Commit new Chart releases for TrueCharts

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>

stable/authentik/10.0.40/CHANGELOG.md

@@ -0,0 +1,99 @@
+**Important:**
+*for the complete changelog, please refer to the website*
+
+
+
+
+## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14)
+
+### Chore
+
+- update authentik to v2023.2.0
+  
+  
+
+
+## [authentik-10.0.39](https://github.com/truecharts/charts/compare/authentik-10.0.38...authentik-10.0.39) (2023-02-14)
+
+### Chore
+
+- update container image tccr.io/truecharts/authentik-proxy to v2023.2.0
+  
+  
+
+
+## [authentik-10.0.38](https://github.com/truecharts/charts/compare/authentik-10.0.37...authentik-10.0.38) (2023-02-10)
+
+### Fix
+
+- ensure new helm deps repo is used in latest releases as well.
+  
+  
+
+
+## [authentik-10.0.37](https://github.com/truecharts/charts/compare/authentik-10.0.36...authentik-10.0.37) (2023-01-31)
+
+### Chore
+
+- update container image tccr.io/truecharts/authentik to v2023.1.2
+  
+  
+
+
+## [authentik-10.0.36](https://github.com/truecharts/charts/compare/authentik-10.0.35...authentik-10.0.36) (2023-01-30)
+
+### Chore
+
+- update authentik to v2023.1.2
+  
+  
+
+
+## [authentik-10.0.35](https://github.com/truecharts/charts/compare/authentik-10.0.34...authentik-10.0.35) (2023-01-24)
+
+### Chore
+
+- update helm general non-major ([#6689](https://github.com/truecharts/charts/issues/6689))
+  
+  
+
+
+## [authentik-10.0.34](https://github.com/truecharts/charts/compare/authentik-10.0.33...authentik-10.0.34) (2023-01-23)
+
+### Chore
+
+- update helm general non-major
+  
+  
+
+
+## [authentik-10.0.33](https://github.com/truecharts/charts/compare/authentik-10.0.32...authentik-10.0.33) (2023-01-19)
+
+### Chore
+
+- update authentik to v2023.1.0
+  
+  
+
+
+## [authentik-10.0.32](https://github.com/truecharts/charts/compare/authentik-10.0.31...authentik-10.0.32) (2023-01-17)
+
+### Chore
+
+- update helm general non-major ([#6430](https://github.com/truecharts/charts/issues/6430))
+  
+  
+
+
+## [authentik-10.0.31](https://github.com/truecharts/charts/compare/authentik-10.0.30...authentik-10.0.31) (2023-01-10)
+
+### Chore
+
+- update container image tccr.io/truecharts/authentik to v2022.12.2
+  
+  
+
+
+## [authentik-10.0.30](https://github.com/truecharts/charts/compare/authentik-10.0.29...authentik-10.0.30) (2023-01-07)
+
+### Chore

stable/authentik/10.0.40/Chart.yaml

@@ -0,0 +1,36 @@
+apiVersion: v2
+appVersion: "2023.2.0"
+dependencies:
+  - name: common
+    repository: https://library-charts.truecharts.org
+    version: 11.1.2
+  - condition: postgresql.enabled
+    name: postgresql
+    repository: https://deps.truecharts.org/
+    version: 11.0.22
+  - condition: redis.enabled
+    name: redis
+    repository: https://deps.truecharts.org
+    version: 5.0.29
+description: authentik is an open-source Identity Provider focused on flexibility and versatility.
+home: https://truecharts.org/charts/stable/authentik
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
+keywords:
+  - authentik
+kubeVersion: ">=1.16.0-0"
+maintainers:
+  - email: info@truecharts.org
+    name: TrueCharts
+    url: https://truecharts.org
+name: authentik
+sources:
+  - https://github.com/truecharts/charts/tree/master/charts/stable/authentik
+  - https://ghcr.io/goauthentik/server
+  - https://github.com/goauthentik/authentik
+  - https://goauthentik.io/docs/
+version: 10.0.40
+annotations:
+  truecharts.org/catagories: |
+    - authentication
+  truecharts.org/SCALE-support: "true"
+  truecharts.org/grade: U

stable/authentik/10.0.40/README.md

@@ -0,0 +1,27 @@
+# README
+
+## General Info
+
+TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+*All Rights Reserved - The TrueCharts Project*

stable/authentik/10.0.40/app-changelog.md

@@ -0,0 +1,9 @@
+
+
+## [authentik-10.0.40](https://github.com/truecharts/charts/compare/authentik-10.0.39...authentik-10.0.40) (2023-02-14)
+
+### Chore
+
+- update authentik to v2023.2.0
+  
+  

stable/authentik/10.0.40/app-readme.md

@@ -0,0 +1,8 @@
+authentik is an open-source Identity Provider focused on flexibility and versatility.
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/stable/authentik](https://truecharts.org/charts/stable/authentik)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!

