2025.12 upgrade

2026-01-22 15:38:45 +11:00
parent 7e1f361aa3
commit a21da49351
112 changed files with 13484 additions and 0 deletions

81
templates/_common.tpl Normal file

@@ -0,0 +1,81 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart
*/}}
{{- define "authentik.name" -}}
{{- $globalNameOverride := "" -}}
{{- if hasKey .Values "global" -}}
{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}}
{{- end -}}
{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "authentik.fullname" -}}
{{- $name := include "authentik.name" . -}}
{{- $globalFullNameOverride := "" -}}
{{- if hasKey .Values "global" -}}
{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}}
{{- end -}}
{{- if or .Values.fullnameOverride $globalFullNameOverride -}}
{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}}
{{- else -}}
{{- if contains $name .Release.Name -}}
{{- $name = .Release.Name -}}
{{- else -}}
{{- $name = printf "%s-%s" .Release.Name $name -}}
{{- end -}}
{{- end -}}
{{- trunc 63 $name | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label
*/}}
{{- define "authentik.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create Authentik app version
*/}}
{{- define "authentik.defaultTag" -}}
{{- default .Chart.AppVersion .Values.global.image.tag }}
{{- end -}}
{{/*
Return valid version label
*/}}
{{- define "authentik.versionLabelValue" -}}
{{ regexReplaceAll "[^-A-Za-z0-9_.]" (include "authentik.defaultTag" .) "-" | trunc 63 | trimAll "-" | trimAll "_" | trimAll "." | quote }}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "authentik.labels" -}}
helm.sh/chart: {{ include "authentik.chart" .context | quote }}
{{ include "authentik.selectorLabels" (dict "context" .context "component" .component) }}
app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }}
app.kubernetes.io/part-of: "authentik"
app.kubernetes.io/version: {{ include "authentik.versionLabelValue" .context }}
{{- with .context.Values.global.additionalLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "authentik.selectorLabels" -}}
app.kubernetes.io/name: {{ include "authentik.name" .context | quote }}
app.kubernetes.io/instance: {{ .context.Release.Name | quote }}
{{- if .component }}
app.kubernetes.io/component: {{ .component | quote }}
{{- end }}
{{- end }}
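Review bot: `authentik.defaultTag` reads `.Values.global.image.tag` directly, while `authentik.name` and `authentik.fullname` in the same file first check `hasKey .Values "global"` before touching `.Values.global`; the two conventions disagree, and since `authentik.labels` also reads `.context.Values.global.additionalLabels` unguarded, the `hasKey` checks no longer protect anything. Either treat `global` as required and drop the guards, or guard the tag lookup the same way, and in both cases state the rule in the helper's comment, e.g. `{{/* Image tag used by every authentik container: global.image.tag if set, else the chart's appVersion. Assumes .Values.global is present. */}}`. As written, a values file without a `global` section fails in `authentik.defaultTag` with a nil-dereference error rather than in the guarded helpers.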

134
templates/_helpers.tpl Normal file

@@ -0,0 +1,134 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create authentik server name and version as used by the chart label.
*/}}
{{- define "authentik.server.fullname" -}}
{{- printf "%s-%s" (include "authentik.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the secret name for authentik configuration
*/}}
{{- define "authentik.secret.name" -}}
{{- if .Values.authentik.existingSecret.secretName -}}
{{- .Values.authentik.existingSecret.secretName -}}
{{- else -}}
{{- template "authentik.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Create authentik server worker and version as used by the chart label.
*/}}
{{- define "authentik.worker.fullname" -}}
{{- printf "%s-%s" (include "authentik.fullname" .) .Values.worker.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Determine the namespace to use, allowing for a namespace override.
*/}}
{{- define "authentik.namespace" -}}
{{- if .Values.namespaceOverride }}
{{- .Values.namespaceOverride }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}
{{/*
Create authentik configuration environment variables.
*/}}
{{- define "authentik.env" -}}
{{- range $k, $v := .values -}}
{{- if kindIs "map" $v -}}
{{- range $sk, $sv := $v -}}
{{- include "authentik.env" (dict "root" $.root "values" (dict (printf "%s__%s" (upper $k) (upper $sk)) $sv)) -}}
{{- end -}}
{{- else -}}
{{- $value := $v -}}
{{- if or (kindIs "bool" $v) (kindIs "float64" $v) (kindIs "int" $v) (kindIs "int64" $v) -}}
{{- $v = $v | toString | b64enc | quote -}}
{{- else -}}
{{- $v = tpl (toString $v) $.root | toString | b64enc | quote }}
{{- end -}}
{{- if and ($v) (ne $v "\"\"") }}
{{ printf "AUTHENTIK_%s" (upper $k) }}: {{ $v }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Common deployment strategy definition
- Recreate doesn't have additional fields, we need to remove them if added by the mergeOverwrite
*/}}
{{- define "authentik.strategy" -}}
{{- $preset := . -}}
{{- if (eq (toString $preset.type) "Recreate") }}
type: Recreate
{{- else if (eq (toString $preset.type) "RollingUpdate") }}
type: RollingUpdate
{{- with $preset.rollingUpdate }}
rollingUpdate:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Common affinity definition
Pod affinity
- Soft prefers different nodes
- Hard requires different nodes and prefers different availibility zones
Node affinity
- Soft prefers given user expressions
- Hard requires given user expressions
*/}}
{{- define "authentik.affinity" -}}
{{- with .component.affinity -}}
{{- toYaml . -}}
{{- else -}}
{{- $preset := .context.Values.global.affinity -}}
{{- if (eq $preset.podAntiAffinity "soft") }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 12 }}
topologyKey: kubernetes.io/hostname
{{- else if (eq $preset.podAntiAffinity "hard") }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 12 }}
topologyKey: topology.kubernetes.io/zone
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
{{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 10 }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- with $preset.nodeAffinity.matchExpressions }}
{{- if (eq $preset.nodeAffinity.type "soft") }}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
{{- toYaml . | nindent 10 }}
{{- else if (eq $preset.nodeAffinity.type "hard") }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
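Review bot: `authentik.env` is the helper that turns the whole `authentik` values tree into Secret data, and its contract is undocumented: nested maps are flattened with `__` (so `postgresql.host` becomes `AUTHENTIK_POSTGRESQL__HOST`), bools and numbers are stringified, empty results are dropped, and every other scalar is first run through `tpl` against the chart root, meaning a value containing `{{ … }}` is executed as a Go template with read access to every other value. That is what makes referencing one value from another work, but it also means whoever controls the values file can pull any other value into the rendered Secret, so it deserves a header comment. Suggested text for the `{{/* … */}}` block above the define: `Render the .Values.authentik tree as Secret data: keys are upper-cased and prefixed with AUTHENTIK_, nested maps are joined with "__", bool/number values are stringified, string values are passed through tpl (so they may reference other values), empty values are dropped and everything is base64-encoded.` Separately, the affinity comment misspells "availability" as "availibility".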

8
templates/_versions.tpl Normal file

@@ -0,0 +1,8 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "authentik.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}}
{{- end -}}


@@ -0,0 +1,4 @@
{{- range .Values.additionalObjects }}
---
{{ tpl (toYaml . ) $ }}
{{- end }}
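Review bot: Objects from `additionalObjects` are emitted exactly as given after `tpl`, so one that omits `metadata.namespace` lands in `.Release.Namespace`, whereas every chart-owned resource goes through `authentik.namespace` and honours `namespaceOverride`; if the override is meant to be chart-wide, that difference will surprise users. Because the template cannot safely inject a namespace into arbitrary objects (cluster-scoped kinds exist), the fix is a comment on the template and on the values key: `{{/* Extra manifests from values, rendered through tpl with the chart root as context. They are NOT namespaced by the chart: set metadata.namespace explicitly when namespaceOverride is in use. */}}`.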


@@ -0,0 +1,87 @@
{{ if .Values.image }}
{{ required "`image` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.global.image.pullSecrets }}
{{ required "`global.image.pullSecrets` does not exist. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.annotations }}
{{ required "`annotations` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.podAnnotations }}
{{ required "`podAnnotations` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.nodeSelector }}
{{ required "`nodeSelector` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.tolerations }}
{{ required "`tolerations` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.affinity }}
{{ required "`affinity` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if or .Values.env .Values.envValueFrom .Values.envFrom }}
{{ required "`env`, `envValueFrom` and `envFrom` are deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if or .Values.additionalContainers .Values.initContainers }}
{{ required "`additionalContainers` and `initContainers` are deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if or .Values.volumes .Values.volumeMounts }}
{{ required "`volumes` and `volumeMounts` are deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.replicas }}
{{ required "`replicas` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.strategy }}
{{ required "`strategy` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.priorityClassName }}
{{ required "`priorityClassName` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.containerSecurityContext }}
{{ required "`containerSecurityContext` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if or .Values.livenessProbe .Values.readinessProbe .Values.startupProbe }}
{{ required "`livenessProbe`, `readinessProbe` and `startupProbe` are deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.autoscaling }}
{{ required "`autoscaling` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.pdb }}
{{ required "`pdb` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.resources }}
{{ required "`resources` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.service }}
{{ required "`service` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.prometheus.serviceMonitor }}
{{ required "`prometheus.serviceMonitor` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.prometheus.rules.create }}
{{ required "`prometheus.rules.create` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
{{ if .Values.ingress }}
{{ required "`ingress` is deprecated. See the release notes for a list of changes." .Values.undefined }}
{{ end }}
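Review bot: Each guard aborts rendering by calling `required` on the never-defined `.Values.undefined`, which works but reads as a trick and prefixes every message with Helm's generic "required" wording; Sprig's `fail` is the direct form, e.g. `{{- if .Values.image }}{{ fail "`image` is deprecated. See the release notes for a list of changes." }}{{- end }}`. The unhyphenated `{{ if }}` / `{{ end }}` pairs also leave one empty line per guard in the rendered output, which `{{- … }}` trimming avoids. Note that the `.Values.prometheus.serviceMonitor` and `.Values.prometheus.rules.create` checks themselves dereference `prometheus` and `prometheus.rules`, so those keys must exist in the default values for the guards not to fail on their own; presumably they do, since the PrometheusRule template reads the same keys.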


@@ -0,0 +1,195 @@
{{- if .Values.prometheus.rules.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "authentik.fullname" . }}
namespace: {{ .Values.prometheus.rules.namespace | default (include "authentik.namespace" .) | quote }}
labels:
{{- include "authentik.labels" (dict "context" .) | nindent 4 }}
{{- if .Values.prometheus.rules.selector }}
{{- toYaml .Values.prometheus.rules.selector | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.rules.labels }}
{{- toYaml .Values.prometheus.rules.labels | nindent 4 }}
{{- end }}
{{- with .Values.prometheus.rules.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: authentik Aggregate request counters
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
- record: job:django_http_ajax_requests_total:sum_rate30s
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
- record: job:django_http_requests_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
- record: job:django_http_responses_streaming_total:sum_rate30s
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
- record: job:django_http_responses_body_total_bytes:sum_rate30s
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
- record: job:django_http_requests_total:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
- record: job:django_http_requests_total_by_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
- record: job:django_http_requests_total_by_transport:sum_rate30s
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
- record: job:django_http_requests_total_by_view:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
- record: job:django_http_responses_total_by_templatename:sum_rate30s
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
- record: job:django_http_responses_total_by_status:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
- record: job:django_http_responses_total_by_charset:sum_rate30s
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
- record: job:django_http_exceptions_total_by_type:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
- record: job:django_http_exceptions_total_by_view:sum_rate30s
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
- name: authentik Aggregate latency histograms
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "50"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "95"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99"
- record: job:django_http_requests_latency_seconds:quantile_rate30s
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
labels:
quantile: "99.9"
- name: authentik Aggregate model operations
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- record: job:django_model_inserts_total:sum_rate1m
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
- record: job:django_model_updates_total:sum_rate1m
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
- record: job:django_model_deletes_total:sum_rate1m
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
- name: authentik Aggregate database operations
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- record: job:django_db_new_connections_total:sum_rate30s
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
- record: job:django_db_new_connection_errors_total:sum_rate30s
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
- record: job:django_db_execute_total:sum_rate30s
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
- record: job:django_db_execute_many_total:sum_rate30s
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
- record: job:django_db_errors_total:sum_rate30s
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
- name: authentik Aggregate migrations
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- record: job:django_migrations_applied_total:max
expr: max(django_migrations_applied_total) by (job, connection)
- record: job:django_migrations_unapplied_total:max
expr: max(django_migrations_unapplied_total) by (job, connection)
- name: authentik Alerts
{{- if .Values.prometheus.rules.additionalRuleGroupAnnotations }}
annotations:
{{- toYaml .Values.prometheus.rules.additionalRuleGroupAnnotations | nindent 8 }}
{{- end }}
rules:
- alert: NoWorkersConnected
labels:
severity: critical
expr: max (authentik_tasks_workers) < 1
for: 10m
annotations:
{{`
summary: No workers connected
message: authentik instance {{ $labels.instance }}'s worker are either not running or not connected.
`}}
- alert: PendingMigrations
labels:
severity: critical
expr: max without (pid) (django_migrations_unapplied_total) > 0
for: 10m
annotations:
{{`
summary: Pending database migrations
message: authentik instance {{ $labels.instance }} has pending database migrations
`}}
- alert: FailedSystemTasks
labels:
severity: critical
expr: sum(increase(authentik_tasks_errors_total[2h])) by (actor_name) > 0
for: 2h
annotations:
{{`
summary: Failed system tasks
message: System task {{ $labels.actor_name }} has failed on authentik instance {{ $labels.instance }}
`}}
- alert: DisconnectedOutposts
labels:
severity: critical
expr: sum by (outpost) (max without (pid) (authentik_outposts_connected{uid!~"specific.*"})) < 1
for: 30m
annotations:
{{`
summary: Disconnected outpost
message: Outpost {{ $labels.outpost }} has at least 1 disconnected instance
`}}
{{- end }}
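Review bot: `NoWorkersConnected` aggregates with a bare `max (authentik_tasks_workers)`, which drops every label, so the `{{ $labels.instance }}` in its message always renders empty; `FailedSystemTasks` has the same defect because it sums `by (actor_name)` only. Either keep the label in the aggregation — `max by (instance) (authentik_tasks_workers) < 1` and `sum by (actor_name, instance) (increase(authentik_tasks_errors_total[2h])) > 0` — or drop `{{ $labels.instance }}` from those two messages (`PendingMigrations` is fine because `max without (pid)` keeps the label). Separately, `max(…) < 1` returns no series when the metric is absent altogether, so the worker alert stays silent in the case where nothing is being scraped at all; `max (authentik_tasks_workers) < 1 or absent(authentik_tasks_workers)` fires in that case too, provided the scrape job is expected to always exist.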

19
templates/secret.yaml Normal file

@@ -0,0 +1,19 @@
{{- if and .Values.authentik.enabled (not .Values.authentik.existingSecret.secretName) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "authentik.fullname" . }}
namespace: {{ include "authentik.namespace" . | quote }}
labels:
{{- include "authentik.labels" (dict "context" .) | nindent 4 }}
{{- if .Values.global.secretAnnotations }}
annotations:
{{- toYaml .Values.global.secretAnnotations | nindent 4 }}
{{- end }}
data:
{{- include "authentik.env" (dict "root" . "values" .Values.authentik) | indent 2 }}
{{- if and .Values.geoip.enabled (not .Values.geoip.existingSecret.secretName) }}
GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" .Values.geoip.accountId | b64enc | quote }}
GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" .Values.geoip.licenseKey | b64enc | quote }}
{{- end }}
{{- end }}
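Review bot: The Secret is skipped whenever `authentik.existingSecret.secretName` is set (or `authentik.enabled` is false), but the GeoIP credentials are only ever written into this same Secret, and the server deployment's geoip sidecar reads `GEOIPUPDATE_ACCOUNT_ID` / `GEOIPUPDATE_LICENSE_KEY` from it under the chart fullname whenever `geoip.existingSecret.secretName` is empty. A release that brings its own authentik Secret but passes `geoip.accountId` / `geoip.licenseKey` inline therefore references a Secret that is never created, and the pod fails to start. Gating the two halves independently keeps the Secret around whenever either consumer needs it; the deployment side can stay as it is.
```yaml
{{- $renderAuthentik := and .Values.authentik.enabled (not .Values.authentik.existingSecret.secretName) }}
{{- $renderGeoip := and .Values.geoip.enabled (not .Values.geoip.existingSecret.secretName) }}
{{- if or $renderAuthentik $renderGeoip }}
# … unchanged: apiVersion, kind, metadata …
data:
{{- if $renderAuthentik }}
{{- include "authentik.env" (dict "root" . "values" .Values.authentik) | indent 2 }}
{{- end }}
{{- if $renderGeoip }}
  GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" .Values.geoip.accountId | b64enc | quote }}
  GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" .Values.geoip.licenseKey | b64enc | quote }}
{{- end }}
{{- end }}
```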


@@ -0,0 +1,238 @@
{{- if .Values.server.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "authentik.server.fullname" . }}
namespace: {{ include "authentik.namespace" . | quote }}
labels:
{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.server.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key}}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with include "authentik.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.server.deploymentStrategy) }}
strategy:
{{- trim . | nindent 4 }}
{{- end }}
{{- if not .Values.server.autoscaling.enabled }}
replicas: {{ .Values.server.replicas }}
{{- end }}
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.server.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.serviceAccountName }}
serviceAccountName: {{ . }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.server.securityContext) }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.server.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
{{- end }}
{{- with .Values.server.initContainers }}
initContainers:
{{- tpl (toYaml . ) $ | nindent 6 }}
{{- end }}
containers:
- name: {{ .Values.server.name }}
image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "authentik.defaultTag" .) .Values.server.image.tag }}{{- if (default .Values.global.image.digest .Values.server.image.digest) -}}@{{ default .Values.global.image.digest .Values.server.image.digest }}{{- end }}
imagePullPolicy: {{ default .Values.global.image.pullPolicy .Values.server.image.pullPolicy }}
args:
- server
env:
{{- with (concat .Values.global.env .Values.server.env) }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: AUTHENTIK_LISTEN__HTTP
value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.http | quote }}
- name: AUTHENTIK_LISTEN__HTTPS
value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.https | quote }}
- name: AUTHENTIK_LISTEN__METRICS
value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.metrics | quote }}
envFrom:
- secretRef:
name: {{ template "authentik.secret.name" . }}
{{- with (concat .Values.global.envFrom .Values.server.envFrom) }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.geoip.enabled .Values.global.volumeMounts .Values.server.volumeMounts }}
volumeMounts:
{{- with .Values.global.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.server.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.geoip.enabled }}
- name: geoip-db
mountPath: /geoip
{{- end }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.server.containerPorts.http }}
protocol: TCP
- name: https
containerPort: {{ .Values.server.containerPorts.https }}
protocol: TCP
- name: metrics
containerPort: {{ .Values.server.containerPorts.metrics }}
protocol: TCP
{{- with .Values.server.livenessProbe }}
livenessProbe:
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.server.readinessProbe }}
readinessProbe:
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.server.startupProbe }}
startupProbe:
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
{{- with .Values.server.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.server.lifecycle }}
lifecycle:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.geoip.enabled }}
- name: geoip
image: {{ .Values.geoip.image.repository }}:{{ .Values.geoip.image.tag }}{{- if .Values.geoip.image.digest -}}@{{ .Values.geoip.image.digest }}{{- end }}
imagePullPolicy: {{ .Values.geoip.image.pullPolicy }}
env:
{{- with .Values.geoip.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: GEOIPUPDATE_FREQUENCY
value: {{ .Values.geoip.updateInterval | quote }}
- name: GEOIPUPDATE_PRESERVE_FILE_TIMES
value: "1"
{{- if not .Values.geoip.existingSecret.secretName }}
- name: GEOIPUPDATE_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: {{ template "authentik.fullname" . }}
key: GEOIPUPDATE_ACCOUNT_ID
- name: GEOIPUPDATE_LICENSE_KEY
valueFrom:
secretKeyRef:
name: {{ template "authentik.fullname" . }}
key: GEOIPUPDATE_LICENSE_KEY
{{- else }}
- name: GEOIPUPDATE_ACCOUNT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.geoip.existingSecret.secretName }}
key: {{ .Values.geoip.existingSecret.accountId }}
- name: GEOIPUPDATE_LICENSE_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.geoip.existingSecret.secretName }}
key: {{ .Values.geoip.existingSecret.licenseKey }}
{{- end }}
- name: GEOIPUPDATE_EDITION_IDS
value: {{ required "geoip edition id required" .Values.geoip.editionIds | quote }}
{{- with .Values.geoip.envFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- with .Values.geoip.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: geoip-db
mountPath: /usr/share/GeoIP
resources:
{{- toYaml .Values.geoip.resources | nindent 12 }}
{{- with .Values.geoip.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- with .Values.server.extraContainers }}
{{- tpl (toYaml . ) $ | nindent 8 }}
{{- end }}
{{- with include "authentik.affinity" (dict "context" . "component" .Values.server) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.server.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "authentik.selectorLabels" (dict "context" $ "component" $.Values.server.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.geoip.enabled .Values.global.volumes .Values.server.volumes }}
volumes:
{{- with .Values.global.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.geoip.enabled }}
- name: geoip-db
emptyDir: {}
{{- end }}
{{- end }}
enableServiceLinks: true
{{- if .Values.server.hostNetwork }}
hostNetwork: {{ .Values.server.hostNetwork }}
{{- end }}
{{- with .Values.server.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.server.dnsPolicy }}
dnsPolicy: {{ .Values.server.dnsPolicy }}
{{- end }}
{{- end }}
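Review bot: The `checksum/secret` pod annotation is the sha256 of the rendered `secret.yaml`, which renders to nothing once `authentik.existingSecret.secretName` is set, so the hash becomes a constant and rotating the externally managed Secret never restarts the server pods even though they consume it through `envFrom`. The template cannot hash a Secret it does not render, so the practical caveat belongs next to `existingSecret` in the values file or README: `# When existingSecret is used the chart cannot detect changes to it; after rotating the secret trigger a rollout yourself (e.g. via server.podAnnotations or kubectl rollout restart).` The same limitation applies to the geoip sidecar when `geoip.existingSecret.secretName` is set.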

47
templates/server/hpa.yaml Normal file

@@ -0,0 +1,47 @@
{{- if .Values.server.enabled }}
{{- if .Values.server.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "authentik.server.fullname" . }}
namespace: {{ include "authentik.namespace" . | quote }}
labels:
{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
{{- with .Values.server.autoscaling.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "authentik.server.fullname" . }}
minReplicas: {{ .Values.server.autoscaling.minReplicas }}
maxReplicas: {{ .Values.server.autoscaling.maxReplicas }}
metrics:
{{- with .Values.server.autoscaling.metrics }}
{{- toYaml . | nindent 4 }}
{{- else }}
{{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.server.autoscaling.behavior }}
behavior:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,73 @@
{{- if .Values.server.enabled }}
{{- if .Values.server.ingress.enabled -}}
{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
{{- $paths := .Values.server.ingress.paths -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $pathType := .Values.server.ingress.pathType -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "authentik.server.fullname" . }}
namespace: {{ include "authentik.namespace" . | quote }}
labels:
{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
{{- with .Values.server.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
{{- if .Values.server.ingress.hosts }}
{{- range $host := .Values.server.ingress.hosts }}
- host: {{ $host | quote }}
http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ tpl (toYaml $p) $ }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "authentik.server.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
paths:
{{- with $extraPaths }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ tpl (toYaml $p) $ }}
pathType: {{ $pathType }}
backend:
service:
name: {{ include "authentik.server.fullname" $ }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- with .Values.server.ingress.tls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
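Review bot: Setting `server.ingress.https` only switches the backend port to `service.servicePortHttps`; it does not tell the ingress controller to speak TLS to that port, which on most controllers is a separate, controller-specific annotation (ingress-nginx uses `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`) that the user has to add under `server.ingress.annotations`. Without it the controller sends plaintext HTTP to the HTTPS container port and the connection is rejected. A one-line comment on the `https` key in values would prevent that misconfiguration: `# Route the Ingress to the HTTPS service port. You must also configure your controller for a TLS backend (e.g. a backend-protocol annotation); this flag alone does not.`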


@@ -0,0 +1,36 @@
{{- if .Values.server.enabled }}
{{- if .Values.server.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "authentik.server.fullname" . }}-metrics
namespace: {{ include "authentik.namespace" . | quote }}
labels:
{{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }}
{{- with .Values.server.metrics.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.server.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
annotations:
{{- if .Values.global.addPrometheusAnnotations }}
prometheus.io/port: {{ .Values.server.metrics.service.servicePort | quote }}
prometheus.io/scrape: "true"
{{- end }}
{{- range $key, $value := .Values.server.metrics.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.server.metrics.service.type }}
{{- if and .Values.server.metrics.service.clusterIP (eq .Values.server.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.server.metrics.service.clusterIP }}
{{- end }}
ports:
- name: {{ .Values.server.metrics.service.portName }}
protocol: TCP
port: {{ .Values.server.metrics.service.servicePort }}
targetPort: metrics
selector:
{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
{{- end }}
{{- end }}
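Review bot: `clusterIP: {{ .Values.server.metrics.service.clusterIP }}` is rendered unquoted, whereas the main server Service in this commit writes `clusterIP: {{ .Values.server.service.clusterIP | quote }}`; quoting keeps the two Service templates consistent and stops the YAML parser from retyping whatever string a user supplies. Suggested: `clusterIP: {{ .Values.server.metrics.service.clusterIP | quote }}`. The worker metrics Service hunk has the same unquoted line.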

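--- /dev/null
+++ b/templates/server/pdb.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.server.pdb.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+name: {{ include "authentik.server.fullname" . }}
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+{{- with .Values.server.pdb.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{ with .Values.server.pdb.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- with .Values.server.pdb.maxUnavailable }}
+maxUnavailable: {{ . }}
+{{- else }}
+minAvailable: {{ .Values.server.pdb.minAvailable | default 0 }}
+{{- end }}
+selector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }}
+{{- end }}
+{{- end }}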
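Review bot: `{{- with .Values.server.pdb.maxUnavailable }}` treats the value `0` as unset, so `maxUnavailable: 0` — the setting that blocks every voluntary eviction — silently falls through to `minAvailable: 0`, which permits all of them; the worker PDB hunk uses the same construct. Testing for the key rather than for truthiness keeps a zero: `{{- if hasKey .Values.server.pdb "maxUnavailable" }}` / `maxUnavailable: {{ .Values.server.pdb.maxUnavailable }}` — this assumes the chart's values.yaml leaves the key absent rather than defaulting it to an empty value, which I cannot confirm from this hunk. Separately, `{{ with .Values.server.pdb.annotations }}` lacks the leading `-` used on every other action in the file and so emits a stray blank line inside `metadata`; `{{- with .Values.server.pdb.annotations }}` matches the rest.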

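--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,54 @@
+{{- if .Values.server.enabled }}
+{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
+{{- range $name, $route := .Values.server.route }}
+{{- if $route.enabled }}
+apiVersion: {{ $route.apiVersion | default "gateway.networking.k8s.io/v1" }}
+kind: {{ $route.kind | default "HTTPRoute" }}
+metadata:
+name: {{ include "authentik.server.fullname" $ }}{{ if ne $name "main" }}-{{ $name }}{{ end }}
+namespace: {{ include "authentik.namespace" $ | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" $ "component" $.Values.server.name) | nindent 4 }}
+{{- with $route.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $route.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- with $route.parentRefs }}
+parentRefs:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $route.hostnames }}
+hostnames:
+{{- tpl (toYaml .) $ | nindent 4 }}
+{{- end }}
+rules:
+{{- if $route.additionalRules }}
+{{- tpl (toYaml $route.additionalRules) $ | nindent 4 }}
+{{- end }}
+{{- if $route.httpsRedirect }}
+- filters:
+- type: RequestRedirect
+requestRedirect:
+scheme: https
+statusCode: 301
+{{- else }}
+- backendRefs:
+- name: {{ include "authentik.server.fullname" $ }}
+port: {{ $servicePort }}
+{{- with $route.filters }}
+filters:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with $route.matches }}
+matches:
+{{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}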
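Review bot: `port: {{ $servicePort }}` in the `backendRefs` entry needs an integer, but `$servicePort` is the same value the Ingress template in this commit accepts as either a number or a port name; a named port therefore renders an HTTPRoute the API server rejects, with no hint from the chart. A fail-fast guard after the `$servicePort` assignment makes the constraint explicit: `{{- if kindIs "string" $servicePort }}{{ fail "server.route: the server service port must be numeric" }}{{- end }}`. The route also follows `.Values.server.ingress.https` even when the Ingress is disabled; if that coupling is intended, a comment on the assignment such as `{{/* route backend port tracks server.ingress.https so Ingress and HTTPRoute target the same service port */}}` would save the next reader a search.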

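--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,71 @@
+{{- if .Values.server.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "authentik.server.fullname" . }}
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+{{- with .Values.server.service.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.server.service.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+type: {{ .Values.server.service.type }}
+ports:
+- name: {{ .Values.server.service.servicePortHttpName }}
+protocol: TCP
+port: {{ .Values.server.service.servicePortHttp }}
+targetPort: {{ .Values.server.containerPorts.http }}
+{{- if eq .Values.server.service.type "NodePort" }}
+nodePort: {{ .Values.server.service.nodePortHttp }}
+{{- end }}
+{{- with .Values.server.service.servicePortHttpAppProtocol }}
+appProtocol: {{ . }}
+{{- end }}
+- name: {{ .Values.server.service.servicePortHttpsName }}
+protocol: TCP
+port: {{ .Values.server.service.servicePortHttps }}
+targetPort: {{ .Values.server.containerPorts.https }}
+{{- if eq .Values.server.service.type "NodePort" }}
+nodePort: {{ .Values.server.service.nodePortHttps }}
+{{- end }}
+{{- with .Values.server.service.servicePortHttpsAppProtocol }}
+appProtocol: {{ . }}
+{{- end }}
+selector:
+{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+{{- if eq .Values.server.service.type "LoadBalancer" }}
+{{- if .Values.server.service.loadBalancerIP }}
+loadBalancerIP: {{ .Values.server.service.loadBalancerIP | quote }}
+{{- end }}
+{{- if .Values.server.service.externalIPs }}
+externalIPs: {{ .Values.server.service.externalIPs }}
+{{- end }}
+{{- if .Values.server.service.loadBalancerSourceRanges }}
+loadBalancerSourceRanges:
+{{ toYaml .Values.server.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- end -}}
+{{- if eq .Values.server.service.type "ClusterIP" }}
+{{- if .Values.server.service.clusterIP }}
+clusterIP: {{ .Values.server.service.clusterIP | quote }}
+{{- end }}
+{{- end -}}
+{{- with .Values.server.service.externalTrafficPolicy }}
+externalTrafficPolicy: {{ . }}
+{{- end }}
+{{- with .Values.server.service.sessionAffinity }}
+sessionAffinity: {{ . }}
+{{- end }}
+{{- with .Values.server.service.sessionAffinityConfig }}
+sessionAffinityConfig:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.server.service.publishNotReadyAddresses }}
+publishNotReadyAddresses: {{ . }}
+{{- end }}
+{{- end }}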
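Review bot: `externalIPs: {{ .Values.server.service.externalIPs }}` prints the Go slice with default formatting, e.g. `[10.0.0.1 10.0.0.2]` (constructed example), which YAML reads as a one-element flow sequence holding the string `10.0.0.1 10.0.0.2`; the line only works by accident when a single address is given. Render it the way the neighbouring list is rendered: `externalIPs:` followed by `{{- toYaml .Values.server.service.externalIPs | nindent 4 }}`. While there, `{{ toYaml .Values.server.service.loadBalancerSourceRanges | indent 4 }}` is correct but is the only `indent` in the file; `{{- toYaml .Values.server.service.loadBalancerSourceRanges | nindent 4 }}` keeps the style uniform.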

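--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,52 @@
+{{- if .Values.server.enabled }}
+{{- if and .Values.server.metrics.enabled .Values.server.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: {{ include "authentik.server.fullname" . }}
+namespace: {{ .Values.server.metrics.serviceMonitor.namespace | default (include "authentik.namespace" .) | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }}
+{{- with .Values.server.metrics.serviceMonitor.selector }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+endpoints:
+- port: {{ .Values.server.metrics.service.portName }}
+{{- with .Values.server.metrics.serviceMonitor.interval }}
+interval: {{ . }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.scrapeTimeout }}
+scrapeTimeout: {{ . }}
+{{- end }}
+path: /metrics
+{{- with .Values.server.metrics.serviceMonitor.relabelings }}
+relabelings:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.metricRelabelings }}
+metricRelabelings:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.scheme }}
+scheme: {{ . }}
+{{- end }}
+{{- with .Values.server.metrics.serviceMonitor.tlsConfig }}
+tlsConfig:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+namespaceSelector:
+matchNames:
+- {{ include "authentik.namespace" . }}
+selector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 6 }}
+{{- end }}
+{{- end }}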
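Review bot: `- {{ include "authentik.namespace" . }}` under `namespaceSelector.matchNames` is unquoted while the `namespace:` line in `metadata` quotes the same include; a namespace name consisting only of digits is a valid DNS label and would be read here as an integer, so the selector would not match. `- {{ include "authentik.namespace" . | quote }}` aligns it with the metadata line. The worker ServiceMonitor hunk has the identical line.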

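--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,258 @@
+{{- if .Values.worker.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ template "authentik.worker.fullname" . }}
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.worker.deploymentAnnotations) }}
+annotations:
+{{- range $key, $value := . }}
+{{ $key}}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+spec:
+{{- with include "authentik.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.worker.deploymentStrategy) }}
+strategy:
+{{- trim . | nindent 4 }}
+{{- end }}
+{{- if not .Values.worker.autoscaling.enabled }}
+replicas: {{ .Values.worker.replicas }}
+{{- end }}
+revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+selector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.worker.name) | nindent 6 }}
+template:
+metadata:
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 8 }}
+{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.worker.podLabels) }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+annotations:
+checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.worker.podAnnotations) }}
+{{- range $key, $value := . }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+spec:
+{{- with .Values.worker.imagePullSecrets | default .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.serviceAccountName }}
+serviceAccountName: {{ . }}
+{{- with $.Values.worker.automountServiceAccountToken }}
+automountServiceAccountToken: {{ . }}
+{{- end }}
+{{- else }}
+{{- if .Values.serviceAccount.create }}
+serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }}
+{{- end }}
+{{- end }}
+{{- with .Values.global.hostAliases }}
+hostAliases:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.worker.securityContext) }}
+securityContext:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.priorityClassName | default .Values.global.priorityClassName }}
+priorityClassName: {{ . }}
+{{- end }}
+{{- if .Values.worker.terminationGracePeriodSeconds }}
+terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }}
+{{- end }}
+{{- with .Values.worker.initContainers }}
+initContainers:
+{{- tpl (toYaml . ) $ | nindent 6 }}
+{{- end }}
+containers:
+- name: {{ .Values.worker.name }}
+image: {{ default .Values.global.image.repository .Values.worker.image.repository }}:{{ default (include "authentik.defaultTag" .) .Values.worker.image.tag }}{{- if (default .Values.global.image.digest .Values.worker.image.digest) -}}@{{ default .Values.global.image.digest .Values.worker.image.digest }}{{- end }}
+imagePullPolicy: {{ default .Values.global.image.pullPolicy .Values.worker.image.pullPolicy }}
+args:
+- worker
+env:
+{{- with (concat .Values.global.env .Values.worker.env) }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+- name: AUTHENTIK_LISTEN__HTTP
+value: {{ printf "0.0.0.0:%v" .Values.worker.containerPorts.http | quote }}
+- name: AUTHENTIK_LISTEN__METRICS
+value: {{ printf "0.0.0.0:%v" .Values.worker.containerPorts.metrics | quote }}
+envFrom:
+- secretRef:
+name: {{ template "authentik.secret.name" . }}
+{{- with (concat .Values.global.envFrom .Values.worker.envFrom) }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- if or .Values.geoip.enabled .Values.global.volumeMounts .Values.worker.volumeMounts .Values.blueprints.configMaps .Values.blueprints.secrets }}
+volumeMounts:
+{{- with .Values.global.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.worker.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- if .Values.geoip.enabled }}
+- name: geoip-db
+mountPath: /geoip
+{{- end }}
+{{- range $name := .Values.blueprints.configMaps }}
+- name: blueprints-cm-{{ $name }}
+mountPath: /blueprints/mounted/cm-{{ $name }}
+{{- end }}
+{{- range $name := .Values.blueprints.secrets }}
+- name: blueprints-secret-{{ $name }}
+mountPath: /blueprints/mounted/secret-{{ $name }}
+{{- end }}
+{{- end }}
+ports:
+- name: http
+containerPort: {{ .Values.worker.containerPorts.http }}
+protocol: TCP
+- name: metrics
+containerPort: {{ .Values.worker.containerPorts.metrics }}
+protocol: TCP
+{{- with .Values.worker.livenessProbe }}
+livenessProbe:
+{{ toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.worker.readinessProbe }}
+readinessProbe:
+{{ toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.worker.startupProbe }}
+startupProbe:
+{{ toYaml . | nindent 12 }}
+{{- end }}
+resources:
+{{- toYaml .Values.worker.resources | nindent 12 }}
+{{- with .Values.worker.containerSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- with .Values.worker.lifecycle }}
+lifecycle:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- if .Values.geoip.enabled }}
+- name: geoip
+image: {{ .Values.geoip.image.repository }}:{{ .Values.geoip.image.tag }}{{- if .Values.geoip.image.digest -}}@{{ .Values.geoip.image.digest }}{{- end }}
+imagePullPolicy: {{ .Values.geoip.image.pullPolicy }}
+env:
+{{- with .Values.geoip.env }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+- name: GEOIPUPDATE_FREQUENCY
+value: {{ .Values.geoip.updateInterval | quote }}
+- name: GEOIPUPDATE_PRESERVE_FILE_TIMES
+value: "1"
+{{- if not .Values.geoip.existingSecret.secretName }}
+- name: GEOIPUPDATE_ACCOUNT_ID
+valueFrom:
+secretKeyRef:
+name: {{ template "authentik.fullname" . }}
+key: GEOIPUPDATE_ACCOUNT_ID
+- name: GEOIPUPDATE_LICENSE_KEY
+valueFrom:
+secretKeyRef:
+name: {{ template "authentik.fullname" . }}
+key: GEOIPUPDATE_LICENSE_KEY
+{{- else }}
+- name: GEOIPUPDATE_ACCOUNT_ID
+valueFrom:
+secretKeyRef:
+name: {{ .Values.geoip.existingSecret.secretName }}
+key: {{ .Values.geoip.existingSecret.accountId }}
+- name: GEOIPUPDATE_LICENSE_KEY
+valueFrom:
+secretKeyRef:
+name: {{ .Values.geoip.existingSecret.secretName }}
+key: {{ .Values.geoip.existingSecret.licenseKey }}
+{{- end }}
+- name: GEOIPUPDATE_EDITION_IDS
+value: {{ required "geoip edition id required" .Values.geoip.editionIds | quote }}
+{{- with .Values.geoip.envFrom }}
+envFrom:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+volumeMounts:
+{{- with .Values.geoip.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
+- name: geoip-db
+mountPath: /usr/share/GeoIP
+resources:
+{{- toYaml .Values.geoip.resources | nindent 12 }}
+{{- with .Values.geoip.containerSecurityContext }}
+securityContext:
+{{- toYaml . | nindent 12 }}
+{{- end }}
+{{- end }}
+{{- with .Values.worker.extraContainers }}
+{{- tpl (toYaml . ) $ | nindent 8 }}
+{{- end }}
+{{- with include "authentik.affinity" (dict "context" . "component" .Values.worker) }}
+affinity:
+{{- trim . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.nodeSelector | default .Values.global.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.tolerations | default .Values.global.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+topologySpreadConstraints:
+{{- range $constraint := . }}
+- {{ toYaml $constraint | nindent 8 | trim }}
+{{- if not $constraint.labelSelector }}
+labelSelector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" $ "component" $.Values.worker.name) | nindent 12 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if or .Values.geoip.enabled .Values.global.volumes .Values.worker.volumes .Values.blueprints.configMaps .Values.blueprints.secrets }}
+volumes:
+{{- with .Values.global.volumes }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.volumes }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- if .Values.geoip.enabled }}
+- name: geoip-db
+emptyDir: {}
+{{- end }}
+{{- range $name := .Values.blueprints.configMaps }}
+- name: blueprints-cm-{{ $name }}
+configMap:
+name: {{ $name }}
+{{- end }}
+{{- range $name := .Values.blueprints.secrets }}
+- name: blueprints-secret-{{ $name }}
+secret:
+secretName: {{ $name }}
+{{- end }}
+{{- end }}
+enableServiceLinks: true
+{{- if .Values.worker.hostNetwork }}
+hostNetwork: {{ .Values.worker.hostNetwork }}
+{{- end }}
+{{- with .Values.worker.dnsConfig }}
+dnsConfig:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- if .Values.worker.dnsPolicy }}
+dnsPolicy: {{ .Values.worker.dnsPolicy }}
+{{- end }}
+{{- end }}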
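Review bot: `{{- with $.Values.worker.automountServiceAccountToken }}` can never render `automountServiceAccountToken: false`, because `with` skips a false value; the one setting that actually keeps the service-account token out of the worker pod is dropped silently, while `true` (already the Kubernetes default) is the only value that gets through. Testing for the key instead passes either boolean: `{{- if hasKey $.Values.worker "automountServiceAccountToken" }}` / `automountServiceAccountToken: {{ $.Values.worker.automountServiceAccountToken }}` / `{{- end }}`. The field is also emitted only inside the `with .Values.worker.serviceAccountName` branch, so a pod using the chart-created service account always gets the default mount; if that is intentional, a short comment on the `else` branch saying so would save the next reader from treating it as an oversight. The `{{ toYaml . | nindent 12 }}` lines under the three probes lack the leading `-` used everywhere else and so emit a blank line before each probe body, which is harmless but inconsistent.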

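--- /dev/null
+++ b/templates/worker/hpa.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.worker.enabled }}
+{{- if .Values.worker.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ include "authentik.worker.fullname" . }}
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+{{- with .Values.worker.autoscaling.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "authentik.worker.fullname" . }}
+minReplicas: {{ .Values.worker.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.worker.autoscaling.maxReplicas }}
+metrics:
+{{- with .Values.worker.autoscaling.metrics }}
+{{- toYaml . | nindent 4 }}
+{{- else }}
+{{- with .Values.worker.autoscaling.targetMemoryUtilizationPercentage }}
+- type: Resource
+resource:
+name: memory
+target:
+type: Utilization
+averageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.worker.autoscaling.targetCPUUtilizationPercentage }}
+- type: Resource
+resource:
+name: cpu
+target:
+type: Utilization
+averageUtilization: {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.worker.autoscaling.behavior }}
+behavior:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}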

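--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,34 @@
+{{- if and .Values.worker.enabled .Values.worker.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "authentik.worker.fullname" . }}-metrics
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.worker.name)) | nindent 4 }}
+{{- with .Values.worker.metrics.service.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- if or .Values.worker.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
+annotations:
+{{- if .Values.global.addPrometheusAnnotations }}
+prometheus.io/port: {{ .Values.worker.metrics.service.servicePort | quote }}
+prometheus.io/scrape: "true"
+{{- end }}
+{{- range $key, $value := .Values.worker.metrics.service.annotations }}
+{{ $key }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+spec:
+type: {{ .Values.worker.metrics.service.type }}
+{{- if and .Values.worker.metrics.service.clusterIP (eq .Values.worker.metrics.service.type "ClusterIP") }}
+clusterIP: {{ .Values.worker.metrics.service.clusterIP }}
+{{- end }}
+ports:
+- name: {{ .Values.worker.metrics.service.portName }}
+protocol: TCP
+port: {{ .Values.worker.metrics.service.servicePort }}
+targetPort: metrics
+selector:
+{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+{{- end }}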

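--- /dev/null
+++ b/templates/worker/pdb.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.worker.enabled }}
+{{- if .Values.worker.pdb.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+name: {{ include "authentik.worker.fullname" . }}
+namespace: {{ include "authentik.namespace" . | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+{{- with .Values.worker.pdb.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{ with .Values.worker.pdb.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- with .Values.worker.pdb.maxUnavailable }}
+maxUnavailable: {{ . }}
+{{- else }}
+minAvailable: {{ .Values.worker.pdb.minAvailable | default 0 }}
+{{- end }}
+selector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" . "component" .Values.worker.name) | nindent 6 }}
+{{- end }}
+{{- end }}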

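--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,50 @@
+{{- if and .Values.worker.enabled .Values.worker.metrics.enabled .Values.worker.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: {{ include "authentik.worker.fullname" . }}
+namespace: {{ .Values.worker.metrics.serviceMonitor.namespace | default (include "authentik.namespace" .) | quote }}
+labels:
+{{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.worker.name)) | nindent 4 }}
+{{- with .Values.worker.metrics.serviceMonitor.selector }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+endpoints:
+- port: {{ .Values.worker.metrics.service.portName }}
+{{- with .Values.worker.metrics.serviceMonitor.interval }}
+interval: {{ . }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.scrapeTimeout }}
+scrapeTimeout: {{ . }}
+{{- end }}
+path: /metrics
+{{- with .Values.worker.metrics.serviceMonitor.relabelings }}
+relabelings:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.metricRelabelings }}
+metricRelabelings:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.scheme }}
+scheme: {{ . }}
+{{- end }}
+{{- with .Values.worker.metrics.serviceMonitor.tlsConfig }}
+tlsConfig:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+namespaceSelector:
+matchNames:
+- {{ include "authentik.namespace" . }}
+selector:
+matchLabels:
+{{- include "authentik.selectorLabels" (dict "context" . "component" (printf "%s-metrics" .Values.worker.name)) | nindent 6 }}
+{{- end }}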