fix(frigate) map container ports for rtsp and webrtc services (#9598)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [x] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [x] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [x] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [x] ⬆️ I increased versions for any altered app according to semantic
versioning

**➕ App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

.github/scripts/build-catalog.sh

@@ -75,6 +75,21 @@ patch_apps() {
     sed -i "s|^icon:|icon_url:|g" catalog/${train}/${chartname}/item.yaml
     echo "categories:" >> catalog/${train}/${chartname}/item.yaml
     cat ${target}/Chart.yaml | yq '.annotations."truecharts.org/catagories"' -r >> catalog/${train}/${chartname}/item.yaml
+
+    # Generate screenshots
+    screenshots=""
+    if [[ -d "${target}/screenshots" ]]; then
+        screenshots=$(ls ${target}/screenshots)
+    fi
+    if [[ -n $screenshots ]]; then
+        echo "screenshots:" >> catalog/${train}/${chartname}/item.yaml
+        for screenshot in $screenshots; do
+            echo "  - https://truecharts.org/img/hotlink-ok/chart-screenshots/${chartname}/${screenshot}" >> catalog/${train}/${chartname}/item.yaml
+        done
+    else
+        echo "screenshots: []" >> catalog/${train}/${chartname}/item.yaml
+    fi
+    rm -rf ${target}/screenshots
     # Copy changelog from website
     if [[ ! -f "website/docs/charts/${train}/${chartname}/CHANGELOG.md" ]]; then
         touch "website/docs/charts/${train}/${chartname}/CHANGELOG.md"

.github/workflows/charts-release.yaml

@@ -184,6 +184,7 @@ jobs:
                 mkdir -p website/docs/charts/${train}/${chart} || echo "chart path already exists, continuing..."
                 yes | cp -rf charts/${train}/${chart}/docs/* website/docs/charts/${train}/${chart}/ 2>/dev/null || :
                 yes | cp -rf charts/${train}/${chart}/icon.png website/static/img/hotlink-ok/chart-icons/${chart}.png 2>/dev/null || :
+                yes | cp -rf charts/${train}/${chart}/screenshots/* website/static/img/hotlink-ok/chart-screenshots/${chart}/ 2>/dev/null || :
 
                 # Copy over kept documents
                 mv -f tmp/website/docs/charts/${train}/${chart}/CHANGELOG.md website/docs/charts/${train}/${chart}/CHANGELOG.md 2>/dev/null || :

.github/workflows/renovate.yml

@@ -12,7 +12,7 @@ jobs:
         with:
           token: ${{ secrets.BOT_TOKEN }}
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@5aa4bc2e097e751b391105d89ff88c0c80519c1a # v38.1.3
+        uses: renovatebot/github-action@13d5bade1b209427c72a08dee34b078ddc99eeec # v38.1.6
         with:
           configurationFile: .github/renovate-config.js
           token: ${{ secrets.BOT_TOKEN }}

charts/dependency/clickhouse/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "23.4.2.11"
+appVersion: "23.5.2.7"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP).
 home: https://truecharts.org/charts/dependency/clickhouse
@@ -22,7 +22,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/clickhouse
   - https://clickhouse.com/
 type: application
-version: 5.0.41
+version: 5.0.45
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/clickhouse/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/clickhouse
   pullPolicy: IfNotPresent
-  tag: v23.4.2.11@sha256:c12f70ed3f189415fac14cb4e1cb861575817fe6d1e385dc88024341eca10cca
+  tag: v23.5.2.7@sha256:cd180068694c4ebe006381524d917e27b4d579d8e77c601822c2bb57f24dfbf3
 
 workload:
   main:

charts/dependency/kube-state-metrics/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "2.9.2"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
 home: https://truecharts.org/charts/dependency/kube-state-metrics
@@ -21,7 +21,7 @@ name: kube-state-metrics
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/kube-state-metrics
 type: application
-version: 1.0.20
+version: 1.0.24
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/dependency/kube-state-metrics/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/kube-state-metrics
   pullPolicy: IfNotPresent
-  tag: v2.9.2@sha256:3ec0f0765cae3d8635edad876f3bca1315ea2d69c2ae5cbee9f46c881c85acf5
+  tag: v2.9.2@sha256:91d689139071b2f2232480fd1ac08f9265eb0d57645193bfc2fdc0c2c5c595cd
 
 service:
   main:

charts/dependency/mariadb/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "10.11.4"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Fast, reliable, scalable, and easy to use open-source relational database system.
 home: https://truecharts.org/charts/dependency/mariadb
@@ -25,7 +25,7 @@ sources:
   - https://github.com/prometheus/mysqld_exporter
   - https://mariadb.org
 type: application
-version: 7.0.50
+version: 7.0.54
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/mariadb/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/mariadb
   pullPolicy: IfNotPresent
-  tag: v10.11.4@sha256:c36949f30cb56ed38498d794a0a4fb34d58dcf6c45aa9107f292ab9f1df1c54c
+  tag: v10.11.4@sha256:3cc546822b0f42d530cd7167b01c76e1877434e2e2fe960d03b659fe272b94f7
 
 workload:
   main:

charts/dependency/memcached/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "1.6.20"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Memcached is a memory-backed database caching solution
 home: https://truecharts.org/charts/dependency/memcached
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-memcached
   - http://memcached.org/
 type: application
-version: 6.0.59
+version: 6.0.63
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/memcached/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/memcached
   pullPolicy: IfNotPresent
-  tag: v1.6.20@sha256:ed57e787e5b280440220cd8246d87901dbfd436fa61cb63b640cfd4387e8a07c
+  tag: v1.6.20@sha256:595939f109280c88c8344eddf52b34ad77f7c33432850ac333f1f47a652819fa
 
 service:
   main:

charts/dependency/mongodb/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "6.0.6"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Fast, reliable, scalable, and easy to use open-source no-sql database system.
 home: https://truecharts.org/charts/dependency/mongodb
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-mongodb
   - https://www.mongodb.com
 type: application
-version: 6.0.48
+version: 6.0.52
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/mongodb/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/mongodb
   pullPolicy: IfNotPresent
-  tag: v6.0.6@sha256:757f91b38a37e3a33710d3c77015eae68762fd890cb675d84c9b86668790f462
+  tag: v6.0.6@sha256:a20fb1417a21d8ea1f4bf9d5896b4c2d69ac71b951884378666c77ec47b21ea8
 
 workload:
   main:

charts/dependency/node-exporter/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "1.6.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Prometheus exporter for hardware and OS metrics exposed by UNIX kernels, with pluggable metric collectors.
 home: https://truecharts.org/charts/dependency/node-exporter
@@ -21,7 +21,7 @@ name: node-exporter
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/node-exporter
 type: application
-version: 1.0.22
+version: 1.0.25
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/dependency/node-exporter/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/node-exporter
   pullPolicy: IfNotPresent
-  tag: v1.6.0@sha256:c286e5dab7f852d1464a01122c3bbd7c48149ecdec188499aea579aef379238b
+  tag: v1.6.0@sha256:e8cabac8bb12fde761d351e840acce99da0d70cf7509e69bd3125ccfd003d23f
 
 service:
   main:

charts/dependency/redis/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "7.0.11"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Open source, advanced key-value store.
 home: https://truecharts.org/charts/dependency/redis
@@ -23,7 +23,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-redis
   - http://redis.io/
 type: application
-version: 6.0.58
+version: 6.0.60
 annotations:
   truecharts.org/catagories: |
     - database

charts/dependency/solr/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: "9.2.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.1
+    version: 12.14.3
 deprecated: false
 description: Apache Solr
 home: https://truecharts.org/charts/dependency/solr
@@ -22,7 +22,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/dependency/solr
   - https://github.com/apache/solr
 type: application
-version: 4.0.48
+version: 4.0.52
 annotations:
   truecharts.org/catagories: |
     - search

charts/dependency/solr/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/solr
   pullPolicy: IfNotPresent
-  tag: v9.2.1@sha256:04c6f6e9d7c3fcecf1a5c17ca6899223e5880370bd660c1321e11bf72d892bdd
+  tag: v9.2.1@sha256:ffec4ef46e03e43dc44b3197eb9b3063017c89428d63e16196ce35b9f105238f
 
 workload:
   main:

charts/enterprise/authelia/docs/Setup-Guide.md

@@ -97,6 +97,13 @@ Leave the default `one_factor` unless you've setup TOTP above. Then click `Add`
   - `Remote-Name`
   - `Remote-Email`
 
+### Adding the forwardauth to your Apps
+
+The last step is adding the `forwardauth` along with the standard `ingress` settings for your app, for more info on setting ingress see the [ClusterIssuer Guide](https://truecharts.org/charts/enterprise/clusterissuer/how-to). What changes versus a standard setup is the `Traefik Middlewares` section, where you must add your `forwardauth` to the section.
+
+- In this example we use the same name as above, or `auth`. Click `Add` to the `Traefik Middlewares` section, and enter your `forwardauth` name.
+
+![TraefikForwardAuthMiddleware](img/TraefikForwardAuthMiddleware.png)
 ### References
 
 The origin material for this guide is available on the [LLDAP Github](https://github.com/lldap/lldap). While further information on Authelia can be found on their [Github](https://github.com/authelia/authelia) and [website](https://www.authelia.com/).

charts/enterprise/blocky/Chart.yaml

@@ -25,7 +25,7 @@ sources:
   - https://0xerr0r.github.io/blocky/
   - https://github.com/0xERR0R/blocky
   - https://github.com/Mozart409/blocky-frontend
-version: 5.0.42
+version: 5.0.43
 annotations:
   truecharts.org/catagories: |
     - network

charts/enterprise/blocky/docs/setup-guide.md

@@ -8,30 +8,30 @@ Blocky has multiple DNS entries configured by default these can be overridden to
 
 Blocky supports 3 methods for upstream DNS.
 
-UDP - Basic DNS  
-DoT - DNS over TLS  
-DoH - DNS over HTTPS  
+UDP - Basic DNS<br />
+DoT - DNS over TLS<br />
+DoH - DNS over HTTPS
 
 While UDP provides no security for DNS both DoT and DoH will encrypt DNS request. DoH has the added benefit of privacy since DNS traffic will appear as HTTPS traffic.
 
 ### UDP DNS Setup
 
-Google DNS: `8.8.8.8` `8.8.4.4`  
-Cloudflare DNS: `1.1.1.1` `1.0.0.1`  
+Google DNS: `8.8.8.8` `8.8.4.4`<br />
+Cloudflare DNS: `1.1.1.1` `1.0.0.1`
 
 ![blocky-udp-upstream-google](./img/blocky-udp-upstream-google.png)
 
 ### DoT DNS Setup
 
-Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `tcp-tls:dns.google:853`  
-Cloudflare DNS: `tcp-tls:1.1.1.1:853` `tcp-tls:1.0.0.1:853`  
+Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `tcp-tls:dns.google:853`<br />
+Cloudflare DNS: `tcp-tls:1.1.1.1:853` `tcp-tls:1.0.0.1:853`
 
 ![blocky-dot-upstream-google](./img/blocky-dot-upstream-google.png)
 
 ### DoH Upstream
 
-Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `https://dns.google/dns-query`  
-Cloudflare DNS: `https://1.1.1.1/dns-query` `https://1.0.0.1/dns-query`  
+Google DNS ([Bootstrap DNS Required](#bootstrap-dns)): `https://dns.google/dns-query`<br />
+Cloudflare DNS: `https://1.1.1.1/dns-query` `https://1.0.0.1/dns-query`
 
 ![blocky-doh-upstream-google](./img/blocky-doh-upstream-google.png)
 

charts/enterprise/blocky/values.yaml

@@ -325,7 +325,7 @@ metrics:
   main:
     # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
     # @default -- See values.yaml
-    enabled: true
+    enabled: false
     type: "servicemonitor"
     endpoints:
       - port: main

charts/enterprise/clusterissuer/docs/how-to.md

@@ -12,7 +12,7 @@ Search for clusterissuer in the `Apps` menu | `Available Applications` tab and c
 
 ## Cloudflare DNS-Provider
 
-You can setup multiple domains with a single `clusterissuer` app, all you have to do is either add the global API key (**not recommended**) or `Add` multiple `ACME Issuer` entries for each domain and create an API token for each at [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens).
+You can setup multiple domains with a single `clusterissuer` app, all you have to do is either add the global API key (**not recommended**) or `Add` multiple `ACME Issuer` entries for each domain and create an API token for each at [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens). The recommended settings for creating `API Tokens` for use with `clusterissuer` can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentation for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/).
 
