root: remove old helm chart
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
6868b7722c
commit
02b06838e2
|
@ -19,16 +19,8 @@ values =
|
|||
|
||||
[bumpversion:file:website/docs/installation/docker-compose.md]
|
||||
|
||||
[bumpversion:file:website/docs/installation/kubernetes.md]
|
||||
|
||||
[bumpversion:file:docker-compose.yml]
|
||||
|
||||
[bumpversion:file:helm/values.yaml]
|
||||
|
||||
[bumpversion:file:helm/README.md]
|
||||
|
||||
[bumpversion:file:helm/Chart.yaml]
|
||||
|
||||
[bumpversion:file:.github/workflows/release.yml]
|
||||
|
||||
[bumpversion:file:authentik/__init__.py]
|
||||
|
|
|
@ -25,15 +25,6 @@ jobs:
|
|||
docker-compose up --no-start
|
||||
docker-compose start postgresql redis
|
||||
docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
|
||||
- name: Install Helm
|
||||
run: |
|
||||
apt update && apt install -y curl
|
||||
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
|
||||
- name: Helm package
|
||||
run: |
|
||||
helm dependency update helm/
|
||||
helm package helm/
|
||||
mv authentik-*.tgz authentik-chart.tgz
|
||||
- name: Extract version number
|
||||
id: get_version
|
||||
uses: actions/github-script@0.2.0
|
||||
|
@ -51,13 +42,3 @@ jobs:
|
|||
release_name: Release ${{ steps.get_version.outputs.result }}
|
||||
draft: true
|
||||
prerelease: false
|
||||
- name: Upload packaged Helm Chart
|
||||
id: upload-release-asset
|
||||
uses: actions/upload-release-asset@v1.0.1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
||||
asset_path: ./authentik-chart.tgz
|
||||
asset_name: authentik-chart.tgz
|
||||
asset_content_type: application/gzip
|
||||
|
|
|
@ -1,21 +0,0 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
|
@ -1,9 +0,0 @@
|
|||
dependencies:
|
||||
- name: postgresql
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 9.3.2
|
||||
- name: redis
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 10.7.16
|
||||
digest: sha256:fd31e2e2b9ff17a5ed906a77a4f15ffa1ab7f5aecaea1e5db77f0d199ae4f19e
|
||||
generated: "2020-08-25T17:57:49.684549+02:00"
|
|
@ -1,17 +0,0 @@
|
|||
apiVersion: v2
|
||||
description: authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.
|
||||
name: authentik
|
||||
home: https://goauthentik.io
|
||||
sources:
|
||||
- https://github.com/goauthentik/authentik
|
||||
version: "2021.4.5"
|
||||
icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: 9.4.1
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: install.postgresql
|
||||
- name: redis
|
||||
version: 10.9.0
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: install.redis
|
|
@ -1,47 +0,0 @@
|
|||
# authentik Helm Chart
|
||||
|
||||
| Name | Default | Description |
|
||||
|-----------------------------------|-------------------------|-------------|
|
||||
| image.name | beryju/authentik | Image used to run the authentik server and worker |
|
||||
| image.name_static | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
|
||||
| image.name_outposts | beryju/authentik-%(type)s:%(version)s | Image used for managed outposts. Placeholders: %(type)s: Outpost type; proxy, ldap, etc. %(version)s: Current version; 2021.4.1 |
|
||||
| image.tag | 2021.4.5 | Image tag |
|
||||
| image.pullPolicy | IfNotPresent | Image Pull Policy used for all deployments |
|
||||
| serverReplicas | 1 | Replicas for the Server deployment |
|
||||
