diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 08e3c773e..c00de9016 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -19,16 +19,8 @@ values = [bumpversion:file:website/docs/installation/docker-compose.md] -[bumpversion:file:website/docs/installation/kubernetes.md] - [bumpversion:file:docker-compose.yml] -[bumpversion:file:helm/values.yaml] - -[bumpversion:file:helm/README.md] - -[bumpversion:file:helm/Chart.yaml] - [bumpversion:file:.github/workflows/release.yml] [bumpversion:file:authentik/__init__.py] diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 58e94afaa..293289567 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml @@ -25,15 +25,6 @@ jobs: docker-compose up --no-start docker-compose start postgresql redis docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik" - - name: Install Helm - run: | - apt update && apt install -y curl - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash - - name: Helm package - run: | - helm dependency update helm/ - helm package helm/ - mv authentik-*.tgz authentik-chart.tgz - name: Extract version number id: get_version uses: actions/github-script@0.2.0 @@ -51,13 +42,3 @@ jobs: release_name: Release ${{ steps.get_version.outputs.result }} draft: true prerelease: false - - name: Upload packaged Helm Chart - id: upload-release-asset - uses: actions/upload-release-asset@v1.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./authentik-chart.tgz - asset_name: authentik-chart.tgz - asset_content_type: application/gzip diff --git a/helm/.helmignore b/helm/.helmignore deleted file mode 100644 index f0c131944..000000000 --- a/helm/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/helm/Chart.lock b/helm/Chart.lock deleted file mode 100644 index f512f517d..000000000 --- a/helm/Chart.lock +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 9.3.2 -- name: redis - repository: https://charts.bitnami.com/bitnami - version: 10.7.16 -digest: sha256:fd31e2e2b9ff17a5ed906a77a4f15ffa1ab7f5aecaea1e5db77f0d199ae4f19e -generated: "2020-08-25T17:57:49.684549+02:00" diff --git a/helm/Chart.yaml b/helm/Chart.yaml deleted file mode 100644 index a2de4e14b..000000000 --- a/helm/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -description: authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it. -name: authentik -home: https://goauthentik.io -sources: - - https://github.com/goauthentik/authentik -version: "2021.4.5" -icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg -dependencies: - - name: postgresql - version: 9.4.1 - repository: https://charts.bitnami.com/bitnami - condition: install.postgresql - - name: redis - version: 10.9.0 - repository: https://charts.bitnami.com/bitnami - condition: install.redis diff --git a/helm/README.md b/helm/README.md deleted file mode 100644 index ec7413061..000000000 --- a/helm/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# authentik Helm Chart - -| Name | Default | Description | -|-----------------------------------|-------------------------|-------------| -| image.name | beryju/authentik | Image used to run the authentik server and worker | -| image.name_static | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) | -| image.name_outposts | beryju/authentik-%(type)s:%(version)s | Image used for managed outposts. Placeholders: %(type)s: Outpost type; proxy, ldap, etc. %(version)s: Current version; 2021.4.1 | -| image.tag | 2021.4.5 | Image tag | -| image.pullPolicy | IfNotPresent | Image Pull Policy used for all deployments | -| serverReplicas | 1 | Replicas for the Server deployment | -| workerReplicas | 1 | Replicas for the Worker deployment | -| kubernetesIntegration | true | Enable/disable the Kubernetes integration for authentik. This will create a service account for authentik to create and update outposts in authentik | -| config.secretKey | | Secret key used to sign session cookies, generate with `pwgen 50 1` or `openssl rand -base64 36` for example. 
