truecharts.local
/
catalog
mirror of https://github.com/truecharts/catalog.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Commit new Chart releases for TrueCharts 

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
This commit is contained in:
TrueCharts-Bot 2022-12-03 14:00:42 +00:00
parent 6b0670b8c5
commit 2a1b50c1fa
20 changed files with 3942 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
stable/authentik/10.0.14/CHANGELOG.md Normal file
View File

@ -0,0 +1,99 @@
**Important:**
*for the complete changelog, please refer to the website*
## [authentik-10.0.14](https://github.com/truecharts/charts/compare/authentik-10.0.13...authentik-10.0.14) (2022-12-03)
## [authentik-10.0.13](https://github.com/truecharts/charts/compare/authentik-10.0.12...authentik-10.0.13) (2022-12-03)
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.11.1
## [authentik-10.0.12](https://github.com/truecharts/charts/compare/authentik-10.0.10...authentik-10.0.12) (2022-11-30)

35
stable/authentik/10.0.14/Chart.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: v2
appVersion: "2022.11.2"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.0.4
- condition: postgresql.enabled
name: postgresql
repository: https://charts.truecharts.org/
version: 11.0.5
- condition: redis.enabled
name: redis
repository: https://charts.truecharts.org
version: 5.0.5
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
home: https://truecharts.org/docs/charts/stable/authentik
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
keywords:
- authentik
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: authentik
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 10.0.14
annotations:
truecharts.org/catagories: |
- authentication
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U

109
stable/authentik/10.0.14/README.md Normal file
View File

@ -0,0 +1,109 @@
# authentik
authentik is an open-source Identity Provider focused on flexibility and versatility.
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
This readme is just an automatically generated general guide on installing our Helm Charts and Apps.
For more information, please click here: [authentik](https://truecharts.org/docs/charts/stable/authentik)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Source Code
* <https://github.com/truecharts/charts/tree/master/charts/stable/authentik>
* <https://github.com/goauthentik/authentik>
* <https://goauthentik.io/docs/>
## Requirements
Kubernetes: `>=1.16.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
| https://charts.truecharts.org/ | postgresql | 8.0.122 |
| https://charts.truecharts.org | redis | 3.0.121 |
| https://library-charts.truecharts.org | common | 10.9.4 |
## Installing the Chart
### TrueNAS SCALE
To install this Chart on TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/docs/manual/SCALE%20Apps/Installing-an-App).
### Helm
To install the chart with the release name `authentik`
```console
helm repo add TrueCharts https://charts.truecharts.org
helm repo update
helm install authentik TrueCharts/authentik
```
## Uninstall
### TrueNAS SCALE
**Upgrading, Rolling Back and Uninstalling the Chart**
To upgrade, rollback or delete this Chart from TrueNAS SCALE check our [Quick-Start Guide](https://truecharts.org/docs/manual/SCALE%20Apps/Upgrade-rollback-delete-an-App).
### Helm
To uninstall the `authentik` deployment
```console
helm uninstall authentik
```
## Configuration
### Helm
#### Available Settings
Read through the values.yaml file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/truecharts/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/truecharts/library-charts/tree/main/charts/common).
#### Configure using the command line
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install authentik \
--set env.TZ="America/New York" \
TrueCharts/authentik
```
#### Configure using a yaml file
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install authentik TrueCharts/authentik -f values.yaml
```
#### Connecting to other charts
If you need to connect this Chart to other Charts on TrueNAS SCALE, please refer to our [Linking Charts Internally](https://truecharts.org/docs/manual/SCALE%20Apps/linking-apps) quick-start guide.
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/docs/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/apps/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
---
All Rights Reserved - The TrueCharts Project

4
stable/authentik/10.0.14/app-changelog.md Normal file
View File

@ -0,0 +1,4 @@
## [authentik-10.0.14](https://github.com/truecharts/charts/compare/authentik-10.0.13...authentik-10.0.14) (2022-12-03)

8
stable/authentik/10.0.14/app-readme.md Normal file
View File

@ -0,0 +1,8 @@
authentik is an open-source Identity Provider focused on flexibility and versatility.
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/docs/charts/stable/authentik](https://truecharts.org/docs/charts/stable/authentik)
---
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/docs/about/sponsor) or contributing back to the project any way you can!

