feat(authentik): BREAKING CHANGE move to k8s integration instead of manual (#3673)
* feat(authentik): move to k8s integration instead of manual * bumpo * update questiosn
This commit is contained in:
parent
b09bb26f15
commit
b4af071a92
|
@ -3,7 +3,7 @@ appVersion: "2022.8.2"
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 10.5.6
|
||||
version: 10.5.7
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://charts.truecharts.org/
|
||||
|
@ -27,7 +27,7 @@ sources:
|
|||
- https://github.com/truecharts/charts/tree/master/charts/incubator/authentik
|
||||
- https://github.com/goauthentik/authentik
|
||||
- https://goauthentik.io/docs/
|
||||
version: 3.0.16
|
||||
version: 4.0.0
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- authentication
|
||||
|
|
|
@ -235,54 +235,6 @@ questions:
|
|||
schema:
|
||||
type: string
|
||||
default: "null"
|
||||
- variable: outposts
|
||||
group: "Container Configuration"
|
||||
label: "Outpost Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: ldap
|
||||
label: "LDAP"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable LDAP outpost"
|
||||
description: "Enable only AFTER you created an LDAP Provider and an API Token"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: insecure
|
||||
label: "Insecure"
|
||||
description: "Check only if you accessing Authentik in an unsecure way"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: host
|
||||
label: "Authentik Host"
|
||||
description: "URL of your Authentik server. (e.g. https://auth.domain.com)"
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: token
|
||||
label: "API Token"
|
||||
description: "Generated in the Authentik GUI > Directory > Token & App Passwords"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: metrics
|
||||
label: "Metrics Endpoint"
|
||||
description: "Enables metric endpoint in LDAP Outpost"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: geoip
|
||||
group: "Container Configuration"
|
||||
label: "GeoIP Configuration"
|
||||
|
@ -445,101 +397,6 @@ questions:
|
|||
schema:
|
||||
type: int
|
||||
default: 9301
|
||||
- variable: ldap
|
||||
label: "LDAP Service"
|
||||
description: "The LDAP service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: ldap1
|
||||
label: "ldap1 Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 389
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 3389
|
||||
- variable: ldap2
|
||||
label: "ldap2 Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 636
|
||||
required: true
|
||||
- variable: advanced
|
||||
label: "Show Advanced settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: protocol
|
||||
label: "Port Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "HTTP"
|
||||
enum:
|
||||
- value: HTTP
|
||||
description: "HTTP"
|
||||
- value: "HTTPS"
|
||||
description: "HTTPS"
|
||||
- value: TCP
|
||||
description: "TCP"
|
||||
- value: "UDP"
|
||||
description: "UDP"
|
||||
- variable: nodePort
|
||||
label: "Node Port (Optional)"
|
||||
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
|
||||
schema:
|
||||
type: int
|
||||
min: 9000
|
||||
max: 65535
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 6636
|
||||
- variable: ldap-metrics
|
||||
label: "LDAP metrics Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10232
|
||||
required: true
|
||||
# Include{advancedPortHTTP}
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9300
|
||||
# Include{serviceExpertRoot}
|
||||
default: false
|
||||
# Include{serviceExpert}
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
|
||||
{{- $authentikConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
|
||||
|
||||
---
|
||||
{{/* This configmap are loaded on both main authentik container and worker */}}
|
||||
|
@ -61,19 +60,9 @@ data:
|
|||
{{- end }}
|
||||
{{/* Metrics */}}
|
||||
AUTHENTIK_LISTEN__METRICS: {{ .Values.authentik.metrics.internalPort | quote }}
|
||||
---
|
||||
{{/* This configmap is loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $ldapConfigName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | quote }}
|
||||
{{- with .Values.outposts.ldap.host }}
|
||||
AUTHENTIK_HOST: {{ . }}
|
||||
{{- end }}
|
||||
{{/* Metrics */}}
|
||||
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: {{ .Values.authentik.outposts.container_image_base | quote }}
|
||||
AUTHENTIK_OUTPOSTS__DISCOVER: {{ .Values.authentik.outposts.discover | quote }}
|
||||
---
|
||||
{{/* This configmap is loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
{{/* Define the ldap container */}}
|
||||
{{- define "authentik.ldap" -}}
|
||||
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
