291 lines
7.0 KiB
YAML
291 lines
7.0 KiB
YAML
|
image:
|
||
|
repository: tccr.io/truecharts/authentik
|
||
|
tag: 2023.4.1@sha256:7d60414d9d5f2395b703228193e8b03c616d7fed6c3cee620940845dd0b725cb
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
geoipImage:
|
||
|
repository: tccr.io/truecharts/geoipupdate
|
||
|
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
ldapImage:
|
||
|
repository: tccr.io/truecharts/authentik-ldap
|
||
|
tag: 2023.4.1@sha256:f737b534c6f3a022b002bb5d635ef491273fd40f8c0b6dd64efa7f5f6265d8cf
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
proxyImage:
|
||
|
repository: tccr.io/truecharts/authentik-proxy
|
||
|
tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
securityContext:
|
||
|
container:
|
||
|
runAsUser: 1000
|
||
|
runAsGroup: 1000
|
||
|
readOnlyRootFilesystem: false
|
||
|
|
||
|
workload:
|
||
|
main:
|
||
|
replicas: 1
|
||
|
strategy: RollingUpdate
|
||
|
podSpec:
|
||
|
containers:
|
||
|
main:
|
||
|
args: ["server"]
|
||
|
envFrom:
|
||
|
- secretRef:
|
||
|
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
|
||
|
- configMapRef:
|
||
|
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
|
||
|
- configMapRef:
|
||
|
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
|
||
|
probes:
|
||
|
liveness:
|
||
|
type: https
|
||
|
path: /-/health/live/
|
||
|
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||
|
readiness:
|
||
|
type: https
|
||
|
path: /-/health/ready/
|
||
|
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||
|
startup:
|
||
|
type: https
|
||
|
path: /-/health/ready/
|
||
|
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||
|
|
||
|
service:
|
||
|
main:
|
||
|
ports:
|
||
|
main:
|
||
|
protocol: https
|
||
|
port: 10229
|
||
|
targetPort: 9443
|
||
|
http:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
ports:
|
||
|
http:
|
||
|
enabled: true
|
||
|
protocol: http
|
||
|
port: 10230
|
||
|
targetPort: 9000
|
||
|
# LDAP Outpost Services
|
||
|
ldapldaps:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
ldapldaps:
|
||
|
enabled: true
|
||
|
port: 636
|
||
|
targetPort: 6636
|
||
|
ldapldap:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
ldapldap:
|
||
|
enabled: true
|
||
|
port: 389
|
||
|
targetPort: 3389
|
||
|
# Proxy Outpost Services
|
||
|
proxyhttps:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
proxyhttps:
|
||
|
enabled: true
|
||
|
port: 10233
|
||
|
protocol: https
|
||
|
targetPort: 9444
|
||
|
proxyhttp:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
ports:
|
||
|
proxyhttp:
|
||
|
enabled: true
|
||
|
port: 10234
|
||
|
protocol: http
|
||
|
targetPort: 9001
|
||
|
# Metrics Services
|
||
|
metrics:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
ports:
|
||
|
metrics:
|
||
|
enabled: true
|
||
|
protocol: http
|
||
|
port: 10231
|
||
|
targetPort: 9301
|
||
|
ldapmetrics:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
ports:
|
||
|
ldapmetrics:
|
||
|
enabled: true
|
||
|
port: 10232
|
||
|
protocol: http
|
||
|
targetPort: 9302
|
||
|
proxymetrics:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
ports:
|
||
|
proxymetrics:
|
||
|
enabled: true
|
||
|
port: 10235
|
||
|
protocol: http
|
||
|
targetPort: 9303
|
||
|
|
||
|
metrics:
|
||
|
# TODO
|
||
|
main:
|
||
|
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||
|
# @default -- See values.yaml
|
||
|
enabled: false
|
||
|
type: "servicemonitor"
|
||
|
endpoints:
|
||
|
- port: main
|
||
|
path: /metrics
|
||
|
interval: 1m
|
||
|
scrapeTimeout: 30s
|
||
|
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||
|
# @default -- See values.yaml
|
||
|
prometheusRule:
|
||
|
enabled: false
|
||
|
labels: {}
|
||
|
# -- Configure additionial rules for the chart under this key.
|
||
|
# @default -- See prometheusrules.yaml
|
||
|
rules:
|
||
|
[]
