Tyler Perkins
8938f0e6ac
All checks were successful
continuous-integration/drone/push Build is passing
1029 lines
37 KiB
YAML
1029 lines
37 KiB
YAML
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: authentik
|
|
namespace: authentik-ns
|
|
annotations:
|
|
force-recreate: true
|
|
spec:
|
|
chart:
|
|
spec:
|
|
chart: authentik
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: authentik
|
|
namespace: flux-system
|
|
interval: 15m0s
|
|
timeout: 5m
|
|
releaseName: authentik
|
|
values:
|
|
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
|
|
nameOverride: ""
|
|
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
|
|
fullnameOverride: ""
|
|
# -- Override the Kubernetes version, which is used to evaluate certain manifests
|
|
kubeVersionOverride: ""
|
|
|
|
|
|
## Globally shared configuration for authentik components.
|
|
global:
|
|
# -- Provide a name in place of `authentik`
|
|
nameOverride: ""
|
|
# -- String to fully override `"authentik.fullname"`
|
|
fullnameOverride: ""
|
|
# -- Common labels for all resources.
|
|
additionalLabels: {}
|
|
# app: authentik
|
|
|
|
# Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
|
|
revisionHistoryLimit: 3
|
|
|
|
# Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
|
|
image:
|
|
# -- If defined, a repository applied to all authentik deployments
|
|
repository: ghcr.io/goauthentik/server
|
|
# -- Overrides the global authentik whose default is the chart appVersion
|
|
tag: ""
|
|
# -- If defined, an image digest applied to all authentik deployments
|
|
digest: ""
|
|
# -- If defined, an imagePullPolicy applied to all authentik deployments
|
|
pullPolicy: IfNotPresent
|
|
|
|
# -- Secrets with credentials to pull images from a private registry
|
|
imagePullSecrets: []
|
|
|
|
# -- Annotations for all deployed Deployments
|
|
deploymentAnnotations: {}
|
|
|
|
# -- Annotations for all deployed pods
|
|
podAnnotations: {}
|
|
|
|
# -- Labels for all deployed pods
|
|
podLabels: {}
|
|
|
|
# -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
|
|
addPrometheusAnnotations: false
|
|
|
|
# -- Toggle and define pod-level security context.
|
|
# @default -- `{}` (See [values.yaml])
|
|
securityContext: {}
|
|
# runAsUser: 1000
|
|
# runAsGroup: 1000
|
|
# fsGroup: 1000
|
|
|
|
# -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
|
|
hostAliases: []
|
|
# - ip: 10.20.30.40
|
|
# hostnames:
|
|
# - my.hostname
|
|
|
|
# -- Default priority class for all components
|
|
priorityClassName: ""
|
|
|
|
# -- Default node selector for all components
|
|
nodeSelector: {}
|
|
|
|
# -- Default tolerations for all components
|
|
tolerations: []
|
|
|
|
# Default affinity preset for all components
|
|
affinity:
|
|
# -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard`
|
|
podAntiAffinity: soft
|
|
# Node affinity rules
|
|
nodeAffinity:
|
|
# -- Default node affinity rules. Either `none`, `soft` or `hard`
|
|
type: hard
|
|
# -- Default match expressions for node affinity
|
|
matchExpressions: []
|
|
# - key: topology.kubernetes.io/zone
|
|
# operator: In
|
|
# values:
|
|
# - zonea
|
|
# - zoneb
|
|
|
|
# -- Default [TopologySpreadConstraints] rules for all components
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
|
topologySpreadConstraints: []
|
|
# - maxSkew: 1
|
|
# topologyKey: topology.kubernetes.io/zone
|
|
# whenUnsatisfiable: DoNotSchedule
|
|
|
|
# -- Deployment strategy for all deployed Deployments
|
|
deploymentStrategy: {}
|
|
# type: RollingUpdate
|
|
# rollingUpdate:
|
|
# maxSurge: 25%
|
|
# maxUnavailable: 25%
|
|
|
|
# -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
|
|
# See configuration options at https://goauthentik.io/docs/installation/configuration/
|
|
# @default -- `[]` (See [values.yaml])
|
|
env:
|
|
- name: AUTHENTIK_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-secret
|
|
key: secret-key
|
|
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-secret
|
|
key: postgres-password
|
|
- name: AUTHENTIK_REDIS__PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-secret
|
|
key: redis-password
|
|
# - name: AUTHENTIK_VAR_NAME
|
|
# value: VALUE
|
|
# - name: AUTHENTIK_VAR_OTHER
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: secret-name
|
|
# key: secret-key
|
|
# - name: AUTHENTIK_VAR_ANOTHER
|
|
# valueFrom:
|
|
# configMapKeyRef:
|
|
# name: config-map-name
|
|
# key: config-map-key
|
|
|
|
# -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP
|
|
# @default -- `[]` (See [values.yaml])
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: config-map-name
|
|
# - secretRef:
|
|
# name: secret-name
|
|
|
|
# -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
|
|
# @default -- `[]` (See [values.yaml])
|
|
volumeMounts: []