 - Give the certificate a name (eg domain or "maincert", etc).
 - Select the correct provider, for example `Cloudflare`.

charts/enterprise/grafana/Chart.yaml

@@ -24,7 +24,7 @@ sources:
   - https://github.com/bitnami/bitnami-docker-grafana
   - https://grafana.com/
 type: application
-version: 7.0.50
+version: 7.0.52
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/enterprise/grafana/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/grafana
   pullPolicy: IfNotPresent
-  tag: v9.5.3@sha256:3f22fc64031f0a9e432ef397f8dd94173fd09c96777c5ba54fbe15ddce19e318
+  tag: v9.5.3@sha256:2bac661c01799a9d388b1f491c7b1f672bd578cad8b55e878207e0bbaa80103a
 manifestManager:
   enabled: true
 securityContext:

charts/enterprise/prometheus/Chart.yaml

@@ -29,7 +29,7 @@ sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
 type: application
-version: 9.0.21
+version: 9.0.22
 annotations:
   truecharts.org/catagories: |
     - metrics

charts/enterprise/prometheus/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/prometheus
-  tag: v2.44.0@sha256:e35ebfcbc50d3655030eb4162ab1a33438a5d2dbadac2dcb4bcc0d794a8dadf7
+  tag: v2.44.0@sha256:d081fc7046784558330e78ffad52cd441d286d4bb493f341a1bd6894b95f4dcd
 
 thanosImage:
   repository: tccr.io/truecharts/thanos

charts/enterprise/traefik/Chart.yaml

@@ -23,7 +23,7 @@ sources:
   - https://github.com/traefik/traefik-helm-chart
   - https://traefik.io/
 type: application
-version: 18.0.15
+version: 18.0.16
 annotations:
   truecharts.org/catagories: |
     - network

charts/enterprise/traefik/questions.yaml

@@ -293,6 +293,7 @@ questions:
                           - variable: tls
                             label: "websecure Entrypoints Configuration"
                             schema:
+                              additional_attrs: true
                               type: dict
                               hidden: true
                               attrs:

charts/enterprise/traefik/values.yaml

@@ -129,7 +129,7 @@ logs:
 
 metrics:
   main:
-    enabled: true
+    enabled: false
     type: servicemonitor
     endpoints:
       - port: metrics

charts/incubator/authentik/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "2023.4.1"
+appVersion: "2023.5.3"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -8,7 +8,7 @@ dependencies:
     name: redis
     repository: https://deps.truecharts.org
     version: 6.0.58
-description: authentik is an open-source Identity Provider focused on flexibility and versatility.
+description: Authentik is an open-source Identity Provider focused on flexibility and versatility.
 home: https://truecharts.org/charts/incubator/authentik
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
 keywords:
@@ -23,9 +23,8 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
   - https://github.com/goauthentik/authentik
   - https://goauthentik.io/docs/
-version: 12.0.2
+version: 13.0.0
 annotations:
   truecharts.org/catagories: |
     - authentication
   truecharts.org/SCALE-support: "true"
-  truecharts.org/grade: U

charts/incubator/authentik/docs/installation_notes.md

@@ -6,23 +6,5 @@ Default username: `akadmin`
 
 ## Outposts
 
-Enable each outpost by simple setting `enabled` to `true`.
-Scale users, just have to check the checkbox
-
-> You have to create an outpost in the GUI first.
-> And afterwards enable it.
-> Applications > Outposts
-
-### Host
-
-`host` should not need to be overridden. Defaults to `https://localhost:9443`
-
-### Host Browser
-
-`host_browser` by default is set to the first ingress host you set
-
-### Token
-
-`token` is only needed if you accidentally deleted the bootstrap token within the UI.
-
-> You can get one from Applications > Outposts > View Deployment Info
+You need to create an outpost in the GUI first.
+Generate a token and then enable it.

charts/incubator/authentik/questions.yaml

@@ -6,7 +6,6 @@ questions:
 # Include{global}
 # Include{workload}
 # Include{workloadDeployment}
-
 # Include{replicas1}
 # Include{podSpec}
 # Include{containerMain}
@@ -25,13 +24,26 @@ questions:
             additional_attrs: true
             type: dict
             attrs:
+              - variable: email
+                label: Email
+                description: |
+                  Set the default email address for the akadmin user.</br>
+                  Only read on initial install, changing this will have no effect.
+                schema:
+                  type: string
+                  required: true
+                  immutable: true
+                  default: ""
               - variable: password
-                label: Password (Initial install only)
-                description: Password for <akadmin> user. Can be used for any flow executor
+                label: Password
+                description: |
+                  Set the default password for the akadmin user.</br>
+                  Only read on initial install, changing this will have no effect.
                 schema:
                   type: string
                   private: true
                   required: true
+                  immutable: true
                   default: ""
         - variable: general
           label: General
@@ -39,42 +51,49 @@ questions:
             additional_attrs: true
             type: dict
             attrs:
-              - variable: disable_update_check
+              - variable: disableUpdateCheck
                 label: Disable Update Check
                 description: Disable the inbuilt update-checker
                 schema:
                   type: boolean
                   default: false
-              - variable: disable_startup_analytics
+              - variable: disableUpdateCheck
                 label: Disable Startup Analytics
                 description: Disable startup analytics
                 schema:
                   type: boolean
                   default: true
-              - variable: allow_user_name_change
-                label: Allow User Name Change
+              - variable: allowUserChangeName
+                label: Allow User Change Name
                 description: Enable the ability for users to change their Name
                 schema:
                   type: boolean
                   default: true
-              - variable: allow_user_mail_change
-                label: Allow User Mail Change
+              - variable: allowUserChangeEmail
+                label: Allow User Change Mail
                 description: Enable the ability for users to change their Email address
                 schema:
                   type: boolean
                   default: true
-              - variable: allow_user_username_change
-                label: Allow User Username Change
+              - variable: allowUserChangeUsername
+                label: Allow User Change Username
                 description: Enable the ability for users to change their Usernames
                 schema:
                   type: boolean
                   default: true
-              - variable: gdpr_compliance
+              - variable: gdprCompliance
                 label: GDPR Compliance
                 description: When enabled, all the events caused by a user will be deleted upon the user's deletion
                 schema:
                   type: boolean
                   default: true
+              - variable: tokenLength
+                label: Token Length
+                description: Configure the length of generated tokens
+                schema:
+                  type: int
+                  min: 60
+                  default: 128
               - variable: impersonation
                 label: Impersonation
                 description: Globally enable / disable impersonation
@@ -85,22 +104,49 @@ questions:
                 label: Avatars
                 description: Configure how authentik should show avatars for users
                 schema:
-                  type: string
-                  default: gravatar,initials
-              - variable: token_length
-                label: Token Length
-                description: Configure the length of generated tokens
-                schema:
-                  type: int
-                  default: 128
-              - variable: footer_links
+                  type: list
+                  default:
+                    - gravatar
+                    - initials
+                  items:
+                    - variable: avatar
+                      label: Avatar
+                      description: Avatar type
+                      schema:
+                        type: string
+                        default: ""
+                        required: true
+              - variable: footerLinks
                 label: Footer Links
                 description: This option configures the footer links on the flow executor pages
                 schema:
-                  type: string
-                  default: ""
-        - variable: mail
-          label: e-Mail
+                  type: list
+                  default:
+                    - name: Authentik
+                      href: https://goauthentik.io
+                  items:
+                    - variable: footerLink
+                      label: Footer Link
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: name
+                            label: Name
+                            description: Name of the link
+                            schema:
+                              type: string
+                              default: ""
+                              required: true
+                          - variable: href
+                            label: Href
+                            description: URL of the link
+                            schema:
+                              type: string
+                              default: ""
+                              required: true
+        - variable: email
+          label: Email
           schema:
             additional_attrs: true
             type: dict
@@ -116,16 +162,29 @@ questions:
                 description: Sets port of mail server
                 schema:
                   type: int
-                  default: 25
-              - variable: tls
+                  default: 587
+              - variable: username
+                label: Username
+                description: Sets username of mail server
+                schema:
+                  type: string
+                  default: ""
+              - variable: password
+                label: Password
+                description: Sets password of mail server
+                schema:
+                  type: string
+                  private: true
+                  default: ""
+              - variable: useTLS
                 label: Use TLS for authentication
-                description: Sets tls for mail server authentication
+                description: Sets TLS for mail server authentication
                 schema:
                   type: boolean
-                  default: false
-              - variable: ssl
+                  default: true
+              - variable: useSSL
                 label: Use SSL for authentication
-                description: Sets ssl for mail server authentication
+                description: Sets SSL for mail server authentication
                 schema:
                   type: boolean
                   default: false
@@ -135,51 +194,32 @@ questions:
                 schema:
                   type: int
                   default: 10
-              - variable: user
-                label: Username
-                description: Sets username of mail server
-                schema:
-                  type: string
-                  default: ""
-              - variable: pass
-                label: Password
-                description: Sets password of mail server
-                schema:
-                  type: string
-                  private: true
-                  default: ""
               - variable: from
                 label: From Address
                 description: Email address authentik will send from
                 schema:
                   type: string
                   default: ""
-        - variable: error_reporting
-          label: Error Reporting
+        - variable: ldap
+          label: LDAP
           schema:
             additional_attrs: true
             type: dict
             attrs:
-              - variable: enabled
-                label: Enable Reporting
-                description: Enables error reporting
+              - variable: tls_ciphers
+                label: TLS Ciphers
+                description: |
+                  Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources.</br>
+                  Setting applies to all sources
                 schema:
-                  type: boolean
-                  default: false
-                  show_subquestions_if:
-                  subquestions:
-                    - variable: send_pii
-                      label: Send Personal Data
-                      description: Whether or not to send personal data, like usernames
-                      schema:
-                        type: boolean
-                        default: false
-                    - variable: environment
-                      label: Environment
-                      description: Unique environment that is attached to your error reports, should be set to your email address for example.
-                      schema:
-                        type: string
-                        default: customer
+                  type: string
+                  default: "null"
+              - variable: taskTimeoutHours
+                label: Task Timeout Hours
+                description: Timeout in hours for LDAP synchronization tasks
+                schema:
+                  type: int
+                  default: 2
         - variable: logging
           label: Logging
           schema:
@@ -203,235 +243,142 @@ questions:
                       description: warning
                     - value: error
                       description: error
-        - variable: ldap
-          label: LDAP
-          schema:
-            additional_attrs: true
-            type: dict
-            attrs:
-              - variable: tls_ciphers
-                label: TLS Ciphers
-                description: Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources
-                schema:
-                  type: string
-                  default: "null"
-  - variable: outposts
-    group: App Configuration
-    label: Outpost Configuration
-    schema:
-      additional_attrs: true
-      type: dict
-      attrs:
-        - variable: ldap
-          label: LDAP
+        - variable: error_reporting
+          label: Error Reporting
           schema:
             additional_attrs: true
             type: dict
             attrs:
               - variable: enabled
-                label: Enable LDAP outpost
+                label: Enable Reporting
+                description: Enables error reporting
                 schema:
                   type: boolean
                   default: false
-                  show_subquestions_if: true
+                  show_subquestions_if:
                   subquestions:
-                    - variable: overrideHost
-                      label: Override Host
+                    - variable: sendPII
+                      label: Send Personal Data
+                      description: Whether or not to send personal data, like usernames
                       schema:
                         type: boolean
                         default: false
-                        show_subquestions_if: true
-                        subquestions:
-                          - variable: host
-                            label: Authentik Host
-                            description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
-                            schema:
-                              type: string
-                              # TODO: Make them required again once Scale stable supports nested subquestions
-                              # required: true
-                              default: ""
-                          - variable: insecure
-                            label: Insecure
-                            description: Check only if you accessing Authentik in an unsecure way
-                            schema:
-                              type: boolean
-                              default: false
-                    - variable: overrideToken
-                      label: Override Token
-                      description: Overrides the random generated token to provide your own
+                    - variable: environment
+                      label: Environment
+                      description: The environment tag associated with all data sent to Sentry
                       schema:
-                        type: boolean
-                        default: false
-                        show_subquestions_if: true
-                        subquestions:
-                        - variable: token
-                          label: API Token
-                          description: You can get this from Applications > Outposts > View Deployment Info
-                          schema:
-                            type: string
-                            private: true
-                            # TODO: Make them required again once Scale stable supports nested subquestions
-                            # required: true
-                            default: ""
-                    - variable: overrideBrowserHost
-                      label: Override Host Browser
-                      description: Overrides the Browser Host, by default the first ingress host is used
+                        type: string
+                        default: customer
+                    - variable: sentryDSN
+                      label: Sentry DSN
+                      description: Sets the DSN for the Sentry API endpoint.
                       schema:
-                        type: boolean
-                        default: false
-                        show_subquestions_if: true
-                        subquestions:
-                        - variable: host_browser
-                          label: Host Browser
-                          description: URL to use in the browser, when it differs from << host >>
-                          schema:
-                            type: string
-                            # TODO: Make them required again once Scale stable supports nested subquestions
-                            # required: true
-                            default: ""
-        - variable: proxy
-          label: Proxy
+                        type: string
+                        private: true
+                        default: ""
+        - variable: geoip
+          label: GeoIP
           schema:
             additional_attrs: true
             type: dict
             attrs:
               - variable: enabled
-                label: Enable Proxy outpost
+                label: Enabled
+                description: |
+                  Enables and configures the GeoIP container.</br>
+                  This will deploy the GeoIP container.
                 schema:
                   type: boolean
                   default: false
                   show_subquestions_if: true
                   subquestions:
-                    - variable: overrideHost
-                      label: Override Host
+                    - variable: editionID
+                      label: Edition ID
+                      description: |
+                        The edition ID of the database to download.</br>
+                        Only one seems to be supported by Authentik.
+                      schema:
+                        type: string
+                        default: GeoLite2-City
+                    - variable: frequency
+                      label: Frequency
+                      description: The number of hours between geoipupdate runs.
+                      schema:
+                        type: int
+                        min: 1
+                        default: 8
+                    - variable: accountID
+                      label: Account ID
+                      description: Your MaxMind account ID
+                      schema:
+                        type: string
+                        private: true
+                        required: true
+                        default: ""
+                    - variable: licenseKey
+                      label: License Key
+                      description: Your MaxMind license key
+                      schema:
+                        type: string
+                        private: true
+                        required: true
+                        default: ""
+        - variable: outposts
+          label: Outposts
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+              - variable: radius
+                label: Radius
+                schema:
+                  additional_attrs: true
+                  type: dict
+                  attrs:
+                    - variable: enabled
+                      label: Enabled
+                      description: |
+                        Enables and configures the Radius container.</br>
+                        This will deploy the Radius container.
                       schema:
                         type: boolean
                         default: false
                         show_subquestions_if: true
                         subquestions:
-                          - variable: host
-                            label: Authentik Host
-                            description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
+                          - variable: token
+                            label: Token
+                            description: |
+                              The token used to authenticate with the authentik server.
                             schema:
                               type: string
-                              # TODO: Make them required again once Scale stable supports nested subquestions
-                              # required: true
+                              private: true
+                              required: true
                               default: ""
-                          - variable: insecure
-                            label: Insecure
-                            description: Check only if you accessing Authentik in an unsecure way
+              - variable: ldap
+                label: LDAP
+                schema:
+                  additional_attrs: true
+                  type: dict
+                  attrs:
+                    - variable: enabled
+                      label: Enabled
+                      description: |
+                        Enables and configures the LDAP container.</br>
+                        This will deploy the LDAP container.
+                      schema:
+                        type: boolean
+                        default: false
+                        show_subquestions_if: true
+                        subquestions:
+                          - variable: token
+                            label: Token
+                            description: |
+                              The token used to authenticate with the authentik server.
                             schema:
-                              type: boolean
-                              default: false
-                    - variable: overrideToken
-                      label: Override Token
-                      description: Overrides the random generated token to provide your own
-                      schema:
-                        type: boolean
-                        default: false
-                        show_subquestions_if: true
-                        subquestions:
-                        - variable: token
-                          label: API Token
-                          description: You can get this from Applications > Outposts > View Deployment Info
-                          schema:
-                            type: string
-                            private: true
-                            # TODO: Make them required again once Scale stable supports nested subquestions
-                            # required: true
-                            default: ""
-                    - variable: overrideBrowserHost
-                      label: Override Host Browser
-                      description: Overrides the Browser Host, by default the first ingress host is used
-                      schema:
-                        type: boolean
-                        default: false
-                        show_subquestions_if: true
-                        subquestions:
-                        - variable: host_browser
-                          label: Host Browser
-                          description: URL to use in the browser, when it differs from << host >>
-                          schema:
-                            type: string
-                            # TODO: Make them required again once Scale stable supports nested subquestions
-                            # required: true
-                            default: ""
-  - variable: geoip
-    group: App Configuration
-    label: GeoIP Configuration
-    schema:
-      additional_attrs: true
-      type: dict
-      attrs:
-        - variable: enabled
-          label: Enable GeoIP Container
-          description: Enables GeoIP container
-          schema:
-            type: boolean
-            default: false
-            show_subquestions_if: true
-            subquestions:
-              - variable: account_id
-                label: Account ID
-                description: Your MaxMind account ID
-                schema:
-                  type: string
-                  private: true
-                  required: true
-                  default: ""
-              - variable: license_key
-                label: License Key
-                description: Your case-sensitive MaxMind license key
-                schema:
-                  type: string
-                  private: true
-                  required: true
-                  default: ""
-              - variable: edition_ids
-                label: Edition IDs
-                description: List of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes
-                schema:
-                  type: string
-                  required: true
-                  default: GeoLite2-City
-              - variable: frequency
-                label: Frequency
-                description: The number of hours between geoipupdate runs
-                schema:
-                  type: int
-                  min: 1
-                  default: 8
-              - variable: host_server
-                label: Host Server
-                description: The host name of the server to use
-                schema:
-                  type: string
-                  default: updates.maxmind.com
-              - variable: preserve_file_times
-                label: Preserve File Times
-                description: Whether to preserve modification times of files downloaded from the server
-                schema:
-                  type: boolean
-                  default: false
-              - variable: verbose
-                label: Verbose
-                description: Enable verbose mode. Prints out the steps that geoipupdate takes
-                schema:
-                  type: boolean
-                  default: false
-              - variable: proxy
-                label: Proxy
-                description: The proxy host name or IP address
-                schema:
-                  type: string
-                  default: ""
-              - variable: proxy_user_pass
-                label: Proxy Pass
-                description: The proxy user name and password, separated by a colon
-                schema:
-                  type: string
-                  private: true
-                  default: ""
+                              type: string
+                              private: true
+                              required: true
+                              default: ""
 # Include{containerConfig}
 # Include{podOptions}
 # Include{serviceRoot}
@@ -457,17 +404,17 @@ questions:
                               type: int
                               default: 10229
                               required: true
-        - variable: ldapldaps
-          label: LDAPS Service
-          description: The LDAPS service.
+        - variable: radius
+          label: RADIUS Service
+          description: The RADIUS service.
           schema:
             additional_attrs: true
             type: dict
             attrs:
 # Include{serviceSelectorLoadBalancer}
 # Include{serviceSelectorExtras}
-                    - variable: ldapldaps
-                      label: LDAPS Service Port Configuration
+                    - variable: radius
+                      label: RADIUS Service Port Configuration
                       schema:
                         additional_attrs: true
                         type: dict
@@ -477,18 +424,18 @@ questions:
                             description: This port exposes the container port on the service
                             schema:
                               type: int
-                              default: 636
+                              default: 1812
                               required: true
-        - variable: ldapldap
+        - variable: ldap
           label: LDAP Service
-          description: The LDAPS service.
+          description: The LDAP service.
           schema:
             additional_attrs: true
             type: dict
             attrs:
 # Include{serviceSelectorLoadBalancer}
 # Include{serviceSelectorExtras}
-                    - variable: ldapldap
+                    - variable: ldap
                       label: LDAP Service Port Configuration
                       schema:
                         additional_attrs: true
@@ -501,17 +448,17 @@ questions:
                               type: int
                               default: 389
                               required: true
-        - variable: proxyhttps
-          label: Proxy HTTPS Service
-          description: The Proxy HTTPS service.
+        - variable: ldaps
+          label: LDAPS Service
+          description: The LDAPS service.
           schema:
             additional_attrs: true
             type: dict
             attrs:
 # Include{serviceSelectorLoadBalancer}
 # Include{serviceSelectorExtras}
-                    - variable: proxyhttps
-                      label: Proxy HTTPS Service Port Configuration
+                    - variable: ldaps
+                      label: LDAPS Service Port Configuration
                       schema:
                         additional_attrs: true
                         type: dict
@@ -521,7 +468,7 @@ questions:
                             description: This port exposes the container port on the service
                             schema:
                               type: int
-                              default: 10233
+                              default: 636
                               required: true
 # Include{serviceExpertRoot}
 # Include{serviceExpert}
@@ -542,6 +489,14 @@ questions:
             additional_attrs: true
             type: dict
             attrs:
+# Include{persistenceBasic}
+        - variable: blueprints
+          label: App Blueprints Storage
+          description: Stores the Application Blueprints.
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
 # Include{persistenceBasic}
         - variable: certs
           label: App Certs Storage
@@ -570,29 +525,18 @@ questions:
 # Include{ingressDefault}
 # Include{ingressTLS}
 # Include{ingressTraefik}
-# Include{ingressAdvanced}
-        - variable: proxyhttps
-          label: Proxy HTTPS Ingress
-          schema:
-            additional_attrs: true
-            type: dict
-            attrs:
-# Include{ingressDefault}
-# Include{ingressTLS}
-# Include{ingressTraefik}
 # Include{ingressAdvanced}
 # Include{ingressList}
 # Include{securityContextRoot}
-
               - variable: runAsUser
-                label: "runAsUser"
-                description: "The UserID of the user running the application"
+                label: runAsUser
+                description: The UserID of the user running the application
                 schema:
                   type: int
                   default: 1000
               - variable: runAsGroup
-                label: "runAsGroup"
-                description: "The groupID of the user running the application"
+                label: runAsGroup
+                description: The groupID of the user running the application
                 schema:
                   type: int
                   default: 1000
@@ -600,12 +544,11 @@ questions:
 # Include{securityContextAdvanced}
 # Include{securityContextPod}
               - variable: fsGroup
-                label: "fsGroup"
-                description: "The group that should own ALL storage."
+                label: fsGroup
+                description: The group that should own ALL storage.
                 schema:
                   type: int
                   default: 568
-
 # Include{resources}
 # Include{metrics}
 # Include{prometheusRule}