| workerReplicas | 1 | Replicas for the Worker deployment |
|
||||
| kubernetesIntegration | true | Enable/disable the Kubernetes integration for authentik. This will create a service account for authentik to create and update outposts in authentik |
|
||||
| config.secretKey | | Secret key used to sign session cookies, generate with `pwgen 50 1` or `openssl rand -base64 36` for example. |
|
||||
| config.errorReporting.enabled | false | Enable/disable error reporting |
|
||||
| config.errorReporting.environment | customer | Environment sent with the error reporting |
|
||||
| config.errorReporting.sendPii | false | Whether to send Personally-identifiable data with the error reporting |
|
||||
| config.logLevel | warning | Log level of authentik |
|
||||
| config.email.host | localhost | SMTP Host Emails are sent to |
|
||||
| config.email.port | 25 | SMTP Port Emails are sent to |
|
||||
| config.email.username | | SMTP Username |
|
||||
| config.email.password | | SMTP Password |
|
||||
| config.email.use_tls | false | Enable StartTLS |
|
||||
| config.email.use_ssl | false | Enable SSL |
|
||||
| config.email.timeout | 10 | SMTP Timeout |
|
||||
| config.email.from | authentik@localhost | Email address authentik will send from, should have a correct @domain |
|
||||
| pvc.mode | ReadWriteMany | Mode that the PVCs are created in (uploads and GeoIP, if enabled) |
|
||||
| pvc.uploadsSize | 5Gi | Size for the uploads PVC |
|
||||
| pvc.uploadsStorageClass | null | Storage class for the uploads PVC (default: use default storage class) |
|
||||
| pvc.geoIpSize | 1Gi | Size for the GeoIP PVC |
|
||||
| pvc.geoIpStorageClass | null | Storage class for the GeoIP PVC (default: use default storage class) |
|
||||
| geoip.enabled | false | Optionally enable GeoIP |
|
||||
| geoip.accountId | | GeoIP MaxMind Account ID |
|
||||
| geoip.licenseKey | | GeoIP MaxMind License key |
|
||||
| geoip.image | maxmindinc/geoipupdate:latest | GeoIP Updater image |
|
||||
| backup.accessKey | | Optionally enable S3 Backup, Access Key |
|
||||
| backup.secretKey | | Optionally enable S3 Backup, Secret Key |
|
||||
| backup.bucket | | Optionally enable S3 Backup, Bucket |
|
||||
| backup.region | | Optionally enable S3 Backup, Region |
|
||||
| backup.host | | Optionally enable S3 Backup, to custom Endpoint like minio |
|
||||
| ingress.annotations | {} | Annotations for the ingress object |
|
||||
| ingress.hosts | [authentik.k8s.local] | Hosts which the ingress will match |
|
||||
| ingress.tls | [] | TLS Configuration, same as Ingress objects |
|
||||
| install.postgresql | true | Enables/disables the packaged PostgreSQL Chart
|
||||
| install.redis | true | Enables/disables the packaged Redis Chart
|
||||
| postgresql.postgresqlPassword | | Password used for PostgreSQL, generated automatically.
|
||||
|
||||
For more info, see https://goauthentik.io/ and https://goauthentik.io/docs/installation/kubernetes/
|
|
@ -1,11 +0,0 @@
|
|||
Access authentik using the following URL:
|
||||
{{- if .Release.IsUpgrade -}}
|
||||
{{- range .Values.ingress.hosts }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- range .Values.ingress.hosts }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}/if/flow/initial-setup/
|
||||
{{- end }}
|
||||
To configure your authentik instance, and set a password for the akadmin user.