|
|
# - name: custom
|
|
# mountPath: /custom
|
|
|
|
# -- Additional volumes to all deployed Deployments.
|
|
# @default -- `[]` (See [values.yaml])
|
|
volumes: []
|
|
# - name: custom
|
|
# emptyDir: {}
|
|
|
|
|
|
## Authentik configuration
|
|
authentik:
|
|
# -- Log level for server and worker
|
|
log_level: info
|
|
# -- Secret key used for cookie singing and unique user IDs,
|
|
# don't change this after the first install
|
|
secret_key: ""
|
|
events:
|
|
context_processors:
|
|
# -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
|
|
geoip: /geoip/GeoLite2-City.mmdb
|
|
# -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
|
|
asn: /geoip/GeoLite2-ASN.mmdb
|
|
email:
|
|
# -- SMTP Server emails are sent from, fully optional
|
|
host: ""
|
|
# -- SMTP server port
|
|
port: 587
|
|
# -- SMTP credentials, when left empty, no authentication will be done
|
|
username: ""
|
|
# -- SMTP credentials, when left empty, no authentication will be done
|
|
password: ""
|
|
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
|
|
use_tls: false
|
|
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
|
|
use_ssl: false
|
|
# -- Connection timeout
|
|
timeout: 30
|
|
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
|
|
from: ""
|
|
outposts:
|
|
# -- Template used for managed outposts. The following placeholders can be used
|
|
# %(type)s - the type of the outpost
|
|
# %(version)s - version of your authentik install
|
|
# %(build_hash)s - only for beta versions, the build hash of the image
|
|
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
|
|
error_reporting:
|
|
# -- This sends anonymous usage-data, stack traces on errors and
|
|
# performance data to sentry.beryju.org, and is fully opt-in
|
|
enabled: false
|
|
# -- This is a string that is sent to sentry with your error reports
|
|
environment: "k8s"
|
|
# -- Send PII (Personally identifiable information) data to sentry
|
|
send_pii: false
|
|
postgresql:
|
|
# -- set the postgresql hostname to talk to
|
|
# if unset and .Values.postgresql.enabled == true, will generate the default
|
|
# @default -- `{{ .Release.Name }}-postgresql`
|
|
host: "postgresql.postgresql-system.svc.cluster.local"
|
|
# -- postgresql Database name
|
|
# @default -- `authentik`
|
|
name: "authentik"
|
|
# -- postgresql Username
|
|
# @default -- `authentik`
|
|
user: "authentik"
|
|
#password: ""
|
|
port: 5432
|
|
redis:
|
|
# -- set the redis hostname to talk to
|
|
# @default -- `{{ .Release.Name }}-redis-master`
|
|
host: "redis-master.redis-system.svc.cluster.local"
|
|
#host: "{{ .Release.Name }}-redis-master"
|
|
#password: ""
|
|
|
|
|
|
blueprints:
|
|
# -- List of config maps to mount blueprints from.
|
|
# Only keys in the configMap ending with `.yaml` will be discovered and applied.
|
|
configMaps: []
