helm: don't automount Service token when integration is not enabled, improve k8s detection

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-04-07 16:16:17 +02:00
parent 12b1f53948
commit 4054e6da8c
5 changed files with 10 additions and 6 deletions

View file

@ -1,7 +1,7 @@
"""authentik core tasks"""
from datetime import datetime
from io import StringIO
from pathlib import Path
from os import environ
from boto3.exceptions import Boto3Error
from botocore.exceptions import BotoCoreError, ClientError
@ -9,6 +9,7 @@ from dbbackup.db.exceptions import CommandConnectorError
from django.contrib.humanize.templatetags.humanize import naturaltime
from django.core import management
from django.utils.timezone import now
from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
from structlog.stdlib import get_logger
from authentik.core.models import ExpiringModel
@ -40,9 +41,7 @@ def clean_expired_models(self: MonitoredTask):
def backup_database(self: MonitoredTask): # pragma: no cover
"""Database backup"""
self.result_timeout_hours = 25
if Path("/var/run/secrets/kubernetes.io").exists() and not CONFIG.y(
"postgresql.s3_backup"
):
if SERVICE_HOST_ENV_NAME in environ and not CONFIG.y("postgresql.s3_backup"):
LOGGER.info("Running in k8s and s3 backups are not configured, skipping")
self.set_status(
TaskResult(

View file

@ -39,6 +39,8 @@ class AuthentikOutpostConfig(AppConfig):
KubernetesServiceConnection,
)
# Explicitly check against token filename, as thats
# only present when the integration is enabled
if Path(SERVICE_TOKEN_FILENAME).exists():
LOGGER.debug("Detected in-cluster Kubernetes Config")
if not KubernetesServiceConnection.objects.filter(local=True).exists():

View file

@ -22,6 +22,7 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
k8s.goauthentik.io/component: web
spec:
automountServiceAccountToken: false
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:

View file

@ -24,6 +24,8 @@ spec:
spec:
{{- if .Values.kubernetesIntegration }}
serviceAccountName: {{ include "authentik.fullname" . }}-sa
{{- else }}
automountServiceAccountToken: false
{{- end }}
affinity:
podAntiAffinity:

View file

@ -2,9 +2,9 @@
import os
import warnings
from multiprocessing import cpu_count
from pathlib import Path
import structlog
from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
bind = "0.0.0.0:8000"
@ -48,7 +48,7 @@ logconfig_dict = {
# if we're running in kubernetes, use fixed workers because we can scale with more pods
# otherwise (assume docker-compose), use as much as we can
if Path("/var/run/secrets/kubernetes.io").exists():
if SERVICE_HOST_ENV_NAME in os.environ:
workers = 2
else:
workers = cpu_count() * 2 + 1