * expose container ports for ldap * correct ports * Enable prometheus metrics for main container * disable metrics when disabled * not needed * no message * add name to container port, * make note more clear * don't micromanage services. let user do that * lint * define mail secrets only if defined * handle better few secrets * μορε * whoops * handle null * quote "null" * handle poteentialy empty strings * handle empty string * fix * move ports to configmap * move more to configmap * hmm * add placeholders to avoid empty secrets * hmm * hmm * no message * hmm? * maybe? * hmm * damn * b64enc all secrets * quote again * turn off geoip and ldap * no rofs on worker * rofs * d * test empty secret * test footer links * disable ldap for ci
This commit is contained in:
@@ -3,7 +3,7 @@ appVersion: "2022.7.3"
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 10.4.9
|
||||
version: 10.4.8
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://charts.truecharts.org/
|
||||
@@ -27,7 +27,7 @@ sources:
|
||||
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
|
||||
- https://github.com/goauthentik/authentik
|
||||
- https://goauthentik.io/docs/
|
||||
version: 2.0.32
|
||||
version: 3.0.0
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- authentication
|
||||
|
||||
@@ -11,226 +11,353 @@ questions:
|
||||
# Include{strategy}
|
||||
# Include{recreate}
|
||||
# Include{controllerExpert}
|
||||
- variable: secretEnv
|
||||
- variable: authentik
|
||||
group: "Container Configuration"
|
||||
label: "Image Secrets"
|
||||
label: "Authentik Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: AK_ADMIN_PASS
|
||||
label: "AK_ADMIN_PASS (Initial Install Only)"
|
||||
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
|
||||
- variable: credentials
|
||||
label: "Credentials"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: AK_ADMIN_TOKEN
|
||||
label: "AK_ADMIN_TOKEN (Initial Install Only)"
|
||||
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: env
|
||||
group: "Container Configuration"
|
||||
label: "Image Environment"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_NAME"
|
||||
description: "Enable the ability for users to change their name."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL"
|
||||
description: "Enable the ability for users to change their Email address."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME"
|
||||
description: "Enable the ability for users to change their Usernames."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_GDPR_COMPLIANCE
|
||||
label: "AUTHENTIK_GDPR_COMPLIANCE"
|
||||
description: "When enabled, all the events caused by a user will be deleted upon the user's deletion."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_IMPERSONATION
|
||||
label: "AUTHENTIK_IMPERSONATION"
|
||||
description: "Globally enable/disable impersonation."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DISABLE_UPDATE_CHECK
|
||||
label: "AUTHENTIK_DISABLE_UPDATE_CHECK"
|
||||
description: "Disable the inbuilt update-checker."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
|
||||
label: "AUTHENTIK_DISABLE_STARTUP_ANALYTICS"
|
||||
description: "Disable the startup analytics."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||
label: "AUTHENTIK_ERROR_REPORTING__ENABLED"
|
||||
description: "Enable error reporting."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__SEND_PII
|
||||
label: "AUTHENTIK_ERROR_REPORTING__SEND_PII"
|
||||
description: "Whether or not to send personal data, like usernames."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
|
||||
label: "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT"
|
||||
description: "Unique environment that is attached to your error reports, should be set to your email address for example."
|
||||
schema:
|
||||
type: string
|
||||
default: "customer"
|
||||
- variable: AUTHENTIK_DEFAULT_TOKEN_LENGTH
|
||||
label: "AUTHENTIK_DEFAULT_TOKEN_LENGTH"
|
||||
description: "Configure the length of generated tokens. Defaults to 128."
|
||||
schema:
|
||||
type: int
|
||||
default: 128
|
||||
- variable: AUTHENTIK_AVATARS
|
||||
label: "AUTHENTIK_AVATARS"
|
||||
description: "Configure how authentik should show avatars for users."
|
||||
schema:
|
||||
type: string
|
||||
default: "gravatar"
|
||||
- variable: AUTHENTIK_LOG_LEVEL
|
||||
label: "AUTHENTIK_LOG_LEVEL"
|
||||
description: "Log level for the server and worker containers."