|
||||
{{- end }}
|
|
@ -1,28 +0,0 @@
|
|||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "authentik.name" -}}
|
||||
{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "authentik.fullname" -}}
|
||||
{{- $name := default .Chart.Name -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "authentik.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-config
|
||||
data:
|
||||
POSTGRESQL__HOST: "{{ .Release.Name }}-postgresql"
|
||||
POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
|
||||
POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
|
||||
{{- if .Values.backup }}
|
||||
POSTGRESQL__S3_BACKUP__ACCESS_KEY: "{{ .Values.backup.accessKey }}"
|
||||
POSTGRESQL__S3_BACKUP__BUCKET: "{{ .Values.backup.bucket }}"
|
||||
POSTGRESQL__S3_BACKUP__REGION: "{{ .Values.backup.region }}"
|
||||
POSTGRESQL__S3_BACKUP__HOST: "{{ .Values.backup.host }}"
|
||||
{{- end}}
|
||||
REDIS__HOST: "{{ .Release.Name }}-redis-master"
|
||||
ERROR_REPORTING__ENABLED: "{{ .Values.config.errorReporting.enabled }}"
|
||||
ERROR_REPORTING__ENVIRONMENT: "{{ .Values.config.errorReporting.environment }}"
|
||||
ERROR_REPORTING__SEND_PII: "{{ .Values.config.errorReporting.sendPii }}"
|
||||
LOG_LEVEL: "{{ .Values.config.logLevel }}"
|
||||
OUTPOSTS__DOCKER_IMAGE_BASE: "{{ .Values.image.name_outposts }}"
|
||||
EMAIL__HOST: "{{ .Values.config.email.host }}"
|
||||
EMAIL__PORT: "{{ .Values.config.email.port }}"
|
||||
EMAIL__USERNAME: "{{ .Values.config.email.username }}"
|
||||
EMAIL__USE_TLS: "{{ .Values.config.email.use_tls }}"
|
||||
EMAIL__USE_SSL: "{{ .Values.config.email.use_ssl }}"
|
||||
EMAIL__TIMEOUT: "{{ .Values.config.email.timeout }}"
|
||||
EMAIL__FROM: "{{ .Values.config.email.from }}"
|
|
@ -1,11 +0,0 @@
|
|||
{{- if .Values.geoip.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-geoip-config
|
||||
data:
|
||||
GEOIPUPDATE_ACCOUNT_ID: "{{ .Values.geoip.accountId }}"
|
||||
GEOIPUPDATE_LICENSE_KEY: "{{ .Values.geoip.licenseKey }}"
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||
GEOIPUPDATE_FREQUENCY: "8"
|
||||
{{- end }}
|
|
@ -1,39 +0,0 @@
|
|||
{{- if .Values.geoip.enabled -}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-geoip
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
k8s.goauthentik.io/component: geoip
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: geoip
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: geoip
|
||||
spec:
|
||||
containers:
|
||||
- name: geoip
|
||||
image: "{{ .Values.geoip.image }}"
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: {{ include "authentik.fullname" . }}-geoip-config
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: /usr/share/GeoIP
|
||||
volumes:
|
||||
- name: geoip
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "authentik.fullname" . }}-geoip
|
||||
{{- end }}
|
|
@ -1,18 +0,0 @@
|
|||
{{- if .Values.geoip.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-geoip
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ .Values.pvc.mode }}
|
||||
storageClassName: {{ .Values.pvc.geoIpStorageClass }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.pvc.geoIpSize }}
|
||||
{{- end }}
|
|
@ -1,35 +0,0 @@
|
|||
{{- $fullName := include "authentik.fullname" . -}}
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
annotations:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.ingress.tls }}
|
||||
tls:
|
||||
{{- range .Values.ingress.tls }}
|
||||
- hosts:
|
||||
{{- range .hosts }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
secretName: {{ .secretName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.ingress.hosts }}
|
||||
- host: {{ . | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
backend:
|
||||
serviceName: {{ $fullName }}-web
|
||||
servicePort: http
|
||||
{{- end }}
|
|
@ -1,121 +0,0 @@
|
|||
{{- if .Values.monitoring.enabled -}}
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-static-rules
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
spec:
|
||||
groups:
|
||||
- name: Aggregate request counters
|
||||
rules:
|
||||
- record: job:django_http_requests_before_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_unknown_latency_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job)
|
||||
- record: job:django_http_ajax_requests_total:sum_rate30s
|
||||
expr: sum(rate(django_http_ajax_requests_total[30s])) by (job)
|
||||
- record: job:django_http_responses_before_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job)
|
||||
- record: job:django_http_requests_body_total_bytes:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job)
|
||||
- record: job:django_http_responses_streaming_total:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_streaming_total[30s])) by (job)
|
||||