| -| config.errorReporting.enabled | false | Enable/disable error reporting | -| config.errorReporting.environment | customer | Environment sent with the error reporting | -| config.errorReporting.sendPii | false | Whether to send Personally-identifiable data with the error reporting | -| config.logLevel | warning | Log level of authentik | -| config.email.host | localhost | SMTP Host Emails are sent to | -| config.email.port | 25 | SMTP Port Emails are sent to | -| config.email.username | | SMTP Username | -| config.email.password | | SMTP Password | -| config.email.use_tls | false | Enable StartTLS | -| config.email.use_ssl | false | Enable SSL | -| config.email.timeout | 10 | SMTP Timeout | -| config.email.from | authentik@localhost | Email address authentik will send from, should have a correct @domain | -| pvc.mode | ReadWriteMany | Mode that the PVCs are created in (uploads and GeoIP, if enabled) | -| pvc.uploadsSize | 5Gi | Size for the uploads PVC | -| pvc.uploadsStorageClass | null | Storage class for the uploads PVC (default: use default storage class) | -| pvc.geoIpSize | 1Gi | Size for the GeoIP PVC | -| pvc.geoIpStorageClass | null | Storage class for the GeoIP PVC (default: use default storage class) | -| geoip.enabled | false | Optionally enable GeoIP | -| geoip.accountId | | GeoIP MaxMind Account ID | -| geoip.licenseKey | | GeoIP MaxMind License key | -| geoip.image | maxmindinc/geoipupdate:latest | GeoIP Updater image | -| backup.accessKey | | Optionally enable S3 Backup, Access Key | -| backup.secretKey | | Optionally enable S3 Backup, Secret Key | -| backup.bucket | | Optionally enable S3 Backup, Bucket | -| backup.region | | Optionally enable S3 Backup, Region | -| backup.host | | Optionally enable S3 Backup, to custom Endpoint like minio | -| ingress.annotations | {} | Annotations for the ingress object | -| ingress.hosts | [authentik.k8s.local] | Hosts which the ingress will match | -| ingress.tls | [] | TLS Configuration, same as Ingress 
objects | -| install.postgresql | true | Enables/disables the packaged PostgreSQL Chart -| install.redis | true | Enables/disables the packaged Redis Chart -| postgresql.postgresqlPassword | | Password used for PostgreSQL, generated automatically. - -For more info, see https://goauthentik.io/ and https://goauthentik.io/docs/installation/kubernetes/ diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt deleted file mode 100644 index 60cb63432..000000000 --- a/helm/templates/NOTES.txt +++ /dev/null @@ -1,11 +0,0 @@ -Access authentik using the following URL: -{{- if .Release.IsUpgrade -}} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} -{{- end }} -{{- else -}} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}/if/flow/initial-setup/ -{{- end }} -To configure your authentik instance, and set a password for the akadmin user. -{{- end }} diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl deleted file mode 100644 index fcb35da00..000000000 --- a/helm/templates/_helpers.tpl +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "authentik.name" -}} -{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "authentik.fullname" -}} -{{- $name := default .Chart.Name -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "authentik.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml deleted file mode 100644 index ef6b8c2fb..000000000 --- a/helm/templates/configmap.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "authentik.fullname" . }}-config -data: - POSTGRESQL__HOST: "{{ .Release.Name }}-postgresql" - POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}" - POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}" - {{- if .Values.backup }} - POSTGRESQL__S3_BACKUP__ACCESS_KEY: "{{ .Values.backup.accessKey }}" - POSTGRESQL__S3_BACKUP__BUCKET: "{{ .Values.backup.bucket }}" - POSTGRESQL__S3_BACKUP__REGION: "{{ .Values.backup.region }}" - POSTGRESQL__S3_BACKUP__HOST: "{{ .Values.backup.host }}" - {{- end}} - REDIS__HOST: "{{ .Release.Name }}-redis-master" - ERROR_REPORTING__ENABLED: "{{ .Values.config.errorReporting.enabled }}" - ERROR_REPORTING__ENVIRONMENT: "{{ .Values.config.errorReporting.environment }}" - ERROR_REPORTING__SEND_PII: "{{ .Values.config.errorReporting.sendPii }}" - LOG_LEVEL: "{{ .Values.config.logLevel }}" - OUTPOSTS__DOCKER_IMAGE_BASE: "{{ .Values.image.name_outposts }}" - EMAIL__HOST: "{{ .Values.config.email.host }}" - EMAIL__PORT: "{{ .Values.config.email.port }}" - EMAIL__USERNAME: "{{ .Values.config.email.username }}" - EMAIL__USE_TLS: "{{ .Values.config.email.use_tls }}" - EMAIL__USE_SSL: "{{ .Values.config.email.use_ssl }}" - EMAIL__TIMEOUT: "{{ .Values.config.email.timeout }}" - EMAIL__FROM: "{{ .Values.config.email.from }}" diff --git a/helm/templates/geoip-configmap.yaml b/helm/templates/geoip-configmap.yaml deleted file mode 100644 index 3e6dd47f3..000000000 --- a/helm/templates/geoip-configmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.geoip.enabled -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "authentik.fullname" . }}-geoip-config -data: - GEOIPUPDATE_ACCOUNT_ID: "{{ .Values.geoip.accountId }}" - GEOIPUPDATE_LICENSE_KEY: "{{ .Values.geoip.licenseKey }}" - GEOIPUPDATE_EDITION_IDS: "GeoLite2-City" - GEOIPUPDATE_FREQUENCY: "8" -{{- end }} 
diff --git a/helm/templates/geoip-deployment.yaml b/helm/templates/geoip-deployment.yaml deleted file mode 100644 index fb7088245..000000000 --- a/helm/templates/geoip-deployment.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if .Values.geoip.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "authentik.fullname" . }}-geoip - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - k8s.goauthentik.io/component: geoip -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: geoip - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: geoip - spec: - containers: - - name: geoip - image: "{{ .Values.geoip.image }}" - envFrom: - - configMapRef: - name: {{ include "authentik.fullname" . }}-geoip-config - volumeMounts: - - name: geoip - mountPath: /usr/share/GeoIP - volumes: - - name: geoip - persistentVolumeClaim: - claimName: {{ include "authentik.fullname" . }}-geoip -{{- end }} diff --git a/helm/templates/geoip-pvc.yaml b/helm/templates/geoip-pvc.yaml deleted file mode 100644 index 28a5ab278..000000000 --- a/helm/templates/geoip-pvc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if .Values.geoip.enabled -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "authentik.fullname" . }}-geoip - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - accessModes: - - {{ .Values.pvc.mode }} - storageClassName: {{ .Values.pvc.geoIpStorageClass }} - resources: - requests: - storage: {{ .Values.pvc.geoIpSize }} -{{- end }} diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml deleted file mode 100644 index 69ad25ec2..000000000 --- a/helm/templates/ingress.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- $fullName := include "authentik.fullname" . -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- with .Values.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} - http: - paths: - - path: / - backend: - serviceName: {{ $fullName }}-web - servicePort: http - {{- end }} diff --git a/helm/templates/prom-rules.yaml b/helm/templates/prom-rules.yaml deleted file mode 100644 index 847f2a7e7..000000000 --- a/helm/templates/prom-rules.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -{{- if .Values.monitoring.enabled -}} ---- -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ include "authentik.fullname" . }}-static-rules - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - groups: - - name: Aggregate request counters - rules: - - record: job:django_http_requests_before_middlewares_total:sum_rate30s - expr: sum(rate(django_http_requests_before_middlewares_total[30s])) by (job) - - record: job:django_http_requests_unknown_latency_total:sum_rate30s - expr: sum(rate(django_http_requests_unknown_latency_total[30s])) by (job) - - record: job:django_http_ajax_requests_total:sum_rate30s - expr: sum(rate(django_http_ajax_requests_total[30s])) by (job) - - record: job:django_http_responses_before_middlewares_total:sum_rate30s - expr: sum(rate(django_http_responses_before_middlewares_total[30s])) by (job) - - record: job:django_http_requests_unknown_latency_including_middlewares_total:sum_rate30s - expr: sum(rate(django_http_requests_unknown_latency_including_middlewares_total[30s])) by (job) - - record: job:django_http_requests_body_total_bytes:sum_rate30s - expr: sum(rate(django_http_requests_body_total_bytes[30s])) by (job) - - record: job:django_http_responses_streaming_total:sum_rate30s - expr: sum(rate(django_http_responses_streaming_total[30s])) by (job) - - record: job:django_http_responses_body_total_bytes:sum_rate30s - expr: sum(rate(django_http_responses_body_total_bytes[30s])) by (job) - - record: job:django_http_requests_total:sum_rate30s - expr: sum(rate(django_http_requests_total_by_method[30s])) by (job) - - record: job:django_http_requests_total_by_method:sum_rate30s - expr: sum(rate(django_http_requests_total_by_method[30s])) by (job,method) - - record: job:django_http_requests_total_by_transport:sum_rate30s - 