|
||||
schema:
|
||||
type: string
|
||||
default: "info"
|
||||
enum:
|
||||
- value: trace
|
||||
description: "trace"
|
||||
- value: debug
|
||||
description: "debug"
|
||||
- value: info
|
||||
description: "info"
|
||||
- value: warning
|
||||
description: "warning"
|
||||
- value: error
|
||||
description: "error"
|
||||
- variable: enable_mail_config
|
||||
label: "Enable Email Settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: AUTHENTIK_EMAIL__HOST
|
||||
label: "AUTHENTIK_EMAIL__HOST"
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: password
|
||||
label: "Password (Initial install only)"
|
||||
description: "Password for <akadmin> user. Can be used for any flow executor"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__PORT
|
||||
label: "AUTHENTIK_EMAIL__PORT"
|
||||
- variable: token
|
||||
label: "Token (Initial install only)"
|
||||
description: "The string you specify for this variable is the token key you can use to authenticate yourself to the API"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: general
|
||||
label: "General"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: disable_update_check
|
||||
label: "Disable Update Check"
|
||||
description: "Disable the inbuilt update-checker"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: disable_startup_analytics
|
||||
label: "Disable Startup Analytics"
|
||||
description: "Disable startup analytics"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: allow_user_name_change
|
||||
label: "Allow User Name Change"
|
||||
description: "Enable the ability for users to change their Name"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: allow_user_mail_change
|
||||
label: "Allow User Mail Change"
|
||||
description: "Enable the ability for users to change their Email address"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: allow_user_username_change
|
||||
label: "Allow User Username Change"
|
||||
description: "Enable the ability for users to change their Usernames"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: gdpr_compliance
|
||||
label: "GDPR Compliance"
|
||||
description: "When enabled, all the events caused by a user will be deleted upon the user's deletion"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: impersonation
|
||||
label: "Impersonation"
|
||||
description: "Globally enable/disable impersonation"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: avatars
|
||||
label: "Avatars"
|
||||
description: "Configure how authentik should show avatars for users"
|
||||
schema:
|
||||
type: string
|
||||
default: "gravatar"
|
||||
- variable: token_length
|
||||
label: "Token Length"
|
||||
description: "Configure the length of generated tokens"
|
||||
schema:
|
||||
type: int
|
||||
default: 25
|
||||
- variable: AUTHENTIK_EMAIL__USERNAME
|
||||
label: "AUTHENTIK_EMAIL__USERNAME"
|
||||
default: 128
|
||||
- variable: footer_links
|
||||
label: "Footer Links"
|
||||
description: "This option configures the footer links on the flow executor pages"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__PASSWORD
|
||||
label: "AUTHENTIK_EMAIL__PASSWORD"
|
||||
- variable: mail
|
||||
label: "e-Mail"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: host
|
||||
label: "Mail Server Host"
|
||||
description: "Sets host of mail server"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: port
|
||||
label: "Mail Server Port"
|
||||
description: "Sets port of mail server"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: tls
|
||||
label: "Use TLS for authentication"
|
||||
description: "Sets tls for mail server authentication"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: ssl
|
||||
label: "Use SSL for authentication"
|
||||
description: "Sets ssl for mail server authentication"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: timeout
|
||||
label: "Timeout of authentication"
|
||||
description: "Sets timeout for mail server authentication"
|
||||
schema:
|
||||
type: int
|
||||
default: 10
|
||||
- variable: user
|
||||
label: "Username"
|
||||
description: "Sets username of mail server"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: pass
|
||||
label: "Password"
|
||||
description: "Sets password of mail server"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__USE_TLS
|
||||
label: "AUTHENTIK_EMAIL__USE_TLS"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_EMAIL__USE_SSL
|
||||
label: "AUTHENTIK_EMAIL__USE_SSL"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_EMAIL__TIMEOUT
|
||||
label: "AUTHENTIK_EMAIL__TIMEOUT"
|
||||
schema:
|
||||
type: int
|
||||
default: 10
|
||||
- variable: AUTHENTIK_EMAIL__FROM
|
||||
label: "AUTHENTIK_EMAIL__FROM"
|
||||
description: "Email address authentik will send from, should have a correct @domain. To change the sender's display name, use a format like Name <account@domain>."
