Commit new Chart releases for TrueCharts
Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
This commit is contained in:
parent
f5b9399f9f
commit
b061424d73
|
@ -0,0 +1,88 @@
|
|||
**Important:**
|
||||
*for the complete changelog, please refer to the website*
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-12.0.0](https://github.com/truecharts/charts/compare/authentik-11.0.0...authentik-12.0.0) (2023-06-10)
|
||||
|
||||
### Feat
|
||||
|
||||
- hide advanced ingress options behind checbox ([#9203](https://github.com/truecharts/charts/issues/9203))
|
||||
- BREAKING CHANGE Port to new common ([#9426](https://github.com/truecharts/charts/issues/9426))
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
||||
|
||||
|
||||
|
||||
## [authentik-11.0.0](https://github.com/truecharts/charts/compare/authentik-10.0.46...authentik-11.0.0) (2023-05-24)
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: v2
|
||||
appVersion: "2023.4.1"
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 12.10.4
|
||||
- condition: redis.enabled
|
||||
name: redis
|
||||
repository: https://deps.truecharts.org
|
||||
version: 6.0.46
|
||||
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
|
||||
home: https://truecharts.org/charts/incubator/authentik
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
|
||||
keywords:
|
||||
- authentik
|
||||
kubeVersion: ">=1.16.0-0"
|
||||
maintainers:
|
||||
- email: info@truecharts.org
|
||||
name: TrueCharts
|
||||
url: https://truecharts.org
|
||||
name: authentik
|
||||
sources:
|
||||
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
|
||||
- https://github.com/goauthentik/authentik
|
||||
- https://goauthentik.io/docs/
|
||||
version: 12.0.0
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- authentication
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/grade: U
|
|
@ -0,0 +1,106 @@
|
|||
Business Source License 1.1
|
||||
|
||||
Parameters
|
||||
|
||||
Licensor: The TrueCharts Project, it's owner and it's contributors
|
||||
Licensed Work: The TrueCharts "Blocky" Helm Chart
|
||||
Additional Use Grant: You may use the licensed work in production, as long
|
||||
as it is directly sourced from a TrueCharts provided
|
||||
official repository, catalog or source. You may also make private
|
||||
modification to the directly sourced licenced work,
|
||||
when used in production.
|
||||
|
||||
The following cases are, due to their nature, also
|
||||
defined as 'production use' and explicitly prohibited:
|
||||
- Bundling, including or displaying the licensed work
|
||||
with(in) another work intended for production use,
|
||||
with the apparent intend of facilitating and/or
|
||||
promoting production use by third parties in
|
||||
violation of this license.
|
||||
|
||||
Change Date: 2050-01-01
|
||||
|
||||
Change License: 3-clause BSD license
|
||||
|
||||
For information about alternative licensing arrangements for the Software,
|
||||
please contact: legal@truecharts.org
|
||||
|
||||
Notice
|
||||
|
||||
The Business Source License (this document, or the “License”) is not an Open
|
||||
Source license. However, the Licensed Work will eventually be made available
|
||||
under an Open Source License, as stated in this License.
|
||||
|
||||
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
|
||||
“Business Source License” is a trademark of MariaDB Corporation Ab.
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
Business Source License 1.1
|
||||
|
||||
Terms
|
||||
|
||||
The Licensor hereby grants you the right to copy, modify, create derivative
|
||||
works, redistribute, and make non-production use of the Licensed Work. The
|
||||
Licensor may make an Additional Use Grant, above, permitting limited
|
||||
production use.
|
||||
|
||||
Effective on the Change Date, or the fourth anniversary of the first publicly
|
||||
available distribution of a specific version of the Licensed Work under this
|
||||
License, whichever comes first, the Licensor hereby grants you rights under
|
||||
the terms of the Change License, and the rights granted in the paragraph
|
||||
above terminate.
|
||||
|
||||
If your use of the Licensed Work does not comply with the requirements
|
||||
currently in effect as described in this License, you must purchase a
|
||||
commercial license from the Licensor, its affiliated entities, or authorized
|
||||
resellers, or you must refrain from using the Licensed Work.