stable/authentik/10.0.40/ix_values.yaml

@@ -0,0 +1,258 @@
+image:
+  repository: tccr.io/truecharts/authentik
+  tag: 2023.2.0@sha256:a3c00955f0a47a325a963a1d98af2784083f03896c09ffd87cd4ba1182b1d716
+  pullPolicy: IfNotPresent
+
+geoipImage:
+  repository: tccr.io/truecharts/geoipupdate
+  tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
+  pullPolicy: IfNotPresent
+
+ldapImage:
+  repository: tccr.io/truecharts/authentik-ldap
+  tag: 2023.2.0@sha256:479868391c91c868d811c42b2ca21d4d4c852a4422e771663c96e038b9b290d3
+  pullPolicy: IfNotPresent
+
+proxyImage:
+  repository: tccr.io/truecharts/authentik-proxy
+  tag: 2023.2.0@sha256:bf5285469fb5acf0166f88332ed22fe11a20ce2e2321b7bf02b83ef186b2e0d3
+  pullPolicy: IfNotPresent
+
+args: ["server"]
+
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+
+securityContext:
+  readOnlyRootFilesystem: false
+
+workerContainer:
+  enabled: true
+
+authentik:
+  credentials:
+    password: "supersecret"
+  general:
+    disable_update_check: false
+    disable_startup_analytics: true
+    allow_user_name_change: true
+    allow_user_mail_change: true
+    allow_user_username_change: true
+    gdpr_compliance: true
+    impersonation: true
+    avatars: "gravatar"
+    token_length: 128
+    # Use single quotes for footer_links
+    footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
+  mail:
+    host: ""
+    port: 25
+    tls: false
+    ssl: false
+    timeout: 10
+    user: ""
+    pass: ""
+    from: ""
+  error_reporting:
+    enabled: false
+    send_pii: false
+    environment: "customer"
+  logging:
+    log_level: "info"
+  ldap:
+    tls_ciphers: "null"
+geoip:
+  enabled: false
+  account_id: ""
+  license_key: ""
+  proxy: ""
+  proxy_user_pass: ""
+  edition_ids: "GeoLite2-City"
+  frequency: 8
+  host_server: "updates.maxmind.com"
+  preserve_file_times: false
+  verbose: false
+
+outposts:
+  ldap:
+    # -- First you have to create an Outpost in the GUI. Applications > Outposts
+    enabled: false
+    # -- Host Browser by default is set to the first ingress host you set
+    # host_browser: ""
+    # -- Host should not need to be overridden. Defaults to https://localhost:9443
+    # host: ""
+    # -- As we use https://localhost:9443 it's an unsecure connection
+    # insecure: false
+    # -- Token is only needed if you accidentally deleted the token within the UI
+    # token: ""
+  proxy:
+    # -- First you have to create an Outpost in the GUI. Applications > Outposts
+    enabled: false
+    # -- Host Browser by default is set to the first ingress host you set
+    # host_browser: ""
+    # -- As we use https://localhost:9443 it's an unsecure connection
+    # insecure: false
+    # -- Host should not need to be overridden. Defaults to https://localhost:9443
+    # host: ""
+    # -- Token is only needed if you accidentally deleted the token within the UI
+    # token: ""
+
+metrics:
+  # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
+  # @default -- See values.yaml
+  enabled: false
+  serviceMonitor:
+    interval: 1m
+    scrapeTimeout: 30s
+    labels: {}