charts/incubator/authentik/templates/_config.tpl

@@ -1,118 +1,109 @@
 {{/* Define the configmaps */}}
 {{- define "authentik.configmaps" -}}
 
-{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
+  {{- $fullname := include "tc.v1.common.lib.chart.names.fullname" $ -}}
+  {{- $host := .Values.chartContext.APPURL }}
+server:
+  enabled: true
+  data:
+    AUTHENTIK_LISTEN__HTTPS: {{ printf "0.0.0.0:%v" .Values.service.main.ports.main.port | quote }}
+    AUTHENTIK_LISTEN__HTTP: {{ printf "0.0.0.0:%v" .Values.service.http.ports.http.port | quote }}
+    AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.servermetrics.ports.servermetrics.port | quote }}
 
-{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
-{{- if .Values.ingress.main.enabled }}
-  {{ $first := (first .Values.ingress.main.hosts) }}
-  {{- if $first }}
-    {{ $host = printf "https://%s" $first.host }}
-  {{- end }}
-{{- end }}
-
-{{/* This configmap is loaded in both the main authentik container and worker */}}
-{{ $authServerWorkerConfigName }}:
+server-worker:
   enabled: true
   data:
     {{/* Dependencies */}}
-    AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
-    {{- with $redis := .Values.redisProvider }}
-    AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
-    {{- end }}
     AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
     AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
     AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
-    {{- with $cnpg := .Values.cnpgProvider }}
-    AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
-    {{- end }}
-    {{/* Mail */}}
-    {{- with .Values.authentik.mail.port }}
-    AUTHENTIK_EMAIL__PORT: {{ . | quote }}
-    {{- end }}
-    AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
-    AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
-    {{- with .Values.authentik.mail.timeout }}
-    AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
-    {{- end }}
-    {{/* Logging */}}
-    {{- with .Values.authentik.logging.log_level }}
-    AUTHENTIK_LOG_LEVEL: {{ . }}
-    {{- end }}
-    {{/* General */}}
-    AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
-    AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
-    {{- with .Values.authentik.general.avatars }}
-    AUTHENTIK_AVATARS: {{ . }}
-    {{- end }}
-    AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
-    AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
-    AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
-    AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
-    AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
-    AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
-    {{- with .Values.authentik.general.footer_links }}
-    AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
-    {{- end }}
-    {{/* Error Reporting */}}
-    AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
-    AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
-    {{- with .Values.authentik.error_reporting.environment }}
-    AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
-    {{- end }}
-    {{/* LDAP */}}
-    {{- with .Values.authentik.ldap.tls_ciphers }}
-    AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
-    {{- end }}
-    {{/* Outposts */}}
-    AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
+    AUTHENTIK_POSTGRESQL__PORT: "5432"
+    AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
+    AUTHENTIK_REDIS__PORT: "6379"
 
-{{/* This configmap is loaded in both the main authentik container and worker */}}
-{{ $authServerConfigName }}:
+    {{/* Outposts */}}
+    AUTHENTIK_OUTPOSTS__DISCOVER: "false"
+
+    {{/* GeoIP */}}
+    {{- $geoipPath := (printf "/geoip/%v.mmdb" .Values.authentik.geoip.editionID) -}}
+    {{- if not .Values.authentik.geoip.enabled -}}
+      {{- $geoipPath = "/tmp/non-existent-file" -}}
+    {{- end }}
+    AUTHENTIK_GEOIP: {{ $geoipPath }}
+
+    {{/* Mail */}}
+    AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.email.useTLS | quote }}
+    AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.email.useSSL | quote }}
+    {{- with .Values.authentik.email.port }}
+    AUTHENTIK_EMAIL__PORT: {{ . | quote }}
+    {{- end -}}
+    {{- with .Values.authentik.email.timeout }}
+    AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
+    {{- end -}}
+
+    {{/* LDAP */}}
+    AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS: {{ .Values.authentik.ldap.taskTimeoutHours | quote }}
+    AUTHENTIK_LDAP__TLS__CIPHERS: {{ .Values.authentik.ldap.tlsCiphers | quote }}
+
+    {{/* Logging */}}
+    AUTHENTIK_LOG_LEVEL: {{ .Values.authentik.logging.logLevel }}
+
+    {{/* Error Reporting */}}
+    AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.errorReporting.enabled | quote }}
+    AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.errorReporting.sendPII | quote }}
+    {{- with .Values.authentik.errorReporting.environment }}
+    AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . | quote }}
+    {{- end -}}
+    {{- with .Values.authentik.errorReporting.sentryDSN }}
+    AUTHENTIK_ERROR_REPORTING__SENTRY_DSN: {{ . | quote }}
+    {{- end -}}
+    {{- with .Values.authentik.general.avatars }}
+    AUTHENTIK_AVATARS: {{ join "," . }}
+    {{- end -}}
+    {{- with .Values.authentik.general.footerLinks }}
+    AUTHENTIK_FOOTER_LINKS: {{ toJson . | squote }}
+    {{- end -}}
+
+    {{/* General */}}
+    AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disableUpdateCheck | quote }}
+    AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disableStartupAnalytics | quote }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allowUserChangeName | quote }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allowUserChangeEmail | quote }}
+    AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allowUserChangeUsername | quote }}
+    AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdprCompliance | quote }}
+    AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.tokenLength | quote }}
+    AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
+
+{{- if .Values.authentik.outposts.radius.enabled }}
+radius:
   enabled: true
   data:
-    {{/* Listen */}}
-    AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
-    AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
-    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
-
-{{/* This configmap is loaded in the geoip container */}}
-{{ $geoipConfigName }}:
-  enabled: {{ .Values.geoip.enabled }}
-  data:
-    {{- with .Values.geoip.edition_ids }}
-    GEOIPUPDATE_EDITION_IDS: {{ . }}
-    {{- end }}
-    GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
-    {{- with .Values.geoip.host_server }}
-    GEOIPUPDATE_HOST: {{ . }}
-    {{- end }}
-    GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
-    GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
-
-{{/* This configmap is loaded in the ldap container */}}
-{{ $ldapConfigName }}:
-  enabled: {{ .Values.outposts.ldap.enabled }}
-  data:
-    AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
-    AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
-    AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
-    AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
-    AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
-    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
-
-{{/* This configmap is loaded in the proxy container */}}
-{{ $proxyConfigName }}:
-  enabled: {{ .Values.outposts.proxy.enabled }}
-  data:
-    AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
-    AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
-    AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
-    AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
-    AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
-    AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
+    AUTHENTIK_LISTEN__RADIUS: {{ printf "0.0.0.0:%v" .Values.service.radius.ports.radius.port | quote }}
+    AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.radiusmetrics.ports.radiusmetrics.port | quote }}
+    AUTHENTIK_HOST: {{ printf "https://%v:%v" $fullname .Values.service.main.ports.main.port }}
+    AUTHENTIK_INSECURE: "true"
+    # TODO: node ip or ingress host
+    AUTHENTIK_HOST_BROWSER: {{ $host }}
+{{- end -}}
+
+{{- if .Values.authentik.outposts.ldap.enabled }}
+ldap:
+  enabled: true
+  data:
+    AUTHENTIK_LISTEN__LDAP: {{ printf "0.0.0.0:%v" .Values.service.ldap.ports.ldap.port | quote }}
+    AUTHENTIK_LISTEN__LDAPS: {{ printf "0.0.0.0:%v" .Values.service.ldaps.ports.ldaps.port | quote }}
+    AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.ldapmetrics.ports.ldapmetrics.port | quote }}
+    AUTHENTIK_HOST: {{ printf "https://%v:%v" $fullname .Values.service.main.ports.main.port }}
+    AUTHENTIK_INSECURE: "true"
+    # TODO: node ip or ingress host
+    AUTHENTIK_HOST_BROWSER: {{ $host }}
+{{- end -}}
+
+{{- if .Values.authentik.geoip.enabled }}
+geoip:
+  enabled: true
+  data:
+    GEOIPUPDATE_EDITION_IDS: {{ .Values.authentik.geoip.editionID }}
+    GEOIPUPDATE_FREQUENCY: {{ .Values.authentik.geoip.frequency | quote }}
+{{- end -}}
 {{- end -}}

