mirror of
https://github.com/nold360/hive-apps
synced 2024-12-23 06:01:18 +00:00
add(authentik)
This commit is contained in:
parent
0cd2a224f7
commit
351d66311b
3 changed files with 227 additions and 0 deletions
43
projects/authentik/manifests/postgre.yaml
Normal file
43
projects/authentik/manifests/postgre.yaml
Normal file
|
@ -0,0 +1,43 @@
|
|||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Cluster
|
||||
metadata:
|
||||
name: authentik-db
|
||||
namespace: authentik
|
||||
spec:
|
||||
instances: 1
|
||||
imageName: ghcr.io/cloudnative-pg/postgresql:15
|
||||
|
||||
bootstrap:
|
||||
initdb:
|
||||
database: app
|
||||
owner: app
|
||||
|
||||
backup:
|
||||
barmanObjectStore:
|
||||
destinationPath: "s3://authentik-db/"
|
||||
endpointURL: "http://minio.minio.svc.cluster.local:9000"
|
||||
s3Credentials:
|
||||
accessKeyId:
|
||||
name: bucket
|
||||
key: accesskey
|
||||
secretAccessKey:
|
||||
name: bucket
|
||||
key: secretkey
|
||||
wal:
|
||||
compression: gzip
|
||||
#encryption: AES256
|
||||
data:
|
||||
compression: gzip
|
||||
#encryption: AES256
|
||||
retentionPolicy: "90d"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "50m"
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "1"
|
||||
|
||||
storage:
|
||||
size: 10Gi
|
16
projects/authentik/project.yml
Normal file
16
projects/authentik/project.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
config:
|
||||
description: Authentik OIDC
|
||||
|
||||
apps:
|
||||
- name: authentik
|
||||
repoURL: https://charts.goauthentik.io/
|
||||
chart: authentik
|
||||
targetRevision: 2022.11.3
|
||||
secrets:
|
||||
- name: authentik
|
||||
keys:
|
||||
- secret_key
|
||||
- name: bucket
|
||||
keys:
|
||||
- secretkey
|
||||
- accesskey
|
168
projects/authentik/values/authentik.yaml
Normal file
168
projects/authentik/values/authentik.yaml
Normal file
|
@ -0,0 +1,168 @@
|
|||
# -- Server replicas
|
||||
replicas: 1
|
||||
|
||||
# -- server securityContext
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
|
||||
worker:
|
||||
# -- worker replicas
|
||||
replicas: 1
|
||||
# -- Custom priority class for different treatment by the scheduler
|
||||
priorityClassName:
|
||||
# -- worker securityContext
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
|
||||
|
||||
image:
|
||||
repository: ghcr.io/goauthentik/server
|
||||
tag: 2022.11.3
|
||||
|
||||
# -- See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values
|
||||
initContainers: {}
|
||||
|
||||
# -- See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values
|
||||
additionalContainers: {}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "ingress-internal-traefik"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "vault-issuer"
|
||||
traefik.ingress.kubernetes.io/router.tls: 'true'
|
||||
labels: {}
|
||||
hosts:
|
||||
- host: auth.dc
|
||||
paths:
|
||||
- path: "/"
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: auth.dc-tls
|
||||
hosts:
|
||||
- auth.dc
|
||||
|
||||
authentik:
|
||||
# -- Log level for server and worker
|
||||
log_level: info
|
||||
# -- Secret key used for cookie singing and unique user IDs,
|
||||
# don't change this after the first install
|
||||
#secret_key: ""
|
||||
# -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
|
||||
geoip: /geoip/GeoLite2-City.mmdb
|
||||
# -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none'
|
||||
avatars: none
|
||||
email:
|
||||
# -- SMTP Server emails are sent from, fully optional
|
||||
host: ""
|
||||
port: 587
|
||||
# -- SMTP credentials, when left empty, not authentication will be done
|
||||
username: ""
|
||||
# -- SMTP credentials, when left empty, not authentication will be done
|
||||
password: ""
|
||||
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
|
||||
use_tls: false
|
||||
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
|
||||
use_ssl: false
|
||||
# -- Connection timeout
|
||||
timeout: 30
|
||||
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
|
||||
from: ""
|
||||
outposts:
|
||||
# -- Template used for managed outposts. The following placeholders can be used
|
||||
# %(type)s - the type of the outpost
|
||||
# %(version)s - version of your authentik install
|
||||
# %(build_hash)s - only for beta versions, the build hash of the image
|
||||
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
|
||||
error_reporting:
|
||||
# -- This sends anonymous usage-data, stack traces on errors and
|
||||
# performance data to sentry.beryju.org, and is fully opt-in
|
||||
enabled: false
|
||||
# -- This is a string that is sent to sentry with your error reports
|
||||
environment: "k8s"
|
||||
# -- Send PII (Personally identifiable information) data to sentry
|
||||
send_pii: false
|
||||
postgresql:
|
||||
# -- set the postgresql hostname to talk to
|
||||
# if unset and .Values.postgresql.enabled == true, will generate the default
|
||||
# @default -- `{{ .Release.Name }}-postgresql`
|
||||
host: 'authentik-db-rw.authentik.svc.cluster.local'
|
||||
# -- postgresql Database name
|
||||
# @default -- `authentik`
|
||||
name: "app"
|
||||
# -- postgresql Username
|
||||
# @default -- `authentik`
|
||||
user: "app"
|
||||
#password: ""
|
||||
port: 5432
|
||||
redis:
|
||||
# -- set the redis hostname to talk to
|
||||
# @default -- `{{ .Release.Name }}-redis-master`
|
||||
host: '{{ .Release.Name }}-redis-master'
|
||||
password: ""
|
||||
|
||||
# -- List of config maps to mount blueprints from. Only keys in the
|
||||
# configmap ending with ".yaml" wil be discovered and applied
|
||||
blueprints: []
|
||||
|
||||
# -- see configuration options at https://goauthentik.io/docs/installation/configuration/
|
||||
env: {}
|
||||
# AUTHENTIK_VAR_NAME: VALUE
|
||||
|
||||
envFrom: []
|
||||
# - configMapRef:
|
||||
# name: special-config
|
||||
|
||||
envValueFrom:
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: authentik-db-app
|
||||
AUTHENTIK_SECRET_KEY:
|
||||
secretKeyRef:
|
||||
key: secret_key
|
||||
name: authentik
|
||||
|
||||
|
||||
service:
|
||||
# -- Service that is created to access authentik
|
||||
enabled: true
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
name: http
|
||||
protocol: TCP
|
||||
labels: {}
|
||||
annotations: {}
|
||||
|
||||
volumes: []
|
||||
|
||||
volumeMounts: []
|
||||
|
||||
resources:
|
||||
server: {}
|
||||
worker: {}
|
||||
|
||||
serviceAccount:
|
||||
# -- Service account is needed for managed outposts
|
||||
create: true
|
||||
|
||||
prometheus:
|
||||
serviceMonitor:
|
||||
create: false
|
||||
interval: 30s
|
||||
scrapeTimeout: 3s
|
||||
rules:
|
||||
create: false
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
architecture: standalone
|
||||
auth:
|
||||
enabled: false
|
Loading…
Reference in a new issue