+  # -- Enable and configure Prometheus Rules for the chart under this key.
+  # @default -- See values.yaml
+  prometheusRule:
+    enabled: false
+    useDefault: true
+    labels: {}
+    # -- Configure additional rules for the chart under this key.
+    # @default -- See prometheusrules.yaml
+    rules:
+      []
+      # - alert: UnifiPollerAbsent
+      #   annotations:
+      #     description: Unifi Poller has disappeared from Prometheus service discovery.
+      #     summary: Unifi Poller is down.
+      #   expr: |
+      #     absent(up{job=~".*unifi-poller.*"} == 1)
+      #   for: 5m
+      #   labels:
+      #     severity: critical
+
+envFrom:
+  - secretRef:
+      name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
+
+probes:
+  liveness:
+    type: HTTPS
+    path: /-/health/live/
+    port: "{{ .Values.service.main.ports.main.targetPort }}"
+  readiness:
+    type: HTTPS
+    path: /-/health/ready/
+    port: "{{ .Values.service.main.ports.main.targetPort }}"
+  startup:
+    type: HTTPS
+    path: /-/health/ready/
+    port: "{{ .Values.service.main.ports.main.targetPort }}"
+
+service:
+  main:
+    ports:
+      main:
+        protocol: HTTPS
+        port: 10229
+        targetPort: 9443
+  http:
+    enabled: true
+    type: ClusterIP
+    ports:
+      http:
+        enabled: true
+        protocol: HTTP
+        port: 10230
+        targetPort: 9000
+  # LDAP Outpost Services
+  ldapldaps:
+    enabled: true
+    ports:
+      ldapldaps:
+        enabled: true
+        port: 636
+        targetPort: 6636
+  ldapldap:
+    enabled: true
+    ports:
+      ldapldap:
+        enabled: true
+        port: 389
+        targetPort: 3389
+  # Proxy Outpost Services
+  proxyhttps:
+    enabled: true
+    ports:
+      proxyhttps:
+        enabled: true
+        port: 10233
+        protocol: HTTPS
+        targetPort: 9444
+  proxyhttp:
+    enabled: true
+    type: ClusterIP
+    ports:
+      proxyhttp:
+        enabled: true
+        port: 10234
+        protocol: HTTP
+        targetPort: 9001
+  # Metrics Services
+  metrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      metrics:
+        enabled: true
+        protocol: HTTP
+        port: 10231
+        targetPort: 9301
+  ldapmetrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      ldapmetrics:
+        enabled: true
+        port: 10232
+        protocol: HTTP
+        targetPort: 9302
+  proxymetrics:
+    enabled: true
+    type: ClusterIP
+    ports:
+      proxymetrics:
+        enabled: true
+        port: 10235
+        protocol: HTTP
+        targetPort: 9303
+
+ingress:
+  proxyhttps:
+    autoLink: true
+
+persistence:
+  media:
+    enabled: true
+    mountPath: "/media"
+  templates:
+    enabled: true
+    mountPath: "/templates"
+  certs:
+    enabled: true
+    mountPath: "/certs"
+  geoip:
+    enabled: true
+    mountPath: "/geoip"
+
+postgresql:
+  enabled: true
+  existingSecret: "dbcreds"
+  postgresqlUsername: authentik
+  postgresqlDatabase: authentik
+
+redis:
+  enabled: true
+  existingSecret: "rediscreds"
+
+portal:
+  enabled: true