|
||||
|
||||
All copies of the original and modified Licensed Work, and derivative works
|
||||
of the Licensed Work, are subject to this License. This License applies
|
||||
separately for each version of the Licensed Work and the Change Date may vary
|
||||
for each version of the Licensed Work released by Licensor.
|
||||
|
||||
You must conspicuously display this License on each original or modified copy
|
||||
of the Licensed Work. If you receive the Licensed Work in original or
|
||||
modified form from a third party, the terms and conditions set forth in this
|
||||
License apply to your use of that work.
|
||||
|
||||
Any use of the Licensed Work in violation of this License will automatically
|
||||
terminate your rights under this License for the current and all other
|
||||
versions of the Licensed Work.
|
||||
|
||||
This License does not grant you any right in any trademark or logo of
|
||||
Licensor or its affiliates (provided that you may use a trademark or logo of
|
||||
Licensor as expressly required by this License).
|
||||
|
||||
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
|
||||
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
|
||||
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
|
||||
TITLE.
|
||||
|
||||
MariaDB hereby grants you permission to use this License’s text to license
|
||||
your works, and to refer to it using the trademark “Business Source License”,
|
||||
as long as you comply with the Covenants of Licensor below.
|
||||
|
||||
Covenants of Licensor
|
||||
|
||||
In consideration of the right to use this License’s text and the “Business
|
||||
Source License” name and trademark, Licensor covenants to MariaDB, and to all
|
||||
other recipients of the licensed work to be provided by Licensor:
|
||||
|
||||
1. To specify as the Change License the GPL Version 2.0 or any later version,
|
||||
or a license that is compatible with GPL Version 2.0 or a later version,
|
||||
where “compatible” means that software provided under the Change License can
|
||||
be included in a program with software provided under GPL Version 2.0 or a
|
||||
later version. Licensor may specify additional Change Licenses without
|
||||
limitation.
|
||||
|
||||
2. To either: (a) specify an additional grant of rights to use that does not
|
||||
impose any additional restriction on the right granted in this License, as
|
||||
the Additional Use Grant; or (b) insert the text “None”.
|
||||
|
||||
3. To specify a Change Date.
|
||||
|
||||
4. Not to modify this License in any other way.
|
|
@ -0,0 +1,27 @@
|
|||
# README
|
||||
|
||||
## General Info
|
||||
|
||||
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
|
||||
However only installations using the TrueNAS SCALE Apps system are supported.
|
||||
|
||||
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/incubator/)
|
||||
|
||||
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
|
||||
|
||||
|
||||
## Support
|
||||
|
||||
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
|
||||
- See the [Website](https://truecharts.org)
|
||||
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
|
||||
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
|
||||
|
||||
---
|
||||
|
||||
## Sponsor TrueCharts
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
||||
|
||||
*All Rights Reserved - The TrueCharts Project*
|
|
@ -0,0 +1,10 @@
|
|||
|
||||
|
||||
## [authentik-12.0.0](https://github.com/truecharts/charts/compare/authentik-11.0.0...authentik-12.0.0) (2023-06-10)
|
||||
|
||||
### Feat
|
||||
|
||||
- hide advanced ingress options behind checbox ([#9203](https://github.com/truecharts/charts/issues/9203))
|
||||
- BREAKING CHANGE Port to new common ([#9426](https://github.com/truecharts/charts/issues/9426))
|
||||
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
authentik is an open-source Identity Provider focused on flexibility and versatility.