expr: sum(rate(django_http_requests_total_by_transport[30s])) by (job,transport) - - record: job:django_http_requests_total_by_view:sum_rate30s - expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view) - - record: job:django_http_requests_total_by_view_transport_method:sum_rate30s - expr: sum(rate(django_http_requests_total_by_view_transport_method[30s])) by (job,view,transport,method) - - record: job:django_http_responses_total_by_templatename:sum_rate30s - expr: sum(rate(django_http_responses_total_by_templatename[30s])) by (job,templatename) - - record: job:django_http_responses_total_by_status:sum_rate30s - expr: sum(rate(django_http_responses_total_by_status[30s])) by (job,status) - - record: job:django_http_responses_total_by_status_name_method:sum_rate30s - expr: sum(rate(django_http_responses_total_by_status_name_method[30s])) by (job,status,name,method) - - record: job:django_http_responses_total_by_charset:sum_rate30s - expr: sum(rate(django_http_responses_total_by_charset[30s])) by (job,charset) - - record: job:django_http_exceptions_total_by_type:sum_rate30s - expr: sum(rate(django_http_exceptions_total_by_type[30s])) by (job,type) - - record: job:django_http_exceptions_total_by_view:sum_rate30s - expr: sum(rate(django_http_exceptions_total_by_view[30s])) by (job,view) - - name: Aggregate latency histograms - rules: - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "50" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "95" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: 
histogram_quantile(0.99, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99" - - record: job:django_http_requests_latency_including_middlewares_seconds:quantile_rate30s - expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_including_middlewares_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99.9" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.50, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "50" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.95, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "95" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.99, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99" - - record: job:django_http_requests_latency_seconds:quantile_rate30s - expr: histogram_quantile(0.999, sum(rate(django_http_requests_latency_seconds_bucket[30s])) by (job, le)) - labels: - quantile: "99.9" - - name: Aggregate model operations - rules: - - record: job:django_model_inserts_total:sum_rate1m - expr: sum(rate(django_model_inserts_total[1m])) by (job, model) - - record: job:django_model_updates_total:sum_rate1m - expr: sum(rate(django_model_updates_total[1m])) by (job, model) - - record: job:django_model_deletes_total:sum_rate1m - expr: sum(rate(django_model_deletes_total[1m])) by (job, model) - - name: Aggregate database operations - rules: - - record: job:django_db_new_connections_total:sum_rate30s - expr: sum(rate(django_db_new_connections_total[30s])) by (alias, vendor) - - record: job:django_db_new_connection_errors_total:sum_rate30s - expr: sum(rate(django_db_new_connection_errors_total[30s])) by (alias, vendor) - - record: 
job:django_db_execute_total:sum_rate30s - expr: sum(rate(django_db_execute_total[30s])) by (alias, vendor) - - record: job:django_db_execute_many_total:sum_rate30s - expr: sum(rate(django_db_execute_many_total[30s])) by (alias, vendor) - - record: job:django_db_errors_total:sum_rate30s - expr: sum(rate(django_db_errors_total[30s])) by (alias, vendor, type) - - name: Aggregate migrations - rules: - - record: job:django_migrations_applied_total:max - expr: max(django_migrations_applied_total) by (job, connection) - - record: job:django_migrations_unapplied_total:max - expr: max(django_migrations_unapplied_total) by (job, connection) - - name: Alerts - rules: - - alert: UnappliedMigrations - expr: job:django_migrations_unapplied_total:max > 0 - for: 1m - labels: - severity: testing -{{- end }} diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml deleted file mode 100644 index cb5b8ae67..000000000 --- a/helm/templates/pvc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "authentik.fullname" . }}-uploads - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - accessModes: - - {{ .Values.pvc.mode }} - storageClassName: {{ .Values.pvc.uploadsStorageClass }} - resources: - requests: - storage: {{ .Values.pvc.uploadsSize }} diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml deleted file mode 100644 index