|
||||
- variable: from
|
||||
label: "From Address"
|
||||
description: "Email address authentik will send from"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: geoip
|
||||
- variable: error_reporting
|
||||
label: "Error Reporting"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable Reporting"
|
||||
description: "Enables error reporting"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if:
|
||||
subquestions:
|
||||
- variable: send_pii
|
||||
label: "Send Personal Data"
|
||||
description: "Whether or not to send personal data, like usernames"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: environment
|
||||
label: "Environment"
|
||||
description: "Unique environment that is attached to your error reports, should be set to your email address for example."
|
||||
schema:
|
||||
type: string
|
||||
default: "customer"
|
||||
- variable: logging
|
||||
label: "Logging"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: log_level
|
||||
label: "Log Level"
|
||||
description: "Log level for the server and worker containers"
|
||||
schema:
|
||||
type: string
|
||||
default: "info"
|
||||
enum:
|
||||
- value: trace
|
||||
description: "trace"
|
||||
- value: debug
|
||||
description: "debug"
|
||||
- value: info
|
||||
description: "info"
|
||||
- value: warning
|
||||
description: "warning"
|
||||
- value: error
|
||||
description: "error"
|
||||
- variable: metrics
|
||||
label: "Metrics"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Metrics Endpoint"
|
||||
description: "Enables metrics endpoint for Authentik and embedded outpost"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: ldap
|
||||
label: "LDAP"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: tls_ciphers
|
||||
label: "TLS Ciphers"
|
||||
description: "Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources"
|
||||
schema:
|
||||
type: string
|
||||
default: "null"
|
||||
- variable: outposts
|
||||
group: "Container Configuration"
|
||||
label: "Image GeoIP Updater"
|
||||
label: "Outpost Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: ENABLE_GEOIPUPDATER
|
||||
label: "Enable CronJob for GeoIP Updater"
|
||||
- variable: ldap
|
||||
label: "LDAP"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable LDAP outpost"
|
||||
description: "Enable only AFTER you created an LDAP Provider and an API Token"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if:
|
||||
subquestions:
|
||||
- variable: insecure
|
||||
label: "Insecure"
|
||||
description: "Check only if you accessing Authentik in an unsecure way"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: host
|
||||
label: "Authentik Host"
|
||||
description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: token
|
||||
label: "API Token"
|
||||
description: "Generated in the Authentik GUI > Directory > Token & App Passwords"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: metrics
|
||||
label: "Metrics Endpoint"
|
||||
description: "Enables metric endpoint in LDAP Outpost"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: geoip
|
||||
group: "Container Configuration"
|
||||
label: "GeoIP Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable GeoIP Container"
|
||||
description: "Enables GeoIP container"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
default: true
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: GEOIPUPDATE_ACCOUNT_ID
|
||||
label: "GEOIPUPDATE_ACCOUNT_ID"
|
||||
- variable: account_id
|
||||
label: "Account ID"
|
||||
description: "Your MaxMind account ID"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: GEOIPUPDATE_LICENSE_KEY
|
||||
label: "GEOIPUPDATE_LICENSE_KEY"
|
||||
description: "Your case-sensitive MaxMind license key."
|
||||
- variable: license_key
|
||||
label: "License Key"
|
||||
description: "Your case-sensitive MaxMind license key"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: edition_ids
|
||||
label: "Edition IDs"
|
||||
description: "List of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: "GeoLite2-City"
|
||||
- variable: frequency
|
||||
label: "Frequency"
|
||||
description: "The number of hours between geoipupdate runs"
|
||||
schema:
|
||||
type: int
|
||||
min: 1
|
||||
default: 8
|
||||
- variable: host_server
|
||||
label: "Host Server"
|
||||
description: "The host name of the server to use"
|
||||
schema:
|
||||
type: string
|
||||
default: "updates.maxmind.com"
|
||||
- variable: preserve_file_times
|
||||
label: "Preserve File Times"
|
||||
description: "Whether to preserve modification times of files downloaded from the server"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: verbose
|
||||
label: "Verbose"
|
||||
description: "Enable verbose mode. Prints out the steps that geoipupdate takes"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: proxy
|
||||
label: "Proxy"
|
||||
description: "The proxy host name or IP address"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: proxy_user_pass
|
||||
label: "Proxy Pass"
|
||||
description: "The proxy user name and password, separated by a colon"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: GEOIPUPDATE_EDITION_IDS
|
||||
label: "GEOIPUPDATE_EDITION_IDS"
|
||||
description: "ist of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes."
