feat(authentik): add authentik (#2535)
* feat(authentik): add authentik * add secret * try something crazy * run geoip as a cronjob * test * whoops * add gui options * pin image * add secret togui * try http as main * whops * clear up * clean
This commit is contained in:
parent
484cc57392
commit
c843864fa5
|
@ -0,0 +1,34 @@
|
|||
apiVersion: v2
|
||||
appVersion: "10.6.2"
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: https://library-charts.truecharts.org
|
||||
version: 9.2.9
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://charts.truecharts.org/
|
||||
version: 7.0.48
|
||||
- condition: redis.enabled
|
||||
name: redis
|
||||
repository: https://charts.truecharts.org
|
||||
version: 2.0.40
|
||||
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
|
||||
home: https://github.com/truecharts/apps/tree/master/charts/stable/authentik
|
||||
icon: https://truecharts.org/_static/img/appicons/authentik.png
|
||||
keywords:
|
||||
- authentik
|
||||
kubeVersion: '>=1.16.0-0'
|
||||
maintainers:
|
||||
- email: info@truecharts.org
|
||||
name: TrueCharts
|
||||
url: https://truecharts.org
|
||||
name: authentik
|
||||
sources:
|
||||
- https://github.com/goauthentik/authentik
|
||||
- https://goauthentik.io/docs/
|
||||
version: 0.0.1
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- authentication
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/grade: U
|
|
@ -0,0 +1,712 @@
|
|||
# Include{groups}
|
||||
portals:
|
||||
open:
|
||||
protocols:
|
||||
- "$kubernetes-resource_configmap_portal_protocol"
|
||||
host:
|
||||
- "$kubernetes-resource_configmap_portal_host"
|
||||
ports:
|
||||
- "$kubernetes-resource_configmap_portal_port"
|
||||
questions:
|
||||
- variable: portal
|
||||
group: "Container Image"
|
||||
label: "Configure Portal Button"
|
||||
schema:
|
||||
type: dict
|
||||
hidden: true
|
||||
attrs:
|
||||
- variable: enabled
|
||||
label: "Enable"
|
||||
description: "enable the portal button"
|
||||
schema:
|
||||
hidden: true
|
||||
editable: false
|
||||
type: boolean
|
||||
default: true
|
||||
# Include{global}
|
||||
- variable: controller
|
||||
group: "Controller"
|
||||
label: ""
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: advanced
|
||||
label: "Show Advanced Controller Settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: type
|
||||
description: "Please specify type of workload to deploy"
|
||||
label: "(Advanced) Controller Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "deployment"
|
||||
required: true
|
||||
enum:
|
||||
- value: "deployment"
|
||||
description: "Deployment"
|
||||
- value: "statefulset"
|
||||
description: "Statefulset"
|
||||
- value: "daemonset"
|
||||
description: "Daemonset"
|
||||
- variable: replicas
|
||||
description: "Number of desired pod replicas"
|
||||
label: "Desired Replicas"
|
||||
schema:
|
||||
type: int
|
||||
default: 1
|
||||
required: true
|
||||
- variable: strategy
|
||||
description: "Please specify type of workload to deploy"
|
||||
label: "(Advanced) Update Strategy"
|
||||
schema:
|
||||
type: string
|
||||
default: "Recreate"
|
||||
required: true
|
||||
enum:
|
||||
- value: "Recreate"
|
||||
description: "Recreate: Kill existing pods before creating new ones"
|
||||
- value: "RollingUpdate"
|
||||
description: "RollingUpdate: Create new pods and then kill old ones"
|
||||
- value: "OnDelete"
|
||||
description: "(Legacy) OnDelete: ignore .spec.template changes"
|
||||
# Include{controllerExpert}
|
||||
- variable: secret
|
||||
group: "Container Configuration"
|
||||
label: "Image Secrets"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: AK_ADMIN_PASS
|
||||
label: "AK_ADMIN_PASS (Initial Install Only)"
|
||||
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: AK_ADMIN_TOKEN
|
||||
label: "AK_ADMIN_TOKEN (Initial Install Only)"
|
||||
description: "This will only have effect in the first installation or always if OVERRIDE_SERVER_PROPERTIES is enabled"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
required: true
|
||||
default: ""
|
||||
- variable: env
|
||||
group: "Container Configuration"
|
||||
label: "Image Environment"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_NAME"
|
||||
description: "Enable the ability for users to change their name."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL"
|
||||
description: "Enable the ability for users to change their Email address."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
|
||||
label: "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME"
|
||||
description: "Enable the ability for users to change their Usernames."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_GDPR_COMPLIANCE
|
||||
label: "AUTHENTIK_GDPR_COMPLIANCE"
|
||||
description: "When enabled, all the events caused by a user will be deleted upon the user's deletion."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_IMPERSONATION
|
||||
label: "AUTHENTIK_IMPERSONATION"
|
||||
description: "Globally enable/disable impersonation."