stable/authentik/10.0.40/templates/_config.tpl

@@ -0,0 +1,143 @@
+{{/* Define the configmap */}}
+{{- define "authentik.config" -}}
+
+{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
+{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
+{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
+{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
+{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
+{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
+{{- if .Values.ingress.main.enabled }}
+  {{ $first := (first .Values.ingress.main.hosts) }}
+  {{- if $first }}
+    {{ $host = printf "https://%s" $first.host }}
+  {{- end }}
+{{- end }}
+
+---
+
+{{/* This configmap are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $authServerWorkerConfigName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{/* Dependencies */}}
+  AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
+  AUTHENTIK_REDIS__PORT: "6379"
+  AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
+  AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
+  AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
+  AUTHENTIK_POSTGRESQL__PORT: "5432"
+  {{/* Mail */}}
+  {{- with .Values.authentik.mail.port }}
+  AUTHENTIK_EMAIL__PORT: {{ . | quote }}
+  {{- end }}
+  AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
+  AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
+  {{- with .Values.authentik.mail.timeout }}
+  AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
+  {{- end }}
+  {{/* Logging */}}
+  {{- with .Values.authentik.logging.log_level }}
+  AUTHENTIK_LOG_LEVEL: {{ . }}
+  {{- end }}
+  {{/* General */}}
+  AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
+  AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
+  {{- with .Values.authentik.general.avatars }}
+  AUTHENTIK_AVATARS: {{ . }}
+  {{- end }}
+  AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
+  AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
+  AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
+  AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
+  AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
+  AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
+  {{- with .Values.authentik.general.footer_links }}
+  AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
+  {{- end }}
+  {{/* Error Reporting */}}
+  AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
+  AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
+  {{- with .Values.authentik.error_reporting.environment }}
+  AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
+  {{- end }}
+  {{/* LDAP */}}
+  {{- with .Values.authentik.ldap.tls_ciphers }}
+  AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
+  {{- end }}
+  {{/* Outposts */}}
+  AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
+
+---
+
+{{/* This configmap are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $authServerConfigName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{/* Listen */}}
+  AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
+  AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
+  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
+
+---
+
+{{/* This configmap is loaded on ldap container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $ldapConfigName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
+  AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+  AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
+  AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
+  AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
+  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
+
+---
+
+{{/* This configmap is loaded on ldap container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $proxyConfigName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
+  AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
+  AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
+  AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
+  AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
+  AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
+
+---
+
+{{/* This configmap is loaded on geoip container */}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $geoipConfigName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{- with .Values.geoip.edition_ids }}
+  GEOIPUPDATE_EDITION_IDS: {{ . }}
+  {{- end }}
+  GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
+  {{- with .Values.geoip.host_server }}
+  GEOIPUPDATE_HOST: {{ . }}
+  {{- end }}
+  GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
+  GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
+{{- end -}}

stable/authentik/10.0.40/templates/_geoip.tpl

@@ -0,0 +1,20 @@
+{{/* Define the geoip container */}}
+{{- define "authentik.geoip" -}}
+image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
+imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+volumeMounts:
+  - name: geoip
+    mountPath: "/usr/share/GeoIP"
+envFrom:
+  - secretRef:
+      name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
+{{/* TODO: Add healthchecks */}}
+{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
+{{- end -}}

stable/authentik/10.0.40/templates/_ldap.tpl

@@ -0,0 +1,48 @@
+{{/* Define the ldap container */}}
+{{- define "authentik.ldap" -}}
+image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
+imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
+securityContext:
+  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+envFrom:
+  - secretRef:
+      name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
+ports:
+  - containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
+    name: ldapldaps
+  - containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
+    name: ldapldap
+{{- if .Values.metrics.enabled }}
+  - containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+    name: ldapmetrics
+{{- end }}
+readinessProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}

stable/authentik/10.0.40/templates/_proxy.tpl

@@ -0,0 +1,48 @@
+{{/* Define the proxy container */}}
+{{- define "authentik.proxy" -}}
+image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
+imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
+securityContext:
+  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+envFrom:
+  - secretRef:
+      name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
+ports:
+  - containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
+    name: proxyhttps
+  - containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
+    name: proxyhttp
+{{- if .Values.metrics.enabled }}
+  - containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+    name: proxymetrics
+{{- end }}
+readinessProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+  httpGet:
+    path: /outpost.goauthentik.io/ping
+    port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
+  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}

stable/authentik/10.0.40/templates/_secret.tpl

@@ -0,0 +1,106 @@
+{{/* Define the secret */}}
+{{- define "authentik.secret" -}}
+
+{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
+{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
+{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
+{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
+{{- $token := randAlphaNum 128 | b64enc }}
+
+---
+{{/* This secrets are loaded on both main authentik container and worker */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ $authentikSecretName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{/* Secret Key */}}
+  {{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
+  AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
+  {{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
+  {{- else }}
+  AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
+  {{/* Dependencies */}}
+  AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
+  AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
+  {{/* Credentials */}}
+  {{- with .Values.authentik.credentials.password }}
+  AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
+  {{- end }}
+  {{/* Mail */}}
+  {{- with .Values.authentik.mail.host }}
+  AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.authentik.mail.user }}
+  AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.authentik.mail.pass }}
+  AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.authentik.mail.from }}
+  AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
+  {{- end }}
+
+{{- if .Values.geoip.enabled }}
+---
+{{/* This secrets are loaded on geoip container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ $geoipSecretName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{/* Credentials */}}
+  {{- with .Values.geoip.account_id }}
+  GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.geoip.license_key }}
+  GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
+  {{- end }}
+  {{/* Proxy */}}
+  {{- with .Values.geoip.proxy }}
+  GEOIPUPDATE_PROXY: {{ . | b64enc }}
+  {{- end }}
+  {{- with .Values.geoip.proxy_user_pass }}
+  GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
+  {{- end }}
+{{- end }}
+---
+{{/* This secrets are loaded on ldap container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ $ldapSecretName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{- with .Values.outposts.ldap.token }}
+  AUTHENTIK_TOKEN: {{ . | b64enc }}
+  {{- else }}
+  AUTHENTIK_TOKEN: {{ $token }}
+  {{- end }}
+
+---
+{{/* This secrets are loaded on ldap container */}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ $proxySecretName }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+data:
+  {{- with .Values.outposts.proxy.token }}
+  AUTHENTIK_TOKEN: {{ . | b64enc }}
+  {{- else }}
+  AUTHENTIK_TOKEN: {{ $token }}
+  {{- end }}
+{{- end }}