|
|
# -- List of secrets to mount blueprints from.
|
|
# Only keys in the secret ending with `.yaml` will be discovered and applied.
|
|
secrets: []
|
|
|
|
|
|
## authentik server
|
|
server:
|
|
# -- authentik server name
|
|
name: server
|
|
|
|
# -- The number of server pods to run
|
|
replicas: 1
|
|
|
|
## authentik server Horizontal Pod Autoscaler
|
|
autoscaling:
|
|
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server
|
|
enabled: false
|
|
# -- Minimum number of replicas for the authentik server [HPA]
|
|
minReplicas: 1
|
|
# -- Maximum number of replicas for the authentik server [HPA]
|
|
maxReplicas: 5
|
|
# -- Average CPU utilization percentage for the authentik server [HPA]
|
|
targetCPUUtilizationPercentage: 50
|
|
# -- Average memory utilization percentage for the authentik server [HPA]
|
|
targetMemoryUtilizationPercentage: ~
|
|
# -- Configures the scaling behavior of the target in both Up and Down directions.
|
|
behavior: {}
|
|
# scaleDown:
|
|
# stabilizationWindowSeconds: 300
|
|
# policies:
|
|
# - type: Pods
|
|
# value: 1
|
|
# periodSeconds: 180
|
|
# scaleUp:
|
|
# stabilizationWindowSeconds: 300
|
|
# policies:
|
|
# - type: Pods
|
|
# value: 2
|
|
# periodSeconds: 60
|
|
# -- Configures custom HPA metrics for the authentik server
|
|
# Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
|
|
metrics: []
|
|
|
|
## authentik server Pod Disruption Budget
|
|
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
|
|
pdb:
|
|
# -- Deploy a [PodDistrubtionBudget] for the authentik server
|
|
enabled: false
|
|
# -- Labels to be added to the authentik server pdb
|
|
labels: {}
|
|
# -- Annotations to be added to the authentik server pdb
|
|
annotations: {}
|
|
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
|
|
# @default -- `""` (defaults to 0 if not specified)
|
|
minAvailable: ""
|
|
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
|
|
## Has higher precedence over `server.pdb.minAvailable`
|
|
maxUnavailable: ""
|
|
|
|
## authentik server image
|
|
## This should match what is deployed in the worker. Prefer using global.image
|
|
image:
|
|
# -- Repository to use to the authentik server
|
|
# @default -- `""` (defaults to global.image.repository)
|
|
repository: "" # defaults to global.image.repository
|
|
# -- Tag to use to the authentik server
|
|
# @default -- `""` (defaults to global.image.tag)
|
|
tag: "" # defaults to global.image.tag
|
|
# -- Digest to use to the authentik server
|
|
# @default -- `""` (defaults to global.image.digest)
|
|
digest: "" # defaults to global.image.digest
|
|
# -- Image pull policy to use to the authentik server
|
|
# @default -- `""` (defaults to global.image.pullPolicy)
|
|
pullPolicy: "" # defaults to global.image.pullPolicy
|
|
|
|
# -- Secrets with credentials to pull images from a private registry
|
|
# @default -- `[]` (defaults to global.imagePullSecrets)
|
|
imagePullSecrets: []
|
|
|
|
# -- Environment variables to pass to the authentik server. Does not apply to GeoIP
|
|
# See configuration options at https://goauthentik.io/docs/installation/configuration/
|
|
# @default -- `[]` (See [values.yaml])
|
|
env: []
|
|
# - name: AUTHENTIK_VAR_NAME
|
|
# value: VALUE
|
|
# - name: AUTHENTIK_VAR_OTHER
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: secret-name
|
|
# key: secret-key
|
|
# - name: AUTHENTIK_VAR_ANOTHER
|
|
# valueFrom:
|
|
# configMapKeyRef:
|
|
# name: config-map-name
|
|
# key: config-map-key
|
|
|
|
# -- envFrom to pass to the authentik server. Does not apply to GeoIP
|
|
# @default -- `[]` (See [values.yaml])
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: config-map-name
|
|
# - secretRef:
|
|
# name: secret-name
|
|
|
|
# -- Specify postStart and preStop lifecycle hooks for you authentik server container
|
|
lifecycle: {}
|
|
|
|
# -- Additional containers to be added to the authentik server pod
|
|
## Note: Supports use of custom Helm templates
|
|
extraContainers: []
|
|
