Commit new Chart releases for TrueCharts

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
This commit is contained in:
TrueCharts-Bot 2023-02-14 17:16:41 +00:00
parent ec52385728
commit aaadfa6b8d
20 changed files with 3925 additions and 0 deletions

View File

@ -0,0 +1,99 @@
**Important:**
*for the complete changelog, please refer to the website*
## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14)
### Chore
- update authentik to v2023.2.0
## [authentik-10.0.39](https://github.com/truecharts/charts/compare/authentik-10.0.38...authentik-10.0.39) (2023-02-14)
### Chore
- update container image tccr.io/truecharts/authentik-proxy to v2023.2.0
## [authentik-10.0.38](https://github.com/truecharts/charts/compare/authentik-10.0.37...authentik-10.0.38) (2023-02-10)
### Fix
- ensure new helm deps repo is used in latest releases as well.
## [authentik-10.0.37](https://github.com/truecharts/charts/compare/authentik-10.0.36...authentik-10.0.37) (2023-01-31)
### Chore
- update container image tccr.io/truecharts/authentik to v2023.1.2
## [authentik-10.0.36](https://github.com/truecharts/charts/compare/authentik-10.0.35...authentik-10.0.36) (2023-01-30)
### Chore
- update authentik to v2023.1.2
## [authentik-10.0.35](https://github.com/truecharts/charts/compare/authentik-10.0.34...authentik-10.0.35) (2023-01-24)
### Chore
- update helm general non-major ([#6689](https://github.com/truecharts/charts/issues/6689))
## [authentik-10.0.34](https://github.com/truecharts/charts/compare/authentik-10.0.33...authentik-10.0.34) (2023-01-23)
### Chore
- update helm general non-major
## [authentik-10.0.33](https://github.com/truecharts/charts/compare/authentik-10.0.32...authentik-10.0.33) (2023-01-19)
### Chore
- update authentik to v2023.1.0
## [authentik-10.0.32](https://github.com/truecharts/charts/compare/authentik-10.0.31...authentik-10.0.32) (2023-01-17)
### Chore
- update helm general non-major ([#6430](https://github.com/truecharts/charts/issues/6430))
## [authentik-10.0.31](https://github.com/truecharts/charts/compare/authentik-10.0.30...authentik-10.0.31) (2023-01-10)
### Chore
- update container image tccr.io/truecharts/authentik to v2022.12.2
## [authentik-10.0.30](https://github.com/truecharts/charts/compare/authentik-10.0.29...authentik-10.0.30) (2023-01-07)
### Chore

View File

@ -0,0 +1,36 @@
apiVersion: v2
appVersion: "2023.2.0"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.1.2
- condition: postgresql.enabled
name: postgresql
repository: https://deps.truecharts.org/
version: 11.0.22
- condition: redis.enabled
name: redis
repository: https://deps.truecharts.org
version: 5.0.29
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
home: https://truecharts.org/charts/stable/authentik
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
keywords:
- authentik
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: authentik
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/authentik
- https://ghcr.io/goauthentik/server
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 10.0.40
annotations:
truecharts.org/catagories: |
- authentication
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U

View File

@ -0,0 +1,27 @@
# README
## General Info
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
However only installations using the TrueNAS SCALE Apps system are supported.
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
*All Rights Reserved - The TrueCharts Project*

View File

@ -0,0 +1,9 @@
## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14)
### Chore
- update authentik to v2023.2.0

View File

@ -0,0 +1,8 @@
authentik is an open-source Identity Provider focused on flexibility and versatility.
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/stable/authentik](https://truecharts.org/charts/stable/authentik)
---
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,258 @@
image:
repository: tccr.io/truecharts/authentik
tag: 2023.2.0@sha256:a3c00955f0a47a325a963a1d98af2784083f03896c09ffd87cd4ba1182b1d716
pullPolicy: IfNotPresent
geoipImage:
repository: tccr.io/truecharts/geoipupdate
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
repository: tccr.io/truecharts/authentik-ldap
tag: 2023.2.0@sha256:479868391c91c868d811c42b2ca21d4d4c852a4422e771663c96e038b9b290d3
pullPolicy: IfNotPresent
proxyImage:
repository: tccr.io/truecharts/authentik-proxy
tag: 2023.2.0@sha256:bf5285469fb5acf0166f88332ed22fe11a20ce2e2321b7bf02b83ef186b2e0d3
pullPolicy: IfNotPresent
args: ["server"]
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
securityContext:
readOnlyRootFilesystem: false
workerContainer:
enabled: true
authentik:
credentials:
password: "supersecret"
general:
disable_update_check: false
disable_startup_analytics: true
allow_user_name_change: true
allow_user_mail_change: true
allow_user_username_change: true
gdpr_compliance: true
impersonation: true
avatars: "gravatar"
token_length: 128
# Use single quotes for footer_links
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
mail:
host: ""
port: 25
tls: false
ssl: false
timeout: 10
user: ""
pass: ""
from: ""
error_reporting:
enabled: false
send_pii: false
environment: "customer"
logging:
log_level: "info"
ldap:
tls_ciphers: "null"
geoip:
enabled: false
account_id: ""
license_key: ""
proxy: ""
proxy_user_pass: ""
edition_ids: "GeoLite2-City"
frequency: 8
host_server: "updates.maxmind.com"
preserve_file_times: false
verbose: false
outposts:
ldap:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
proxy:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
metrics:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
serviceMonitor:
interval: 1m
scrapeTimeout: 30s
labels: {}
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
useDefault: true
labels: {}
# -- Configure additional rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: HTTPS
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: HTTPS
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: HTTP
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: HTTPS
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: HTTP
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: HTTP
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: HTTP
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: HTTP
targetPort: 9303
ingress:
proxyhttps:
autoLink: true
persistence:
media:
enabled: true
mountPath: "/media"
templates:
enabled: true
mountPath: "/templates"
certs:
enabled: true
mountPath: "/certs"
geoip:
enabled: true
mountPath: "/geoip"
postgresql:
enabled: true
existingSecret: "dbcreds"
postgresqlUsername: authentik
postgresqlDatabase: authentik
redis:
enabled: true
existingSecret: "rediscreds"
portal:
enabled: true