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: AUTHENTIK_DISABLE_UPDATE_CHECK
|
||||
label: "AUTHENTIK_DISABLE_UPDATE_CHECK"
|
||||
description: "Disable the inbuilt update-checker."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
|
||||
label: "AUTHENTIK_DISABLE_STARTUP_ANALYTICS"
|
||||
description: "Disable the startup analytics."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||
label: "AUTHENTIK_ERROR_REPORTING__ENABLED"
|
||||
description: "Enable error reporting."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__SEND_PII
|
||||
label: "AUTHENTIK_ERROR_REPORTING__SEND_PII"
|
||||
description: "Whether or not to send personal data, like usernames."
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
|
||||
label: "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT"
|
||||
description: "Unique environment that is attached to your error reports, should be set to your email address for example."
|
||||
schema:
|
||||
type: string
|
||||
default: "customer"
|
||||
- variable: AUTHENTIK_DEFAULT_TOKEN_LENGTH
|
||||
label: "AUTHENTIK_DEFAULT_TOKEN_LENGTH"
|
||||
description: "Configure the length of generated tokens. Defaults to 128."
|
||||
schema:
|
||||
type: int
|
||||
default: 128
|
||||
- variable: AUTHENTIK_AVATARS
|
||||
label: "AUTHENTIK_AVATARS"
|
||||
description: "Configure how authentik should show avatars for users."
|
||||
schema:
|
||||
type: string
|
||||
default: "gravatar"
|
||||
- variable: AUTHENTIK_LOG_LEVEL
|
||||
label: "AUTHENTIK_LOG_LEVEL"
|
||||
description: "Log level for the server and worker containers."
|
||||
schema:
|
||||
type: string
|
||||
default: "info"
|
||||
enum:
|
||||
- value: trace
|
||||
description: "trace"
|
||||
- value: debug
|
||||
description: "debug"
|
||||
- value: info
|
||||
description: "info"
|
||||
- value: warning
|
||||
description: "warning"
|
||||
- value: error
|
||||
description: "error"
|
||||
- variable: enable_mail_config
|
||||
label: "Enable Email Settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: AUTHENTIK_EMAIL__HOST
|
||||
label: "AUTHENTIK_EMAIL__HOST"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__PORT
|
||||
label: "AUTHENTIK_EMAIL__PORT"
|
||||
schema:
|
||||
type: int
|
||||
default: 25
|
||||
- variable: AUTHENTIK_EMAIL__USERNAME
|
||||
label: "AUTHENTIK_EMAIL__USERNAME"
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__PASSWORD
|
||||
label: "AUTHENTIK_EMAIL__PASSWORD"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: AUTHENTIK_EMAIL__USE_TLS
|
||||
label: "AUTHENTIK_EMAIL__USE_TLS"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_EMAIL__USE_SSL
|
||||
label: "AUTHENTIK_EMAIL__USE_SSL"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: AUTHENTIK_EMAIL__TIMEOUT
|
||||
label: "AUTHENTIK_EMAIL__TIMEOUT"
|
||||
schema:
|
||||
type: int
|
||||
default: 10
|
||||
- variable: AUTHENTIK_EMAIL__FROM
|
||||
label: "AUTHENTIK_EMAIL__FROM"
|
||||
description: "Email address authentik will send from, should have a correct @domain. To change the sender's display name, use a format like Name <account@domain>."