charts/incubator/authentik/templates/_geoip.tpl

@@ -1,23 +0,0 @@
-{{/* Define the geoip container */}}
-{{- define "authentik.geoip.container" -}}
-enabled: true
-primary: false
-imageSelector: geoipImage
-securityContext:
-  runAsUser: 0
-  runAsGroup: 0
-envFrom:
-  - secretRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
-  - configMapRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
-{{/* TODO: Add healthchecks */}}
-{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
-probes:
-  readiness:
-    enabled: false
-  liveness:
-    enabled: false
-  startup:
-    enabled: false
-{{- end -}}

charts/incubator/authentik/templates/_ldap.tpl

@@ -1,39 +0,0 @@
-{{/* Define the ldap container */}}
-{{- define "authentik.ldap.container" -}}
-enabled: true
-primary: false
-imageSelector: ldapImage
-securityContext:
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-envFrom:
-  - secretRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
-  - configMapRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
-ports:
-  - containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
-    name: ldapldaps
-  - containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
-    name: ldapldap
-{{- if .Values.metrics.enabled }}
-  - containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-    name: ldapmetrics
-{{- end }}
-probes:
-  readiness:
-    enabled: true
-    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-  liveness:
-    enabled: true
-    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-  startup:
-    enabled: true
-    type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
-{{- end -}}

charts/incubator/authentik/templates/_proxy.tpl

@@ -1,39 +0,0 @@
-{{/* Define the proxy container */}}
-{{- define "authentik.proxy.container" -}}
-enabled: true
-primary: false
-imageSelector: proxyImage
-securityContext:
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-envFrom:
-  - secretRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
-  - configMapRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
-ports:
-  - containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
-    name: proxyhttps
-  - containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
-    name: proxyhttp
-{{- if .Values.metrics.enabled }}
-  - containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-    name: proxymetrics
-{{- end }}
-probes:
-  readiness:
-    enabled: true
-    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-  liveness:
-    enabled: true
-    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-  startup:
-    enabled: true
-    type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
-    path: /outpost.goauthentik.io/ping
-    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
-{{- end -}}

charts/incubator/authentik/templates/_secret.tpl

@@ -1,81 +1,63 @@
 {{/* Define the secrets */}}
 {{- define "authentik.secrets" -}}
 
-{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
-{{- $token := randAlphaNum 128 }}
+  {{- $fullname := include "tc.v1.common.lib.chart.names.fullname" $ -}}
+  {{- $fetchname := printf "%v-server-worker" $fullname -}}
 
-{{/* This secret is loaded in both the main authentik container and worker */}}
-{{ $authentikSecretName }}:
+  {{- $secretKey := randAlphaNum 32 -}}
+  {{- with (lookup "v1" "Secret" .Release.Namespace $fetchname) -}}
+    {{ $secretKey = index .data "AUTHENTIK_SECRET_KEY" }}
+  {{- end }}
+
+server-worker:
   enabled: true
   data:
-    {{/* Secret Key */}}
-    {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
-    AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
-    {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
-    {{- else }}
-    AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
-    {{- end }}
-    AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
     {{/* Dependencies */}}
     AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
     AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
-    {{/* Credentials */}}
-    {{- with .Values.authentik.credentials.password }}
-    AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
-    {{- end }}
+
+    {{/* Secret Key */}}
+    AUTHENTIK_SECRET_KEY: {{ $secretKey }}
+
+    {{/* Initial credentials */}}
+    AUTHENTIK_BOOTSTRAP_EMAIL: {{ .Values.authentik.credentials.email | quote }}
+    AUTHENTIK_BOOTSTRAP_PASSWORD: {{ .Values.authentik.credentials.password | quote }}
+
     {{/* Mail */}}
-    {{- with .Values.authentik.mail.host }}
+    {{- with .Values.authentik.email.host }}
     AUTHENTIK_EMAIL__HOST: {{ . }}
-    {{- end }}
-    {{- with .Values.authentik.mail.user }}
+    {{- end -}}
+    {{- with .Values.authentik.email.user }}
     AUTHENTIK_EMAIL__USERNAME: {{ . }}
-    {{- end }}
-    {{- with .Values.authentik.mail.pass }}
+    {{- end -}}
+    {{- with .Values.authentik.email.pass }}
     AUTHENTIK_EMAIL__PASSWORD: {{ . }}
-    {{- end }}
-    {{- with .Values.authentik.mail.from }}
+    {{- end -}}
+    {{- with .Values.authentik.email.from }}
     AUTHENTIK_EMAIL__FROM: {{ . }}
     {{- end }}
 
-{{/* This secret is loaded in the geoip container */}}
-{{ $geoipSecretName }}:
-  enabled: {{ .Values.geoip.enabled }}
+{{- if .Values.authentik.geoip.enabled }}
+geoip:
+  enabled: true
   data:
-    {{/* Credentials */}}
-    {{- with .Values.geoip.account_id }}
-    GEOIPUPDATE_ACCOUNT_ID: {{ . }}
-    {{- end }}
-    {{- with .Values.geoip.license_key }}
-    GEOIPUPDATE_LICENSE_KEY: {{ . }}
-    {{- end }}
-    {{/* Proxy */}}
-    {{- with .Values.geoip.proxy }}
-    GEOIPUPDATE_PROXY: {{ . }}
-    {{- end }}
-    {{- with .Values.geoip.proxy_user_pass }}
-    GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
-    {{- end }}
+    GEOIPUPDATE_VERBOSE: "0"
+    GEOIPUPDATE_PRESERVE_FILE_TIMES: "1"
+    GEOIPUPDATE_ACCOUNT_ID: {{ .Values.authentik.geoip.accountID | quote }}
+    GEOIPUPDATE_LICENSE_KEY: {{ .Values.authentik.geoip.licenseKey | quote }}
+{{- end -}}
 
-{{/* This secret is loaded in the ldap container */}}
-{{ $ldapSecretName }}:
-  enabled: {{ .Values.outposts.ldap.enabled }}
+{{- if .Values.authentik.outposts.radius.enabled }}
+radius:
+  enabled: true
   data:
-    {{- with .Values.outposts.ldap.token }}
-    AUTHENTIK_TOKEN: {{ . }}
-    {{- else }}
-    AUTHENTIK_TOKEN: {{ $token }}
-    {{- end }}
+    AUTHENTIK_TOKEN: {{ .Values.authentik.outposts.radius.token | quote }}
+{{- end -}}
 
-{{/* This secret is loaded in the proxy container */}}
-{{ $proxySecretName }}:
-  enabled: {{ .Values.outposts.proxy.enabled }}
+{{- if .Values.authentik.outposts.ldap.enabled }}
+ldap:
+  enabled: true
   data:
-    {{- with .Values.outposts.proxy.token }}
-    AUTHENTIK_TOKEN: {{ . }}
-    {{- else }}
-    AUTHENTIK_TOKEN: {{ $token }}
-    {{- end }}
-{{- end }}
+    AUTHENTIK_TOKEN: {{ .Values.authentik.outposts.ldap.token | quote }}
+{{- end -}}
+{{- end -}}

charts/incubator/authentik/templates/_validation.tpl

@@ -0,0 +1,21 @@
+{{- define "authentik.validation" -}}
+  {{- range $outpost, $values := .Values.authentik.outposts -}}
+    {{- if and $values.enabled (not $values.token) -}}
+      {{- fail (printf "Authentik - Outpost [%v] is enabled, but [token] was not provided" ($outpost | upper)) -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if .Values.authentik.geoip.enabled -}}
+    {{- if not .Values.authentik.geoip.accountID -}}
+      {{- fail "Authentik - GeoIP is enabled but [accountID] was not provided" -}}
+    {{- end -}}
+
+    {{- if not .Values.authentik.geoip.licenseKey -}}
+      {{- fail "Authentik - GeoIP is enabled but [licenseKey] was not provided" -}}
+    {{- end -}}
+
+    {{- if contains " " .Values.authentik.geoip.editionID -}}
+      {{- fail "Authentik - GeoIP is enabled but [editionID] cannot contain spaces" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

charts/incubator/authentik/templates/_worker.tpl

@@ -1,31 +0,0 @@
-{{/* Define the worker container */}}
-{{- define "authentik.worker.container" -}}
-enabled: true
-primary: false
-imageSelector: image
-args: ["worker"]
-envFrom:
-  - secretRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
-  - configMapRef:
-      name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
-probes:
-  readiness:
-    enabled: true
-    type: exec
-    command:
-        - /lifecycle/ak
-        - healthcheck
-  liveness:
-    enabled: true
-    type: exec
-    command:
-        - /lifecycle/ak
-        - healthcheck
-  startup:
-    enabled: true
-    type: exec
-    command:
-        - /lifecycle/ak
-        - healthcheck
-{{- end -}}

charts/incubator/authentik/templates/common.yaml

@@ -1,46 +1,62 @@
 {{/* Make sure all variables are set properly */}}
 {{- include "tc.v1.common.loader.init" . }}
 
+{{- include "authentik.validation" $ -}}
+
 {{/* Render secrets for authentik and friends */}}
-{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
-{{- if $authentikSecrets -}}
-  {{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
+{{- $secrets := include "authentik.secrets" . | fromYaml -}}
+{{- if $secrets -}}
+  {{ $secrets := (mustMergeOverwrite .Values.secret $secrets) }}
   {{- $_ := set .Values "secret" $secrets -}}
 {{- end -}}
 
 {{/* Render configmaps for authentik and friends */}}
-{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
-{{- if $authentikConfigmaps -}}
-  {{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
+{{- $configmaps := include "authentik.configmaps" . | fromYaml -}}
+{{- if $configmaps -}}
+  {{ $configmaps := (mustMergeOverwrite .Values.configmap $configmaps) }}
   {{- $_ := set .Values "configmap" $configmaps -}}
 {{- end -}}
 
-
-{{- if .Values.workerContainer.enabled -}}
-{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
+{{- if .Values.authentik.geoip.enabled -}}
+  {{- $_ := set .Values.workload.geoip "enabled" true -}}
+{{- else -}}
+  {{- $_ := set .Values.workload.geoip "enabled" false -}}
 {{- end -}}
 
-{{- if .Values.geoip.enabled -}}
-{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
+{{- if .Values.authentik.outposts.radius.enabled -}}
+  {{- $_ := set .Values.workload.radius "enabled" true -}}
+  {{- $_ := set .Values.service.radius "enabled" true -}}
+  {{- $_ := set .Values.service.radiusmetrics "enabled" true -}}
+  {{- $_ := set .Values.metrics.radiusmetrics "enabled" true -}}
+{{- else -}}
+  {{- $_ := set .Values.workload.radius "enabled" false -}}
+  {{- $_ := set .Values.service.radius "enabled" false -}}
+  {{- $_ := set .Values.service.radiusmetrics "enabled" false -}}
+  {{- $_ := set .Values.metrics.radiusmetrics "enabled" false -}}
 {{- end -}}
 
-{{- if .Values.outposts.ldap.enabled -}}
-{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
-{{/* - if .Values.metrics.enabled - */}}
-{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
-{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
-{{/* We can't define multiple ports/endpoints with annotations */}}
-{{/* - end - */}}
+{{- if .Values.authentik.outposts.ldap.enabled -}}
+  {{- $_ := set .Values.workload.ldap "enabled" true -}}
+  {{- $_ := set .Values.service.ldap "enabled" true -}}
+  {{- $_ := set .Values.service.ldaps "enabled" true -}}
+  {{- $_ := set .Values.service.ldapmetrics "enabled" true -}}
+  {{- $_ := set .Values.metrics.ldapmetrics "enabled" true -}}
+{{- else -}}
+  {{- $_ := set .Values.workload.ldap "enabled" false -}}
+  {{- $_ := set .Values.service.ldap "enabled" false -}}
+  {{- $_ := set .Values.service.ldaps "enabled" false -}}
+  {{- $_ := set .Values.service.ldapmetrics "enabled" false -}}
+  {{- $_ := set .Values.metrics.ldapmetrics "enabled" false -}}
 {{- end -}}
 
