From c843864fa50a5a82d7660bfa6c3ddfe5bf4acc3f Mon Sep 17 00:00:00 2001
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Date: Sat, 23 Apr 2022 00:44:57 +0300
Subject: [PATCH] feat(authentik): add authentik (#2535)
* feat(authentik): add authentik
* add secret
* try something crazy
* run geoip as a cronjob
* test
* whoops
* add gui options
* pin image
* add secret togui
* try http as main
* whops
* clear up
* clean
---
 charts/incubator/authentik/Chart.yaml | 34 +
 charts/incubator/authentik/questions.yaml | 712 ++++++++++++++++++
 .../authentik/templates/_cronjob.tpl | 53 ++
 .../authentik/templates/_secrets.tpl | 20 +
 .../incubator/authentik/templates/common.yaml | 13 +
 charts/incubator/authentik/values.yaml | 223 ++++
 6 files changed, 1055 insertions(+)
 create mode 100644 charts/incubator/authentik/Chart.yaml
 create mode 100644 charts/incubator/authentik/questions.yaml
 create mode 100644 charts/incubator/authentik/templates/_cronjob.tpl
 create mode 100644 charts/incubator/authentik/templates/_secrets.tpl
 create mode 100644 charts/incubator/authentik/templates/common.yaml
 create mode 100644 charts/incubator/authentik/values.yaml
diff --git a/charts/incubator/authentik/Chart.yaml b/charts/incubator/authentik/Chart.yaml
new file mode 100644
index 00000000000..5890c4a5ea1
--- /dev/null
+++ b/charts/incubator/authentik/Chart.yaml
@@ -0,0 +1,34 @@
+apiVersion: v2
+appVersion: "10.6.2"
+dependencies:
+- name: common
+ repository: https://library-charts.truecharts.org
+ version: 9.2.9
+- condition: postgresql.enabled
+ name: postgresql
+ repository: https://charts.truecharts.org/
+ version: 7.0.48
+- condition: redis.enabled
+ name: redis
+ repository: https://charts.truecharts.org
+ version: 2.0.40
+description: authentik is an open-source Identity Provider focused on flexibility and versatility.
+home: https://github.com/truecharts/apps/tree/master/charts/stable/authentik
+icon: https://truecharts.org/_static/img/appicons/authentik.png
+keywords:
+- authentik
+kubeVersion: '>=1.16.0-0'
+maintainers:
+- email: info@truecharts.org
+ name: TrueCharts
+ url: https://truecharts.org
+name: authentik
+sources:
+- https://github.com/goauthentik/authentik
+- https://goauthentik.io/docs/
+version: 0.0.1
+annotations:
+ truecharts.org/catagories: |
+ - authentication
+ truecharts.org/SCALE-support: "true"
+ truecharts.org/grade: U
diff --git a/charts/incubator/authentik/questions.yaml b/charts/incubator/authentik/questions.yaml
new file mode 100644
index 00000000000..2809a7ca5b6
--- /dev/null
+++ b/charts/incubator/authentik/questions.yaml
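Review bot: `appVersion: "10.6.2"` does not match the image this chart actually pins in values.yaml (`tag: 2022.4.1@sha256:…`), and `home:` points at `charts/stable/authentik` while every file in this commit is added under `charts/incubator/`. Catalog UIs show `appVersion` as the deployed application version, so a stale value hides which authentik release users are really running. Suggest `appVersion: "2022.4.1"` and `home: https://github.com/truecharts/apps/tree/master/charts/incubator/authentik`, and keeping `appVersion` in step with `image.tag` on future bumps.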
@@ -0,0 +1,712 @@ +# Include{groups} +portals: + open: + protocols: + - "$kubernetes-resource_configmap_portal_protocol" + host: + - "$kubernetes-resource_configmap_portal_host" + ports: + - "$kubernetes-resource_configmap_portal_port" +questions: + - variable: portal + group: "Container Image" + label: "Configure Portal Button" + schema: + type: dict + hidden: true + attrs: + - variable: enabled + label: "Enable" + description: "enable the portal button" + schema: + hidden: true + editable: false + type: boolean + default: true +# Include{global} + - variable: controller + group: "Controller" + label: "" + schema: + additional_attrs: true + type: dict + attrs: + - variable: advanced + label: "Show Advanced Controller Settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: type + description: "Please specify type of workload to deploy" + label: "(Advanced) Controller Type" + schema: + type: string + default: "deployment" + required: true + enum: + - value: "deployment" + description: "Deployment" + - value: "statefulset" + description: "Statefulset" + - value: "daemonset" + description: "Daemonset" + - variable: replicas + description: "Number of desired pod replicas" + label: "Desired Replicas" + schema: + type: int + default: 1 + required: true + - variable: strategy + description: "Please specify type of workload to deploy" + label: "(Advanced) Update Strategy" + schema: + type: string + default: "Recreate" + required: true + enum: + - value: "Recreate" + description: "Recreate: Kill existing pods before creating new ones" + - value: "RollingUpdate" + description: "RollingUpdate: Create new pods and then kill old ones" + - value: "OnDelete" + description: "(Legacy) OnDelete: ignore .spec.template changes" +# Include{controllerExpert} + - variable: secret + group: "Container Configuration" + label: "Image Secrets" + schema: + additional_attrs: true + type: dict + attrs: + - variable: AK_ADMIN_PASS + label: 
"AK_ADMIN_PASS (Initial Install Only)" + description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled" + schema: + type: string + private: true + required: true + default: "" + - variable: AK_ADMIN_TOKEN + label: "AK_ADMIN_TOKEN (Initial Install Only)" + description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled" + schema: + type: string + private: true + required: true + default: "" + - variable: env + group: "Container Configuration" + label: "Image Environment" + schema: + additional_attrs: true + type: dict + attrs: + - variable: AUTHENTIK_DEFAULT_USER_CHANGE_NAME + label: "AUTHENTIK_DEFAULT_USER_CHANGE_NAME" + description: "Enable the ability for users to change their name." + schema: + type: boolean + default: true + - variable: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL + label: "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL" + description: "Enable the ability for users to change their Email address." + schema: + type: boolean + default: true + - variable: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME + label: "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME" + description: "Enable the ability for users to change their Usernames." + schema: + type: boolean + default: true + - variable: AUTHENTIK_GDPR_COMPLIANCE + label: "AUTHENTIK_GDPR_COMPLIANCE" + description: "When enabled, all the events caused by a user will be deleted upon the user's deletion." + schema: + type: boolean + default: true + - variable: AUTHENTIK_IMPERSONATION + label: "AUTHENTIK_IMPERSONATION" + description: "Globally enable/disable impersonation." + schema: + type: boolean + default: true + - variable: AUTHENTIK_DISABLE_UPDATE_CHECK + label: "AUTHENTIK_DISABLE_UPDATE_CHECK" + description: "Disable the inbuilt update-checker." 
+ schema: + type: boolean + default: false + - variable: AUTHENTIK_DISABLE_STARTUP_ANALYTICS + label: "AUTHENTIK_DISABLE_STARTUP_ANALYTICS" + description: "Disable the startup analytics." + schema: + type: boolean + default: false + - variable: AUTHENTIK_ERROR_REPORTING__ENABLED + label: "AUTHENTIK_ERROR_REPORTING__ENABLED" + description: "Enable error reporting." + schema: + type: boolean + default: false + - variable: AUTHENTIK_ERROR_REPORTING__SEND_PII + label: "AUTHENTIK_ERROR_REPORTING__SEND_PII" + description: "Whether or not to send personal data, like usernames." + schema: + type: boolean + default: false + - variable: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT + label: "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT" + description: "Unique environment that is attached to your error reports, should be set to your email address for example." + schema: + type: string + default: "customer" + - variable: AUTHENTIK_DEFAULT_TOKEN_LENGTH + label: "AUTHENTIK_DEFAULT_TOKEN_LENGTH" + description: "Configure the length of generated tokens. Defaults to 128." + schema: + type: int + default: 128 + - variable: AUTHENTIK_AVATARS + label: "AUTHENTIK_AVATARS" + description: "Configure how authentik should show avatars for users." + schema: + type: string + default: "gravatar" + - variable: AUTHENTIK_LOG_LEVEL + label: "AUTHENTIK_LOG_LEVEL" + description: "Log level for the server and worker containers." 
+ schema: + type: string + default: "info" + enum: + - value: trace + description: "trace" + - value: debug + description: "debug" + - value: info + description: "info" + - value: warning + description: "warning" + - value: error + description: "error" + - variable: enable_mail_config + label: "Enable Email Settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: AUTHENTIK_EMAIL__HOST + label: "AUTHENTIK_EMAIL__HOST" + schema: + type: string + default: "" + - variable: AUTHENTIK_EMAIL__PORT + label: "AUTHENTIK_EMAIL__PORT" + schema: + type: int + default: 25 + - variable: AUTHENTIK_EMAIL__USERNAME + label: "AUTHENTIK_EMAIL__USERNAME" + schema: + type: string + default: "" + - variable: AUTHENTIK_EMAIL__PASSWORD + label: "AUTHENTIK_EMAIL__PASSWORD" + schema: + type: string + private: true + default: "" + - variable: AUTHENTIK_EMAIL__USE_TLS + label: "AUTHENTIK_EMAIL__USE_TLS" + schema: + type: boolean + default: false + - variable: AUTHENTIK_EMAIL__USE_SSL + label: "AUTHENTIK_EMAIL__USE_SSL" + schema: + type: boolean + default: false + - variable: AUTHENTIK_EMAIL__TIMEOUT + label: "AUTHENTIK_EMAIL__TIMEOUT" + schema: + type: int + default: 10 + - variable: AUTHENTIK_EMAIL__FROM + label: "AUTHENTIK_EMAIL__FROM" + description: "Email address authentik will send from, should have a correct @domain. To change the sender's display name, use a format like Name ." 
+ schema: + type: string + default: "" + - variable: geoip + group: "Container Configuration" + label: "Image GeoIP Updater" + schema: + additional_attrs: true + type: dict + attrs: + - variable: ENABLE_GEOIPUPDATER + label: "Enable CronJob for GeoIP Updater" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: GEOIPUPDATE_ACCOUNT_ID + label: "GEOIPUPDATE_ACCOUNT_ID" + description: "Your MaxMind account ID" + schema: + type: string + private: true + default: "" + - variable: GEOIPUPDATE_LICENSE_KEY + label: "GEOIPUPDATE_LICENSE_KEY" + description: "Your case-sensitive MaxMind license key." + schema: + type: string + private: true + default: "" + - variable: GEOIPUPDATE_EDITION_IDS + label: "GEOIPUPDATE_EDITION_IDS" + description: "ist of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes." + schema: + type: string + default: "GeoIP2-City" + - variable: GEOIPUPDATE_HOST + label: "GEOIPUPDATE_HOST" + description: "The host name of the server to use. The default is updates.maxmind.com." + schema: + type: string + default: "updates.maxmind.com" + - variable: GEOIPUPDATE_PRESERVE_FILE_TIMES + label: "GEOIPUPDATE_PRESERVE_FILE_TIMES" + description: "Whether to preserve modification times of files downloaded from the server. This option is either 0 or 1. The default is 0." + schema: + type: int + default: 0 + - variable: freqhours + label: "FREQUENCY" + description: "The number of hours between geoipupdate runs." 
+ schema: + type: int + default: 8 + +# Include{containerConfig} + + - variable: service + group: "Networking and Services" + label: "Configure Service(s)" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Service" + description: "The Primary service on which the healthcheck runs, often the webUI" + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: main + label: "Main Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10230 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTP" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 9000 + - variable: https + label: "https Service" + description: "The https service." 
+ schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelector} + - variable: https + label: "https Service Port Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: "Port" + description: "This port exposes the container port on the service" + schema: + type: int + default: 10229 + required: true + - variable: advanced + label: "Show Advanced settings" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: protocol + label: "Port Type" + schema: + type: string + default: "HTTPS" + enum: + - value: HTTP + description: "HTTP" + - value: "HTTPS" + description: "HTTPS" + - value: TCP + description: "TCP" + - value: "UDP" + description: "UDP" + - variable: nodePort + label: "Node Port (Optional)" + description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" + schema: + type: int + min: 9000 + max: 65535 + - variable: targetPort + label: "Target Port" + description: "The internal(!) port on the container the Application runs on" + schema: + type: int + default: 9443 + + - variable: serviceexpert + group: "Networking and Services" + label: "Show Expert Config" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: hostNetwork + group: "Networking and Services" + label: "Host-Networking (Complicated)" + schema: + type: boolean + default: false + +# Include{serviceExpert} + +# Include{serviceList} + + - variable: persistence + label: "Integrated Persistent Storage" + description: "Integrated Persistent Storage" + group: "Storage and Persistence" + schema: + additional_attrs: true + type: dict + attrs: + - variable: media + label: "App Media Storage" + description: "Stores the Application Media." 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" + schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" +# Include{persistenceBasic} + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" +# Include{persistenceAdvanced} + - variable: templates + label: "App Templates Storage" + description: "Stores the Application Templates." + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" 
+ schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" +# Include{persistenceBasic} + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" +# Include{persistenceAdvanced} + - variable: certs + label: "App Certs Storage" + description: "Stores the Application Certs." + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" + schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" +# Include{persistenceBasic} + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" +# Include{persistenceAdvanced} + - variable: geoip + label: "App GeoIP Storage" + description: "Stores the Application GeoIP." 
+ schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" + schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" +# Include{persistenceBasic} + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" +# Include{persistenceAdvanced} + +# Include{persistenceList} + + - variable: ingress + label: "" + group: "Ingress" + schema: + additional_attrs: true + type: dict + attrs: + - variable: main + label: "Main Ingress" + schema: + additional_attrs: true + type: dict + attrs: +# Include{ingressDefault} + +# Include{ingressTLS} + +# Include{ingressTraefik} + +# Include{ingressExpert} + +# Include{ingressList} + +# Include{security} + + - variable: advancedSecurity + label: "Show Advanced Security Settings" + group: "Security and Permissions" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: securityContext + label: "Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: privileged + label: "Privileged mode" + schema: + type: boolean + default: false + - variable: readOnlyRootFilesystem + label: "ReadOnly Root Filesystem" + schema: + type: boolean + default: true + - variable: allowPrivilegeEscalation + label: "Allow Privilege Escalation" + schema: + type: boolean + default: false + - 
variable: runAsNonRoot + label: "runAsNonRoot" + schema: + type: boolean + default: true +# Include{securityContextAdvanced} + + - variable: podSecurityContext + group: "Security and Permissions" + label: "Pod Security Context" + schema: + additional_attrs: true + type: dict + attrs: + - variable: runAsUser + label: "runAsUser" + description: "The UserID of the user running the application" + schema: + type: int + default: 1000 + - variable: runAsGroup + label: "runAsGroup" + description: "The groupID this App of the user running the application" + schema: + type: int + default: 1000 + - variable: fsGroup + label: "fsGroup" + description: "The group that should own ALL storage." + schema: + type: int + default: 568 +# Include{podSecurityContextAdvanced} + +# Include{resources} + +# Include{advanced} + +# Include{addons} diff --git a/charts/incubator/authentik/templates/_cronjob.tpl b/charts/incubator/authentik/templates/_cronjob.tpl new file mode 100644 index 00000000000..d8129700975 --- /dev/null +++ b/charts/incubator/authentik/templates/_cronjob.tpl 
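Review bot: The descriptions of `AK_ADMIN_PASS` and `AK_ADMIN_TOKEN` in the `secret` group ("…or always if OVERRIDE_SERVER_PROPERTIES is enabled") refer to a setting that exists nowhere in this chart and look copied from another app's questions file; suggest `description: "Only applied on the first installation."`, which is what the label already states. How the `secret` values reach the container is not visible in this commit, so confirm that wording against the common library before relying on it. Two smaller text defects in the same hunk: the `GEOIPUPDATE_EDITION_IDS` description starts with `"ist of space-separated…"` (missing `L`), and the `AUTHENTIK_EMAIL__FROM` description ends in `use a format like Name .`, where the address example appears to have been lost, most likely an angle-bracketed address stripped as markup — spell it out in words so the GUI renders it.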
@@ -0,0 +1,53 @@
+{{/* Define the cronjob */}}
+{{- define "authentik.cronjob" -}}
+{{- $jobName := include "common.names.fullname" . }}
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: {{ printf "%s-cronjob" $jobName }}
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+spec:
+ schedule: "0 */{{ .Values.geoip.freqhours }} * * *"
+ concurrencyPolicy: Forbid
+ {{- with .Values.cronjob.failedJobsHistoryLimit }}
+ failedJobsHistoryLimit: {{ . }}
+ {{- end }}
+ {{- with .Values.cronjob.successfulJobsHistoryLimit }}
+ successfulJobsHistoryLimit: {{ . }}
+ {{- end }}
+ jobTemplate:
+ metadata:
+ spec:
+ template:
+ metadata:
+ spec:
+ restartPolicy: Never
+ {{- with (include "common.controller.volumes" . | trim) }}
+ volumes:
+ {{- nindent 12 . }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}"
+ env:
+ - name: GEOIPUPDATE_FREQUENCY
+ value: "{{ .Values.geoip.GEOIPUPDATE_FREQUENCY }}"
+ - name: GEOIPUPDATE_PRESERVE_FILE_TIMES
+ value: "{{ .Values.geoip.GEOIPUPDATE_PRESERVE_FILE_TIMES }}"
+ - name: GEOIPUPDATE_ACCOUNT_ID
+ value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID }}
+ - name: GEOIPUPDATE_LICENSE_KEY
+ value: {{ .Values.geoip.GEOIPUPDATE_LICENSE_KEY }}
+ - name: GEOIPUPDATE_EDITION_IDS
+ value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS }}
+ - name: GEOIPUPDATE_HOST
+ value: {{ .Values.geoip.GEOIPUPDATE_HOST }}
+ volumeMounts:
+ - name: geoip
+ mountPath: "/usr/share/GeoIP"
+ resources:
+{{ toYaml .Values.resources | indent 16 }}
+{{- end -}}
diff --git a/charts/incubator/authentik/templates/_secrets.tpl b/charts/incubator/authentik/templates/_secrets.tpl
new file mode 100644
index 00000000000..2769adbb299
--- /dev/null
+++ b/charts/incubator/authentik/templates/_secrets.tpl
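Review bot: `GEOIPUPDATE_LICENSE_KEY` (and `GEOIPUPDATE_ACCOUNT_ID`) are rendered as plain `value:` entries in the CronJob pod spec, so the MaxMind license key is readable by anyone who can get the CronJob or its pods and shows up in every `helm get manifest`, whereas every other credential in this chart is wired through a `secretKeyRef`; rendering it into a Secret next to `authentik-secrets` keeps that pattern. The same four `value:` lines are also unquoted, unlike `GEOIPUPDATE_FREQUENCY` above them, so the empty default renders as a bare `value:` and a numeric account ID renders as an unquoted integer, which the API server rejects for the string-typed `value` field — `| quote` fixes both. Secondary: `apiVersion: batch/v1beta1` for CronJob is deprecated and `batch/v1` is available from Kubernetes 1.21, so selecting it via `.Capabilities.APIVersions.Has "batch/v1/CronJob"` would avoid breakage on newer clusters, and `freqhours: 0` yields the invalid schedule `*/0`, which deserves a minimum in questions.yaml.
```yaml
            env:
              # … unchanged: GEOIPUPDATE_FREQUENCY and GEOIPUPDATE_PRESERVE_FILE_TIMES …
              - name: GEOIPUPDATE_ACCOUNT_ID
                value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID | quote }}
              - name: GEOIPUPDATE_LICENSE_KEY
                valueFrom:
                  secretKeyRef:
                    # constructed name: render a matching Secret from .Values.geoip.GEOIPUPDATE_LICENSE_KEY
                    name: {{ printf "%s-geoip" $jobName }}
                    key: GEOIPUPDATE_LICENSE_KEY
              - name: GEOIPUPDATE_EDITION_IDS
                value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS | quote }}
              - name: GEOIPUPDATE_HOST
                value: {{ .Values.geoip.GEOIPUPDATE_HOST | quote }}
```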
@@ -0,0 +1,20 @@
+{{/* Define the secrets */}}
+{{- define "authentik.secrets" -}}
+---
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: authentik-secrets
+{{- $authentikprevious := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
+{{- $secret_key := "" }}
+data:
+ {{- if $authentikprevious}}
+ AUTHENTIK_SECRET_KEY: {{ index $authentikprevious.data "AUTHENTIK_SECRET_KEY" }}
+ {{- else }}
+ {{- $secret_key := randAlphaNum 32 }}
+ AUTHENTIK_SECRET_KEY: {{ $secret_key | b64enc }}
+ {{- end }}
+
+{{- end -}}
diff --git a/charts/incubator/authentik/templates/common.yaml b/charts/incubator/authentik/templates/common.yaml
new file mode 100644
index 00000000000..d2efa6c4e25
--- /dev/null
+++ b/charts/incubator/authentik/templates/common.yaml
@@ -0,0 +1,13 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.setup" . }}
+
+{{/* Render secrets for authentik */}}
+{{- include "authentik.secrets" . }}
+
+{{- if .Values.geoip.ENABLE_GEOIPUPDATER }}
+{{/* Render cronjob for authentik */}}
+{{- include "authentik.cronjob" . }}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "common.postSetup" . }}
diff --git a/charts/incubator/authentik/values.yaml b/charts/incubator/authentik/values.yaml
new file mode 100644
index 00000000000..e870d1c8c31
--- /dev/null
+++ b/charts/incubator/authentik/values.yaml
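Review bot: `name: authentik-secrets` and the matching `lookup` argument are hard-coded instead of derived from `common.names.fullname`, so two releases in one namespace would read and overwrite each other's `AUTHENTIK_SECRET_KEY`; renaming it to something like `{{ printf "%s-secrets" (include "common.names.fullname" .) }}` would also require updating the literal `authentik-secrets` references under `envValueFrom` and in the worker container in values.yaml. The outer `{{- $secret_key := "" }}` is dead code: the `:=` inside the `else` branch declares a new block-scoped variable, so either drop the outer line or assign with `{{- $secret_key = randAlphaNum 32 }}`. `lookup` returns an empty map under `helm template` / `--dry-run` or when the installing identity lacks RBAC to read Secrets, in which case a fresh key is generated on every render; since this key signs authentik sessions and tokens, that would presumably invalidate every active login, so a comment above the `lookup` line saying the template relies on a live cluster read to keep the key stable would help the next maintainer.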
@@ -0,0 +1,223 @@ +image: + repository: ghcr.io/goauthentik/server + tag: 2022.4.1@sha256:bb668ae68e9cbab81539fcd79bec5f2de4eefba461e35c770f35d525d48333cb + pullPolicy: IfNotPresent + +geoipImage: + repository: maxmindinc/geoipupdate + tag: v4.9@sha256:ea0b06e4b753410fa865897622f256ed4b5217ff96c5cab35c61017d18830217 + pullPolicy: IfNotPresent + +extraArgs: ["server"] + +podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + +secret: + AK_ADMIN_PASS: "supersecret" + AK_ADMIN_TOKEN: "supersecretapitoken" + +env: + AUTHENTIK_POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}" + AUTHENTIK_POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}" + AUTHENTIK_POSTGRESQL__PORT: "5432" + AUTHENTIK_REDIS__PORT: "6379" + # User Defined + AUTHENTIK_DISABLE_UPDATE_CHECK: false + AUTHENTIK_DEFAULT_USER_CHANGE_NAME: true + AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: true + AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: true + AUTHENTIK_GDPR_COMPLIANCE: true + AUTHENTIK_IMPERSONATION: true + AUTHENTIK_DISABLE_STARTUP_ANALYTICS: false + AUTHENTIK_ERROR_REPORTING__ENABLED: false + AUTHENTIK_ERROR_REPORTING__SEND_PII: false + AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " " + AUTHENTIK_DEFAULT_TOKEN_LENGTH: 128 + AUTHENTIK_AVATARS: "gravatar" + AUTHENTIK_LOG_LEVEL: "warning" + AUTHENTIK_EMAIL__HOST: "" + AUTHENTIK_EMAIL__PORT: 25 + AUTHENTIK_EMAIL__USERNAME: "" + AUTHENTIK_EMAIL__PASSWORD: "" + AUTHENTIK_EMAIL__USE_TLS: false + AUTHENTIK_EMAIL__USE_SSL: false + AUTHENTIK_EMAIL__TIMEOUT: 10 + AUTHENTIK_EMAIL__FROM: "" + +envValueFrom: + AUTHENTIK_POSTGRESQL__HOST: + secretKeyRef: + name: dbcreds + key: plainhost + AUTHENTIK_POSTGRESQL__PASSWORD: + secretKeyRef: + name: dbcreds + key: postgresql-password + AUTHENTIK_REDIS__HOST: + secretKeyRef: + name: rediscreds + key: plainhost + AUTHENTIK_REDIS__PASSWORD: + secretKeyRef: + name: rediscreds + key: redis-password + AUTHENTIK_SECRET_KEY: + secretKeyRef: + name: authentik-secrets + key: AUTHENTIK_SECRET_KEY + +geoip: + # Set image's 
frequence to 0, so it executes once and exits. + GEOIPUPDATE_FREQUENCY: 0 + # User Defined + ENABLE_GEOIPUPDATER: false + # How often should we run the cronjob to update geoip + freqhours: 8 + GEOIPUPDATE_ACCOUNT_ID: "" + GEOIPUPDATE_LICENSE_KEY: "" + GEOIPUPDATE_EDITION_IDS: "GeoIP2-City" + GEOIPUPDATE_HOST: "updates.maxmind.com" + GEOIPUPDATE_PRESERVE_FILE_TIMES: 0 + +probes: + liveness: + path: "/-/health/live" + readiness: + path: "/-/health/ready" + +service: + main: + ports: + main: + port: 10230 + targetPort: 9000 + https: + enabled: true + ports: + https: + enabled: true + protocol: "HTTPS" + port: 10229 + targetPort: 9443 + +additionalContainers: + worker: + name: worker + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + args: ["worker"] + volumeMounts: + - name: media + mountPath: "/media" + - name: templates + mountPath: "/templates" + - name: certs + mountPath: "/certs" + - name: geoip + mountPath: "/geoip" + env: + - name: AUTHENTIK_REDIS__PORT + value: "6379" + - name: AUTHENTIK_REDIS__HOST + valueFrom: + secretKeyRef: + name: rediscreds + key: plainhost + - name: AUTHENTIK_REDIS__PASSWORD + valueFrom: + secretKeyRef: + name: rediscreds + key: redis-password + - name: AUTHENTIK_POSTGRESQL__NAME + value: "{{ .Values.postgresql.postgresqlDatabase }}" + - name: AUTHENTIK_POSTGRESQL__USER + value: "{{ .Values.postgresql.postgresqlUsername }}" + - name: AUTHENTIK_POSTGRESQL__PORT + value: "5432" + - name: AUTHENTIK_POSTGRESQL__HOST + valueFrom: + secretKeyRef: + name: dbcreds + key: plainhost + - name: AUTHENTIK_POSTGRESQL__PASSWORD + valueFrom: + secretKeyRef: + name: dbcreds + key: postgresql-password + - name: AUTHENTIK_SECRET_KEY + valueFrom: + secretKeyRef: + name: authentik-secrets + key: AUTHENTIK_SECRET_KEY + - name: AUTHENTIK_LOG_LEVEL + value: "{{ .Values.env.AUTHENTIK_LOG_LEVEL }}" + - name: AUTHENTIK_DISABLE_UPDATE_CHECK + value: "{{ .Values.env.AUTHENTIK_DISABLE_UPDATE_CHECK }}" + - name: AUTHENTIK_ERROR_REPORTING__ENABLED + 
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENABLED }}" + - name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT + value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENVIRONMENT }}" + - name: AUTHENTIK_ERROR_REPORTING__SEND_PII + value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__SEND_PII }}" + - name: AUTHENTIK_EMAIL__HOST + value: "{{ .Values.env.AUTHENTIK_EMAIL__HOST }}" + - name: AUTHENTIK_EMAIL__PORT + value: "{{ .Values.env.AUTHENTIK_EMAIL__PORT }}" + - name: AUTHENTIK_EMAIL__USERNAME + value: "{{ .Values.env.AUTHENTIK_EMAIL__USERNAME }}" + - name: AUTHENTIK_EMAIL__PASSWORD + value: "{{ .Values.env.AUTHENTIK_EMAIL__PASSWORD }}" + - name: AUTHENTIK_EMAIL__USE_TLS + value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_TLS }}" + - name: AUTHENTIK_EMAIL__USE_SSL + value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_SSL }}" + - name: AUTHENTIK_EMAIL__TIMEOUT + value: "{{ .Values.env.AUTHENTIK_EMAIL__TIMEOUT }}" + - name: AUTHENTIK_EMAIL__FROM + value: "{{ .Values.env.AUTHENTIK_EMAIL__FROM }}" + - name: AUTHENTIK_AVATARS + value: "{{ .Values.env.AUTHENTIK_AVATARS }}" + - name: AUTHENTIK_DEFAULT_USER_CHANGE_NAME + value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_NAME }}" + - name: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL + value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL }}" + - name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME + value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME }}" + - name: AUTHENTIK_GDPR_COMPLIANCE + value: "{{ .Values.env.AUTHENTIK_GDPR_COMPLIANCE }}" + - name: AUTHENTIK_DEFAULT_TOKEN_LENGTH + value: "{{ .Values.env.AUTHENTIK_DEFAULT_TOKEN_LENGTH }}" + - name: AUTHENTIK_IMPERSONATION + value: "{{ .Values.env.AUTHENTIK_IMPERSONATION }}" + - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS + value: "{{ .Values.env.AUTHENTIK_DISABLE_STARTUP_ANALYTICS }}" + +cronjob: + annotations: {} + failedJobsHistoryLimit: 5 + successfulJobsHistoryLimit: 2 + +persistence: + media: + enabled: true + mountPath: "/media" + templates: + enabled: true + mountPath: "/templates" + 
certs: + enabled: true + mountPath: "/certs" + geoip: + enabled: true + mountPath: "/geoip" + +postgresql: + enabled: true + existingSecret: "dbcreds" + postgresqlUsername: baserow + postgresqlDatabase: baserow + +redis: + enabled: true + existingSecret: "rediscreds"
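Review bot: `secret.AK_ADMIN_PASS: "supersecret"` and `AK_ADMIN_TOKEN: "supersecretapitoken"` ship well-known bootstrap credentials as the chart's defaults; questions.yaml already forces the user to supply both (`required: true`, `default: ""`), so values.yaml should match with `AK_ADMIN_PASS: ""` and `AK_ADMIN_TOKEN: ""` so that a plain `helm install` with no overrides cannot seed the admin account and API token with guessable values (how `secret` is consumed is not shown here, but the labels call these initial-install credentials). Several other defaults diverge from the GUI defaults in questions.yaml — `AUTHENTIK_LOG_LEVEL: "warning"` vs `"info"`, and `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " "` (a lone space) vs `"customer"` — and one of the two files should be the source of truth. `postgresqlUsername: baserow` / `postgresqlDatabase: baserow` look copied from another chart; `authentik` for both avoids confusion when someone inspects the database later. The worker under `additionalContainers` repeats the whole env list by hand, including `AUTHENTIK_EMAIL__PASSWORD` as a plain `value:`, so any future change to `env:` has to be mirrored there; a comment above `worker:` noting that the two lists must be kept in sync would at least make that visible.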