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: geoip
|
||||
group: "Container Configuration"
|
||||
label: "Image GeoIP Updater"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: ENABLE_GEOIPUPDATER
|
||||
label: "Enable CronJob for GeoIP Updater"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: GEOIPUPDATE_ACCOUNT_ID
|
||||
label: "GEOIPUPDATE_ACCOUNT_ID"
|
||||
description: "Your MaxMind account ID"
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: GEOIPUPDATE_LICENSE_KEY
|
||||
label: "GEOIPUPDATE_LICENSE_KEY"
|
||||
description: "Your case-sensitive MaxMind license key."
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: GEOIPUPDATE_EDITION_IDS
|
||||
label: "GEOIPUPDATE_EDITION_IDS"
|
||||
description: "ist of space-separated database edition IDs. Edition IDs may consist of letters, digits, and dashes."
|
||||
schema:
|
||||
type: string
|
||||
default: "GeoIP2-City"
|
||||
- variable: GEOIPUPDATE_HOST
|
||||
label: "GEOIPUPDATE_HOST"
|
||||
description: "The host name of the server to use. The default is updates.maxmind.com."
|
||||
schema:
|
||||
type: string
|
||||
default: "updates.maxmind.com"
|
||||
- variable: GEOIPUPDATE_PRESERVE_FILE_TIMES
|
||||
label: "GEOIPUPDATE_PRESERVE_FILE_TIMES"
|
||||
description: "Whether to preserve modification times of files downloaded from the server. This option is either 0 or 1. The default is 0."
|
||||
schema:
|
||||
type: int
|
||||
default: 0
|
||||
- variable: freqhours
|
||||
label: "FREQUENCY"
|
||||
description: "The number of hours between geoipupdate runs."
|
||||
schema:
|
||||
type: int
|
||||
default: 8
|
||||
|
||||
# Include{containerConfig}
|
||||
|
||||
- variable: service
|
||||
group: "Networking and Services"
|
||||
label: "Configure Service(s)"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: main
|
||||
label: "Main Service"
|
||||
description: "The Primary service on which the healthcheck runs, often the webUI"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: main
|
||||
label: "Main Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10230
|
||||
required: true
|
||||
- variable: advanced
|
||||
label: "Show Advanced settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: protocol
|
||||
label: "Port Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "HTTP"
|
||||
enum:
|
||||
- value: HTTP
|
||||
description: "HTTP"
|
||||
- value: "HTTPS"
|
||||
description: "HTTPS"
|
||||
- value: TCP
|
||||
description: "TCP"
|
||||
- value: "UDP"
|
||||
description: "UDP"
|
||||
- variable: nodePort
|
||||
label: "Node Port (Optional)"
|
||||
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
|
||||
schema:
|
||||
type: int
|
||||
min: 9000
|
||||
max: 65535
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9000
|
||||
- variable: https
|
||||
label: "https Service"
|
||||
description: "The https service."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{serviceSelector}
|
||||
- variable: https
|
||||
label: "https Service Port Configuration"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: port
|
||||
label: "Port"
|
||||
description: "This port exposes the container port on the service"
|
||||
schema:
|
||||
type: int
|
||||
default: 10229
|
||||
required: true
|
||||
- variable: advanced
|
||||
label: "Show Advanced settings"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: protocol
|
||||
label: "Port Type"
|
||||
schema:
|
||||
type: string
|
||||
default: "HTTPS"
|
||||
enum:
|
||||
- value: HTTP
|
||||
description: "HTTP"
|
||||
- value: "HTTPS"
|
||||
description: "HTTPS"
|
||||
- value: TCP
|
||||
description: "TCP"
|
||||
- value: "UDP"
|
||||
description: "UDP"
|
||||
- variable: nodePort
|
||||