BIN
stable/authentik/10.0.14/charts/common-11.0.4.tgz Normal file
View File

Binary file not shown.

BIN
stable/authentik/10.0.14/charts/postgresql-11.0.5.tgz Normal file
View File

Binary file not shown.

BIN
stable/authentik/10.0.14/charts/redis-5.0.5.tgz Normal file
View File

Binary file not shown.

258
stable/authentik/10.0.14/ix_values.yaml Normal file
View File

@ -0,0 +1,258 @@
image:
repository: tccr.io/truecharts/authentik
tag: 2022.11.2@sha256:693fdca0d4c0bd4cd49d6a267b602270aecdd2f7cf68adb0e4b7d2b695f216d1
pullPolicy: IfNotPresent
geoipImage:
repository: tccr.io/truecharts/geoipupdate
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
repository: tccr.io/truecharts/authentik-ldap
tag: 2022.11.3@sha256:1b915868320e0d7a932383c0b4c479823ce2fc4507255a0bdf8e8dc6f5876570
pullPolicy: IfNotPresent
proxyImage:
repository: tccr.io/truecharts/authentik-proxy
tag: 2022.11.1@sha256:4f872527575395d4be8a694c745ab2c3ebe0427f80d3278f12b5aad9c3bc7973
pullPolicy: IfNotPresent
args: ["server"]
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
securityContext:
readOnlyRootFilesystem: false
workerContainer:
enabled: true
authentik:
credentials:
password: "supersecret"
general:
disable_update_check: false
disable_startup_analytics: true
allow_user_name_change: true
allow_user_mail_change: true
allow_user_username_change: true
gdpr_compliance: true
impersonation: true
avatars: "gravatar"
token_length: 128
# Use single quotes for footer_links
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
mail:
host: ""
port: 25
tls: false
ssl: false
timeout: 10
user: ""
pass: ""
from: ""
error_reporting:
enabled: false
send_pii: false
environment: "customer"
logging:
log_level: "info"
ldap:
tls_ciphers: "null"
geoip:
enabled: false
account_id: ""
license_key: ""
proxy: ""
proxy_user_pass: ""
edition_ids: "GeoLite2-City"
frequency: 8
host_server: "updates.maxmind.com"
preserve_file_times: false
verbose: false
outposts:
ldap:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
proxy:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
metrics:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
serviceMonitor:
interval: 1m
scrapeTimeout: 30s
labels: {}
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
useDefault: true
labels: {}
# -- Configure additional rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: HTTPS
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: HTTPS
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: HTTP
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: HTTPS
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: HTTP
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: HTTP
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: HTTP
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: HTTP
targetPort: 9303
ingress:
proxyhttps:
autoLink: true
persistence:
media:
enabled: true
mountPath: "/media"
templates:
enabled: true
mountPath: "/templates"
certs:
enabled: true
mountPath: "/certs"
geoip:
enabled: true
mountPath: "/geoip"
postgresql:
enabled: true
existingSecret: "dbcreds"
postgresqlUsername: authentik
postgresqlDatabase: authentik
redis:
enabled: true
existingSecret: "rediscreds"
portal:
enabled: true

2760
stable/authentik/10.0.14/questions.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

143
stable/authentik/10.0.14/templates/_config.tpl Normal file
View File

@ -0,0 +1,143 @@
{{/* Define the configmap */}}
{{- define "authentik.config" -}}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
{{- if .Values.ingress.main.enabled }}
{{ $first := (first .Values.ingress.main.hosts) }}
{{- if $first }}
{{ $host = printf "https://%s" $first.host }}
{{- end }}
{{- end }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerWorkerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
AUTHENTIK_REDIS__PORT: "6379"
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
AUTHENTIK_POSTGRESQL__PORT: "5432"
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $proxyConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $geoipConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{- end -}}

20
stable/authentik/10.0.14/templates/_geoip.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip" -}}
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
runAsNonRoot: false
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
{{- end -}}

48
stable/authentik/10.0.14/templates/_ldap.tpl Normal file
View File

@ -0,0 +1,48 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
ports:
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
name: ldapldaps
- containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
name: ldapldap
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
name: ldapmetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