stable/authentik/10.0.40/templates/_worker.tpl

@@ -0,0 +1,52 @@
+{{/* Define the worker container */}}
+{{- define "authentik.worker" -}}
+image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+securityContext:
+  runAsUser: {{ .Values.podSecurityContext.runAsUser }}
+  runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
+  readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
+  runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+args: ["worker"]
+envFrom:
+  - secretRef:
+      name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
+  - configMapRef:
+      name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
+volumeMounts:
+  - name: media
+    mountPath: "/media"
+  - name: templates
+    mountPath: "/templates"
+  - name: certs
+    mountPath: "/certs"
+  - name: geoip
+    mountPath: "/geoip"
+readinessProbe:
+  exec:
+    command:
+      - /lifecycle/ak
+      - healthcheck
+  initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+  exec:
+    command:
+      - /lifecycle/ak
+      - healthcheck
+  initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+  timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+  periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+  exec:
+    command:
+      - /lifecycle/ak
+      - healthcheck
+  initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+  timeoutSeconds: 10
+  periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+  failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}

stable/authentik/10.0.40/templates/common.yaml

@@ -0,0 +1,45 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.common.loader.init" . }}
+
+{{/* Render secret */}}
+{{- include "authentik.secret" . }}
+
+{{/* Render config */}}
+{{- include "authentik.config" . }}
+
+{{- if hasKey .Values "metrics" -}}
+{{- if .Values.metrics.enabled -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
+{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if .Values.workerContainer.enabled -}}
+{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
+{{- end -}}
+
+{{- if .Values.geoip.enabled -}}
+{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
+{{- end -}}
+
+{{- if .Values.outposts.ldap.enabled -}}
+{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
+{{/* - if .Values.metrics.enabled - */}}
+{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
+{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
+{{/* We can't define multiple ports/endpoints with annotations */}}
+{{/* - end - */}}
+{{- end -}}
+
+{{- if .Values.outposts.proxy.enabled -}}
+{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
+{{/* - if .Values.metrics.enabled - */}}
+{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
+{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
+{{/* We can't define multiple ports/endpoints with annotations */}}
+{{/* - end - */}}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "tc.common.loader.apply" . }}