# - name: my-sidecar
|
|
# image: nginx:latest
|
|
|
|
# -- Init containers to add to the authentik server pod
|
|
## Note: Supports use of custom Helm templates
|
|
initContainers: []
|
|
# - name: download-tools
|
|
# image: alpine:3
|
|
# command: [sh, -c]
|
|
# args:
|
|
# - echo init
|
|
|
|
# -- Additional volumeMounts to the authentik server main container
|
|
volumeMounts: []
|
|
# - name: custom
|
|
# mountPath: /custom
|
|
|
|
# -- Additional volumes to the authentik server pod
|
|
volumes: []
|
|
# - name: custom
|
|
# emptyDir: {}
|
|
|
|
# -- Annotations to be added to the authentik server Deployment
|
|
deploymentAnnotations: {}
|
|
|
|
# -- Annotations to be added to the authentik server pods
|
|
podAnnotations: {}
|
|
|
|
# -- Labels to be added to the authentik server pods
|
|
podLabels: {}
|
|
|
|
# -- Resource limits and requests for the authentik server
|
|
resources: {}
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 512Mi
|
|
# limits:
|
|
# memory: 512Mi
|
|
|
|
# authentik server container ports
|
|
containerPorts:
|
|
# -- http container port
|
|
http: 9000
|
|
# -- https container port
|
|
https: 9443
|
|
# -- metrics container port
|
|
metrics: 9300
|
|
|
|
# -- Host Network for authentik server pods
|
|
hostNetwork: false
|
|
|
|
# -- [DNS configuration]
|
|
dnsConfig: {}
|
|
# -- Alternative DNS policy for authentik server pods
|
|
dnsPolicy: ""
|
|
|
|
# -- authentik server pod-level security context
|
|
# @default -- `{}` (See [values.yaml])
|
|
securityContext: {}
|
|
# runAsUser: 1000
|
|
# runAsGroup: 1000
|
|
# fsGroup: 1000
|
|
|
|
# -- authentik server container-level security context
|
|
# @default -- See [values.yaml]
|
|
containerSecurityContext: {}
|
|
# Not all of the following has been tested. Use at your own risk.
|
|
# runAsNonRoot: true
|
|
# readOnlyRootFilesystem: true
|
|
# allowPrivilegeEscalation: false
|
|
# seccomProfile:
|
|
# type: RuntimeDefault
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
|
|
## Liveness, readiness and startup probes for authentik server
|
|
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
livenessProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 3
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 5
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
httpGet:
|
|
path: /-/health/live/
|
|
port: http
|
|
|
|
readinessProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 3
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 5
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
httpGet:
|
|
path: /-/health/ready/
|
|
port: http
|
|
|
|
startupProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 60
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 5
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
httpGet:
|
|
path: /-/health/live/
|
|
port: http
|
|
|
|
# -- terminationGracePeriodSeconds for container lifecycle hook
|
|
terminationGracePeriodSeconds: 30
|
|
|
|
# -- Prority class for the authentik server pods
|
|
# @default -- `""` (defaults to global.priorityClassName)
|
|
priorityClassName: ""
|
|
|
|
# -- [Node selector]
|
|
# @default -- `{}` (defaults to global.nodeSelector)
|
|
nodeSelector: {}
|
|
|
|
# -- [Tolerations] for use with node taints
|
|
# @default -- `[]` (defaults to global.tolerations)
|
|
tolerations: []
|
|
|
|
# -- Assign custom [affinity] rules to the deployment
|
|
# @default -- `{}` (defaults to the global.affinity preset)
|
|
affinity: {}
|
|
|
|
# -- Assign custom [TopologySpreadConstraints] rules to the authentik server
|
|
# @default -- `[]` (defaults to global.topologySpreadConstraints)
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
|
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
|
|
topologySpreadConstraints: []
|
|
# - maxSkew: 1
|
|
# topologyKey: topology.kubernetes.io/zone
|
|
# whenUnsatisfiable: DoNotSchedule
|
|
|
|
# -- Deployment strategy to be added to the authentik server Deployment
|
|
# @default -- `{}` (defaults to global.deploymentStrategy)
|
