truecharts.local
/
catalog
mirror of https://github.com/truecharts/catalog.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Commit new Chart releases for TrueCharts 

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
This commit is contained in:
TrueCharts-Bot 2023-01-30 22:27:52 +00:00
parent e2cffa25db
commit 69a278e423
20 changed files with 3925 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
stable/authentik/10.0.36/CHANGELOG.md Normal file
View File

@ -0,0 +1,99 @@
**Important:**
*for the complete changelog, please refer to the website*
## [authentik-10.0.36](https://github.com/truecharts/charts/compare/authentik-10.0.35...authentik-10.0.36) (2023-01-30)
### Chore
- update authentik to v2023.1.2
## [authentik-10.0.35](https://github.com/truecharts/charts/compare/authentik-10.0.34...authentik-10.0.35) (2023-01-24)
### Chore
- update helm general non-major ([#6689](https://github.com/truecharts/charts/issues/6689))
## [authentik-10.0.34](https://github.com/truecharts/charts/compare/authentik-10.0.33...authentik-10.0.34) (2023-01-23)
### Chore
- update helm general non-major
## [authentik-10.0.33](https://github.com/truecharts/charts/compare/authentik-10.0.32...authentik-10.0.33) (2023-01-19)
### Chore
- update authentik to v2023.1.0
## [authentik-10.0.32](https://github.com/truecharts/charts/compare/authentik-10.0.31...authentik-10.0.32) (2023-01-17)
### Chore
- update helm general non-major ([#6430](https://github.com/truecharts/charts/issues/6430))
## [authentik-10.0.31](https://github.com/truecharts/charts/compare/authentik-10.0.30...authentik-10.0.31) (2023-01-10)
### Chore
- update container image tccr.io/truecharts/authentik to v2022.12.2
## [authentik-10.0.30](https://github.com/truecharts/charts/compare/authentik-10.0.29...authentik-10.0.30) (2023-01-07)
### Chore
- update helm general non-major ([#6121](https://github.com/truecharts/charts/issues/6121))
- update container image tccr.io/truecharts/authentik-proxy to v2022.12.2
## [authentik-10.0.29](https://github.com/truecharts/charts/compare/authentik-10.0.28...authentik-10.0.29) (2023-01-07)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.12.2
## [authentik-10.0.28](https://github.com/truecharts/charts/compare/authentik-10.0.27...authentik-10.0.28) (2023-01-05)
### Chore
- update container image tccr.io/truecharts/authentik-ldap to v2022.12.1
### Fix
- don't create empty secret if geoip is not enabled
## [authentik-10.0.27](https://github.com/truecharts/charts/compare/authentik-10.0.26...authentik-10.0.27) (2023-01-04)
### Chore
- update container image tccr.io/truecharts/authentik-proxy to v2022.12.1

35
stable/authentik/10.0.36/Chart.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: v2
appVersion: "2023.1.0"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 11.1.2
- condition: postgresql.enabled
name: postgresql
repository: https://charts.truecharts.org/
version: 11.0.22
- condition: redis.enabled
name: redis
repository: https://charts.truecharts.org
version: 5.0.29
description: authentik is an open-source Identity Provider focused on flexibility and versatility.
home: https://truecharts.org/charts/stable/authentik
icon: https://truecharts.org/img/hotlink-ok/chart-icons/authentik.png
keywords:
- authentik
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: authentik
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/authentik
- https://github.com/goauthentik/authentik
- https://goauthentik.io/docs/
version: 10.0.36
annotations:
truecharts.org/catagories: |
- authentication
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U

27
stable/authentik/10.0.36/README.md Normal file
View File

@ -0,0 +1,27 @@
# README
## General Info
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
However only installations using the TrueNAS SCALE Apps system are supported.
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
*All Rights Reserved - The TrueCharts Project*

9
stable/authentik/10.0.36/app-changelog.md Normal file
View File

@ -0,0 +1,9 @@
## [authentik-10.0.36](https://github.com/truecharts/charts/compare/authentik-10.0.35...authentik-10.0.36) (2023-01-30)
### Chore
- update authentik to v2023.1.2

8
stable/authentik/10.0.36/app-readme.md Normal file
View File

@ -0,0 +1,8 @@
authentik is an open-source Identity Provider focused on flexibility and versatility.
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/stable/authentik](https://truecharts.org/charts/stable/authentik)
---
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!