label: "Node Port (Optional)"
|
||||
description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer"
|
||||
schema:
|
||||
type: int
|
||||
min: 9000
|
||||
max: 65535
|
||||
- variable: targetPort
|
||||
label: "Target Port"
|
||||
description: "The internal(!) port on the container the Application runs on"
|
||||
schema:
|
||||
type: int
|
||||
default: 9443
|
||||
|
||||
- variable: serviceexpert
|
||||
group: "Networking and Services"
|
||||
label: "Show Expert Config"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: hostNetwork
|
||||
group: "Networking and Services"
|
||||
label: "Host-Networking (Complicated)"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
# Include{serviceExpert}
|
||||
|
||||
# Include{serviceList}
|
||||
|
||||
- variable: persistence
|
||||
label: "Integrated Persistent Storage"
|
||||
description: "Integrated Persistent Storage"
|
||||
group: "Storage and Persistence"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: media
|
||||
label: "App Media Storage"
|
||||
description: "Stores the Application Media."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: type
|
||||
label: "Type of Storage"
|
||||
description: "Sets the persistence type, Anything other than PVC could break rollback!"
|
||||
schema:
|
||||
type: string
|
||||
default: "simplePVC"
|
||||
enum:
|
||||
- value: "simplePVC"
|
||||
description: "PVC (simple)"
|
||||
- value: "simpleHP"
|
||||
description: "HostPath (simple)"
|
||||
- value: "emptyDir"
|
||||
description: "emptyDir"
|
||||
- value: "pvc"
|
||||
description: "pvc"
|
||||
- value: "hostPath"
|
||||
description: "hostPath"
|
||||
# Include{persistenceBasic}
|
||||
- variable: hostPath
|
||||
label: "hostPath"
|
||||
description: "Path inside the container the storage is mounted"
|
||||
schema:
|
||||
show_if: [["type", "=", "hostPath"]]
|
||||
type: hostpath
|
||||
- variable: medium
|
||||
label: "EmptyDir Medium"
|
||||
schema:
|
||||
show_if: [["type", "=", "emptyDir"]]
|
||||
type: string
|
||||
default: ""
|
||||
enum:
|
||||
- value: ""
|
||||
description: "Default"
|
||||
- value: "Memory"
|
||||
description: "Memory"
|
||||
# Include{persistenceAdvanced}
|
||||
- variable: templates
|
||||
label: "App Templates Storage"
|
||||
description: "Stores the Application Templates."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: type
|
||||
label: "Type of Storage"
|
||||
description: "Sets the persistence type, Anything other than PVC could break rollback!"
|
||||
schema:
|
||||
type: string
|
||||
default: "simplePVC"
|
||||
enum:
|
||||
- value: "simplePVC"
|
||||
description: "PVC (simple)"
|
||||
- value: "simpleHP"
|
||||
description: "HostPath (simple)"
|
||||
- value: "emptyDir"
|
||||
description: "emptyDir"
|
||||
- value: "pvc"
|
||||
description: "pvc"
|
||||
- value: "hostPath"
|
||||
description: "hostPath"
|
||||
# Include{persistenceBasic}
|
||||
- variable: hostPath
|
||||
label: "hostPath"
|
||||
description: "Path inside the container the storage is mounted"
|
||||
schema:
|
||||
show_if: [["type", "=", "hostPath"]]
|
||||
type: hostpath
|
||||
- variable: medium
|
||||
label: "EmptyDir Medium"
|
||||
schema:
|
||||
show_if: [["type", "=", "emptyDir"]]
|
||||
type: string
|
||||
default: ""
|
||||
enum:
|
||||
- value: ""
|
||||
description: "Default"
|
||||
- value: "Memory"
|
||||
description: "Memory"
|
||||
# Include{persistenceAdvanced}
|
||||
- variable: certs
|
||||
label: "App Certs Storage"
|
||||
description: "Stores the Application Certs."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: type
|
||||
label: "Type of Storage"
|
||||
description: "Sets the persistence type, Anything other than PVC could break rollback!"