-{{- if .Values.outposts.proxy.enabled -}}
-{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
-{{/* - if .Values.metrics.enabled - */}}
-{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
-{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
-{{/* We can't define multiple ports/endpoints with annotations */}}
-{{/* - end - */}}
-{{- end -}}
+{{/* FIXME: See values.yaml */}}
+{{- $_ := set .Values.service.servermetrics "enabled" false -}}
+{{- $_ := set .Values.service.radiusmetrics "enabled" false -}}
+{{- $_ := set .Values.service.ldapmetrics "enabled" false -}}
+
+{{- $_ := set .Values.metrics.servermetrics "enabled" false -}}
+{{- $_ := set .Values.metrics.radiusmetrics "enabled" false -}}
+{{- $_ := set .Values.metrics.ldapmetrics "enabled" false -}}
 
 {{/* Render the templates */}}
 {{ include "tc.v1.common.loader.apply" . }}

charts/incubator/authentik/templates/prometheusrules.yaml

@@ -1,160 +0,0 @@
-{{- if hasKey .Values "metrics" }}
-{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-    {{- with .Values.metrics.prometheusRule.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  groups:
-    - name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
-      rules:
-        {{- with .Values.metrics.prometheusRule.rules }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    {{- if .Values.metrics.prometheusRule.useDefault }}
-    - name: authentik Aggregate request counters
-      rules:
-        - record: job:django_http_requests_before_middlewares_total:sum_rate30s
-          expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
-        - record: job:django_http_requests_unknown_latency_total:sum_rate30s
-          expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
-        - record: job:django_http_ajax_requests_total:sum_rate30s
-          expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
-        - record: job:django_http_responses_before_middlewares_total:sum_rate30s
-          expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
-        - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
-          expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
-        - record: job:django_http_requests_body_total_bytes:sum_rate30s
-          expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
-        - record: job:django_http_responses_streaming_total:sum_rate30s
-          expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
-        - record: job:django_http_responses_body_total_bytes:sum_rate30s
-          expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
-        - record: job:django_http_requests_total:sum_rate30s
-          expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
-        - record: job:django_http_requests_total_by_method:sum_rate30s
-          expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
-        - record: job:django_http_requests_total_by_transport:sum_rate30s
-          expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
-        - record: job:django_http_requests_total_by_view:sum_rate30s
-          expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
-        - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
-          expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
-        - record: job:django_http_responses_total_by_templatename:sum_rate30s
-          expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
-        - record: job:django_http_responses_total_by_status:sum_rate30s
-          expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
-        - record: job:django_http_responses_total_by_status_name_method:sum_rate30s
-          expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
-        - record: job:django_http_responses_total_by_charset:sum_rate30s
-          expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
-        - record: job:django_http_exceptions_total_by_type:sum_rate30s
-          expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
-        - record: job:django_http_exceptions_total_by_view:sum_rate30s
-          expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
-    - name: authentik Aggregate latency histograms
-      rules:
-        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
-          expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "50"
-        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
-          expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "95"
-        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
-          expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "99"
-        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
-          expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "99.9"
-        - record: job:django_http_requests_latency_seconds:quantile_rate30s
-          expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "50"
-        - record: job:django_http_requests_latency_seconds:quantile_rate30s
-          expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "95"
-        - record: job:django_http_requests_latency_seconds:quantile_rate30s
-          expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "99"
-        - record: job:django_http_requests_latency_seconds:quantile_rate30s
-          expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
-          labels:
-            quantile: "99.9"
-    - name: authentik Aggregate model operations
-      rules:
-        - record: job:django_model_inserts_total:sum_rate1m
-          expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
-        - record: job:django_model_updates_total:sum_rate1m
-          expr: sum(rate(django_model_updates_total[1m])) by (job, model)
-        - record: job:django_model_deletes_total:sum_rate1m
-          expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
-    - name: authentik Aggregate database operations
-      rules:
-        - record: job:django_db_new_connections_total:sum_rate30s
-          expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
-        - record: job:django_db_new_connection_errors_total:sum_rate30s
-          expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
-        - record: job:django_db_execute_total:sum_rate30s
-          expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
-        - record: job:django_db_execute_many_total:sum_rate30s
-          expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
-        - record: job:django_db_errors_total:sum_rate30s
-          expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
-    - name: authentik Aggregate migrations
-      rules:
-        - record: job:django_migrations_applied_total:max
-          expr: max(django_migrations_applied_total) by (job, connection)
-        - record: job:django_migrations_unapplied_total:max
-          expr: max(django_migrations_unapplied_total) by (job, connection)
-    - name: authentik Alerts
-      rules:
-        - alert: NoWorkersConnected
-          expr: max without (pid) (authentik_admin_workers) < 1
-          annotations:
-            message: |
-              authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
-            summary: No workers connected
-          for: 10m
-          labels:
-            severity: critical
-        - alert: PendingMigrations
-          expr: max without (pid) (django_migrations_unapplied_total) > 0
-          annotations:
-            message: |
-              authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
-            summary: Pending database migrations
-          for: 10m
-          labels:
-            severity: critical
-        - alert: FailedSystemTasks
-          expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
-          annotations:
-            message: |
-              System task {{ printf "{{ $labels.task_name }}" }} has failed
-            summary: Failed system tasks
-          for: 2h
-          labels:
-            severity: critical
-        - alert: DisconnectedOutposts
-          expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"}))  < 1
-          annotations:
-            message: |
-              Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
-            summary: Disconnected outpost
-          for: 30m
-          labels:
-            severity: critical
-    {{- end }}
-{{- end }}
-{{- end }}

charts/incubator/authentik/templates/servicemonitor.yaml

@@ -1,44 +0,0 @@
-{{- if hasKey .Values "metrics" }}
-{{- if .Values.metrics.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
-  labels:
-    {{- include "tc.common.labels" . | nindent 4 }}
-    {{- with .Values.metrics.serviceMonitor.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
-  endpoints:
-    - port: metrics
-      {{- with .Values.metrics.serviceMonitor.interval }}
-      interval: {{ . }}
-      {{- end }}
-      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
-      scrapeTimeout: {{ . }}
-      {{- end }}
-      path: /metrics
-
-    - port: ldapmetrics
-      {{- with .Values.metrics.serviceMonitor.interval }}
-      interval: {{ . }}
-      {{- end }}
-      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
-      scrapeTimeout: {{ . }}
-      {{- end }}
-      path: /metrics
-
-    - port: proxymetrics
-      {{- with .Values.metrics.serviceMonitor.interval }}
-      interval: {{ . }}
-      {{- end }}
-      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
-      scrapeTimeout: {{ . }}
-      {{- end }}
-      path: /metrics
-{{- end }}
-{{- end }}

charts/incubator/authentik/values.yaml

@@ -1,65 +1,275 @@
 image:
   repository: tccr.io/truecharts/authentik
-  tag: 2023.4.1@sha256:7d60414d9d5f2395b703228193e8b03c616d7fed6c3cee620940845dd0b725cb
+  tag: v2023.5.3@sha256:55c6eea8ce8d936379b34a05c0d0558a0ca737e71a72d27600d27ce23bc369e3
   pullPolicy: IfNotPresent
 
 geoipImage:
   repository: tccr.io/truecharts/geoipupdate
-  tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
+  tag: v5.1.0@sha256:9397c7e4d99ab79d620bd7c6ecbad3558ac581dfc2c9432d98dd066ae7d55c71
   pullPolicy: IfNotPresent
 
 ldapImage:
   repository: tccr.io/truecharts/authentik-ldap
-  tag: 2023.4.1@sha256:f737b534c6f3a022b002bb5d635ef491273fd40f8c0b6dd64efa7f5f6265d8cf
+  tag: v2023.5.3@sha256:7ac0f5c4ad334c9480548cf2d5978fe0f6105809c9deeb8d40c450486863526f
   pullPolicy: IfNotPresent
 
-proxyImage:
-  repository: tccr.io/truecharts/authentik-proxy
-  tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
+radiusImage:
+  repository: tccr.io/truecharts/authentik-radius
+  tag: v2023.5.3@sha256:d46f4dbc727d5d6f6c91df0f6a2bf98d2c941de908fdc15193552413331e375b
   pullPolicy: IfNotPresent
 
-securityContext:
-  container:
-    runAsUser: 1000
-    runAsGroup: 1000
-    readOnlyRootFilesystem: false
+authentik:
+  credentials:
+    # Only works on initial install
+    email: my-mail@example.com
+    password: my-password
+  general:
+    disableUpdateCheck: false
+    disableStartupAnalytics: true
+    allowUserChangeName: true
+    allowUserChangeEmail: true
+    allowUserChangeUsername: true
+    gdprCompliance: true
+    tokenLength: 128
+    impersonation: true
+    avatars:
+      - gravatar
+      - initials
+    footerLinks:
+      - name: Authentik
+        href: https://goauthentik.io
+  email:
+    host: ""
+    port: 587
+    username:
+    password:
+    useTLS: true
+    useSSL: false
+    timeout: 10
+    from: ""
+  ldap:
+    tlsCiphers: "null"
+    taskTimeoutHours: 2
+  logging:
+    # info, debug, warning, error, trace
+    logLevel: info
+  errorReporting:
+    enabled: false
+    sendPII: false
+    environment: customer
+    sentryDSN: ""
+  geoip:
+    enabled: false
+    editionID: GeoLite2-City
+    frequency: 8
+    accountID: ""
+    licenseKey: ""
+  outposts:
+    radius:
+      enabled: false
+      token: ""
+    ldap:
+      enabled: false
+      token: ""
 
+# ===== DO NOT EDIT BELOW THIS LINE =====
 workload:
+  # ===== Server =====
   main:
-    replicas: 1
-    strategy: RollingUpdate
+    enabled: true
+    type: Deployment
     podSpec:
       containers:
         main:
-          args: ["server"]
+          enabled: true
+          primary: true
+          imageSelector: image
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            # readOnlyRootFilesystem: false
           envFrom:
+            - configMapRef:
+                name: server
             - secretRef:
-                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
+                name: server-worker
             - configMapRef:
-                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
-            - configMapRef:
-                name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
+                name: server-worker
+          args:
+            - server
           probes:
             liveness:
-              type: https
-              path: /-/health/live/
-              port: "{{ .Values.service.main.ports.main.targetPort }}"
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
             readiness:
-              type: https
-              path: /-/health/ready/
-              port: "{{ .Values.service.main.ports.main.targetPort }}"
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
             startup:
-              type: https
-              path: /-/health/ready/
-              port: "{{ .Values.service.main.ports.main.targetPort }}"
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
+
+  # ===== Worker =====
+  worker:
+    enabled: true
+    type: Deployment
+    podSpec:
+      containers:
+        worker:
+          enabled: true
+          primary: true
+          imageSelector: image
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            # readOnlyRootFilesystem: false
+          envFrom:
+            - secretRef:
+                name: server-worker
+            - configMapRef:
+                name: server-worker
+          args:
+            - worker
+          probes:
+            liveness:
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
+            readiness:
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
+            startup:
+              enabled: true
+              type: exec
+              command:
+               - /lifecycle/ak
+               - healthcheck
+
+  # ===== RADIUS =====
+  radius:
+    enabled: true
+    type: Deployment
+    podSpec:
+      containers:
+        radius:
+          enabled: true
+          primary: true
+          imageSelector: radiusImage
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+          envFrom:
+            - configMapRef:
+                name: radius
+            - secretRef:
+                name: radius
+          probes:
+            liveness:
+              enabled: true
+              type: exec
+              command:
+               - /radius
+               - healthcheck
+            readiness:
+              enabled: true
+              type: exec
+              command:
+               - /radius
+               - healthcheck
+            startup:
+              enabled: true
+              type: exec
+              command:
+               - /radius
+               - healthcheck
+
+  # ===== LDAP =====
+  ldap:
+    enabled: true
+    type: Deployment
+    podSpec:
+      containers:
+        ldap:
+          enabled: true
+          primary: true
+          imageSelector: ldapImage
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+          envFrom:
+            - configMapRef:
+                name: ldap
+            - secretRef:
+                name: ldap
+          probes:
+            liveness:
+              enabled: true
+              type: exec
+              command:
+               - /ldap
+               - healthcheck
+            readiness:
+              enabled: true
+              type: exec
+              command:
+               - /ldap
+               - healthcheck
+            startup:
+              enabled: true
+              type: exec
+              command:
+               - /ldap
+               - healthcheck
+
+  # ===== GeoIP Updater =====
+  geoip:
+    enabled: true
+    type: Deployment
+    podSpec:
+      containers:
+        geoip:
+          enabled: true
+          primary: true
+          imageSelector: geoipImage
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            capabilities:
+              disableS6Caps: true
+          envFrom:
+            - configMapRef:
+                name: geoip
+            - secretRef:
+                name: geoip
+          probes:
+            liveness:
+              enabled: false
+            readiness:
+              enabled: false
+            startup:
+              enabled: false
 
 service:
+  # Server HTTPS
   main:
     ports:
       main:
         protocol: https
         port: 10229
-        targetPort: 9443
+  # Server HTTP
   http:
     enabled: true
     type: ClusterIP
@@ -68,133 +278,100 @@ service:
         enabled: true
         protocol: http
         port: 10230
-        targetPort: 9000
-  # LDAP Outpost Services
-  ldapldaps:
+  # Radius
+  radius:
     enabled: true
     ports:
-      ldapldaps:
+      radius:
         enabled: true
-        port: 636
-        targetPort: 6636
-  ldapldap:
+        protocol: udp
+        port: 1812
+  # LDAP
+  ldap:
     enabled: true
     ports:
-      ldapldap:
+      ldap:
         enabled: true
         port: 389
-        targetPort: 3389
-  # Proxy Outpost Services
-  proxyhttps:
+  # LDAPS
+  ldaps:
     enabled: true
     ports:
-      proxyhttps:
+      ldaps:
         enabled: true
-        port: 10233
-        protocol: https
-        targetPort: 9444
-  proxyhttp:
+        port: 636
+  # Server Metrics
+  servermetrics:
     enabled: true
     type: ClusterIP
     ports:
-      proxyhttp:
-        enabled: true
-        port: 10234
-        protocol: http
-        targetPort: 9001
-  # Metrics Services
-  metrics:
-    enabled: true
-    type: ClusterIP
-    ports:
-      metrics:
+      servermetrics:
         enabled: true
         protocol: http
         port: 10231
-        targetPort: 9301
+  # Radius Metrics
+  radiusmetrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      radiusmetrics:
+        enabled: true
+        protocol: http
+        port: 10232
+  # LDAP Metrics
   ldapmetrics:
     enabled: true
     type: ClusterIP
     ports:
       ldapmetrics:
         enabled: true
-        port: 10232
         protocol: http
-        targetPort: 9302
-  proxymetrics:
-    enabled: true
-    type: ClusterIP
-    ports:
-      proxymetrics:
-        enabled: true
-        port: 10235
-        protocol: http
-        targetPort: 9303
+        port: 10233
 
