chore(authentik): add proxy outpost and knob for disabling embeded outpost for testing (#9704)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [x] ⚖️ My code follows the style guidelines of this project
- [x] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [x] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [x] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Stavros Kois 2023-06-17 01:54:52 +03:00 committed by GitHub
parent 01d79606f9
commit 3a88f87da1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 198 additions and 6 deletions


@ -23,7 +23,7 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 13.0.2
version: 13.0.3
annotations:
truecharts.org/catagories: |
- authentication


@ -329,6 +329,40 @@ questions:
additional_attrs: true
type: dict
attrs:
- variable: disableEmbeddedOutpost
label: EXPERIMENTAL - Disable Embedded Outpost
description: |
Disables the embedded outpost.</br>
This will disable the embedded outpost, and will require you to deploy your own outpost.</br>
Only use this for testing, it might be removed without notice.
schema:
type: boolean
default: false
- variable: proxy
label: Proxy
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enabled
description: |
Enables and configures the Proxy container.</br>
This will deploy the Proxy container.
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: token
label: Token
description: |
The token used to authenticate with the authentik server.
schema:
type: string
private: true
required: true
default: ""
- variable: radius
label: Radius
schema:
@ -404,6 +438,41 @@ questions:
type: int
default: 10229
required: true
- variable: proxy
label: Proxy Service
description: The Proxy service.
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: http
label: HTTP Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 10227
required: true
- variable: https
label: HTTPS Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 10228
required: true
- variable: radius
label: RADIUS Service
description: The RADIUS service.
@ -525,6 +594,16 @@ questions:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressAdvanced}
- variable: proxy
label: Proxy (HTTPS) Ingress
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressAdvanced}
# Include{ingressList}
# Include{securityContextRoot}
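Review bot: The new `service.proxy` questions expose a port number for both `http` and `https` but no `enabled` toggle for either, so a user who wants the outpost reachable over HTTPS only cannot switch the plaintext listener off from the UI, while the sibling outposts in this file appear to follow the same port-only pattern. If the common library honours a per-port `enabled` flag, adding `- variable: enabled` / `label: Enabled` / `schema: {type: boolean, default: true}` under each port (mirroring the `https` entry in values.yaml) would make that choice explicit. The `token` question is correctly `private: true` and `required: true`; its description could also say where the value comes from, e.g. `The outpost token shown in authentik's admin UI when the outpost is created.`, since the validation template fails the install without it.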


@ -2,6 +2,7 @@
{{- define "authentik.configmaps" -}}
{{- $fullname := include "tc.v1.common.lib.chart.names.fullname" $ -}}
{{- $serverHost := printf "https://%v:%v" $fullname .Values.service.main.ports.main.port -}}
{{- $host := .Values.chartContext.APPURL }}
server:
enabled: true
@ -23,6 +24,7 @@ server-worker:
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: "false"
AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST: {{ .Values.authentik.outposts.disableEmbeddedOutpost | quote }}
{{/* GeoIP */}}
{{- $geoipPath := (printf "/geoip/%v.mmdb" .Values.authentik.geoip.editionID) -}}
@ -74,13 +76,26 @@ server-worker:
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.tokenLength | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
{{- if .Values.authentik.outposts.proxy.enabled }}
proxy:
enabled: true
data:
AUTHENTIK_LISTEN__HTTP: {{ printf "0.0.0.0:%v" .Values.service.proxy.ports.http.port | quote }}
AUTHENTIK_LISTEN__HTTPS: {{ printf "0.0.0.0:%v" .Values.service.proxy.ports.https.port | quote }}
AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.proxymetrics.ports.proxymetrics.port | quote }}
AUTHENTIK_HOST: {{ $serverHost }}
AUTHENTIK_INSECURE: "true"
# TODO: node ip or ingress host
AUTHENTIK_HOST_BROWSER: {{ $host }}
{{- end -}}
{{- if .Values.authentik.outposts.radius.enabled }}
radius:
enabled: true
data:
AUTHENTIK_LISTEN__RADIUS: {{ printf "0.0.0.0:%v" .Values.service.radius.ports.radius.port | quote }}
AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.radiusmetrics.ports.radiusmetrics.port | quote }}
AUTHENTIK_HOST: {{ printf "https://%v:%v" $fullname .Values.service.main.ports.main.port }}
AUTHENTIK_HOST: {{ $serverHost }}
AUTHENTIK_INSECURE: "true"
# TODO: node ip or ingress host
AUTHENTIK_HOST_BROWSER: {{ $host }}
@ -93,7 +108,7 @@ ldap:
AUTHENTIK_LISTEN__LDAP: {{ printf "0.0.0.0:%v" .Values.service.ldap.ports.ldap.port | quote }}
AUTHENTIK_LISTEN__LDAPS: {{ printf "0.0.0.0:%v" .Values.service.ldaps.ports.ldaps.port | quote }}
AUTHENTIK_LISTEN__METRICS: {{ printf "0.0.0.0:%v" .Values.service.ldapmetrics.ports.ldapmetrics.port | quote }}
AUTHENTIK_HOST: {{ printf "https://%v:%v" $fullname .Values.service.main.ports.main.port }}
AUTHENTIK_HOST: {{ $serverHost }}
AUTHENTIK_INSECURE: "true"
# TODO: node ip or ingress host
AUTHENTIK_HOST_BROWSER: {{ $host }}
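Review bot: In the new proxy block `AUTHENTIK_HOST: {{ $serverHost }}` and `AUTHENTIK_HOST_BROWSER: {{ $host }}` are emitted as plain scalars while every `AUTHENTIK_LISTEN__*` value goes through `| quote`; if `.Values.chartContext.APPURL` is empty the key renders as a YAML null rather than an empty string, and any URL containing a YAML indicator would be mis-parsed, so `AUTHENTIK_HOST: {{ $serverHost | quote }}` and `AUTHENTIK_HOST_BROWSER: {{ $host | quote }}` would be safer (the radius and ldap blocks in this hunk have the same form). The hard-coded `AUTHENTIK_INSECURE: "true"` makes the outpost skip TLS certificate verification for its connection to the server; since `$serverHost` is the chart's own in-cluster service over https this is presumably deliberate for a certificate that cannot be validated, but a comment such as `{{/* server is reached in-cluster; its certificate is not verifiable, so verification is intentionally disabled */}}` would keep the setting from being copied to a configuration that points `AUTHENTIK_HOST` at an external address. The `authentik.configmaps` define continues outside the hunk.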


@ -47,6 +47,13 @@ geoip:
GEOIPUPDATE_LICENSE_KEY: {{ .Values.authentik.geoip.licenseKey | quote }}
{{- end -}}
{{- if .Values.authentik.outposts.proxy.enabled }}
proxy:
enabled: true
data:
AUTHENTIK_TOKEN: {{ .Values.authentik.outposts.proxy.token | quote }}
{{- end -}}
{{- if .Values.authentik.outposts.radius.enabled }}
radius:
enabled: true


@ -1,9 +1,11 @@
{{- define "authentik.validation" -}}
{{- range $outpost, $values := .Values.authentik.outposts -}}
{{- if (kindIs "dict" $values) -}}
{{- if and $values.enabled (not $values.token) -}}
{{- fail (printf "Authentik - Outpost [%v] is enabled, but [token] was not provided" ($outpost | upper)) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if .Values.authentik.geoip.enabled -}}
{{- if not .Values.authentik.geoip.accountID -}}
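Review bot: The new `kindIs "dict"` guard exists because `disableEmbeddedOutpost` is now a scalar sitting beside the outpost maps under `.Values.authentik.outposts`, but nothing in the hunk says so; a one-line comment such as `{{/* scalar knobs (disableEmbeddedOutpost) are skipped; only outpost maps carry enabled/token */}}` above the guard would stop a later reader from removing it. As written the guard also silently skips an outpost a user mis-sets to a bare value (for example `proxy: true`), which then renders nothing and fails nowhere; if that case matters, an `else` branch with `fail` for keys other than the known scalar would surface it. The `authentik.validation` define continues past the hunk.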


@ -23,6 +23,18 @@
{{- $_ := set .Values.workload.geoip "enabled" false -}}
{{- end -}}
{{- if .Values.authentik.outposts.proxy.enabled -}}
{{- $_ := set .Values.workload.proxy "enabled" true -}}
{{- $_ := set .Values.service.proxy "enabled" true -}}
{{- $_ := set .Values.service.proxymetrics "enabled" true -}}
{{- $_ := set .Values.metrics.proxymetrics "enabled" true -}}
{{- else -}}
{{- $_ := set .Values.workload.proxy "enabled" false -}}
{{- $_ := set .Values.service.proxy "enabled" false -}}
{{- $_ := set .Values.service.proxymetrics "enabled" false -}}
{{- $_ := set .Values.metrics.proxymetrics "enabled" false -}}
{{- end -}}
{{- if .Values.authentik.outposts.radius.enabled -}}
{{- $_ := set .Values.workload.radius "enabled" true -}}
{{- $_ := set .Values.service.radius "enabled" true -}}
@ -51,10 +63,12 @@
{{/* FIXME: See values.yaml */}}
{{- $_ := set .Values.service.servermetrics "enabled" false -}}
{{- $_ := set .Values.service.proxymetrics "enabled" false -}}
{{- $_ := set .Values.service.radiusmetrics "enabled" false -}}
{{- $_ := set .Values.service.ldapmetrics "enabled" false -}}
{{- $_ := set .Values.metrics.servermetrics "enabled" false -}}
{{- $_ := set .Values.metrics.proxymetrics "enabled" false -}}
{{- $_ := set .Values.metrics.radiusmetrics "enabled" false -}}
{{- $_ := set .Values.metrics.ldapmetrics "enabled" false -}}


@ -18,6 +18,11 @@ radiusImage:
tag: v2023.5.3@sha256:d46f4dbc727d5d6f6c91df0f6a2bf98d2c941de908fdc15193552413331e375b
pullPolicy: IfNotPresent
proxyImage:
repository: tccr.io/truecharts/authentik-proxy
tag: v2023.5.3@sha256:d46f4dbc727d5d6f6c91df0f6a2bf98d2c941de908fdc15193552413331e375b
pullPolicy: IfNotPresent
authentik:
credentials:
# Only works on initial install
@ -65,6 +70,11 @@ authentik:
accountID: ""
licenseKey: ""
outposts:
# Experimental feature
disableEmbeddedOutpost: false
proxy:
enabled: false
token: ""
radius:
enabled: false
token: ""
@ -158,6 +168,44 @@ workload:
- /lifecycle/ak
- healthcheck
# ===== PROXY =====
proxy:
enabled: true
type: Deployment
podSpec:
containers:
proxy:
enabled: true
primary: true
imageSelector: proxyImage
securityContext:
runAsUser: 1000
runAsGroup: 1000
envFrom:
- configMapRef:
name: proxy
- secretRef:
name: proxy
probes:
liveness:
enabled: true
type: exec
command:
- /proxy
- healthcheck
readiness:
enabled: true
type: exec
command:
- /proxy
- healthcheck
startup:
enabled: true
type: exec
command:
- /proxy
- healthcheck
# ===== RADIUS =====
radius:
enabled: true
@ -278,6 +326,16 @@ service:
enabled: true
protocol: http
port: 10230
# Proxy
proxy:
ports:
http:
protocol: http
port: 10227
https:
enabled: true
protocol: https
port: 10228
# Radius
radius:
enabled: true
@ -327,6 +385,15 @@ service:
enabled: true
protocol: http
port: 10233
# Proxy Metrics
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
protocol: http
port: 10234
persistence:
media:
@ -387,7 +454,7 @@ portal:
enabled: true
metrics:
# FIXME: Metris do not work yet
# FIXME: Metrics do not work yet
servermetrics:
enabled: true
type: servicemonitor
@ -412,3 +479,11 @@ metrics:
path: /metrics
prometheusRule:
enabled: false
proxymetrics:
enabled: true
type: servicemonitor
endpoints:
- port: "{{ .Values.service.proxymetrics.ports.proxymetrics.port }}"
path: /metrics
prometheusRule:
enabled: false
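Review bot: `proxyImage.tag` pins the same digest `sha256:d46f4dbc…e375b` as `radiusImage.tag` although the repositories differ (`tccr.io/truecharts/authentik-proxy` versus the radius image directly above it); two distinct images sharing one manifest digest is unlikely, so either the digest was copied from the radius line, in which case the pull fails with an unknown manifest, or the mirror serves that digest under both names, in which case the container is the radius build and lacks the `/proxy healthcheck` the new probes call. Verify the digest against the proxy image before merging. Separately, `service.proxy.ports.http` has no `enabled` key while `https` sets `enabled: true`; unless the common library defaults ports to enabled, the listener bound by `AUTHENTIK_LISTEN__HTTP` gets no service port, so adding `enabled: true` (or a comment stating that HTTP is intentionally unexposed) would make the intent explicit. Pinning by digest is the right supply-chain practice here; it just has to be the right digest.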