b972b0bf4..000000000 --- a/helm/templates/secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ include "authentik.fullname" . }}-secret-key -data: - monitoring_username: bW9uaXRvcg== # monitor in base64 - {{- if .Values.config.secretKey }} - SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }} - {{- else }} - SECRET_KEY: {{ randAlphaNum 50 | b64enc | quote}} - {{- end }} - {{- if .Values.backup }} - POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secretKey | b64enc }}" - {{- end}} - EMAIL__PASSWORD: "{{ .Values.config.email.password | b64enc }}" diff --git a/helm/templates/service-account.yaml b/helm/templates/service-account.yaml deleted file mode 100644 index 947375828..000000000 --- a/helm/templates/service-account.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if .Values.kubernetesIntegration }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "authentik.fullname" . }}-sa-role -rules: -- apiGroups: - - "" - resources: - - secrets - - services - verbs: - - "get" - - "create" - - "delete" - - "read" - - "patch" -- apiGroups: - - "extensions" - - "apps" - resources: - - "deployments" - verbs: - - "get" - - "create" - - "delete" - - "read" - - "patch" -- apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - "ingresses" - verbs: - - "get" - - "create" - - "delete" - - "read" - - "patch" -- apiGroups: - - "" - resources: - - namespaces - verbs: - - list ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "authentik.fullname" . }}-sa ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "authentik.fullname" . }}-sa-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "authentik.fullname" . }}-sa-role -subjects: -- kind: ServiceAccount - name: {{ include "authentik.fullname" . }}-sa - namespace: {{ .Release.Namespace }} -{{- end }} 
diff --git a/helm/templates/web-deployment.yaml b/helm/templates/web-deployment.yaml deleted file mode 100644 index 99f6496b0..000000000 --- a/helm/templates/web-deployment.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "authentik.fullname" . }}-web - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - k8s.goauthentik.io/component: web -spec: - replicas: {{ .Values.serverReplicas }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: web - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: web - spec: - automountServiceAccountToken: false - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - {{ include "authentik.name" . }} - - key: app.kubernetes.io/instance - operator: In - values: - - {{ .Release.Name }} - - key: k8s.goauthentik.io/component - operator: In - values: - - web - topologyKey: "kubernetes.io/hostname" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.name }}:{{ .Values.image.tag }}" - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - args: [server] - envFrom: - - configMapRef: - name: {{ include "authentik.fullname" . }}-config - prefix: AUTHENTIK_ - - secretRef: - name: {{ include "authentik.fullname" . 
}}-secret-key - prefix: AUTHENTIK_ - env: - - name: AUTHENTIK_REDIS__PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Release.Name }}-redis" - key: "redis-password" - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Release.Name }}-postgresql" - key: "postgresql-password" - {{ if .Values.geoip.enabled -}} - - name: AUTHENTIK_AUTHENTIK__GEOIP - value: /geoip/GeoLite2-City.mmdb - {{- end }} - volumeMounts: - - name: authentik-uploads - mountPath: /media - {{ if .Values.geoip.enabled -}} - - name: geoip - mountPath: /geoip - {{- end }} - ports: - - name: http - containerPort: 9000 - protocol: TCP - - name: https - containerPort: 9443 - protocol: TCP - livenessProbe: - httpGet: - path: /-/health/live/ - port: http - initialDelaySeconds: 15 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /-/health/ready/ - port: http - initialDelaySeconds: 15 - periodSeconds: 30 - resources: - requests: - cpu: 100m - memory: 300M - limits: - cpu: 300m - memory: 600M - volumes: - - name: authentik-uploads - persistentVolumeClaim: - claimName: {{ include "authentik.fullname" . }}-uploads - {{ if .Values.geoip.enabled -}} - - name: geoip - persistentVolumeClaim: - claimName: {{ include "authentik.fullname" . }}-geoip - {{- end }} diff --git a/helm/templates/web-service.yaml b/helm/templates/web-service.yaml deleted file mode 100644 index f09c3661e..000000000 --- a/helm/templates/web-service.