-metrics:
-  # TODO
-  main:
-    # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
-    # @default -- See values.yaml
-    enabled: false
-    type: "servicemonitor"
-    endpoints:
-      - port: main
-        path: /metrics
-        interval: 1m
-        scrapeTimeout: 30s
-    # -- Enable and configure Prometheus Rules for the chart under this key.
-    # @default -- See values.yaml
-    prometheusRule:
-      enabled: false
-      labels: {}
-      # -- Configure additionial rules for the chart under this key.
-      # @default -- See prometheusrules.yaml
-      rules:
-        []
-        # - alert: UnifiPollerAbsent
-        #   annotations:
-        #     description: Unifi Poller has disappeared from Prometheus service discovery.
-        #     summary: Unifi Poller is down.
-        #   expr: |
-        #     absent(up{job=~".*unifi-poller.*"} == 1)
-        #   for: 5m
-        #   labels:
-        #     severity: critical
-
-ingress:
-  proxyhttps:
-    autoLink: true
-
-# Target selectors taken from authentik's compose file:
-# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
 persistence:
   media:
     enabled: true
-    mountPath: "/media"
     targetSelector:
       main:
-        main: {}
-        worker: {}
+        main:
+          mountPath: /media
+      worker:
+        worker:
+          mountPath: /media
   templates:
     enabled: true
-    mountPath: "/templates"
     targetSelector:
       main:
-        main: {}
-        worker: {}
+        main:
+          mountPath: /templates
+      worker:
+        worker:
+          mountPath: /templates
+  blueprints:
+    enabled: true
+    targetSelector:
+      worker:
+        worker:
+          mountPath: /blueprints
   certs:
     enabled: true
-    mountPath: "/certs"
+    mountPath: /certs
     targetSelector:
-      main:
-        worker: {}
+      worker:
+        worker:
+          mountPath: /certs
   geoip:
     enabled: true
-    mountPath: "/usr/share/GeoIP"
     targetSelector:
       main:
-        geoip: {}
+        main:
+          mountPath: /geoip
+      worker:
+        worker:
+          mountPath: /geoip
+      geoip:
+        geoip:
+          mountPath: /usr/share/GeoIP
 
 cnpg:
   main:
@@ -202,89 +379,36 @@ cnpg:
     user: authentik
     database: authentik
 
-cnpgProvider:
-  port: 5432
-
-# Enabled redis
-# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
 redis:
   enabled: true
 
-redisProvider:
-  port: 6379
-
-workerContainer:
-  enabled: true
-
-authentik:
-  credentials:
-    password: "supersecret"
-  general:
-    disable_update_check: false
-    disable_startup_analytics: true
-    allow_user_name_change: true
-    allow_user_mail_change: true
-    allow_user_username_change: true
-    gdpr_compliance: true
-    impersonation: true
-    avatars: "gravatar,initials"
-    token_length: 128
-    # Use single quotes for footer_links
-    footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
-  mail:
-    host: ""
-    port: 25
-    tls: false
-    ssl: false
-    timeout: 10
-    user: ""
-    pass: ""
-    from: ""
-  error_reporting:
-    enabled: false
-    send_pii: false
-    environment: "customer"
-  logging:
-    log_level: "info"
-  ldap:
-    tls_ciphers: "null"
-
-geoip:
-  enabled: false
-  account_id: ""
-  license_key: ""
-  proxy: ""
-  proxy_user_pass: ""
-  edition_ids: "GeoLite2-City"
-  frequency: 8
-  host_server: "updates.maxmind.com"
-  preserve_file_times: false
-  verbose: false
-
-outposts:
-  ldap:
-    # -- First you have to create an Outpost in the GUI. Applications > Outposts
-    enabled: false
-    # -- Host Browser by default is set to the first ingress host you set
-    # host_browser: ""
-    # -- Host should not need to be overridden. Defaults to https://localhost:9443
-    # host: ""
-    # -- As we use https://localhost:9443 it's an unsecure connection
-    # insecure: false
-    # -- Token is only needed if you accidentally deleted the token within the UI
-    # token: ""
-  proxy:
-    # -- First you have to create an Outpost in the GUI. Applications > Outposts
-    enabled: false
-    # -- Host Browser by default is set to the first ingress host you set
-    # host_browser: ""
-    # -- As we use https://localhost:9443 it's an unsecure connection
-    # insecure: false
-    # -- Host should not need to be overridden. Defaults to https://localhost:9443
-    # host: ""
-    # -- Token is only needed if you accidentally deleted the token within the UI
-    # token: ""
-
 portal:
   open:
     enabled: true
+
+metrics:
+  # FIXME: Metris do not work yet
+  servermetrics:
+    enabled: true
+    type: servicemonitor
+    endpoints:
+      - port: "{{ .Values.service.servermetrics.ports.servermetrics.port }}"
+        path: /metrics
+    prometheusRule:
+      enabled: false
+  radiusmetrics:
+    enabled: true
+    type: servicemonitor
+    endpoints:
+      - port: "{{ .Values.service.radiusmetrics.ports.radiusmetrics.port }}"
+        path: /metrics
+    prometheusRule:
+      enabled: false
+  ldapmetrics:
+    enabled: true
+    type: servicemonitor
+    endpoints:
+      - port: "{{ .Values.service.ldapmetrics.ports.ldapmetrics.port }}"
+        path: /metrics
+    prometheusRule:
+      enabled: false

charts/incubator/etesync/Chart.yaml

@@ -31,7 +31,7 @@ sources:
   - https://github.com/etesync
   - https://github.com/victor-rds/docker-etebase
 type: application
-version: 4.0.8
+version: 4.0.9
 annotations:
   truecharts.org/catagories: |
     - productivity

charts/incubator/etesync/questions.yaml

@@ -2,6 +2,10 @@
 portals:
   open:
 # Include{portalLink}
+    path: "/"
+  admin:
+# Include{portalLink}
+    path: "/admin/"
 questions:
 # Include{global}
 # Include{workload}

charts/incubator/firezone/.helmignore

@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl
+# docs folder
+/docs
+# icon
+icon.png

charts/incubator/firezone/CHANGELOG.md

@@ -0,0 +1 @@
+# Changelog

charts/incubator/firezone/Chart.yaml

@@ -0,0 +1,30 @@
+apiVersion: v2
+appVersion: "0.7.30"
+dependencies:
+  - name: common
+    repository: https://library-charts.truecharts.org
+    version: 12.14.2
+deprecated: false
+description: WireGuard-based VPN server and egress firewall
+home: https://truecharts.org/charts/incubator/firezone
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/firezone.png
+keywords:
+  - firezone
+  - wireguard
+  - vpn
+kubeVersion: ">=1.16.0-0"
+maintainers:
+  - email: info@truecharts.org
+    name: TrueCharts
+    url: https://truecharts.org
+name: firezone
+sources:
+  - https://github.com/truecharts/charts/tree/master/charts/incubator/firezone
+  - https://github.com/firezone/firezone
+type: application
+version: 0.0.1
+annotations:
+  truecharts.org/catagories: |
+    - vpn
+    - security
+  truecharts.org/SCALE-support: "true"

charts/incubator/firezone/README.md

@@ -0,0 +1 @@
+# README

charts/incubator/firezone/questions.yaml

@@ -0,0 +1,341 @@
+# Include{groups}
+portals:
+  open:
+# Include{portalLink}
+questions:
+# Include{global}
+# Include{workload}
+# Include{workloadDeployment}
+
+# Include{replicas1}
+# Include{podSpec}
+# Include{containerMain}
+
+                                - variable: env
+                                  label: Image Environment
+                                  schema:
+                                    additional_attrs: true
+                                    type: dict
+                                    attrs:
+                                      - variable: EXTERNAL_URL
+                                        label: External Url
+                                        description: Must be a valid and public FQDN for ACME SSL issuance to function.
+                                        schema:
+                                          type: string
+                                          required: true
+                                          default: ""
+                                      - variable: DEFAULT_ADMIN_EMAIL
+                                        label: Default Admin Email
+                                        description: Primary administrator email.
+                                        schema:
+                                          type: string
+                                          required: true
+                                          default: ""
+                                      - variable: DEFAULT_ADMIN_PASSWORD
+                                        label: Default Admin Password
+                                        description: Primary administrator password.
+                                        schema:
+                                          type: string
+                                          required: true
+                                          private: true
+                                          default: ""
+                                      - variable: RESET_ADMIN_ON_BOOT
+                                        label: Reset Admin On Boot
+                                        description: to create or reset the admin password every time FireZone starts.
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                      - variable: TELEMETRY_ENABLED
+                                        label: Telemetry Enabled
+                                        description: Enable or disable the FireZone telemetry collection.
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                      - variable: devices
+                                        label: Devices Settings
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                          show_subquestions_if: true
+                                          subquestions:
+                                            - variable: ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT
+                                              label: Allow Unprivileged Devices
+                                              description: Enable or disable management of devices on unprivileged accounts.
+                                              schema:
+                                                type: boolean
+                                                default: true
+                                            - variable: ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION
+                                              label: Allow Unprivileged Device Configuration
+                                              description: Enable or disable configuration of device network settings for unprivileged users.
+                                              schema:
+                                                type: boolean
+                                                default: true
+                                            - variable: VPN_SESSION_DURATION
+                                              label: VPN Session Duration
+                                              description: Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive.
+                                              schema:
+                                                type: int
+                                                default: 0
+                                            - variable: DEFAULT_CLIENT_PERSISTENT_KEEPALIVE
+                                              label: Default Client Persistent KeepAlive
+                                              description: send a keepalive packet every 25 seconds. Otherwise, keep it disabled with a 0 default value.
+                                              schema:
+                                                type: int
+                                                default: 25
+                                            - variable: DEFAULT_CLIENT_MTU
+                                              label: Default Client MTU
+                                              description: WireGuard interface MTU for devices.
+                                              schema:
+                                                type: int
+                                                default: 1280
+                                            - variable: DEFAULT_CLIENT_ENDPOINT
+                                              label: Default Client EndPoint
+                                              description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to. Defaults to this server's FQDN.
+                                              schema:
+                                                type: string
+                                                default: ""
+                                            - variable: DEFAULT_CLIENT_DNS
+                                              label: Default Client DNS
+                                              description: Comma-separated list of DNS servers to use for devices.
+                                              schema:
+                                                type: string
+                                                default: "1.1.1.1,1.0.0.1"
+                                            - variable: DEFAULT_CLIENT_ALLOWED_IPS
+                                              label: Default Client Allowed IPs
+                                              description: AllowedIPs determines which destination IPs get routed through FireZone.
+                                              schema:
+                                                type: string
+                                                default: "0.0.0.0/0,::/0"
+                                            - variable: MAX_DEVICES_PER_USER
+                                              label: Max Devices Per User
+                                              description: Changes how many devices a user can have at a time.
+                                              schema:
+                                                type: int
+                                                default: 10
+                                      - variable: authorization
+                                        label: Authorization Settings
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                          show_subquestions_if: true
+                                          subquestions:
+                                            - variable: LOCAL_AUTH_ENABLED
+                                              label: Local Auth Enabled
+                                              description: Enable or disable the local authentication method for all users.
+                                              schema:
+                                                type: boolean
+                                                default: true
+                                            - variable: DISABLE_VPN_ON_OIDC_ERROR
+                                              label: Disable VPN On OIDC Error
+                                              description: Enable or disable auto disabling VPN connection on OIDC refresh error.
+                                              schema:
+                                                type: boolean
+                                                default: false
+                                      - variable: wireguard
+                                        label: Wireguard Settings
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                          show_subquestions_if: true
+                                          subquestions:
+                                            - variable: WIREGUARD_IPV4_ENABLED
+                                              label: WireGuard IPV4 Enabled
+                                              description: Enable or disable IPv4 support for WireGuard.
+                                              schema:
+                                                type: boolean
+                                                default: true
+                                            - variable: WIREGUARD_IPV6_ENABLED
+                                              label: WireGuard IPV6 Enabled
+                                              description: Enable or disable IPv6 support for WireGuard.
+                                              schema:
+                                                type: boolean
+                                                default: false
+                                      - variable: outbound
+                                        label: OutBound Email Settings
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                          show_subquestions_if: true
+                                          subquestions:
+                                            - variable: OUTBOUND_EMAIL_FROM
+                                              label: Outbound Email From
+                                              description: From address to use for sending outbound emails.
+                                              schema:
+                                                type: string
+                                                default: ""
+                                            - variable: OUTBOUND_EMAIL_ADAPTER
+                                              label: Outbound Email Adapter
+                                              description: Method to use for sending outbound email.
+                                              schema:
+                                                type: string
+                                                default: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
+                                                enum:
+                                                  - value: "Elixir.FzHttpWeb.Mailer.AmazonSES"
+                                                    description: "AmazonSES"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.CustomerIO"
+                                                    description: CustomerIO"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Dyn"
+                                                    description: Dyn
+                                                  - value: "Elixir.FzHttpWeb.Mailer.ExAwsAmazonSES"
+                                                    description: ExAwsAmazonSES"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Gmail"
+                                                    description: Gmail"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.MailPace"
+                                                    description: MailPace"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Mailgun"
+                                                    description: Mailgun"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Mailjet"
+                                                    description: MailJet"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Mandrill"
+                                                    description: Mandrill"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Postmark"
+                                                    description: Postmark"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.ProtonBridge"
+                                                    description: ProtonBridge"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.SMTP"
+                                                    description: SMTP"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.SMTP2GO"
+                                                    description: SMTP2GO"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Sendgrid"
+                                                    description: SendGrid"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Sendinblue"
+                                                    description: "SendInBlue"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.Sendmail"
+                                                    description: "Sendmail"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.SocketLabs"
+                                                    description: "SocketLabs"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.SparkPost"
+                                                    description: "SparkPost"
+                                                  - value: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
+                                                    description: "NoopAdapter"
+                                            - variable: OUTBOUND_EMAIL_ADAPTER_OPTS
+                                              label: Outbound Email Adapter OPTS
+                                              description: Adapter configuration, see https://github.com/swoosh/swoosh#adapters.
+                                              schema:
+                                                type: string
+                                                default: ""
+                                      - variable: connectivity
+                                        label: Connectivity Settings
+                                        schema:
+                                          type: boolean
+                                          default: false
+                                          show_subquestions_if: true
+                                          subquestions:
+                                            - variable: CONNECTIVITY_CHECKS_ENABLED
+                                              label: Connectivity Checks Enabled
+                                              description:     Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields.
+                                              schema:
+                                                type: boolean
+                                                default: true
+                                            - variable: CONNECTIVITY_CHECKS_INTERVAL
+                                              label: Connectivity Checks Interval
+                                              description: Periodicity in seconds to check for egress connectivity.
+                                              schema:
+                                                type: int
+                                                default: 43200
+
+# Include{containerBasic}
+# Include{containerAdvanced}
+
+# Include{containerConfig}
+# Include{podOptions}
+# Include{serviceRoot}
+        - variable: main
+          label: Main Service
+          description: The Primary service on which the healthcheck runs, often the webUI
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{serviceSelectorLoadBalancer}
+# Include{serviceSelectorExtras}
+                    - variable: main
+                      label: Main Service Port Configuration
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: port
+                            label: Port
+                            description: This port exposes the container port on the service
+                            schema:
+                              type: int
+                              default: 13000
+                              required: true
+        - variable: wireguard
+          label: Wireguard Service
+          description: The Wireguard service
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{serviceSelectorLoadBalancer}
+# Include{serviceSelectorExtras}
+                    - variable: wireguard
+                      label: Wireguard Service Port Configuration
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: port
+                            label: Port
+                            description: This port exposes the container port on the service
+                            schema:
+                              type: int
+                              default: 51820
+                              required: true
+# Include{serviceExpertRoot}
+# Include{serviceExpert}
+# Include{serviceList}
+# Include{persistenceRoot}
+        - variable: config
+          label: App Config Storage
+          description: Stores the Application Config.
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{persistenceBasic}
+# Include{persistenceList}
+# Include{ingressRoot}
+        - variable: main
+          label: Main Ingress
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{ingressDefault}
+# Include{ingressTLS}
+# Include{ingressTraefik}
+# Include{ingressList}
+# Include{securityContextRoot}
+              - variable: runAsUser
+                label: runAsUser
+                description: The UserID of the user running the application
+                schema:
+                  type: int
+                  default: 0
+              - variable: runAsGroup
+                label: runAsGroup
+                description: The groupID of the user running the application
+                schema:
+                  type: int
+                  default: 0
+# Include{securityContextContainer}
+# Include{securityContextAdvanced}
+# Include{securityContextPod}
+              - variable: fsGroup
+                label: fsGroup
+                description: The group that should own ALL storage.
+                schema:
+                  type: int
+                  default: 568
+# Include{resources}
+# Include{metrics}
+# Include{prometheusRule}
+# Include{advanced}
+# Include{addons}
+# Include{codeserver}
+# Include{netshoot}
+# Include{vpn}
+# Include{documentation}