- record: job:django_http_responses_body_total_bytes:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job)
|
||||
- record: job:django_http_requests_total:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job)
|
||||
- record: job:django_http_requests_total_by_method:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method)
|
||||
- record: job:django_http_requests_total_by_transport:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport)
|
||||
- record: job:django_http_requests_total_by_view:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view)
|
||||
- record: job:django_http_requests_total_by_view_transport_method:sum_rate30s
|
||||
expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method)
|
||||
- record: job:django_http_responses_total_by_templatename:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename)
|
||||
- record: job:django_http_responses_total_by_status:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status)
|
||||
- record: job:django_http_responses_total_by_status_name_method:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method)
|
||||
- record: job:django_http_responses_total_by_charset:sum_rate30s
|
||||
expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset)
|
||||
- record: job:django_http_exceptions_total_by_type:sum_rate30s
|
||||
expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type)
|
||||
- record: job:django_http_exceptions_total_by_view:sum_rate30s
|
||||
expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view)
|
||||
- name: Aggregate latency histograms
|
||||
rules:
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "50"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "95"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99"
|
||||
- record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99.9"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "50"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "95"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99"
|
||||
- record: job:django_http_requests_latency_seconds:quantile_rate30s
|
||||
expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le))
|
||||
labels:
|
||||
quantile: "99.9"
|
||||
- name: Aggregate model operations
|
||||
rules:
|
||||
- record: job:django_model_inserts_total:sum_rate1m
|
||||
expr: sum(rate(django_model_inserts_total[1m])) by (job, model)
|
||||
- record: job:django_model_updates_total:sum_rate1m
|
||||
expr: sum(rate(django_model_updates_total[1m])) by (job, model)
|
||||
- record: job:django_model_deletes_total:sum_rate1m
|
||||
expr: sum(rate(django_model_deletes_total[1m])) by (job, model)
|
||||
- name: Aggregate database operations
|
||||
rules:
|
||||
- record: job:django_db_new_connections_total:sum_rate30s
|
||||
expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_new_connection_errors_total:sum_rate30s
|
||||
expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_execute_total:sum_rate30s
|
||||
expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_execute_many_total:sum_rate30s
|
||||
expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor)
|
||||
- record: job:django_db_errors_total:sum_rate30s
|
||||
expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type)
|
||||
- name: Aggregate migrations
|
||||
rules:
|
||||
- record: job:django_migrations_applied_total:max
|
||||
expr: max(django_migrations_applied_total) by (job, connection)
|
||||
- record: job:django_migrations_unapplied_total:max
|
||||
expr: max(django_migrations_unapplied_total) by (job, connection)
|
||||
- name: Alerts
|
||||
rules:
|
||||
- alert: UnappliedMigrations
|
||||
expr: job:django_migrations_unapplied_total:max > 0
|
||||
for: 1m
|
||||
labels:
|
||||
severity: testing
|
||||
{{- end }}
|
|
@ -1,16 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-uploads
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
spec:
|
||||
accessModes:
|
||||
- {{ .Values.pvc.mode }}
|
||||
storageClassName: {{ .Values.pvc.uploadsStorageClass }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.pvc.uploadsSize }}
|
|
@ -1,16 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-secret-key
|
||||
data:
|
||||
monitoring_username: bW9uaXRvcg== # monitor in base64
|
||||
{{- if .Values.config.secretKey }}
|
||||
SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }}
|
||||
{{- else }}
|
||||
SECRET_KEY: {{ randAlphaNum 50 | b64enc | quote}}
|
||||
{{- end }}
|
||||
{{- if .Values.backup }}
|
||||
POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secretKey | b64enc }}"
|
||||
{{- end}}
|
||||
EMAIL__PASSWORD: "{{ .Values.config.email.password | b64enc }}"
|
|
@ -1,64 +0,0 @@
|
|||
{{- if .Values.kubernetesIntegration }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-sa-role