|
||||
|
||||
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/incubator/authentik](https://truecharts.org/charts/incubator/authentik)
|
||||
|
||||
---
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,290 @@
|
|||
image:
|
||||
repository: tccr.io/truecharts/authentik
|
||||
tag: 2023.4.1@sha256:7d60414d9d5f2395b703228193e8b03c616d7fed6c3cee620940845dd0b725cb
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
geoipImage:
|
||||
repository: tccr.io/truecharts/geoipupdate
|
||||
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
ldapImage:
|
||||
repository: tccr.io/truecharts/authentik-ldap
|
||||
tag: 2023.4.1@sha256:f737b534c6f3a022b002bb5d635ef491273fd40f8c0b6dd64efa7f5f6265d8cf
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
proxyImage:
|
||||
repository: tccr.io/truecharts/authentik-proxy
|
||||
tag: 2023.4.1@sha256:b6e40435836333bdc53afde38f4c4bfb342005b0636d769c641c79348ce1aae4
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
securityContext:
|
||||
container:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
workload:
|
||||
main:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
args: ["server"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-server-config'
|
||||
probes:
|
||||
liveness:
|
||||
type: https
|
||||
path: /-/health/live/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
readiness:
|
||||
type: https
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
startup:
|
||||
type: https
|
||||
path: /-/health/ready/
|
||||
port: "{{ .Values.service.main.ports.main.targetPort }}"
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
protocol: https
|
||||
port: 10229
|
||||
targetPort: 9443
|
||||
http:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
http:
|
||||
enabled: true
|
||||
protocol: http
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
# LDAP Outpost Services
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldaps:
|
||||
enabled: true
|
||||
port: 636
|
||||
targetPort: 6636
|
||||
ldapldap:
|
||||
enabled: true
|
||||
ports:
|
||||
ldapldap:
|
||||
enabled: true
|
||||
port: 389
|
||||
targetPort: 3389
|
||||
# Proxy Outpost Services
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
ports:
|
||||
proxyhttps:
|
||||
enabled: true
|
||||
port: 10233
|
||||
protocol: https
|
||||
targetPort: 9444
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxyhttp:
|
||||
enabled: true
|
||||
port: 10234
|
||||
protocol: http
|
||||
targetPort: 9001
|
||||
# Metrics Services
|
||||
metrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
protocol: http
|
||||
port: 10231
|
||||
targetPort: 9301
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
ldapmetrics:
|
||||
enabled: true
|
||||
port: 10232
|
||||
protocol: http
|
||||
targetPort: 9302
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
ports:
|
||||
proxymetrics:
|
||||
enabled: true
|
||||
port: 10235
|
||||
protocol: http
|
||||
targetPort: 9303
|
||||
|
||||
metrics:
|
||||
# TODO
|
||||
main:
|
||||
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
enabled: false
|
||||
type: "servicemonitor"
|
||||
endpoints:
|
||||
- port: main
|
||||
path: /metrics
|
||||
interval: 1m
|
||||
scrapeTimeout: 30s
|
||||
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
labels: {}
|
||||
# -- Configure additionial rules for the chart under this key.
|
||||
# @default -- See prometheusrules.yaml
|
||||
rules:
|
||||
[]
|
||||
# - alert: UnifiPollerAbsent
|
||||
# annotations:
|
||||
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||||
# summary: Unifi Poller is down.
|
||||
# expr: |
|
||||
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
|
||||
ingress:
|
||||
proxyhttps:
|
||||
autoLink: true
|
||||
|
||||
# Target selectors taken from authentik's compose file:
|
||||
# See https://github.com/goauthentik/authentik/blob/main/docker-compose.yml
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
mountPath: "/media"
|
||||
targetSelector:
|
||||
main:
|
||||
main: {}
|
||||
worker: {}
|
||||
templates:
|
||||
enabled: true
|
||||
mountPath: "/templates"
|
||||
targetSelector:
|
||||
main:
|
||||
main: {}
|
||||
worker: {}
|
||||
certs:
|
||||
enabled: true
|
||||
mountPath: "/certs"
|
||||
targetSelector:
|
||||
main:
|
||||
worker: {}
|
||||
geoip:
|
||||
enabled: true
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
targetSelector:
|
||||
main:
|
||||
geoip: {}
|
||||
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: authentik
|
||||
database: authentik
|
||||
|
||||
cnpgProvider:
|
||||
port: 5432
|
||||
|
||||
# Enabled redis
|
||||
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
|
||||
redis:
|
||||
enabled: true
|
||||
|
||||
redisProvider:
|
||||
port: 6379
|
||||
|
||||
workerContainer:
|
||||
enabled: true
|
||||
|
||||
authentik:
|
||||
credentials:
|
||||
password: "supersecret"
|
||||
general:
|
||||
disable_update_check: false
|
||||