BIN
stable/authentik/10.0.36/charts/common-11.1.2.tgz Normal file
View File

Binary file not shown.

BIN
stable/authentik/10.0.36/charts/postgresql-11.0.22.tgz Normal file
View File

Binary file not shown.

BIN
stable/authentik/10.0.36/charts/redis-5.0.29.tgz Normal file
View File

Binary file not shown.

258
stable/authentik/10.0.36/ix_values.yaml Normal file
View File

@ -0,0 +1,258 @@
image:
repository: tccr.io/truecharts/authentik
tag: 2023.1.0@sha256:37a5878e0adda1f176f1e5826767dbe7647e12d8591397e9d9b5a0dbb2e37fef
pullPolicy: IfNotPresent
geoipImage:
repository: tccr.io/truecharts/geoipupdate
tag: v4.9@sha256:ce42b4252c8cd4a9e39275fd7c3312e5df7bda0d7034df565af4362d7e0d26ce
pullPolicy: IfNotPresent
ldapImage:
repository: tccr.io/truecharts/authentik-ldap
tag: 2023.1.2@sha256:546a930b2c8290465a96fd5c1f0c9e3000d52477d3aa47eb10b4e472bc809f1c
pullPolicy: IfNotPresent
proxyImage:
repository: tccr.io/truecharts/authentik-proxy
tag: 2023.1.2@sha256:cacfcbfb545f83bcf747d4386b21df19ddcd9f0081c8494f9265c8532452f51e
pullPolicy: IfNotPresent
args: ["server"]
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
securityContext:
readOnlyRootFilesystem: false
workerContainer:
enabled: true
authentik:
credentials:
password: "supersecret"
general:
disable_update_check: false
disable_startup_analytics: true
allow_user_name_change: true
allow_user_mail_change: true
allow_user_username_change: true
gdpr_compliance: true
impersonation: true
avatars: "gravatar"
token_length: 128
# Use single quotes for footer_links
footer_links: '[{"name": "Link Name", "href": "https://mylink.com"}]'
mail:
host: ""
port: 25
tls: false
ssl: false
timeout: 10
user: ""
pass: ""
from: ""
error_reporting:
enabled: false
send_pii: false
environment: "customer"
logging:
log_level: "info"
ldap:
tls_ciphers: "null"
geoip:
enabled: false
account_id: ""
license_key: ""
proxy: ""
proxy_user_pass: ""
edition_ids: "GeoLite2-City"
frequency: 8
host_server: "updates.maxmind.com"
preserve_file_times: false
verbose: false
outposts:
ldap:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
proxy:
# -- First you have to create an Outpost in the GUI. Applications > Outposts
enabled: false
# -- Host Browser by default is set to the first ingress host you set
# host_browser: ""
# -- As we use https://localhost:9443 it's an unsecure connection
# insecure: false
# -- Host should not need to be overridden. Defaults to https://localhost:9443
# host: ""
# -- Token is only needed if you accidentally deleted the token within the UI
# token: ""
metrics:
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
# @default -- See values.yaml
enabled: false
serviceMonitor:
interval: 1m
scrapeTimeout: 30s
labels: {}
# -- Enable and configure Prometheus Rules for the chart under this key.
# @default -- See values.yaml
prometheusRule:
enabled: false
useDefault: true
labels: {}
# -- Configure additional rules for the chart under this key.
# @default -- See prometheusrules.yaml
rules:
[]
# - alert: UnifiPollerAbsent
# annotations:
# description: Unifi Poller has disappeared from Prometheus service discovery.
# summary: Unifi Poller is down.
# expr: |
# absent(up{job=~".*unifi-poller.*"} == 1)
# for: 5m
# labels:
# severity: critical
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-server-config'
probes:
liveness:
type: HTTPS
path: /-/health/live/
port: "{{ .Values.service.main.ports.main.targetPort }}"
readiness:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
startup:
type: HTTPS
path: /-/health/ready/
port: "{{ .Values.service.main.ports.main.targetPort }}"
service:
main:
ports:
main:
protocol: HTTPS
port: 10229
targetPort: 9443
http:
enabled: true
type: ClusterIP
ports:
http:
enabled: true
protocol: HTTP
port: 10230
targetPort: 9000
# LDAP Outpost Services
ldapldaps:
enabled: true
ports:
ldapldaps:
enabled: true
port: 636
targetPort: 6636
ldapldap:
enabled: true
ports:
ldapldap:
enabled: true
port: 389
targetPort: 3389
# Proxy Outpost Services
proxyhttps:
enabled: true
ports:
proxyhttps:
enabled: true
port: 10233
protocol: HTTPS
targetPort: 9444
proxyhttp:
enabled: true
type: ClusterIP
ports:
proxyhttp:
enabled: true
port: 10234
protocol: HTTP
targetPort: 9001
# Metrics Services
metrics:
enabled: true
type: ClusterIP
ports:
metrics:
enabled: true
protocol: HTTP
port: 10231
targetPort: 9301
ldapmetrics:
enabled: true
type: ClusterIP
ports:
ldapmetrics:
enabled: true
port: 10232
protocol: HTTP
targetPort: 9302
proxymetrics:
enabled: true
type: ClusterIP
ports:
proxymetrics:
enabled: true
port: 10235
protocol: HTTP
targetPort: 9303
ingress:
proxyhttps:
autoLink: true
persistence:
media:
enabled: true
mountPath: "/media"
templates:
enabled: true
mountPath: "/templates"
certs:
enabled: true
mountPath: "/certs"
geoip:
enabled: true
mountPath: "/geoip"
postgresql:
enabled: true
existingSecret: "dbcreds"
postgresqlUsername: authentik
postgresqlDatabase: authentik
redis:
enabled: true
existingSecret: "rediscreds"
portal:
enabled: true

