Revert "feat(authentik): BREAKING CHANGE move to k8s integration inst… (#3678)

* Revert "feat(authentik): BREAKING CHANGE move to k8s integration instead of manual (#3673)"

This reverts commit b4af071a92.

* bump again
Stavros Kois 2022-09-03 23:47:37 +03:00 committed by GitHub
parent 0fcbc80408
commit 0635475600
8 changed files with 260 additions and 78 deletions


@ -27,7 +27,7 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 4.0.0
version: 5.0.0
annotations:
truecharts.org/catagories: |
- authentication


@ -235,6 +235,54 @@ questions:
schema:
type: string
default: "null"
- variable: outposts
group: "Container Configuration"
label: "Outpost Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: ldap
label: "LDAP"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable LDAP outpost"
description: "Enable only AFTER you created an LDAP Provider and an API Token"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: insecure
label: "Insecure"
description: "Check only if you accessing Authentik in an unsecure way"
schema:
type: boolean
default: false
- variable: host
label: "Authentik Host"
description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
schema:
type: string
required: true
default: ""
- variable: token
label: "API Token"
description: "Generated in the Authentik GUI > Directory > Token & App Passwords"
schema:
type: string
private: true
required: true
default: ""
- variable: metrics
label: "Metrics Endpoint"
description: "Enables metric endpoint in LDAP Outpost"
schema:
type: boolean
default: false
- variable: geoip
group: "Container Configuration"
label: "GeoIP Configuration"
@ -397,6 +445,101 @@ questions:
schema:
type: int
default: 9301
- variable: ldap
label: "LDAP Service"
description: "The LDAP service."
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: ldap1
label: "ldap1 Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 389
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 3389
- variable: ldap2
label: "ldap2 Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 636
required: true
- variable: advanced
label: "Show Advanced settings"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: protocol
label: "Port Type"
schema:
type: string
default: "HTTP"
enum:
- value: HTTP
description: "HTTP"
- value: "HTTPS"
description: "HTTPS"
- value: TCP
description: "TCP"
- value: "UDP"
description: "UDP"
- variable: nodePort
label: "Node Port (Optional)"
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
schema:
type: int
min: 9000
max: 65535
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 6636
- variable: ldap-metrics
label: "LDAP metrics Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 10232
required: true
# Include{advancedPortHTTP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 9300
# Include{serviceExpertRoot}
default: false
# Include{serviceExpert}
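Review bot: The ldap2 service port's advanced `protocol` defaults to `"HTTP"` (the `default: "HTTP"` above the port-type enum) although that port carries LDAPS (636 → 6636), and ldap1 pulls in `# Include{advancedPortHTTP}` for plain LDAP on 389 → 3389; `default: "TCP"` looks like the intended value for both, unless the common library uses this field purely as a label. If the protocol feeds ingress or proxy handling, tagging an LDAP listener as HTTP would be a functional error rather than a cosmetic one, so it is worth checking against the include. In the first hunk the `insecure` description `"Check only if you accessing Authentik in an unsecure way"` is ungrammatical and does not say what the flag does; since it feeds `AUTHENTIK_INSECURE` in the ConfigMap, something like `description: "Enable only if the Authentik host must be reached without a valid TLS certificate; this relaxes certificate verification for the outpost connection"` would be clearer, assuming that is the variable's effect.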


@ -3,6 +3,7 @@
{{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
@ -60,9 +61,19 @@ data:
{{- end }}
{{/* Metrics */}}
AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }}
{{/* Metrics */}}
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: {{ .Values.authentik.outposts.container_image_base | quote }}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ .Values.authentik.outposts.discover | quote }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }}
{{- with .Values.outposts.ldap.host }}
AUTHENTIK_HOST: {{ . }}
{{- end }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
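Review bot: `AUTHENTIK_HOST: {{ . }}` in the new ldap ConfigMap renders the user-supplied URL unquoted, while every neighbouring value in this file (`AUTHENTIK_LISTEN__METRICS`, the two `AUTHENTIK_OUTPOSTS__*` keys, `AUTHENTIK_INSECURE`) goes through `| quote`. A host containing ` #`, `: ` or a leading YAML indicator would break or silently truncate the rendered manifest; `AUTHENTIK_HOST: {{ . | quote }}` keeps it consistent with the rest of the data block. The `{{/* Metrics */}}` comment now appears twice in a row above the outpost keys; the second one presumably meant `{{/* Outposts */}}`.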


@ -0,0 +1,52 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}'
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
ports:
- containerPort: 3389
- containerPort: 6636
{{ if .Values.outposts.ldap.metrics }}
- containerPort: 9300
name: ldap-metrics
{{ end }}
readinessProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- "wget"
- "--spider"
- "http://localhost:9300/outpost.goauthentik.io/ping"
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}
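Review bot: The container `securityContext` sets `readOnlyRootFilesystem` and `runAsNonRoot` but neither `allowPrivilegeEscalation: false` nor a capability drop, so the LDAP outpost keeps the default capability set unless the common library injects these at pod level, which is not visible here. Adding `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }` under `securityContext` would close that gap; the listeners bind 3389, 6636 and 9300, none of which needs NET_BIND_SERVICE. Separately, all three probes hard-code `http://localhost:9300/outpost.goauthentik.io/ping` while the container ports elsewhere come from values, and the `outposts.ldap.metrics` toggle only gates the `containerPort` declaration, so the probes rely on the 9300 listener being up whether or not metrics is enabled; a comment such as `{{/* probes use the outpost metrics listener on 9300 regardless of .Values.outposts.ldap.metrics */}}` would make that dependency explicit.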


@ -3,6 +3,7 @@
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
@ -44,6 +45,19 @@ data:
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
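Review bot: The new ldap Secret wraps `AUTHENTIK_TOKEN` in `{{- with .Values.outposts.ldap.token }}`, so an empty token silently yields a Secret without the key and the outpost only fails at runtime, whereas questions.yaml marks the token as required. Rendering it with `required` fails fast at install time: `AUTHENTIK_TOKEN: {{ required "outposts.ldap.token must be set when the LDAP outpost is enabled" .Values.outposts.ldap.token | b64enc }}`. Whether this Secret document is itself gated on `outposts.ldap.enabled` is outside the hunk; if it is not, the `required` call should sit inside that condition so installs with the outpost disabled still render.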


@ -21,5 +21,13 @@
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}}
{{/* - if .Values.outposts.ldap.metrics - */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}


@ -8,6 +8,11 @@ geoipImage:
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
repository: tccr.io/truecharts/authentik-ldap
tag: 2022.8.2@sha256:53c681184a447add074fda306acd58e69e48a6189dc5046de27769f1dceac835
pullPolicy: IfNotPresent
extraArgs: ["server"]
podSecurityContext:
@ -21,9 +26,6 @@ authentik:
credentials:
password: "supersecret"
token: "supersecretapitoken"
outposts:
container_image_base: tccr.io/truecharts/authentik-%(type)s:%(version)s
discover: true
general:
disable_update_check: false
disable_startup_analytics: true
@ -71,74 +73,13 @@ geoip:
preserve_file_times: false
verbose: false
serviceAccount:
main:
enabled: true
rbac:
main:
enabled: true
rules:
- apiGroups:
- ""
resources:
- secrets
- services
- configmaps
verbs:
- get
- create
- delete
- list
- patch
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
- get
- create
- delete
- list
- patch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- create
- delete
- list
- patch
- apiGroups:
- traefik.containo.us
resources:
- middlewares
verbs:
- get
- create
- delete
- list
- patch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- delete
- list
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
outposts:
ldap:
enabled: false
insecure: false
host: ""
token: "test"
metrics: true
envFrom:
- secretRef:
@ -195,6 +136,22 @@ service:
protocol: HTTP
port: 10231
targetPort: 9301
ldap:
enabled: true
ports:
ldap1:
enabled: true
port: 389
targetPort: 3389
ldap2:
enabled: true
port: 636
targetPort: 6636
ldap-metrics:
enabled: true
port: 10232
protocol: HTTP
targetPort: 9300
persistence:
media:
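Review bot: `service.ldap.enabled: true` is set unconditionally while `outposts.ldap.enabled` defaults to `false`, so a default install appears to create a Service publishing 389, 636 and 10232 with no ldap container behind them, unless the common library ties the Service to the container somewhere not shown here. Gating the Service on the outpost flag, or defaulting it to `false` so one switch enables both, avoids advertising ports that nothing serves. The default `token: "test"` also ships a non-empty placeholder API credential, which lets a release start with a bogus token instead of failing validation; `token: ""` matches the empty default in questions.yaml. Likewise `metrics: true` here disagrees with the `false` default questions.yaml gives the same key.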


@ -3,7 +3,6 @@ words:
- airsonic
- aliasgroup
- allowtransparency
- apiextensions
- APITOKEN
- appname
- appnamehere
@ -25,7 +24,6 @@ words:
- configfile
- configmap
- containo
- customresourcedefinitions
- daemonset
- dbcreds
- dbengine
@ -137,7 +135,6 @@ words:
- SERVERCONFIG
- serverstransports
- serviceexpert
- servicemonitors
- smallblock
- sonarr
- sonarrsabnzbd