|
||||
schema:
|
||||
type: string
|
||||
default: "GeoIP2-City"
|
||||
- variable: GEOIPUPDATE_HOST
|
||||
label: "GEOIPUPDATE_HOST"
|
||||
description: "The host name of the server to use. The default is updates.maxmind.com."
|
||||
schema:
|
||||
type: string
|
||||
default: "updates.maxmind.com"
|
||||
- variable: GEOIPUPDATE_PRESERVE_FILE_TIMES
|
||||
label: "GEOIPUPDATE_PRESERVE_FILE_TIMES"
|
||||
description: "Whether to preserve modification times of files downloaded from the server. This option is either 0 or 1. The default is 0."
|
||||
schema:
|
||||
type: int
|
||||
default: 0
|
||||
- variable: freqhours
|
||||
label: "FREQUENCY"
|
||||
description: "The number of hours between geoipupdate runs."
|
||||
schema:
|
||||
type: int
|
||||
default: 8
|
||||
# Include{containerConfig}
|
||||
# Include{serviceRoot}
|
||||
- variable: main
|
||||
@@ -243,34 +370,6 @@ questions:
|
||||
# Include{serviceSelector}
|
||||
- variable: main
|
||||
label: "Main Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10230
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9000
|
||||
- variable: https
|
||||
label: "https Service"
|
||||
description: "The https service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: https
|
||||
label: "https Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
@@ -289,6 +388,157 @@ questions:
|
||||
schema:
|
||||
type: int
|
||||
default: 9443
|
||||
- variable: http
|
||||
label: "http Service"
|
||||
description: "The http service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: http
|
||||
label: "http Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10230
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9000
|
||||
- variable: metrics
|
||||
label: "metrics Service"
|
||||
description: "The metrics service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: metrics
|
||||
label: "metrics Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10231
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9301
|
||||
- variable: ldap
|
||||
label: "LDAP Service"
|
||||
description: "The LDAP service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: ldap1
|
||||
label: "ldap1 Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 389
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 3389
|
||||
- variable: ldap2
|
||||
label: "ldap2 Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 636
|
||||
required: true
|
||||
- variable: advanced
|
||||
label: "Show Advanced settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: protocol
|
||||
label: "Port Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "HTTP"
|
||||
enum:
|
||||
- value: HTTP
|
||||
description: "HTTP"
|
||||
- value: "HTTPS"
|
||||
description: "HTTPS"
|
||||
- value: TCP
|
||||
description: "TCP"
|
||||
- value: "UDP"
|
||||
description: "UDP"
|
||||
- variable: nodePort
|
||||
label: "Node Port (Optional)"
|
||||
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
|
||||
schema:
|
||||
type: int
|
||||
min: 9000
|
||||
max: 65535
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 6636
|
||||
- variable: metrics
|
||||
label: "LDAP metrics Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10232
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9300
|
||||
# Include{serviceExpertRoot}
|
||||
default: false
|
||||
# Include{serviceExpert}
|
||||
|
||||
91
charts/incubator/authentik/templates/_config.tpl
Normal file
91
charts/incubator/authentik/templates/_config.tpl
Normal file
@@ -0,0 +1,91 @@
|
||||
{{/* Define the configmap */}}
|
||||
{{- define "authentik.config" -}}
|
||||
|
||||
{{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
|
||||
|
||||
---
|
||||
{{/* This configmap are loaded on both main authentik container and worker */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $authentikConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
|
||||
AUTHENTIK_REDIS__PORT: "6379"
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
|
||||
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
|
||||
AUTHENTIK_POSTGRESQL__PORT: "5432"
|
||||
{{/* Mail */}}
|
||||
AUTHENTIK_EMAIL__PORT: {{ .Values.authentik.mail.port | quote }}
|
||||
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
|
||||