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "authentik.fullname" . }}-web - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "authentik.chart" . }} - k8s.goauthentik.io/component: web -spec: - type: ClusterIP - ports: - - port: 9000 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: web diff --git a/helm/templates/web-sm.yaml b/helm/templates/web-sm.yaml deleted file mode 100644 index 7c09a62fb..000000000 --- a/helm/templates/web-sm.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.monitoring.enabled -}} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - name: {{ include "authentik.fullname" . }}-web-monitoring -spec: - endpoints: - - basicAuth: - password: - name: {{ include "authentik.fullname" . }}-secret-key - key: SECRET_KEY - username: - name: {{ include "authentik.fullname" . }}-secret-key - key: monitoring_username - port: http - path: /metrics/ - interval: 10s - selector: - matchLabels: - k8s.goauthentik.io/component: web -{{- end }} diff --git a/helm/templates/worker-deployment.yaml b/helm/templates/worker-deployment.yaml deleted file mode 100644 index 9743b6113..000000000 --- a/helm/templates/worker-deployment.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "authentik.fullname" . }}-worker - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - helm.sh/chart: {{ include "authentik.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - k8s.goauthentik.io/component: worker -spec: - replicas: {{ .Values.workerReplicas }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: worker - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "authentik.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - k8s.goauthentik.io/component: worker - spec: - {{- if .Values.kubernetesIntegration }} - serviceAccountName: {{ include "authentik.fullname" . }}-sa - {{- else }} - automountServiceAccountToken: false - {{- end }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - {{ include "authentik.name" . }} - - key: app.kubernetes.io/instance - operator: In - values: - - {{ .Release.Name }} - - key: k8s.goauthentik.io/component - operator: In - values: - - worker - topologyKey: "kubernetes.io/hostname" - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.name }}:{{ .Values.image.tag }}" - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - args: [worker] - envFrom: - - configMapRef: - name: "{{ include "authentik.fullname" . }}-config" - prefix: "AUTHENTIK_" - - secretRef: - name: {{ include "authentik.fullname" . 
}}-secret-key - prefix: AUTHENTIK_ - env: - - name: AUTHENTIK_REDIS__PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Release.Name }}-redis" - key: "redis-password" - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Release.Name }}-postgresql" - key: "postgresql-password" - {{ if .Values.geoip.enabled -}} - - name: AUTHENTIK_AUTHENTIK__GEOIP - value: /geoip/GeoLite2-City.mmdb - {{- end }} - {{ if .Values.geoip.enabled -}} - volumeMounts: - - name: geoip - mountPath: /geoip - {{- end }} - resources: - requests: - cpu: 150m - memory: 400M - limits: - cpu: 300m - memory: 600M - {{ if .Values.geoip.enabled -}} - volumes: - - name: geoip - persistentVolumeClaim: - claimName: {{ include "authentik.fullname" . }}-geoip - {{- end -}} diff --git a/helm/values.yaml b/helm/values.yaml deleted file mode 100644 index d579ec204..000000000 --- a/helm/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@
-###################################
-# Values directly affecting authentik
-###################################
-image:
- name: beryju/authentik
- name_static: beryju/authentik-static
- # Image used for managed outposts. Placeholders:
- # %(type)s: Outpost type; proxy, ldap, etc
- # %(version)s: Current version; 2021.4.1
- name_outposts: "beryju/authentik-%(type)s:%(version)s"
- tag: 2021.4.5
- pullPolicy: IfNotPresent
-
-serverReplicas: 1
-workerReplicas: 1
-
-# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
-kubernetesIntegration: true
-
-monitoring:
- enabled: false
-
-pvc:
- mode: ReadWriteMany
- uploadsSize: 5Gi
- uploadsStorageClass: null
- geoIpSize: 1Gi
- geoIpStorageClass: null
-
-config:
- # Optionally specify fixed secret_key, otherwise generated automatically
- # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
- # Enable error reporting
- errorReporting:
- enabled: false
- environment: customer
- sendPii: false
- # Log level used by web and worker
- # Can be either debug, info, warning, error
- logLevel: warning
- # Global Email settings
- email:
- # SMTP Host Emails are sent to
- host: localhost
- port: 25
- # Optionally authenticate
- username: ""
- password: ""
- # Use StartTLS
- useTls: false
- # Use SSL
- useSsl: false
- timeout: 10
- # Email address authentik will send from, should have a correct @domain