|
deploymentStrategy: {}
|
|
# type: RollingUpdate
|
|
# rollingUpdate:
|
|
# maxSurge: 25%
|
|
# maxUnavailable: 25%
|
|
|
|
## authentik server service configuration
|
|
service:
|
|
# -- authentik server service annotations
|
|
annotations: {}
|
|
# -- authentik server service labels
|
|
labels: {}
|
|
# -- authentik server service type
|
|
type: LoadBalancer
|
|
# -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`)
|
|
nodePortHttp: 30080
|
|
# -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`)
|
|
nodePortHttps: 30443
|
|
# -- authentik server service http port
|
|
servicePortHttp: 80
|
|
# -- authentik server service https port
|
|
servicePortHttps: 443
|
|
# -- authentik server service http port name
|
|
servicePortHttpName: http
|
|
# -- authentik server service https port name
|
|
servicePortHttpsName: https
|
|
# -- authentik server service http port appProtocol
|
|
# servicePortHttpAppProtocol: HTTP
|
|
# -- authentik server service https port appProtocol
|
|
# servicePortHttpsAppProtocol: HTTPS
|
|
# -- LoadBalancer will get created with the IP specified in this field
|
|
loadBalancerIP: ""
|
|
# -- Source IP ranges to allow access to service from
|
|
loadBalancerSourceRanges: []
|
|
# -- authentik server service external IPs
|
|
externalIPs: []
|
|
# -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints
|
|
externalTrafficPolicy: ""
|
|
# -- Used to maintain session affinity. Supports `ClientIP` and `None`
|
|
sessionAffinity: ""
|
|
# -- Session affinity configuration
|
|
sessionAffinityConfig: {}
|
|
|
|
## authentik server metrics service configuration
|
|
metrics:
|
|
# -- deploy metrics service
|
|
enabled: true
|
|
service:
|
|
# -- metrics service type
|
|
type: ClusterIP
|
|
# -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
|
|
clusterIP: ""
|
|
# -- metrics service annotations
|
|
annotations: {}
|
|
# -- metrics service labels
|
|
labels: {}
|
|
# -- metrics service port
|
|
servicePort: 9300
|
|
# -- metrics service port name
|
|
portName: metrics
|
|
serviceMonitor:
|
|
# -- enable a prometheus ServiceMonitor
|
|
enabled: false
|
|
# -- Prometheus ServiceMonitor interval
|
|
interval: 30s
|
|
# -- Prometheus ServiceMonitor scrape timeout
|
|
scrapeTimeout: 3s
|
|
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
|
|
relabelings: []
|
|
# -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
|
|
metricRelabelings: []
|
|
# -- Prometheus ServiceMonitor selector
|
|
selector: {}
|
|
# prometheus: kube-prometheus
|
|
|
|
# -- Prometheus ServiceMonitor scheme
|
|
scheme: ""
|
|
# -- Prometheus ServiceMonitor tlsConfig
|
|
tlsConfig: {}
|
|
# -- Prometheus ServiceMonitor namespace
|
|
namespace: ""
|
|
# -- Prometheus ServiceMonitor labels
|
|
labels: {}
|
|
# -- Prometheus ServiceMonitor annotations
|
|
annotations: {}
|
|
|
|
ingress:
|
|
# -- enable an ingress resource for the authentik server
|
|
enabled: false
|
|
# -- additional ingress annotations
|
|
annotations: {}
|
|
# -- additional ingress labels
|
|
labels: {}
|
|
# -- defines which ingress controller will implement the resource
|
|
ingressClassName: ""
|
|
# -- List of ingress hosts
|
|
hosts: []
|
|
# - authentik.domain.tld
|
|
|
|
# -- List of ingress paths
|
|
paths:
|
|
- /
|
|
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
|
|
pathType: Prefix
|
|
# -- additional ingress paths
|
|
extraPaths: []
|
|
# - path: /*
|
|
# pathType: Prefix
|
|
# backend:
|
|
# service:
|
|
# name: ssl-redirect
|
|
# port:
|
|
# name: use-annotation
|
|
|
|
# -- ingress TLS configuration
|
|
tls: []
|
|
# - secretName: authentik-tls
|
|
# hosts:
|
|
# - authentik.domain.tld
|
|
|
|
# -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
|
|
https: false
|
|
|
|
|
|
## authentik worker
|
|
worker:
|
|
# -- authentik worker name
|
|
name: worker
|
|
|
|
# -- The number of worker pods to run
|
|
replicas: 1
|
|
|
|
## authentik worker Horizontal Pod Autoscaler
|
|
autoscaling:
|
|
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker
|
|
enabled: true
|
|
# -- Minimum number of replicas for the authentik worker [HPA]
|
|
minReplicas: 1
|
|
# -- Maximum number of replicas for the authentik worker [HPA]
|
|
maxReplicas: 5
|
|
# -- Average CPU utilization percentage for the authentik worker [HPA]
|
|
targetCPUUtilizationPercentage: 50
|
|
# -- Average memory utilization percentage for the authentik worker [HPA]
|
|
targetMemoryUtilizationPercentage: ~
|
|
# -- Configures the scaling behavior of the target in both Up and Down directions.
|
|
behavior: {}
|
|
# scaleDown:
|
|
# stabilizationWindowSeconds: 300
|
|
# policies:
|
|
# - type: Pods
|
|
# value: 1
|
|
# periodSeconds: 180
|
|
# scaleUp:
|
|
# stabilizationWindowSeconds: 300
|
|
# policies:
|
|
# - type: Pods
|
|
# value: 2
|
|
# periodSeconds: 60
|
|
# -- Configures custom HPA metrics for the authentik worker
|
|
# Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
|
|
metrics: []
|
|
|
|
## authentik worker Pod Disruption Budget
|
|
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
|
|
pdb:
|
|
# -- Deploy a [PodDistrubtionBudget] for the authentik worker
|
|
enabled: false
|
|
# -- Labels to be added to the authentik worker pdb
|
|
labels: {}
|
|
# -- Annotations to be added to the authentik worker pdb
|
|
annotations: {}
|
|
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
|
|
# @default -- `""` (defaults to 0 if not specified)
|
|
minAvailable: ""
|
|
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
|
|
## Has higher precedence over `worker.pdb.minAvailable`
|
|
maxUnavailable: ""
|
|
|
|
## authentik worker image
|
|
## This should match what is deployed in the server. Prefer using global.image
|
|
image:
|
|
# -- Repository to use to the authentik worker
|
|
# @default -- `""` (defaults to global.image.repository)
|
|
repository: "" # defaults to global.image.repository
|
|
# -- Tag to use to the authentik worker
|
|
# @default -- `""` (defaults to global.image.tag)
|
|
tag: "" # defaults to global.image.tag
|
|
# -- Digest to use to the authentik worker
|
|
# @default -- `""` (defaults to global.image.digest)
|
|
digest: "" # defaults to global.image.digest
|
|
# -- Image pull policy to use to the authentik worker
|
|
# @default -- `""` (defaults to global.image.pullPolicy)
|
|
pullPolicy: "" # defaults to global.image.pullPolicy
|
|
|
|
# -- Secrets with credentials to pull images from a private registry
|
|
# @default -- `[]` (defaults to global.imagePullSecrets)
|
|
imagePullSecrets: []
|
|
|
|
# -- Environment variables to pass to the authentik worker. Does not apply to GeoIP
|
|
# See configuration options at https://goauthentik.io/docs/installation/configuration/
|
|
# @default -- `[]` (See [values.yaml])
|
|
env:
|
|
- name: AUTHENTIK_REDIS__DB
|
|
value: "1"
|
|
# - name: AUTHENTIK_VAR_NAME
|
|
# value: VALUE
|
|
# - name: AUTHENTIK_VAR_OTHER
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: secret-name
|
|
# key: secret-key
|
|
# - name: AUTHENTIK_VAR_ANOTHER
|
|
# valueFrom:
|
|
# configMapKeyRef:
|
|
# name: config-map-name
|
|
# key: config-map-key
|
|
|
|
# -- envFrom to pass to the authentik worker. Does not apply to GeoIP
|
|
# @default -- `[]` (See [values.yaml])
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: config-map-name
|
|
# - secretRef:
|
|
# name: secret-name
|
|
|
|
# -- Specify postStart and preStop lifecycle hooks for you authentik worker container
|
|
lifecycle: {}
|
|
|
|
# -- Additional containers to be added to the authentik worker pod
|
|
## Note: Supports use of custom Helm templates
|
|
extraContainers: []
|
|
# - name: my-sidecar
|
|
# image: nginx:latest
|
|
|
|
# -- Init containers to add to the authentik worker pod
|
|
## Note: Supports use of custom Helm templates
|
|
initContainers: []
