2025.12 upgrade

2026-01-22 15:38:45 +11:00
parent 7e1f361aa3
commit a21da49351
112 changed files with 13484 additions and 0 deletions
--- a/charts/authentik-remote-cluster/templates/NOTES.txt
+++ b/charts/authentik-remote-cluster/templates/NOTES.txt
@@ -0,0 +1,26 @@
+Run the commands below to get a kubeconfig file for authentik:
+
+KUBE_API=$(kubectl config view --minify --output jsonpath="{.clusters[*].cluster.server}")
+NAMESPACE={{ .Release.Namespace }}
+SECRET_NAME=$(kubectl get serviceaccount {{ include "authentik-remote-cluster.fullname" . }} -o jsonpath='{.secrets[0].name}' 2>/dev/null || echo -n "{{ include "authentik-remote-cluster.fullname" . }}")
+KUBE_CA=$(kubectl -n $NAMESPACE get secret/$SECRET_NAME -o jsonpath='{.data.ca\.crt}')
+KUBE_TOKEN=$(kubectl -n $NAMESPACE get secret/$SECRET_NAME -o jsonpath='{.data.token}' | base64 --decode)
+
+echo "apiVersion: v1
+kind: Config
+clusters:
+- name: default-cluster
+  cluster:
+    certificate-authority-data: ${KUBE_CA}
+    server: ${KUBE_API}
+contexts:
+- name: default-context
+  context:
+    cluster: default-cluster
+    namespace: $NAMESPACE
+    user: authentik-user
+current-context: default-context
+users:
+- name: authentik-user
+  user:
+    token: ${KUBE_TOKEN}"
--- a/charts/authentik-remote-cluster/templates/_helpers.tpl
+++ b/charts/authentik-remote-cluster/templates/_helpers.tpl
@@ -0,0 +1,76 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the chart
+*/}}
+{{- define "authentik-remote-cluster.name" -}}
+{{- $globalNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}}
+{{- end -}}
+{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Determine the namespace to use, allowing for a namespace override.
+*/}}
+{{- define "authauthentik-remote-cluster.namespace" -}}
+  {{- if .Values.namespaceOverride }}
+    {{- .Values.namespaceOverride }}
+  {{- else }}
+    {{- .Release.Namespace }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "authentik-remote-cluster.fullname" -}}
+{{- $name := include "authentik-remote-cluster.name" . -}}
+{{- $globalFullNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}}
+{{- end -}}
+{{- if or .Values.fullnameOverride $globalFullNameOverride -}}
+{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}}
+{{- else -}}
+{{- if contains $name .Release.Name -}}
+{{- $name = .Release.Name -}}
+{{- else -}}
+{{- $name = printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
+{{- trunc 63 $name | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "authentik-remote-cluster.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "authentik-remote-cluster.labels" -}}
+helm.sh/chart: {{ include "authentik-remote-cluster.chart" .context | quote }}
+app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" .context | quote }}
+app.kubernetes.io/instance: {{ .context.Release.Name | quote }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }}
+app.kubernetes.io/part-of: "authentik"
+app.kubernetes.io/version: {{ .context.Chart.Version | quote }}
+{{- with .context.Values.global.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "authentik-remote-cluster.api-verbs-rw" -}}
+- get
+- create
+- delete
+- list
+- patch
+{{- end -}}
--- a/charts/authentik-remote-cluster/templates/clusterrole.yaml
+++ b/charts/authentik-remote-cluster/templates/clusterrole.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.clusterRole.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+{{- end }}
--- a/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml
+++ b/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.clusterRole.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) (include "authauthentik-remote-cluster.namespace" .) | quote }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "authentik-remote-cluster.fullname" . }}
+    namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
+{{- end }}
--- a/charts/authentik-remote-cluster/templates/role.yaml
+++ b/charts/authentik-remote-cluster/templates/role.yaml
@@ -0,0 +1,59 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - services
+      - configmaps
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - extensions
+      - apps
+    resources:
+      - deployments
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - traefik.containo.us
+      - traefik.io
+    resources:
+      - middlewares
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - httproutes
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
--- a/charts/authentik-remote-cluster/templates/rolebinding.yaml
+++ b/charts/authentik-remote-cluster/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "authentik-remote-cluster.fullname" . }}
+    namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
--- a/charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml
+++ b/charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccountSecret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "authentik-remote-cluster.fullname" . }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: kubernetes.io/service-account-token
+{{- end }}
--- a/charts/authentik-remote-cluster/templates/serviceaccount.yaml
+++ b/charts/authentik-remote-cluster/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ include "authauthentik-remote-cluster.namespace" . | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}