diff --git a/stable/authentik/10.0.40/CHANGELOG.md b/stable/authentik/10.0.40/CHANGELOG.md new file mode 100644 index 00000000000..95fddd7fc76 --- /dev/null +++ b/stable/authentik/10.0.40/CHANGELOG.md 
@@ -0,0 +1,99 @@ +**Important:** +*for the complete changelog, please refer to the website* + + + + +## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14) + +### Chore + +- update authentik to v2023.2.0 + + + + +## [authentik-10.0.39](https://github.com/truecharts/charts/compare/authentik-10.0.38...authentik-10.0.39) (2023-02-14) + +### Chore + +- update container image tccr.io/truecharts/authentik-proxy to v2023.2.0 + + + + +## [authentik-10.0.38](https://github.com/truecharts/charts/compare/authentik-10.0.37...authentik-10.0.38) (2023-02-10) + +### Fix + +- ensure new helm deps repo is used in latest releases as well. + + + + +## [authentik-10.0.37](https://github.com/truecharts/charts/compare/authentik-10.0.36...authentik-10.0.37) (2023-01-31) + +### Chore + +- update container image tccr.io/truecharts/authentik to v2023.1.2 + + + + +## [authentik-10.0.36](https://github.com/truecharts/charts/compare/authentik-10.0.35...authentik-10.0.36) (2023-01-30) + +### Chore + +- update authentik to v2023.1.2 + + + + +## [authentik-10.0.35](https://github.com/truecharts/charts/compare/authentik-10.0.34...authentik-10.0.35) (2023-01-24) + +### Chore + +- update helm general non-major ([#6689](https://github.com/truecharts/charts/issues/6689)) + + + + +## [authentik-10.0.34](https://github.com/truecharts/charts/compare/authentik-10.0.33...authentik-10.0.34) (2023-01-23) + +### Chore + +- update helm general non-major + + + + +## [authentik-10.0.33](https://github.com/truecharts/charts/compare/authentik-10.0.32...authentik-10.0.33) (2023-01-19) + +### Chore + +- update authentik to v2023.1.0 + + + + +## [authentik-10.0.32](https://github.com/truecharts/charts/compare/authentik-10.0.31...authentik-10.0.32) (2023-01-17) + +### Chore + +- update helm general non-major ([#6430](https://github.com/truecharts/charts/issues/6430)) + + + + +## 
[authentik-10.0.31](https://github.com/truecharts/charts/compare/authentik-10.0.30...authentik-10.0.31) (2023-01-10) + +### Chore + +- update container image tccr.io/truecharts/authentik to v2022.12.2 + + + + +## [authentik-10.0.30](https://github.com/truecharts/charts/compare/authentik-10.0.29...authentik-10.0.30) (2023-01-07) + +### Chore diff --git a/stable/authentik/10.0.40/Chart.yaml b/stable/authentik/10.0.40/Chart.yaml new file mode 100644 index 00000000000..b9403c9d7b0 --- /dev/null +++ b/stable/authentik/10.0.40/Chart.yaml @@ -0,0 +1,36 @@ +apiVersion: v2 +appVersion: "2023.2.0" +dependencies: + - name: common + repository: https://library-charts.truecharts.org + version: 11.1.2 + - condition: postgresql.enabled + name: postgresql + repository: https://deps.truecharts.org/ + version: 11.0.22 + - condition: redis.enabled + name: redis + repository: https://deps.truecharts.org + version: 5.0.29 +description: authentik is an open-source Identity Provider focused on flexibility and versatility. +home: https://truecharts.org/charts/stable/authentik +icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png +keywords: + - authentik +kubeVersion: ">=1.16.0-0" +maintainers: + - email: info@truecharts.org + name: TrueCharts + url: https://truecharts.org +name: authentik +sources: + - https://github.com/truecharts/charts/tree/master/charts/stable/authentik + - https://ghcr.io/goauthentik/server + - https://github.com/goauthentik/authentik + - https://goauthentik.io/docs/ +version: 10.0.40 +annotations: + truecharts.org/catagories: | + - authentication + truecharts.org/SCALE-support: "true" + truecharts.org/grade: U diff --git a/stable/authentik/10.0.40/README.md b/stable/authentik/10.0.40/README.md new file mode 100644 index 00000000000..701942c352f --- /dev/null +++ b/stable/authentik/10.0.40/README.md 
@@ -0,0 +1,27 @@ +# README + +## General Info + +TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE. +However only installations using the TrueNAS SCALE Apps system are supported. + +For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/) + +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)** + + +## Support + +- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ). +- See the [Website](https://truecharts.org) +- Check our [Discord](https://discord.gg/tVsPTHWTtr) +- Open a [issue](https://github.com/truecharts/charts/issues/new/choose) + +--- + +## Sponsor TrueCharts + +TrueCharts can only exist due to the incredible effort of our staff. +Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can! + +*All Rights Reserved - The TrueCharts Project* diff --git a/stable/authentik/10.0.40/app-changelog.md b/stable/authentik/10.0.40/app-changelog.md new file mode 100644 index 00000000000..e718cd1c88a --- /dev/null +++ b/stable/authentik/10.0.40/app-changelog.md @@ -0,0 +1,9 @@ + + +## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14) + +### Chore + +- update authentik to v2023.2.0 + + \ No newline at end of file diff --git a/stable/authentik/10.0.40/app-readme.md b/stable/authentik/10.0.40/app-readme.md new file mode 100644 index 00000000000..88750d8c3fc --- /dev/null +++ b/stable/authentik/10.0.40/app-readme.md 
@@ -0,0 +1,8 @@ +authentik is an open-source Identity Provider focused on flexibility and versatility. + +This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/stable/authentik](https://truecharts.org/charts/stable/authentik) + +--- + +TrueCharts can only exist due to the incredible effort of our staff. +Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can! diff --git a/stable/authentik/10.0.40/charts/common-11.1.2.tgz b/stable/authentik/10.0.40/charts/common-11.1.2.tgz new file mode 100644 index 00000000000..da62080e8a5 Binary files /dev/null and b/stable/authentik/10.0.40/charts/common-11.1.2.tgz differ diff --git a/stable/authentik/10.0.40/charts/postgresql-11.0.22.tgz b/stable/authentik/10.0.40/charts/postgresql-11.0.22.tgz new file mode 100644 index 00000000000..e8719337257 Binary files /dev/null and b/stable/authentik/10.0.40/charts/postgresql-11.0.22.tgz differ diff --git a/stable/authentik/10.0.40/charts/redis-5.0.29.tgz b/stable/authentik/10.0.40/charts/redis-5.0.29.tgz new file mode 100644 index 00000000000..ee3b38dee8e Binary files /dev/null and b/stable/authentik/10.0.40/charts/redis-5.0.29.tgz differ diff --git a/stable/authentik/10.0.40/ix_values.yaml b/stable/authentik/10.0.40/ix_values.yaml new file mode 100644 index 00000000000..c2213ae7d03 --- /dev/null +++ b/stable/authentik/10.0.40/ix_values.yaml 
@@ -0,0 +1,258 @@ +image: + repository: tccr.io/truecharts/authentik + tag: 2023.2.0@sha256:a3c00955f0a47a325a963a1d98af2784083f03896c09ffd87cd4ba1182b1d716 + pullPolicy: IfNotPresent + +geoipImage: + repository: tccr.io/truecharts/geoipupdate + tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce + pullPolicy: IfNotPresent + +ldapImage: + repository: tccr.io/truecharts/authentik-ldap + tag: 2023.2.0@sha256:479868391c91c868d811c42b2ca21d4d4c852a4422e771663c96e038b9b290d3 + pullPolicy: IfNotPresent + +proxyImage: + repository: tccr.io/truecharts/authentik-proxy + tag: 2023.2.0@sha256:bf5285469fb5acf0166f88332ed22fe11a20ce2e2321b7bf02b83ef186b2e0d3 + pullPolicy: IfNotPresent + +args: ["server"] + +podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + +securityContext: + readOnlyRootFilesystem: false + +workerContainer: + enabled: true + +authentik: + credentials: + password: "supersecret" + general: + disable_update_check: false + disable_startup_analytics: true + allow_user_name_change: true + allow_user_mail_change: true + allow_user_username_change: true + gdpr_compliance: true + impersonation: true + avatars: "gravatar" + token_length: 128 + # Use single quotes for footer_links + footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]' + mail: + host: "" + port: 25 + tls: false + ssl: false + timeout: 10 + user: "" + pass: "" + from: "" + error_reporting: + enabled: false + send_pii: false + environment: "customer" + logging: + log_level: "info" + ldap: + tls_ciphers: "null" +geoip: + enabled: false + account_id: "" + license_key: "" + proxy: "" + proxy_user_pass: "" + edition_ids: "GeoLite2-City" + frequency: 8 + host_server: "updates.maxmind.com" + preserve_file_times: false + verbose: false + +outposts: + ldap: + # -- First you have to create an Outpost in the GUI. 
Applications > Outposts + enabled: false + # -- Host Browser by default is set to the first ingress host you set + # host_browser: "" + # -- Host should not need to be overridden. Defaults to https://localhost:9443 + # host: "" + # -- As we use https://localhost:9443 it's an unsecure connection + # insecure: false + # -- Token is only needed if you accidentally deleted the token within the UI + # token: "" + proxy: + # -- First you have to create an Outpost in the GUI. Applications > Outposts + enabled: false + # -- Host Browser by default is set to the first ingress host you set + # host_browser: "" + # -- As we use https://localhost:9443 it's an unsecure connection + # insecure: false + # -- Host should not need to be overridden. Defaults to https://localhost:9443 + # host: "" + # -- Token is only needed if you accidentally deleted the token within the UI + # token: "" + +metrics: + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # @default -- See values.yaml + enabled: false + serviceMonitor: + interval: 1m + scrapeTimeout: 30s + labels: {} + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + useDefault: true + labels: {} + # -- Configure additional rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: + [] + # - alert: UnifiPollerAbsent + # annotations: + # description: Unifi Poller has disappeared from Prometheus service discovery. + # summary: Unifi Poller is down. + # expr: | + # absent(up{job=~".*unifi-poller.*"} == 1) + # for: 5m + # labels: + # severity: critical + +envFrom: + - secretRef: + name: '{{ include "tc.common.names.fullname" . }}-authentik-secret' + - configMapRef: + name: '{{ include "tc.common.names.fullname" . }}-authentik-config' + - configMapRef: + name: '{{ include "tc.common.names.fullname" . 
}}-authentik-server-config' + +probes: + liveness: + type: HTTPS + path: /-/health/live/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + readiness: + type: HTTPS + path: /-/health/ready/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + startup: + type: HTTPS + path: /-/health/ready/ + port: "{{ .Values.service.main.ports.main.targetPort }}" + +service: + main: + ports: + main: + protocol: HTTPS + port: 10229 + targetPort: 9443 + http: + enabled: true + type: ClusterIP + ports: + http: + enabled: true + protocol: HTTP + port: 10230 + targetPort: 9000 + # LDAP Outpost Services + ldapldaps: + enabled: true + ports: + ldapldaps: + enabled: true + port: 636 + targetPort: 6636 + ldapldap: + enabled: true + ports: + ldapldap: + enabled: true + port: 389 + targetPort: 3389 + # Proxy Outpost Services + proxyhttps: + enabled: true + ports: + proxyhttps: + enabled: true + port: 10233 + protocol: HTTPS + targetPort: 9444 + proxyhttp: + enabled: true + type: ClusterIP + ports: + proxyhttp: + enabled: true + port: 10234 + protocol: HTTP + targetPort: 9001 + # Metrics Services + metrics: + enabled: true + type: ClusterIP + ports: + metrics: + enabled: true + protocol: HTTP + port: 10231 + targetPort: 9301 + ldapmetrics: + enabled: true + type: ClusterIP + ports: + ldapmetrics: + enabled: true + port: 10232 + protocol: HTTP + targetPort: 9302 + proxymetrics: + enabled: true + type: ClusterIP + ports: + proxymetrics: + enabled: true + port: 10235 + protocol: HTTP + targetPort: 9303 + +ingress: + proxyhttps: + autoLink: true + +persistence: + media: + enabled: true + mountPath: "/media" + templates: + enabled: true + mountPath: "/templates" + certs: + enabled: true + mountPath: "/certs" + geoip: + enabled: true + mountPath: "/geoip" + +postgresql: + enabled: true + existingSecret: "dbcreds" + postgresqlUsername: authentik + postgresqlDatabase: authentik + +redis: + enabled: true + existingSecret: "rediscreds" + +portal: + enabled: true 
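Review bot: The bootstrap credential under `authentik.credentials` ships as the well-known literal `password: "supersecret"`, so any install that consumes these values directly (plain Helm rather than the SCALE questions form, which in this same release marks the field required with an empty default) starts with a guessable initial password unless the operator remembers to override it. I would change the default to `password: ""` with a comment such as `# -- Initial bootstrap password; must be set explicitly, no default is shipped`, and have the secret template refuse to render when it is empty if the common library offers such a check (the templates are not part of this diff, so I cannot confirm what it does with an empty value). Separately, `readOnlyRootFilesystem: false` under `securityContext` relaxes the hardened default with no explanation; a one-line why-comment naming the path the image needs to write, or a pointer to a tmpfs/persistence mount that would let it stay read-only, would help the next reviewer judge whether the relaxation is still needed. Note also that the plain `ldapldap` service on port 389 is enabled by default even though `outposts.ldap.enabled` is false; if the LDAP outpost is off, disabling that service by default avoids publishing an unencrypted bind endpoint nobody is listening on.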
diff --git a/stable/authentik/10.0.40/questions.yaml b/stable/authentik/10.0.40/questions.yaml new file mode 100644 index 00000000000..4bd4285d44f --- /dev/null +++ b/stable/authentik/10.0.40/questions.yaml 
@@ -0,0 +1,2822 @@ +groups: + - name: Container Image + description: Image to be used for container + - name: General Settings + description: General Deployment Settings + - name: App Configuration + description: App Specific Config Options + - name: Networking and Services + description: Configure Network and Services for Container + - name: Storage and Persistence + description: Persist and Share Data that is Separate from the Container + - name: Ingress + description: Ingress Configuration + - name: Security and Permissions + description: Configure Security Context and Permissions + - name: Resources and Devices + description: "Specify Resources/Devices to be Allocated to Workload" + - name: Middlewares + description: Traefik Middlewares + - name: Metrics + description: Metrics + - name: VPN + description: VPN + - name: Addons + description: Addon Configuration + - name: Advanced + description: Advanced Configuration + - name: Documentation + description: Documentation +portals: + open: + protocols: + - "$kubernetes-resource_configmap_portal_protocol" + host: + - "$kubernetes-resource_configmap_portal_host" + ports: + - "$kubernetes-resource_configmap_portal_port" +questions: + - variable: global + label: Global Settings + group: "General Settings" + schema: + type: dict + hidden: true + attrs: + - variable: isSCALE + label: Flag this is SCALE + schema: + type: boolean + default: true + hidden: true + - variable: controller + group: "General Settings" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: replicas + description: Number of desired pod replicas + label: Desired Replicas + schema: + type: int + required: true + default: 1 + - variable: customextraargs + group: "General Settings" + label: "Extra Args" + description: "Do not click this unless you know what you are doing" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: extraArgs + label: Extra Args + schema: + type: list 
+ default: [] + items: + - variable: arg + label: Arg + schema: + type: string + - variable: authentik + group: App Configuration + label: Authentik Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: credentials + label: Credentials + schema: + additional_attrs: true + type: dict + attrs: + - variable: password + label: Password (Initial install only) + description: Password for user. Can be used for any flow executor + schema: + type: string + private: true + required: true + default: "" + - variable: general + label: General + schema: + additional_attrs: true + type: dict + attrs: + - variable: disable_update_check + label: Disable Update Check + description: Disable the inbuilt update-checker + schema: + type: boolean + default: false + - variable: disable_startup_analytics + label: Disable Startup Analytics + description: Disable startup analytics + schema: + type: boolean + default: true + - variable: allow_user_name_change + label: Allow User Name Change + description: Enable the ability for users to change their Name + schema: + type: boolean + default: true + - variable: allow_user_mail_change + label: Allow User Mail Change + description: Enable the ability for users to change their Email address + schema: + type: boolean + default: true + - variable: allow_user_username_change + label: Allow User Username Change + description: Enable the ability for users to change their Usernames + schema: + type: boolean + default: true + - variable: gdpr_compliance + label: GDPR Compliance + description: When enabled, all the events caused by a user will be deleted upon the user's deletion + schema: + type: boolean + default: true + - variable: impersonation + label: Impersonation + description: Globally enable / disable impersonation + schema: + type: boolean + default: true + - variable: avatars + label: Avatars + description: Configure how authentik should show avatars for users + schema: + type: string + default: gravatar + - 
variable: token_length + label: Token Length + description: Configure the length of generated tokens + schema: + type: int + default: 128 + - variable: footer_links + label: Footer Links + description: This option configures the footer links on the flow executor pages + schema: + type: string + default: "" + - variable: mail + label: e-Mail + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: Mail Server Host + description: Sets host of mail server + schema: + type: string + default: "" + - variable: port + label: Mail Server Port + description: Sets port of mail server + schema: + type: int + default: 25 + - variable: tls + label: Use TLS for authentication + description: Sets tls for mail server authentication + schema: + type: boolean + default: false + - variable: ssl + label: Use SSL for authentication + description: Sets ssl for mail server authentication + schema: + type: boolean + default: false + - variable: timeout + label: Timeout of authentication + description: Sets timeout for mail server authentication + schema: + type: int + default: 10 + - variable: user + label: Username + description: Sets username of mail server + schema: + type: string + default: "" + - variable: pass + label: Password + description: Sets password of mail server + schema: + type: string + private: true + default: "" + - variable: from + label: From Address + description: Email address authentik will send from + schema: + type: string + default: "" + - variable: error_reporting + label: Error Reporting + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Reporting + description: Enables error reporting + schema: + type: boolean + default: false + show_subquestions_if: + subquestions: + - variable: send_pii + label: Send Personal Data + description: Whether or not to send personal data, like usernames + schema: + type: boolean + default: false + - variable: environment + label: Environment + description: 
Unique environment that is attached to your error reports, should be set to your email address for example. + schema: + type: string + default: customer + - variable: logging + label: Logging + schema: + additional_attrs: true + type: dict + attrs: + - variable: log_level + label: Log Level + description: Log level for the server and worker containers + schema: + type: string + default: info + enum: + - value: trace + description: trace + - value: debug + description: debug + - value: info + description: info + - value: warning + description: warning + - value: error + description: error + - variable: ldap + label: LDAP + schema: + additional_attrs: true + type: dict + attrs: + - variable: tls_ciphers + label: TLS Ciphers + description: Allows configuration of TLS Ciphers for LDAP connections used by LDAP sources. Setting applies to all sources + schema: + type: string + default: "null" + - variable: outposts + group: App Configuration + label: Outpost Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: ldap + label: LDAP + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable LDAP outpost + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: overrideHost + label: Override Host + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: host + label: Authentik Host + description: "URL of your Authentik server. (e.g. 
https://auth.domain.com)" + schema: + type: string + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: insecure + label: Insecure + description: Check only if you accessing Authentik in an unsecure way + schema: + type: boolean + default: false + - variable: overrideToken + label: Override Token + description: Overrides the random generated token to provide your own + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: token + label: API Token + description: You can get this from Applications > Outposts > View Deployment Info + schema: + type: string + private: true + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: overrideBrowserHost + label: Override Host Browser + description: Overrides the Browser Host, by default the first ingress host is used + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: host_browser + label: Host Browser + description: URL to use in the browser, when it differs from << host >> + schema: + type: string + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: proxy + label: Proxy + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Proxy outpost + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: overrideHost + label: Override Host + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: host + label: Authentik Host + description: "URL of your Authentik server. (e.g. 
https://auth.domain.com)" + schema: + type: string + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: insecure + label: Insecure + description: Check only if you accessing Authentik in an unsecure way + schema: + type: boolean + default: false + - variable: overrideToken + label: Override Token + description: Overrides the random generated token to provide your own + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: token + label: API Token + description: You can get this from Applications > Outposts > View Deployment Info + schema: + type: string + private: true + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: overrideBrowserHost + label: Override Host Browser + description: Overrides the Browser Host, by default the first ingress host is used + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: host_browser + label: Host Browser + description: URL to use in the browser, when it differs from << host >> + schema: + type: string + # TODO: Make them required again once Scale stable supports nested subquestions + # required: true + default: "" + - variable: geoip + group: App Configuration + label: GeoIP Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable GeoIP Container + description: Enables GeoIP container + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: account_id + label: Account ID + description: Your MaxMind account ID + schema: + type: string + private: true + required: true + default: "" + - variable: license_key + label: License Key + description: Your case-sensitive MaxMind license key + schema: + type: string + private: true + required: true + default: "" + - variable: edition_ids + label: 
Edition IDs + description: List of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes + schema: + type: string + required: true + default: GeoLite2-City + - variable: frequency + label: Frequency + description: The number of hours between geoipupdate runs + schema: + type: int + min: 1 + default: 8 + - variable: host_server + label: Host Server + description: The host name of the server to use + schema: + type: string + default: updates.maxmind.com + - variable: preserve_file_times + label: Preserve File Times + description: Whether to preserve modification times of files downloaded from the server + schema: + type: boolean + default: false + - variable: verbose + label: Verbose + description: Enable verbose mode. Prints out the steps that geoipupdate takes + schema: + type: boolean + default: false + - variable: proxy + label: Proxy + description: The proxy host name or IP address + schema: + type: string + default: "" + - variable: proxy_user_pass + label: Proxy Pass + description: The proxy user name and password, separated by a colon + schema: + type: string + private: true + default: "" + - variable: TZ + label: Timezone + group: "General Settings" + schema: + type: string + default: "Etc/UTC" + $ref: + - "definitions/timezone" + - variable: envList + label: Extra Environment Variables + description: "Please be aware that some variables are set in the background, adding duplicates here might cause issues or prevent the app from starting..." 
+ group: "General Settings" + schema: + type: list + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + - variable: value + label: Value + schema: + type: string + - variable: service + group: Networking and Services + label: Configure Service(s) + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: Main Service + description: The Primary service on which the healthcheck runs, often the webUI + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: Main Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 10229 + required: true + - variable: ldapldaps + label: LDAPS Service + description: The LDAPS service. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ldapldaps + label: LDAPS Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 636 + required: true + - variable: ldapldap + label: LDAP Service + description: The LDAPS service. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ldapldap + label: LDAP Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 389 + required: true + - variable: proxyhttps + label: Proxy HTTPS Service + description: The Proxy HTTPS service. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Service + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: ports + label: "Service's Port(s) Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: proxyhttps + label: Proxy HTTPS Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 10233 + required: true + - variable: serviceexpert + group: Networking and Services + label: Show Expert Config + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + group: Networking and Services + label: Host-Networking (Complicated) + schema: + type: boolean + default: false + - variable: externalInterfaces + description: Add External Interfaces + label: Add external Interfaces + group: Networking + schema: + type: list + items: + - variable: interfaceConfiguration + description: Interface Configuration + label: Interface Configuration + schema: + type: dict + $ref: + - "normalize/interfaceConfiguration" + attrs: + - variable: hostInterface + description: Please Specify Host Interface + label: Host Interface 
+ schema: + type: string + required: true + $ref: + - "definitions/interface" + - variable: ipam + description: Define how IP Address will be managed + label: IP Address Management + schema: + type: dict + required: true + attrs: + - variable: type + description: Specify type for IPAM + label: IPAM Type + schema: + type: string + required: true + enum: + - value: dhcp + description: Use DHCP + - value: static + description: Use Static IP + show_subquestions_if: static + subquestions: + - variable: staticIPConfigurations + label: Static IP Addresses + schema: + type: list + items: + - variable: staticIP + label: Static IP + schema: + type: ipaddr + cidr: true + - variable: staticRoutes + label: Static Routes + schema: + type: list + items: + - variable: staticRouteConfiguration + label: Static Route Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: destination + label: Destination + schema: + type: ipaddr + cidr: true + required: true + - variable: gateway + label: Gateway + schema: + type: ipaddr + cidr: false + required: true + - variable: serviceList + label: Add Manual Custom Services + group: Networking and Services + schema: + type: list + default: [] + items: + - variable: serviceListEntry + label: Custom Service + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the service + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Name + schema: + type: string + default: "" + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: LoadBalancer + description: LoadBalancer (Expose Ports) + - value: ClusterIP + description: ClusterIP (Do Not Expose Ports) + - value: Simple + description: Deprecated CHANGE THIS + - variable: loadBalancerIP + label: LoadBalancer IP + description: 
"MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: advancedsvcset + label: Show Advanced Service Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: externalIPs + label: "External IP's" + description: "External IP's" + schema: + type: list + default: [] + items: + - variable: externalIP + label: External IP + schema: + type: string + - variable: ipFamilyPolicy + label: IP Family Policy + description: Specify the IP Policy + schema: + type: string + default: SingleStack + enum: + - value: SingleStack + description: SingleStack + - value: PreferDualStack + description: PreferDualStack + - value: RequireDualStack + description: RequireDualStack + - variable: ipFamilies + label: IP Families + description: (Advanced) The IP Families that should be used + schema: + type: list + default: [] + items: + - variable: ipFamily + label: IP Family + schema: + type: string + - variable: portsList + label: Additional Service Ports + schema: + type: list + default: [] + items: + - variable: portsListEntry + label: Custom ports + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Port + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Port Name + schema: + type: string + default: "" + - variable: protocol + label: Port Type + schema: + type: string + default: TCP + enum: + - value: HTTP + description: HTTP + - value: HTTPS + description: HTTPS + - value: TCP + description: TCP + - value: UDP + description: UDP + - variable: targetPort + label: Target Port + description: This port exposes the container port on the service + schema: + type: int + required: true + - variable: port + label: Container Port + schema: + type: int + required: true + - variable: persistence + label: Integrated Persistent 
Storage + description: Integrated Persistent Storage + group: Storage and Persistence + schema: + additional_attrs: true + type: dict + attrs: + - variable: media + label: App Media Storage + description: Stores the Application Media. + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type of Storage + description: Sets the persistence type, Anything other than PVC could break rollback! + schema: + type: string + default: pvc + enum: + - value: pvc + description: PVC + - value: hostPath + description: Host Path + - value: emptyDir + description: emptyDir + - value: nfs + description: NFS Share + - variable: server + label: NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: path + label: Path on NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: setPermissions + label: Automatic Permissions + description: Automatically set permissions on install + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: false + - variable: readOnly + label: Read Only + schema: + type: boolean + default: false + - variable: hostPath + label: Host Path + description: Path inside the container the storage is mounted + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: EmptyDir Medium + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: Default + - value: Memory + description: Memory + - variable: size + label: Size quotum of Storage (Do NOT REDUCE after installation) + description: This value can ONLY be INCREASED after the installation + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: 256Gi + - variable: templates + label: App Templates Storage + description: Stores the Application Templates. 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type of Storage + description: Sets the persistence type, Anything other than PVC could break rollback! + schema: + type: string + default: pvc + enum: + - value: pvc + description: PVC + - value: hostPath + description: Host Path + - value: emptyDir + description: emptyDir + - value: nfs + description: NFS Share + - variable: server + label: NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: path + label: Path on NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: setPermissions + label: Automatic Permissions + description: Automatically set permissions on install + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: false + - variable: readOnly + label: Read Only + schema: + type: boolean + default: false + - variable: hostPath + label: Host Path + description: Path inside the container the storage is mounted + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: EmptyDir Medium + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: Default + - value: Memory + description: Memory + - variable: size + label: Size quotum of Storage (Do NOT REDUCE after installation) + description: This value can ONLY be INCREASED after the installation + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: 256Gi + - variable: certs + label: App Certs Storage + description: Stores the Application Certs. + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type of Storage + description: Sets the persistence type, Anything other than PVC could break rollback! 
+ schema: + type: string + default: pvc + enum: + - value: pvc + description: PVC + - value: hostPath + description: Host Path + - value: emptyDir + description: emptyDir + - value: nfs + description: NFS Share + - variable: server + label: NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: path + label: Path on NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: setPermissions + label: Automatic Permissions + description: Automatically set permissions on install + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: false + - variable: readOnly + label: Read Only + schema: + type: boolean + default: false + - variable: hostPath + label: Host Path + description: Path inside the container the storage is mounted + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: EmptyDir Medium + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: Default + - value: Memory + description: Memory + - variable: size + label: Size quotum of Storage (Do NOT REDUCE after installation) + description: This value can ONLY be INCREASED after the installation + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: 256Gi + - variable: geoip + label: App GeoIP Storage + description: Stores the Application GeoIP. + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type of Storage + description: Sets the persistence type, Anything other than PVC could break rollback! 
+ schema: + type: string + default: pvc + enum: + - value: pvc + description: PVC + - value: hostPath + description: Host Path + - value: emptyDir + description: emptyDir + - value: nfs + description: NFS Share + - variable: server + label: NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: path + label: Path on NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: setPermissions + label: Automatic Permissions + description: Automatically set permissions on install + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: false + - variable: readOnly + label: Read Only + schema: + type: boolean + default: false + - variable: hostPath + label: Host Path + description: Path inside the container the storage is mounted + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: EmptyDir Medium + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: Default + - value: Memory + description: Memory + - variable: size + label: Size quotum of Storage (Do NOT REDUCE after installation) + description: This value can ONLY be INCREASED after the installation + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: 256Gi + - variable: persistenceList + label: Additional App Storage + group: Storage and Persistence + schema: + type: list + default: [] + items: + - variable: persistenceListEntry + label: Custom Storage + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the storage + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Type of Storage + description: Sets the persistence type, Anything other than PVC could break rollback! 
+ schema: + type: string + default: hostPath + enum: + - value: pvc + description: PVC + - value: hostPath + description: Host Path + - value: emptyDir + description: emptyDir + - value: nfs + description: NFS Share + - variable: server + label: NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: path + label: Path on NFS Server + schema: + show_if: [["type", "=", "nfs"]] + type: string + default: "" + - variable: setPermissions + label: Automatic Permissions + description: Automatically set permissions on install + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: false + - variable: readOnly + label: Read Only + schema: + type: boolean + default: false + - variable: hostPath + label: Host Path + description: Path inside the container the storage is mounted + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: mountPath + label: Mount Path + description: Path inside the container the storage is mounted + schema: + type: string + default: "" + required: true + valid_chars: '^\/([a-zA-Z0-9._-]+(\s?[a-zA-Z0-9._-]+|\/?))+$' + - variable: medium + label: EmptyDir Medium + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: Default + - value: Memory + description: Memory + - variable: size + label: Size Quotum of Storage + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: 256Gi + - variable: ingress + label: "" + group: Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: Main (HTTPS) Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - 
variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: clusterIssuer + label: clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + show_if: [["clusterIssuer", "=", ""]] + default: [] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + + - variable: clusterIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates.' 
+ schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: string + default: "" + - variable: entrypoint + label: (Advanced) Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + required: true + - variable: ingressClassName + label: (Advanced/Optional) IngressClass Name + schema: + type: string + default: "" + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + - variable: proxyhttps + label: Proxy HTTPS Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: clusterIssuer + label: clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. 
Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + show_if: [["clusterIssuer", "=", ""]] + default: [] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + + - variable: clusterIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates.' + schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: string + default: "" + - variable: entrypoint + label: (Advanced) Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + required: true + - variable: ingressClassName + label: (Advanced/Optional) IngressClass Name + schema: + type: string + default: "" + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + - variable: ingressList + label: Add Manual Custom Ingresses + group: Ingress + schema: + type: list + default: [] + items: + - variable: ingressListEntry + label: Custom Ingress + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable Ingress + schema: + type: boolean + default: true + hidden: true + - variable: name + label: Name + schema: + type: 
string + default: "" + - variable: ingressClassName + label: IngressClass Name + schema: + type: string + default: "" + - variable: hosts + label: Hosts + schema: + type: list + default: [] + items: + - variable: hostEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: host + label: HostName + schema: + type: string + default: "" + required: true + - variable: paths + label: Paths + schema: + type: list + default: [] + items: + - variable: pathEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: path + label: Path + schema: + type: string + required: true + default: "/" + - variable: pathType + label: Path Type + schema: + type: string + required: true + default: Prefix + - variable: service + label: Linked Service + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Service Name + schema: + type: string + default: "" + - variable: port + label: Service Port + schema: + type: int + - variable: clusterIssuer + label: clusterIssuer + description: 'add the name of your cert-manager clusterIssuer here for automatic tls certificates. Cannot be used combined with tls option below' + schema: + type: string + default: "" + - variable: tls + label: TLS-Settings + schema: + type: list + default: [] + show_if: [["clusterIssuer", "=", ""]] + items: + - variable: tlsEntry + label: Host + schema: + additional_attrs: true + type: dict + attrs: + - variable: hosts + label: Certificate Hosts + schema: + type: list + default: [] + items: + - variable: host + label: Host + schema: + type: string + default: "" + required: true + - variable: clusterIssuer + label: Use Cert-Manager clusterIssuer + description: 'add the name of your Cert-Manager clusterIssuer here for automatic tls certificates.' 
+ schema: + type: string + default: "" + - variable: scaleCert + label: Use TrueNAS SCALE Certificate (Deprecated) + schema: + show_if: [["clusterIssuer", "=", ""]] + type: int + $ref: + - "definitions/certificate" + - variable: secretName + label: Use Custom Secret (Advanced) + schema: + type: string + show_if: [["clusterIssuer", "=", ""]] + default: "" + - variable: entrypoint + label: Traefik Entrypoint + description: Entrypoint used by Traefik when using Traefik as Ingress Provider + schema: + type: string + default: websecure + required: true + - variable: middlewares + label: Traefik Middlewares + description: Add previously created Traefik Middlewares to this Ingress + schema: + type: list + default: [] + items: + - variable: name + label: Name + schema: + type: string + default: "" + required: true + - variable: security + label: Container Security Settings + group: Security and Permissions + schema: + type: dict + additional_attrs: true + attrs: + - variable: editsecurity + label: Change PUID / UMASK values + description: By enabling this you override default set values. + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: PUID + label: Process User ID - PUID + description: When supported by the container, this sets the User ID running the Application Process. Not supported by all Apps + schema: + type: int + default: 568 + - variable: UMASK + label: UMASK + description: When supported by the container, this sets the UMASK for the App. 
Not supported by all Apps + schema: + type: string + default: "002" + - variable: advancedSecurity + label: Show Advanced Security Settings + group: Security and Permissions + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: securityContext + label: Security Context + schema: + additional_attrs: true + type: dict + attrs: + - variable: privileged + label: Privileged mode + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: ReadOnly Root Filesystem + schema: + type: boolean + default: true + - variable: allowPrivilegeEscalation + label: Allow Privilege Escalation + schema: + type: boolean + default: false + - variable: runAsNonRoot + label: runAsNonRoot + schema: + type: boolean + default: true + - variable: podSecurityContext + group: Security and Permissions + label: Pod Security Context + schema: + additional_attrs: true + type: dict + attrs: + - variable: runAsUser + label: runAsUser + description: The UserID of the user running the application + schema: + type: int + default: 1000 + - variable: runAsGroup + label: runAsGroup + description: The groupID this App of the user running the application + schema: + type: int + default: 1000 + - variable: fsGroup + label: fsGroup + description: The group that should own ALL storage. + schema: + type: int + default: 568 + - variable: fsGroupChangePolicy + label: "When should we take ownership?" 
+ schema: + type: string + default: OnRootMismatch + enum: + - value: OnRootMismatch + description: OnRootMismatch + - value: Always + description: Always + - variable: supplementalGroups + label: Supplemental Groups + schema: + type: list + default: [] + items: + - variable: supplementalGroupsEntry + label: Supplemental Group + schema: + type: int + - variable: resources + group: Resources and Devices + label: "Resource Limits" + schema: + additional_attrs: true + type: dict + attrs: + - variable: limits + label: Advanced Limit Resource Consumption + schema: + additional_attrs: true + type: dict + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 4000m + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: RAM + description: "1Gi means 1 Gibibyte RAM. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 8Gi + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: requests + label: "Minimum Resources Required (request)" + schema: + additional_attrs: true + type: dict + hidden: true + attrs: + - variable: cpu + label: CPU + description: "1000m means 1 hyperthread. Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 10m + hidden: true + valid_chars: '^(?!^0(\.0|m|)$)([0-9]+)(\.[0-9]|m?)$' + - variable: memory + label: "RAM" + description: "1Gi means 1 Gibibyte RAM. 
Detailed info: https://truecharts.org/docs/manual/SCALE%20Apps/indepth/validation" + schema: + type: string + default: 50Mi + hidden: true + valid_chars: '^(?!^0(e[0-9]|[EPTGMK]i?|)$)([0-9]+)(|[EPTGMK]i?|e[0-9]+)$' + - variable: deviceList + label: Mount USB Devices + group: Resources and Devices + schema: + type: list + default: [] + items: + - variable: deviceListEntry + label: Device + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enable the Storage + schema: + type: boolean + default: true + - variable: type + label: (Advanced) Type of Storage + description: Sets the persistence type + schema: + type: string + default: hostPath + hidden: true + - variable: readOnly + label: readOnly + schema: + type: boolean + default: false + - variable: hostPath + label: Host Device Path + description: Path to the device on the host system + schema: + type: path + - variable: mountPath + label: Container Device Path + description: Path inside the container the device is mounted + schema: + type: string + default: "/dev/ttyACM0" + # Specify GPU configuration + - variable: scaleGPU + label: GPU Configuration + group: Resources and Devices + schema: + type: dict + $ref: + - "definitions/gpuConfiguration" + attrs: [] + - variable: metrics + group: Metrics + label: Prometheus Metrics + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + description: Enable Prometheus Metrics + schema: + type: boolean + default: true + show_subquestions_if: true + subquestions: + - variable: serviceMonitor + label: Service Monitor Settings + schema: + additional_attrs: true + type: dict + attrs: + - variable: interval + label: Scrape Interval + description: Scrape interval time + schema: + type: string + default: 1m + required: true + - variable: scrapeTimeout + label: Scrape Timeout + description: Scrape timeout Time + schema: + type: string + default: 30s + required: true +# - variable: horizontalPodAutoscaler +# 
group: Advanced +# label: (Advanced) Horizontal Pod Autoscaler +# schema: +# type: list +# default: [] +# items: +# - variable: hpaEntry +# label: HPA Entry +# schema: +# additional_attrs: true +# type: dict +# attrs: +# - variable: name +# label: Name +# schema: +# type: string +# required: true +# default: "" +# - variable: enabled +# label: Enabled +# schema: +# type: boolean +# default: false +# show_subquestions_if: true +# subquestions: +# - variable: target +# label: Target +# description: Deployment name, Defaults to Main Deployment +# schema: +# type: string +# default: "" +# - variable: minReplicas +# label: Minimum Replicas +# schema: +# type: int +# default: 1 +# - variable: maxReplicas +# label: Maximum Replicas +# schema: +# type: int +# default: 5 +# - variable: targetCPUUtilizationPercentage +# label: Target CPU Utilization Percentage +# schema: +# type: int +# default: 80 +# - variable: targetMemoryUtilizationPercentage +# label: Target Memory Utilization Percentage +# schema: +# type: int +# default: 80 + - variable: networkPolicy + group: Advanced + label: (Advanced) Network Policy + schema: + type: list + default: [] + items: + - variable: netPolicyEntry + label: Network Policy Entry + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + default: "" + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: policyType + label: Policy Type + schema: + type: string + default: "" + enum: + - value: "" + description: Default + - value: ingress + description: Ingress + - value: egress + description: Egress + - value: ingress-egress + description: Ingress and Egress + - variable: egress + label: Egress + schema: + type: list + default: [] + items: + - variable: egressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: to + label: To + schema: + type: list + 
default: [] + items: + - variable: toEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + 
default: [] + items: + - variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: ingress + label: Ingress + schema: + type: list + default: [] + items: + - variable: ingressEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: from + label: From + schema: + type: list + default: [] + items: + - variable: fromEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ipBlock + label: IP Block + schema: + additional_attrs: true + type: dict + attrs: + - variable: cidr + label: CIDR + schema: + type: string + default: "" + - variable: except + label: Except + schema: + type: list + default: [] + items: + - variable: exceptint + label: "" + schema: + type: string + - variable: namespaceSelector + label: Namespace Selector + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: podSelector + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: matchExpressions + label: Match 
Expressions + schema: + type: list + default: [] + items: + - variable: expressionEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: key + label: Key + schema: + type: string + - variable: operator + label: Operator + schema: + type: string + default: TCP + enum: + - value: In + description: In + - value: NotIn + description: NotIn + - value: Exists + description: Exists + - value: DoesNotExist + description: DoesNotExist + - variable: values + label: Values + schema: + type: list + default: [] + items: + - variable: value + label: "" + schema: + type: string + - variable: ports + label: Ports + schema: + type: list + default: [] + items: + - variable: portsEntry + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + - variable: endPort + label: End Port + schema: + type: int + - variable: protocol + label: Protocol + schema: + type: string + default: TCP + enum: + - value: TCP + description: TCP + - value: UDP + description: UDP + - value: SCTP + description: SCTP + - variable: addons + group: Addons + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: Codeserver + schema: + additional_attrs: true + type: dict + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: git + label: Git Settings + schema: + additional_attrs: true + type: dict + attrs: + - variable: deployKey + description: Raw SSH Private Key + label: Deploy Key + schema: + type: string + - variable: deployKeyBase64 + description: Base64-encoded SSH private key. 
When both variables are set, the raw SSH key takes precedence + label: Deploy Key Base64 + schema: + type: string + - variable: service + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Service Type + description: "ClusterIP's are only internally available and Loadbalancer exposes the service using the system loadbalancer" + schema: + type: string + default: LoadBalancer + enum: + - value: NodePort + description: Deprecated CHANGE THIS + - value: ClusterIP + description: ClusterIP + - value: LoadBalancer + description: LoadBalancer + - variable: loadBalancerIP + label: LoadBalancer IP + description: "MetalLB Only: Selects the Loadbalancer IP to expose on. Required when using PortalButton with MetalLB" + schema: + show_if: [["type", "=", "LoadBalancer"]] + type: string + default: "" + - variable: advancedsvcset + label: Show Advanced Service Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: externalIPs + label: "External IP's" + description: "External IP's" + schema: + type: list + default: [] + items: + - variable: externalIP + label: External IP + schema: + type: string + - variable: ipFamilyPolicy + label: IP Family Policy + description: Specify the IP Policy + schema: + type: string + default: SingleStack + enum: + - value: SingleStack + description: SingleStack + - value: PreferDualStack + description: PreferDualStack + - value: RequireDualStack + description: RequireDualStack + - variable: ipFamilies + label: IP Families + description: (Advanced) The IP Families that should be used + schema: + type: list + default: [] + items: + - variable: ipFamily + label: IP Family + schema: + type: string + - variable: ports + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: codeserver + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + schema: + type: int + default: 36107 + - 
variable: nodePort + description: Leave Empty to Disable + label: nodePort DEPRECATED + schema: + type: int + default: 36107 + - variable: envList + label: Codeserver Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + - variable: vpn + label: VPN + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: Type + schema: + type: string + default: disabled + enum: + - value: disabled + description: disabled + - value: openvpn + description: OpenVPN + - value: wireguard + description: Wireguard + - value: tailscale + description: Tailscale + - variable: openvpn + label: OpenVPN Settings + schema: + type: dict + show_if: [["type", "=", "openvpn"]] + attrs: + - variable: username + label: Authentication Username (Optional) + description: Authentication Username, Optional + schema: + type: string + default: "" + - variable: password + label: Authentication Password + description: Authentication Credentials + schema: + type: string + default: "" + required: true + - variable: tailscale + label: Tailscale Settings + schema: + type: dict + show_if: [["type", "=", "tailscale"]] + attrs: + - variable: authkey + label: Authentication Key + description: Provide an auth key to automatically authenticate the node as your user account. + schema: + type: string + private: true + default: "" + - variable: auth_once + label: Auth Once + description: Only attempt to log in if not already logged in. + schema: + type: boolean + default: true + - variable: accept_dns + label: Accept DNS + description: Accept DNS configuration from the admin console. 
+ schema: + type: boolean + default: false + - variable: userspace + label: Userspace + description: Userspace Networking mode allows running Tailscale where you do not have access to create a VPN tunnel device. + schema: + type: boolean + default: false + - variable: routes + label: Routes + description: Expose physical subnet routes to your entire Tailscale network. + schema: + type: string + default: "" + - variable: dest_ip + label: Destination IP + description: Tells the DNAT mechanism which Destination IP to set in the IP header, and where to send packets that are matched. + schema: + type: string + default: "" + - variable: sock5_server + label: Sock5 Server + description: The address on which to listen for SOCKS5 proxying into the tailscale net. + schema: + type: string + default: "" + - variable: outbound_http_proxy_listen + label: Outbound HTTP Proxy Listen + description: The address on which to listen for HTTP proxying into the tailscale net. + schema: + type: string + default: "" + - variable: extra_args + label: Extra Args + description: Extra Args + schema: + type: string + default: "" + - variable: daemon_extra_args + label: Tailscale Daemon Extra Args + description: Tailscale Daemon Extra Args + schema: + type: string + default: "" + - variable: killSwitch + label: Enable Killswitch + schema: + type: boolean + show_if: [["type", "!=", "disabled"]] + default: true + - variable: excludedNetworks_IPv4 + label: Killswitch Excluded IPv4 networks + description: List of Killswitch Excluded IPv4 Addresses + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv4 + label: IPv4 Network + schema: + type: string + required: true + - variable: excludedNetworks_IPv6 + label: Killswitch Excluded IPv6 networks + description: "List of Killswitch Excluded IPv6 Addresses" + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: networkv6 + label: IPv6 Network + schema: + 
type: string + required: true + - variable: configFile + label: VPN Config File Location + schema: + type: dict + show_if: [["type", "!=", "disabled"]] + attrs: + - variable: enabled + label: Enabled + schema: + type: boolean + default: true + hidden: true + - variable: type + label: Type + schema: + type: string + default: hostPath + hidden: true + - variable: hostPathType + label: hostPathType + schema: + type: string + default: File + hidden: true + - variable: noMount + label: noMount + schema: + type: boolean + default: true + hidden: true + - variable: hostPath + label: Full Path to File + description: "Path to your local VPN config file for example: /mnt/tank/vpn.conf or /mnt/tank/vpn.ovpn" + schema: + type: string + default: "" + - variable: envList + label: VPN Environment Variables + schema: + type: list + show_if: [["type", "!=", "disabled"]] + default: [] + items: + - variable: envItem + label: Environment Variable + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + - variable: docs + group: Documentation + label: Please read the documentation at https://truecharts.org + description: Please read the documentation at +
https://truecharts.org + schema: + additional_attrs: true + type: dict + attrs: + - variable: confirmDocs + label: I have checked the documentation + schema: + type: boolean + default: true + - variable: donateNag + group: Documentation + label: Please consider supporting TrueCharts, see https://truecharts.org/sponsor + description: Please consider supporting TrueCharts, see +
https://truecharts.org/sponsor + schema: + additional_attrs: true + type: dict + attrs: + - variable: confirmDonate + label: I have considered donating + schema: + type: boolean + default: true + hidden: true diff --git a/stable/authentik/10.0.40/templates/_config.tpl b/stable/authentik/10.0.40/templates/_config.tpl new file mode 100644 index 00000000000..cc02f68e54e --- /dev/null +++ b/stable/authentik/10.0.40/templates/_config.tpl 
@@ -0,0 +1,143 @@
+{{/* Define the configmap */}}
+{{- define "authentik.config" -}}
+
+{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
+{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
+{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
+{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
+{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
+{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
+{{- if .Values.ingress.main.enabled }}
+ {{ $first := (first .Values.ingress.main.hosts) }}
+ {{- if $first }}
+ {{ $host = printf "https://%s" $first.host }}
+ {{- end }}
+{{- end }}
+
+---
+
+{{/* This configmap are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $authServerWorkerConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Dependencies */}}
+ AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
+ AUTHENTIK_REDIS__PORT: "6379"
+ AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
+ AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
+ AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
+ AUTHENTIK_POSTGRESQL__PORT: "5432"
+ {{/* Mail */}}
+ {{- with .Values.authentik.mail.port }}
+ AUTHENTIK_EMAIL__PORT: {{ . | quote }}
+ {{- end }}
+ AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
+ AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
+ {{- with .Values.authentik.mail.timeout }}
+ AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
+ {{- end }}
+ {{/* Logging */}}
+ {{- with .Values.authentik.logging.log_level }}
+ AUTHENTIK_LOG_LEVEL: {{ . }}
+ {{- end }}
+ {{/* General */}}
+ AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
+ AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
+ {{- with .Values.authentik.general.avatars }}
+ AUTHENTIK_AVATARS: {{ . }}
+ {{- end }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
+ AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
+ AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
+ AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
+ AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
+ {{- with .Values.authentik.general.footer_links }}
+ AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
+ {{- end }}
+ {{/* Error Reporting */}}
+ AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
+ AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
+ {{- with .Values.authentik.error_reporting.environment }}
+ AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
+ {{- end }}
+ {{/* LDAP */}}
+ {{- with .Values.authentik.ldap.tls_ciphers }}
+ AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
+ {{- end }}
+ {{/* Outposts */}}
+ AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
+
+---
+
+{{/* This configmap are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $authServerConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Listen */}}
+ AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
+ AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
+ AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
+
+---
+
+{{/* This configmap is loaded on ldap container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $ldapConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
+ AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+ AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
+ AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
+ AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
+ AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
+
+---
+
+{{/* This configmap is loaded on ldap container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $proxyConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
+ AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+ AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
+ AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
+ AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
+ AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
+
+---
+
+{{/* This configmap is loaded on geoip container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $geoipConfigName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{- with .Values.geoip.edition_ids }}
+ GEOIPUPDATE_EDITION_IDS: {{ . }}
+ {{- end }}
+ GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
+ {{- with .Values.geoip.host_server }}
+ GEOIPUPDATE_HOST: {{ . }}
+ {{- end }}
+ GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
+ GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
+{{- end -}}
diff --git a/stable/authentik/10.0.40/templates/_geoip.tpl b/stable/authentik/10.0.40/templates/_geoip.tpl
new file mode 100644
index 00000000000..054ec154774
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/_geoip.tpl
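Review bot: `AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}` in the ldap configmap (and the identical line in the proxy configmap) cannot be switched off if `insecure` is a boolean in values, because Sprig's `default` treats `false` as empty and substitutes "true", so the outpost would always skip certificate verification towards the authentik server. Keep the default in values.yaml and render the value as given, e.g. `AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | toString | quote }}`, or guard with `hasKey` if the key may be absent. The header comment on the proxy configmap still reads "loaded on ldap container", and the `$authServerConfigName` configmap carries the worker comment although the worker template only references `-authentik-config`; `{{/* This configmap is loaded on proxy container */}}` and `{{/* This configmap is loaded only on the main authentik server container */}}` would describe them accurately.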
@@ -0,0 +1,20 @@
+{{/* Define the geoip container */}}
+{{- define "authentik.geoip" -}}
+image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
+imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
+securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+volumeMounts:
+ - name: geoip
+ mountPath: "/usr/share/GeoIP"
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
+{{/* TODO: Add healthchecks */}}
+{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
+{{- end -}}
diff --git a/stable/authentik/10.0.40/templates/_ldap.tpl b/stable/authentik/10.0.40/templates/_ldap.tpl
new file mode 100644
index 00000000000..0d8f42742b1
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/_ldap.tpl
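Review bot: The geoip sidecar's `securityContext` pins `runAsUser: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, while the ldap, proxy and worker containers in this commit run as the chart's configured user with a read-only root, and nothing in the template says why the updater needs root. If the image genuinely requires it, record that next to the block, e.g. `{{/* geoipupdate image writes as root into /usr/share/GeoIP; see the TODO below before hardening further */}}`, and add the fields that still apply to a root container, `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }`, so a compromised updater process is limited to the mount it needs. The two TODO comments already note the missing healthchecks, so the sidecar can sit failed without the pod noticing; a short note on what consumers of the `geoip` volume see in that case would help the next maintainer.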
@@ -0,0 +1,48 @@
+{{/* Define the ldap container */}}
+{{- define "authentik.ldap" -}}
+image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
+imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
+securityContext:
+ runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+ runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
+ports:
+ - containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
+ name: ldapldaps
+ - containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
+ name: ldapldap
+{{- if .Values.metrics.enabled }}
+ - containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+ name: ldapmetrics
+{{- end }}
+readinessProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
diff --git a/stable/authentik/10.0.40/templates/_proxy.tpl b/stable/authentik/10.0.40/templates/_proxy.tpl
new file mode 100644
index 00000000000..c28161c585c
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/_proxy.tpl
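Review bot: All three probes in `authentik.ldap` target the `ldapmetrics` port, but that port is only declared under `ports:` when `.Values.metrics.enabled` is true; the probes still work because `_config.tpl` sets `AUTHENTIK_LISTEN__METRICS` unconditionally, yet a reader of this template cannot see that, so add `{{/* probes use the metrics listener, which _config.tpl enables regardless of metrics.enabled */}}` above `readinessProbe:`. `.Values.metrics.enabled` is also read here without the `hasKey .Values "metrics"` guard that common.yaml applies before touching the same key. The `securityContext` sets `readOnlyRootFilesystem` and `runAsNonRoot` but not `allowPrivilegeEscalation: false` or `capabilities: { drop: [ALL] }`, which an outpost binary listening on unprivileged ports should tolerate. `authentik.proxy` in _proxy.tpl is the same template with the port names swapped, so all three points apply there too; a single shared partial parametrised on the outpost name would keep the two from drifting.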
@@ -0,0 +1,48 @@
+{{/* Define the proxy container */}}
+{{- define "authentik.proxy" -}}
+image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
+imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
+securityContext:
+ runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+ runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
+ports:
+ - containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
+ name: proxyhttps
+ - containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
+ name: proxyhttp
+{{- if .Values.metrics.enabled }}
+ - containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+ name: proxymetrics
+{{- end }}
+readinessProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ httpGet:
+ path: /outpost.goauthentik.io/ping
+ port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
diff --git a/stable/authentik/10.0.40/templates/_secret.tpl b/stable/authentik/10.0.40/templates/_secret.tpl
new file mode 100644
index 00000000000..f7d39c68ef6
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/_secret.tpl
@@ -0,0 +1,106 @@
+{{/* Define the secret */}}
+{{- define "authentik.secret" -}}
+
+{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
+{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
+{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
+{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
+{{- $token := randAlphaNum 128 | b64enc }}
+
+---
+{{/* This secrets are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $authentikSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Secret Key */}}
+ {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
+ AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
+ {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
+ {{- else }}
+ AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
+ {{- end }}
+ AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
+ {{/* Dependencies */}}
+ AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
+ AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
+ {{/* Credentials */}}
+ {{- with .Values.authentik.credentials.password }}
+ AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
+ {{- end }}
+ {{/* Mail */}}
+ {{- with .Values.authentik.mail.host }}
+ AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
+ {{- end }}
+ {{- with .Values.authentik.mail.user }}
+ AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
+ {{- end }}
+ {{- with .Values.authentik.mail.pass }}
+ AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
+ {{- end }}
+ {{- with .Values.authentik.mail.from }}
+ AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
+ {{- end }}
+
+{{- if .Values.geoip.enabled }}
+---
+{{/* This secrets are loaded on geoip container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $geoipSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Credentials */}}
+ {{- with .Values.geoip.account_id }}
+ GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
+ {{- end }}
+ {{- with .Values.geoip.license_key }}
+ GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
+ {{- end }}
+ {{/* Proxy */}}
+ {{- with .Values.geoip.proxy }}
+ GEOIPUPDATE_PROXY: {{ . | b64enc }}
+ {{- end }}
+ {{- with .Values.geoip.proxy_user_pass }}
+ GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
+ {{- end }}
+{{- end }}
+---
+{{/* This secrets are loaded on ldap container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $ldapSecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{- with .Values.outposts.ldap.token }}
+ AUTHENTIK_TOKEN: {{ . | b64enc }}
+ {{- else }}
+ AUTHENTIK_TOKEN: {{ $token }}
+ {{- end }}
+
+---
+{{/* This secrets are loaded on ldap container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $proxySecretName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{- with .Values.outposts.proxy.token }}
+ AUTHENTIK_TOKEN: {{ . | b64enc }}
+ {{- else }}
+ AUTHENTIK_TOKEN: {{ $token }}
+ {{- end }}
+{{- end }}
diff --git a/stable/authentik/10.0.40/templates/_worker.tpl b/stable/authentik/10.0.40/templates/_worker.tpl
new file mode 100644
index 00000000000..def8506b9f1
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/_worker.tpl
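Review bot: When `outposts.ldap.token` or `outposts.proxy.token` is unset, the outpost secret falls back to `$token`, which is the same value written as `AUTHENTIK_BOOTSTRAP_TOKEN` — the token authentik uses for the initial admin's API access — so by default each outpost container holds an administrator-level token instead of a scoped outpost token; both `{{- else }}` branches deserve `{{/* Fallback is the bootstrap (admin) token; set outposts.<name>.token to a dedicated outpost token to limit blast radius */}}`, and the values documentation should say the same. On upgrade the `lookup` branch copies `AUTHENTIK_BOOTSTRAP_TOKEN` out of the existing secret; if a secret from an earlier release lacks that key, `$token` becomes empty and every fallback `AUTHENTIK_TOKEN` renders blank, so write it as `{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" | default $token }}`. `lookup` also returns nothing under `helm template` or `--dry-run`, which means a render-then-apply workflow regenerates `AUTHENTIK_SECRET_KEY` (and so invalidates sessions) on every apply; a comment on the `with (lookup ...)` line should state that assumption. The fourth secret's header still says "loaded on ldap container" although it is the proxy secret.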
@@ -0,0 +1,52 @@
+{{/* Define the worker container */}}
+{{- define "authentik.worker" -}}
+image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+securityContext:
+ runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+ runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+args: ["worker"]
+envFrom:
+ - secretRef:
+ name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
+ - configMapRef:
+ name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
+volumeMounts:
+ - name: media
+ mountPath: "/media"
+ - name: templates
+ mountPath: "/templates"
+ - name: certs
+ mountPath: "/certs"
+ - name: geoip
+ mountPath: "/geoip"
+readinessProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ exec:
+ command:
+ - /lifecycle/ak
+ - healthcheck
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ timeoutSeconds: 10
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
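Review bot: `timeoutSeconds: 10` in the worker's `startupProbe` is a literal while every other probe field in this file, and in the ldap and proxy templates, reads `.Values.probes.<kind>.spec.*`, so a user tuning `probes.startup.spec.timeoutSeconds` would not expect the worker to ignore it. Either use `timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}` or keep the literal with a comment such as `{{/* fixed: ak healthcheck needs a longer budget than the shared startup timeout */}}` if that is the reason.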
diff --git a/stable/authentik/10.0.40/templates/common.yaml b/stable/authentik/10.0.40/templates/common.yaml
new file mode 100644
index 00000000000..8d610c2e55e
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/common.yaml
@@ -0,0 +1,45 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.common.loader.init" . }}
+
+{{/* Render secret */}}
+{{- include "authentik.secret" . }}
+
+{{/* Render config */}}
+{{- include "authentik.config" . }}
+
+{{- if hasKey .Values "metrics" -}}
+{{- if .Values.metrics.enabled -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if .Values.workerContainer.enabled -}}
+{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
+{{- end -}}
+
+{{- if .Values.geoip.enabled -}}
+{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
+{{- end -}}
+
+{{- if .Values.outposts.ldap.enabled -}}
+{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
+{{/* - if .Values.metrics.enabled - */}}
+{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
+{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
+{{/* We can't define multiple ports/endpoints with annotations */}}
+{{/* - end - */}}
+{{- end -}}
+
+{{- if .Values.outposts.proxy.enabled -}}
+{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
+{{/* - if .Values.metrics.enabled - */}}
+{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
+{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
+{{/* We can't define multiple ports/endpoints with annotations */}}
+{{/* - end - */}}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "tc.common.loader.apply" . }}
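Review bot: `.Values.metrics` is guarded with `hasKey` here before `.Values.metrics.enabled` is read, but `authentik.ldap` and `authentik.proxy`, included a few lines further down when the outposts are enabled, read `.Values.metrics.enabled` unguarded, so a values file without a `metrics` key renders the annotations cleanly and then fails with a nil-pointer evaluation inside the outpost templates. Either drop the guard here if `metrics` is always present after `tc.common.loader.init`, or apply the same check in those templates, e.g. `{{- if and (hasKey .Values "metrics") .Values.metrics.enabled }}`. The commented-out `metrics.enabled` blocks and their TODOs would read better as one comment stating that only the main metrics port is exposed via `prometheus.io/port` and that the outpost metrics ports are intentionally not annotated.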
diff --git a/stable/authentik/10.0.40/templates/prometheusrules.yaml b/stable/authentik/10.0.40/templates/prometheusrules.yaml
new file mode 100644
index 00000000000..b3a37c57c21
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/prometheusrules.yaml
@@ -0,0 +1,160 @@
+{{- if hasKey .Values "metrics" }}
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "tc.common.names.fullname" . }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+ {{- with .Values.metrics.prometheusRule.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ include "tc.common.names.fullname" . }}
+ rules:
+ {{- with .Values.metrics.prometheusRule.rules }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.metrics.prometheusRule.useDefault }}
+ - name: authentik Aggregate request counters
+ rules:
+ - record: job:django_http_requests_before_middlewares_total:sum_rate30s
+ expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
+ - record: job:django_http_requests_unknown_latency_total:sum_rate30s
+ expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
+ - record: job:django_http_ajax_requests_total:sum_rate30s
+ expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
+ - record: job:django_http_responses_before_middlewares_total:sum_rate30s
+ expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
+ - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
+ expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
+ - record: job:django_http_requests_body_total_bytes:sum_rate30s
+ expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
+ - record: job:django_http_responses_streaming_total:sum_rate30s
+ expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
+ - record: job:django_http_responses_body_total_bytes:sum_rate30s
+ expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
+ - record: job:django_http_requests_total:sum_rate30s
+ expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
+ - record: job:django_http_requests_total_by_method:sum_rate30s
+ expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
+ - record: job:django_http_requests_total_by_transport:sum_rate30s
+ expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
+ - record: job:django_http_requests_total_by_view:sum_rate30s
+ expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
+ - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
+ expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
+ - record: job:django_http_responses_total_by_templatename:sum_rate30s
+ expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
+ - record: job:django_http_responses_total_by_status:sum_rate30s
+ expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
+ - record: job:django_http_responses_total_by_status_name_method:sum_rate30s
+ expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
+ - record: job:django_http_responses_total_by_charset:sum_rate30s
+ expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
+ - record: job:django_http_exceptions_total_by_type:sum_rate30s
+ expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
+ - record: job:django_http_exceptions_total_by_view:sum_rate30s
+ expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
+ - name: authentik Aggregate latency histograms
+ rules:
+ - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+ expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "50"
+ - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+ expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "95"
+ - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+ expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "99"
+ - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+ expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "99.9"
+ - record: job:django_http_requests_latency_seconds:quantile_rate30s
+ expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "50"
+ - record: job:django_http_requests_latency_seconds:quantile_rate30s
+ expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "95"
+ - record: job:django_http_requests_latency_seconds:quantile_rate30s
+ expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "99"
+ - record: job:django_http_requests_latency_seconds:quantile_rate30s
+ expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+ labels:
+ quantile: "99.9"
+ - name: authentik Aggregate model operations
+ rules:
+ - record: job:django_model_inserts_total:sum_rate1m
+ expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
+ - record: job:django_model_updates_total:sum_rate1m
+ expr: sum(rate(django_model_updates_total[1m])) by (job, model)
+ - record: job:django_model_deletes_total:sum_rate1m
+ expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
+ - name: authentik Aggregate database operations
+ rules:
+ - record: job:django_db_new_connections_total:sum_rate30s
+ expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
+ - record: job:django_db_new_connection_errors_total:sum_rate30s
+ expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
+ - record: job:django_db_execute_total:sum_rate30s
+ expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
+ - record: job:django_db_execute_many_total:sum_rate30s
+ expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
+ - record: job:django_db_errors_total:sum_rate30s
+ expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
+ - name: authentik Aggregate migrations
+ rules:
+ - record: job:django_migrations_applied_total:max
+ expr: max(django_migrations_applied_total) by (job, connection)
+ - record: job:django_migrations_unapplied_total:max
+ expr: max(django_migrations_unapplied_total) by (job, connection)
+ - name: authentik Alerts
+ rules:
+ - alert: NoWorkersConnected
+ expr: max without (pid) (authentik_admin_workers) < 1
+ annotations:
+ message: |
+ authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
+ summary: No workers connected
+ for: 10m
+ labels:
+ severity: critical
+ - alert: PendingMigrations
+ expr: max without (pid) (django_migrations_unapplied_total) > 0
+ annotations:
+ message: |
+ authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
+ summary: Pending database migrations
+ for: 10m
+ labels:
+ severity: critical
+ - alert: FailedSystemTasks
+ expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
+ annotations:
+ message: |
+ System task {{ printf "{{ $labels.task_name }}" }} has failed
+ summary: Failed system tasks
+ for: 2h
+ labels:
+ severity: critical
+ - alert: DisconnectedOutposts
+ expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
+ annotations:
+ message: |
+ Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
+ summary: Disconnected outpost
+ for: 30m
+ labels:
+ severity: critical
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/stable/authentik/10.0.40/templates/servicemonitor.yaml b/stable/authentik/10.0.40/templates/servicemonitor.yaml
new file mode 100644
index 00000000000..afa560ff34e
--- /dev/null
+++ b/stable/authentik/10.0.40/templates/servicemonitor.yaml
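Review bot: The `rate(...[30s])` windows used by every `:sum_rate30s` and `:quantile_rate30s` recording rule in the default groups (starting at `job:django_http_requests_before_middlewares_total:sum_rate30s`) will evaluate to no data unless the scrape interval is well under 15s, because `rate` needs at least two samples inside its window and the ServiceMonitor in this commit only sets `interval` when `.Values.metrics.serviceMonitor.interval` is provided. A window of at least four scrape intervals, e.g. `expr: sum(rate(django_http_requests_before_middlewares_total[2m])) by (job)` with the `sum_rate30s` suffixes renamed to match, keeps these rules usable at the common 30s default. Separately, `FailedSystemTasks` pairs `increase(...[2h]) > 0` with `for: 2h`, so the condition stops being true at about the same moment the pending alert would fire; a single failed task may therefore never produce an alert, and a shorter hold such as `for: 10m`, in line with the other alerts, would make the detection reliable. The rule `job:django_http_requests_total:sum_rate30s` takes its rate from `django_http_requests_total_by_method` (and `..._total_by_view` from `..._by_view_transport_method`); if that is intentional, a one-line comment saying so would stop a later reader from "fixing" the name.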
@@ -0,0 +1,44 @@
+{{- if hasKey .Values "metrics" }}
+{{- if .Values.metrics.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "tc.common.names.fullname" . }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+ {{- with .Values.metrics.serviceMonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: metrics
+ {{- with .Values.metrics.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ path: /metrics
+
+ - port: ldapmetrics
+ {{- with .Values.metrics.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ path: /metrics
+
+ - port: proxymetrics
+ {{- with .Values.metrics.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ path: /metrics
+{{- end }}
+{{- end }}
diff --git a/stable/authentik/10.0.40/values.yaml b/stable/authentik/10.0.40/values.yaml
new file mode 100644
index 00000000000..e69de29bb2d
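Review bot: The `ldapmetrics` and `proxymetrics` endpoints are emitted whenever `.Values.metrics.enabled` is true, while common.yaml in this same commit only adds the `ldap-outpost` and `proxy-outpost` containers when `.Values.outposts.ldap.enabled` or `.Values.outposts.proxy.enabled` is set, so a deployment without outposts gets scrape endpoints for ports nothing serves. Wrapping each of those two endpoints in its own guard, `{{- if .Values.outposts.ldap.enabled }}` … `{{- end }}` and the proxy counterpart, keeps the ServiceMonitor aligned with what is actually running and avoids permanently absent targets that mask a real outage of the outpost metrics. The `.Values.metrics.serviceMonitor.*` lookups are only protected by the `hasKey .Values "metrics"` check on the first line; whether `serviceMonitor` always has a default is not visible here (the values.yaml added by this diff is empty), so it is worth confirming that a `metrics` block without a `serviceMonitor` key cannot reach these lines.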