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
|
||||
AUTHENTIK_EMAIL__TIMEOUT: {{ .Values.authentik.mail.timeout | quote }}
|
||||
{{/* Logging */}}
|
||||
{{- with .Values.authentik.logging.log_level }}
|
||||
AUTHENTIK_LOG_LEVEL: {{ . }}
|
||||
{{- end }}
|
||||
{{/* General */}}
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
|
||||
{{- with .Values.authentik.general.avatars }}
|
||||
AUTHENTIK_AVATARS: {{ . }}
|
||||
{{- end }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
|
||||
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
|
||||
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
|
||||
{{- with .Values.authentik.general.footer_links }}
|
||||
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
|
||||
{{- end }}
|
||||
{{/* Error Reporting */}}
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
|
||||
{{- with .Values.authentik.error_reporting.environment }}
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
|
||||
{{- end }}
|
||||
{{/* LDAP */}}
|
||||
{{- with .Values.authentik.ldap.tls_ciphers }}
|
||||
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Metrics */}}
|
||||
AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }}
|
||||
---
|
||||
{{/* This configmap is loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $ldapConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }}
|
||||
{{- with .Values.outposts.ldap.host }}
|
||||
AUTHENTIK_HOST: {{ . }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This configmap is loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $geoipConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.geoip.edition_ids }}
|
||||
GEOIPUPDATE_EDITION_IDS: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
|
||||
{{- with .Values.geoip.host_server }}
|
||||
GEOIPUPDATE_HOST: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: '{{ ternary "1" "0" .Values.geoip.preserve_file_times }}'
|
||||
GEOIPUPDATE_VERBOSE: '{{ ternary "1" "0" .Values.geoip.verbose }}'
|
||||
{{- end }}
|
||||
@@ -1,53 +0,0 @@
|
||||
{{/* Define the cronjob */}}
|
||||
{{- define "authentik.cronjob" -}}
|
||||
{{- $jobName := include "tc.common.names.fullname" . }}
|
||||
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ printf "%s-cronjob" $jobName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
spec:
|
||||
schedule: "0 */{{ .Values.geoip.freqhours }} * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
{{- with .Values.cronjob.failedJobsHistoryLimit }}
|
||||
failedJobsHistoryLimit: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.cronjob.successfulJobsHistoryLimit }}
|
||||
successfulJobsHistoryLimit: {{ . }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
metadata:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
{{- with (include "tc.common.controller.volumes" . | trim) }}
|
||||
volumes:
|
||||
{{- nindent 12 . }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}"
|
||||
env:
|
||||
- name: GEOIPUPDATE_FREQUENCY
|
||||
value: "{{ .Values.geoip.GEOIPUPDATE_FREQUENCY }}"
|
||||
- name: GEOIPUPDATE_PRESERVE_FILE_TIMES
|
||||
value: "{{ .Values.geoip.GEOIPUPDATE_PRESERVE_FILE_TIMES }}"
|
||||
- name: GEOIPUPDATE_ACCOUNT_ID
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID }}
|
||||
- name: GEOIPUPDATE_LICENSE_KEY
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_LICENSE_KEY }}
|
||||
- name: GEOIPUPDATE_EDITION_IDS
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS }}
|
||||
- name: GEOIPUPDATE_HOST
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_HOST }}
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 16 }}
|
||||
{{- end -}}
|
||||
20
charts/incubator/authentik/templates/_geoip.tpl
Normal file
20
charts/incubator/authentik/templates/_geoip.tpl
Normal file
@@ -0,0 +1,20 @@
|
||||
{{/* Define the geoip container */}}
|
||||
{{- define "authentik.geoip" -}}
|
||||
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
|
||||
imagePullPolicy: '{{ .Values.geoipImage.pullPolicy }}'
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
|
||||
{{/* TODO: Add healthchecks */}}
|
||||
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
|
||||
{{- end -}}
|
||||
52
charts/incubator/authentik/templates/_ldap.tpl
Normal file
52
charts/incubator/authentik/templates/_ldap.tpl