disable_startup_analytics: true
|
||||
allow_user_name_change: true
|
||||
allow_user_mail_change: true
|
||||
allow_user_username_change: true
|
||||
gdpr_compliance: true
|
||||
impersonation: true
|
||||
avatars: "gravatar,initials"
|
||||
token_length: 128
|
||||
# Use single quotes for footer_links
|
||||
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
|
||||
mail:
|
||||
host: ""
|
||||
port: 25
|
||||
tls: false
|
||||
ssl: false
|
||||
timeout: 10
|
||||
user: ""
|
||||
pass: ""
|
||||
from: ""
|
||||
error_reporting:
|
||||
enabled: false
|
||||
send_pii: false
|
||||
environment: "customer"
|
||||
logging:
|
||||
log_level: "info"
|
||||
ldap:
|
||||
tls_ciphers: "null"
|
||||
|
||||
geoip:
|
||||
enabled: false
|
||||
account_id: ""
|
||||
license_key: ""
|
||||
proxy: ""
|
||||
proxy_user_pass: ""
|
||||
edition_ids: "GeoLite2-City"
|
||||
frequency: 8
|
||||
host_server: "updates.maxmind.com"
|
||||
preserve_file_times: false
|
||||
verbose: false
|
||||
|
||||
outposts:
|
||||
ldap:
|
||||
# -- First you have to create an Outpost in the GUI. Applications > Outposts
|
||||
enabled: false
|
||||
# -- Host Browser by default is set to the first ingress host you set
|
||||
# host_browser: ""
|
||||
# -- Host should not need to be overridden. Defaults to https://localhost:9443
|
||||
# host: ""
|
||||
# -- As we use https://localhost:9443 it's an unsecure connection
|
||||
# insecure: false
|
||||
# -- Token is only needed if you accidentally deleted the token within the UI
|
||||
# token: ""
|
||||
proxy:
|
||||
# -- First you have to create an Outpost in the GUI. Applications > Outposts
|
||||
enabled: false
|
||||
# -- Host Browser by default is set to the first ingress host you set
|
||||
# host_browser: ""
|
||||
# -- As we use https://localhost:9443 it's an unsecure connection
|
||||
# insecure: false
|
||||
# -- Host should not need to be overridden. Defaults to https://localhost:9443
|
||||
# host: ""
|
||||
# -- Token is only needed if you accidentally deleted the token within the UI
|
||||
# token: ""
|
||||
|
||||
portal:
|
||||
open:
|
||||
enabled: true
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1 @@
|
|||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
|
@ -0,0 +1,118 @@
|
|||
{{/* Define the configmaps */}}
|
||||
{{- define "authentik.configmaps" -}}
|
||||
|
||||
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
|
||||
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
|
||||
{{- if .Values.ingress.main.enabled }}
|
||||
{{ $first := (first .Values.ingress.main.hosts) }}
|
||||
{{- if $first }}
|
||||
{{ $host = printf "https://%s" $first.host }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This configmap is loaded in both the main authentik container and worker */}}
|
||||
{{ $authServerWorkerConfigName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_REDIS__HOST: {{ .Values.redis.creds.plain }}
|
||||
{{- with $redis := .Values.redisProvider }}
|
||||
AUTHENTIK_REDIS__PORT: {{ default 6379 $redis.port | quote }}
|
||||
{{- end }}
|
||||
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.cnpg.main.database }}
|
||||
AUTHENTIK_POSTGRESQL__USER: {{ .Values.cnpg.main.user }}
|
||||
AUTHENTIK_POSTGRESQL__HOST: {{ .Values.cnpg.main.creds.host }}
|
||||
{{- with $cnpg := .Values.cnpgProvider }}
|
||||
AUTHENTIK_POSTGRESQL__PORT: {{ default 5432 $cnpg.port | quote }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.port }}
|
||||
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
|
||||
{{- end }}
|
||||
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
|
||||
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
|
||||
{{- with .Values.authentik.mail.timeout }}
|
||||
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Logging */}}
|
||||
{{- with .Values.authentik.logging.log_level }}
|
||||
AUTHENTIK_LOG_LEVEL: {{ . }}
|
||||
{{- end }}
|
||||
{{/* General */}}
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
|
||||
{{- with .Values.authentik.general.avatars }}
|
||||
AUTHENTIK_AVATARS: {{ . }}
|
||||
{{- end }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
|
||||
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
|
||||
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
|
||||
{{- with .Values.authentik.general.footer_links }}
|
||||
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
|
||||
{{- end }}
|
||||
{{/* Error Reporting */}}
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
|
||||
{{- with .Values.authentik.error_reporting.environment }}
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
|
||||
{{- end }}
|
||||
{{/* LDAP */}}
|
||||
{{- with .Values.authentik.ldap.tls_ciphers }}
|
||||
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{/* Outposts */}}
|
||||
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
|
||||
|
||||
{{/* This configmap is loaded in both the main authentik container and worker */}}