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,143 @@
{{/* Define the configmap */}}
{{- define "authentik.config" -}}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
{{- if .Values.ingress.main.enabled }}
{{ $first := (first .Values.ingress.main.hosts) }}
{{- if $first }}
{{ $host = printf "https://%s" $first.host }}
{{- end }}
{{- end }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerWorkerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
AUTHENTIK_REDIS__PORT: "6379"
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
AUTHENTIK_POSTGRESQL__PORT: "5432"
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $proxyConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $geoipConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{- end -}}

View File

@ -0,0 +1,20 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip" -}}
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
runAsNonRoot: false
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
{{- end -}}

View File

@ -0,0 +1,48 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
ports:
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
name: ldapldaps
- containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
name: ldapldap
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
name: ldapmetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

View File

@ -0,0 +1,48 @@
{{/* Define the proxy container */}}
{{- define "authentik.proxy" -}}
image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
ports:
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
name: proxyhttps
- containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
name: proxyhttp
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
name: proxymetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

View File

@ -0,0 +1,106 @@
{{/* Define the secret */}}
{{- define "authentik.secret" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
{{- $token := randAlphaNum 128 | b64enc }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $authentikSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
{{- if .Values.geoip.enabled }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $geoipSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $proxySecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,52 @@
{{/* Define the worker container */}}
{{- define "authentik.worker" -}}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
readinessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: 10
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

View File

@ -0,0 +1,45 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render secret */}}
{{- include "authentik.secret" . }}
{{/* Render config */}}
{{- include "authentik.config" . }}
{{- if hasKey .Values "metrics" -}}
{{- if .Values.metrics.enabled -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
{{- end -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{- if .Values.outposts.proxy.enabled -}}
{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}

View File

@ -0,0 +1,160 @@
{{- if hasKey .Values "metrics" }}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "tc.common.names.fullname" . }}
rules:
{{- with .Values.metrics.prometheusRule.rules }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.useDefault }}
- name: authentik Aggregate request counters
rules:
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
- record: job:django_http_ajax_requests_total:sum_rate30s
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
- record: job:django_http_requests_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
- record: job:django_http_responses_streaming_total:sum_rate30s
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
- record: job:django_http_responses_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
- record: job:django_http_requests_total:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
- record: job:django_http_requests_total_by_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
- record: job:django_http_requests_total_by_transport:sum_rate30s
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
- record: job:django_http_requests_total_by_view:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
- record: job:django_http_responses_total_by_templatename:sum_rate30s
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
- record: job:django_http_responses_total_by_status:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
- record: job:django_http_responses_total_by_charset:sum_rate30s
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
- record: job:django_http_exceptions_total_by_type:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
- record: job:django_http_exceptions_total_by_view:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
- name: authentik Aggregate latency histograms
rules:
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- name: authentik Aggregate model operations
rules:
- record: job:django_model_inserts_total:sum_rate1m
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
- record: job:django_model_updates_total:sum_rate1m
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
- record: job:django_model_deletes_total:sum_rate1m
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
- name: authentik Aggregate database operations
rules:
- record: job:django_db_new_connections_total:sum_rate30s
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
- record: job:django_db_new_connection_errors_total:sum_rate30s
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
- record: job:django_db_execute_total:sum_rate30s
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
- record: job:django_db_execute_many_total:sum_rate30s
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
- record: job:django_db_errors_total:sum_rate30s
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
- name: authentik Aggregate migrations
rules:
- record: job:django_migrations_applied_total:max
expr: max(django_migrations_applied_total) by (job, connection)
- record: job:django_migrations_unapplied_total:max
expr: max(django_migrations_unapplied_total) by (job, connection)
- name: authentik Alerts
rules:
- alert: NoWorkersConnected
expr: max without (pid) (authentik_admin_workers) < 1
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
summary: No workers connected
for: 10m
labels:
severity: critical
- alert: PendingMigrations
expr: max without (pid) (django_migrations_unapplied_total) > 0
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
summary: Pending database migrations
for: 10m
labels:
severity: critical
- alert: FailedSystemTasks
expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
annotations:
message: |
System task {{ printf "{{ $labels.task_name }}" }} has failed
summary: Failed system tasks
for: 2h
labels:
severity: critical
- alert: DisconnectedOutposts
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
annotations:
message: |
Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
summary: Disconnected outpost
for: 30m
labels:
severity: critical
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,44 @@
{{- if hasKey .Values "metrics" }}
{{- if .Values.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
endpoints:
- port: metrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: ldapmetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: proxymetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- end }}
{{- end }}

View File