|
|
# - name: download-tools
|
|
# image: alpine:3
|
|
# command: [sh, -c]
|
|
# args:
|
|
# - echo init
|
|
|
|
# -- Additional volumeMounts to the authentik worker main container
|
|
volumeMounts: []
|
|
# - name: custom
|
|
# mountPath: /custom
|
|
|
|
# -- Additional volumes to the authentik worker pod
|
|
volumes: []
|
|
# - name: custom
|
|
# emptyDir: {}
|
|
|
|
# -- Annotations to be added to the authentik worker Deployment
|
|
deploymentAnnotations: {}
|
|
|
|
# -- Annotations to be added to the authentik worker pods
|
|
podAnnotations: {}
|
|
|
|
# -- Labels to be added to the authentik worker pods
|
|
podLabels: {}
|
|
|
|
# -- Resource limits and requests for the authentik worker
|
|
resources: {}
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 512Mi
|
|
# limits:
|
|
# memory: 512Mi
|
|
|
|
# -- Host Network for authentik worker pods
|
|
hostNetwork: false
|
|
|
|
# -- [DNS configuration]
|
|
dnsConfig: {}
|
|
# -- Alternative DNS policy for authentik worker pods
|
|
dnsPolicy: ""
|
|
|
|
# -- authentik worker pod-level security context
|
|
# @default -- `{}` (See [values.yaml])
|
|
securityContext: {}
|
|
# runAsUser: 1000
|
|
# runAsGroup: 1000
|
|
# fsGroup: 1000
|
|
|
|
# -- authentik worker container-level security context
|
|
# @default -- See [values.yaml]
|
|
containerSecurityContext: {}
|
|
# Not all of the following has been tested. Use at your own risk.
|
|
# runAsNonRoot: true
|
|
# readOnlyRootFilesystem: true
|
|
# allowPrivilegeEscalation: false
|
|
# seccomProfile:
|
|
# type: RuntimeDefault
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
|
|
livenessProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 3
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 5
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
exec:
|
|
command:
|
|
- ak
|
|
- healthcheck
|
|
|
|
readinessProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 3
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 5
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
exec:
|
|
command:
|
|
- ak
|
|
- healthcheck
|
|
|
|
startupProbe:
|
|
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
|
|
failureThreshold: 60
|
|
# -- Number of seconds after the container has started before [probe] is initiated
|
|
initialDelaySeconds: 30
|
|
# -- How often (in seconds) to perform the [probe]
|
|
periodSeconds: 10
|
|
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
|
|
successThreshold: 1
|
|
# -- Number of seconds after which the [probe] times out
|
|
timeoutSeconds: 1
|
|
## Probe configuration
|
|
exec:
|
|
command:
|
|
- ak
|
|
- healthcheck
|
|
|
|
# -- terminationGracePeriodSeconds for container lifecycle hook
|
|
terminationGracePeriodSeconds: 30
|
|
|
|
# -- Prority class for the authentik worker pods
|
|
# @default -- `""` (defaults to global.priorityClassName)
|
|
priorityClassName: ""
|
|
|
|
# -- [Node selector]
|
|
# @default -- `{}` (defaults to global.nodeSelector)
|
|
nodeSelector: {}
|
|
|
|
# -- [Tolerations] for use with node taints
|
|
# @default -- `[]` (defaults to global.tolerations)
|
|
tolerations: []
|
|
|
|
# -- Assign custom [affinity] rules to the deployment
|
|
# @default -- `{}` (defaults to the global.affinity preset)
|
|
affinity: {}
|
|
|
|
# -- Assign custom [TopologySpreadConstraints] rules to the authentik worker
|
|
# @default -- `[]` (defaults to global.topologySpreadConstraints)
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
|
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
|
|
topologySpreadConstraints: []
|
|
# - maxSkew: 1
|
|
# topologyKey: topology.kubernetes.io/zone
|
|
# whenUnsatisfiable: DoNotSchedule
|
|
|
|
# -- Deployment strategy to be added to the authentik worker Deployment
|
|
# @default -- `{}` (defaults to global.deploymentStrategy)
|
|
deploymentStrategy: {}
