diff --git a/projects/authentik/project.yml b/projects/authentik/project.yml
new file mode 100644
index 00000000..a13a36a8
--- /dev/null
+++ b/projects/authentik/project.yml
@@ -0,0 +1,20 @@
+config:
+ description: Authentik Authentication
+
+apps:
+ - name: authentik
+ repoURL: https://charts.goauthentik.io/
+ chart: authentik
+ targetRevision: 4.0.3
+ secrets:
+ - name: authentik
+ keys:
+ - secret_key
+ - name: postgres
+ keys:
+ - postgresql-username
+ - postgresql-password
+ - postgresql-postgres-password
+ - name: redis
+ keys:
+ - password
diff --git a/projects/authentik/values/authentik.yaml b/projects/authentik/values/authentik.yaml
new file mode 100644
index 00000000..86f06e46
--- /dev/null
+++ b/projects/authentik/values/authentik.yaml
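Review bot: The `postgres` secret declares a `postgresql-username` key, but nothing in the accompanying values/authentik.yaml consumes it — the database user is set in plaintext as `postgresql.postgresqlUsername: "authentik"` and `authentik.postgresql.user: "authentik"`, and only `postgresql-password` is wired through `envValueFrom`; if this manifest presumably lists the keys the Secret must carry, either drop the unused key or wire it, so the Secret's contents and what the chart actually reads stay in sync. Two defensive YAML points: `targetRevision: 4.0.3` happens to parse as a string only because it has two dots, so quote it as `targetRevision: "4.0.3"` to stay safe when the pin moves to something like `4.1`; and a short comment above `secrets:` such as `# Secret objects (by name and key) that must exist in the namespace before sync; values are never stored in this repo` would make the split between references here and material elsewhere explicit.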
@@ -0,0 +1,186 @@
+# -- Server replicas
+replicas: 1
+worker:
+ # -- worker replicas
+ replicas: 1
+
+ingress:
+ enabled: true
+ ingressClassName: ""
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ labels: {}
+ hosts:
+ - host: auth.dc
+ paths:
+ - path: "/"
+ pathType: Prefix
+ tls:
+ - hosts: ['auth.dc']
+ secretName: "auth-tls"
+
+authentik:
+ # -- Log level for server and worker
+ log_level: info
+ # -- Secret key used for cookie singing and unique user IDs,
+ # don't change this after the first install
+ secret_key: ""
+ # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
+ geoip: /geoip/GeoLite2-City.mmdb
+ # -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none'
+ avatars: none
+ email:
+ # -- SMTP Server emails are sent from, fully optional
+ host: ""
+ port: 587
+ # -- SMTP credentials, when left empty, not authentication will be done
+ username: ""
+ # -- SMTP credentials, when left empty, not authentication will be done
+ password: ""
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_tls: false
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_ssl: false
+ # -- Connection timeout
+ timeout: 30
+ # -- Email from address, can either be in the format "foo@bar.baz" or "authentik "
+ from: ""
+ outposts:
+ # -- Template used for managed outposts. The following placeholders can be used
+ # %(type)s - the type of the outpost
+ # %(version)s - version of your authentik install
+ # %(build_hash)s - only for beta versions, the build hash of the image
+ container_image_base: goauthentik.io/%(type)s:%(version)s
+ error_reporting:
+ # -- This sends anonymous usage-data, stack traces on errors and
+ # performance data to sentry.beryju.org, and is fully opt-in
+ enabled: false
+ # -- This is a string that is sent to sentry with your error reports
+ environment: "k8s"
+ # -- Send PII (Personally identifiable information) data to sentry
+ send_pii: false
+ postgresql:
+ # -- set the postgresql hostname to talk to
+ # if unset and .Values.postgresql.enabled == true, will generate the default
+ # @default -- `{{ .Release.Name }}-postgresql`
+ host: '{{ .Release.Name }}-postgresql'
+ # -- postgresql Database name
+ # @default -- `authentik`
+ name: "authentik"
+ # -- postgresql Username
+ # @default -- `authentik`
+ user: "authentik"
+ port: 5432
+# redis:
+ # -- set the redis hostname to talk to
+ # @default -- `{{ .Release.Name }}-redis-master`
+# host: '{{ .Release.Name }}-redis-master'
+# password: fuckyou
+
+# -- see configuration options at https://goauthentik.io/docs/installation/configuration/
+env: {}
+
+envFrom: []
+# - configMapRef:
+# name: special-config
+
+envValueFrom:
+ AUTHENTIK_SECRET_KEY:
+ secretKeyRef:
+ key: secret_key
+ name: authentik
+ AUTHENTIK_POSTGRESQL__PASSWORD:
+ secretKeyRef:
+ key: postgresql-password
+ name: postgres
+ AUTHENTIK_REDIS__PASSWORD:
+ secretKeyRef:
+ key: password
+ name: redis
+
+service:
+ # -- Service that is created to access authentik
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ protocol: TCP
+ labels: {}
+ annotations: {}
+
+volumes: []
+
+volumeMounts: []
+
+# -- affinity applied to the deployments
+affinity: {}
+
+resources:
+ server: {}
+ worker: {}
+
+# WARNING! When initially deploying, authentik has to do a few DB migrations. This may cause it to die from probe
+# failure, but will continue on reboot. You can disable this during deployment if this is not desired
+livenessProbe:
+ # -- enables or disables the livenessProbe
+ enabled: true
+ httpGet:
+ # -- liveness probe url path
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 50
+ periodSeconds: 10
+
+readinessProbe:
+ enabled: true
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ initialDelaySeconds: 50
+ periodSeconds: 10
+
+serviceAccount:
+ # -- Service account is needed for managed outposts
+ create: true
+
+prometheus:
+ serviceMonitor:
+ create: false
+ interval: 30s
+ scrapeTimeout: 3s
+ rules:
+ create: false
+
+geoip:
+ # -- optional GeoIP, deploys a cronjob to download the maxmind database
+ enabled: false
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ accountId: ""
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ licenseKey: ""
+ editionIds: "GeoLite2-City"
+ image: maxmindinc/geoipupdate:v4.8
+ # -- number of hours between update runs
+ updateInterval: 8
+
+postgresql:
+ # -- enable the bundled bitnami postgresql chart
+ enabled: true
+ postgresqlUsername: "authentik"
+ # postgresqlPassword: ""
+ postgresqlDatabase: "authentik"
+ persistence:
+ enabled: true
+ # storageClass:
+ accessModes:
+ - ReadWriteOnce
+ existingSecret: postgres
+
+redis:
+ # -- enable the bundled bitnami redis chart
+ enabled: true
+ architecture: standalone
+ auth:
+ enabled: true
+ existingSecret: redis
+ existingSecretPasswordKey: password
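Review bot: The commented-out `# password: fuckyou` under the disabled `# redis:` stanza leaves a literal credential placeholder in a values file tracked in git; the Redis password is already injected through `envValueFrom.AUTHENTIK_REDIS__PASSWORD` from the `redis` Secret (and the bundled chart reads `redis.auth.existingSecret`), so delete the line rather than invite someone to paste a real value there later. In the same spirit, `authentik.secret_key: ""` looks unset until you find `envValueFrom.AUTHENTIK_SECRET_KEY` much further down; a comment on it such as `# -- intentionally empty: injected from Secret 'authentik' via envValueFrom.AUTHENTIK_SECRET_KEY` would stop the next maintainer from filling it in inline (and fix "cookie singing" to "cookie signing" while there). Under `email`, `use_tls` and `use_ssl` are both `false`, which is harmless while `host` is empty but means SMTP credentials would go over the wire in clear text the moment a host and password are added; a one-line comment that one of the two must be enabled together with credentials is worth adding. These are all comment-level changes; the secret wiring itself (`secretKeyRef` names and keys matching the `postgres`/`redis` Secrets, `existingSecret` on both bundled charts) looks consistent.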