|
||
|
# - alert: UnifiPollerAbsent
|
||
|
# annotations:
|
||
|
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||
|
# summary: Unifi Poller is down.
|
||
|
# expr: |
|
||
|
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||
|
# for: 5m
|
||
|
# labels:
|
||
|
# severity: critical
|
||
|
|
||
|
ingress:
|
||
|
proxyhttps:
|
||
|
autoLink: true
|
||
|
|
||
|
# Target selectors taken from authentik's compose file:
|
||
|
# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
|
||
|
persistence:
|
||
|
media:
|
||
|
enabled: true
|
||
|
mountPath: "/media"
|
||
|
targetSelector:
|
||
|
main:
|
||
|
main: {}
|
||
|
worker: {}
|
||
|
templates:
|
||
|
enabled: true
|
||
|
mountPath: "/templates"
|
||
|
targetSelector:
|
||
|
main:
|
||
|
main: {}
|
||
|
worker: {}
|
||
|
certs:
|
||
|
enabled: true
|
||
|
mountPath: "/certs"
|
||
|
targetSelector:
|
||
|
main:
|
||
|
worker: {}
|
||
|
geoip:
|
||
|
enabled: true
|
||
|
mountPath: "/usr/share/GeoIP"
|
||
|
targetSelector:
|
||
|
main:
|
||
|
geoip: {}
|
||
|
|
||
|
cnpg:
|
||
|
main:
|
||
|
enabled: true
|
||
|
user: authentik
|
||
|
database: authentik
|
||
|
|
||
|
cnpgProvider:
|
||
|
port: 5432
|
||
|
|
||
|
# Enabled redis
|
||
|
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
|
||
|
redis:
|
||
|
enabled: true
|
||
|
|
||
|
redisProvider:
|
||
|
port: 6379
|
||
|
|
||
|
workerContainer:
|
||
|
enabled: true
|
||
|
|
||
|
authentik:
|
||
|
credentials:
|
||
|
password: "supersecret"
|
||
|
general:
|
||
|
disable_update_check: false
|
||
|
disable_startup_analytics: true
|
||
|
allow_user_name_change: true
|
||
|
allow_user_mail_change: true
|
||
|
allow_user_username_change: true
|
||
|
gdpr_compliance: true
|
||
|
impersonation: true
|
||
|
avatars: "gravatar,initials"
|
||
|
token_length: 128
|
||
|
# Use single quotes for footer_links
|
||
|
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
|
||
|
mail:
|
||
|
host: ""
|
||
|
port: 25
|
||
|
tls: false
|
||
|
ssl: false
|
||
|
timeout: 10
|
||
|
user: ""
|
||
|
pass: ""
|
||
|
from: ""
|
||
|
error_reporting:
|
||
|
enabled: false
|
||
|
send_pii: false
|
||
|
environment: "customer"
|
||
|
logging:
|
||
|
log_level: "info"
|
||
|
ldap:
|
||
|
tls_ciphers: "null"
|
||
|
|
||
|
geoip:
|
||
|
enabled: false
|
||
|
account_id: ""
|
||
|
license_key: ""
|
||
|
proxy: ""
|
||
|
proxy_user_pass: ""
|
||
|
edition_ids: "GeoLite2-City"
|
||
|
frequency: 8
|
||
|
host_server: "updates.maxmind.com"
|
||
|
preserve_file_times: false
|
||
|
verbose: false
|
||
|
|
||
|
outposts:
|
||
|
ldap:
|
||
|
# -- First you have to create an Outpost in the GUI. Applications > Outposts
|
||
|
enabled: false
|
||
|
# -- Host Browser by default is set to the first ingress host you set
|
||
|
# host_browser: ""
|
||
|
# -- Host should not need to be overridden. Defaults to https://localhost:9443
|
||
|
# host: ""
|
||
|
# -- As we use https://localhost:9443 it's an unsecure connection
|
||
|
# insecure: false
|
||
|
# -- Token is only needed if you accidentally deleted the token within the UI
|
||
|
# token: ""
|
||
|
proxy:
|
||
|
# -- First you have to create an Outpost in the GUI. Applications > Outposts
|
||
|
enabled: false
|
||
|
# -- Host Browser by default is set to the first ingress host you set
|
||
|
# host_browser: ""
|
||
|
# -- As we use https://localhost:9443 it's an unsecure connection
|
||
|
# insecure: false
|
||
|
# -- Host should not need to be overridden. Defaults to https://localhost:9443
|
||
|
# host: ""
|
||
|
# -- Token is only needed if you accidentally deleted the token within the UI
|
||
|
# token: ""
|
||
|
|
||
|
portal:
|
||
|
open:
|
||
|
enabled: true
|