- from: authentik@localhost
-
-# Enable MaxMind GeoIP
-geoip:
- enabled: false
- accountId: ""
- licenseKey: ""
- image: maxmindinc/geoipupdate:latest
-
-# Enable Database Backups to S3
-# backup:
-# accessKey: access-key
-# secretKey: secret-key
-# bucket: s3-bucket
-# region: eu-central-1
-# host: s3-host
-
-ingress:
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - authentik.k8s.local
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - authentik.k8s.local
-
-###################################
-# Values controlling dependencies
-###################################
-
-install:
- postgresql: true
- redis: true
-
-# These values influence the bundled postgresql and redis charts, but are also used by authentik to connect
-postgresql:
- postgresqlDatabase: authentik
-
-redis:
- cluster:
- enabled: false
- master:
- # https://stackoverflow.com/a/59189742
- disableCommands: []
diff --git a/website/docs/installation/kubernetes.md b/website/docs/installation/kubernetes.md
index f6e87606b..a5a06cd75 100644
--- a/website/docs/installation/kubernetes.md
+++ b/website/docs/installation/kubernetes.md
@@ -15,13 +15,14 @@ redis: password: "" config: secretKey: "" -# Optionally configure more things, as seen in the full values.yaml file below. ``` +See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik). + Afterwards, run these commands to install authentik: ``` -helm repo add authentik https://docker.beryju.org/chartrepo/authentik +helm repo add authentik https://helm.goauthentik.io helm repo update helm install authentik/authentik -f values.yaml ```
@@ -29,95 +30,3 @@ helm install authentik/authentik -f values.yaml
 This installation automatically applies database migrations on startup. After the installation is done, navigate to the `https:///if/flow/initial-setup/`, to set a password for the akadmin user. It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts, configuration issues. They can also be used by [Email stages](flow/stages/email/index.md) to send verification/recovery emails.
-
-```yaml
-###################################
-# Values directly affecting authentik
-###################################
-image:
- name: beryju/authentik
- name_static: beryju/authentik-static
- # Image used for managed outposts. Placeholders:
- # %(type)s: Outpost type; proxy, ldap, etc
- # %(version)s: Current version; 2021.4.1
- name_outposts: "beryju/authentik-%(type)s:%(version)s"
- tag: 2021.4.5
-
-serverReplicas: 1
-workerReplicas: 1
-
-# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
-kubernetesIntegration: true
-
-monitoring: # Optionally deploy Prometheus Rules and ServiceMonitors
- enabled: false
-
-pvc:
- mode: ReadWriteMany
- uploadsSize: 5Gi
- uploadsStorageClass: null # null uses the default storage class
- geoIpSize: 1Gi
- geoIpStorageClass: null
-
-config:
- # Optionally specify fixed secret_key, otherwise generated automatically
- # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
- # Enable error reporting
- errorReporting:
- enabled: false
- environment: customer
- sendPii: false
- # Log level used by web and worker
- # Can be either debug, info, warning, error
- logLevel: warning
- # Global Email settings
- email:
- # SMTP Host Emails are sent to
- host: localhost
- port: 25
- # Optionally authenticate
- username: ""
- password: ""
- # Use StartTLS
- useTls: false
- # Use SSL
- useSsl: false
- timeout: 10
- # Email address authentik will send from, should have a correct @domain
- from: authentik@localhost
-
-# Enable MaxMind GeoIP
-# geoip:
-# enabled: false
-# accountId: ""
-# licenseKey: ""
-# image: maxmindinc/geoipupdate:latest
-
-# Enable Database Backups to S3
-# backup:
-# accessKey: access-key
-# secretKey: secret-key
-# bucket: s3-bucket
-# region: eu-central-1
-# host: s3-host
-
-ingress:
- annotations:
- {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - authentik.k8s.local
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - authentik.k8s.local
-
-###################################
-# Values controlling dependencies
-###################################
-
-install:
- postgresql: true
- redis: true
-```
diff --git a/website/sidebars.js b/website/sidebars.js
index eb66aa4a7..77d883dd6 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -14,10 +14,10 @@ module.exports = {
 items: [
 "installation/index",
 "installation/docker-compose",
- "installation/configuration",
- "installation/reverse-proxy",
 "installation/kubernetes",
 "installation/beta",
+ "installation/configuration",
+ "installation/reverse-proxy",
 ],
 },
 {