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- services
|
||||
verbs:
|
||||
- "get"
|
||||
- "create"
|
||||
- "delete"
|
||||
- "read"
|
||||
- "patch"
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
- "apps"
|
||||
resources:
|
||||
- "deployments"
|
||||
verbs:
|
||||
- "get"
|
||||
- "create"
|
||||
- "delete"
|
||||
- "read"
|
||||
- "patch"
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
- "networking.k8s.io"
|
||||
resources:
|
||||
- "ingresses"
|
||||
verbs:
|
||||
- "get"
|
||||
- "create"
|
||||
- "delete"
|
||||
- "read"
|
||||
- "patch"
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- namespaces
|
||||
verbs:
|
||||
- list
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-sa
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-sa-role-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ include "authentik.fullname" . }}-sa-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "authentik.fullname" . }}-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
|
@ -1,114 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-web
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
k8s.goauthentik.io/component: web
|
||||
spec:
|
||||
replicas: {{ .Values.serverReplicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: web
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: web
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "authentik.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: k8s.goauthentik.io/component
|
||||
operator: In
|
||||
values:
|
||||
- web
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
|
||||
args: [server]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: {{ include "authentik.fullname" . }}-config
|
||||
prefix: AUTHENTIK_
|
||||
- secretRef:
|
||||
name: {{ include "authentik.fullname" . }}-secret-key
|
||||
prefix: AUTHENTIK_
|
||||
env:
|
||||
- name: AUTHENTIK_REDIS__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Release.Name }}-redis"
|
||||
key: "redis-password"
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Release.Name }}-postgresql"
|
||||
key: "postgresql-password"
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
- name: AUTHENTIK_AUTHENTIK__GEOIP
|
||||
value: /geoip/GeoLite2-City.mmdb
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: authentik-uploads
|
||||
mountPath: /media
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
- name: geoip
|
||||
mountPath: /geoip
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9000
|
||||
protocol: TCP
|
||||
- name: https
|
||||
containerPort: 9443
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /-/health/live/
|
||||
port: http
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 30
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /-/health/ready/
|
||||
port: http
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 30
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 300M
|
||||
limits:
|
||||
cpu: 300m
|
||||
memory: 600M
|
||||
volumes:
|
||||
- name: authentik-uploads
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "authentik.fullname" . }}-uploads
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
- name: geoip
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "authentik.fullname" . }}-geoip
|
||||
{{- end }}
|
|
@ -1,21 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-web
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
k8s.goauthentik.io/component: web
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 9000
|
||||
targetPort: http
|
||||
protocol: TCP
|
||||
name: http
|
||||
selector:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: web
|
|
@ -1,26 +0,0 @@
|
|||
{{- if .Values.monitoring.enabled -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
name: {{ include "authentik.fullname" . }}-web-monitoring
|
||||
spec:
|
||||
endpoints:
|
||||
- basicAuth:
|
||||
password:
|
||||
name: {{ include "authentik.fullname" . }}-secret-key
|
||||
key: SECRET_KEY
|
||||
username:
|
||||
name: {{ include "authentik.fullname" . }}-secret-key
|
||||
key: monitoring_username
|
||||
port: http
|
||||
path: /metrics/
|
||||
interval: 10s
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s.goauthentik.io/component: web
|
||||
{{- end }}
|
|
@ -1,94 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "authentik.fullname" . }}-worker
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
helm.sh/chart: {{ include "authentik.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
k8s.goauthentik.io/component: worker
|
||||
spec:
|
||||
replicas: {{ .Values.workerReplicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: worker
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "authentik.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
k8s.goauthentik.io/component: worker
