From 1920ecf582cf2aed63995f87c9ee5d304f4a6853 Mon Sep 17 00:00:00 2001 
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Date: Wed, 10 Aug 2022 01:14:43 +0300 Subject: [PATCH] feat(authentik): BREAKING CHANGE - Modularize it and add LDAP outpost (#3380) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(authentik): make it modular and maintainable * add volume mounts on worker * move geoip to container instead of cron * remove sercetkey from env and rename tpl * add initial configmap and cleanup * add rest of the config * fix geoip * add footer links config * remove empty space * finish with geoip config and ui * update UI * rename to error reporting * Add ldap outpost * add ldap healthcheck * remove proxy reference * geoip runs as root * geoip issue for heathchecks * add another todo * Give full configuration options on service and move disable/enable login in tpl and add metrics endpoints * change metrics ports of one of the containers to avoid conflicts * whitespace * add note * add notes * expose container ports for ldap * correct ports * Enable prometheus metrics for main container * disable metrics when disabled * not needed * no message * add name to container port, * make note more clear * don't micromanage services. let user do that * lint * define mail secrets only if defined * handle better few secrets * μορε * whoops * handle null * quote "null" * handle poteentialy empty strings * handle empty string * fix * move ports to configmap * move more to configmap * hmm * add placeholders to avoid empty secrets * hmm * hmm * no message * hmm? * maybe? 
* hmm * damn * b64enc all secrets * quote again * turn off geoip and ldap * no rofs on worker * rofs * d * test empty secret * test footer links * disable ldap for ci
---
charts/incubator/authentik/Chart.yaml | 4 +- charts/incubator/authentik/questions.yaml | 668 ++++++++++++------ .../incubator/authentik/templates/_config.tpl | 91 +++ .../authentik/templates/_cronjob.tpl | 53 -- .../incubator/authentik/templates/_geoip.tpl | 20 + .../incubator/authentik/templates/_ldap.tpl | 52 ++ .../incubator/authentik/templates/_secret.tpl | 84 +++ .../authentik/templates/_secrets.tpl | 20 - .../incubator/authentik/templates/_worker.tpl | 52 ++ .../incubator/authentik/templates/common.yaml | 30 +- charts/incubator/authentik/values.yaml | 294 ++++---- cspell.config.yaml | 1 + 12 files changed, 913 insertions(+), 456 deletions(-) create mode 100644 charts/incubator/authentik/templates/_config.tpl delete mode 100644 charts/incubator/authentik/templates/_cronjob.tpl create mode 100644 charts/incubator/authentik/templates/_geoip.tpl create mode 100644 charts/incubator/authentik/templates/_ldap.tpl create mode 100644 charts/incubator/authentik/templates/_secret.tpl delete mode 100644 charts/incubator/authentik/templates/_secrets.tpl create mode 100644 charts/incubator/authentik/templates/_worker.tpl
diff --git a/charts/incubator/authentik/Chart.yaml b/charts/incubator/authentik/Chart.yaml
index 0b42dea512d..070807f9f14 100644
--- a/charts/incubator/authentik/Chart.yaml
+++ b/charts/incubator/authentik/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: "2022.7.3"
 dependencies:
 - name: common
 repository: https://library-charts.truecharts.org
- version: 10.4.9
+ version: 10.4.8
 - condition: postgresql.enabled
 name: postgresql
 repository: https://charts.truecharts.org/
@@ -27,7 +27,7 @@ sources:
 - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
 - https://github.com/goauthentik/authentik
 - https://goauthentik.io/docs/
-version: 2.0.32
+version: 3.0.0
 annotations:
 truecharts.org/catagories: |
 - authentication
diff --git a/charts/incubator/authentik/questions.yaml b/charts/incubator/authentik/questions.yaml
index 312be5856a7..e48bf34843d 100644
--- a/charts/incubator/authentik/questions.yaml
+++ b/charts/incubator/authentik/questions.yaml
@@ -11,226 +11,353 @@ questions: # Include{strategy} # Include{recreate} # Include{controllerExpert} - - variable: secretEnv + - variable: authentik group: "Container Configuration" - label: "Image Secrets" + label: "Authentik Configuration" schema: additional_attrs: true type: dict attrs: - - variable: AK_ADMIN_PASS - label: "AK_ADMIN_PASS (Initial Install Only)" - description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled" + - variable: credentials + label: "Credentials" schema: - type: string - private: true - required: true - default: "" - - variable: AK_ADMIN_TOKEN - label: "AK_ADMIN_TOKEN (Initial Install Only)" - description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled" - schema: - type: string - private: true - required: true - default: "" - - variable: env - group: "Container Configuration" - label: "Image Environment" - schema: - additional_attrs: true - type: dict - attrs: - - variable: AUTHENTIK_DEFAULT_USER_CHANGE_NAME - label: "AUTHENTIK_DEFAULT_USER_CHANGE_NAME" - description: "Enable the ability for users to change their name." - schema: - type: boolean - default: true - - variable: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL - label: "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL" - description: "Enable the ability for users to change their Email address." - schema: - type: boolean - default: true - - variable: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME - label: "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME" - description: "Enable the ability for users to change their Usernames." - schema: - type: boolean - default: true - - variable: AUTHENTIK_GDPR_COMPLIANCE - label: "AUTHENTIK_GDPR_COMPLIANCE" - description: "When enabled, all the events caused by a user will be deleted upon the user's deletion." 
- schema: - type: boolean - default: true - - variable: AUTHENTIK_IMPERSONATION - label: "AUTHENTIK_IMPERSONATION" - description: "Globally enable/disable impersonation." - schema: - type: boolean - default: true - - variable: AUTHENTIK_DISABLE_UPDATE_CHECK - label: "AUTHENTIK_DISABLE_UPDATE_CHECK" - description: "Disable the inbuilt update-checker." - schema: - type: boolean - default: false - - variable: AUTHENTIK_DISABLE_STARTUP_ANALYTICS - label: "AUTHENTIK_DISABLE_STARTUP_ANALYTICS" - description: "Disable the startup analytics." - schema: - type: boolean - default: false - - variable: AUTHENTIK_ERROR_REPORTING__ENABLED - label: "AUTHENTIK_ERROR_REPORTING__ENABLED" - description: "Enable error reporting." - schema: - type: boolean - default: false - - variable: AUTHENTIK_ERROR_REPORTING__SEND_PII - label: "AUTHENTIK_ERROR_REPORTING__SEND_PII" - description: "Whether or not to send personal data, like usernames." - schema: - type: boolean - default: false - - variable: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT - label: "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT" - description: "Unique environment that is attached to your error reports, should be set to your email address for example." - schema: - type: string - default: "customer" - - variable: AUTHENTIK_DEFAULT_TOKEN_LENGTH - label: "AUTHENTIK_DEFAULT_TOKEN_LENGTH" - description: "Configure the length of generated tokens. Defaults to 128." - schema: - type: int - default: 128 - - variable: AUTHENTIK_AVATARS - label: "AUTHENTIK_AVATARS" - description: "Configure how authentik should show avatars for users." - schema: - type: string - default: "gravatar" - - variable: AUTHENTIK_LOG_LEVEL - label: "AUTHENTIK_LOG_LEVEL" - description: "Log level for the server and worker containers." 
- schema: - type: string - default: "info" - enum: - - value: trace - description: "trace" - - value: debug - description: "debug" - - value: info - description: "info" - - value: warning - description: "warning" - - value: error - description: "error" - - variable: enable_mail_config - label: "Enable Email Settings" - schema: - type: boolean - default: false - show_subquestions_if: true - subquestions: - - variable: AUTHENTIK_EMAIL__HOST - label: "AUTHENTIK_EMAIL__HOST" + additional_attrs: true + type: dict + attrs: + - variable: password + label: "Password (Initial install only)" + description: "Password for user. Can be used for any flow executor" schema: type: string + private: true + required: true default: "" - - variable: AUTHENTIK_EMAIL__PORT - label: "AUTHENTIK_EMAIL__PORT" + - variable: token + label: "Token (Initial install only)" + description: "The string you specify for this variable is the token key you can use to authenticate yourself to the API" + schema: + type: string + private: true + required: true + default: "" + - variable: general + label: "General" + schema: + additional_attrs: true + type: dict + attrs: + - variable: disable_update_check + label: "Disable Update Check" + description: "Disable the inbuilt update-checker" + schema: + type: boolean + default: false + - variable: disable_startup_analytics + label: "Disable Startup Analytics" + description: "Disable startup analytics" + schema: + type: boolean + default: true + - variable: allow_user_name_change + label: "Allow User Name Change" + description: "Enable the ability for users to change their Name" + schema: + type: boolean + default: true + - variable: allow_user_mail_change + label: "Allow User Mail Change" + description: "Enable the ability for users to change their Email address" + schema: + type: boolean + default: true + - variable: allow_user_username_change + label: "Allow User Username Change" + description: "Enable the ability for users to change their Usernames" + 
schema: + type: boolean + default: true + - variable: gdpr_compliance + label: "GDPR Compliance" + description: "When enabled, all the events caused by a user will be deleted upon the user's deletion" + schema: + type: boolean + default: true + - variable: impersonation + label: "Impersonation" + description: "Globally enable/disable impersonation" + schema: + type: boolean + default: true + - variable: avatars + label: "Avatars" + description: "Configure how authentik should show avatars for users" + schema: + type: string + default: "gravatar" + - variable: token_length + label: "Token Length" + description: "Configure the length of generated tokens" schema: type: int - default: 25 - - variable: AUTHENTIK_EMAIL__USERNAME - label: "AUTHENTIK_EMAIL__USERNAME" + default: 128 + - variable: footer_links + label: "Footer Links" + description: "This option configures the footer links on the flow executor pages" schema: type: string default: "" - - variable: AUTHENTIK_EMAIL__PASSWORD - label: "AUTHENTIK_EMAIL__PASSWORD" + - variable: mail + label: "e-Mail" + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: "Mail Server Host" + description: "Sets host of mail server" + schema: + type: string + default: "" + - variable: port + label: "Mail Server Port" + description: "Sets port of mail server" + schema: + type: string + default: "" + - variable: tls + label: "Use TLS for authentication" + description: "Sets tls for mail server authentication" + schema: + type: boolean + default: false + - variable: ssl + label: "Use SSL for authentication" + description: "Sets ssl for mail server authentication" + schema: + type: boolean + default: false + - variable: timeout + label: "Timeout of authentication" + description: "Sets timeout for mail server authentication" + schema: + type: int + default: 10 + - variable: user + label: "Username" + description: "Sets username of mail server" + schema: + type: string + default: "" + - variable: pass + label: 
"Password" + description: "Sets password of mail server" schema: type: string private: true default: "" - - variable: AUTHENTIK_EMAIL__USE_TLS - label: "AUTHENTIK_EMAIL__USE_TLS" - schema: - type: boolean - default: false - - variable: AUTHENTIK_EMAIL__USE_SSL - label: "AUTHENTIK_EMAIL__USE_SSL" - schema: - type: boolean - default: false - - variable: AUTHENTIK_EMAIL__TIMEOUT - label: "AUTHENTIK_EMAIL__TIMEOUT" - schema: - type: int - default: 10 - - variable: AUTHENTIK_EMAIL__FROM - label: "AUTHENTIK_EMAIL__FROM" - description: "Email address authentik will send from, should have a correct @domain. To change the sender's display name, use a format like Name ." + - variable: from + label: "From Address" + description: "Email address authentik will send from" schema: type: string default: "" - - variable: geoip + - variable: error_reporting + label: "Error Reporting" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable Reporting" + description: "Enables error reporting" + schema: + type: boolean + default: false + show_subquestions_if: + subquestions: + - variable: send_pii + label: "Send Personal Data" + description: "Whether or not to send personal data, like usernames" + schema: + type: boolean + default: false + - variable: environment + label: "Environment" + description: "Unique environment that is attached to your error reports, should be set to your email address for example." 
+ schema: + type: string + default: "customer" + - variable: logging + label: "Logging" + schema: + additional_attrs: true + type: dict + attrs: + - variable: log_level + label: "Log Level" + description: "Log level for the server and worker containers" + schema: + type: string + default: "info" + enum: + - value: trace + description: "trace" + - value: debug + description: "debug" + - value: info + description: "info" + - value: warning + description: "warning" + - value: error + description: "error" + - variable: metrics + label: "Metrics" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Metrics Endpoint" + description: "Enables metrics endpoint for Authentik and embedded outpost" + schema: + type: boolean + default: false + - variable: ldap + label: "LDAP" + schema: + additional_attrs: true + type: dict + attrs: + - variable: tls_ciphers + label: "TLS Ciphers" + description: "Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources" + schema: + type: string + default: "null" + - variable: outposts group: "Container Configuration" - label: "Image GeoIP Updater" + label: "Outpost Configuration" schema: additional_attrs: true type: dict attrs: - - variable: ENABLE_GEOIPUPDATER - label: "Enable CronJob for GeoIP Updater" + - variable: ldap + label: "LDAP" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable LDAP outpost" + description: "Enable only AFTER you created an LDAP Provider and an API Token" + schema: + type: boolean + default: false + show_subquestions_if: + subquestions: + - variable: insecure + label: "Insecure" + description: "Check only if you accessing Authentik in an unsecure way" + schema: + type: boolean + default: false + - variable: host + label: "Authentik Host" + description: "URL of your Authentik server. (e.g. 
https://auth.domain.com)" + schema: + type: string + required: true + default: "" + - variable: token + label: "API Token" + description: "Generated in the Authentik GUI > Directory > Token & App Passwords" + schema: + type: string + private: true + required: true + default: "" + - variable: metrics + label: "Metrics Endpoint" + description: "Enables metric endpoint in LDAP Outpost" + schema: + type: boolean + default: false + - variable: geoip + group: "Container Configuration" + label: "GeoIP Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: "Enable GeoIP Container" + description: "Enables GeoIP container" schema: type: boolean - default: false + default: true show_subquestions_if: true subquestions: - - variable: GEOIPUPDATE_ACCOUNT_ID - label: "GEOIPUPDATE_ACCOUNT_ID" + - variable: account_id + label: "Account ID" description: "Your MaxMind account ID" schema: type: string private: true + required: true default: "" - - variable: GEOIPUPDATE_LICENSE_KEY - label: "GEOIPUPDATE_LICENSE_KEY" - description: "Your case-sensitive MaxMind license key." + - variable: license_key + label: "License Key" + description: "Your case-sensitive MaxMind license key" + schema: + type: string + private: true + required: true + default: "" + - variable: edition_ids + label: "Edition IDs" + description: "List of space-separated database edition IDs. 
Edition IDs may consist of letters, digits, and dashes" + schema: + type: string + required: true + default: "GeoLite2-City" + - variable: frequency + label: "Frequency" + description: "The number of hours between geoipupdate runs" + schema: + type: int + min: 1 + default: 8 + - variable: host_server + label: "Host Server" + description: "The host name of the server to use" + schema: + type: string + default: "updates.maxmind.com" + - variable: preserve_file_times + label: "Preserve File Times" + description: "Whether to preserve modification times of files downloaded from the server" + schema: + type: boolean + default: false + - variable: verbose + label: "Verbose" + description: "Enable verbose mode. Prints out the steps that geoipupdate takes" + schema: + type: boolean + default: false + - variable: proxy + label: "Proxy" + description: "The proxy host name or IP address" + schema: + type: string + default: "" + - variable: proxy_user_pass + label: "Proxy Pass" + description: "The proxy user name and password, separated by a colon" schema: type: string private: true default: "" - - variable: GEOIPUPDATE_EDITION_IDS - label: "GEOIPUPDATE_EDITION_IDS" - description: "ist of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes." - schema: - type: string - default: "GeoIP2-City" - - variable: GEOIPUPDATE_HOST - label: "GEOIPUPDATE_HOST" - description: "The host name of the server to use. The default is updates.maxmind.com." - schema: - type: string - default: "updates.maxmind.com" - - variable: GEOIPUPDATE_PRESERVE_FILE_TIMES - label: "GEOIPUPDATE_PRESERVE_FILE_TIMES" - description: "Whether to preserve modification times of files downloaded from the server. This option is either 0 or 1. The default is 0." - schema: - type: int - default: 0 - - variable: freqhours - label: "FREQUENCY" - description: "The number of hours between geoipupdate runs." 
- schema: - type: int - default: 8 # Include{containerConfig} # Include{serviceRoot} - variable: main @@ -243,34 +370,6 @@ questions: # Include{serviceSelector} - variable: main label: "Main Service Port Configuration" - schema: - additional_attrs: true - type: dict - attrs: - - variable: port - label: "Port" - description: "This port exposes the container port on the service" - schema: - type: int - default: 10230 - required: true -# Include{advancedPortHTTP} - - variable: targetPort - label: "Target Port" - description: "The internal(!) port on the container the Application runs on" - schema: - type: int - default: 9000 - - variable: https - label: "https Service" - description: "The https service." - schema: - additional_attrs: true - type: dict - attrs: -# Include{serviceSelector} - - variable: https - label: "https Service Port Configuration" schema: additional_attrs: true type: dict 
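Review bot: `tls_ciphers` is given `default: "null"`, a non-empty string, so the `{{- with .Values.authentik.ldap.tls_ciphers }}` guard in the new `_config.tpl` cannot skip the key and every install that keeps the default ships `AUTHENTIK_LDAP__TLS__CIPHERS: "null"`; unless authentik itself decodes that string back to no value, the server receives a cipher list literally named null. `default: ""` follows the convention the other optional strings in this hunk use and lets the guard work. The `show_subquestions_if:` entries under `error_reporting.enabled` and `outposts.ldap.enabled` carry no value, which YAML reads as null, unlike the `show_subquestions_if: true` used for `geoip.enabled` below; if the UI compares the flag's value against this, those subquestions are never revealed. The `insecure` description reads "if you accessing" — `description: "Check only if you are accessing Authentik over an insecure connection"`.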
@@ -289,6 +388,157 @@ questions: schema: type: int default: 9443 + - variable: http + label: "http Service" + description: "The http service." + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: http + label: "http Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10230 + required: true +# Include{advancedPortHTTP} + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 9000 + - variable: metrics + label: "metrics Service" + description: "The metrics service." + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: metrics + label: "metrics Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10231 + required: true +# Include{advancedPortHTTP} + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 9301 + - variable: ldap + label: "LDAP Service" + description: "The LDAP service." + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: ldap1 + label: "ldap1 Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 389 + required: true +# Include{advancedPortHTTP} + - variable: targetPort + label: "Target Port" + description: "The internal(!) 
port on the container the Application runs on" + schema: + type: int + default: 3389 + - variable: ldap2 + label: "ldap2 Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 636 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTP" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 6636 + - variable: metrics + label: "LDAP metrics Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10232 + required: true +# Include{advancedPortHTTP} + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 9300 # Include{serviceExpertRoot} default: false # Include{serviceExpert} diff --git a/charts/incubator/authentik/templates/_config.tpl b/charts/incubator/authentik/templates/_config.tpl new file mode 100644 index 00000000000..cd1824037d8 --- /dev/null +++ b/charts/incubator/authentik/templates/_config.tpl 
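Review bot: The `ldap2` port block hard-codes its own `protocol` enum with `default: "HTTP"` for what is the LDAPS port (636 → 6636), and `ldap1` pulls in `# Include{advancedPortHTTP}` for plain LDAP (389 → 3389); both label a TCP listener as HTTP, which matters if the common chart derives ingress or probe settings from the service protocol (decided outside this chunk). Use `default: "TCP"` for `ldap2` and give `ldap1` the same explicit TCP block instead of the HTTP include. The `metrics` and `ldap` services are added unconditionally here while `authentik.metrics.enabled` and `outposts.ldap.enabled` in the earlier hunk default to false; whether the services are gated on those flags is settled in `common.yaml`, which this chunk does not show, so a note such as `# enabled/disabled via outposts.ldap.enabled in common.yaml` above the `ldap` service would help the next reader.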
@@ -0,0 +1,91 @@
+{{/* Define the configmap */}}
+{{- define "authentik.config" -}}
+
+{{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
+{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
+{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
+
+---
+{{/* This configmap are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $authentikConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Dependencies */}}
+ AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
+ AUTHENTIK_REDIS__PORT: "6379"
+ AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
+ AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
+ AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
+ AUTHENTIK_POSTGRESQL__PORT: "5432"
+ {{/* Mail */}}
+ AUTHENTIK_EMAIL__PORT: {{ .Values.authentik.mail.port | quote }}
+ AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
+ AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
+ AUTHENTIK_EMAIL__TIMEOUT: {{ .Values.authentik.mail.timeout | quote }}
+ {{/* Logging */}}
+ {{- with .Values.authentik.logging.log_level }}
+ AUTHENTIK_LOG_LEVEL: {{ . }}
+ {{- end }}
+ {{/* General */}}
+ AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
+ AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
+ {{- with .Values.authentik.general.avatars }}
+ AUTHENTIK_AVATARS: {{ . }}
+ {{- end }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
+ AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
+ AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
+ AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
+ {{- with .Values.authentik.general.footer_links }}
+ AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
+ {{- end }}
+ {{/* Error Reporting */}}
+ AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
+ AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
+ {{- with .Values.authentik.error_reporting.environment }}
+ AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
+ {{- end }}
+ {{/* LDAP */}}
+ {{- with .Values.authentik.ldap.tls_ciphers }}
+ AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
+ {{- end }}
+ {{/* Metrics */}}
+ AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }}
+---
+{{/* This configmap is loaded on ldap container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $ldapConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }}
+ {{- with .Values.outposts.ldap.host }}
+ AUTHENTIK_HOST: {{ . }}
+ {{- end }}
+---
+{{/* This configmap is loaded on geoip container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $geoipConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{- with .Values.geoip.edition_ids }}
+ GEOIPUPDATE_EDITION_IDS: {{ . }}
+ {{- end }}
+ GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
+ {{- with .Values.geoip.host_server }}
+ GEOIPUPDATE_HOST: {{ . }}
+ {{- end }}
+ GEOIPUPDATE_PRESERVE_FILE_TIMES: '{{ ternary "1" "0" .Values.geoip.preserve_file_times }}'
+ GEOIPUPDATE_VERBOSE: '{{ ternary "1" "0" .Values.geoip.verbose }}'
+{{- end }}
diff --git a/charts/incubator/authentik/templates/_cronjob.tpl b/charts/incubator/authentik/templates/_cronjob.tpl
deleted file mode 100644
index 68a58ac4201..00000000000
--- a/charts/incubator/authentik/templates/_cronjob.tpl
+++ /dev/null
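Review bot: Quoting is inconsistent across the ConfigMap data: `AUTHENTIK_LOG_LEVEL`, `AUTHENTIK_AVATARS`, `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT`, `AUTHENTIK_HOST`, `GEOIPUPDATE_EDITION_IDS`, `GEOIPUPDATE_HOST`, `AUTHENTIK_POSTGRESQL__NAME` and `AUTHENTIK_POSTGRESQL__USER` are rendered bare while their neighbours go through `| quote`. ConfigMap `data` values must be strings, so a user value that YAML retypes (a bare number, `yes`/`no`, or text containing `: ` or ` #`) is either rejected by the API server or silently changed, and `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT` (documented as an e-mail address) and `AUTHENTIK_HOST` (a URL) are free text from the UI. Apply `| quote` uniformly, e.g. `AUTHENTIK_HOST: {{ . | quote }}` and `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . | quote }}`. `AUTHENTIK_EMAIL__PORT` is quoted from a string question whose default is `""`, so an install with mail unconfigured still exports an empty port variable; presumably harmless while the host is unset, but a `{{- with }}` guard like the other mail keys would avoid relying on that.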
@@ -1,53 +0,0 @@
-{{/* Define the cronjob */}}
-{{- define "authentik.cronjob" -}}
-{{- $jobName := include "tc.common.names.fullname" . }}
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: {{ printf "%s-cronjob" $jobName }}
- labels:
- {{- include "tc.common.labels" . | nindent 4 }}
-spec:
- schedule: "0 */{{ .Values.geoip.freqhours }} * * *"
- concurrencyPolicy: Forbid
- {{- with .Values.cronjob.failedJobsHistoryLimit }}
- failedJobsHistoryLimit: {{ . }}
- {{- end }}
- {{- with .Values.cronjob.successfulJobsHistoryLimit }}
- successfulJobsHistoryLimit: {{ . }}
- {{- end }}
- jobTemplate:
- metadata:
- spec:
- template:
- metadata:
- spec:
- restartPolicy: Never
- {{- with (include "tc.common.controller.volumes" . | trim) }}
- volumes:
- {{- nindent 12 . }}
- {{- end }}
- containers:
- - name: {{ .Chart.Name }}
- image: "{{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}"
- env:
- - name: GEOIPUPDATE_FREQUENCY
- value: "{{ .Values.geoip.GEOIPUPDATE_FREQUENCY }}"
- - name: GEOIPUPDATE_PRESERVE_FILE_TIMES
- value: "{{ .Values.geoip.GEOIPUPDATE_PRESERVE_FILE_TIMES }}"
- - name: GEOIPUPDATE_ACCOUNT_ID
- value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID }}
- - name: GEOIPUPDATE_LICENSE_KEY
- value: {{ .Values.geoip.GEOIPUPDATE_LICENSE_KEY }}
- - name: GEOIPUPDATE_EDITION_IDS
- value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS }}
- - name: GEOIPUPDATE_HOST
- value: {{ .Values.geoip.GEOIPUPDATE_HOST }}
- volumeMounts:
- - name: geoip
- mountPath: "/usr/share/GeoIP"
- resources:
-{{ toYaml .Values.resources | indent 16 }}
-{{- end -}}
diff --git a/charts/incubator/authentik/templates/_geoip.tpl b/charts/incubator/authentik/templates/_geoip.tpl
new file mode 100644
index 00000000000..269ce6e5b1f
--- /dev/null
+++ b/charts/incubator/authentik/templates/_geoip.tpl
@@ -0,0 +1,20 @@
+{{/* Define the geoip container */}}
+{{- define "authentik.geoip" -}}
+image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
+imagePullPolicy: '{{ .Values.geoipImage.pullPolicy }}'
+securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+volumeMounts:
+ - name: geoip
+ mountPath: "/usr/share/GeoIP"
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
+{{/* TODO: Add healthchecks */}}
+{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
+{{- end -}}
diff --git a/charts/incubator/authentik/templates/_ldap.tpl b/charts/incubator/authentik/templates/_ldap.tpl
new file mode 100644
index 00000000000..f29e4bafa41
--- /dev/null
+++ b/charts/incubator/authentik/templates/_ldap.tpl
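Review bot: The geoip sidecar runs as uid/gid 0 with `runAsNonRoot: false` and no capability restriction, inside the same pod as the authentik server; the commit message says it has to run as root, but the template does not record why, and nothing beyond the read-only rootfs limits what a compromised updater could do with that uid. Add a template comment stating the reason (presumably the updater must write the shared `/usr/share/GeoIP` volume with the ownership the main container expects — confirm), and tighten the context with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, which an HTTPS download into a mounted volume should not need. With the healthcheck TODO still open the container also gives no restart signal when updates fail, so the comment should say that too.
```yaml
securityContext:
  # geoipupdate runs as root so it can write the shared GeoIP volume
  # (<reason — TODO confirm with the maintainer>); keep the rest minimal.
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
# … unchanged: volumeMounts, envFrom, TODO comments …
```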
@@ -0,0 +1,52 @@
+{{/* Define the ldap container */}}
+{{- define "authentik.ldap" -}}
+image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
+imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}'
+securityContext:
+ runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+ runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
+ports:
+ - containerPort: 3389
+ - containerPort: 6636
+{{ if .Values.outposts.ldap.metrics }}
+ - containerPort: 9300
+ name: metrics
+{{ end }}
+readinessProbe:
+ exec:
+ command:
+ - "wget"
+ - "--spider"
+ - "http://localhost:9300/outpost.goauthentik.io/ping"
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ exec:
+ command:
+ - "wget"
+ - "--spider"
+ - "http://localhost:9300/outpost.goauthentik.io/ping"
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ exec:
+ command:
+ - "wget"
+ - "--spider"
+ - "http://localhost:9300/outpost.goauthentik.io/ping"
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
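Review bot: The container ports `3389`, `6636` and `9300` and the probe URL `http://localhost:9300/outpost.goauthentik.io/ping` are hard-coded here, while the service hunk in questions.yaml exposes the same three numbers as editable `targetPort` defaults, so a user who changes a target port in the UI ends up with a service pointing at a port this container no longer declares; render the `containerPort` values and the probe URL from the same values the service reads. All three probes also hit the metrics listener even when `outposts.ldap.metrics` is false, which only drops the port declaration; that is fine only if the outpost always serves the ping endpoint on 9300 regardless of the flag — confirm, and record it with a comment above the probes such as `# the ping endpoint is served on the metrics listener, which is always on`. The three probe blocks are identical apart from the `.Values.probes.<name>` lookup; a `{{- range }}` over the probe names, or one `define` used three times, keeps the URL in a single place.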
diff --git a/charts/incubator/authentik/templates/_secret.tpl b/charts/incubator/authentik/templates/_secret.tpl
new file mode 100644
index 00000000000..4547e3dd7f9
--- /dev/null
+++ b/charts/incubator/authentik/templates/_secret.tpl
@@ -0,0 +1,84 @@ +{{/* Define the secret */}} +{{- define "authentik.secret" -}} + +{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }} +{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }} +{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }} + +--- +{{/* This secrets are loaded on both main authentik container and worker */}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ $authentikSecretName }} + labels: + {{- include "tc.common.labels" . | nindent 4 }} +data: + {{/* Secret Key */}} + {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }} + AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }} + {{- else }} + AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }} + {{- end }} + {{/* Dependencies */}} + AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }} + AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }} + {{/* Credentials */}} + {{- with .Values.authentik.credentials.password }} + AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }} + {{- end }} + {{- with .Values.authentik.credentials.token }} + AUTHENTIK_BOOTSTRAP_TOKEN: {{ . | b64enc }} + {{- end }} + {{/* Mail */}} + {{- with .Values.authentik.mail.host }} + AUTHENTIK_EMAIL__HOST: {{ . | b64enc }} + {{- end }} + {{- with .Values.authentik.mail.user }} + AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }} + {{- end }} + {{- with .Values.authentik.mail.pass }} + AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }} + {{- end }} + {{- with .Values.authentik.mail.from }} + AUTHENTIK_EMAIL__FROM: {{ . | b64enc }} + {{- end }} +--- +{{/* This secrets are loaded on ldap container */}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ $ldapSecretName }} + labels: + {{- include "tc.common.labels" . 
| nindent 4 }} +data: + {{- with .Values.outposts.ldap.token }} + AUTHENTIK_TOKEN: {{ . | b64enc }} + {{- end }} +--- +{{/* This secrets are loaded on geoip container */}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ $geoipSecretName }} + labels: + {{- include "tc.common.labels" . | nindent 4 }} +data: + {{/* Credentials */}} + {{- with .Values.geoip.account_id }} + GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }} + {{- end }} + {{- with .Values.geoip.license_key }} + GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }} + {{- end }} + {{/* Proxy */}} + {{- with .Values.geoip.proxy }} + GEOIPUPDATE_PROXY: {{ . | b64enc }} + {{- end }} + {{- with .Values.geoip.proxy_user_pass }} + GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }} + {{- end }} +{{- end }} diff --git a/charts/incubator/authentik/templates/_secrets.tpl b/charts/incubator/authentik/templates/_secrets.tpl deleted file mode 100644 index 2769adbb299..00000000000 --- a/charts/incubator/authentik/templates/_secrets.tpl +++ /dev/null @@ -1,20 +0,0 @@ -{{/* Define the secrets */}} -{{- define "authentik.secrets" -}} ---- - -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: authentik-secrets -{{- $authentikprevious := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }} -{{- $secret_key := "" }} -data: - {{- if $authentikprevious}} - AUTHENTIK_SECRET_KEY: {{ index $authentikprevious.data "AUTHENTIK_SECRET_KEY" }} - {{- else }} - {{- $secret_key := randAlphaNum 32 }} - AUTHENTIK_SECRET_KEY: {{ $secret_key | b64enc }} - {{- end }} - -{{- end -}} diff --git a/charts/incubator/authentik/templates/_worker.tpl b/charts/incubator/authentik/templates/_worker.tpl new file mode 100644 index 00000000000..2a00d08c0bf --- /dev/null +++ b/charts/incubator/authentik/templates/_worker.tpl 
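Review bot: On upgrade from the previous release the lookup at `{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}` finds nothing, because the deleted `_secrets.tpl` stored the key in a secret named `authentik-secrets` while the new name is `<fullname>-authentik-secret`, so a fresh AUTHENTIK_SECRET_KEY is generated and everything signed with the old key (sessions, cookies) stops validating; authentik documents this key as something not to change after first install. A one-release fallback that reads the old secret name before generating, sketched below, makes the rename transparent and can be dropped later. Two smaller points: `lookup` returns nothing under `helm template` and `--dry-run`, so the key is regenerated in those modes regardless and a comment saying so would help, and `{{ index .data "AUTHENTIK_SECRET_KEY" }}` renders an empty value rather than regenerating when an existing secret lacks that key.
```yaml
  {{/* Secret Key: reuse the existing key, falling back to the pre-rename "authentik-secrets" secret */}}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace $authentikSecretName }}
  {{- if not $existing }}
  {{- $existing = lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
  {{- end }}
  {{- with $existing }}
  AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
  {{- else }}
  AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
  {{- end }}
  {{/* … unchanged: dependency, credential and mail keys … */}}
```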
@@ -0,0 +1,52 @@
+{{/* Define the worker container */}}
+{{- define "authentik.worker" -}}
+image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+securityContext:
+ runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+ runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+args: ["worker"]
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
+volumeMounts:
+ - name: media
+ mountPath: "/media"
+ - name: templates
+ mountPath: "/templates"
+ - name: certs
+ mountPath: "/certs"
+ - name: geoip
+ mountPath: "/geoip"
+readinessProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
diff --git a/charts/incubator/authentik/templates/common.yaml b/charts/incubator/authentik/templates/common.yaml
index ca3fd554674..8acd79b2756 100644
--- a/charts/incubator/authentik/templates/common.yaml +++ b/charts/incubator/authentik/templates/common.yaml @@ -1,12 +1,32 @@ {{/* Make sure all variables are set properly */}} {{- include "tc.common.loader.init" . }} -{{/* Render secrets for authentik */}} -{{- include "authentik.secrets" . }} +{{/* Render secret */}} +{{- include "authentik.secret" . }} -{{- if .Values.geoip.ENABLE_GEOIPUPDATER }} -{{/* Render cronjob for authentik */}} -{{- include "authentik.cronjob" . }} +{{/* Render config */}} +{{- include "authentik.config" . }} + +{{- if .Values.authentik.metrics.enabled -}} +{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}} +{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}} +{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" ( .Values.service.metrics.ports.metrics.targetPort | quote) -}} +{{- end -}} + +{{- if .Values.workerContainer.enabled -}} +{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}} +{{- end -}} + +{{- if .Values.geoip.enabled -}} +{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}} +{{- end -}} + +{{- if .Values.outposts.ldap.enabled -}} +{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}} +{{/* - if .Values.outposts.ldap.metrics - */}} +{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}} +{{/* We can't define multiple ports/endpoints with annotations */}} +{{/* - end - */}} {{- end -}} {{/* Render the templates */}} diff --git a/charts/incubator/authentik/values.yaml b/charts/incubator/authentik/values.yaml index d98ee2c4f69..29f1ec43591 100644 --- a/charts/incubator/authentik/values.yaml +++ b/charts/incubator/authentik/values.yaml 
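Review bot: The third `set` in the metrics block writes `prometheus.io/scrape` a second time with the port value, so after rendering the scrape annotation is `"9301"` (the `service.metrics.ports.metrics.targetPort` from values.yaml) instead of `"true"` and no `prometheus.io/port` annotation is emitted at all; the line should read `{{- $_ := set .Values.podAnnotations "prometheus.io/port" ( .Values.service.metrics.ports.metrics.targetPort | quote) -}}`. These `set` calls also assume `.Values.podAnnotations` is already a map; if a values override ever leaves it null, `set` on nil fails the render, so it may be worth initialising it with `{{- $_ := set .Values "podAnnotations" (default dict .Values.podAnnotations) -}}` before the block. The commented-out ldap metrics block with its TODO is fine as a marker, but the pseudo-template `{{/* - if ... - */}}` lines are easy to mistake for live code; a plain TODO comment reads clearer.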
@@ -8,193 +8,153 @@ geoipImage: tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce pullPolicy: IfNotPresent +ldapImage: + # TODO: Update this to our mirror + repository: ghcr.io/goauthentik/ldap + tag: 2022.7.3@sha256:fed2b7e9149bfe9693f7ea1abf87012d643c53e5054415862449c20fe4fe6413 + pullPolicy: IfNotPresent + extraArgs: ["server"] podSecurityContext: runAsUser: 1000 runAsGroup: 1000 -secretEnv: - AK_ADMIN_PASS: "supersecret" - AK_ADMIN_TOKEN: "supersecretapitoken" +workerContainer: + enabled: true -env: - AUTHENTIK_POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}" - AUTHENTIK_POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}" - AUTHENTIK_POSTGRESQL__PORT: "5432" - AUTHENTIK_REDIS__PORT: "6379" - # User Defined - AUTHENTIK_DISABLE_UPDATE_CHECK: false - AUTHENTIK_DEFAULT_USER_CHANGE_NAME: true - AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: true - AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: true - AUTHENTIK_GDPR_COMPLIANCE: true - AUTHENTIK_IMPERSONATION: true - AUTHENTIK_DISABLE_STARTUP_ANALYTICS: false - AUTHENTIK_ERROR_REPORTING__ENABLED: false - AUTHENTIK_ERROR_REPORTING__SEND_PII: false - AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " " - AUTHENTIK_DEFAULT_TOKEN_LENGTH: 128 - AUTHENTIK_AVATARS: "gravatar" - AUTHENTIK_LOG_LEVEL: "warning" - AUTHENTIK_EMAIL__HOST: "" - AUTHENTIK_EMAIL__PORT: 25 - AUTHENTIK_EMAIL__USERNAME: "" - AUTHENTIK_EMAIL__PASSWORD: "" - AUTHENTIK_EMAIL__USE_TLS: false - AUTHENTIK_EMAIL__USE_SSL: false - AUTHENTIK_EMAIL__TIMEOUT: 10 - AUTHENTIK_EMAIL__FROM: "" - AUTHENTIK_POSTGRESQL__HOST: - secretKeyRef: - name: dbcreds - key: plainhost - AUTHENTIK_POSTGRESQL__PASSWORD: - secretKeyRef: - name: dbcreds - key: postgresql-password - AUTHENTIK_REDIS__HOST: - secretKeyRef: - name: rediscreds - key: plainhost - AUTHENTIK_REDIS__PASSWORD: - secretKeyRef: - name: rediscreds - key: redis-password - AUTHENTIK_SECRET_KEY: - secretKeyRef: - name: authentik-secrets - key: AUTHENTIK_SECRET_KEY +authentik: + 
credentials: + password: "supersecret" + token: "supersecretapitoken" + general: + disable_update_check: false + disable_startup_analytics: true + allow_user_name_change: true + allow_user_mail_change: true + allow_user_username_change: true + gdpr_compliance: true + impersonation: true + avatars: "gravatar" + token_length: 128 + # Use single quotes for footer_links + # TODO: test how scale behaves + # eg footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]' + footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]' + mail: + host: "" + port: 25 + tls: false + ssl: false + timeout: 10 + user: "" + pass: "" + from: "" + error_reporting: + enabled: false + send_pii: false + environment: "customer" + logging: + log_level: "info" + ldap: + tls_ciphers: "null" + metrics: + enabled: true + # LDAP Outpost listens on 9300. To avoid conflicts + # This sets internal Authentik metrics port to 9301 + internalPort: 9301 geoip: - # Set image's frequence to 0, so it executes once and exits. - GEOIPUPDATE_FREQUENCY: 0 - # User Defined - ENABLE_GEOIPUPDATER: false - # How often should we run the cronjob to update geoip - freqhours: 8 - GEOIPUPDATE_ACCOUNT_ID: "" - GEOIPUPDATE_LICENSE_KEY: "" - GEOIPUPDATE_EDITION_IDS: "GeoIP2-City" - GEOIPUPDATE_HOST: "updates.maxmind.com" - GEOIPUPDATE_PRESERVE_FILE_TIMES: 0 + enabled: false + account_id: "" + license_key: "" + proxy: "" + proxy_user_pass: "" + edition_ids: "GeoLite2-City" + frequency: 8 + host_server: "updates.maxmind.com" + preserve_file_times: false + verbose: false + +outposts: + ldap: + enabled: false + insecure: false + host: "" + token: "test" + metrics: true + +envFrom: + - secretRef: + name: '{{ include "tc.common.names.fullname" . }}-authentik-secret' + - configMapRef: + name: '{{ include "tc.common.names.fullname" . 
}}-authentik-config' probes: liveness: - path: "/-/health/live" + enabled: true + custom: true + spec: + exec: + command: + - /lifecycle/ak + - healthcheck readiness: - path: "/-/health/ready" + enabled: true + custom: true + spec: + exec: + command: + - /lifecycle/ak + - healthcheck + startup: + enabled: true + custom: true + spec: + exec: + command: + - /lifecycle/ak + - healthcheck service: main: ports: main: - port: 10230 - targetPort: 9000 - https: - enabled: true - ports: - https: - enabled: true - protocol: "HTTPS" + protocol: HTTPS port: 10229 targetPort: 9443 - -additionalContainers: - worker: - name: worker - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - args: ["worker"] - volumeMounts: - - name: media - mountPath: "/media" - - name: templates - mountPath: "/templates" - - name: certs - mountPath: "/certs" - - name: geoip - mountPath: "/geoip" - env: - - name: AUTHENTIK_REDIS__PORT - value: "6379" - - name: AUTHENTIK_REDIS__HOST - valueFrom: - secretKeyRef: - name: rediscreds - key: plainhost - - name: AUTHENTIK_REDIS__PASSWORD - valueFrom: - secretKeyRef: - name: rediscreds - key: redis-password - - name: AUTHENTIK_POSTGRESQL__NAME - value: "{{ .Values.postgresql.postgresqlDatabase }}" - - name: AUTHENTIK_POSTGRESQL__USER - value: "{{ .Values.postgresql.postgresqlUsername }}" - - name: AUTHENTIK_POSTGRESQL__PORT - value: "5432" - - name: AUTHENTIK_POSTGRESQL__HOST - valueFrom: - secretKeyRef: - name: dbcreds - key: plainhost - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: dbcreds - key: postgresql-password - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - name: authentik-secrets - key: AUTHENTIK_SECRET_KEY - - name: AUTHENTIK_LOG_LEVEL - value: "{{ .Values.env.AUTHENTIK_LOG_LEVEL }}" - - name: AUTHENTIK_DISABLE_UPDATE_CHECK - value: "{{ .Values.env.AUTHENTIK_DISABLE_UPDATE_CHECK }}" - - name: AUTHENTIK_ERROR_REPORTING__ENABLED - value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENABLED }}" - - 
name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT - value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENVIRONMENT }}" - - name: AUTHENTIK_ERROR_REPORTING__SEND_PII - value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__SEND_PII }}" - - name: AUTHENTIK_EMAIL__HOST - value: "{{ .Values.env.AUTHENTIK_EMAIL__HOST }}" - - name: AUTHENTIK_EMAIL__PORT - value: "{{ .Values.env.AUTHENTIK_EMAIL__PORT }}" - - name: AUTHENTIK_EMAIL__USERNAME - value: "{{ .Values.env.AUTHENTIK_EMAIL__USERNAME }}" - - name: AUTHENTIK_EMAIL__PASSWORD - value: "{{ .Values.env.AUTHENTIK_EMAIL__PASSWORD }}" - - name: AUTHENTIK_EMAIL__USE_TLS - value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_TLS }}" - - name: AUTHENTIK_EMAIL__USE_SSL - value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_SSL }}" - - name: AUTHENTIK_EMAIL__TIMEOUT - value: "{{ .Values.env.AUTHENTIK_EMAIL__TIMEOUT }}" - - name: AUTHENTIK_EMAIL__FROM - value: "{{ .Values.env.AUTHENTIK_EMAIL__FROM }}" - - name: AUTHENTIK_AVATARS - value: "{{ .Values.env.AUTHENTIK_AVATARS }}" - - name: AUTHENTIK_DEFAULT_USER_CHANGE_NAME - value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_NAME }}" - - name: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL - value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL }}" - - name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME - value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME }}" - - name: AUTHENTIK_GDPR_COMPLIANCE - value: "{{ .Values.env.AUTHENTIK_GDPR_COMPLIANCE }}" - - name: AUTHENTIK_DEFAULT_TOKEN_LENGTH - value: "{{ .Values.env.AUTHENTIK_DEFAULT_TOKEN_LENGTH }}" - - name: AUTHENTIK_IMPERSONATION - value: "{{ .Values.env.AUTHENTIK_IMPERSONATION }}" - - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS - value: "{{ .Values.env.AUTHENTIK_DISABLE_STARTUP_ANALYTICS }}" - -cronjob: - annotations: {} - failedJobsHistoryLimit: 5 - successfulJobsHistoryLimit: 2 + http: + enabled: true + ports: + http: + enabled: true + protocol: HTTP + port: 10230 + targetPort: 9000 + metrics: + enabled: true + ports: + metrics: + enabled: true + protocol: 
HTTP + port: 10231 + targetPort: 9301 + ldap: + enabled: false + ports: + ldap1: + enabled: false + port: 389 + targetPort: 3389 + ldap2: + enabled: false + port: 636 + targetPort: 6636 + metrics: + enabled: false + port: 10232 + protocol: HTTP + targetPort: 9300 persistence: media: diff --git a/cspell.config.yaml b/cspell.config.yaml index 746425bd067..5760b190101 100644 --- a/cspell.config.yaml +++ b/cspell.config.yaml @@ -4,6 +4,7 @@ words: - allowtransparency - APITOKEN - appname + - Authentik - autoconnect - backupname - bazarr
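Review bot: The new `authentik.credentials` block ships `password: "supersecret"` and `token: "supersecretapitoken"`, and `outposts.ldap.token` defaults to `"test"`; `_secret.tpl` turns these into AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN and the ldap outpost's AUTHENTIK_TOKEN, so an install that keeps the defaults ends up with an admin password and API token whose values are public in this repository (the removed `secretEnv` block had the same defaults, but the restructuring is the moment to drop them). Because the template already wraps each of these in `with`, empty defaults (`password: ""`, `token: ""`) would simply omit the keys, leaving questions.yaml (not in view here) to require real values from the user. A comment above `credentials:` such as `# Bootstrap admin credentials; leave empty to skip bootstrapping, never keep the sample values` would document the intent either way.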