|
||||
imagePullPolicy: '{{ .Values.ldapImage.pullPolicy }}'
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
|
||||
- configMapRef:
|
||||
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
|
||||
ports:
|
||||
- containerPort: 3389
|
||||
- containerPort: 6636
|
||||
{{ if .Values.outposts.ldap.metrics }}
|
||||
- containerPort: 9300
|
||||
name: ldap-metrics
|
||||
{{ end }}
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
|
||||
startupProbe:
|
||||
exec:
|
||||
command:
|
||||
- "wget"
|
||||
- "--spider"
|
||||
- "http://localhost:9300/outpost.goauthentik.io/ping"
|
||||
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
|
||||
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
|
||||
{{- end -}}
|
|
@ -3,7 +3,6 @@
|
|||
|
||||
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
|
||||
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
|
||||
|
||||
---
|
||||
{{/* This secrets are loaded on both main authentik container and worker */}}
|
||||
|
@ -45,19 +44,6 @@ data:
|
|||
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This secrets are loaded on ldap container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ $ldapSecretName }}
|
||||
labels:
|
||||
{{- include "tc.common.labels" . | nindent 4 }}
|
||||
data:
|
||||
{{- with .Values.outposts.ldap.token }}
|
||||
AUTHENTIK_TOKEN: {{ . | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
{{/* This secrets are loaded on geoip container */}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
|
|
@ -21,13 +21,5 @@
|
|||
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.outposts.ldap.enabled -}}
|
||||
{{- $_ := set .Values.additionalContainers "ldap" (include "authentik.ldap" . | fromYaml) -}}
|
||||
{{/* - if .Values.outposts.ldap.metrics - */}}
|
||||
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
|
||||
{{/* We can't define multiple ports/endpoints with annotations */}}
|
||||
{{/* - end - */}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.common.loader.apply" . }}
|
||||
|
|
|
@ -8,11 +8,6 @@ geoipImage:
|
|||
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
ldapImage:
|
||||
repository: tccr.io/truecharts/authentik-ldap
|
||||
tag: 2022.8.2@sha256:53c681184a447add074fda306acd58e69e48a6189dc5046de27769f1dceac835
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
extraArgs: ["server"]
|
||||
|
||||
podSecurityContext:
|
||||
|
@ -26,6 +21,9 @@ authentik:
|
|||
credentials:
|
||||
password: "supersecret"
|
||||
token: "supersecretapitoken"
|
||||
outposts:
|
||||
container_image_base: tccr.io/truecharts/authentik-%(type)s:%(version)s
|
||||
discover: true
|
||||
general:
|
||||
disable_update_check: false
|
||||
disable_startup_analytics: true
|
||||
|
@ -73,13 +71,74 @@ geoip:
|
|||
preserve_file_times: false
|
||||
verbose: false
|
||||
|
||||
outposts:
|
||||
ldap:
|
||||
enabled: false
|
||||
insecure: false
|
||||
host: ""
|
||||
token: "test"
|
||||
metrics: true
|
||||
serviceAccount:
|
||||
main:
|
||||
enabled: true
|
||||
|
||||
rbac:
|
||||
main:
|
||||
enabled: true
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- services
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- apps
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- middlewares
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- apiGroups:
|
||||
- monitoring.coreos.com
|
||||
resources:
|
||||
- servicemonitors
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- delete
|
||||
- list
|
||||
- patch
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- list
|
||||
|
||||
envFrom:
|
||||
- secretRef:
|
||||
|
@ -136,22 +195,6 @@ service:
|
|||
protocol: HTTP
|
||||
port: 10231
|
||||
targetPort: 9301
|
||||
ldap:
|
||||
enabled: true
|
||||
ports:
|
||||
ldap1:
|
||||
enabled: true
|
||||
port: 389
|
||||
targetPort: 3389
|
||||
ldap2:
|
||||
enabled: true
|
||||
port: 636
|
||||
targetPort: 6636
|
||||
ldap-metrics:
|
||||
enabled: true
|
||||
port: 10232
|
||||
protocol: HTTP
|
||||
targetPort: 9300
|
||||
|
||||
persistence:
|
||||
media:
|
||||
|
|
|
@ -3,6 +3,7 @@ words:
|
|||
- airsonic
|
||||
- aliasgroup
|
||||
- allowtransparency
|
||||
- apiextensions
|
||||
- APITOKEN
|
||||
- appname
|
||||
- appnamehere
|
||||
|
@ -24,6 +25,7 @@ words:
|
|||
- configfile
|
||||
- configmap
|
||||
- containo
|
||||
- customresourcedefinitions
|
||||
- daemonset
|
||||
- dbcreds
|
||||
- dbengine
|
||||
|
@ -135,6 +137,7 @@ words:
|
|||
- SERVERCONFIG
|
||||
- serverstransports
|
||||
- serviceexpert
|
||||
- servicemonitors
|
||||
- smallblock
|
||||
- sonarr
|
||||
- sonarrsabnzbd
|
||||
|
|
Loading…
Reference in New Issue