48
stable/authentik/10.0.14/templates/_proxy.tpl Normal file
View File

@ -0,0 +1,48 @@
{{/* Define the proxy container */}}
{{- define "authentik.proxy" -}}
image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
ports:
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
name: proxyhttps
- containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
name: proxyhttp
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
name: proxymetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

109
stable/authentik/10.0.14/templates/_secret.tpl Normal file
View File

@ -0,0 +1,109 @@
{{/* Define the secret */}}
{{- define "authentik.secret" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
{{- $token := randAlphaNum 128 | b64enc }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $authentikSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $geoipSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $proxySecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{- end }}

52
stable/authentik/10.0.14/templates/_worker.tpl Normal file
View File

@ -0,0 +1,52 @@
{{/* Define the worker container */}}
{{- define "authentik.worker" -}}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
readinessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: 10
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

45
stable/authentik/10.0.14/templates/common.yaml Normal file
View File

@ -0,0 +1,45 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render secret */}}
{{- include "authentik.secret" . }}
{{/* Render config */}}
{{- include "authentik.config" . }}
{{- if hasKey .Values "metrics" -}}
{{- if .Values.metrics.enabled -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
{{- end -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{- if .Values.outposts.proxy.enabled -}}
{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}

160
stable/authentik/10.0.14/templates/prometheusrules.yaml Normal file
View File

@ -0,0 +1,160 @@
{{- if hasKey .Values "metrics" }}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "tc.common.names.fullname" . }}
rules:
{{- with .Values.metrics.prometheusRule.rules }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.useDefault }}
- name: authentik Aggregate request counters
rules:
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
- record: job:django_http_ajax_requests_total:sum_rate30s
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
- record: job:django_http_requests_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
- record: job:django_http_responses_streaming_total:sum_rate30s
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
- record: job:django_http_responses_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
- record: job:django_http_requests_total:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
- record: job:django_http_requests_total_by_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
- record: job:django_http_requests_total_by_transport:sum_rate30s
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
- record: job:django_http_requests_total_by_view:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
- record: job:django_http_responses_total_by_templatename:sum_rate30s
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
- record: job:django_http_responses_total_by_status:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
- record: job:django_http_responses_total_by_charset:sum_rate30s
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
- record: job:django_http_exceptions_total_by_type:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
- record: job:django_http_exceptions_total_by_view:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
- name: authentik Aggregate latency histograms
rules:
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- name: authentik Aggregate model operations
rules:
- record: job:django_model_inserts_total:sum_rate1m
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
- record: job:django_model_updates_total:sum_rate1m
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
- record: job:django_model_deletes_total:sum_rate1m
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
- name: authentik Aggregate database operations
rules:
- record: job:django_db_new_connections_total:sum_rate30s
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
- record: job:django_db_new_connection_errors_total:sum_rate30s
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
- record: job:django_db_execute_total:sum_rate30s
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
- record: job:django_db_execute_many_total:sum_rate30s
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
- record: job:django_db_errors_total:sum_rate30s
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
- name: authentik Aggregate migrations
rules:
- record: job:django_migrations_applied_total:max
expr: max(django_migrations_applied_total) by (job, connection)
- record: job:django_migrations_unapplied_total:max
expr: max(django_migrations_unapplied_total) by (job, connection)
- name: authentik Alerts
rules:
- alert: NoWorkersConnected
expr: max without (pid) (authentik_admin_workers) < 1
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
summary: No workers connected
for: 10m
labels:
severity: critical
- alert: PendingMigrations
expr: max without (pid) (django_migrations_unapplied_total) > 0
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
summary: Pending database migrations
for: 10m
labels:
severity: critical
- alert: FailedSystemTasks
expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
annotations:
message: |
System task {{ printf "{{ $labels.task_name }}" }} has failed
summary: Failed system tasks
for: 2h
labels:
severity: critical
- alert: DisconnectedOutposts
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
annotations:
message: |
Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
summary: Disconnected outpost
for: 30m
labels:
severity: critical
{{- end }}
{{- end }}
{{- end }}

44
stable/authentik/10.0.14/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- if hasKey .Values "metrics" }}
{{- if .Values.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
endpoints:
- port: metrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: ldapmetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: proxymetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- end }}
{{- end }}

0
stable/authentik/10.0.14/values.yaml Normal file
View File