2823
stable/authentik/10.0.36/questions.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

143
stable/authentik/10.0.36/templates/_config.tpl Normal file
View File

@ -0,0 +1,143 @@
{{/* Define the configmap */}}
{{- define "authentik.config" -}}
{{- $authServerWorkerConfigName := printf "%s-authentik-config" (include "tc.common.names.fullname" .) }}
{{- $authServerConfigName := printf "%s-authentik-server-config" (include "tc.common.names.fullname" .) }}
{{- $geoipConfigName := printf "%s-geoip-config" (include "tc.common.names.fullname" .) }}
{{- $ldapConfigName := printf "%s-ldap-config" (include "tc.common.names.fullname" .) }}
{{- $proxyConfigName := printf "%s-proxy-config" (include "tc.common.names.fullname" .) }}
{{ $host := printf "https://localhost:%v" .Values.service.main.ports.main.targetPort }}
{{- if .Values.ingress.main.enabled }}
{{ $first := (first .Values.ingress.main.hosts) }}
{{- if $first }}
{{ $host = printf "https://%s" $first.host }}
{{- end }}
{{- end }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerWorkerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Dependencies */}}
AUTHENTIK_REDIS__HOST: {{ printf "%v-%v" .Release.Name "redis" }}
AUTHENTIK_REDIS__PORT: "6379"
AUTHENTIK_POSTGRESQL__NAME: {{ .Values.postgresql.postgresqlDatabase }}
AUTHENTIK_POSTGRESQL__USER: {{ .Values.postgresql.postgresqlUsername }}
AUTHENTIK_POSTGRESQL__HOST: {{ printf "%v-%v" .Release.Name "postgresql" }}
AUTHENTIK_POSTGRESQL__PORT: "5432"
{{/* Mail */}}
{{- with .Values.authentik.mail.port }}
AUTHENTIK_EMAIL__PORT: {{ . | quote }}
{{- end }}
AUTHENTIK_EMAIL__USE_TLS: {{ .Values.authentik.mail.tls | quote }}
AUTHENTIK_EMAIL__USE_SSL: {{ .Values.authentik.mail.ssl | quote }}
{{- with .Values.authentik.mail.timeout }}
AUTHENTIK_EMAIL__TIMEOUT: {{ . | quote }}
{{- end }}
{{/* Logging */}}
{{- with .Values.authentik.logging.log_level }}
AUTHENTIK_LOG_LEVEL: {{ . }}
{{- end }}
{{/* General */}}
AUTHENTIK_DISABLE_STARTUP_ANALYTICS: {{ .Values.authentik.general.disable_startup_analytics | quote }}
AUTHENTIK_DISABLE_UPDATE_CHECK: {{ .Values.authentik.general.disable_update_check | quote }}
{{- with .Values.authentik.general.avatars }}
AUTHENTIK_AVATARS: {{ . }}
{{- end }}
AUTHENTIK_DEFAULT_USER_CHANGE_NAME: {{ .Values.authentik.general.allow_user_name_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL: {{ .Values.authentik.general.allow_user_mail_change | quote }}
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME: {{ .Values.authentik.general.allow_user_username_change | quote }}
AUTHENTIK_GDPR_COMPLIANCE: {{ .Values.authentik.general.gdpr_compliance | quote }}
AUTHENTIK_IMPERSONATION: {{ .Values.authentik.general.impersonation | quote }}
AUTHENTIK_DEFAULT_TOKEN_LENGTH: {{ .Values.authentik.general.token_length | quote }}
{{- with .Values.authentik.general.footer_links }}
AUTHENTIK_FOOTER_LINKS: {{ . | squote }}
{{- end }}
