Commit new Chart releases for TrueCharts

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
TrueCharts-Bot 2023-06-10 11:06:07 +00:00
parent f5b9399f9f
commit b061424d73
21 changed files with 4029 additions and 0 deletions


@ -0,0 +1,88 @@
**Important:**
*for the complete changelog, please refer to the website*
## [authentik-12.0.0](https://github.com/truecharts/charts/compare/authentik-11.0.0...authentik-12.0.0) (2023-06-10)
### Feat
- hide advanced ingress options behind checbox ([#9203](https://github.com/truecharts/charts/issues/9203))
- BREAKING CHANGE Port to new common ([#9426](https://github.com/truecharts/charts/issues/9426))
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
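Review bot: the `authentik-11.0.0` heading is repeated fifteen times with no entries under it, so the generated changelog should be deduplicated before it is committed; the first `Feat` entry also misspells "checkbox" as "checbox", and the same line is copied into the app changelog further down in this commit.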


@ -0,0 +1,31 @@
apiVersion: v2
appVersion: "2023.4.1"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 12.10.4
- condition: redis.enabled
name: redis
repository: https://deps.truecharts.org
version: 6.0.46
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
home: https://truecharts.org/charts/incubator/authentik
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
keywords:
- authentik
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: authentik
sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 12.0.0
annotations:
truecharts.org/catagories: |
- authentication
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U
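Review bot: the annotation key `truecharts.org/catagories` is misspelled (`categories`); if the catalog tooling matches on that exact string it has to stay, but that is worth confirming before carrying the typo into a new chart.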


@ -0,0 +1,106 @@
Business Source License 1.1
Parameters
Licensor: The TrueCharts Project, it's owner and it's contributors
Licensed Work: The TrueCharts "Blocky" Helm Chart
Additional Use Grant: You may use the licensed work in production, as long
as it is directly sourced from a TrueCharts provided
official repository, catalog or source. You may also make private
modification to the directly sourced licenced work,
when used in production.
The following cases are, due to their nature, also
defined as 'production use' and explicitly prohibited:
- Bundling, including or displaying the licensed work
with(in) another work intended for production use,
with the apparent intend of facilitating and/or
promoting production use by third parties in
violation of this license.
Change Date: 2050-01-01
Change License: 3-clause BSD license
For information about alternative licensing arrangements for the Software,
please contact: legal@truecharts.org
Notice
The Business Source License (this document, or the “License”) is not an Open
Source license. However, the Licensed Work will eventually be made available
under an Open Source License, as stated in this License.
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
“Business Source License” is a trademark of MariaDB Corporation Ab.
-----------------------------------------------------------------------------
Business Source License 1.1
Terms
The Licensor hereby grants you the right to copy, modify, create derivative
works, redistribute, and make non-production use of the Licensed Work. The
Licensor may make an Additional Use Grant, above, permitting limited
production use.
Effective on the Change Date, or the fourth anniversary of the first publicly
available distribution of a specific version of the Licensed Work under this
License, whichever comes first, the Licensor hereby grants you rights under
the terms of the Change License, and the rights granted in the paragraph
above terminate.
If your use of the Licensed Work does not comply with the requirements
currently in effect as described in this License, you must purchase a
commercial license from the Licensor, its affiliated entities, or authorized
resellers, or you must refrain from using the Licensed Work.
All copies of the original and modified Licensed Work, and derivative works
of the Licensed Work, are subject to this License. This License applies
separately for each version of the Licensed Work and the Change Date may vary
for each version of the Licensed Work released by Licensor.
You must conspicuously display this License on each original or modified copy
of the Licensed Work. If you receive the Licensed Work in original or
modified form from a third party, the terms and conditions set forth in this
License apply to your use of that work.
Any use of the Licensed Work in violation of this License will automatically
terminate your rights under this License for the current and all other
versions of the Licensed Work.
This License does not grant you any right in any trademark or logo of
Licensor or its affiliates (provided that you may use a trademark or logo of
Licensor as expressly required by this License).
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
TITLE.
MariaDB hereby grants you permission to use this Licenses text to license
your works, and to refer to it using the trademark “Business Source License”,
as long as you comply with the Covenants of Licensor below.
Covenants of Licensor
In consideration of the right to use this Licenses text and the “Business
Source License” name and trademark, Licensor covenants to MariaDB, and to all
other recipients of the licensed work to be provided by Licensor:
1. To specify as the Change License the GPL Version 2.0 or any later version,
or a license that is compatible with GPL Version 2.0 or a later version,
where “compatible” means that software provided under the Change License can
be included in a program with software provided under GPL Version 2.0 or a
later version. Licensor may specify additional Change Licenses without
limitation.
2. To either: (a) specify an additional grant of rights to use that does not
impose any additional restriction on the right granted in this License, as
the Additional Use Grant; or (b) insert the text “None”.
3. To specify a Change Date.
4. Not to modify this License in any other way.
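Review bot: the Parameters block names the Licensed Work as `The TrueCharts "Blocky" Helm Chart`, but this file is committed under the authentik chart (`name: authentik` in Chart.yaml), so the license is scoped to the wrong work; replace "Blocky" with "authentik". The Licensor line also has `it's` for `its` twice, and the Additional Use Grant has `intend` for `intent`.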


@ -0,0 +1,27 @@
# README
## General Info
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
However only installations using the TrueNAS SCALE Apps system are supported.
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/incubator/)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
*All Rights Reserved - The TrueCharts Project*
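Review bot: the docs link on the `For more information about this App` line points at the generic `https://truecharts.org/charts/incubator/` index rather than the chart page `https://truecharts.org/charts/incubator/authentik` that Chart.yaml uses as `home`; the support list also reads `Open a issue` for `Open an issue`.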


@ -0,0 +1,10 @@
## [authentik-12.0.0](https://github.com/truecharts/charts/compare/authentik-11.0.0...authentik-12.0.0) (2023-06-10)
### Feat
- hide advanced ingress options behind checbox ([#9203](https://github.com/truecharts/charts/issues/9203))
- BREAKING CHANGE Port to new common ([#9426](https://github.com/truecharts/charts/issues/9426))
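Review bot: `checbox` should be `checkbox` in the first Feat entry; this file carries the same text as the main CHANGELOG, so fix it where the entry is generated rather than in both files.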


@ -0,0 +1,8 @@
authentik is an open-source Identity Provider focused on flexibility and versatility.
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/incubator/authentik](https://truecharts.org/charts/incubator/authentik)
---
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!




@ -0,0 +1,290 @@
image:
repository: tccr.io/truecharts/authentik
tag: 2023.4.1@sha256:7d60414d9d5f2395b703228193e8b03c616d7fed6c3cee620940845dd0b725cb
pullPolicy: IfNotPresent
geoipImage:
repository: tccr.io/truecharts/geoipupdate
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
repository: tccr.io/truecharts/authentik-ldap
tag: 2023.4.1@sha256:f737b534c6f3a022b002bb5d635ef491273fd40f8c0b6dd64efa7f5f6265d8cf
pullPolicy: IfNotPresent
proxyImage:
repository: tccr.io/truecharts/authentik-proxy
tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
pullPolicy: IfNotPresent
securityContext:
container:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: false
workload:
main:
replicas: 1
strategy: RollingUpdate
podSpec:
containers:
main:
args: ["server"]
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: https
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: https
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: https
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: https
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: http
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: https
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: http
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: http
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: http
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: http
targetPort: 9303
metrics:
# TODO
main:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
type: "servicemonitor"
endpoints:
- port: main
path: /metrics
interval: 1m
scrapeTimeout: 30s
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
labels: {}
# -- Configure additionial rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
ingress:
proxyhttps:
autoLink: true
# Target selectors taken from authentik's compose file:
# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
persistence:
media:
enabled: true
mountPath: "/media"
targetSelector:
main:
main: {}
worker: {}
templates:
enabled: true
mountPath: "/templates"
targetSelector:
main:
main: {}
worker: {}
certs:
enabled: true
mountPath: "/certs"
targetSelector:
main:
worker: {}
geoip:
enabled: true
mountPath: "/usr/share/GeoIP"
targetSelector:
main:
geoip: {}
cnpg:
main:
enabled: true
user: authentik
database: authentik
cnpgProvider:
port: 5432
# Enabled redis
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
redis:
enabled: true
redisProvider:
port: 6379
workerContainer:
enabled: true
authentik:
credentials:
password: "supersecret"
general:
disable_update_check: false
disable_startup_analytics: true
allow_user_name_change: true
allow_user_mail_change: true
allow_user_username_change: true
gdpr_compliance: true
impersonation: true
avatars: "gravatar,initials"
token_length: 128
# Use single quotes for footer_links
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
mail:
host: ""
port: 25
tls: false
ssl: false
timeout: 10
user: ""
pass: ""
from: ""
error_reporting:
enabled: false
send_pii: false
environment: "customer"
logging:
log_level: "info"
ldap:
tls_ciphers: "null"
geoip:
enabled: false
account_id: ""
license_key: ""
proxy: ""
proxy_user_pass: ""
edition_ids: "GeoLite2-City"
frequency: 8
host_server: "updates.maxmind.com"
preserve_file_times: false
verbose: false
outposts:
ldap:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
proxy:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
portal:
open:
enabled: true
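Review bot: `authentik.credentials.password: "supersecret"` ships a fixed default for the bootstrap admin password, and the secrets template passes it straight through as `AUTHENTIK_BOOTSTRAP_PASSWORD`, so every install that does not override it gets the same well-known admin credential. Default it to an empty string (the `with` block in the secrets template already skips empty values, so the operator sets the password at first run instead) or fail the render when it is unset. Smaller items in the same file: the comment above `redis:` links to `https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis`, which looks like a search-and-replace on `truecharts` gone wrong; the commented `UnifiPollerAbsent` rule under `metrics.main.prometheusRule.rules` is left over from another chart; and `ldap.tls_ciphers: "null"` is a non-empty string, so the configmap template's `with` block will emit the literal value `null` rather than leaving the setting unset.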



@ -0,0 +1 @@
{{- include "tc.v1.common.lib.chart.notes" $ -}}


@ -0,0 +1,118 @@
{{/* Define the configmaps */}}
{{- define "authentik.configmaps" -}}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
{{- if .Values.ingress.main.enabled }}
{{ $first := (first .Values.ingress.main.hosts) }}
{{- if $first }}
{{ $host = printf "https://%s" $first.host }}
{{- end }}
{{- end }}
{{/* This configmap is loaded in both the main authentik container and worker */}}
{{ $authServerWorkerConfigName }}:
enabled: true
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
{{- with $redis := .Values.redisProvider }}
AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
{{- end }}
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
{{- with $cnpg := .Values.cnpgProvider }}
AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
{{/* This configmap is loaded in both the main authentik container and worker */}}
{{ $authServerConfigName }}:
enabled: true
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
{{/* This configmap is loaded in the geoip container */}}
{{ $geoipConfigName }}:
enabled: {{ .Values.geoip.enabled }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{/* This configmap is loaded in the ldap container */}}
{{ $ldapConfigName }}:
enabled: {{ .Values.outposts.ldap.enabled }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
{{/* This configmap is loaded in the proxy container */}}
{{ $proxyConfigName }}:
enabled: {{ .Values.outposts.proxy.enabled }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
{{- end -}}
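Review bot: `AUTHENTIK_INSECURE` defaults to `"true"` for both the ldap and proxy outposts, which turns off certificate verification on the outpost-to-server connection. That is defensible while `AUTHENTIK_HOST` defaults to `https://localhost:<targetPort>` inside the same pod, but the default does not change when a user sets `outposts.*.host` to an external URL, so the override silently keeps verification off; default `insecure` to `true` only when `host` is empty, or document the coupling next to the commented `insecure` option in values.yaml. Also, the comment above the `$authServerConfigName` configmap says it is loaded in both the main container and the worker, but only the main container's `envFrom` references `-authentik-server-config`; the worker container loads just `-authentik-config`.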


@ -0,0 +1,23 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip.container" -}}
enabled: true
primary: false
imageSelector: geoipImage
securityContext:
runAsUser: 0
runAsGroup: 0
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
probes:
readiness:
enabled: false
liveness:
enabled: false
startup:
enabled: false
{{- end -}}
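Review bot: the geoip sidecar overrides the chart-wide `runAsUser: 1000` with `runAsUser: 0` / `runAsGroup: 0`, so the one container that pulls data from the internet is the one running as root. If the reason is write access to the `/usr/share/GeoIP` volume, an `fsGroup` on the pod or the chart's group id on that mount is the usual fix; if the image genuinely needs root, say so in a comment. All three probes are disabled, so a stuck updater is never restarted; the linked upstream issue is a fair reason for skipping an HTTP check, but a startup probe that looks for the downloaded database file under `/usr/share/GeoIP` would still catch a failed first run.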


@ -0,0 +1,39 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap.container" -}}
enabled: true
primary: false
imageSelector: ldapImage
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
ports:
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
name: ldapldaps
- containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
name: ldapldap
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
name: ldapmetrics
{{- end }}
probes:
readiness:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
liveness:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
startup:
enabled: true
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
{{- end -}}
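Review bot: the `{{- if .Values.metrics.enabled }}` guard around the `ldapmetrics` containerPort reads a key values.yaml does not define (it nests the flag as `metrics.main.enabled`), so the branch is always false and the metrics port is never declared, while the readiness, liveness and startup probes below still target `service.ldapmetrics.ports.ldapmetrics.targetPort`. Either switch the guard to `.Values.metrics.main.enabled` or drop it, since the probes depend on that listener regardless of whether scraping is enabled.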


@ -0,0 +1,39 @@
{{/* Define the proxy container */}}
{{- define "authentik.proxy.container" -}}
enabled: true
primary: false
imageSelector: proxyImage
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
ports:
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
name: proxyhttps
- containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
name: proxyhttp
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
name: proxymetrics
{{- end }}
probes:
readiness:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
liveness:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
startup:
enabled: true
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
{{- end -}}
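Review bot: same issue as the ldap container: `.Values.metrics.enabled` is not a key in values.yaml (`metrics.main.enabled` is), so `proxymetrics` is never added to the container's ports even though all three probes target it. The rest of this file mirrors the ldap template line for line; factoring the shared securityContext and probe block into one named template would keep the two outposts from drifting.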


@ -0,0 +1,81 @@
{{/* Define the secrets */}}
{{- define "authentik.secrets" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
{{- $token := randAlphaNum 128 }}
{{/* This secret is loaded in both the main authentik container and worker */}}
{{ $authentikSecretName }}:
enabled: true
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . }}
{{- end }}
{{/* This secret is loaded in the geoip container */}}
{{ $geoipSecretName }}:
enabled: {{ .Values.geoip.enabled }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
{{- end }}
{{/* This secret is loaded in the ldap container */}}
{{ $ldapSecretName }}:
enabled: {{ .Values.outposts.ldap.enabled }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{/* This secret is loaded in the proxy container */}}
{{ $proxySecretName }}:
enabled: {{ .Values.outposts.proxy.enabled }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{- end }}
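Review bot: the `$token` generated with `randAlphaNum 128` is written as `AUTHENTIK_BOOTSTRAP_TOKEN`, an API token for the bootstrap admin user, and then reused as `AUTHENTIK_TOKEN` for the ldap and proxy outposts whenever `outposts.*.token` is unset, so both outpost containers hold an admin-level credential rather than a token scoped to that outpost; generate or look up a separate value per outpost. Second, the two `AUTHENTIK_SECRET_KEY` branches are not encoded alike: on first install it is the plain `randAlphaNum 32`, but on upgrade it is `index .data "AUTHENTIK_SECRET_KEY"`, and `lookup` returns `.data` base64-encoded, so unless the common secret template expects pre-encoded input the key changes on the first upgrade (and the same applies to the reused `AUTHENTIK_BOOTSTRAP_TOKEN`); pipe the looked-up values through `b64dec`. Third, `AUTHENTIK_BOOTSTRAP_PASSWORD`, the mail credentials and the geoip license key are emitted with a bare `{{ . }}`, so a value containing `: `, ` #` or a leading `*` or `&` breaks the `fromYaml` in common.yaml; use `| quote` as the configmap template already does for most of its values.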


@ -0,0 +1,31 @@
{{/* Define the worker container */}}
{{- define "authentik.worker.container" -}}
enabled: true
primary: false
imageSelector: image
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
probes:
readiness:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
liveness:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
startup:
enabled: true
type: exec
command:
- /lifecycle/ak
- healthcheck
{{- end -}}


@ -0,0 +1,46 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.v1.common.loader.init" . }}
{{/* Render secrets for authentik and friends */}}
{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
{{- if $authentikSecrets -}}
{{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
{{- $_ := set .Values "secret" $secrets -}}
{{- end -}}
{{/* Render configmaps for authentik and friends */}}
{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
{{- if $authentikConfigmaps -}}
{{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
{{- $_ := set .Values "configmap" $configmaps -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{- if .Values.outposts.proxy.enabled -}}
{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.v1.common.loader.apply" . }}
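Review bot: the commented-out `if .Values.metrics.enabled` blocks under both outposts reference a key values.yaml does not define (`metrics.main.enabled` is the real one), the same mismatch as in the ldap and proxy container templates; if these stay as TODO markers, point them at the right key so the next edit does not copy the wrong path. The `mustMerge` calls give `$.Values.secret` and `$.Values.configmap` precedence over the generated entries, which is right for user overrides, but it also means a user-supplied secret named `<fullname>-authentik-secret` silently replaces the generated one, credentials included; a one-line comment saying so would help.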


@ -0,0 +1,160 @@
{{- if hasKey .Values "metrics" }}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
rules:
{{- with .Values.metrics.prometheusRule.rules }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.useDefault }}
- name: authentik Aggregate request counters
rules:
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
- record: job:django_http_ajax_requests_total:sum_rate30s
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
- record: job:django_http_requests_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
- record: job:django_http_responses_streaming_total:sum_rate30s
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
- record: job:django_http_responses_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
- record: job:django_http_requests_total:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
- record: job:django_http_requests_total_by_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
- record: job:django_http_requests_total_by_transport:sum_rate30s
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
- record: job:django_http_requests_total_by_view:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
- record: job:django_http_responses_total_by_templatename:sum_rate30s
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
- record: job:django_http_responses_total_by_status:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
- record: job:django_http_responses_total_by_charset:sum_rate30s
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
- record: job:django_http_exceptions_total_by_type:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
- record: job:django_http_exceptions_total_by_view:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
- name: authentik Aggregate latency histograms
rules:
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- name: authentik Aggregate model operations
rules:
- record: job:django_model_inserts_total:sum_rate1m
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
- record: job:django_model_updates_total:sum_rate1m
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
- record: job:django_model_deletes_total:sum_rate1m
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
- name: authentik Aggregate database operations
rules:
- record: job:django_db_new_connections_total:sum_rate30s
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
- record: job:django_db_new_connection_errors_total:sum_rate30s
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
- record: job:django_db_execute_total:sum_rate30s
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
- record: job:django_db_execute_many_total:sum_rate30s
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
- record: job:django_db_errors_total:sum_rate30s
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
- name: authentik Aggregate migrations
rules:
- record: job:django_migrations_applied_total:max
expr: max(django_migrations_applied_total) by (job, connection)
- record: job:django_migrations_unapplied_total:max
expr: max(django_migrations_unapplied_total) by (job, connection)
- name: authentik Alerts
rules:
- alert: NoWorkersConnected
expr: max without (pid) (authentik_admin_workers) < 1
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
summary: No workers connected
for: 10m
labels:
severity: critical
- alert: PendingMigrations
expr: max without (pid) (django_migrations_unapplied_total) > 0
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
summary: Pending database migrations
for: 10m
labels:
severity: critical
- alert: FailedSystemTasks
expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
annotations:
message: |
System task {{ printf "{{ $labels.task_name }}" }} has failed
summary: Failed system tasks
for: 2h
labels:
severity: critical
- alert: DisconnectedOutposts
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
annotations:
message: |
Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
summary: Disconnected outpost
for: 30m
labels:
severity: critical
{{- end }}
{{- end }}
{{- end }}
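Review bot: the `DisconnectedOutposts` alert's annotation contradicts its expression: `sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1` fires only when an outpost has no connected instance at all, while the message says the outpost "has at least 1 disconnected instance"; either reword the message and summary to "no connected instances", or, if any disconnected instance should alert, compare the connected count against the expected instance count instead. Separately, this template mixes helper generations: the name comes from `tc.v1.common.lib.chart.names.fullname` while the labels come from `tc.common.labels`; confirm that helper still exists in the new common library this commit ports to, since `include` of an undefined template fails the whole render.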


@ -0,0 +1,44 @@
{{- if hasKey .Values "metrics" }}
{{- if .Values.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
endpoints:
- port: metrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: ldapmetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: proxymetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- end }}
{{- end }}
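Review bot: the `ldapmetrics` and `proxymetrics` endpoints are emitted whenever `.Values.metrics.enabled` is true, regardless of whether the LDAP and proxy outposts are deployed (the `proxy-outpost` container in the template above is only added inside a conditional block); an endpoint whose port name does not exist on the Service matches no targets and silently scrapes nothing, so gate each of those endpoints on the corresponding outpost's enable flag. The three endpoint stanzas differ only in the port name, so a `range` over the enabled port names with a single `interval`/`scrapeTimeout` block would remove the duplication; and `matchLabels` relies on `tc.common.labels.selectorLabels`, which must emit the same labels the new common puts on the Service or the ServiceMonitor selects nothing.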