|
||||
schema:
|
||||
type: string
|
||||
default: "simplePVC"
|
||||
enum:
|
||||
- value: "simplePVC"
|
||||
description: "PVC (simple)"
|
||||
- value: "simpleHP"
|
||||
description: "HostPath (simple)"
|
||||
- value: "emptyDir"
|
||||
description: "emptyDir"
|
||||
- value: "pvc"
|
||||
description: "pvc"
|
||||
- value: "hostPath"
|
||||
description: "hostPath"
|
||||
# Include{persistenceBasic}
|
||||
- variable: hostPath
|
||||
label: "hostPath"
|
||||
description: "Path inside the container the storage is mounted"
|
||||
schema:
|
||||
show_if: [["type", "=", "hostPath"]]
|
||||
type: hostpath
|
||||
- variable: medium
|
||||
label: "EmptyDir Medium"
|
||||
schema:
|
||||
show_if: [["type", "=", "emptyDir"]]
|
||||
type: string
|
||||
default: ""
|
||||
enum:
|
||||
- value: ""
|
||||
description: "Default"
|
||||
- value: "Memory"
|
||||
description: "Memory"
|
||||
# Include{persistenceAdvanced}
|
||||
- variable: geoip
|
||||
label: "App GeoIP Storage"
|
||||
description: "Stores the Application GeoIP."
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: type
|
||||
label: "Type of Storage"
|
||||
description: "Sets the persistence type, Anything other than PVC could break rollback!"
|
||||
schema:
|
||||
type: string
|
||||
default: "simplePVC"
|
||||
enum:
|
||||
- value: "simplePVC"
|
||||
description: "PVC (simple)"
|
||||
- value: "simpleHP"
|
||||
description: "HostPath (simple)"
|
||||
- value: "emptyDir"
|
||||
description: "emptyDir"
|
||||
- value: "pvc"
|
||||
description: "pvc"
|
||||
- value: "hostPath"
|
||||
description: "hostPath"
|
||||
# Include{persistenceBasic}
|
||||
- variable: hostPath
|
||||
label: "hostPath"
|
||||
description: "Path inside the container the storage is mounted"
|
||||
schema:
|
||||
show_if: [["type", "=", "hostPath"]]
|
||||
type: hostpath
|
||||
- variable: medium
|
||||
label: "EmptyDir Medium"
|
||||
schema:
|
||||
show_if: [["type", "=", "emptyDir"]]
|
||||
type: string
|
||||
default: ""
|
||||
enum:
|
||||
- value: ""
|
||||
description: "Default"
|
||||
- value: "Memory"
|
||||
description: "Memory"
|
||||
# Include{persistenceAdvanced}
|
||||
|
||||
# Include{persistenceList}
|
||||
|
||||
- variable: ingress
|
||||
label: ""
|
||||
group: "Ingress"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: main
|
||||
label: "Main Ingress"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
# Include{ingressDefault}
|
||||
|
||||
# Include{ingressTLS}
|
||||
|
||||
# Include{ingressTraefik}
|
||||
|
||||
# Include{ingressExpert}
|
||||
|
||||
# Include{ingressList}
|
||||
|
||||
# Include{security}
|
||||
|
||||
- variable: advancedSecurity
|
||||
label: "Show Advanced Security Settings"
|
||||
group: "Security and Permissions"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
show_subquestions_if: true
|
||||
subquestions:
|
||||
- variable: securityContext
|
||||
label: "Security Context"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: privileged
|
||||
label: "Privileged mode"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: readOnlyRootFilesystem
|
||||
label: "ReadOnly Root Filesystem"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: allowPrivilegeEscalation
|
||||
label: "Allow Privilege Escalation"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: runAsNonRoot
|
||||
label: "runAsNonRoot"
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
# Include{securityContextAdvanced}
|
||||
|
||||
- variable: podSecurityContext
|
||||
group: "Security and Permissions"
|
||||
label: "Pod Security Context"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: runAsUser
|
||||
label: "runAsUser"
|
||||
description: "The UserID of the user running the application"
|
||||
schema:
|
||||
type: int
|
||||
default: 1000
|
||||
- variable: runAsGroup
|
||||
label: "runAsGroup"
|
||||
description: "The groupID this App of the user running the application"
|
||||
schema:
|
||||
type: int
|
||||
default: 1000
|
||||
- variable: fsGroup
|
||||
label: "fsGroup"
|
||||
description: "The group that should own ALL storage."