|
||||
{{ $authServerConfigName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Listen */}}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
|
||||
|
||||
{{/* This configmap is loaded in the geoip container */}}
|
||||
{{ $geoipConfigName }}:
|
||||
enabled: {{ .Values.geoip.enabled }}
|
||||
data:
|
||||
{{- with .Values.geoip.edition_ids }}
|
||||
GEOIPUPDATE_EDITION_IDS: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
|
||||
{{- with .Values.geoip.host_server }}
|
||||
GEOIPUPDATE_HOST: {{ . }}
|
||||
{{- end }}
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
|
||||
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
|
||||
|
||||
{{/* This configmap is loaded in the ldap container */}}
|
||||
{{ $ldapConfigName }}:
|
||||
enabled: {{ .Values.outposts.ldap.enabled }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
|
||||
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
|
||||
|
||||
{{/* This configmap is loaded in the proxy container */}}
|
||||
{{ $proxyConfigName }}:
|
||||
enabled: {{ .Values.outposts.proxy.enabled }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
|
||||
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
|
||||
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
|
||||
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
|
||||
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
|
||||
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,23 @@
|
|||
{{/* Define the geoip container */}}
|
||||
{{- define "authentik.geoip.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: geoipImage
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-geoip-config'
|
||||
{{/* TODO: Add healthchecks */}}
|
||||
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
|
||||
probes:
|
||||
readiness:
|
||||
enabled: false
|
||||
liveness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
{{- end -}}
|
|
@ -0,0 +1,39 @@
|
|||
{{/* Define the ldap container */}}
|
||||
{{- define "authentik.ldap.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: ldapImage
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-ldap-config'
|
||||
ports:
|
||||
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
|
||||
name: ldapldaps
|
||||
- containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
|
||||
name: ldapldap
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
name: ldapmetrics
|
||||
{{- end }}
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
liveness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
startup:
|
||||
enabled: true
|
||||
type: {{ .Values.service.ldapmetrics.ports.ldapmetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,39 @@
|
|||
{{/* Define the proxy container */}}
|
||||
{{- define "authentik.proxy.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: proxyImage
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-proxy-config'
|
||||
ports:
|
||||
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
|
||||
name: proxyhttps
|
||||
- containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
|
||||
name: proxyhttp
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
name: proxymetrics
|
||||
{{- end }}
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
liveness:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
startup:
|
||||
enabled: true
|
||||
type: {{ .Values.service.proxymetrics.ports.proxymetrics.protocol }}
|
||||
path: /outpost.goauthentik.io/ping
|
||||
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,81 @@
|
|||
{{/* Define the secrets */}}
|
||||
{{- define "authentik.secrets" -}}
|
||||
|
||||
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.v1.common.lib.chart.names.fullname" .) }}
|
||||
{{- $token := randAlphaNum 128 }}
|
||||
|
||||
{{/* This secret is loaded in both the main authentik container and worker */}}
|
||||
{{ $authentikSecretName }}:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Secret Key */}}
|
||||
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
|
||||
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
|
||||
{{- else }}
|
||||
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 }}
|
||||
{{- end }}
|
||||
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
|
||||
{{/* Dependencies */}}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
|
||||
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.authentik.credentials.password }}
|
||||
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
{{/* Mail */}}
|
||||
{{- with .Values.authentik.mail.host }}
|
||||
AUTHENTIK_EMAIL__HOST: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.user }}
|
||||
AUTHENTIK_EMAIL__USERNAME: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.pass }}
|
||||
AUTHENTIK_EMAIL__PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.authentik.mail.from }}
|
||||
AUTHENTIK_EMAIL__FROM: {{ . }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This secret is loaded in the geoip container */}}
