From b4af071a9230d80a4f150fcaaf7b88577c86bc26 Mon Sep 17 00:00:00 2001
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Date: Sat, 3 Sep 2022 21:58:20 +0300
Subject: [PATCH] feat(authentik): BREAKING CHANGE move to k8s integration instead of manual (#3673)
* feat(authentik): move to k8s integration instead of manual
* bumpo
* update questiosn
---
charts/incubator/authentik/Chart.yaml | 4 +-
charts/incubator/authentik/questions.yaml | 143 ------------------
.../incubator/authentik/templates/_config.tpl | 17 +--
.../incubator/authentik/templates/_ldap.tpl | 52 -------
.../incubator/authentik/templates/_secret.tpl | 14 --
.../incubator/authentik/templates/common.yaml | 8 -
charts/incubator/authentik/values.yaml | 99 ++++++++----
cspell.config.yaml | 3 +
8 files changed, 79 insertions(+), 261 deletions(-)
delete mode 100644 charts/incubator/authentik/templates/_ldap.tpl
diff --git a/charts/incubator/authentik/Chart.yaml b/charts/incubator/authentik/Chart.yaml
index 9b5549acd54..4cecd2125ed 100644
--- a/charts/incubator/authentik/Chart.yaml
+++ b/charts/incubator/authentik/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: "2022.8.2" dependencies: - name: common repository: https://library-charts.truecharts.org - version: 10.5.6 + version: 10.5.7 - condition: postgresql.enabled name: postgresql repository: https://charts.truecharts.org/
@@ -27,7 +27,7 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/incubator/authentik - https://github.com/goauthentik/authentik - https://goauthentik.io/docs/ -version: 3.0.16 +version: 4.0.0 annotations: truecharts.org/catagories: | - authentication
diff --git a/charts/incubator/authentik/questions.yaml b/charts/incubator/authentik/questions.yaml
index 9ab7c5f3864..88f8abe21f1 100644
--- a/charts/incubator/authentik/questions.yaml
+++ b/charts/incubator/authentik/questions.yaml
@@ -235,54 +235,6 @@ questions: schema: type: string default: "null" - - variable: outposts - group: "Container Configuration" - label: "Outpost Configuration" - schema: - additional_attrs: true - type: dict - attrs: - - variable: ldap - label: "LDAP" - schema: - additional_attrs: true - type: dict - attrs: - - variable: enabled - label: "Enable LDAP outpost" - description: "Enable only AFTER you created an LDAP Provider and an API Token" - schema: - type: boolean - default: false - show_subquestions_if: true - subquestions: - - variable: insecure - label: "Insecure" - description: "Check only if you accessing Authentik in an unsecure way" - schema: - type: boolean - default: false - - variable: host - label: "Authentik Host" - description: "URL of your Authentik server. (e.g. https://auth.domain.com)" - schema: - type: string - required: true - default: "" - - variable: token - label: "API Token" - description: "Generated in the Authentik GUI > Directory > Token & App Passwords" - schema: - type: string - private: true - required: true - default: "" - - variable: metrics - label: "Metrics Endpoint" - description: "Enables metric endpoint in LDAP Outpost" - schema: - type: boolean - default: false - variable: geoip group: "Container Configuration" label: "GeoIP Configuration" 
@@ -445,101 +397,6 @@ questions: schema: type: int default: 9301 - - variable: ldap - label: "LDAP Service" - description: "The LDAP service." - schema: - additional_attrs: true - type: dict - attrs: -# Include{serviceSelector} - - variable: ldap1 - label: "ldap1 Service Port Configuration" - schema: - additional_attrs: true - type: dict - attrs: - - variable: port - label: "Port" - description: "This port exposes the container port on the service" - schema: - type: int - default: 389 - required: true -# Include{advancedPortHTTP} - - variable: targetPort - label: "Target Port" - description: "The internal(!) port on the container the Application runs on" - schema: - type: int - default: 3389 - - variable: ldap2 - label: "ldap2 Service Port Configuration" - schema: - additional_attrs: true - type: dict - attrs: - - variable: port - label: "Port" - description: "This port exposes the container port on the service" - schema: - type: int - default: 636 - required: true - - variable: advanced - label: "Show Advanced settings" - schema: - type: boolean - default: false - show_subquestions_if: true - subquestions: - - variable: protocol - label: "Port Type" - schema: - type: string - default: "HTTP" - enum: - - value: HTTP - description: "HTTP" - - value: "HTTPS" - description: "HTTPS" - - value: TCP - description: "TCP" - - value: "UDP" - description: "UDP" - - variable: nodePort - label: "Node Port (Optional)" - description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" - schema: - type: int - min: 9000 - max: 65535 - - variable: targetPort - label: "Target Port" - description: "The internal(!) 
port on the container the Application runs on" - schema: - type: int - default: 6636 - - variable: ldap-metrics - label: "LDAP metrics Service Port Configuration" - schema: - additional_attrs: true - type: dict - attrs: - - variable: port - label: "Port" - description: "This port exposes the container port on the service" - schema: - type: int - default: 10232 - required: true -# Include{advancedPortHTTP} - - variable: targetPort - label: "Target Port" - description: "The internal(!) port on the container the Application runs on" - schema: - type: int - default: 9300 # Include{serviceExpertRoot} default: false # Include{serviceExpert}
diff --git a/charts/incubator/authentik/templates/_config.tpl b/charts/incubator/authentik/templates/_config.tpl
index b8868f9168f..671b022698f 100644
--- a/charts/incubator/authentik/templates/_config.tpl
+++ b/charts/incubator/authentik/templates/_config.tpl
@@ -3,7 +3,6 @@ {{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }} {{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }} -{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }} --- {{/* This configmap are loaded on both main authentik container and worker */}}
@@ -61,19 +60,9 @@ data: {{- end }} {{/* Metrics */}} AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }} ---- -{{/* This configmap is loaded on ldap container */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $ldapConfigName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }} - {{- with .Values.outposts.ldap.host }} - AUTHENTIK_HOST: {{ . }} - {{- end }} + {{/* Metrics */}} + AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: {{ .Values.authentik.outposts.container_image_base | quote }} + AUTHENTIK_OUTPOSTS__DISCOVER: {{ .Values.authentik.outposts.discover | quote }} --- {{/* This configmap is loaded on geoip container */}} apiVersion: v1
diff --git a/charts/incubator/authentik/templates/_ldap.tpl b/charts/incubator/authentik/templates/_ldap.tpl
deleted file mode 100644
index 3e87f36f96d..00000000000
--- a/charts/incubator/authentik/templates/_ldap.tpl
+++ /dev/null
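Review bot: The comment added at the top of the new lines repeats the `{{/* Metrics */}}` label that already sits above `AUTHENTIK_LISTEN__METRICS`, so the ConfigMap now has two sections with the same name although the keys beneath the second one configure outposts; change it to `{{/* Outposts (in-cluster integration replacing the removed ldap container) */}}`. A short why-comment would also help here, since `AUTHENTIK_OUTPOSTS__DISCOVER` is presumably the switch that lets authentik create its outposts itself and is the reason the ldap ConfigMap below could be dropped. The `| quote` on both values is correct for ConfigMap data, where `discover: true` would otherwise render as a bare YAML boolean.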
@@ -1,52 +0,0 @@ -{{/* Define the ldap container */}} -{{- define "authentik.ldap" -}} -image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }} -imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}' -securityContext: - runAsUser: {{ .Values.podSecurityContext.runAsUser }} - runAsGroup: {{ .Values.podSecurityContext.runAsGroup }} - readOnlyRootFilesystem: true - runAsNonRoot: true -envFrom: - - secretRef: - name: '{{ include "tc.common.names.fullname" . }}-ldap-secret' - - configMapRef: - name: '{{ include "tc.common.names.fullname" . }}-ldap-config' -ports: - - containerPort: 3389 - - containerPort: 6636 -{{ if .Values.outposts.ldap.metrics }} - - containerPort: 9300 - name: ldap-metrics -{{ end }} -readinessProbe: - exec: - command: - - "wget" - - "--spider" - - "http://localhost:9300/outpost.goauthentik.io/ping" - initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} - periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} - timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} - failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} -livenessProbe: - exec: - command: - - "wget" - - "--spider" - - "http://localhost:9300/outpost.goauthentik.io/ping" - initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} - periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} - timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} - failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} -startupProbe: - exec: - command: - - "wget" - - "--spider" - - "http://localhost:9300/outpost.goauthentik.io/ping" - initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} - periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} - timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} - failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} -{{- end -}} 
diff --git a/charts/incubator/authentik/templates/_secret.tpl b/charts/incubator/authentik/templates/_secret.tpl
index 4547e3dd7f9..c2f8dbf0713 100644
--- a/charts/incubator/authentik/templates/_secret.tpl
+++ b/charts/incubator/authentik/templates/_secret.tpl
@@ -3,7 +3,6 @@ {{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }} {{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }} -{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }} --- {{/* This secrets are loaded on both main authentik container and worker */}}
@@ -45,19 +44,6 @@ data: AUTHENTIK_EMAIL__FROM: {{ . | b64enc }} {{- end }} --- -{{/* This secrets are loaded on ldap container */}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ $ldapSecretName }} - labels: - {{- include "tc.common.labels" . | nindent 4 }} -data: - {{- with .Values.outposts.ldap.token }} - AUTHENTIK_TOKEN: {{ . | b64enc }} - {{- end }} ---- {{/* This secrets are loaded on geoip container */}} apiVersion: v1 kind: Secret
diff --git a/charts/incubator/authentik/templates/common.yaml b/charts/incubator/authentik/templates/common.yaml
index 8acd79b2756..b712df5a4a4 100644
--- a/charts/incubator/authentik/templates/common.yaml
+++ b/charts/incubator/authentik/templates/common.yaml
@@ -21,13 +21,5 @@ {{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}} {{- end -}} -{{- if .Values.outposts.ldap.enabled -}} -{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}} -{{/* - if .Values.outposts.ldap.metrics - */}} -{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}} -{{/* We can't define multiple ports/endpoints with annotations */}} -{{/* - end - */}} -{{- end -}} - {{/* Render the templates */}} {{ include "tc.common.loader.apply" . }}
diff --git a/charts/incubator/authentik/values.yaml b/charts/incubator/authentik/values.yaml
index ecb14b96a66..327b2041e62 100644
--- a/charts/incubator/authentik/values.yaml
+++ b/charts/incubator/authentik/values.yaml
@@ -8,11 +8,6 @@ geoipImage: tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce pullPolicy: IfNotPresent -ldapImage: - repository: tccr.io/truecharts/authentik-ldap - tag: 2022.8.2@sha256:53c681184a447add074fda306acd58e69e48a6189dc5046de27769f1dceac835 - pullPolicy: IfNotPresent - extraArgs: ["server"] podSecurityContext:
@@ -26,6 +21,9 @@ authentik: credentials: password: "supersecret" token: "supersecretapitoken" + outposts: + container_image_base: tccr.io/truecharts/authentik-%(type)s:%(version)s + discover: true general: disable_update_check: false disable_startup_analytics: true
@@ -73,13 +71,74 @@ geoip: preserve_file_times: false verbose: false -outposts: - ldap: - enabled: false - insecure: false - host: "" - token: "test" - metrics: true +serviceAccount: + main: + enabled: true + +rbac: + main: + enabled: true + rules: + - apiGroups: + - "" resources: + - secrets + - services + - configmaps verbs: + - get + - create + - delete + - list + - patch + - apiGroups: + - extensions + - apps resources: + - deployments verbs: + - get + - create + - delete + - list + - patch + - apiGroups: + - extensions + - networking.k8s.io resources: + - ingresses verbs: + - get + - create + - delete + - list + - patch + - apiGroups: + - traefik.containo.us resources: + - middlewares verbs: + - get + - create + - delete + - list + - patch + - apiGroups: + - monitoring.coreos.com resources: + - servicemonitors verbs: + - get + - create + - delete + - list + - patch + - apiGroups: + - apiextensions.k8s.io resources: + - customresourcedefinitions verbs: + - list envFrom: - secretRef:
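Review bot: `container_image_base` is now the only image reference in values.yaml without a digest: `geoipImage.tag` in the previous hunk and the `ldapImage.tag` this commit removes both carry `@sha256:` pins, whereas the outposts authentik spawns from this base will run whatever `%(version)s` resolves to on the registry at deploy time, so the pinning the manual ldap container had is lost. If a digest cannot be expressed through the `%(type)s`/`%(version)s` placeholders (presumably expanded by authentik rather than Helm), say so above the key, e.g. `# Not digest-pinned: authentik expands %(type)s/%(version)s itself, so only the tag can be controlled here.` Quoting the value as `container_image_base: "tccr.io/truecharts/authentik-%(type)s:%(version)s"` would make it obvious that the `%(...)s` is literal text and not a template. `discover: true` changes what the release does in the cluster and deserves a one-line comment pointing at the `rbac` rules it relies on.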
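Review bot: The first `rbac.main.rules` entry grants `get`, `list` and `patch` on `secrets` with no `resourceNames` restriction, so the authentik service account can read every Secret in whatever scope the common chart renders these rules into (whether that is a Role or a ClusterRole is not visible in this diff), and nothing in the hunk records that this is what the outpost integration needs or that the authentik pod has become a far more valuable target as a result. Add a comment above `rbac:`, e.g. `# Needed for authentik to manage its own outposts (Deployments, Services, Secrets, Ingresses, ServiceMonitors); it also grants read access to every Secret in the role's scope.` The five identical `verbs` lists are copy-pasted, so a later narrowing of one rule is easy to miss; a comment marking them as intentionally identical would make that visible. `extensions` listed next to `apps` and `networking.k8s.io` is the legacy API group for deployments and ingresses; it is harmless in an RBAC rule but worth a comment so nobody assumes it is still served.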
@@ -136,22 +195,6 @@ service: protocol: HTTP port: 10231 targetPort: 9301 - ldap: - enabled: true - ports: - ldap1: - enabled: true - port: 389 - targetPort: 3389 - ldap2: - enabled: true - port: 636 - targetPort: 6636 - ldap-metrics: - enabled: true - port: 10232 - protocol: HTTP - targetPort: 9300 persistence: media:
diff --git a/cspell.config.yaml b/cspell.config.yaml
index 2a3a9f19ac7..6535acedde6 100644
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -3,6 +3,7 @@ words: - airsonic - aliasgroup - allowtransparency + - apiextensions - APITOKEN - appname - appnamehere
@@ -24,6 +25,7 @@ words: - configfile - configmap - containo + - customresourcedefinitions - daemonset - dbcreds - dbengine
@@ -135,6 +137,7 @@ words: - SERVERCONFIG - serverstransports - serviceexpert + - servicemonitors - smallblock - sonarr - sonarrsabnzbd