charts/incubator/firezone/templates/NOTES.txt

@@ -0,0 +1 @@
+{{- include "tc.v1.common.lib.chart.notes" $ -}}

charts/incubator/firezone/templates/_secrets.tpl

@@ -0,0 +1,26 @@
+{{/* Define the secrets */}}
+{{- define "firezone.secrets" -}}
+{{- $secretName := (printf "%s-firezone-secrets" (include "tc.v1.common.lib.chart.names.fullname" $)) -}}
+{{- $keyGuardian := randAlphaNum 32 -}}
+{{- $keyDatabase := randAlphaNum 32 -}}
+{{- $keySecret := randAlphaNum 32 -}}
+{{- $keyLive := randAlphaNum 32 -}}
+{{- $keyCookieSigning := randAlphaNum 32 -}}
+{{- $keyCookieEncrypt := randAlphaNum 32 -}}
+{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+  {{- $keyGuardian = index .data "GUARDIAN_SECRET_KEY" | b64dec -}}
+  {{- $keyDatabase = index .data "DATABASE_ENCRYPTION_KEY" | b64dec -}}
+  {{- $keySecret = index .data "SECRET_KEY_BASE" | b64dec -}}
+  {{- $keyLive = index .data "LIVE_VIEW_SIGNING_SALT" | b64dec -}}
+  {{- $keyCookieSigning = index .data "COOKIE_SIGNING_SALT" | b64dec -}}
+  {{- $keyCookieEncrypt = index .data "COOKIE_ENCRYPTION_SALT" | b64dec -}}
+{{- end }}
+enabled: true
+data:
+  GUARDIAN_SECRET_KEY: {{ $keyGuardian }}
+  DATABASE_ENCRYPTION_KEY: {{ $keyDatabase }}
+  SECRET_KEY_BASE: {{ $keySecret }}
+  LIVE_VIEW_SIGNING_SALT: {{ $keyLive }}
+  COOKIE_SIGNING_SALT: {{ $keyCookieSigning }}
+  COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt }}
+{{- end -}}

charts/incubator/firezone/templates/common.yaml

@@ -0,0 +1,11 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.v1.common.loader.init" . }}
+
+{{/* Render secrets for firezone */}}
+{{- $secrets := include "firezone.secrets" . | fromYaml -}}
+{{- if $secrets -}}
+  {{- $_ := set .Values.secret "secrets" $secrets -}}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "tc.v1.common.loader.apply" . }}

charts/incubator/firezone/values.yaml

@@ -0,0 +1,140 @@
+image:
+  repository: tccr.io/truecharts/firezone
+  pullPolicy: IfNotPresent
+  tag: v0.7.30@sha256:e22dc7a9be93a804bbe0e3d301c883625463a3649d856c8b41f80a2257214667
+
+securityContext:
+  container:
+    readOnlyRootFilesystem: false
+    runAsNonRoot: false
+    PUID: 0
+    runAsUser: 0
+    runAsGroup: 0
+    capabilities:
+      add:
+        - NET_ADMIN
+        - SYS_MODULE
+
+workload:
+  main:
+    podSpec:
+      containers:
+        main:
+          probes:
+            liveness:
+              enabled: false
+            readiness:
+              enabled: false
+            startup:
+              enabled: false
+          env:
+            # web
+            PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}"
+            EXTERNAL_URL: "https://app.mydomain.com"
+            # PHOENIX_SECURE_COOKIES: true
+            # PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}"
+            # PHOENIX_EXTERNAL_TRUSTED_PROXIES: "[]"
+            # PHOENIX_PRIVATE_CLIENTS: "[]"
+            # DB
+            DATABASE_HOST:
+              secretKeyRef:
+                name: cnpg-main-urls
+                key: host
+            DATABASE_PORT: 5432
+            DATABASE_NAME: "{{ .Values.cnpg.main.database }}"
+            DATABASE_USER: "{{ .Values.cnpg.main.user }}"
+            DATABASE_PASSWORD:
+              secretKeyRef:
+                name: cnpg-main-user
+                key: password
+            # DATABASE_POOL_SIZE
+            DATABASE_SSL_ENABLED: false
+            # DATABASE_SSL_OPTS: "{}"
+            # Admin
+            RESET_ADMIN_ON_BOOT: false
+            DEFAULT_ADMIN_EMAIL: "admin@email.com"
+            DEFAULT_ADMIN_PASSWORD: "1234567890"
+            # Secrets and Encryption
+            GUARDIAN_SECRET_KEY:
+              secretKeyRef:
+                name: secrets
+                key: GUARDIAN_SECRET_KEY
+            DATABASE_ENCRYPTION_KEY:
+              secretKeyRef:
+                name: secrets
+                key: DATABASE_ENCRYPTION_KEY
+            SECRET_KEY_BASE:
+              secretKeyRef:
+                name: secrets
+                key: SECRET_KEY_BASE
+            LIVE_VIEW_SIGNING_SALT:
+              secretKeyRef:
+                name: secrets
+                key: LIVE_VIEW_SIGNING_SALT
+            COOKIE_SIGNING_SALT:
+              secretKeyRef:
+                name: secrets
+                key: COOKIE_SIGNING_SALT
+            COOKIE_ENCRYPTION_SALT:
+              secretKeyRef:
+                name: secrets
+                key: COOKIE_ENCRYPTION_SALT
+            # Devices
+            ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: true
+            ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: true
+            VPN_SESSION_DURATION: 0
+            DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: 25
+            DEFAULT_CLIENT_MTU: 1280
+            # DEFAULT_CLIENT_ENDPOINT: ""
+            DEFAULT_CLIENT_DNS: "1.1.1.1,1.0.0.1"
+            DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"
+            # Limits
+            MAX_DEVICES_PER_USER: 10
+            # Authorization
+            LOCAL_AUTH_ENABLED: true
+            DISABLE_VPN_ON_OIDC_ERROR: false
+            SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
+            # SAML_KEYFILE_PATH: "/var/firezone/saml.key"
+            # SAML_CERTFILE_PATH: "/var/firezone/saml.crt"
+            # OPENID_CONNECT_PROVIDERS: "[]"
+            # SAML_IDENTITY_PROVIDERS: "[]"
+            # WireGuard
+            WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}"
+            WIREGUARD_IPV4_ENABLED: true
+            WIREGUARD_IPV6_ENABLED: false
+            # Outbound Emails
+            OUTBOUND_EMAIL_FROM: ""
+            OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
+            # OUTBOUND_EMAIL_ADAPTER_OPTS: "{}"
+            # Connectivity Checks
+            CONNECTIVITY_CHECKS_ENABLED: true
+            CONNECTIVITY_CHECKS_INTERVAL: 43200
+            # Telemetry
+            TELEMETRY_ENABLED: false
+
+service:
+  main:
+    ports:
+      main:
+        protocol: http
+        port: 13000
+  wireguard:
+    ports:
+      wireguard:
+        protocol: udp
+        port: 51820
+
+persistence:
+  config:
+    enabled: true
+    mountPath: "/var/firezone"
+
+cnpg:
+  main:
+    enabled: true
+    user: firezone
+    database: firezone
+
+portal:
+  open:
+    enabled: true

charts/incubator/frigate/Chart.yaml

@@ -23,7 +23,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/incubator/frigate
   - https://github.com/blakeblackshear/frigate
 type: application
-version: 9.0.2
+version: 9.0.3
 annotations:
   truecharts.org/catagories: |
     - nvr

charts/incubator/frigate/questions.yaml

@@ -29,7 +29,6 @@ questions:
                             schema:
                               type: int
                               default: 10500
-                              editable: true
                               required: true
         - variable: rtmp
           label: RTMP Service
@@ -52,7 +51,63 @@ questions:
                             schema:
                               type: int
                               default: 1935
-                              editable: true
+                              required: true
+        - variable: rtsp
+          label: RTSP Service
+          description: The service on which nodes connect to.
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{serviceSelectorLoadBalancer}
+# Include{serviceSelectorExtras}
+                    - variable: rtsp
+                      label: RTSP Service Port Configuration
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: port
+                            label: Port
+                            description: This port exposes the container port on the service
+                            schema:
+                              type: int
+                              default: 8554
+                              required: true
+        - variable: webrtc
+          label: WebRTC Service
+          description: The service on which nodes connect to.
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+# Include{serviceSelectorLoadBalancer}
+# Include{serviceSelectorExtras}
+                    - variable: webrtc-tcp
+                      label: WebRTC (TCP) Service Port Configuration
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: port
+                            label: Port
+                            description: This port exposes the container port on the service
+                            schema:
+                              type: int
+                              default: 8555
+                              required: true
+                    - variable: webrtc-udp
+                      label: WebRTC (UDP) Service Port Configuration
+                      schema:
+                        additional_attrs: true
+                        type: dict
+                        attrs:
+                          - variable: port
+                            label: Port
+                            description: This port exposes the container port on the service
+                            schema:
+                              type: int
+                              default: 8555
                               required: true
 # Include{serviceExpertRoot}
 # Include{serviceExpert}

charts/incubator/frigate/values.yaml

@@ -44,10 +44,6 @@ securityContext:
     runAsUser: 0
     runAsGroup: 0
 
-ingress:
-  rtmp:
-    autoLink: true
-
 service:
   main:
     ports:
@@ -62,6 +58,25 @@ service:
         enabled: true
         port: 1935
         targetPort: 1935
+  rtsp:
+    enabled: true
+    ports:
+      rtsp:
+        enabled: true
+        port: 8554
+        targetPort: 8554
+  webrtc:
+    enabled: true
+    ports:
+      webrtc-tcp:
+        enabled: true
+        port: 8555
+        targetPort: 8555
+      webrtc-udp:
+        enabled: true
+        port: 8555
+        protocol: udp
+        targetPort: 8555
 