|
||||
{{ $geoipSecretName }}:
|
||||
enabled: {{ .Values.geoip.enabled }}
|
||||
data:
|
||||
{{/* Credentials */}}
|
||||
{{- with .Values.geoip.account_id }}
|
||||
GEOIPUPDATE_ACCOUNT_ID: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.license_key }}
|
||||
GEOIPUPDATE_LICENSE_KEY: {{ . }}
|
||||
{{- end }}
|
||||
{{/* Proxy */}}
|
||||
{{- with .Values.geoip.proxy }}
|
||||
GEOIPUPDATE_PROXY: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.geoip.proxy_user_pass }}
|
||||
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This secret is loaded in the ldap container */}}
|
||||
{{ $ldapSecretName }}:
|
||||
enabled: {{ .Values.outposts.ldap.enabled }}
|
||||
data:
|
||||
{{- with .Values.outposts.ldap.token }}
|
||||
AUTHENTIK_TOKEN: {{ . }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
|
||||
{{/* This secret is loaded in the proxy container */}}
|
||||
{{ $proxySecretName }}:
|
||||
enabled: {{ .Values.outposts.proxy.enabled }}
|
||||
data:
|
||||
{{- with .Values.outposts.proxy.token }}
|
||||
AUTHENTIK_TOKEN: {{ . }}
|
||||
{{- else }}
|
||||
AUTHENTIK_TOKEN: {{ $token }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,31 @@
|
|||
{{/* Define the worker container */}}
|
||||
{{- define "authentik.worker.container" -}}
|
||||
enabled: true
|
||||
primary: false
|
||||
imageSelector: image
|
||||
args: ["worker"]
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.v1.common.lib.chart.names.fullname" . }}-authentik-config'
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
liveness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
startup:
|
||||
enabled: true
|
||||
type: exec
|
||||
command:
|
||||
- /lifecycle/ak
|
||||
- healthcheck
|
||||
{{- end -}}
|
|
@ -0,0 +1,46 @@
|
|||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.v1.common.loader.init" . }}
|
||||
|
||||
{{/* Render secrets for authentik and friends */}}
|
||||
{{- $authentikSecrets := include "authentik.secrets" . | fromYaml -}}
|
||||
{{- if $authentikSecrets -}}
|
||||
{{ $secrets := (mustMerge $.Values.secret $authentikSecrets) }}
|
||||
{{- $_ := set .Values "secret" $secrets -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render configmaps for authentik and friends */}}
|
||||
{{- $authentikConfigmaps := include "authentik.configmaps" . | fromYaml -}}
|
||||
{{- if $authentikConfigmaps -}}
|
||||
{{ $configmaps := (mustMerge $.Values.configmap $authentikConfigmaps) }}
|
||||
{{- $_ := set .Values "configmap" $configmaps -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- if .Values.workerContainer.enabled -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "worker" (include "authentik.worker.container" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.geoip.enabled -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "geoip" (include "authentik.geoip.container" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.ldap.enabled -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "ldap-outpost" (include "authentik.ldap.container" . | fromYaml) -}}
|
||||
{{/* - if .Values.metrics.enabled - */}}
|
||||
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
{{/* We can't define multiple ports/endpoints with annotations */}}
|
||||
{{/* - end - */}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.proxy.enabled -}}
|
||||
{{- $_ := set .Values.workload.main.podSpec.containers "proxy-outpost" (include "authentik.proxy.container" . | fromYaml) -}}
|
||||
{{/* - if .Values.metrics.enabled - */}}
|
||||
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
{{/* We can't define multiple ports/endpoints with annotations */}}
|
||||
{{/* - end - */}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.v1.common.loader.apply" . }}
|
|
@ -0,0 +1,160 @@
|
|||
{{- if hasKey .Values "metrics" }}
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
{{- with .Values.metrics.prometheusRule.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
groups:
|
||||
- name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
rules:
|
||||
{{- with .Values.metrics.prometheusRule.rules }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.prometheusRule.useDefault }}
|
||||
- name: authentik Aggregate request counters
|
||||
rules:
|
||||
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
|
||||
- record: job:django_http_ajax_requests_total:sum_rate30s
|
||||
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
|
||||
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_body_total_bytes:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
|
||||
- record: job:django_http_responses_streaming_total:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
|
||||
- record: job:django_http_responses_body_total_bytes:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
|
||||
- record: job:django_http_requests_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