|
||||
spec:
|
||||
{{- if .Values.kubernetesIntegration }}
|
||||
serviceAccountName: {{ include "authentik.fullname" . }}-sa
|
||||
{{- else }}
|
||||
automountServiceAccountToken: false
|
||||
{{- end }}
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- {{ include "authentik.name" . }}
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Release.Name }}
|
||||
- key: k8s.goauthentik.io/component
|
||||
operator: In
|
||||
values:
|
||||
- worker
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
|
||||
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
|
||||
args: [worker]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: "{{ include "authentik.fullname" . }}-config"
|
||||
prefix: "AUTHENTIK_"
|
||||
- secretRef:
|
||||
name: {{ include "authentik.fullname" . }}-secret-key
|
||||
prefix: AUTHENTIK_
|
||||
env:
|
||||
- name: AUTHENTIK_REDIS__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Release.Name }}-redis"
|
||||
key: "redis-password"
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "{{ .Release.Name }}-postgresql"
|
||||
key: "postgresql-password"
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
- name: AUTHENTIK_AUTHENTIK__GEOIP
|
||||
value: /geoip/GeoLite2-City.mmdb
|
||||
{{- end }}
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
volumeMounts:
|
||||
- name: geoip
|
||||
mountPath: /geoip
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 400M
|
||||
limits:
|
||||
cpu: 300m
|
||||
memory: 600M
|
||||
{{ if .Values.geoip.enabled -}}
|
||||
volumes:
|
||||
- name: geoip
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "authentik.fullname" . }}-geoip
|
||||
{{- end -}}
|
100
helm/values.yaml
100
helm/values.yaml
|
@ -1,100 +0,0 @@
|
|||
###################################
|
||||
# Values directly affecting authentik
|
||||
###################################
|
||||
image:
|
||||
name: beryju/authentik
|
||||
name_static: beryju/authentik-static
|
||||
# Image used for managed outposts. Placeholders:
|
||||
# %(type)s: Outpost type; proxy, ldap, etc
|
||||
# %(version)s: Current version; 2021.4.1
|
||||
name_outposts: "beryju/authentik-%(type)s:%(version)s"
|
||||
tag: 2021.4.5
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
serverReplicas: 1
|
||||
workerReplicas: 1
|
||||
|
||||
# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
|
||||
kubernetesIntegration: true
|
||||
|
||||
monitoring:
|
||||
enabled: false
|
||||
|
||||
pvc:
|
||||
mode: ReadWriteMany
|
||||
uploadsSize: 5Gi
|
||||
uploadsStorageClass: null
|
||||
geoIpSize: 1Gi
|
||||
geoIpStorageClass: null
|
||||
|
||||
config:
|
||||
# Optionally specify fixed secret_key, otherwise generated automatically
|
||||
# secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
|
||||
# Enable error reporting
|
||||
errorReporting:
|
||||
enabled: false
|
||||
environment: customer
|
||||
sendPii: false
|
||||
# Log level used by web and worker
|
||||
# Can be either debug, info, warning, error
|
||||
logLevel: warning
|
||||
# Global Email settings
|
||||
email:
|
||||
# SMTP Host Emails are sent to
|
||||
host: localhost
|
||||
port: 25
|
||||
# Optionally authenticate
|
||||
username: ""
|
||||
password: ""
|
||||
# Use StartTLS
|
||||
useTls: false
|
||||
# Use SSL
|
||||
useSsl: false
|
||||
timeout: 10
|
||||
# Email address authentik will send from, should have a correct @domain
|
||||
from: authentik@localhost
|
||||
|
||||
# Enable MaxMind GeoIP
|
||||
geoip:
|
||||
enabled: false
|
||||
accountId: ""
|
||||
licenseKey: ""
|
||||
image: maxmindinc/geoipupdate:latest
|
||||
|
||||
# Enable Database Backups to S3
|
||||
# backup:
|
||||
# accessKey: access-key
|
||||
# secretKey: secret-key
|
||||
# bucket: s3-bucket
|
||||
# region: eu-central-1
|
||||
# host: s3-host
|
||||
|
||||
ingress:
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- authentik.k8s.local
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - authentik.k8s.local
|
||||
|
||||
###################################
|
||||
# Values controlling dependencies
|
||||
###################################
|
||||
|
||||
install:
|
||||
postgresql: true
|
||||
redis: true
|
||||
|
||||
# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect
|
||||
postgresql:
|
||||
postgresqlDatabase: authentik
|
||||
|
||||
redis:
|
||||
cluster:
|
||||
enabled: false
|
||||
master:
|
||||
# https://stackoverflow.com/a/59189742
|
||||
disableCommands: []
|
|
@ -15,13 +15,14 @@ redis:
|
|||
password: "<another password you generated>"
|
||||
config:
|
||||
secretKey: "<another password you generated>"
|
||||
# Optionally configure more things, as seen in the full values.yaml file below.
|
||||
```
|
||||
|
||||
See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).
