From f07098cdfbd6d1596efbb2f688202cb4740acb93 Mon Sep 17 00:00:00 2001 
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Date: Sat, 17 Jun 2023 19:12:45 +0300 Subject: [PATCH] chore(authentik): test outposts on CI (#9721) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** ⚒️ Fixes # **⚙️ Type of change** - [ ] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** **📃 Notes:** **✔️ Checklist:** - [ ] ⚖️ My code follows the style guidelines of this project - [ ] 👀 I have performed a self-review of my own code - [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [ ] ⚠️ My changes generate no new warnings - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [ ] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. 
Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --- .github/scripts/tc-lint.sh | 26 ++++++++++++++----- charts/incubator/authentik/Chart.yaml | 2 +- .../authentik/ci/outposts-values.yaml | 18 +++++++++++++ charts/incubator/authentik/questions.yaml | 11 ++++++++ .../incubator/authentik/templates/_config.tpl | 5 ++-- .../incubator/authentik/templates/_secret.tpl | 6 ++++- .../authentik/templates/_waitAuthentik.tpl | 20 ++++++++++++++ .../incubator/authentik/templates/common.yaml | 12 +++++++++ charts/incubator/authentik/values.yaml | 22 ++++++++++++++-- 9 files changed, 110 insertions(+), 12 deletions(-) create mode 100644 charts/incubator/authentik/ci/outposts-values.yaml create mode 100644 charts/incubator/authentik/templates/_waitAuthentik.tpl diff --git a/.github/scripts/tc-lint.sh b/.github/scripts/tc-lint.sh index 5c5e58a51e4..86fefffabbe 100755 --- a/.github/scripts/tc-lint.sh +++ b/.github/scripts/tc-lint.sh @@ -42,7 +42,9 @@ function check_chart_schema(){ yamale_output=$(yamale --schema .github/chart_schema.yaml "$chart_path/Chart.yaml") yamale_exit_code=$? while IFS= read -r line; do - echo -e "\t$line" + if [[ -n $line ]]; then + echo -e "\t$line" + fi done <<< "$yamale_output" if [ $yamale_exit_code -ne 0 ]; then @@ -61,7 +63,9 @@ function helm_lint(){ helm_lint_output=$(helm lint --quiet "$chart_path") helm_lint_exit_code=$? while IFS= read -r line; do - echo -e "\t$line" + if [[ -n $line ]]; then + echo -e "\t$line" + fi done <<< "$helm_lint_output" if [ $helm_lint_exit_code -ne 0 ]; then 
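Review bot: The empty-line filter added around `echo -e "\t$line"` in this hunk is the same three lines pasted again in the `helm_lint`, `helm_template` and `yaml_lint` hunks, so a later tweak to the indented output has to be made four times. A small helper that takes the captured output and does the filtered, indented print would let each call site become `print_indented "$yamale_output"`. check_chart_schema begins before this hunk and continues after it, so the replacement is sketched below rather than quoted in place.
```shell
# Print each non-empty line of $1 indented by one tab.
function print_indented(){
    local line
    while IFS= read -r line; do
        if [[ -n $line ]]; then
            echo -e "\t$line"
        fi
    done <<< "${1:-}"
}
# … unchanged: check_chart_schema up to the yamale call …
    print_indented "$yamale_output"
```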
@@ -75,12 +79,19 @@ export -f helm_lint function helm_template(){ chart_path=${1:?"No chart path provided to [Helm template]"} + values=${2:-} + + if [[ -n "$values" ]]; then + values="-f $values" + fi # Print only errors and warnings - helm_template_output=$(helm template "$chart_path" 2>&1 >/dev/null) + helm_template_output=$(helm template $values "$chart_path" 2>&1 >/dev/null) helm_template_exit_code=$? while IFS= read -r line; do - echo -e "\t$line" + if [[ -n $line ]]; then + echo -e "\t$line" + fi done <<< "$helm_template_output" if [ $helm_template_exit_code -ne 0 ]; then @@ -98,7 +109,9 @@ function yaml_lint(){ yaml_lint_output=$(yamllint --config-file .github/yaml-lint-conf.yaml "$file_path") yaml_lint_exit_code=$? while IFS= read -r line; do - echo -e "\t$line" + if [[ -n $line ]]; then + echo -e "\t$line" + fi done <<< "$yaml_lint_output" if [ $yaml_lint_exit_code -ne 0 ]; then @@ -132,7 +145,7 @@ function lint_chart(){ for values in $chart_path/ci/*values.yaml; do if [ -f "${values}" ]; then echo "👣 Helm Template - [$values]" - helm_template "$chart_path" -f "$values" + helm_template "$chart_path" "$values" fi done @@ -168,6 +181,7 @@ function lint_chart(){ echo '' } > "$curr_result_file" cat "$curr_result_file" + # $curr_result starts with 0, and it gets set to 1 only when a linting step fails echo $curr_result >> "$status_file" } export -f lint_chart diff --git a/charts/incubator/authentik/Chart.yaml b/charts/incubator/authentik/Chart.yaml index b5722aaf250..91a2d832954 100644 --- a/charts/incubator/authentik/Chart.yaml +++ b/charts/incubator/authentik/Chart.yaml @@ -23,7 +23,7 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik - https://github.com/goauthentik/authentik - https://goauthentik.io/docs/ -version: 13.0.3 +version: 13.0.4 annotations: truecharts.org/catagories: | - authentication 
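Review bot: In `helm_template`, `values="-f $values"` followed by the unquoted `$values` in `helm template $values "$chart_path"` depends on word splitting, so a values path containing a space or a glob character is split or expanded the wrong way, and the `-f` pass-through bug this hunk fixes comes back in another form. `values` is also assigned without `local`, so it overwrites the `values` loop variable the caller `lint_chart` uses (visible in the `@@ -132` hunk); harmless today because the glob list is expanded once, but easy to trip over. An array keeps the quoting right and `local` keeps the name inside the function. If the script runs under `set -u` on bash older than 4.4, the empty-array expansion needs the `${values_args[@]+"${values_args[@]}"}` form instead. helm_template continues past the end of this hunk.
```shell
function helm_template(){
    chart_path=${1:?"No chart path provided to [Helm template]"}
    local values_args=()
    if [[ -n "${2:-}" ]]; then
        values_args=(-f "$2")
    fi

    # Print only errors and warnings
    helm_template_output=$(helm template "${values_args[@]}" "$chart_path" 2>&1 >/dev/null)
    # … unchanged: exit-code capture and output loop …
```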
diff --git a/charts/incubator/authentik/ci/outposts-values.yaml b/charts/incubator/authentik/ci/outposts-values.yaml new file mode 100644 index 00000000000..d62f8b4c083 --- /dev/null +++ b/charts/incubator/authentik/ci/outposts-values.yaml @@ -0,0 +1,18 @@ +authentik: + credentials: + bootstrapToken: some_super_secret_token + outposts: + disableEmbeddedOutpost: true + proxy: + enabled: true + token: some_super_secret_token + radius: + # Can't enable it before creating a + # provider in the GUI + enabled: false + token: some_super_secret_token + ldap: + # Can't enable it before creating a + # provider in the GUI + enabled: false + token: some_super_secret_token diff --git a/charts/incubator/authentik/questions.yaml b/charts/incubator/authentik/questions.yaml index f7ad5614e42..d54793b89a1 100644 --- a/charts/incubator/authentik/questions.yaml +++ b/charts/incubator/authentik/questions.yaml @@ -45,6 +45,17 @@ questions: required: true immutable: true default: "" + - variable: bootstrapToken + label: (Optional) Bootstrap Token + description: | + Set the bootstrap token for the authentik server.
+ Only read on initial install, changing this will have no effect.
+ Only set this token if you plan to use the API right after installation. + schema: + type: string + private: true + immutable: true + default: "" - variable: general label: General schema: diff --git a/charts/incubator/authentik/templates/_config.tpl b/charts/incubator/authentik/templates/_config.tpl index e5b6038f201..849f7e2c8b5 100644 --- a/charts/incubator/authentik/templates/_config.tpl +++ b/charts/incubator/authentik/templates/_config.tpl @@ -41,7 +41,7 @@ server-worker: {{- end -}} {{- with .Values.authentik.email.timeout }} AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }} - {{- end -}} + {{- end }} {{/* LDAP */}} AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS: {{ .Values.authentik.ldap.taskTimeoutHours | quote }} @@ -64,7 +64,7 @@ server-worker: {{- end -}} {{- with .Values.authentik.general.footerLinks }} AUTHENTIK_FOOTER_LINKS: {{ toJson . | squote }} - {{- end -}} + {{- end }} {{/* General */}} AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disableUpdateCheck | quote }} @@ -121,4 +121,5 @@ geoip: GEOIPUPDATE_EDITION_IDS: {{ .Values.authentik.geoip.editionID }} GEOIPUPDATE_FREQUENCY: {{ .Values.authentik.geoip.frequency | quote }} {{- end -}} + {{- end -}} diff --git a/charts/incubator/authentik/templates/_secret.tpl b/charts/incubator/authentik/templates/_secret.tpl index 7d9f3f9a9ef..7104932c349 100644 --- a/charts/incubator/authentik/templates/_secret.tpl +++ b/charts/incubator/authentik/templates/_secret.tpl @@ -22,6 +22,9 @@ server-worker: {{/* Initial credentials */}} AUTHENTIK_BOOTSTRAP_EMAIL: {{ .Values.authentik.credentials.email | quote }} AUTHENTIK_BOOTSTRAP_PASSWORD: {{ .Values.authentik.credentials.password | quote }} + {{- with .Values.authentik.credentials.bootstrapToken }} + AUTHENTIK_BOOTSTRAP_TOKEN: {{ . }} + {{- end }} {{/* Mail */}} {{- with .Values.authentik.email.host }} 
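Review bot: `AUTHENTIK_BOOTSTRAP_TOKEN: {{ . }}` renders the token unquoted, while the `AUTHENTIK_BOOTSTRAP_EMAIL` and `AUTHENTIK_BOOTSTRAP_PASSWORD` lines just above pipe their values through `quote`. A token that happens to look like a number or boolean is retyped by the YAML parser, and one containing `: ` or ` #` breaks the rendered secret, so the line should be `AUTHENTIK_BOOTSTRAP_TOKEN: {{ . | quote }}`. The `with` guard already keeps the key out of the secret when the value is the empty default, which is the right place for that check.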
@@ -35,7 +38,7 @@ server-worker: {{- end -}} {{- with .Values.authentik.email.from }} AUTHENTIK_EMAIL__FROM: {{ . }} - {{- end }} + {{- end -}} {{- if .Values.authentik.geoip.enabled }} geoip: @@ -67,4 +70,5 @@ ldap: data: AUTHENTIK_TOKEN: {{ .Values.authentik.outposts.ldap.token | quote }} {{- end -}} + {{- end -}} diff --git a/charts/incubator/authentik/templates/_waitAuthentik.tpl b/charts/incubator/authentik/templates/_waitAuthentik.tpl new file mode 100644 index 00000000000..b2421746cef --- /dev/null +++ b/charts/incubator/authentik/templates/_waitAuthentik.tpl @@ -0,0 +1,20 @@ +{{- define "authentik.wait.server" -}} +{{- $fullname := (include "tc.v1.common.lib.chart.names.fullname" $) -}} +{{- $serverUrl := printf "https://%v:%v/-/health/ready/" $fullname .Values.service.main.ports.main.port }} +enabled: true +type: init +imageSelector: alpineImage +command: /bin/sh +args: + - -c + - | + echo "Waiting Authentik Server [{{ $serverUrl }}] to be ready..." + until wget --no-check-certificate --spider --quiet "{{ $serverUrl }}"; + do + echo "Waiting Authentik Server [{{ $serverUrl }}] to be ready..." + sleep 3 + done + + echo "Authentik [{{ $serverUrl }}] is ready..." + echo "Starting Outpost..." +{{- end -}} diff --git a/charts/incubator/authentik/templates/common.yaml b/charts/incubator/authentik/templates/common.yaml index d0f9eaacf5b..9f1b6424035 100644 --- a/charts/incubator/authentik/templates/common.yaml +++ b/charts/incubator/authentik/templates/common.yaml 
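Review bot: The `until wget …` loop in `authentik.wait.server` has no upper bound, so if the server never becomes ready the outpost pod sits in Init forever with nothing but a repeating log line, and no failure is ever reported on the pod. Bounding the attempts and exiting non-zero after the limit turns that into a visible init-container failure and restart, which is what the pod status surfaces. `--no-check-certificate` is presumably there because the server port is HTTPS with a chart-generated certificate; since the probe only spiders the health endpoint and sends no credentials the exposure is small, but if the server also exposes a plain-HTTP port that would be the cleaner target and the flag could go. The rewritten script body is below; the surrounding `define` and the trailing ready/start messages are unchanged.
```yaml
args:
  - -c
  - |
    attempts=0
    until wget --no-check-certificate --spider --quiet "{{ $serverUrl }}";
    do
      attempts=$((attempts + 1))
      if [ "$attempts" -ge 100 ]; then
        echo "Authentik Server [{{ $serverUrl }}] not ready after $attempts attempts, giving up"
        exit 1
      fi
      echo "Waiting Authentik Server [{{ $serverUrl }}] to be ready..."
      sleep 3
    done
    # … unchanged: "is ready" and "Starting Outpost" messages …
```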
@@ -25,6 +25,10 @@ {{- if .Values.authentik.outposts.proxy.enabled -}} {{- $_ := set .Values.workload.proxy "enabled" true -}} + {{- if not .Values.workload.proxy.podSpec.initContainers -}} + {{- $_ := set .Values.workload.proxy.podSpec "initContainers" dict -}} + {{- end -}} + {{- $_ := set .Values.workload.proxy.podSpec.initContainers "wait-server" (include "authentik.wait.server" . | fromYaml) -}} {{- $_ := set .Values.service.proxy "enabled" true -}} {{- $_ := set .Values.service.proxymetrics "enabled" true -}} {{- $_ := set .Values.metrics.proxymetrics "enabled" true -}} @@ -37,6 +41,10 @@ {{- if .Values.authentik.outposts.radius.enabled -}} {{- $_ := set .Values.workload.radius "enabled" true -}} + {{- if not .Values.workload.radius.podSpec.initContainers -}} + {{- $_ := set .Values.workload.radius.podSpec "initContainers" dict -}} + {{- end -}} + {{- $_ := set .Values.workload.radius.podSpec.initContainers "wait-server" (include "authentik.wait.server" . | fromYaml) -}} {{- $_ := set .Values.service.radius "enabled" true -}} {{- $_ := set .Values.service.radiusmetrics "enabled" true -}} {{- $_ := set .Values.metrics.radiusmetrics "enabled" true -}} @@ -49,6 +57,10 @@ {{- if .Values.authentik.outposts.ldap.enabled -}} {{- $_ := set .Values.workload.ldap "enabled" true -}} + {{- if not .Values.workload.ldap.podSpec.initContainers -}} + {{- $_ := set .Values.workload.ldap.podSpec "initContainers" dict -}} + {{- end -}} + {{- $_ := set .Values.workload.ldap.podSpec.initContainers "wait-server" (include "authentik.wait.server" . | fromYaml) -}} {{- $_ := set .Values.service.ldap "enabled" true -}} {{- $_ := set .Values.service.ldaps "enabled" true -}} {{- $_ := set .Values.service.ldapmetrics "enabled" true -}} diff --git a/charts/incubator/authentik/values.yaml b/charts/incubator/authentik/values.yaml index cee9a523941..727e4648433 100644 --- a/charts/incubator/authentik/values.yaml +++ b/charts/incubator/authentik/values.yaml 
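Review bot: The four added lines here are repeated byte-for-byte, apart from the workload name, in the `@@ -37` and `@@ -49` hunks, so the init-container wiring for proxy, radius and ldap should come from one named helper instead of three copies; the per-outpost service toggles that follow can stay as they are. The `if not .Values.workload.proxy.podSpec.initContainers` guard also assumes `workload.proxy.podSpec` itself exists in values — presumably it does, but a nil `podSpec` would fail the render with a nil-pointer error rather than being created, so a `hasKey` check or a `dict` default on `podSpec` first would make the guard complete. As far as I recall, `fromYaml` on text that does not parse returns a map carrying an `Error` key instead of failing the render, so a broken `authentik.wait.server` would be installed as a malformed init container; a `fail` when the included result has that key would catch it at template time.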
@@ -15,7 +15,7 @@ ldapImage: radiusImage: repository: tccr.io/truecharts/authentik-radius - tag: v2023.5.3@sha256:d46f4dbc727d5d6f6c91df0f6a2bf98d2c941de908fdc15193552413331e375b + tag: v2023.5.3@sha256:824415af5e7efa090d716d38b944df3a758df08a78f2dce5a77fd0f12ee41c5c pullPolicy: IfNotPresent proxyImage: @@ -28,6 +28,8 @@ authentik: # Only works on initial install email: my-mail@example.com password: my-password + # Optional, only set if you want to use it + bootstrapToken: "" general: disableUpdateCheck: false disableStartupAnalytics: true @@ -328,36 +330,47 @@ service: port: 10230 # Proxy proxy: + enabled: true + targetSelector: proxy ports: http: + enabled: true protocol: http port: 10227 + targetSelector: proxy https: enabled: true protocol: https port: 10228 + targetSelector: proxy # Radius radius: enabled: true + targetSelector: radius ports: radius: enabled: true protocol: udp + targetSelector: radius port: 1812 # LDAP ldap: enabled: true + targetSelector: ldap ports: ldap: enabled: true port: 389 + targetSelector: ldap # LDAPS ldaps: enabled: true + targetSelector: ldap ports: ldaps: enabled: true port: 636 + targetSelector: ldap # Server Metrics servermetrics: enabled: true @@ -371,30 +384,35 @@ service: radiusmetrics: enabled: true type: ClusterIP + targetSelector: radius ports: radiusmetrics: enabled: true protocol: http port: 10232 + targetSelector: radius # LDAP Metrics ldapmetrics: enabled: true type: ClusterIP + targetSelector: ldap ports: ldapmetrics: enabled: true protocol: http port: 10233 + targetSelector: ldap # Proxy Metrics proxymetrics: enabled: true type: ClusterIP + targetSelector: proxy ports: proxymetrics: enabled: true protocol: http port: 10234 - + targetSelector: proxy persistence: media: enabled: true
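Review bot: The radius image digest changes from `…331e375b` to `…2ee41c5c` while the tag stays `v2023.5.3`, and neither the commit message nor a comment says where the new digest came from. For a pinned image the digest is the whole point, so a reviewer has to take the new value on trust; a one-line comment above the tag such as `# digest updated to the rebuilt tccr.io/truecharts/authentik-radius v2023.5.3 image` (or the mirror build reference, if there is one) would leave a trail the next reader can verify. This is a documentation request only; the value itself may well be right.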
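Review bot: The comment on the new `bootstrapToken` value, `# Optional, only set if you want to use it`, says less than the `questions.yaml` hunk in the same commit, which tells the user the token is only read on the initial install and is meant for API use right after installation. The values file is what people read when they write overrides, so it should carry the same facts: `# Optional API bootstrap token. Only read on the initial install; changing it later has no effect. Keep it out of committed values files.` The last sentence matters because the value ends up in the `AUTHENTIK_BOOTSTRAP_TOKEN` secret entry added in `_secret.tpl`.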