{{/* Error Reporting */}}
AUTHENTIK_ERROR_REPORTING__ENABLED: {{ .Values.authentik.error_reporting.enabled | quote }}
AUTHENTIK_ERROR_REPORTING__SEND_PII: {{ .Values.authentik.error_reporting.send_pii | quote }}
{{- with .Values.authentik.error_reporting.environment }}
AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: {{ . }}
{{- end }}
{{/* LDAP */}}
{{- with .Values.authentik.ldap.tls_ciphers }}
AUTHENTIK_LDAP__TLS__CIPHERS: {{ . | quote }}
{{- end }}
{{/* Outposts */}}
AUTHENTIK_OUTPOSTS__DISCOVER: {{ "false" | quote }}
---
{{/* This configmap are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $authServerConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Listen */}}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.main.ports.main.targetPort | default 9443 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.http.ports.http.targetPort | default 9000 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.metrics.ports.metrics.targetPort | default 9301 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $ldapConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.ldap.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.ldap.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.ldap.host_browser | default $host }}
AUTHENTIK_LISTEN__LDAPS: 0.0.0.0:{{ .Values.service.ldapldaps.ports.ldapldaps.targetPort | default 6636 }}
AUTHENTIK_LISTEN__LDAP: 0.0.0.0:{{ .Values.service.ldapldap.ports.ldapldap.targetPort | default 3389 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort | default 9302 }}
---
{{/* This configmap is loaded on ldap container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $proxyConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
AUTHENTIK_INSECURE: {{ .Values.outposts.proxy.insecure | default "true" | quote }}
AUTHENTIK_HOST: {{ .Values.outposts.proxy.host | default (printf "https://localhost:%v" .Values.service.main.ports.main.targetPort) }}
AUTHENTIK_HOST_BROWSER: {{ .Values.outposts.proxy.host_browser | default $host }}
AUTHENTIK_LISTEN__HTTPS: 0.0.0.0:{{ .Values.service.proxyhttps.ports.proxyhttps.targetPort | default 9444 }}
AUTHENTIK_LISTEN__HTTP: 0.0.0.0:{{ .Values.service.proxyhttp.ports.proxyhttp.targetPort | default 9001 }}
AUTHENTIK_LISTEN__METRICS: 0.0.0.0:{{ .Values.service.proxymetrics.ports.proxymetrics.targetPort | default 9303 }}
---
{{/* This configmap is loaded on geoip container */}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $geoipConfigName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.geoip.edition_ids }}
GEOIPUPDATE_EDITION_IDS: {{ . }}
{{- end }}
GEOIPUPDATE_FREQUENCY: {{ .Values.geoip.frequency | quote }}
{{- with .Values.geoip.host_server }}
GEOIPUPDATE_HOST: {{ . }}
{{- end }}
GEOIPUPDATE_PRESERVE_FILE_TIMES: {{ ternary "1" "0" .Values.geoip.preserve_file_times | quote }}
GEOIPUPDATE_VERBOSE: {{ ternary "1" "0" .Values.geoip.verbose | quote }}
{{- end -}}

