From 38149900591a4358dd89cb860428a0a9803f50dc Mon Sep 17 00:00:00 2001
From: Tyler Perkins
Date: Fri, 22 Nov 2024 19:18:42 -0500
Subject: [PATCH] Add authentik
---
 cluster/authentik/helmrelease-authentik.yaml | 1029 ++++++++++++++++++
 cluster/authentik/sealed-secret.yaml | 17 +
 2 files changed, 1046 insertions(+)
 create mode 100644 cluster/authentik/helmrelease-authentik.yaml
 create mode 100644 cluster/authentik/sealed-secret.yaml
diff --git a/cluster/authentik/helmrelease-authentik.yaml b/cluster/authentik/helmrelease-authentik.yaml
new file mode 100644
index 0000000..d378d75
--- /dev/null
+++ b/cluster/authentik/helmrelease-authentik.yaml
@@ -0,0 +1,1029 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authentik + namespace: authentik + annotations: + force-recreate: true +spec: + chart: + spec: + chart: authentik + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + interval: 15m0s + timeout: 5m + releaseName: authentik + values: + # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible + nameOverride: "" + # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible + fullnameOverride: "" + # -- Override the Kubernetes version, which is used to evaluate certain manifests + kubeVersionOverride: "" + + + ## Globally shared configuration for authentik components. + global: + # -- Provide a name in place of `authentik` + nameOverride: "" + # -- String to fully override `"authentik.fullname"` + fullnameOverride: "" + # -- Common labels for all resources. + additionalLabels: {} + # app: authentik + + # Number of old deployment ReplicaSets to retain. The rest will be garbage collected. + revisionHistoryLimit: 3 + + # Default image used by all authentik components. For GeoIP configuration, see the geoip values below. + image: + # -- If defined, a repository applied to all authentik deployments + repository: ghcr.io/goauthentik/server + # -- Overrides the global authentik whose default is the chart appVersion + tag: "" + # -- If defined, an image digest applied to all authentik deployments + digest: "" + # -- If defined, an imagePullPolicy applied to all authentik deployments + pullPolicy: IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + # -- Annotations for all deployed Deployments + deploymentAnnotations: {} + + # -- Annotations for all deployed pods + podAnnotations: {} + + # -- Labels for all deployed pods + podLabels: {} + + # -- Add Prometheus scrape annotations to all metrics services. 
This can be used as an alternative to the ServiceMonitors. + addPrometheusAnnotations: false + + # -- Toggle and define pod-level security context. + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files + hostAliases: [] + # - ip: 10.20.30.40 + # hostnames: + # - my.hostname + + # -- Default priority class for all components + priorityClassName: "" + + # -- Default node selector for all components + nodeSelector: {} + + # -- Default tolerations for all components + tolerations: [] + + # Default affinity preset for all components + affinity: + # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard` + podAntiAffinity: soft + # Node affinity rules + nodeAffinity: + # -- Default node affinity rules. Either `none`, `soft` or `hard` + type: hard + # -- Default match expressions for node affinity + matchExpressions: [] + # - key: topology.kubernetes.io/zone + # operator: In + # values: + # - zonea + # - zoneb + + # -- Default [TopologySpreadConstraints] rules for all components + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy for all deployed Deployments + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + # -- Environment variables to pass to all deployed Deployments. 
Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: + - name: AUTHENTIK_SECRET_KEY + valueFrom: + secretKeyRef: + name: authentik-secret + key: secret-key + - name: AUTHENTIK_POSTGRESQL__PASSWORD + valueFrom: + secretKeyRef: + name: authentik-secret + key: postgres-password + - name: AUTHENTIK_REDIS__PASSWORD + valueFrom: + secretKeyRef: + name: authentik-secret + key: redis-password + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to all deployed Deployments. + # @default -- `[]` (See [values.yaml]) + volumes: [] + # - name: custom + # emptyDir: {} + + + ## Authentik configuration + authentik: + # -- Log level for server and worker + log_level: info + # -- Secret key used for cookie singing and unique user IDs, + # don't change this after the first install + secret_key: "" + events: + context_processors: + # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. + geoip: /geoip/GeoLite2-City.mmdb + # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. 
+ asn: /geoip/GeoLite2-ASN.mmdb + email: + # -- SMTP Server emails are sent from, fully optional + host: "" + # -- SMTP server port + port: 587 + # -- SMTP credentials, when left empty, no authentication will be done + username: "" + # -- SMTP credentials, when left empty, no authentication will be done + password: "" + # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. + use_tls: false + # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. + use_ssl: false + # -- Connection timeout + timeout: 30 + # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " + from: "" + outposts: + # -- Template used for managed outposts. The following placeholders can be used + # %(type)s - the type of the outpost + # %(version)s - version of your authentik install + # %(build_hash)s - only for beta versions, the build hash of the image + container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s + error_reporting: + # -- This sends anonymous usage-data, stack traces on errors and + # performance data to sentry.beryju.org, and is fully opt-in + enabled: false + # -- This is a string that is sent to sentry with your error reports + environment: "k8s" + # -- Send PII (Personally identifiable information) data to sentry + send_pii: false + postgresql: + # -- set the postgresql hostname to talk to + # if unset and .Values.postgresql.enabled == true, will generate the default + # @default -- `{{ .Release.Name }}-postgresql` + host: "postgresql.postgresql-system.svc.cluster.local" + # -- postgresql Database name + # @default -- `authentik` + name: "authentik" + # -- postgresql Username + # @default -- `authentik` + user: "authentik" + #password: "" + port: 5432 + redis: + # -- set the redis hostname to talk to + # @default -- `{{ .Release.Name }}-redis-master` + host: "redis-master.redis-system.svc.cluster.local" + #host: "{{ .Release.Name }}-redis-master" + #password: "" + + + blueprints: + # -- List of 
config maps to mount blueprints from. + # Only keys in the configMap ending with `.yaml` will be discovered and applied. + configMaps: [] + # -- List of secrets to mount blueprints from. + # Only keys in the secret ending with `.yaml` will be discovered and applied. + secrets: [] + + + ## authentik server + server: + # -- authentik server name + name: server + + # -- The number of server pods to run + replicas: 1 + + ## authentik server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server + enabled: false + # -- Minimum number of replicas for the authentik server [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the authentik server [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik server [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the authentik server [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. 
+ behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik server + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] + + ## authentik server Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik server + enabled: false + # -- Labels to be added to the authentik server pdb + labels: {} + # -- Annotations to be added to the authentik server pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) + ## Has higher precedence over `server.pdb.minAvailable` + maxUnavailable: "" + + ## authentik server image + ## This should match what is deployed in the worker. 
Prefer using global.image + image: + # -- Repository to use to the authentik server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik server + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik server + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik server. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik server. 
Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik server container + lifecycle: {} + + # -- Additional containers to be added to the authentik server pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik server pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik server main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik server pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik server Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik server pods + podAnnotations: {} + + # -- Labels to be added to the authentik server pods + podLabels: {} + + # -- Resource limits and requests for the authentik server + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # authentik server container ports + containerPorts: + # -- http container port + http: 9000 + # -- https container port + https: 9443 + # -- metrics container port + metrics: 9300 + + # -- Host Network for authentik server pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik server pods + dnsPolicy: "" + + # -- authentik server pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik server container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} 
+ # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + ## Liveness, readiness and startup probes for authentik server + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/ready/ + port: http + + startupProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 60 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be 
considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik server pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik server + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik server Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + ## authentik server service configuration + service: + # -- authentik server service annotations + annotations: {} + # -- authentik server service labels + labels: {} + # -- authentik server service type + type: LoadBalancer + # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) + nodePortHttp: 30080 + # -- authentik server service https port for NodePort service type (only if 
`server.service.type` is set to `NodePort`) + nodePortHttps: 30443 + # -- authentik server service http port + servicePortHttp: 80 + # -- authentik server service https port + servicePortHttps: 443 + # -- authentik server service http port name + servicePortHttpName: http + # -- authentik server service https port name + servicePortHttpsName: https + # -- authentik server service http port appProtocol + # servicePortHttpAppProtocol: HTTP + # -- authentik server service https port appProtocol + # servicePortHttpsAppProtocol: HTTPS + # -- LoadBalancer will get created with the IP specified in this field + loadBalancerIP: "" + # -- Source IP ranges to allow access to service from + loadBalancerSourceRanges: [] + # -- authentik server service external IPs + externalIPs: [] + # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints + externalTrafficPolicy: "" + # -- Used to maintain session affinity. Supports `ClientIP` and `None` + sessionAffinity: "" + # -- Session affinity configuration + sessionAffinityConfig: {} + + ## authentik server metrics service configuration + metrics: + # -- deploy metrics service + enabled: true + service: + # -- metrics service type + type: ClusterIP + # -- metrics service clusterIP. 
`None` makes a "headless service" (no virtual IP) + clusterIP: "" + # -- metrics service annotations + annotations: {} + # -- metrics service labels + labels: {} + # -- metrics service port + servicePort: 9300 + # -- metrics service port name + portName: metrics + serviceMonitor: + # -- enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus ServiceMonitor scrape timeout + scrapeTimeout: 3s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" + # -- Prometheus ServiceMonitor labels + labels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} + + ingress: + # -- enable an ingress resource for the authentik server + enabled: false + # -- additional ingress annotations + annotations: {} + # -- additional ingress labels + labels: {} + # -- defines which ingress controller will implement the resource + ingressClassName: "" + # -- List of ingress hosts + hosts: [] + # - authentik.domain.tld + + # -- List of ingress paths + paths: + - / + # -- Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- additional ingress paths + extraPaths: [] + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- ingress TLS configuration + tls: [] + # - secretName: authentik-tls + # hosts: + # - authentik.domain.tld + + # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` + https: false + + + ## authentik worker + worker: + # -- authentik worker name + name: worker + + # -- The number of worker pods to run + replicas: 1 + + ## authentik worker Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker + enabled: true + # -- Minimum number of replicas for the authentik worker [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the authentik worker [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik worker [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the authentik worker [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. 
+ behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik worker + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] + + ## authentik worker Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik worker + enabled: false + # -- Labels to be added to the authentik worker pdb + labels: {} + # -- Annotations to be added to the authentik worker pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) + ## Has higher precedence over `worker.pdb.minAvailable` + maxUnavailable: "" + + ## authentik worker image + ## This should match what is deployed in the server. 
Prefer using global.image + image: + # -- Repository to use to the authentik worker + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik worker + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik worker + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik worker + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: + - name: AUTHENTIK_REDIS__DB + value: "1" + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik worker. 
Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik worker container + lifecycle: {} + + # -- Additional containers to be added to the authentik worker pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik worker pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik worker main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik worker pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik worker Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik worker pods + podAnnotations: {} + + # -- Labels to be added to the authentik worker pods + podLabels: {} + + # -- Resource limits and requests for the authentik worker + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # -- Host Network for authentik worker pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik worker pods + dnsPolicy: "" + + # -- authentik worker pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik worker container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. 
+ # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + startupProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 60 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + exec: + command: + - ak + - healthcheck + + # -- terminationGracePeriodSeconds for 
container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik worker pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik worker Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + + serviceAccount: + # -- Create service account. 
Needed for managed outposts + create: true + # -- additional service account annotations + annotations: {} + serviceAccountSecret: + # As we use the authentik-remote-cluster chart as subchart, and that chart + # creates a service account secret by default which we don't need here, + # disable its creation + enabled: false + fullnameOverride: authentik + + + geoip: + # -- enable GeoIP sidecars for the authentik server and worker pods + enabled: false + + editionIds: "GeoLite2-City GeoLite2-ASN" + # -- GeoIP update frequency, in hours + updateInterval: 8 + # -- sign up under https://www.maxmind.com/en/geolite2/signup + accountId: "" + # -- sign up under https://www.maxmind.com/en/geolite2/signup + licenseKey: "" + ## use existing secret instead of values above + existingSecret: + # -- name of an existing secret to use instead of values above + secretName: "" + # -- key in the secret containing the account ID + accountId: "account_id" + # -- key in the secret containing the license key + licenseKey: "license_key" + + image: + # -- If defined, a repository for GeoIP images + repository: ghcr.io/maxmind/geoipupdate + # -- If defined, a tag for GeoIP images + tag: v6.0.0 + # -- If defined, an image digest for GeoIP images + digest: "" + # -- If defined, an imagePullPolicy for GeoIP images + pullPolicy: IfNotPresent + + # -- Environment variables to pass to the GeoIP containers + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: GEOIPUPDATE_VAR_NAME + # value: VALUE + # - name: GEOIPUPDATE_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: GEOIPUPDATE_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the GeoIP containers + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional volumeMounts to the GeoIP containers. 
Make sure the volumes exists for the server and the worker. + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Resource limits and requests for GeoIP containers + resources: {} + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # memory: 128Mi + + # -- GeoIP container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + + prometheus: + rules: + enabled: false + # -- PrometheusRule namespace + namespace: "" + # -- PrometheusRule selector + selector: {} + # prometheus: kube-prometheus + + # -- PrometheusRule labels + labels: {} + # -- PrometheusRule annotations + annotations: {} + + + postgresql: + # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values. + enabled: false + auth: + username: authentik + database: authentik + # password: "" + primary: + extendedConfiguration: | + max_connections = 500 + # persistence: + # enabled: true + # storageClass: + # accessModes: + # - ReadWriteOnce + + + redis: + # -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values. + enabled: false + architecture: standalone + auth: + enabled: false + + + # -- additional resources to deploy. Those objects are templated. + additionalObjects: [] + diff --git a/cluster/authentik/sealed-secret.yaml b/cluster/authentik/sealed-secret.yaml new file mode 100644 index 0000000..1350d03 --- /dev/null +++ b/cluster/authentik/sealed-secret.yaml 
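Review bot: `AUTHENTIK_REDIS__DB` is set to `"1"` only under `worker.env`, while the server receives just the `global.env` entries and so stays on Redis' default database; unless that split is intentional the two components will not share the same keyspace, and the entry belongs in `global.env` so both use DB 1. `force-recreate: true` under `metadata.annotations` parses as a YAML boolean, but annotation values must be strings and the API server rejects the object, so quote it: `force-recreate: "true"`. `server.service.type: LoadBalancer` together with `loadBalancerSourceRanges: []` and `ingress.enabled: false` publishes the identity provider directly on ports 80/443 to any source the load balancer admits; set the source ranges or front it with the ingress and a TLS certificate. Both `containerSecurityContext` blocks are left as `{}` with the hardening only commented out; for an IdP it is worth enabling at least `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. `apiVersion: helm.toolkit.fluxcd.io/v2beta1` is also deprecated in current Flux releases in favour of `helm.toolkit.fluxcd.io/v2`, which would keep the release from breaking on a later controller upgrade.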
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: authentik-secret
+ namespace: authentik
+spec:
+ encryptedData:
+ postgres-password: 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
+ redis-password: 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
+ secret-key: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: authentik-secret
+ namespace: authentik
+ type: Opaque
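Review bot: The SealedSecret carries no comment on its sealing scope, so a later rename of the Secret or its namespace would silently leave the controller unable to decrypt it; with no scope annotation present the default strict scope binds the ciphertext to `authentik-secret` in `authentik`. Add above `encryptedData:` a comment such as `# strict scope: ciphertext is bound to name+namespace; re-seal with kubeseal if either changes`. The encrypted values are not visible on this page, so the three keys (`postgres-password`, `redis-password`, `secret-key`) can only be checked by name against the `secretKeyRef` entries in the HelmRelease, which they do match. Since the HelmRelease values state that the secret key must not change after the first install (it signs cookies and derives unique user IDs), the same comment should say that `secret-key` is not to be rotated casually.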