diff --git a/.gitignore b/.gitignore
index 91375431..b214d5be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 Chart.lock
 charts/authentik/charts
+venv
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..e73cc4e1
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,3 @@
+all:
+ python3 scripts/update-values-from-config.py
+ helm-docs
diff --git a/charts/authentik/README.md b/charts/authentik/README.md
index d428bac6..b19948ce 100644
--- a/charts/authentik/README.md
+++ b/charts/authentik/README.md
@@ -100,6 +100,16 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalObjects | list | `[]` | additional resources to deploy. Those objects are templated. |
+| authentik.blueprints_dir | string | `"/blueprints"` | |
+| authentik.cache.timeout | int | `300` | |
+| authentik.cache.timeout_flows | int | `300` | |
+| authentik.cache.timeout_policies | int | `300` | |
+| authentik.cert_discovery_dir | string | `"/certs"` | |
+| authentik.compliance.fips.enabled | bool | `false` | |
+| authentik.cookie_domain | string | `nil` | |
+| authentik.debug | bool | `false` | |
+| authentik.disable_startup_analytics | bool | `false` | |
+| authentik.disable_update_check | bool | `false` | |
 | authentik.email.from | string | `""` | Email from address, can either be in the format "foo@bar.baz" or "authentik " |
 | authentik.email.host | string | `""` | SMTP Server emails are sent from, fully optional |
 | authentik.email.password | string | `""` | SMTP credentials, when left empty, no authentication will be done |
@@ -113,16 +123,43 @@ The secret `authentik-postgres-credentials` must have `username` and `password` | authentik.error_reporting.send_pii | bool | `false` | Send PII (Personally identifiable information) data to sentry | | authentik.events.context_processors.asn | string | `"/geoip/GeoLite2-ASN.mmdb"` | Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. | | authentik.events.context_processors.geoip | string | `"/geoip/GeoLite2-City.mmdb"` | Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. | -| authentik.log_level | string | `"info"` | Log level for server and worker | -| authentik.outposts.container_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` | Template used for managed outposts. The following placeholders can be used %(type)s - the type of the outpost %(version)s - version of your authentik install %(build_hash)s - only for beta versions, the build hash of the image | +| authentik.ldap.page_size | int | `50` | | +| authentik.ldap.task_timeout_hours | int | `2` | | +| authentik.ldap.tls.ciphers | string | `nil` | | +| authentik.listen.listen_debug | string | `"0.0.0.0:9900"` | | +| authentik.listen.listen_http | string | `"0.0.0.0:9000"` | | +| authentik.listen.listen_https | string | `"0.0.0.0:9443"` | | +| authentik.listen.listen_ldap | string | `"0.0.0.0:3389"` | | +| authentik.listen.listen_ldaps | string | `"0.0.0.0:6636"` | | +| authentik.listen.listen_metrics | string | `"0.0.0.0:9300"` | | +| authentik.listen.listen_radius | string | `"0.0.0.0:1812"` | | +| authentik.listen.trusted_proxy_cidrs[0] | string | `"127.0.0.0/8"` | | +| authentik.listen.trusted_proxy_cidrs[1] | string | `"10.0.0.0/8"` | | +| authentik.listen.trusted_proxy_cidrs[2] | string | `"172.16.0.0/12"` | | +| authentik.listen.trusted_proxy_cidrs[3] | string | `"192.168.0.0/16"` | | +| authentik.listen.trusted_proxy_cidrs[4] | string | `"fe80::/10"` | | +| 
authentik.listen.trusted_proxy_cidrs[5] | string | `"::1/128"` | | +| authentik.log_level | string | `"info"` | | +| authentik.outposts.container_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` | | +| authentik.postgresql | object | `{"host":"{{ .Release.Name }}-postgresql","name":"authentik","password":"","port":5432,"user":"authentik"}` | Log level for server and worker | | authentik.postgresql.host | string | `{{ .Release.Name }}-postgresql` | set the postgresql hostname to talk to if unset and .Values.postgresql.enabled == true, will generate the default | | authentik.postgresql.name | string | `authentik` | postgresql Database name | -| authentik.postgresql.password | string | `""` | | -| authentik.postgresql.port | int | `5432` | | | authentik.postgresql.user | string | `authentik` | postgresql Username | | authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to | | authentik.redis.password | string | `""` | | -| authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install | +| authentik.remote_debug | bool | `false` | | +| authentik.reputation.expiry | int | `86400` | | +| authentik.secret_key | string | `""` | | +| authentik.session_storage | string | `"cache"` | | +| authentik.storage.media.backend | string | `"file"` | | +| authentik.storage.media.file.path | string | `"./media"` | | +| authentik.storage.media.s3.secure_urls | bool | `true` | | +| authentik.tenants.api_key | string | `""` | | +| authentik.tenants.enabled | bool | `false` | | +| authentik.throttle.default | string | `"1000/second"` | | +| authentik.throttle.providers.oauth2.device | string | `"20/hour"` | | +| authentik.web.threads | int | `4` | | +| authentik.worker.concurrency | int | `2` | | | blueprints.configMaps | list | `[]` | List of config maps to mount blueprints from. 
Only keys in the configMap ending with `.yaml` will be discovered and applied. | | blueprints.secrets | list | `[]` | List of secrets to mount blueprints from. Only keys in the secret ending with `.yaml` will be discovered and applied. | | fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible | diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml index 18abe2eb..42006047 100644 --- a/charts/authentik/values.yaml +++ b/charts/authentik/values.yaml 
@@ -139,16 +139,74 @@ global: ## Authentik configuration authentik: # -- Log level for server and worker + postgresql: + # -- set the postgresql hostname to talk to + # if unset and .Values.postgresql.enabled == true, will generate the default + # @default -- `{{ .Release.Name }}-postgresql` + host: "{{ .Release.Name }}-postgresql" + # -- postgresql Database name + # @default -- `authentik` + name: "authentik" + # -- postgresql Username + # @default -- `authentik` + user: "authentik" + password: "" + port: 5432 + # For example + # 0: + # host: replica1.example.com + + listen: + listen_http: 0.0.0.0:9000 + listen_https: 0.0.0.0:9443 + listen_ldap: 0.0.0.0:3389 + listen_ldaps: 0.0.0.0:6636 + listen_radius: 0.0.0.0:1812 + listen_metrics: 0.0.0.0:9300 + listen_debug: 0.0.0.0:9900 + trusted_proxy_cidrs: + - 127.0.0.0/8 + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - fe80::/10 + - ::1/128 + + redis: + # -- set the redis hostname to talk to + # @default -- `{{ .Release.Name }}-redis-master` + host: "{{ .Release.Name }}-redis-master" + password: "" + + + cache: + # url: "" + timeout: 300 + timeout_flows: 300 + timeout_policies: 300 + +# channel: +# url: "" + +# result_backend: +# url: "" +# transport_options: "" + + debug: false + remote_debug: false + log_level: info - # -- Secret key used for cookie singing and unique user IDs, - # don't change this after the first install - secret_key: "" - events: - context_processors: - # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. - geoip: /geoip/GeoLite2-City.mmdb - # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. 
- asn: /geoip/GeoLite2-ASN.mmdb + + session_storage: cache + + error_reporting: + # -- This sends anonymous usage-data, stack traces on errors and + # performance data to sentry.beryju.org, and is fully opt-in + enabled: false + # -- This is a string that is sent to sentry with your error reports + environment: "k8s" + # -- Send PII (Personally identifiable information) data to sentry + send_pii: false email: # -- SMTP Server emails are sent from, fully optional host: "" 
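Review bot: The `# -- Log level for server and worker` helm-docs comment at the top of the hunk is now orphaned directly above the inserted `postgresql:` block, so helm-docs attributes it to `authentik.postgresql` (the README hunk in this same commit shows that row carrying "Log level for server and worker") while `log_level: info` further down has lost its description. Move the comment so it sits immediately above `log_level: info`. The newly inserted `listen.trusted_proxy_cidrs` list covers every private and link-local range; presumably it controls which upstream addresses authentik trusts for forwarded client-IP headers, and a one-line `# --` comment saying so would let operators judge whether that default fits a cluster where the ingress is not the only thing in those ranges (confirm against the upstream docs before wording it). `postgresql.password` and `redis.password` also land in the README with empty descriptions, unlike `authentik.email.password`, which already carries one. The `authentik:` block starts before this hunk.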
@@ -166,40 +224,73 @@ authentik: timeout: 30 # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " from: "" + throttle: + providers: + oauth2: + device: 20/hour + default: 1000/second + outposts: - # -- Template used for managed outposts. The following placeholders can be used - # %(type)s - the type of the outpost - # %(version)s - version of your authentik install - # %(build_hash)s - only for beta versions, the build hash of the image + # Placeholders: + # %(type)s: Outpost type; proxy, ldap, etc + # %(version)s: Current version; 2021.4.1 + # %(build_hash)s: Build hash if you're running a beta version container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s - error_reporting: - # -- This sends anonymous usage-data, stack traces on errors and - # performance data to sentry.beryju.org, and is fully opt-in - enabled: false - # -- This is a string that is sent to sentry with your error reports - environment: "k8s" - # -- Send PII (Personally identifiable information) data to sentry - send_pii: false - postgresql: - # -- set the postgresql hostname to talk to - # if unset and .Values.postgresql.enabled == true, will generate the default - # @default -- `{{ .Release.Name }}-postgresql` - host: "{{ .Release.Name }}-postgresql" - # -- postgresql Database name - # @default -- `authentik` - name: "authentik" - # -- postgresql Username - # @default -- `authentik` - user: "authentik" - password: "" - port: 5432 - redis: - # -- set the redis hostname to talk to - # @default -- `{{ .Release.Name }}-redis-master` - host: "{{ .Release.Name }}-redis-master" - password: "" + ldap: + task_timeout_hours: 2 + page_size: 50 + tls: + ciphers: + + reputation: + expiry: 86400 + + cookie_domain: + disable_update_check: false + disable_startup_analytics: false + events: + context_processors: + # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. 
+ geoip: /geoip/GeoLite2-City.mmdb + # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. + asn: /geoip/GeoLite2-ASN.mmdb + compliance: + fips: + enabled: false + cert_discovery_dir: /certs + tenants: + enabled: false + api_key: "" + + blueprints_dir: /blueprints + + web: + # No default here as it's set dynamically + # workers: 2 + threads: 4 + + worker: + concurrency: 2 + + storage: + media: + backend: file # or s3 + file: + path: ./media + s3: + # How to talk to s3 + # region: "us-east-1" + # use_ssl: True + # endpoint: "https://s3.us-east-1.amazonaws.com" + # access_key: "" + # secret_key: "" + # bucket_name: "authentik-media" + # How to render file URLs + # custom_domain: null + secure_urls: true + secret_key: "" blueprints: # -- List of config maps to mount blueprints from. # Only keys in the configMap ending with `.yaml` will be discovered and applied. @@ -228,7 +319,7 @@ server: # -- Average CPU utilization percentage for the authentik server [HPA] targetCPUUtilizationPercentage: 50 # -- Average memory utilization percentage for the authentik server [HPA] - targetMemoryUtilizationPercentage: ~ + targetMemoryUtilizationPercentage: # -- Configures the scaling behavior of the target in both Up and Down directions. behavior: {} # scaleDown: @@ -371,7 +462,7 @@ server: dnsPolicy: "" # -- serviceAccount to use for authentik server pods - serviceAccountName: ~ + serviceAccountName: # -- authentik server pod-level security context # @default -- `{}` (See [values.yaml]) @@ -574,7 +665,7 @@ server: # -- List of ingress paths paths: - - / + - / # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix # -- additional ingress paths 
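Review bot: `secret_key: ""` is re-added at the bottom of the `authentik:` block (just before `blueprints:`) without the description the removed lines carried, so the README in this commit now lists the one value that signs cookies with an empty description and no longer warns that it must not change after the first install. Restore the comment above it, with the typo fixed: `# -- Secret key used for cookie signing and unique user IDs,` / `# don't change this after the first install`. The same loss affects `container_image_base`: its replacement comment starts with `# Placeholders:` instead of `# --`, so the placeholder explanation no longer reaches helm-docs and that README row is empty too; keep the `# --` prefix on the first line of that comment. The `authentik:` block starts before this hunk.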
@@ -616,7 +707,7 @@ worker: # -- Average CPU utilization percentage for the authentik worker [HPA] targetCPUUtilizationPercentage: 50 # -- Average memory utilization percentage for the authentik worker [HPA] - targetMemoryUtilizationPercentage: ~ + targetMemoryUtilizationPercentage: # -- Configures the scaling behavior of the target in both Up and Down directions. behavior: {} # scaleDown: @@ -750,7 +841,7 @@ worker: dnsPolicy: "" # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true - serviceAccountName: ~ + serviceAccountName: # -- authentik worker pod-level security context # @default -- `{}` (See [values.yaml]) @@ -786,8 +877,8 @@ worker: ## Probe configuration exec: command: - - ak - - healthcheck + - ak + - healthcheck readinessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded @@ -803,8 +894,8 @@ worker: ## Probe configuration exec: command: - - ak - - healthcheck + - ak + - healthcheck startupProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded @@ -820,8 +911,8 @@ worker: ## Probe configuration exec: command: - - ak - - healthcheck + - ak + - healthcheck # -- terminationGracePeriodSeconds for container lifecycle hook terminationGracePeriodSeconds: 30 diff --git a/scripts/update-values-from-config.py b/scripts/update-values-from-config.py new file mode 100644 index 00000000..a14129d2 --- /dev/null +++ b/scripts/update-values-from-config.py 
@@ -0,0 +1,21 @@
+from requests import get
+from ruamel.yaml import YAML
+
+yaml = YAML()
+yaml.preserve_quotes = True
+yaml.explicit_start = True
+yaml.explicit_end = False
+
+config_raw = get("https://raw.githubusercontent.com/goauthentik/authentik/main/authentik/lib/default.yml").text
+config = yaml.load(config_raw)
+
+with open("charts/authentik/values.yaml", mode="r", encoding="utf-8") as _values:
+ values = yaml.load(_values.read())
+
+# The old config has higher priority over the upstream config
+old_config = values["authentik"]
+config.update(old_config)
+values["authentik"] = config
+
+with open("charts/authentik/values.yaml", mode="w", encoding="utf-8") as _values:
+ yaml.dump(values, _values)
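Review bot: The `get(...)` call on the `config_raw` line has no `timeout` and its status is never checked, so a rate-limit or outage page from the raw-content host is parsed as YAML and, if it happens to parse as a mapping, written straight into `charts/authentik/values.yaml`; at minimum use `response = get(URL, timeout=30)` followed by `response.raise_for_status()`. The URL also tracks `main` rather than the authentik release the chart ships, so every `make` run pulls whatever is currently on the upstream default branch — pin it to the tag matching the chart's appVersion. `config.update(old_config)` is a shallow merge: for any top-level section the chart already has (`postgresql`, `redis`, `email`, `events`, ...) the chart's subtree replaces the upstream one wholesale, so new upstream sub-keys are silently dropped, and the ruamel round-trip is what re-anchored the `# -- Log level` comment onto `postgresql:` and rewrote `~` and list indentation elsewhere in this diff. A recursive merge keeps chart values winning while still surfacing new upstream sub-keys.
```python
# TODO(review): pin to the tag matching the chart's appVersion instead of main
UPSTREAM_URL = "https://raw.githubusercontent.com/goauthentik/authentik/main/authentik/lib/default.yml"


def merge(upstream, chart):
    """Copy chart values over upstream, recursing into nested mappings so that
    upstream keys the chart does not set survive instead of being dropped.
    ruamel's CommentedMap is a dict subclass, so isinstance(dict) covers it."""
    for key, value in chart.items():
        if isinstance(value, dict) and isinstance(upstream.get(key), dict):
            merge(upstream[key], value)
        else:
            upstream[key] = value
    return upstream


# … unchanged: yaml = YAML() setup …

response = get(UPSTREAM_URL, timeout=30)
response.raise_for_status()  # otherwise an error page would be parsed as the config
config = yaml.load(response.text)

# … unchanged: reading charts/authentik/values.yaml into values …

# The chart's existing values have higher priority over the upstream config
values["authentik"] = merge(config, values["authentik"])

# … unchanged: writing charts/authentik/values.yaml …
```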