image: repository: ghcr.io/goauthentik/server tag: 2024.8.2@sha256:71984fdbb7a9414f5172bb446104d3fe4ab1ab412c8b3343bb97b04449dd53eb pullPolicy: IfNotPresent geoipImage: repository: ghcr.io/maxmind/geoipupdate tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0 pullPolicy: IfNotPresent ldapImage: repository: ghcr.io/goauthentik/ldap tag: 2024.8.2@sha256:1c3988c0a59cfbd6618ff889b8bcd1e1c5f526c8897135e08188b61007ae69b8 pullPolicy: IfNotPresent radiusImage: repository: ghcr.io/goauthentik/radius tag: 2024.8.2@sha256:32742939fff87efc43cb13e54f3008b17623d832f2c6da539ec716b89cdb9734 pullPolicy: IfNotPresent proxyImage: repository: ghcr.io/goauthentik/proxy tag: 2024.8.2@sha256:154f2b91fe243fe14d7a6f7d4137404564d544b4ff830a6ff79607513200c651 pullPolicy: IfNotPresent authentik: credentials: # Only works on initial install email: my-mail@example.com password: my-password # Optional, only set if you want to use it bootstrapToken: "" general: disableUpdateCheck: false disableStartupAnalytics: true allowUserChangeName: true allowUserChangeEmail: true allowUserChangeUsername: true overwriteDefaultBlueprints: false gdprCompliance: true tokenLength: 128 impersonation: true avatars: - gravatar - initials footerLinks: - name: Authentik href: https://goauthentik.io email: host: "" port: 587 username: password: useTLS: true useSSL: false timeout: 10 from: "" ldap: tlsCiphers: "null" taskTimeoutHours: 2 logging: # info, debug, warning, error, trace logLevel: info errorReporting: enabled: false sendPII: false environment: customer sentryDSN: "" geoip: enabled: false # Ignored if enabled is true # If enabled is false, and this is true, the # built-in GeoIP database will be wiped wipeBuiltInDb: false editionID: GeoLite2-City frequency: 8 accountID: "" licenseKey: "" outposts: proxy: enabled: false token: "" radius: enabled: false token: "" ldap: enabled: false token: "" # ===== DO NOT EDIT BELOW THIS LINE ===== workload: # ===== Server ===== main: enabled: true type: Deployment podSpec: containers: main: enabled: true primary: true imageSelector: image securityContext: runAsUser: 1000 runAsGroup: 1000 # readOnlyRootFilesystem: false envFrom: - configMapRef: name: server - secretRef: name: server-worker - configMapRef: name: server-worker args: - server probes: liveness: enabled: true type: exec command: - /lifecycle/ak - healthcheck readiness: enabled: true type: exec command: - /lifecycle/ak - healthcheck startup: enabled: true type: exec command: - /lifecycle/ak - healthcheck # ===== Worker ===== worker: enabled: true type: Deployment podSpec: containers: worker: enabled: true primary: true imageSelector: image securityContext: runAsUser: 1000 runAsGroup: 1000 # readOnlyRootFilesystem: false envFrom: - secretRef: name: server-worker - configMapRef: name: server-worker args: - worker probes: liveness: enabled: true type: exec command: - /lifecycle/ak - healthcheck readiness: enabled: true type: exec command: - /lifecycle/ak - healthcheck startup: enabled: true type: exec command: - /lifecycle/ak - healthcheck # ===== PROXY ===== proxy: enabled: true type: Deployment podSpec: containers: proxy: enabled: true primary: true imageSelector: proxyImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: proxy - secretRef: name: proxy probes: liveness: enabled: true type: exec command: - /proxy - healthcheck readiness: enabled: true type: exec command: - /proxy - healthcheck startup: enabled: true type: exec command: - /proxy - healthcheck # ===== RADIUS ===== radius: enabled: true type: Deployment podSpec: containers: radius: enabled: true primary: true imageSelector: radiusImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: radius - secretRef: name: radius probes: liveness: enabled: true type: exec command: - /radius - healthcheck readiness: enabled: true type: exec command: - /radius - healthcheck startup: enabled: true type: exec command: - /radius - healthcheck # ===== LDAP ===== ldap: enabled: true type: Deployment podSpec: containers: ldap: enabled: true primary: true imageSelector: ldapImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: ldap - secretRef: name: ldap probes: liveness: enabled: true type: exec command: - /ldap - healthcheck readiness: enabled: true type: exec command: - /ldap - healthcheck startup: enabled: true type: exec command: - /ldap - healthcheck # ===== GeoIP Updater ===== geoip: enabled: true type: Deployment podSpec: containers: geoip: enabled: true primary: true imageSelector: geoipImage securityContext: runAsUser: 0 runAsGroup: 0 capabilities: disableS6Caps: true envFrom: - configMapRef: name: geoip - secretRef: name: geoip probes: liveness: enabled: false readiness: enabled: false startup: enabled: false service: # Server HTTPS main: ports: main: protocol: https port: 10229 # Server HTTP http: enabled: true type: ClusterIP ports: http: enabled: true protocol: http port: 10230 # Proxy proxy: enabled: true targetSelector: proxy ports: http: enabled: true protocol: http port: 10227 targetSelector: proxy https: enabled: true protocol: https port: 10228 targetSelector: proxy # Radius radius: enabled: true targetSelector: radius ports: radius: enabled: true protocol: udp targetSelector: radius port: 1812 # LDAP ldap: enabled: true targetSelector: ldap ports: ldap: enabled: true port: 389 targetSelector: ldap # LDAPS ldaps: enabled: true targetSelector: ldap ports: ldaps: enabled: true port: 636 targetSelector: ldap # Server Metrics servermetrics: enabled: true type: ClusterIP ports: servermetrics: enabled: true protocol: http port: 10231 # Radius Metrics radiusmetrics: enabled: true type: ClusterIP targetSelector: radius ports: radiusmetrics: enabled: true protocol: http port: 10232 targetSelector: radius # LDAP Metrics ldapmetrics: enabled: true type: ClusterIP targetSelector: ldap ports: ldapmetrics: enabled: true protocol: http port: 10233 targetSelector: ldap # Proxy Metrics proxymetrics: enabled: true type: ClusterIP targetSelector: proxy ports: proxymetrics: enabled: true protocol: http port: 10234 targetSelector: proxy persistence: media: enabled: true targetSelector: main: main: mountPath: /media worker: worker: mountPath: /media templates: enabled: true targetSelector: main: main: mountPath: /templates worker: worker: mountPath: /templates blueprints: enabled: true targetSelector: worker: worker: # This will automatically change to `/blueprints` # if `overwriteDefaultBlueprints` is set to `true # Otherwise it will respect the value specified here mountPath: /blueprints/custom certs: enabled: true mountPath: /certs targetSelector: worker: worker: mountPath: /certs geoip: enabled: true targetSelector: main: main: mountPath: /geoip worker: worker: mountPath: /geoip geoip: geoip: mountPath: /usr/share/GeoIP cnpg: main: enabled: true user: authentik database: authentik redis: enabled: true includeCommon: true portal: open: enabled: true metrics: # FIXME: Metrics do not work yet servermetrics: enabled: true type: servicemonitor endpoints: - port: "{{ .Values.service.servermetrics.ports.servermetrics.port }}" path: /metrics prometheusRule: enabled: false radiusmetrics: enabled: true type: servicemonitor endpoints: - port: "{{ .Values.service.radiusmetrics.ports.radiusmetrics.port }}" path: /metrics prometheusRule: enabled: false ldapmetrics: enabled: true type: servicemonitor endpoints: - port: "{{ .Values.service.ldapmetrics.ports.ldapmetrics.port }}" path: /metrics prometheusRule: enabled: false proxymetrics: enabled: true type: servicemonitor endpoints: - port: "{{ .Values.service.proxymetrics.ports.proxymetrics.port }}" path: /metrics prometheusRule: enabled: false updated: true ingress: main: required: true