20
stable/authentik/10.0.36/templates/_geoip.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/* Define the geoip container */}}
{{- define "authentik.geoip" -}}
image: {{ .Values.geoipImage.repository }}:{{ .Values.geoipImage.tag }}
imagePullPolicy: {{ .Values.geoipImage.pullPolicy }}
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: false
runAsNonRoot: false
volumeMounts:
- name: geoip
mountPath: "/usr/share/GeoIP"
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-geoip-config'
{{/* TODO: Add healthchecks */}}
{{/* TODO: https://github.com/maxmind/geoipupdate/issues/105 */}}
{{- end -}}

48
stable/authentik/10.0.36/templates/_ldap.tpl Normal file
View File

@ -0,0 +1,48 @@
{{/* Define the ldap container */}}
{{- define "authentik.ldap" -}}
image: {{ .Values.ldapImage.repository }}:{{ .Values.ldapImage.tag }}
imagePullPolicy: {{ .Values.ldapImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-ldap-config'
ports:
- containerPort: {{ .Values.service.ldapldaps.ports.ldapldaps.targetPort }}
name: ldapldaps
- containerPort: {{ .Values.service.ldapldap.ports.ldapldap.targetPort }}
name: ldapldap
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
name: ldapmetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.ldapmetrics.ports.ldapmetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

48
stable/authentik/10.0.36/templates/_proxy.tpl Normal file
View File

@ -0,0 +1,48 @@
{{/* Define the proxy container */}}
{{- define "authentik.proxy" -}}
image: {{ .Values.proxyImage.repository }}:{{ .Values.proxyImage.tag }}
imagePullPolicy: {{ .Values.proxyImage.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: true
runAsNonRoot: true
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-proxy-config'
ports:
- containerPort: {{ .Values.service.proxyhttps.ports.proxyhttps.targetPort }}
name: proxyhttps
- containerPort: {{ .Values.service.proxyhttp.ports.proxyhttp.targetPort }}
name: proxyhttp
{{- if .Values.metrics.enabled }}
- containerPort: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
name: proxymetrics
{{- end }}
readinessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
httpGet:
path: /outpost.goauthentik.io/ping
port: {{ .Values.service.proxymetrics.ports.proxymetrics.targetPort }}
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

