Gluttony-Cluster/authentik/helmrelease-authentik.yaml
Tyler Perkins 8a39f2dc7f
Fix expected key layout
2024-05-04 17:13:38 -04:00


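---
# Flux HelmRelease for authentik. The chart values below follow the upstream
# values.yaml layout (two-space indent, values nested under spec.values).
# NOTE(review): helm.toolkit.fluxcd.io/v2beta1 is an older HelmRelease API
# version — confirm the Flux version in this cluster still serves it.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik-ns
  annotations:
    # Annotation values are strings (map[string]string); a bare `true` is a
    # YAML boolean and the API server rejects the object when decoding it.
    # NOTE(review): `force-recreate` is not a Flux-defined annotation as far
    # as this file shows — confirm which controller, if any, consumes it.
    force-recreate: "true"
spec:
  chart:
    spec:
      chart: authentik
      sourceRef:
        kind: HelmRepository
        name: authentik
        namespace: flux-system
  # Reconcile interval (required by the HelmRelease API) and the
  # install/upgrade timeout for the release.
  interval: 15m0s
  timeout: 5m
  releaseName: authentik
  values:
    # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
    nameOverride: ""
    # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
    fullnameOverride: ""
    # -- Override the Kubernetes version, which is used to evaluate certain manifests
    kubeVersionOverride: ""

    ## Globally shared configuration for authentik components.
    global:
      # -- Provide a name in place of `authentik`
      nameOverride: ""
      # -- String to fully override `"authentik.fullname"`
      fullnameOverride: ""
      # -- Common labels for all resources.
      additionalLabels: {}
        # app: authentik
      # Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
      revisionHistoryLimit: 3
      # Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
      image:
        # -- If defined, a repository applied to all authentik deployments
        repository: ghcr.io/goauthentik/server
        # -- Overrides the global authentik image tag, whose default is the chart appVersion
        tag: ""
        # -- If defined, an image digest applied to all authentik deployments
        digest: ""
        # -- If defined, an imagePullPolicy applied to all authentik deployments
        pullPolicy: IfNotPresent
      # -- Secrets with credentials to pull images from a private registry
      imagePullSecrets: []
      # -- Annotations for all deployed Deployments
      deploymentAnnotations: {}
      # -- Annotations for all deployed pods
      podAnnotations: {}
      # -- Labels for all deployed pods
      podLabels: {}
      # -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
      addPrometheusAnnotations: false
      # -- Toggle and define pod-level security context.
      # @default -- `{}` (See [values.yaml])
      securityContext: {}
        # runAsUser: 1000
        # runAsGroup: 1000
        # fsGroup: 1000
      # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
      hostAliases: []
        # - ip: 10.20.30.40
        #   hostnames:
        #     - my.hostname
      # -- Default priority class for all components
      priorityClassName: ""
      # -- Default node selector for all components
      nodeSelector: {}
      # -- Default tolerations for all components
      tolerations: []
      # Default affinity preset for all components
      affinity:
        # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard`
        podAntiAffinity: soft
        # Node affinity rules
        nodeAffinity:
          # -- Default node affinity rules. Either `none`, `soft` or `hard`
          type: hard
          # -- Default match expressions for node affinity
          matchExpressions: []
            # - key: topology.kubernetes.io/zone
            #   operator: In
            #   values:
            #     - zonea
            #     - zoneb
      # -- Default [TopologySpreadConstraints] rules for all components
      ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
      topologySpreadConstraints: []
        # - maxSkew: 1
        #   topologyKey: topology.kubernetes.io/zone
        #   whenUnsatisfiable: DoNotSchedule
      # -- Deployment strategy for all deployed Deployments
      deploymentStrategy: {}
        # type: RollingUpdate
        # rollingUpdate:
        #   maxSurge: 25%
        #   maxUnavailable: 25%
      # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
      # See configuration options at https://goauthentik.io/docs/installation/configuration/
      # @default -- `[]` (See [values.yaml])
      # Secrets are referenced from the `authentik-secret` Secret in the release
      # namespace rather than written into this file.
      env:
        - name: AUTHENTIK_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: authentik-secret
              key: secret-key
        - name: AUTHENTIK_POSTGRESQL__PASSWORD
          valueFrom:
            secretKeyRef:
              name: authentik-secret
              key: postgres-password
        - name: AUTHENTIK_REDIS__PASSWORD
          valueFrom:
            secretKeyRef:
              name: authentik-secret
              key: redis-password
        # - name: AUTHENTIK_VAR_NAME
        #   value: VALUE
        # - name: AUTHENTIK_VAR_OTHER
        #   valueFrom:
        #     secretKeyRef:
        #       name: secret-name
        #       key: secret-key
        # - name: AUTHENTIK_VAR_ANOTHER
        #   valueFrom:
        #     configMapKeyRef:
        #       name: config-map-name
        #       key: config-map-key
      # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP
      # @default -- `[]` (See [values.yaml])
      envFrom: []
        # - configMapRef:
        #     name: config-map-name
        # - secretRef:
        #     name: secret-name
      # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
      # @default -- `[]` (See [values.yaml])
      volumeMounts: []
        # - name: custom
        #   mountPath: /custom
      # -- Additional volumes to all deployed Deployments.
      # @default -- `[]` (See [values.yaml])
      volumes: []
        # - name: custom
        #   emptyDir: {}

    ## Authentik configuration
    authentik:
      # -- Log level for server and worker
      log_level: info
      # -- Secret key used for cookie signing and unique user IDs,
      # don't change this after the first install
      # Left empty on purpose: the key is injected via global.env
      # (AUTHENTIK_SECRET_KEY from the `authentik-secret` Secret), so the
      # plaintext never lives in this values file.
      secret_key: ""
      events:
        context_processors:
          # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
          geoip: /geoip/GeoLite2-City.mmdb
          # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
          asn: /geoip/GeoLite2-ASN.mmdb
      email:
        # -- SMTP Server emails are sent from, fully optional
        host: ""
        # -- SMTP server port
        port: 587
        # -- SMTP credentials, when left empty, no authentication will be done
        username: ""
        # -- SMTP credentials, when left empty, no authentication will be done
        password: ""
        # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
        use_tls: false
        # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
        use_ssl: false
        # -- Connection timeout
        timeout: 30
        # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
        from: ""
      outposts:
        # -- Template used for managed outposts. The following placeholders can be used
        # %(type)s - the type of the outpost
        # %(version)s - version of your authentik install
        # %(build_hash)s - only for beta versions, the build hash of the image
        container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
      error_reporting:
        # -- This sends anonymous usage-data, stack traces on errors and
        # performance data to sentry.beryju.org, and is fully opt-in
        enabled: false
        # -- This is a string that is sent to sentry with your error reports
        environment: "k8s"
        # -- Send PII (Personally identifiable information) data to sentry
        send_pii: false
      postgresql:
        # -- set the postgresql hostname to talk to
        # if unset and .Values.postgresql.enabled == true, will generate the default
        # @default -- `{{ .Release.Name }}-postgresql`
        host: "postgresql.postgresql-system.svc.cluster.local"
        # -- postgresql Database name
        # @default -- `authentik`
        name: "authentik"
        # -- postgresql Username
        # @default -- `authentik`
        user: "authentik"
        # password is supplied via AUTHENTIK_POSTGRESQL__PASSWORD in global.env
        # password: ""
        port: 5432
      redis:
        # -- set the redis hostname to talk to
        # @default -- `{{ .Release.Name }}-redis-master`
        host: "redis-master.redis-system.svc.cluster.local"
        # host: "{{ .Release.Name }}-redis-master"
        # password is supplied via AUTHENTIK_REDIS__PASSWORD in global.env
        # password: ""

    blueprints:
      # -- List of config maps to mount blueprints from.
      # Only keys in the configMap ending with `.yaml` will be discovered and applied.
      configMaps: []
      # -- List of secrets to mount blueprints from.
      # Only keys in the secret ending with `.yaml` will be discovered and applied.
      secrets: []

    ## authentik server
    server:
      # -- authentik server name
      name: server
      # -- The number of server pods to run
      replicas: 1

      ## authentik server Horizontal Pod Autoscaler
      autoscaling:
        # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server
        enabled: false
        # -- Minimum number of replicas for the authentik server [HPA]
        minReplicas: 1
        # -- Maximum number of replicas for the authentik server [HPA]
        maxReplicas: 5
        # -- Average CPU utilization percentage for the authentik server [HPA]
        targetCPUUtilizationPercentage: 50
        # -- Average memory utilization percentage for the authentik server [HPA]
        targetMemoryUtilizationPercentage: ~
        # -- Configures the scaling behavior of the target in both Up and Down directions.
        behavior: {}
          # scaleDown:
          #   stabilizationWindowSeconds: 300
          #   policies:
          #     - type: Pods
          #       value: 1
          #       periodSeconds: 180
          # scaleUp:
          #   stabilizationWindowSeconds: 300
          #   policies:
          #     - type: Pods
          #       value: 2
          #       periodSeconds: 60
        # -- Configures custom HPA metrics for the authentik server
        # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
        metrics: []

      ## authentik server Pod Disruption Budget
      ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
      pdb:
        # -- Deploy a [PodDisruptionBudget] for the authentik server
        enabled: false
        # -- Labels to be added to the authentik server pdb
        labels: {}
        # -- Annotations to be added to the authentik server pdb
        annotations: {}
        # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
        # @default -- `""` (defaults to 0 if not specified)
        minAvailable: ""
        # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
        ## Has higher precedence over `server.pdb.minAvailable`
        maxUnavailable: ""

      ## authentik server image
      ## This should match what is deployed in the worker. Prefer using global.image
      image:
        # -- Repository to use for the authentik server
        # @default -- `""` (defaults to global.image.repository)
        repository: ""  # defaults to global.image.repository
        # -- Tag to use for the authentik server
        # @default -- `""` (defaults to global.image.tag)
        tag: ""  # defaults to global.image.tag
        # -- Digest to use for the authentik server
        # @default -- `""` (defaults to global.image.digest)
        digest: ""  # defaults to global.image.digest
        # -- Image pull policy to use for the authentik server
        # @default -- `""` (defaults to global.image.pullPolicy)
        pullPolicy: ""  # defaults to global.image.pullPolicy

      # -- Secrets with credentials to pull images from a private registry
      # @default -- `[]` (defaults to global.imagePullSecrets)
      imagePullSecrets: []

      # -- Environment variables to pass to the authentik server. Does not apply to GeoIP
      # See configuration options at https://goauthentik.io/docs/installation/configuration/
      # @default -- `[]` (See [values.yaml])
      env: []
        # - name: AUTHENTIK_VAR_NAME
        #   value: VALUE
        # - name: AUTHENTIK_VAR_OTHER
        #   valueFrom:
        #     secretKeyRef:
        #       name: secret-name
        #       key: secret-key
        # - name: AUTHENTIK_VAR_ANOTHER
        #   valueFrom:
        #     configMapKeyRef:
        #       name: config-map-name
        #       key: config-map-key

      # -- envFrom to pass to the authentik server. Does not apply to GeoIP
      # @default -- `[]` (See [values.yaml])
      envFrom: []
        # - configMapRef:
        #     name: config-map-name
        # - secretRef:
        #     name: secret-name

      # -- Specify postStart and preStop lifecycle hooks for your authentik server container
      lifecycle: {}

      # -- Additional containers to be added to the authentik server pod
      ## Note: Supports use of custom Helm templates
      extraContainers: []
        # - name: my-sidecar
        #   image: nginx:latest

      # -- Init containers to add to the authentik server pod
      ## Note: Supports use of custom Helm templates
      initContainers: []
        # - name: download-tools
        #   image: alpine:3
        #   command: [sh, -c]
        #   args:
        #     - echo init

      # -- Additional volumeMounts to the authentik server main container
      volumeMounts: []
        # - name: custom
        #   mountPath: /custom

      # -- Additional volumes to the authentik server pod
      volumes: []
        # - name: custom
        #   emptyDir: {}

      # -- Annotations to be added to the authentik server Deployment
      deploymentAnnotations: {}
      # -- Annotations to be added to the authentik server pods
      podAnnotations: {}
      # -- Labels to be added to the authentik server pods
      podLabels: {}

      # -- Resource limits and requests for the authentik server
      resources: {}
        # requests:
        #   cpu: 100m
        #   memory: 512Mi
        # limits:
        #   memory: 512Mi

      # authentik server container ports
      containerPorts:
        # -- http container port
        http: 9000
        # -- https container port
        https: 9443
        # -- metrics container port
        metrics: 9300

      # -- Host Network for authentik server pods
      hostNetwork: false
      # -- [DNS configuration]
      dnsConfig: {}
      # -- Alternative DNS policy for authentik server pods
      dnsPolicy: ""

      # -- authentik server pod-level security context
      # @default -- `{}` (See [values.yaml])
      securityContext: {}
        # runAsUser: 1000
        # runAsGroup: 1000
        # fsGroup: 1000

      # -- authentik server container-level security context
      # @default -- See [values.yaml]
      # NOTE(review): left at the chart default; the hardening options below
      # (non-root, read-only rootfs, no privilege escalation, drop ALL) are
      # worth enabling once they have been tested against this deployment.
      containerSecurityContext: {}
        # Not all of the following has been tested. Use at your own risk.
        # runAsNonRoot: true
        # readOnlyRootFilesystem: true
        # allowPrivilegeEscalation: false
        # seccompProfile:
        #   type: RuntimeDefault
        # capabilities:
        #   drop:
        #     - ALL

      ## Liveness, readiness and startup probes for authentik server
      ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
      livenessProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 3
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 5
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        httpGet:
          path: /-/health/live/
          port: http
      readinessProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 3
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 5
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        httpGet:
          path: /-/health/ready/
          port: http
      startupProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 60
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 5
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        httpGet:
          path: /-/health/live/
          port: http

      # -- terminationGracePeriodSeconds for container lifecycle hook
      terminationGracePeriodSeconds: 30

      # -- Priority class for the authentik server pods
      # @default -- `""` (defaults to global.priorityClassName)
      priorityClassName: ""
      # -- [Node selector]
      # @default -- `{}` (defaults to global.nodeSelector)
      nodeSelector: {}
      # -- [Tolerations] for use with node taints
      # @default -- `[]` (defaults to global.tolerations)
      tolerations: []
      # -- Assign custom [affinity] rules to the deployment
      # @default -- `{}` (defaults to the global.affinity preset)
      affinity: {}
      # -- Assign custom [TopologySpreadConstraints] rules to the authentik server
      # @default -- `[]` (defaults to global.topologySpreadConstraints)
      ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
      ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
      topologySpreadConstraints: []
        # - maxSkew: 1
        #   topologyKey: topology.kubernetes.io/zone
        #   whenUnsatisfiable: DoNotSchedule

      # -- Deployment strategy to be added to the authentik server Deployment
      # @default -- `{}` (defaults to global.deploymentStrategy)
      deploymentStrategy: {}
        # type: RollingUpdate
        # rollingUpdate:
        #   maxSurge: 25%
        #   maxUnavailable: 25%

      ## authentik server service configuration
      service:
        # -- authentik server service annotations
        annotations: {}
        # -- authentik server service labels
        labels: {}
        # -- authentik server service type
        # NOTE(review): LoadBalancer with an empty loadBalancerSourceRanges
        # accepts traffic from any source the load balancer admits — confirm
        # this exposure is intended for this cluster.
        type: LoadBalancer
        # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`)
        nodePortHttp: 30080
        # -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`)
        nodePortHttps: 30443
        # -- authentik server service http port
        servicePortHttp: 80
        # -- authentik server service https port
        servicePortHttps: 443
        # -- authentik server service http port name
        servicePortHttpName: http
        # -- authentik server service https port name
        servicePortHttpsName: https
        # -- authentik server service http port appProtocol
        # servicePortHttpAppProtocol: HTTP
        # -- authentik server service https port appProtocol
        # servicePortHttpsAppProtocol: HTTPS
        # -- LoadBalancer will get created with the IP specified in this field
        loadBalancerIP: ""
        # -- Source IP ranges to allow access to service from
        loadBalancerSourceRanges: []
        # -- authentik server service external IPs
        externalIPs: []
        # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints
        externalTrafficPolicy: ""
        # -- Used to maintain session affinity. Supports `ClientIP` and `None`
        sessionAffinity: ""
        # -- Session affinity configuration
        sessionAffinityConfig: {}

      ## authentik server metrics service configuration
      metrics:
        # -- deploy metrics service
        enabled: true
        service:
          # -- metrics service type
          type: ClusterIP
          # -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
          clusterIP: ""
          # -- metrics service annotations
          annotations: {}
          # -- metrics service labels
          labels: {}
          # -- metrics service port
          servicePort: 9300
          # -- metrics service port name
          portName: metrics
        serviceMonitor:
          # -- enable a prometheus ServiceMonitor
          enabled: false
          # -- Prometheus ServiceMonitor interval
          interval: 30s
          # -- Prometheus ServiceMonitor scrape timeout
          scrapeTimeout: 3s
          # -- Prometheus [RelabelConfigs] to apply to samples before scraping
          relabelings: []
          # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
          metricRelabelings: []
          # -- Prometheus ServiceMonitor selector
          selector: {}
            # prometheus: kube-prometheus
          # -- Prometheus ServiceMonitor scheme
          scheme: ""
          # -- Prometheus ServiceMonitor tlsConfig
          tlsConfig: {}
          # -- Prometheus ServiceMonitor namespace
          namespace: ""
          # -- Prometheus ServiceMonitor labels
          labels: {}
          # -- Prometheus ServiceMonitor annotations
          annotations: {}

      ingress:
        # -- enable an ingress resource for the authentik server
        enabled: false
        # -- additional ingress annotations
        annotations: {}
        # -- additional ingress labels
        labels: {}
        # -- defines which ingress controller will implement the resource
        ingressClassName: ""
        # -- List of ingress hosts
        hosts: []
          # - authentik.domain.tld
        # -- List of ingress paths
        paths:
          - /
        # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
        pathType: Prefix
        # -- additional ingress paths
        extraPaths: []
          # - path: /*
          #   pathType: Prefix
          #   backend:
          #     service:
          #       name: ssl-redirect
          #       port:
          #         name: use-annotation
        # -- ingress TLS configuration
        tls: []
          # - secretName: authentik-tls
          #   hosts:
          #     - authentik.domain.tld
        # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
        https: false

    ## authentik worker
    worker:
      # -- authentik worker name
      name: worker
      # -- The number of worker pods to run
      replicas: 1

      ## authentik worker Horizontal Pod Autoscaler
      autoscaling:
        # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker
        enabled: true
        # -- Minimum number of replicas for the authentik worker [HPA]
        minReplicas: 1
        # -- Maximum number of replicas for the authentik worker [HPA]
        maxReplicas: 5
        # -- Average CPU utilization percentage for the authentik worker [HPA]
        targetCPUUtilizationPercentage: 50
        # -- Average memory utilization percentage for the authentik worker [HPA]
        targetMemoryUtilizationPercentage: ~
        # -- Configures the scaling behavior of the target in both Up and Down directions.
        behavior: {}
          # scaleDown:
          #   stabilizationWindowSeconds: 300
          #   policies:
          #     - type: Pods
          #       value: 1
          #       periodSeconds: 180
          # scaleUp:
          #   stabilizationWindowSeconds: 300
          #   policies:
          #     - type: Pods
          #       value: 2
          #       periodSeconds: 60
        # -- Configures custom HPA metrics for the authentik worker
        # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
        metrics: []

      ## authentik worker Pod Disruption Budget
      ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
      pdb:
        # -- Deploy a [PodDisruptionBudget] for the authentik worker
        enabled: false
        # -- Labels to be added to the authentik worker pdb
        labels: {}
        # -- Annotations to be added to the authentik worker pdb
        annotations: {}
        # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
        # @default -- `""` (defaults to 0 if not specified)
        minAvailable: ""
        # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
        ## Has higher precedence over `worker.pdb.minAvailable`
        maxUnavailable: ""

      ## authentik worker image
      ## This should match what is deployed in the server. Prefer using global.image
      image:
        # -- Repository to use for the authentik worker
        # @default -- `""` (defaults to global.image.repository)
        repository: ""  # defaults to global.image.repository
        # -- Tag to use for the authentik worker
        # @default -- `""` (defaults to global.image.tag)
        tag: ""  # defaults to global.image.tag
        # -- Digest to use for the authentik worker
        # @default -- `""` (defaults to global.image.digest)
        digest: ""  # defaults to global.image.digest
        # -- Image pull policy to use for the authentik worker
        # @default -- `""` (defaults to global.image.pullPolicy)
        pullPolicy: ""  # defaults to global.image.pullPolicy

      # -- Secrets with credentials to pull images from a private registry
      # @default -- `[]` (defaults to global.imagePullSecrets)
      imagePullSecrets: []

      # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP
      # See configuration options at https://goauthentik.io/docs/installation/configuration/
      # @default -- `[]` (See [values.yaml])
      env:
        # Redis DB index is quoted so it stays a string for the container env.
        - name: AUTHENTIK_REDIS__DB
          value: "1"
        # - name: AUTHENTIK_VAR_NAME
        #   value: VALUE
        # - name: AUTHENTIK_VAR_OTHER
        #   valueFrom:
        #     secretKeyRef:
        #       name: secret-name
        #       key: secret-key
        # - name: AUTHENTIK_VAR_ANOTHER
        #   valueFrom:
        #     configMapKeyRef:
        #       name: config-map-name
        #       key: config-map-key

      # -- envFrom to pass to the authentik worker. Does not apply to GeoIP
      # @default -- `[]` (See [values.yaml])
      envFrom: []
        # - configMapRef:
        #     name: config-map-name
        # - secretRef:
        #     name: secret-name

      # -- Specify postStart and preStop lifecycle hooks for your authentik worker container
      lifecycle: {}

      # -- Additional containers to be added to the authentik worker pod
      ## Note: Supports use of custom Helm templates
      extraContainers: []
        # - name: my-sidecar
        #   image: nginx:latest

      # -- Init containers to add to the authentik worker pod
      ## Note: Supports use of custom Helm templates
      initContainers: []
        # - name: download-tools
        #   image: alpine:3
        #   command: [sh, -c]
        #   args:
        #     - echo init

      # -- Additional volumeMounts to the authentik worker main container
      volumeMounts: []
        # - name: custom
        #   mountPath: /custom

      # -- Additional volumes to the authentik worker pod
      volumes: []
        # - name: custom
        #   emptyDir: {}

      # -- Annotations to be added to the authentik worker Deployment
      deploymentAnnotations: {}
      # -- Annotations to be added to the authentik worker pods
      podAnnotations: {}
      # -- Labels to be added to the authentik worker pods
      podLabels: {}

      # -- Resource limits and requests for the authentik worker
      resources: {}
        # requests:
        #   cpu: 100m
        #   memory: 512Mi
        # limits:
        #   memory: 512Mi

      # -- Host Network for authentik worker pods
      hostNetwork: false
      # -- [DNS configuration]
      dnsConfig: {}
      # -- Alternative DNS policy for authentik worker pods
      dnsPolicy: ""

      # -- authentik worker pod-level security context
      # @default -- `{}` (See [values.yaml])
      securityContext: {}
        # runAsUser: 1000
        # runAsGroup: 1000
        # fsGroup: 1000

      # -- authentik worker container-level security context
      # @default -- See [values.yaml]
      # NOTE(review): left at the chart default; see the server section for
      # the same hardening options worth enabling once tested.
      containerSecurityContext: {}
        # Not all of the following has been tested. Use at your own risk.
        # runAsNonRoot: true
        # readOnlyRootFilesystem: true
        # allowPrivilegeEscalation: false
        # seccompProfile:
        #   type: RuntimeDefault
        # capabilities:
        #   drop:
        #     - ALL

      livenessProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 3
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 5
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        exec:
          command:
            - ak
            - healthcheck
      readinessProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 3
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 5
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        exec:
          command:
            - ak
            - healthcheck
      startupProbe:
        # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
        failureThreshold: 60
        # -- Number of seconds after the container has started before [probe] is initiated
        initialDelaySeconds: 30
        # -- How often (in seconds) to perform the [probe]
        periodSeconds: 10
        # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
        successThreshold: 1
        # -- Number of seconds after which the [probe] times out
        timeoutSeconds: 1
        ## Probe configuration
        exec:
          command:
            - ak
            - healthcheck

      # -- terminationGracePeriodSeconds for container lifecycle hook
      terminationGracePeriodSeconds: 30

      # -- Priority class for the authentik worker pods
      # @default -- `""` (defaults to global.priorityClassName)
      priorityClassName: ""
      # -- [Node selector]
      # @default -- `{}` (defaults to global.nodeSelector)
      nodeSelector: {}
      # -- [Tolerations] for use with node taints
      # @default -- `[]` (defaults to global.tolerations)
      tolerations: []
      # -- Assign custom [affinity] rules to the deployment
      # @default -- `{}` (defaults to the global.affinity preset)
      affinity: {}
      # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker
      # @default -- `[]` (defaults to global.topologySpreadConstraints)
      ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
      ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
      topologySpreadConstraints: []
        # - maxSkew: 1
        #   topologyKey: topology.kubernetes.io/zone
        #   whenUnsatisfiable: DoNotSchedule

      # -- Deployment strategy to be added to the authentik worker Deployment
      # @default -- `{}` (defaults to global.deploymentStrategy)
      deploymentStrategy: {}
        # type: RollingUpdate
        # rollingUpdate:
        #   maxSurge: 25%
        #   maxUnavailable: 25%

    serviceAccount:
      # -- Create service account. Needed for managed outposts
      create: true
      # -- additional service account annotations
      annotations: {}
      serviceAccountSecret:
        # As we use the authentik-remote-cluster chart as subchart, and that chart
        # creates a service account secret by default which we don't need here,
        # disable its creation
        enabled: false
      fullnameOverride: authentik

    geoip:
      # -- enable GeoIP sidecars for the authentik server and worker pods
      enabled: false
      editionIds: "GeoLite2-City GeoLite2-ASN"
      # -- GeoIP update frequency, in hours
      updateInterval: 8
      # -- sign up under https://www.maxmind.com/en/geolite2/signup
      accountId: ""
      # -- sign up under https://www.maxmind.com/en/geolite2/signup
      licenseKey: ""
      ## use existing secret instead of values above
      existingSecret:
        # -- name of an existing secret to use instead of values above
        secretName: ""
        # -- key in the secret containing the account ID
        accountId: "account_id"
        # -- key in the secret containing the license key
        licenseKey: "license_key"
      image:
        # -- If defined, a repository for GeoIP images
        repository: ghcr.io/maxmind/geoipupdate
        # -- If defined, a tag for GeoIP images
        tag: v6.0.0
        # -- If defined, an image digest for GeoIP images
        digest: ""
        # -- If defined, an imagePullPolicy for GeoIP images
        pullPolicy: IfNotPresent
      # -- Environment variables to pass to the GeoIP containers
      # @default -- `[]` (See [values.yaml])
      env: []
        # - name: GEOIPUPDATE_VAR_NAME
        #   value: VALUE
        # - name: GEOIPUPDATE_VAR_OTHER
        #   valueFrom:
        #     secretKeyRef:
        #       name: secret-name
        #       key: secret-key
        # - name: GEOIPUPDATE_VAR_ANOTHER
        #   valueFrom:
        #     configMapKeyRef:
        #       name: config-map-name
        #       key: config-map-key
      # -- envFrom to pass to the GeoIP containers
      # @default -- `[]` (See [values.yaml])
      envFrom: []
        # - configMapRef:
        #     name: config-map-name
        # - secretRef:
        #     name: secret-name
      # -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker.
      volumeMounts: []
        # - name: custom
        #   mountPath: /custom
      # -- Resource limits and requests for GeoIP containers
      resources: {}
        # requests:
        #   cpu: 100m
        #   memory: 128Mi
        # limits:
        #   memory: 128Mi
      # -- GeoIP container-level security context
      # @default -- See [values.yaml]
      containerSecurityContext: {}
        # Not all of the following has been tested. Use at your own risk.
        # runAsNonRoot: true
        # readOnlyRootFilesystem: true
        # allowPrivilegeEscalation: false
        # seccompProfile:
        #   type: RuntimeDefault
        # capabilities:
        #   drop:
        #     - ALL

    prometheus:
      rules:
        enabled: false
        # -- PrometheusRule namespace
        namespace: ""
        # -- PrometheusRule selector
        selector: {}
          # prometheus: kube-prometheus
        # -- PrometheusRule labels
        labels: {}
        # -- PrometheusRule annotations
        annotations: {}

    # Bundled database subchart; disabled here because authentik.postgresql.host
    # points at an external PostgreSQL service.
    postgresql:
      # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
      enabled: false
      auth:
        username: authentik
        database: authentik
        # password: ""
      primary:
        extendedConfiguration: |
          max_connections = 500
        # persistence:
        #   enabled: true
        #   storageClass:
        #   accessModes:
        #     - ReadWriteOnce

    # Bundled Redis subchart; disabled here because authentik.redis.host points
    # at an external Redis service.
    redis:
      # -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values.
      enabled: false
      architecture: standalone
      auth:
        enabled: false

    # -- additional resources to deploy. Those objects are templated.
    additionalObjects: []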