|
||||
|
||||
Afterwards, run these commands to install authentik:
|
||||
|
||||
```
|
||||
helm repo add authentik https://docker.beryju.org/chartrepo/authentik
|
||||
helm repo add authentik https://helm.goauthentik.io
|
||||
helm repo update
|
||||
helm install authentik/authentik -f values.yaml
|
||||
```
|
||||
|
@ -29,95 +30,3 @@ helm install authentik/authentik -f values.yaml
|
|||
This installation automatically applies database migrations on startup. After the installation is done, navigate to the `https://<ingress you've specified>/if/flow/initial-setup/`, to set a password for the akadmin user.
|
||||
|
||||
It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts, configuration issues. They can also be used by [Email stages](flow/stages/email/index.md) to send verification/recovery emails.
|
||||
|
||||
```yaml
|
||||
###################################
|
||||
# Values directly affecting authentik
|
||||
###################################
|
||||
image:
|
||||
name: beryju/authentik
|
||||
name_static: beryju/authentik-static
|
||||
# Image used for managed outposts. Placeholders:
|
||||
# %(type)s: Outpost type; proxy, ldap, etc
|
||||
# %(version)s: Current version; 2021.4.1
|
||||
name_outposts: "beryju/authentik-%(type)s:%(version)s"
|
||||
tag: 2021.4.5
|
||||
|
||||
serverReplicas: 1
|
||||
workerReplicas: 1
|
||||
|
||||
# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
|
||||
kubernetesIntegration: true
|
||||
|
||||
monitoring: # Optionally deploy Prometheus Rules and ServiceMonitors
|
||||
enabled: false
|
||||
|
||||
pvc:
|
||||
mode: ReadWriteMany
|
||||
uploadsSize: 5Gi
|
||||
uploadsStorageClass: null # null uses the default storage class
|
||||
geoIpSize: 1Gi
|
||||
geoIpStorageClass: null
|
||||
|
||||
config:
|
||||
# Optionally specify fixed secret_key, otherwise generated automatically
|
||||
# secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
|
||||
# Enable error reporting
|
||||
errorReporting:
|
||||
enabled: false
|
||||
environment: customer
|
||||
sendPii: false
|
||||
# Log level used by web and worker
|
||||
# Can be either debug, info, warning, error
|
||||
logLevel: warning
|
||||
# Global Email settings
|
||||
email:
|
||||
# SMTP Host Emails are sent to
|
||||
host: localhost
|
||||
port: 25
|
||||
# Optionally authenticate
|
||||
username: ""
|
||||
password: ""
|
||||
# Use StartTLS
|
||||
useTls: false
|
||||
# Use SSL
|
||||
useSsl: false
|
||||
timeout: 10
|
||||
# Email address authentik will send from, should have a correct @domain
|
||||
from: authentik@localhost
|
||||
|
||||
# Enable MaxMind GeoIP
|
||||
# geoip:
|
||||
# enabled: false
|
||||
# accountId: ""
|
||||
# licenseKey: ""
|
||||
# image: maxmindinc/geoipupdate:latest
|
||||
|
||||
# Enable Database Backups to S3
|
||||
# backup:
|
||||
# accessKey: access-key
|
||||
# secretKey: secret-key
|
||||
# bucket: s3-bucket
|
||||
# region: eu-central-1
|
||||
# host: s3-host
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
{}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- authentik.k8s.local
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - authentik.k8s.local
|
||||
|
||||
###################################
|
||||
# Values controlling dependencies
|
||||
###################################
|
||||
|
||||
install:
|
||||
postgresql: true
|
||||
redis: true
|
||||
```
|
||||
|
|
|
@ -14,10 +14,10 @@ module.exports = {
|
|||
items: [
|
||||
"installation/index",
|
||||
"installation/docker-compose",
|
||||
"installation/configuration",
|
||||
"installation/reverse-proxy",
|
||||
"installation/kubernetes",
|
||||
"installation/beta",
|
||||
"installation/configuration",
|
||||
"installation/reverse-proxy",
|
||||
],
|
||||
},
|
||||
{
|
||||
|
|
Reference in New Issue