106
stable/authentik/10.0.36/templates/_secret.tpl Normal file
View File

@ -0,0 +1,106 @@
{{/* Define the secret */}}
{{- define "authentik.secret" -}}
{{- $authentikSecretName := printf "%s-authentik-secret" (include "tc.common.names.fullname" .) }}
{{- $geoipSecretName := printf "%s-geoip-secret" (include "tc.common.names.fullname" .) }}
{{- $ldapSecretName := printf "%s-ldap-secret" (include "tc.common.names.fullname" .) }}
{{- $proxySecretName := printf "%s-proxy-secret" (include "tc.common.names.fullname" .) }}
{{- $token := randAlphaNum 128 | b64enc }}
---
{{/* This secrets are loaded on both main authentik container and worker */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $authentikSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Secret Key */}}
{{- with (lookup "v1" "Secret" .Release.Namespace $authentikSecretName) }}
AUTHENTIK_SECRET_KEY: {{ index .data "AUTHENTIK_SECRET_KEY" }}
{{ $token = index .data "AUTHENTIK_BOOTSTRAP_TOKEN" }}
{{- else }}
AUTHENTIK_SECRET_KEY: {{ randAlphaNum 32 | b64enc }}
{{- end }}
AUTHENTIK_BOOTSTRAP_TOKEN: {{ $token }}
{{/* Dependencies */}}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ .Values.postgresql.postgresqlPassword | trimAll "\"" | b64enc }}
AUTHENTIK_REDIS__PASSWORD: {{ .Values.redis.redisPassword | trimAll "\"" | b64enc }}
{{/* Credentials */}}
{{- with .Values.authentik.credentials.password }}
AUTHENTIK_BOOTSTRAP_PASSWORD: {{ . | b64enc }}
{{- end }}
{{/* Mail */}}
{{- with .Values.authentik.mail.host }}
AUTHENTIK_EMAIL__HOST: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.user }}
AUTHENTIK_EMAIL__USERNAME: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.pass }}
AUTHENTIK_EMAIL__PASSWORD: {{ . | b64enc }}
{{- end }}
{{- with .Values.authentik.mail.from }}
AUTHENTIK_EMAIL__FROM: {{ . | b64enc }}
{{- end }}
{{- if .Values.geoip.enabled }}
---
{{/* This secrets are loaded on geoip container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $geoipSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{/* Credentials */}}
{{- with .Values.geoip.account_id }}
GEOIPUPDATE_ACCOUNT_ID: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.license_key }}
GEOIPUPDATE_LICENSE_KEY: {{ . | b64enc }}
{{- end }}
{{/* Proxy */}}
{{- with .Values.geoip.proxy }}
GEOIPUPDATE_PROXY: {{ . | b64enc }}
{{- end }}
{{- with .Values.geoip.proxy_user_pass }}
GEOIPUPDATE_PROXY_USER_PASSWORD: {{ . | b64enc }}
{{- end }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $ldapSecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.ldap.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
---
{{/* This secrets are loaded on ldap container */}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $proxySecretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
{{- with .Values.outposts.proxy.token }}
AUTHENTIK_TOKEN: {{ . | b64enc }}
{{- else }}
AUTHENTIK_TOKEN: {{ $token }}
{{- end }}
{{- end }}

52
stable/authentik/10.0.36/templates/_worker.tpl Normal file
View File

@ -0,0 +1,52 @@
{{/* Define the worker container */}}
{{- define "authentik.worker" -}}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
runAsGroup: {{ .Values.podSecurityContext.runAsGroup }}
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
args: ["worker"]
envFrom:
- secretRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-secret'
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-authentik-config'
volumeMounts:
- name: media
mountPath: "/media"
- name: templates
mountPath: "/templates"
- name: certs
mountPath: "/certs"
- name: geoip
mountPath: "/geoip"
readinessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
livenessProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
startupProbe:
exec:
command:
- /lifecycle/ak
- healthcheck
initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
timeoutSeconds: 10
periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
{{- end -}}

45
stable/authentik/10.0.36/templates/common.yaml Normal file
View File

@ -0,0 +1,45 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render secret */}}
{{- include "authentik.secret" . }}
{{/* Render config */}}
{{- include "authentik.config" . }}
{{- if hasKey .Values "metrics" -}}
{{- if .Values.metrics.enabled -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/scrape" "true" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/path" "/metrics" -}}
{{- $_ := set .Values.podAnnotations "prometheus.io/port" (.Values.service.metrics.ports.metrics.targetPort | default 9301 | quote) -}}
{{- end -}}
{{- end -}}
{{- if .Values.workerContainer.enabled -}}
{{- $_ := set .Values.additionalContainers "worker" (include "authentik.worker" . | fromYaml) -}}
{{- end -}}
{{- if .Values.geoip.enabled -}}
{{- $_ := set .Values.additionalContainers "geoip" (include "authentik.geoip" . | fromYaml) -}}
{{- end -}}
{{- if .Values.outposts.ldap.enabled -}}
{{- $_ := set .Values.additionalContainers "ldap-outpost" (include "authentik.ldap" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{- if .Values.outposts.proxy.enabled -}}
{{- $_ := set .Values.additionalContainers "proxy-outpost" (include "authentik.proxy" . | fromYaml) -}}
{{/* - if .Values.metrics.enabled - */}}
{{/* https://github.com/prometheus/prometheus/issues/3756 */}}
{{/* TODO: Figure how the pipe works to connect it to prometheus operator */}}
{{/* We can't define multiple ports/endpoints with annotations */}}
{{/* - end - */}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}

