diff --git a/authentik/helmrelease-authentik.yaml b/authentik/helmrelease-authentik.yaml new file mode 100644 index 0000000..19fad55 --- /dev/null +++ b/authentik/helmrelease-authentik.yaml @@ -0,0 +1,281 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authentik + namespace: authentik-ns + annotations: + force-recreate: true +spec: + chart: + spec: + chart: authentik + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + interval: 15m0s + timeout: 5m + releaseName: authentik + values: + # -- Server replicas + replicas: 1 + # -- Custom priority class for different treatment by the scheduler + priorityClassName: + # -- server securityContext + securityContext: {} + # -- server containerSecurityContext + containerSecurityContext: {} + + worker: + # -- worker replicas + replicas: 1 + # -- Custom priority class for different treatment by the scheduler + priorityClassName: + # -- worker securityContext + securityContext: {} + # -- server containerSecurityContext + containerSecurityContext: {} + + image: + repository: ghcr.io/goauthentik/server + tag: 2023.8.3 + #tag: latest + # -- optional container image digest + digest: "" + pullPolicy: IfNotPresent + pullSecrets: [] + + # -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used + initContainers: {} + + # -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used. + additionalContainers: {} + + ingress: + enabled: false + ingressClassName: "" + annotations: {} + labels: {} + hosts: + - host: authentik.domain.tld + paths: + - path: "/" + pathType: Prefix + tls: [] + + # -- Annotations to add to the server and worker deployments + annotations: {} + + # -- Annotations to add to the server and worker pods + podAnnotations: {} + + authentik: + # -- Log level for server and worker + log_level: info + # -- Secret key used for cookie singing and unique user IDs, + # don't change this after the first install + #secret_key: "" + # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled. + geoip: /geoip/GeoLite2-City.mmdb + email: + # -- SMTP Server emails are sent from, fully optional + host: "" + port: 587 + # -- SMTP credentials, when left empty, not authentication will be done + username: "" + # -- SMTP credentials, when left empty, not authentication will be done + password: "" + # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. + use_tls: false + # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. + use_ssl: false + # -- Connection timeout + timeout: 30 + # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " + from: "" + outposts: + # -- Template used for managed outposts. The following placeholders can be used + # %(type)s - the type of the outpost + # %(version)s - version of your authentik install + # %(build_hash)s - only for beta versions, the build hash of the image + container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s + error_reporting: + # -- This sends anonymous usage-data, stack traces on errors and + # performance data to sentry.beryju.org, and is fully opt-in + enabled: false + # -- This is a string that is sent to sentry with your error reports + environment: "k8s" + # -- Send PII (Personally identifiable information) data to sentry + send_pii: false + postgresql: + # -- set the postgresql hostname to talk to + # if unset and .Values.postgresql.enabled == true, will generate the default + # @default -- `{{ .Release.Name }}-postgresql` + host: "postgresql-system.postgresql.svc.cluster.local" + # -- postgresql Database name + # @default -- `authentik` + name: "authentik" + # -- postgresql Username + # @default -- `authentik` + user: "authentik" + #password: "" + port: 5432 + redis: + # -- set the redis hostname to talk to + # @default -- `{{ .Release.Name }}-redis-master` + host: "redis-system.redis-master.svc.cluster.local" + #password: "" + + # -- List of config maps to mount blueprints from. Only keys in the + # configmap ending with ".yaml" wil be discovered and applied + blueprints: [] + + # -- see configuration options at https://goauthentik.io/docs/installation/configuration/ + env: {} + # AUTHENTIK_VAR_NAME: VALUE + + envFrom: [] + # - configMapRef: + # name: special-config + + envValueFrom: + AUTHENTIK_SECRET_KEY: + secretKeyRef: + name: authentik-secret + key: secret-key + AUTHENTIK_POSTGRESQL__PASSWORD: + secretKeyRef: + name: authentik-secret + key: postgres-password + AUTHENTIK_REDIS__PASSWORD: + secretKeyRef: + name: authentik-secret + key: redis-password + + service: + # -- Service that is created to access authentik + enabled: true + type: LoadBalancer + port: 80 + name: http + protocol: TCP + labels: {} + annotations: {} + + volumes: [] + + volumeMounts: [] + + # -- affinity applied to the deployments + affinity: {} + + # -- tolerations applied to the deployments + tolerations: [] + + # -- nodeSelector applied to the deployments + nodeSelector: {} + + resources: + server: {} + worker: {} + + autoscaling: + server: + # -- Create a HPA for the server deployment + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 50 + worker: + # -- Create a HPA for the worker deployment + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + + livenessProbe: + # -- enables or disables the livenessProbe + enabled: true + httpGet: + # -- liveness probe url path + path: /-/health/live/ + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + + startupProbe: + # -- enables or disables the livenessProbe + enabled: true + httpGet: + # -- liveness probe url path + path: /-/health/live/ + port: http + failureThreshold: 60 + periodSeconds: 5 + + readinessProbe: + enabled: true + httpGet: + path: /-/health/ready/ + port: http + periodSeconds: 10 + + serviceAccount: + # -- Service account is needed for managed outposts + create: true + annotations: {} + serviceAccountSecret: + # -- As we use the authentik-remote-cluster chart as subchart, and that chart + # creates a service account secret by default which we don't need here, disable its creation + enabled: false + fullnameOverride: authentik + nameOverride: authentik + + prometheus: + serviceMonitor: + create: false + interval: 30s + scrapeTimeout: 3s + # -- labels additional on ServiceMonitor + labels: {} + rules: + create: false + # -- labels additional on PrometheusRule + labels: {} + + geoip: + # -- optional GeoIP, deploys a cronjob to download the maxmind database + enabled: false + # -- sign up under https://www.maxmind.com/en/geolite2/signup + accountId: "" + # -- sign up under https://www.maxmind.com/en/geolite2/signup + licenseKey: "" + editionIds: "GeoLite2-City" + image: maxmindinc/geoipupdate:v4.8 + # -- number of hours between update runs + updateInterval: 8 + # -- server containerSecurityContext + containerSecurityContext: {} + postgresql: + # -- enable the bundled bitnami postgresql chart + enabled: false + postgresqlMaxConnections: 500 + postgresqlUsername: "authentik" + # postgresqlPassword: "" + postgresqlDatabase: "authentik" + # persistence: + # enabled: true + # storageClass: + # accessModes: + # - ReadWriteOnce + image: + tag: 15.4.0-debian-11-r0 + redis: + # -- enable the bundled bitnami redis chart + enabled: false + architecture: standalone + auth: + enabled: false + image: + tag: 6.2.10-debian-11-r13 +