 persistence:
   media:

charts/stable/adguard-home/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "0.107.31"
+appVersion: "0.107.32"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -18,7 +18,7 @@ maintainers:
 name: adguard-home
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/adguard-home
-version: 5.0.25
+version: 5.0.26
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/adguard-home/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/adguard-home
-  tag: v0.107.31@sha256:2ae07fbded3b2ef4a895740e4b1ec452c29cc22bfb73102bf0918273f417ba5f
+  tag: v0.107.32@sha256:4ff1081f57fb105939e215bf8d5730cc637087b67b73e5b0ed9fac8b64073427
   pullPolicy: IfNotPresent
 
 securityContext:

charts/stable/adminer/Chart.yaml

@@ -26,4 +26,4 @@ sources:
   - https://github.com/vrana/adminer
   - http://hub.docker.com/_/adminer/
 type: application
-version: 4.0.26
+version: 4.0.27

charts/stable/adminer/values.yaml

@@ -1,7 +1,7 @@
 image:
   pullPolicy: IfNotPresent
   repository: tccr.io/truecharts/adminer
-  tag: latest@sha256:f3537ed516235c6ddee08ee60f7dd0fde7324d7a71f09071a1358b3020e4ffc5
+  tag: latest@sha256:df93d7ae1e57c4201491961d9f2b23ccafa7a2cb0706dc50c124ade3ab65ece1
 
 securityContext:
   container:

charts/stable/audiobookshelf/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "2.2.22"
+appVersion: "2.2.23"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -18,7 +18,7 @@ name: audiobookshelf
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/audiobookshelf
   - https://github.com/advplyr/audiobookshelf
-version: 5.0.24
+version: 5.0.25
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/audiobookshelf/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/audiobookshelf
-  tag: v2.2.22@sha256:06e77866defc8589911a3983a196aef75e7b3b0bd1032745e2e2f00425aa61a0
+  tag: v2.2.23@sha256:1f967c966a2a6c884b14df981f043244c90142e52fb08749b4713dc4a2a31f0b
   pullPolicy: IfNotPresent
 
 securityContext:

charts/stable/babybuddy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 appVersion: "1.16.0"
 kubeVersion: ">=1.16.0-0"
-version: 12.0.25
+version: 12.0.26
 name: babybuddy
 description: Helps caregivers track sleep, feedings, diaper changes, tummy time and more to learn about and predict baby's needs without (as much) guess work.
 type: application

charts/stable/babybuddy/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/babybuddy
   pullPolicy: IfNotPresent
-  tag: v1.16.0@sha256:e17109eaaf6e35ec34c63116c7783a9fb43d48162ec4dd128c85f4b0f4475172
+  tag: v1.16.0@sha256:64757d4745c9be045d09b3ebf3bdb95ada3168e2ace44666d3493d2f21223ebd
 
 securityContext:
   container:

charts/stable/beets/Chart.yaml

@@ -24,7 +24,7 @@ sources:
   - https://github.com/linuxserver/docker-beets
   - https://beets.io/
 type: application
-version: 7.0.27
+version: 7.0.28
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/beets/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/beets
   pullPolicy: IfNotPresent
-  tag: v1.6.0@sha256:e8dbd7123cd3e1c40fdff6cefa5c7f5bbe4de4e41d3621ef9801bbddfddfa9a1
+  tag: v1.6.0@sha256:9e7f179ff0b36910b7e8389967be7362e48bcb760ad81f16d721a9703b0063f8
 
 securityContext:
   container:

charts/stable/boinc/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: boinc
-version: 5.0.25
+version: 5.0.26
 appVersion: "latest"
 description: BOINC is a platform for high-throughput computing on a large scale (thousands or millions of computers).
 type: application

charts/stable/boinc/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/boinc
   pullPolicy: IfNotPresent
-  tag: latest@sha256:1f649a21cf3cb1715886c18fd857b15b1c3d974d0a20ba6cdcca015cef641a68
+  tag: latest@sha256:4266a1089b9f2dec6e38b11429411ec30dcc8e66da84a6410e6b9bb7652b0d24
 
 securityContext:
   container:

charts/stable/budge/Chart.yaml

@@ -20,7 +20,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/budge
   - https://github.com/linuxserver/budge
   - https://github.com/linuxserver/docker-BudgE
-version: 5.0.25
+version: 5.0.26
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/budge/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/budge
-  tag: v0.0.9@sha256:52d6a93c8586f892a6931d6157f7a2a0e3b6787c6b50f6fe06bc10b69791d5ea
+  tag: v0.0.9@sha256:4a7782dc9dddc94979234988d7d1dce9c4eb99c48b2a78c515ea595cfc390ca7
   pullPolicy: IfNotPresent
 
 securityContext:

charts/stable/calibre/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "6.20.0"
+appVersion: "6.21.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -18,7 +18,7 @@ name: calibre
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/calibre
   - https://github.com/kovidgoyal/calibre/
-version: 10.0.24
+version: 10.0.25
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/calibre/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/calibre
-  tag: v6.20.0@sha256:f74763fad58b39b02631970ec7b30c22fdde0c50f23f99014a479f345173b977
+  tag: v6.21.0@sha256:5c9ffb06f9ef18662694994e066cacfece1ce80a93ae54e5b7e5671278bb4849
   pullPolicy: IfNotPresent
 
 securityContext:

charts/stable/clamav/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: "1.0.1"
+appVersion: "1.1.0"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
-    version: 12.14.2
+    version: 12.14.3
 description: ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
 home: https://truecharts.org/charts/stable/clamav
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/clamav.png
@@ -21,7 +21,7 @@ sources:
   - https://github.com/Cisco-Talos/clamav
   - https://docs.clamav.net/
 type: application
-version: 6.0.14
+version: 6.0.16
 annotations:
   truecharts.org/catagories: |
     - utilities

charts/stable/clamav/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/clamav
   pullPolicy: IfNotPresent
-  tag: 1.0.1@sha256:902f3fc1ba85ab319a8d009d4c350eb5ec73e6a5a7483df8a8ad24b525be97ee
+  tag: v1.1.0@sha256:ab196d867fcfddedc8dc965d67a2e6824ca65488cf616cc707e9c36efd54e086
 
 securityContext:
   container:

charts/stable/czkawka/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "23.06.1"
+appVersion: "23.06.2"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -23,7 +23,7 @@ sources:
   - https://github.com/jlesage/docker-czkawka
   - https://github.com/qarmin/czkawka
 type: application
-version: 4.0.26
+version: 4.0.27
 annotations:
   truecharts.org/catagories: |
     - duplicates

charts/stable/czkawka/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/czkawka
   pullPolicy: IfNotPresent
-  tag: v23.06.1@sha256:71cdaee1fdca8e1c8efd647c10c1cec9e4b1d6deef6c40a9b32f294b90e7f27f
+  tag: v23.06.2@sha256:f00cb5cd9ff825d76591619eb01e3f1dd0a94b77720d58efefdea5f9b328b9d2
 
 securityContext:
   container:

charts/stable/ddns-go/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: ddns-go
-version: 5.0.24
-appVersion: "5.2.2"
+version: 5.0.25
+appVersion: "5.3.5"
 description: Automatically obtain your public network IPv4 or IPv6 address and resolve it to the corresponding domain name service
 type: application
 deprecated: false

charts/stable/ddns-go/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/ddns-go
   pullPolicy: IfNotPresent
-  tag: v5.2.2@sha256:a4948be84d7cc270c9fc84909caae19874936a05e87273b5e6ab0ec8114fb2b4
+  tag: v5.3.5@sha256:fd730372825783bb371fbccfa31031cc24519e81c4bf35c993d9e0d7c001e08a
 
 securityContext:
   container:

charts/stable/dillinger/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: dillinger
-version: 5.0.26
+version: 5.0.27
 appVersion: "3.39.1"
 description: Dillinger is a cloud-enabled, mobile-ready, offline-storage, AngularJS powered HTML5 Markdown editor.
 type: application

charts/stable/dillinger/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/dillinger
   pullPolicy: IfNotPresent
-  tag: v3.39.1@sha256:6f5f818054f3d9f7195b878bc34ceac67e92a41a39b964c938d175216cb66bed
+  tag: v3.39.1@sha256:4a260f03cc7d6127dac9698b911188fd7fd0707b7e275f3475e6ed287fcac4a7
 
 securityContext:
   container:

charts/stable/embystat/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: embystat
-version: 5.0.26
+version: 5.0.27
 appVersion: "0.2.0"
 description: Embystat is a personal web server that can calculate all kinds of statistics from your (local) Emby server.
 type: application

charts/stable/embystat/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/embystat
   pullPolicy: IfNotPresent
-  tag: v0.2.0@sha256:16da8e5afc3f83e7adf9b3734adb8abe54537bc4c417f49b510d797fa1431ffe
+  tag: v0.2.0@sha256:d7ce5a5f7f22bd714e58e4b7bc3afe611c47a5cc57d2eac153ec53de45917e4c
 
 securityContext:
   container:

charts/stable/external-service/questions.yaml

@@ -90,8 +90,9 @@ questions:
                   show_subquestions_if: true
                   subquestions:
                     - variable: annotations
-                      label: "annoations"
+                      label: "annotations"
                       schema:
+                        additional_attrs: true
                         type: dict
                         hidden: true
                         attrs:

charts/stable/fileflows/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "23.06.1"
+appVersion: "23.06.3"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -18,7 +18,7 @@ name: fileflows
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/fileflows
   - https://github.com/revenz/FileFlows
-version: 5.0.25
+version: 5.0.26
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/fileflows/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: tccr.io/truecharts/fileflows
-  tag: v23.06.1@sha256:60accea0610336afe5e72f6657b5feea507177a32f29e30313f707850bc79074
+  tag: v23.06.3@sha256:b6369e2d486b196f0dcbadb2d92df6d10d5f901061427f7894979953ac83e228
   pullPolicy: IfNotPresent
 
 securityContext:

charts/stable/fireflyiii/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "6.0.11"
+appVersion: "6.0.13"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -25,7 +25,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/fireflyiii
   - https://github.com/firefly-iii/firefly-iii/
 type: application
-version: 20.0.26
+version: 20.0.27
 annotations:
   truecharts.org/catagories: |
     - finacial

charts/stable/fireflyiii/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/fireflyiii-core
   pullPolicy: IfNotPresent
-  tag: v6.0.11@sha256:3f4458c9cdae0b7fab96911ffe7cb938f33f01321120e15f13d9b31ebfb67551
+  tag: v6.0.13@sha256:6590e8b1f3ca40f8c577b9a38ed648eb6af096e58c2730ebb071b458bbb76398
 
 securityContext:
   container:

charts/stable/flaresolverr/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "3.2.0"
+appVersion: "3.2.1"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -19,7 +19,7 @@ name: flaresolverr
 sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/flaresolverr
   - https://github.com/FlareSolverr/FlareSolverr
-version: 9.0.23
+version: 9.0.24
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/flaresolverr/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/flaresolverr
   pullPolicy: IfNotPresent
-  tag: v3.2.0@sha256:c04f724800c4d6c87e459b47a9cb2753be09dda1db174f8c3994c663c618f0a4
+  tag: v3.2.1@sha256:6c38830efb22b3807e4503736642a91edd5c6c7f6f64265176e51d8c28a20b9b
 
 securityContext:
   container:

charts/stable/flexget/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "3.7.4"
+appVersion: "3.7.5"
 dependencies:
   - name: common
     repository: https://library-charts.truecharts.org
@@ -21,7 +21,7 @@ sources:
   - https://github.com/truecharts/charts/tree/master/charts/stable/flexget
   - https://github.com/wiserain/docker-flexget
 type: application
-version: 5.0.28
+version: 5.0.29
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/flexget/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/flexget
   pullPolicy: IfNotPresent
-  tag: v3.7.4@sha256:bbc5368254671c4f567b9d966c94526a057ce08af8ee6bc402cd9272a2984459
+  tag: v3.7.5@sha256:5f814c85237aa2fe0fc27472f52fb5888ef74a4469490c1ed3189728822895a0
 
 securityContext:
   container:

charts/stable/foldingathome/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: foldingathome
-version: 5.0.26
+version: 5.0.27
 appVersion: "7.6.21"
 description: Folding@home is a distributed computing project for simulating protein dynamics, including the process of protein folding and the movements of proteins implicated in a variety of diseases.
 type: application

charts/stable/foldingathome/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/foldingathome
   pullPolicy: IfNotPresent
-  tag: v7.6.21@sha256:c1e703059283bfe4362139bb2596d075de6f423be5c4b18fa30703d416fec65a
+  tag: v7.6.21@sha256:494b30cc431c07e78f4c62f8f97409233c40d820be4b615fd4a93670c156736a
 
 securityContext:
   container:

charts/stable/grav/Chart.yaml

@@ -23,7 +23,7 @@ sources:
   - https://github.com/linuxserver/docker-grav
   - https://github.com/getgrav/grav/
 type: application
-version: 7.0.25
+version: 7.0.26
 annotations:
   truecharts.org/catagories: |
     - media

charts/stable/grav/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: tccr.io/truecharts/grav
   pullPolicy: IfNotPresent
-  tag: v1.7.41@sha256:ed46cec668cd7a8e32748c012ffacc050b0ef73fda54aa4ff51b1e1846147750
+  tag: v1.7.41@sha256:c0c883af77d8f3d5bebeb008ec2b652b7ec4897cf2678121c49dc59cda624e23
 service:
   main:
     ports:

charts/stable/hedgedoc/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: hedgedoc
-version: 8.0.24
+version: 8.0.25
 appVersion: "1.9.8"
 description: HedgeDoc lets you create real-time collaborative markdown notes.
 type: application