|
||||
schema:
|
||||
type: int
|
||||
default: 568
|
||||
# Include{podSecurityContextAdvanced}
|
||||
|
||||
# Include{resources}
|
||||
|
||||
# Include{advanced}
|
||||
|
||||
# Include{addons}
|
|
@ -0,0 +1,53 @@
|
|||
{{/* Define the cronjob */}}
|
||||
{{- define "authentik.cronjob" -}}
|
||||
{{- $jobName := include "common.names.fullname" . }}
|
||||
|
||||
---
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ printf "%s-cronjob" $jobName }}
|
||||
labels:
|
||||
{{- include "common.labels" . | nindent 4 }}
|
||||
spec:
|
||||
schedule: "0 */{{ .Values.geoip.freqhours }} * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
{{- with .Values.cronjob.failedJobsHistoryLimit }}
|
||||
failedJobsHistoryLimit: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.cronjob.successfulJobsHistoryLimit }}
|
||||
successfulJobsHistoryLimit: {{ . }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
metadata:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
{{- with (include "common.controller.volumes" . | trim) }}
|
||||
volumes:
|
||||
{{- nindent 12 . }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}"
|
||||
env:
|
||||
- name: GEOIPUPDATE_FREQUENCY
|
||||
value: "{{ .Values.geoip.GEOIPUPDATE_FREQUENCY }}"
|
||||
- name: GEOIPUPDATE_PRESERVE_FILE_TIMES
|
||||
value: "{{ .Values.geoip.GEOIPUPDATE_PRESERVE_FILE_TIMES }}"
|
||||
- name: GEOIPUPDATE_ACCOUNT_ID
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_ACCOUNT_ID }}
|
||||
- name: GEOIPUPDATE_LICENSE_KEY
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_LICENSE_KEY }}
|
||||
- name: GEOIPUPDATE_EDITION_IDS
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_EDITION_IDS }}
|
||||
- name: GEOIPUPDATE_HOST
|
||||
value: {{ .Values.geoip.GEOIPUPDATE_HOST }}
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: "/usr/share/GeoIP"
|
||||
resources:
|
||||
{{ toYaml .Values.resources | indent 16 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,20 @@
|
|||
{{/* Define the secrets */}}
|
||||
{{- define "authentik.secrets" -}}
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: authentik-secrets
|
||||
{{- $authentikprevious := lookup "v1" "Secret" .Release.Namespace "authentik-secrets" }}
|
||||
{{- $secret_key := "" }}
|
||||
data:
|
||||
{{- if $authentikprevious}}
|
||||
AUTHENTIK_SECRET_KEY: {{ index $authentikprevious.data "AUTHENTIK_SECRET_KEY" }}
|
||||
{{- else }}
|
||||
{{- $secret_key := randAlphaNum 32 }}
|
||||
AUTHENTIK_SECRET_KEY: {{ $secret_key | b64enc }}
|
||||
{{- end }}
|
||||
|
||||
{{- end -}}
|
|
@ -0,0 +1,13 @@
|
|||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "common.setup" . }}