|
|
# type: RollingUpdate
|
|
# rollingUpdate:
|
|
# maxSurge: 25%
|
|
# maxUnavailable: 25%
|
|
|
|
|
|
serviceAccount:
|
|
# -- Create service account. Needed for managed outposts
|
|
create: true
|
|
# -- additional service account annotations
|
|
annotations: {}
|
|
serviceAccountSecret:
|
|
# As we use the authentik-remote-cluster chart as subchart, and that chart
|
|
# creates a service account secret by default which we don't need here,
|
|
# disable its creation
|
|
enabled: false
|
|
fullnameOverride: authentik
|
|
|
|
|
|
geoip:
|
|
# -- enable GeoIP sidecars for the authentik server and worker pods
|
|
enabled: false
|
|
|
|
editionIds: "GeoLite2-City GeoLite2-ASN"
|
|
# -- GeoIP update frequency, in hours
|
|
updateInterval: 8
|
|
# -- sign up under https://www.maxmind.com/en/geolite2/signup
|
|
accountId: ""
|
|
# -- sign up under https://www.maxmind.com/en/geolite2/signup
|
|
licenseKey: ""
|
|
## use existing secret instead of values above
|
|
existingSecret:
|
|
# -- name of an existing secret to use instead of values above
|
|
secretName: ""
|
|
# -- key in the secret containing the account ID
|
|
accountId: "account_id"
|
|
# -- key in the secret containing the license key
|
|
licenseKey: "license_key"
|
|
|
|
image:
|
|
# -- If defined, a repository for GeoIP images
|
|
repository: ghcr.io/maxmind/geoipupdate
|
|
# -- If defined, a tag for GeoIP images
|
|
tag: v6.0.0
|
|
# -- If defined, an image digest for GeoIP images
|
|
digest: ""
|
|
# -- If defined, an imagePullPolicy for GeoIP images
|
|
pullPolicy: IfNotPresent
|
|
|
|
# -- Environment variables to pass to the GeoIP containers
|
|
# @default -- `[]` (See [values.yaml])
|
|
env: []
|
|
# - name: GEOIPUPDATE_VAR_NAME
|
|
# value: VALUE
|
|
# - name: GEOIPUPDATE_VAR_OTHER
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: secret-name
|
|
# key: secret-key
|
|
# - name: GEOIPUPDATE_VAR_ANOTHER
|
|
# valueFrom:
|
|
# configMapKeyRef:
|
|
# name: config-map-name
|
|
# key: config-map-key
|
|
|
|
# -- envFrom to pass to the GeoIP containers
|
|
# @default -- `[]` (See [values.yaml])
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: config-map-name
|
|
# - secretRef:
|
|
# name: secret-name
|
|
|
|
# -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker.
|
|
volumeMounts: []
|
|
# - name: custom
|
|
# mountPath: /custom
|
|
|
|
# -- Resource limits and requests for GeoIP containers
|
|
resources: {}
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# limits:
|
|
# memory: 128Mi
|
|
|
|
# -- GeoIP container-level security context
|
|
# @default -- See [values.yaml]
|
|
containerSecurityContext: {}
|
|
# Not all of the following has been tested. Use at your own risk.
|
|
# runAsNonRoot: true
|
|
# readOnlyRootFilesystem: true
|
|
# allowPrivilegeEscalation: false
|
|
# seccomProfile:
|
|
# type: RuntimeDefault
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
|
|
|
|
prometheus:
|
|
rules:
|
|
enabled: false
|
|
# -- PrometheusRule namespace
|
|
namespace: ""
|
|
# -- PrometheusRule selector
|
|
selector: {}
|
|
# prometheus: kube-prometheus
|
|
|
|
# -- PrometheusRule labels
|
|
labels: {}
|
|
# -- PrometheusRule annotations
|
|
annotations: {}
|
|
|
|
|
|
postgresql:
|
|
# -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
|
|
enabled: false
|
|
auth:
|
|
username: authentik
|
|
database: authentik
|
|
# password: ""
|
|
primary:
|
|
extendedConfiguration: |
|
|
max_connections = 500
|
|
# persistence:
|
|
# enabled: true
|
|
# storageClass:
|
|
# accessModes:
|
|
# - ReadWriteOnce
|
|
|
|
|
|
redis:
|
|
# -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values.
|
|
enabled: false
|
|
architecture: standalone
|
|
auth:
|
|
enabled: false
|
|
|
|
|
|
# -- additional resources to deploy. Those objects are templated.
|
|
additionalObjects: []
|