From 00235e039b1851531f3cf7d9b6e19eb600c2e37c Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 11 Mar 2021 17:32:16 +0100 Subject: [PATCH] helm: add initial geoip --- helm/README.md | 6 ++++- helm/templates/geoip-configmap.yaml | 11 ++++++++ helm/templates/geoip-deployment.yaml | 39 +++++++++++++++++++++++++++ helm/templates/geoip-pvc.yaml | 17 ++++++++++++ helm/templates/web-deployment.yaml | 13 +++++++++ helm/templates/worker-deployment.yaml | 15 +++++++++++ helm/values.test.yaml | 22 --------------- helm/values.yaml | 7 +++++ 8 files changed, 107 insertions(+), 23 deletions(-) create mode 100644 helm/templates/geoip-configmap.yaml create mode 100644 helm/templates/geoip-deployment.yaml create mode 100644 helm/templates/geoip-pvc.yaml delete mode 100644 helm/values.test.yaml diff --git a/helm/README.md b/helm/README.md index f0670fd2e..9da2dc379 100644 --- a/helm/README.md +++ b/helm/README.md @@ -4,7 +4,7 @@ |-----------------------------------|-------------------------|-------------| | image.name | beryju/authentik | Image used to run the authentik server and worker | | image.name_static | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) | -| image.tag | 2021.3.3 | Image tag | +| image.tag | 2021.3.3 | Image tag | | image.pullPolicy | IfNotPresent | Image Pull Policy used for all deployments | | serverReplicas | 1 | Replicas for the Server deployment | | workerReplicas | 1 | Replicas for the Worker deployment | 
@@ -22,6 +22,10 @@ | config.email.use_ssl | false | Enable SSL | | config.email.timeout | 10 | SMTP Timeout | | config.email.from | authentik@localhost | Email address authentik will send from, should have a correct @domain | +| geoip.enabled | false | Optionally enable GeoIP | +| geoip.accountId | | GeoIP MaxMind Account ID | +| geoip.licenseKey | | GeoIP MaxMind License key | +| geoip.image | maxmindinc/geoipupdate:latest | GeoIP Updater image | | backup.accessKey | | Optionally enable S3 Backup, Access Key | | backup.secretKey | | Optionally enable S3 Backup, Secret Key | | backup.bucket | | Optionally enable S3 Backup, Bucket | diff --git a/helm/templates/geoip-configmap.yaml b/helm/templates/geoip-configmap.yaml new file mode 100644 index 000000000..3e6dd47f3 --- /dev/null +++ b/helm/templates/geoip-configmap.yaml @@ -0,0 +1,11 @@ +{{- if .Values.geoip.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "authentik.fullname" . }}-geoip-config +data: + GEOIPUPDATE_ACCOUNT_ID: "{{ .Values.geoip.accountId }}" + GEOIPUPDATE_LICENSE_KEY: "{{ .Values.geoip.licenseKey }}" + GEOIPUPDATE_EDITION_IDS: "GeoLite2-City" + GEOIPUPDATE_FREQUENCY: "8" +{{- end }} diff --git a/helm/templates/geoip-deployment.yaml b/helm/templates/geoip-deployment.yaml new file mode 100644 index 000000000..fb7088245 --- /dev/null +++ b/helm/templates/geoip-deployment.yaml 
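Review bot: `GEOIPUPDATE_LICENSE_KEY` is rendered into a ConfigMap in geoip-configmap.yaml, so the MaxMind license key is stored as plain configuration. Anything allowed to read ConfigMaps in the namespace can read it, and it falls outside whatever RBAC or encryption-at-rest policy the cluster applies to Secrets. Render the account ID and license key as `kind: Secret` with `stringData:` instead, and change the `envFrom` entry in geoip-deployment.yaml from `configMapRef` to `secretRef`. The non-sensitive `GEOIPUPDATE_EDITION_IDS` and `GEOIPUPDATE_FREQUENCY` can stay in a ConfigMap or become plain `env` entries. Using `{{ .Values.geoip.licenseKey | quote }}` rather than hand-written quotes would also keep the YAML valid if a value contains `"` or `\`.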
@@ -0,0 +1,39 @@ +{{- if .Values.geoip.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "authentik.fullname" . }}-geoip + labels: + app.kubernetes.io/name: {{ include "authentik.name" . }} + helm.sh/chart: {{ include "authentik.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + k8s.goauthentik.io/component: geoip +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: {{ include "authentik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + k8s.goauthentik.io/component: geoip + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "authentik.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + k8s.goauthentik.io/component: geoip + spec: + containers: + - name: geoip + image: "{{ .Values.geoip.image }}" + envFrom: + - configMapRef: + name: {{ include "authentik.fullname" . }}-geoip-config + volumeMounts: + - name: geoip + mountPath: /usr/share/GeoIP + volumes: + - name: geoip + persistentVolumeClaim: + claimName: {{ include "authentik.fullname" . }}-geoip +{{- end }} diff --git a/helm/templates/geoip-pvc.yaml b/helm/templates/geoip-pvc.yaml new file mode 100644 index 000000000..2cd0caa14 --- /dev/null +++ b/helm/templates/geoip-pvc.yaml @@ -0,0 +1,17 @@ +{{- if .Values.geoip.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "authentik.fullname" . }}-geoip + labels: + app.kubernetes.io/name: {{ include "authentik.name" . }} + helm.sh/chart: {{ include "authentik.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi +{{- end }} diff --git a/helm/templates/web-deployment.yaml b/helm/templates/web-deployment.yaml index d68ced4d5..6b98ba27b 100644 --- a/helm/templates/web-deployment.yaml +++ b/helm/templates/web-deployment.yaml 
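Review bot: The `geoip` container in geoip-deployment.yaml sets only `image`, `envFrom` and `volumeMounts`, with no `resources` block and no `securityContext`. The worker container in this chart does set requests and limits. This pod receives the MaxMind credentials and writes the database that the web and worker pods later read, so add at least `securityContext: {allowPrivilegeEscalation: false}` and a small `resources` request and limit. Whether the image runs as non-root cannot be told from this patch, so check that against the image before setting `runAsNonRoot: true`.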
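Review bot: The claim in geoip-pvc.yaml hard-codes `ReadWriteMany` and `storage: 1Gi` and gives no `storageClassName`. On a cluster whose default storage class cannot provide ReadWriteMany, the claim will presumably stay Pending. With `geoip.enabled` set, the web and worker pods mount the same claim, so they would not start either. Make the storage class and size configurable through values (a new key such as `geoip.storageClass` is a suggestion, not an existing value), and document the ReadWriteMany requirement next to `geoip.enabled` in the README table.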
@@ -88,9 +88,17 @@ spec: secretKeyRef: name: "{{ .Release.Name }}-postgresql" key: "postgresql-password" + {{ if .Values.geoip.enabled -}} + - name: AUTHENTIK_AUTHENTIK__GEOIP + value: /geoip/GeoLite2-City.mmdb + {{- end }} volumeMounts: - name: authentik-uploads mountPath: /media + {{ if .Values.geoip.enabled -}} + - name: geoip + mountPath: /geoip + {{- end }} ports: - name: http containerPort: 8000 @@ -116,3 +124,8 @@ spec: - name: authentik-uploads persistentVolumeClaim: claimName: {{ include "authentik.fullname" . }}-uploads + {{ if .Values.geoip.enabled -}} + - name: geoip + persistentVolumeClaim: + claimName: {{ include "authentik.fullname" . }}-geoip + {{- end }} diff --git a/helm/templates/worker-deployment.yaml b/helm/templates/worker-deployment.yaml index 60fb58f1f..7d62c2c6b 100644 --- a/helm/templates/worker-deployment.yaml +++ b/helm/templates/worker-deployment.yaml @@ -68,6 +68,15 @@ spec: secretKeyRef: name: "{{ .Release.Name }}-postgresql" key: "postgresql-password" + {{ if .Values.geoip.enabled -}} + - name: AUTHENTIK_AUTHENTIK__GEOIP + value: /geoip/GeoLite2-City.mmdb + {{- end }} + {{ if .Values.geoip.enabled -}} + volumeMounts: + - name: geoip + mountPath: /geoip + {{- end }} resources: requests: cpu: 150m @@ -75,3 +84,9 @@ spec: limits: cpu: 300m memory: 600M + {{ if .Values.geoip.enabled -}} + volumes: + - name: geoip + persistentVolumeClaim: + claimName: {{ include "authentik.fullname" . }}-geoip + {{- end -}} diff --git a/helm/values.test.yaml b/helm/values.test.yaml deleted file mode 100644 index 81fef9fde..000000000 --- a/helm/values.test.yaml +++ /dev/null 
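Review bot: The `geoip` volume mount added to the web container (`mountPath: /geoip`) is writable, although the server appears only to read `/geoip/GeoLite2-City.mmdb`. The same applies to the mount added to the worker in the `@@ -68,6 +68,15 @@` hunk. Add `readOnly: true` under each `mountPath: /geoip` so that a compromised web or worker process cannot replace the database the other pods rely on for location data. Only the updater deployment needs write access to this claim. Both container specs start and end outside these hunks.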
@@ -1,22 +0,0 @@ -image: - tag: gh-master - pullPolicy: Always - -serverReplicas: 1 -workerReplicas: 1 - -config: - # Log level used by web and worker - # Can be either debug, info, warning, error - logLevel: debug - -ingress: - hosts: - - authentik.127.0.0.1.nip.io - -# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect -postgresql: - postgresqlPassword: EK-5jnKfjrGRm<77 - -redis: - password: password diff --git a/helm/values.yaml b/helm/values.yaml index 9b997c258..b2ee4f5be 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -44,6 +44,13 @@ config: # Email address authentik will send from, should have a correct @domain from: authentik@localhost +# Enable MaxMind GeoIP +geoip: + enabled: false + accountId: "" + licenseKey: "" + image: maxmindinc/geoipupdate:latest + # Enable Database Backups to S3 # backup: # accessKey: access-key
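Review bot: The default `image: maxmindinc/geoipupdate:latest` in values.yaml is a mutable tag. The container that receives the MaxMind license key and writes the database consumed by the authentik web and worker pods can therefore change between pod restarts without any chart change. Pin the default to a fixed release or digest, for example `image: maxmindinc/geoipupdate:<pinned-version>` (placeholder for the release you have tested), and update the `geoip.image` row in the README to match. A comment above `licenseKey: ""` noting that it is a credential, to be supplied at install time rather than committed, would also help.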