160
stable/authentik/10.0.36/templates/prometheusrules.yaml Normal file
View File

@ -0,0 +1,160 @@
{{- if hasKey .Values "metrics" }}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "tc.common.names.fullname" . }}
rules:
{{- with .Values.metrics.prometheusRule.rules }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.metrics.prometheusRule.useDefault }}
- name: authentik Aggregate request counters
rules:
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
- record: job:django_http_ajax_requests_total:sum_rate30s
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
- record: job:django_http_requests_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
- record: job:django_http_responses_streaming_total:sum_rate30s
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
- record: job:django_http_responses_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
- record: job:django_http_requests_total:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
- record: job:django_http_requests_total_by_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
- record: job:django_http_requests_total_by_transport:sum_rate30s
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
- record: job:django_http_requests_total_by_view:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
- record: job:django_http_responses_total_by_templatename:sum_rate30s
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
- record: job:django_http_responses_total_by_status:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
- record: job:django_http_responses_total_by_charset:sum_rate30s
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
- record: job:django_http_exceptions_total_by_type:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
- record: job:django_http_exceptions_total_by_view:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
- name: authentik Aggregate latency histograms
rules:
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- name: authentik Aggregate model operations
rules:
- record: job:django_model_inserts_total:sum_rate1m
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
- record: job:django_model_updates_total:sum_rate1m
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
- record: job:django_model_deletes_total:sum_rate1m
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
- name: authentik Aggregate database operations
rules:
- record: job:django_db_new_connections_total:sum_rate30s
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
- record: job:django_db_new_connection_errors_total:sum_rate30s
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
- record: job:django_db_execute_total:sum_rate30s
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
- record: job:django_db_execute_many_total:sum_rate30s
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
- record: job:django_db_errors_total:sum_rate30s
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
- name: authentik Aggregate migrations
rules:
- record: job:django_migrations_applied_total:max
expr: max(django_migrations_applied_total) by (job, connection)
- record: job:django_migrations_unapplied_total:max
expr: max(django_migrations_unapplied_total) by (job, connection)
- name: authentik Alerts
rules:
- alert: NoWorkersConnected
expr: max without (pid) (authentik_admin_workers) < 1
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }}'s worker are either not running or not connected.
summary: No workers connected
for: 10m
labels:
severity: critical
- alert: PendingMigrations
expr: max without (pid) (django_migrations_unapplied_total) > 0
annotations:
message: |
authentik instance {{ printf "{{ $labels.instance }}" }} has pending database migrations
summary: Pending database migrations
for: 10m
labels:
severity: critical
- alert: FailedSystemTasks
expr: sum(increase(authentik_system_tasks{status="TaskResultStatus.ERROR"}[2h])) > 0
annotations:
message: |
System task {{ printf "{{ $labels.task_name }}" }} has failed
summary: Failed system tasks
for: 2h
labels:
severity: critical
- alert: DisconnectedOutposts
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
annotations:
message: |
Outpost {{ printf "{{ $labels.outpost }}" }} has at least 1 disconnected instance
summary: Disconnected outpost
for: 30m
labels:
severity: critical
{{- end }}
{{- end }}
{{- end }}

44
stable/authentik/10.0.36/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- if hasKey .Values "metrics" }}
{{- if .Values.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "tc.common.names.fullname" . }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "tc.common.labels.selectorLabels" . | nindent 6 }}
endpoints:
- port: metrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: ldapmetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
- port: proxymetrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- end }}
{{- end }}

0
stable/authentik/10.0.36/values.yaml Normal file
View File