2025.12 upgrade

2026-01-22 15:38:45 +11:00
parent 7e1f361aa3
commit a21da49351
112 changed files with 13484 additions and 0 deletions


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,40 @@
annotations:
artifacthub.io/license: MIT
artifacthub.io/links: |
- name: Github
url: https://github.com/goauthentik/authentik
- name: Docs
url: https://goauthentik.io/docs/
artifacthub.io/maintainers: |
- name: authentik Team
email: hello@goauthentik.io
url: https://goauthentik.io
apiVersion: v2
appVersion: 2025.4.0
description: RBAC required for a remote cluster to be connected to authentik.
home: https://goauthentik.io
icon: https://goauthentik.io/img/icon.png
keywords:
- authentication
- directory
- identity
- idp
- ldap
- oauth
- oidc
- proxy
- saml
- scim
- single-sign-on
- sp
- sso
maintainers:
- email: hello@goauthentik.io
name: authentik Team
url: https://goauthentik.io
name: authentik-remote-cluster
sources:
- https://goauthentik.io/docs/
- https://github.com/goauthentik/authentik
type: application
version: 2.1.0


@@ -0,0 +1,39 @@
<p align="center">
<img src="https://goauthentik.io/img/icon_top_brand_colour.svg" height="150" alt="authentik logo">
</p>
---
[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=for-the-badge)
![AppVersion: 2025.4.0](https://img.shields.io/badge/AppVersion-2025.4.0-informational?style=for-the-badge)
RBAC required for a remote cluster to be connected to authentik.
**Homepage:** <https://goauthentik.io>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| authentik Team | <hello@goauthentik.io> | <https://goauthentik.io> |
## Source Code
* <https://goauthentik.io/docs/>
* <https://github.com/goauthentik/authentik>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| annotations | object | `{}` | Annotations to apply to all resources |
| clusterRole.enabled | bool | `true` | Create a clusterole in addition to a namespaced role. |
| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible |
| global.additionalLabels | object | `{}` | Common labels for all resources. |
| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` |
| global.nameOverride | string | `""` | Provide a name in place of `authentik` |
| global.namespaceOverride | string | `""` | A custom namespace to override the default namespace for the deployed resources. |
| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
| nameOverride | string | `""` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible |
| serviceAccountSecret.enabled | bool | `true` | Create a secret with the service account credentials |


@@ -0,0 +1,23 @@
<p align="center">
<img src="https://goauthentik.io/img/icon_top_brand_colour.svg" height="150" alt="authentik logo">
</p>
---
[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
![Version: 2.1.0](https://img.shields.io/badge/Version-2.1.0-informational?style=for-the-badge)
![AppVersion: 2025.4.0](https://img.shields.io/badge/AppVersion-2025.4.0-informational?style=for-the-badge)
{{ template "chart.deprecationWarning" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}


@@ -0,0 +1,26 @@
Run the commands below to get a kubeconfig file for authentik:
KUBE_API=$(kubectl config view --minify --output jsonpath="{.clusters[*].cluster.server}")
NAMESPACE={{ .Release.Namespace }}
SECRET_NAME=$(kubectl get serviceaccount {{ include "authentik-remote-cluster.fullname" . }} -o jsonpath='{.secrets[0].name}' 2>/dev/null || echo -n "{{ include "authentik-remote-cluster.fullname" . }}")
KUBE_CA=$(kubectl -n $NAMESPACE get secret/$SECRET_NAME -o jsonpath='{.data.ca\.crt}')
KUBE_TOKEN=$(kubectl -n $NAMESPACE get secret/$SECRET_NAME -o jsonpath='{.data.token}' | base64 --decode)
echo "apiVersion: v1
kind: Config
clusters:
- name: default-cluster
cluster:
certificate-authority-data: ${KUBE_CA}
server: ${KUBE_API}
contexts:
- name: default-context
context:
cluster: default-cluster
namespace: $NAMESPACE
user: authentik-user
current-context: default-context
users:
- name: authentik-user
user:
token: ${KUBE_TOKEN}"
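Review bot: The `kubectl get serviceaccount` call that sets SECRET_NAME has no `-n $NAMESPACE`, unlike the two `get secret` calls after it, so it looks in whatever namespace the current kubectl context points at, and `2>/dev/null ||` hides a failed lookup behind the fallback name. Adding `-n $NAMESPACE` to that call would make the three lookups consistent. NAMESPACE is taken from `.Release.Namespace`, while the templates place the ServiceAccount and Secret in the namespace returned by the namespace helper, so the two would differ whenever an override takes effect. The final `echo` also prints a bearer token to the terminal; the text could tell the operator to write it to a file with owner-only permissions, for example by running the commands under `umask 077` and redirecting the output.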


@@ -0,0 +1,76 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart
*/}}
{{- define "authentik-remote-cluster.name" -}}
{{- $globalNameOverride := "" -}}
{{- if hasKey .Values "global" -}}
{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}}
{{- end -}}
{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Determine the namespace to use, allowing for a namespace override.
*/}}
{{- define "authauthentik-remote-cluster.namespace" -}}
{{- if .Values.namespaceOverride }}
{{- .Values.namespaceOverride }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "authentik-remote-cluster.fullname" -}}
{{- $name := include "authentik-remote-cluster.name" . -}}
{{- $globalFullNameOverride := "" -}}
{{- if hasKey .Values "global" -}}
{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}}
{{- end -}}
{{- if or .Values.fullnameOverride $globalFullNameOverride -}}
{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}}
{{- else -}}
{{- if contains $name .Release.Name -}}
{{- $name = .Release.Name -}}
{{- else -}}
{{- $name = printf "%s-%s" .Release.Name $name -}}
{{- end -}}
{{- end -}}
{{- trunc 63 $name | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "authentik-remote-cluster.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "authentik-remote-cluster.labels" -}}
helm.sh/chart: {{ include "authentik-remote-cluster.chart" .context | quote }}
app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" .context | quote }}
app.kubernetes.io/instance: {{ .context.Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }}
app.kubernetes.io/part-of: "authentik"
app.kubernetes.io/version: {{ .context.Chart.Version | quote }}
{{- with .context.Values.global.additionalLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- define "authentik-remote-cluster.api-verbs-rw" -}}
- get
- create
- delete
- list
- patch
{{- end -}}
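Review bot: The namespace helper tests `.Values.namespaceOverride`, but the values file and README on this page only define `global.namespaceOverride`, so the documented override appears to have no effect and every resource falls back to `.Release.Namespace`. Reading the global key instead, guarded with `hasKey .Values "global"` the way the name helper is, and ending in `{{- default .Release.Namespace $override -}}`, would match the documentation. The helper is also defined as `authauthentik-remote-cluster.namespace` with a doubled prefix; it works because every caller repeats the same spelling, but a rename to `authentik-remote-cluster.namespace` across the templates would keep it in line with the other helpers. The `api-verbs-rw` define has no comment; a short one stating that it is the verb list shared by the read/write rules of the Role would help.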


@@ -0,0 +1,19 @@
{{- if .Values.clusterRole.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
{{- end }}


@@ -0,0 +1,20 @@
{{- if .Values.clusterRole.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
subjects:
- kind: ServiceAccount
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
{{- end }}


@@ -0,0 +1,59 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- secrets
- services
- configmaps
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- extensions
- apps
resources:
- deployments
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- middlewares
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
{{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
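Review bot: The first rule gives get, create, delete, list and patch on every `secrets` object in the namespace, which covers this chart's own service-account token Secret and any unrelated credentials stored alongside it. Nothing in the rule narrows it with `resourceNames`, so the practical boundary is the namespace itself; a comment above the rule would make that explicit, e.g. `# Grants read/write on all Secrets in this namespace; install into a namespace dedicated to authentik.` Separately, the last rule lists `customresourcedefinitions`, which are cluster-scoped, so a namespaced Role cannot grant it and the permission only exists through the ClusterRole; with `clusterRole.enabled` set to false it is absent.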


@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "authentik-remote-cluster.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}


@@ -0,0 +1,15 @@
{{- if .Values.serviceAccountSecret.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
annotations:
kubernetes.io/service-account.name: {{ template "authentik-remote-cluster.fullname" . }}
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: kubernetes.io/service-account-token
{{- end }}
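Review bot: This Secret of type `kubernetes.io/service-account-token` makes the control plane issue a token with no expiry, and `serviceAccountSecret.enabled` defaults to true, so every install carries a long-lived credential for the chart's Role. The template says nothing about that lifetime; I would add a comment above `kind: Secret`, such as `# Long-lived token: valid until this Secret or the ServiceAccount is deleted; rotate by deleting and recreating the Secret.` User-supplied `annotations` are also rendered after `kubernetes.io/service-account.name`, so a value that contains that key would produce a duplicate mapping key in the manifest.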


@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "authentik-remote-cluster.fullname" . }}
namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
labels:
{{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}


@@ -0,0 +1,30 @@
---
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
nameOverride: ""
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
fullnameOverride: ""
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
## Globally shared configuration for authentik components.
global:
# -- Provide a name in place of `authentik`
nameOverride: ""
# -- String to fully override `"authentik.fullname"`
fullnameOverride: ""
# -- A custom namespace to override the default namespace for the deployed resources.
namespaceOverride: ""
# -- Common labels for all resources.
additionalLabels: {}
# app: authentik
# -- Annotations to apply to all resources
annotations: {}
serviceAccountSecret:
# -- Create a secret with the service account credentials
enabled: true
clusterRole:
# -- Create a clusterole in addition to a namespaced role.
enabled: true