Normal file
@@ -0,0 +1,52 @@
|
||||
{{/* Define the ldap container */}}
|
||||
{{- define "authentik.ldap" -}}
|
||||
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
|
||||
imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}'
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
|
||||
ports:
|
||||
- containerPort: 3389
|
||||
- containerPort: 6636
|
||||
{{ if .Values.outposts.ldap.metrics }}
|
||||
- containerPort: 9300
|
||||
name: metrics
|
||||
{{ end }}
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
{{- end -}}
|
||||
84
charts/incubator/authentik/templates/_secret.tpl
Normal file
84
charts/incubator/authentik/templates/_secret.tpl
Normal file
@@ -0,0 +1,84 @@
|
||||
{{/* Define the secret */}}
|
||||
{{- define "authentik.secret" -}}
|
||||
|
||||
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
|
||||
|
||||
---
|
||||
{{/* This secrets are loaded on both main authentik container and worker */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $authentikSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Secret Key */}}
|
||||
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
|
||||
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{- else }}
|
||||
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
|
||||
{{- end }}
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
|
||||
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.authentik.credentials.password }}
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.credentials.token }}
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.host }}
|
||||
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.user }}
|
||||
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.pass }}
|
||||
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.from }}
|
||||
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This secrets are loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $ldapSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.outposts.ldap.token }}
|
||||
AUTHENTIK_TOKEN: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This secrets are loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $geoipSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.geoip.account_id }}
|
||||
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.license_key }}
|
||||
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{/* Proxy */}}
|
||||
{{- with .Values.geoip.proxy }}
|
||||
GEOIPUPDATE_PROXY: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.proxy_user_pass }}
|
||||
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,20 +0,0 @@
|
||||
{{/* Define the secrets */}}
|
||||
{{- define "authentik.secrets" -}}
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: authentik-secrets
|
||||
{{- $authentikprevious := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
|
||||
{{- $secret_key := "" }}
|
||||
data:
|
||||
{{- if $authentikprevious}}
|
||||
AUTHENTIK_SECRET_KEY: {{ index $authentikprevious.data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{- else }}
|
||||
{{- $secret_key := randAlphaNum 32 }}
|
||||
AUTHENTIK_SECRET_KEY: {{ $secret_key | b64enc }}
|
||||
{{- end }}
|
||||
|
||||
{{- end -}}
|
||||
52
charts/incubator/authentik/templates/_worker.tpl
Normal file
52
charts/incubator/authentik/templates/_worker.tpl
Normal file
@@ -0,0 +1,52 @@
|
||||
{{/* Define the worker container */}}
|
||||
{{- define "authentik.worker" -}}
|
||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: false
|
||||
runAsNonRoot: true
|
||||
args: ["worker"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
|
||||
volumeMounts:
|
||||
- name: media
|
||||
mountPath: "/media"
|
||||
- name: templates
|
||||
mountPath: "/templates"
|
||||
- name: certs
|
||||
mountPath: "/certs"
|
||||
- name: geoip
|
||||
mountPath: "/geoip"
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
{{- end -}}
|
||||
@@ -1,12 +1,32 @@
|
||||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.common.loader.init" . }}
|
||||
|
||||
{{/* Render secrets for authentik */}}
|
||||
{{- include "authentik.secrets" . }}
|
||||
{{/* Render secret */}}
|
||||
{{- include "authentik.secret" . }}
|
||||
|
||||
{{- if .Values.geoip.ENABLE_GEOIPUPDATER }}
|
||||
{{/* Render cronjob for authentik */}}