|
||||
|
||||
{{/* Render secrets for authentik */}}
|
||||
{{- include "authentik.secrets" . }}
|
||||
|
||||
{{- if .Values.geoip.ENABLE_GEOIPUPDATER }}
|
||||
{{/* Render cronjob for authentik */}}
|
||||
{{- include "authentik.cronjob" . }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "common.postSetup" . }}
|
|
@ -0,0 +1,223 @@
|
|||
image:
|
||||
repository: ghcr.io/goauthentik/server
|
||||
tag: 2022.4.1@sha256:bb668ae68e9cbab81539fcd79bec5f2de4eefba461e35c770f35d525d48333cb
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
geoipImage:
|
||||
repository: maxmindinc/geoipupdate
|
||||
tag: v4.9@sha256:ea0b06e4b753410fa865897622f256ed4b5217ff96c5cab35c61017d18830217
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
extraArgs: ["server"]
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
|
||||
secret:
|
||||
AK_ADMIN_PASS: "supersecret"
|
||||
AK_ADMIN_TOKEN: "supersecretapitoken"
|
||||
|
||||
env:
|
||||
AUTHENTIK_POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
AUTHENTIK_POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
AUTHENTIK_POSTGRESQL__PORT: "5432"
|
||||
AUTHENTIK_REDIS__PORT: "6379"
|
||||
# User Defined
|
||||
AUTHENTIK_DISABLE_UPDATE_CHECK: false
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: true
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: true
|
||||
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: true
|
||||
AUTHENTIK_GDPR_COMPLIANCE: true
|
||||
AUTHENTIK_IMPERSONATION: true
|
||||
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: false
|
||||
AUTHENTIK_ERROR_REPORTING__ENABLED: false
|
||||
AUTHENTIK_ERROR_REPORTING__SEND_PII: false
|
||||
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: " "
|
||||
AUTHENTIK_DEFAULT_TOKEN_LENGTH: 128
|
||||
AUTHENTIK_AVATARS: "gravatar"
|
||||
AUTHENTIK_LOG_LEVEL: "warning"
|
||||
AUTHENTIK_EMAIL__HOST: ""
|
||||
AUTHENTIK_EMAIL__PORT: 25
|
||||
AUTHENTIK_EMAIL__USERNAME: ""
|
||||
AUTHENTIK_EMAIL__PASSWORD: ""
|
||||
AUTHENTIK_EMAIL__USE_TLS: false
|
||||
AUTHENTIK_EMAIL__USE_SSL: false
|
||||
AUTHENTIK_EMAIL__TIMEOUT: 10
|
||||
AUTHENTIK_EMAIL__FROM: ""
|
||||
|
||||
envValueFrom:
|
||||
AUTHENTIK_POSTGRESQL__HOST:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: plainhost
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: postgresql-password
|
||||
AUTHENTIK_REDIS__HOST:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: plainhost
|
||||
AUTHENTIK_REDIS__PASSWORD:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: redis-password
|
||||
AUTHENTIK_SECRET_KEY:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
|
||||
geoip:
|
||||
# Set image's frequence to 0, so it executes once and exits.
|
||||
GEOIPUPDATE_FREQUENCY: 0
|
||||
# User Defined
|
||||
ENABLE_GEOIPUPDATER: false
|
||||
# How often should we run the cronjob to update geoip
|
||||
freqhours: 8
|
||||
GEOIPUPDATE_ACCOUNT_ID: ""
|
||||
GEOIPUPDATE_LICENSE_KEY: ""
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoIP2-City"
|
||||
GEOIPUPDATE_HOST: "updates.maxmind.com"
|
||||
GEOIPUPDATE_PRESERVE_FILE_TIMES: 0
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
path: "/-/health/live"
|
||||
readiness:
|
||||
path: "/-/health/ready"
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
port: 10230
|
||||
targetPort: 9000
|
||||
https:
|
||||
enabled: true
|
||||
ports:
|
||||
https:
|
||||
enabled: true
|
||||
protocol: "HTTPS"
|
||||
port: 10229
|
||||
targetPort: 9443
|
||||
|
||||
additionalContainers:
|
||||
worker:
|
||||
name: worker
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
||||
args: ["worker"]
|
||||
volumeMounts:
|
||||
- name: media
|
||||
mountPath: "/media"
|
||||
- name: templates
|
||||
mountPath: "/templates"
|
||||
- name: certs
|
||||
mountPath: "/certs"
|
||||
- name: geoip
|
||||
mountPath: "/geoip"
|
||||
env:
|
||||
- name: AUTHENTIK_REDIS__PORT
|
||||
value: "6379"
|
||||
- name: AUTHENTIK_REDIS__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: plainhost
|
||||
- name: AUTHENTIK_REDIS__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: rediscreds
|
||||
key: redis-password
|
||||
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||
value: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
- name: AUTHENTIK_POSTGRESQL__USER
|
||||
value: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
- name: AUTHENTIK_POSTGRESQL__PORT
|
||||
value: "5432"
|
||||
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: plainhost
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: dbcreds
|
||||
key: postgresql-password
|
||||
- name: AUTHENTIK_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-secrets
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
- name: AUTHENTIK_LOG_LEVEL
|
||||
value: "{{ .Values.env.AUTHENTIK_LOG_LEVEL }}"
|
||||
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
|
||||
value: "{{ .Values.env.AUTHENTIK_DISABLE_UPDATE_CHECK }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__ENABLED
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENABLED }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__ENVIRONMENT
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__ENVIRONMENT }}"
|
||||
- name: AUTHENTIK_ERROR_REPORTING__SEND_PII
|
||||
value: "{{ .Values.env.AUTHENTIK_ERROR_REPORTING__SEND_PII }}"
|
||||
- name: AUTHENTIK_EMAIL__HOST
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__HOST }}"
|
||||
- name: AUTHENTIK_EMAIL__PORT
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__PORT }}"
|
||||
- name: AUTHENTIK_EMAIL__USERNAME
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USERNAME }}"
|
||||
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__PASSWORD }}"
|
||||
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_TLS }}"
|
||||
- name: AUTHENTIK_EMAIL__USE_SSL
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__USE_SSL }}"
|
||||
- name: AUTHENTIK_EMAIL__TIMEOUT
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__TIMEOUT }}"
|
||||
- name: AUTHENTIK_EMAIL__FROM
|
||||
value: "{{ .Values.env.AUTHENTIK_EMAIL__FROM }}"
|
||||
- name: AUTHENTIK_AVATARS
|
||||
value: "{{ .Values.env.AUTHENTIK_AVATARS }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_NAME
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_NAME }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL }}"
|
||||
- name: AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME }}"
|
||||
- name: AUTHENTIK_GDPR_COMPLIANCE
|
||||
value: "{{ .Values.env.AUTHENTIK_GDPR_COMPLIANCE }}"
|
||||
- name: AUTHENTIK_DEFAULT_TOKEN_LENGTH
|
||||
value: "{{ .Values.env.AUTHENTIK_DEFAULT_TOKEN_LENGTH }}"
|
||||
- name: AUTHENTIK_IMPERSONATION
|
||||
value: "{{ .Values.env.AUTHENTIK_IMPERSONATION }}"
|
||||
- name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
|
||||
value: "{{ .Values.env.AUTHENTIK_DISABLE_STARTUP_ANALYTICS }}"
|
||||
|
||||
cronjob:
|
||||
annotations: {}
|
||||
failedJobsHistoryLimit: 5
|
||||
successfulJobsHistoryLimit: 2
|
||||
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
mountPath: "/media"
|
||||
templates:
|
||||
enabled: true
|
||||
mountPath: "/templates"
|
||||
certs:
|
||||
enabled: true
|
||||
mountPath: "/certs"
|
||||
geoip:
|
||||
enabled: true
|
||||
mountPath: "/geoip"
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
existingSecret: "dbcreds"
|
||||
postgresqlUsername: baserow
|
||||
postgresqlDatabase: baserow
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
existingSecret: "rediscreds"
|
Loading…
Reference in New Issue