|
||||
- record: job:django_http_requests_total_by_method:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
|
||||
- record: job:django_http_requests_total_by_transport:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
|
||||
- record: job:django_http_requests_total_by_view:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
|
||||
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
|
||||
- record: job:django_http_responses_total_by_templatename:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
|
||||
- record: job:django_http_responses_total_by_status:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
|
||||
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
|
||||
- record: job:django_http_responses_total_by_charset:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
|
||||
- record: job:django_http_exceptions_total_by_type:sum_rate30s
|
||||
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
|
||||
- record: job:django_http_exceptions_total_by_view:sum_rate30s
|
||||
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
|
||||
- name: authentik Aggregate latency histograms
|
||||
rules:
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "50"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "95"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99.9"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "50"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "95"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99.9"
|
||||
- name: authentik Aggregate model operations
|
||||
rules:
|
||||
- record: job:django_model_inserts_total:sum_rate1m
|
||||
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
|
||||
- record: job:django_model_updates_total:sum_rate1m
|
||||
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
|
||||
- record: job:django_model_deletes_total:sum_rate1m
|
||||
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
|
||||
- name: authentik Aggregate database operations
|
||||
rules:
|
||||
- record: job:django_db_new_connections_total:sum_rate30s
|
||||
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_new_connection_errors_total:sum_rate30s
|
||||
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_execute_total:sum_rate30s
|
||||
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_execute_many_total:sum_rate30s
|
||||
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_errors_total:sum_rate30s
|
||||
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
|
||||
- name: authentik Aggregate migrations
|
||||
rules:
|
||||
- record: job:django_migrations_applied_total:max
|
||||
expr: max(django_migrations_applied_total) by (job, connection)
|
||||
- record: job:django_migrations_unapplied_total:max
|
||||
expr: max(django_migrations_unapplied_total) by (job, connection)
|
||||
- name: authentik Alerts
|
||||
rules:
|
||||
- alert: NoWorkersConnected
|
||||
expr: max without (pid) (authentik_admin_workers) < 1
|
||||
annotations:
|
||||
message: |
|
||||
authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
|
||||
summary: No workers connected
|
||||
for: 10m
|
||||
labels:
|
||||
severity: critical
|
||||
- alert: PendingMigrations
|
||||
expr: max without (pid) (django_migrations_unapplied_total) > 0
|
||||
annotations:
|
||||
message: |
|
||||
authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
|
||||
summary: Pending database migrations
|
||||
for: 10m
|
||||
labels:
|
||||
severity: critical
|
||||
- alert: FailedSystemTasks
|
||||
expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
|
||||
annotations:
|
||||
message: |
|
||||
System task {{ printf "{{ $labels.task_name }}" }} has failed
|
||||
summary: Failed system tasks
|
||||
for: 2h
|
||||
labels:
|
||||
severity: critical
|
||||
- alert: DisconnectedOutposts
|
||||
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
|
||||
annotations:
|
||||
message: |
|
||||
Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
|
||||
summary: Disconnected outpost
|
||||
for: 30m
|
||||
labels:
|
||||
severity: critical
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,44 @@
|
|||
{{- if hasKey .Values "metrics" }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "tc.v1.common.lib.chart.names.fullname" . }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
{{- with .Values.metrics.serviceMonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
|
||||
endpoints:
|
||||
- port: metrics
|
||||
{{- with .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ . }}
|
||||
{{- end }}
|
||||
path: /metrics
|
||||
|
||||
- port: ldapmetrics
|
||||
{{- with .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ . }}
|
||||
{{- end }}
|
||||
path: /metrics
|
||||
|
||||
- port: proxymetrics
|
||||
{{- with .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ . }}
|
||||
{{- end }}
|
||||
path: /metrics
|
||||
{{- end }}
|
||||
{{- end }}
|
Loading…
Reference in New Issue