|
||||
{{- include "authentik.cronjob" . }}
|
||||
{{/* Render config */}}
|
||||
{{- include "authentik.config" . }}
|
||||
|
||||
{{- if .Values.authentik.metrics.enabled -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
|
||||
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" ( .Values.service.metrics.ports.metrics.targetPort | quote) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.workerContainer.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.geoip.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.ldap.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}}
|
||||
{{/* - if .Values.outposts.ldap.metrics - */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
{{/* We can't define multiple ports/endpoints with annotations */}}
|
||||
{{/* - end - */}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
|
||||
@@ -8,193 +8,153 @@ geoipImage:
|
||||
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
ldapImage:
|
||||
# TODO: Update this to our mirror
|
||||
repository: ghcr.io/goauthentik/ldap
|
||||
tag: 2022.7.3@sha256:fed2b7e9149bfe9693f7ea1abf87012d643c53e5054415862449c20fe4fe6413
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
extraArgs: ["server"]
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
|
||||
secretEnv:
|
||||
AK_ADMIN_PASS: "supersecret"
|
||||
AK_ADMIN_TOKEN: "supersecretapitoken"
|
||||
workerContainer:
|
||||
enabled: true
|
||||
|
||||
env:
|
||||
AUTHENTIK_POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
AUTHENTIK_POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
AUTHENTIK_POSTGRESQL__PORT: "5432"
|
||||
AUTHENTIK_REDIS__PORT: "6379"
|
||||
# User Defined
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: false
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: true
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: true
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: true
|
||||
AUTHENTIK_GDPR_COMPLIANCE: true
|
||||
AUTHENTIK_IMPERSONATION: true
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: false
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: false
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: false
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " "
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: 128
|
||||
AUTHENTIK_AVATARS: "gravatar"
|
||||
AUTHENTIK_LOG_LEVEL: "warning"
|
||||
AUTHENTIK_EMAIL__HOST: ""
|
||||
AUTHENTIK_EMAIL__PORT: 25
|
||||
AUTHENTIK_EMAIL__USERNAME: ""
|
||||
AUTHENTIK_EMAIL__PASSWORD: ""
|
||||
AUTHENTIK_EMAIL__USE_TLS: false
|
||||
AUTHENTIK_EMAIL__USE_SSL: false
|
||||
AUTHENTIK_EMAIL__TIMEOUT: 10
|
||||
AUTHENTIK_EMAIL__FROM: ""
|
||||
AUTHENTIK_POSTGRESQL__HOST:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: plainhost
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: postgresql-password
|
||||
AUTHENTIK_REDIS__HOST:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: plainhost
|
||||
AUTHENTIK_REDIS__PASSWORD:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: redis-password
|
||||
AUTHENTIK_SECRET_KEY:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
authentik:
|
||||
credentials:
|
||||
password: "supersecret"
|
||||
token: "supersecretapitoken"
|
||||
general:
|
||||
disable_update_check: false
|
||||
disable_startup_analytics: true
|
||||
allow_user_name_change: true
|
||||
allow_user_mail_change: true
|
||||
allow_user_username_change: true
|
||||
gdpr_compliance: true
|
||||
impersonation: true
|
||||
avatars: "gravatar"
|
||||
token_length: 128
|
||||
# Use single quotes for footer_links
|
||||
# TODO: test how scale behaves
|
||||
# eg footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
|
||||
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
|
||||
mail:
|
||||
host: ""
|
||||
port: 25
|
||||
tls: false
|
||||
ssl: false
|
||||
timeout: 10
|
||||
user: ""
|
||||
pass: ""
|
||||
from: ""
|
||||
error_reporting:
|
||||
enabled: false
|
||||
send_pii: false
|
||||
environment: "customer"
|
||||
logging:
|
||||
log_level: "info"
|
||||
ldap:
|
||||
tls_ciphers: "null"
|
||||
metrics:
|
||||
enabled: true
|
||||
# LDAP Outpost listens on 9300. To avoid conflicts
|
||||
# This sets internal Authentik metrics port to 9301
|
||||
internalPort: 9301
|
||||
|
||||
geoip:
|
||||
# Set image's frequence to 0, so it executes once and exits.
|
||||
GEOIPUPDATE_FREQUENCY: 0
|
||||
# User Defined
|
||||
ENABLE_GEOIPUPDATER: false
|
||||
# How often should we run the cronjob to update geoip
|
||||
freqhours: 8
|
||||
GEOIPUPDATE_ACCOUNT_ID: ""
|
||||
GEOIPUPDATE_LICENSE_KEY: ""
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoIP2-City"
|
||||
GEOIPUPDATE_HOST: "updates.maxmind.com"
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: 0
|
||||
enabled: false
|
||||
account_id: ""
|
||||
license_key: ""
|
||||
proxy: ""
|
||||
proxy_user_pass: ""
|
||||
edition_ids: "GeoLite2-City"
|
||||
frequency: 8
|
||||
host_server: "updates.maxmind.com"
|
||||
preserve_file_times: false
|
||||
verbose: false
|
||||
|
||||
outposts:
|
||||
ldap:
|
||||
enabled: false
|
||||
insecure: false
|
||||
host: ""
|
||||
token: "test"
|
||||
metrics: true
|
||||
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
path: "/-/health/live"
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
readiness:
|
||||
path: "/-/health/ready"
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
startup:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
exec:
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
https:
|
||||
enabled: true
|
||||
ports:
|
||||
https:
|
||||
enabled: true
|
||||
protocol: "HTTPS"
|
||||
protocol: HTTPS
|
||||
port: 10229
|
||||
targetPort: 9443
|
||||
|
||||
additionalContainers:
|
||||
worker:
|
||||
name: worker
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
args: ["worker"]
|
||||
volumeMounts:
|
||||
- name: media
|
||||
mountPath: "/media"
|
||||
- name: templates
|
||||
mountPath: "/templates"
|
||||
- name: certs
|
||||
mountPath: "/certs"
|
||||
- name: geoip
|
||||
mountPath: "/geoip"
|
||||
env:
|
||||
- name: AUTHENTIK_REDIS__PORT
|
||||
value: "6379"
|
||||
- name: AUTHENTIK_REDIS__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: plainhost
|
||||
- name: AUTHENTIK_REDIS__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: redis-password
|
||||
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||
value: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
- name: AUTHENTIK_POSTGRESQL__USER
|
||||
value: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
- name: AUTHENTIK_POSTGRESQL__PORT
|
||||
value: "5432"
|
||||
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: plainhost
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: postgresql-password
|
||||
- name: AUTHENTIK_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
- name: AUTHENTIK_LOG_LEVEL
|
||||
value: "{{ .Values.env.AUTHENTIK_LOG_LEVEL }}"
|
||||
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
|
||||
value: "{{ .Values.env.AUTHENTIK_DISABLE_UPDATE_CHECK }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENABLED }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENVIRONMENT }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__SEND_PII
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__SEND_PII }}"
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__HOST }}"
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__PORT }}"
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USERNAME }}"
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__PASSWORD }}"
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_TLS }}"
|
||||
- name: AUTHENTIK_EMAIL__USE_SSL
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_SSL }}"
|
||||
- name: AUTHENTIK_EMAIL__TIMEOUT
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__TIMEOUT }}"
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__FROM }}"
|
||||
- name: AUTHENTIK_AVATARS
|
||||
value: "{{ .Values.env.AUTHENTIK_AVATARS }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_NAME }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME }}"
|
||||
- name: AUTHENTIK_GDPR_COMPLIANCE
|
||||
value: "{{ .Values.env.AUTHENTIK_GDPR_COMPLIANCE }}"
|
||||
- name: AUTHENTIK_DEFAULT_TOKEN_LENGTH
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_TOKEN_LENGTH }}"
|
||||
- name: AUTHENTIK_IMPERSONATION
|
||||
value: "{{ .Values.env.AUTHENTIK_IMPERSONATION }}"
|
||||
- name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
|
||||
value: "{{ .Values.env.AUTHENTIK_DISABLE_STARTUP_ANALYTICS }}"
|
||||
|
||||
cronjob:
|
||||
annotations: {}
|
||||
failedJobsHistoryLimit: 5
|
||||
successfulJobsHistoryLimit: 2
|
||||
http:
|
||||
enabled: true
|
||||
ports:
|
||||
http:
|
||||
enabled: true
|
||||
protocol: HTTP
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
metrics:
|
||||
enabled: true
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
protocol: HTTP
|
||||
port: 10231
|
||||
targetPort: 9301
|
||||
ldap:
|
||||
enabled: false
|
||||
ports:
|
||||
ldap1:
|
||||
enabled: false
|
||||
port: 389
|
||||
targetPort: 3389
|
||||
ldap2:
|
||||
enabled: false
|
||||
port: 636
|
||||
targetPort: 6636
|
||||
metrics:
|
||||
enabled: false
|
||||
port: 10232
|
||||
protocol: HTTP
|
||||
targetPort: 9300
|
||||
|
||||
persistence:
|
||||
media:
|
||||
|
||||
@@ -4,6 +4,7 @@ words:
|
||||
- allowtransparency
|
||||
- APITOKEN
|
||||
- appname
|
||||
- Authentik
|
||||
- autoconnect
|
||||
- backupname
|
||||
- bazarr
|
||||
|
||||
Reference in New Issue
Block a user