stable/authentik/10.0.40/templates/prometheusrules.yaml

@@ -0,0 +1,160 @@
+{{- if hasKey .Values "metrics" }}
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "tc.common.names.fullname" . }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+    {{- with .Values.metrics.prometheusRule.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    - name: {{ include "tc.common.names.fullname" . }}
+      rules:
+        {{- with .Values.metrics.prometheusRule.rules }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    {{- if .Values.metrics.prometheusRule.useDefault }}
+    - name: authentik Aggregate request counters
+      rules:
+        - record: job:django_http_requests_before_middlewares_total:sum_rate30s
+          expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
+        - record: job:django_http_requests_unknown_latency_total:sum_rate30s
+          expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
+        - record: job:django_http_ajax_requests_total:sum_rate30s
+          expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
+        - record: job:django_http_responses_before_middlewares_total:sum_rate30s
+          expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
+        - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
+          expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
+        - record: job:django_http_requests_body_total_bytes:sum_rate30s
+          expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
+        - record: job:django_http_responses_streaming_total:sum_rate30s
+          expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
+        - record: job:django_http_responses_body_total_bytes:sum_rate30s
+          expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
+        - record: job:django_http_requests_total:sum_rate30s
+          expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
+        - record: job:django_http_requests_total_by_method:sum_rate30s
+          expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
+        - record: job:django_http_requests_total_by_transport:sum_rate30s
+          expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
+        - record: job:django_http_requests_total_by_view:sum_rate30s
+          expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
+        - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
+          expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
+        - record: job:django_http_responses_total_by_templatename:sum_rate30s
+          expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
+        - record: job:django_http_responses_total_by_status:sum_rate30s
+          expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
+        - record: job:django_http_responses_total_by_status_name_method:sum_rate30s
+          expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
+        - record: job:django_http_responses_total_by_charset:sum_rate30s
+          expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
+        - record: job:django_http_exceptions_total_by_type:sum_rate30s
+          expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
+        - record: job:django_http_exceptions_total_by_view:sum_rate30s
+          expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
+    - name: authentik Aggregate latency histograms
+      rules:
+        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+          expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "50"
+        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+          expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "95"
+        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+          expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "99"
+        - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
+          expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "99.9"
+        - record: job:django_http_requests_latency_seconds:quantile_rate30s
+          expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "50"
+        - record: job:django_http_requests_latency_seconds:quantile_rate30s
+          expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "95"
+        - record: job:django_http_requests_latency_seconds:quantile_rate30s
+          expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "99"
+        - record: job:django_http_requests_latency_seconds:quantile_rate30s
+          expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
+          labels:
+            quantile: "99.9"
+    - name: authentik Aggregate model operations
+      rules:
+        - record: job:django_model_inserts_total:sum_rate1m
+          expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
+        - record: job:django_model_updates_total:sum_rate1m
+          expr: sum(rate(django_model_updates_total[1m])) by (job, model)
+        - record: job:django_model_deletes_total:sum_rate1m
+          expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
+    - name: authentik Aggregate database operations
+      rules:
+        - record: job:django_db_new_connections_total:sum_rate30s
+          expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
+        - record: job:django_db_new_connection_errors_total:sum_rate30s
+          expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
+        - record: job:django_db_execute_total:sum_rate30s
+          expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
+        - record: job:django_db_execute_many_total:sum_rate30s
+          expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
+        - record: job:django_db_errors_total:sum_rate30s
+          expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
+    - name: authentik Aggregate migrations
+      rules:
+        - record: job:django_migrations_applied_total:max
+          expr: max(django_migrations_applied_total) by (job, connection)
+        - record: job:django_migrations_unapplied_total:max
+          expr: max(django_migrations_unapplied_total) by (job, connection)
+    - name: authentik Alerts
+      rules:
+        - alert: NoWorkersConnected
+          expr: max without (pid) (authentik_admin_workers) < 1
+          annotations:
+            message: |
+              authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
+            summary: No workers connected
+          for: 10m
+          labels:
+            severity: critical
+        - alert: PendingMigrations
+          expr: max without (pid) (django_migrations_unapplied_total) > 0
+          annotations:
+            message: |
+              authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
+            summary: Pending database migrations
+          for: 10m
+          labels:
+            severity: critical
+        - alert: FailedSystemTasks
+          expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
+          annotations:
+            message: |
+              System task {{ printf "{{ $labels.task_name }}" }} has failed
+            summary: Failed system tasks
+          for: 2h
+          labels:
+            severity: critical
+        - alert: DisconnectedOutposts
+          expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"}))  < 1
+          annotations:
+            message: |
+              Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
+            summary: Disconnected outpost
+          for: 30m
+          labels:
+            severity: critical
+    {{- end }}
+{{- end }}
+{{- end }}

stable/authentik/10.0.40/templates/servicemonitor.yaml

@@ -0,0 +1,44 @@
+{{- if hasKey .Values "metrics" }}
+{{- if .Values.metrics.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "tc.common.names.fullname" . }}
+  labels:
+    {{- include "tc.common.labels" . | nindent 4 }}
+    {{- with .Values.metrics.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: metrics
+      {{- with .Values.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+
+    - port: ldapmetrics
+      {{- with .Values.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+
+    - port: proxymetrics
+      {{- with .Values.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+{{- end }}
+{{- end }}