2022.8.2 (#84)

* use secret for env variables * add blueprints, bump version * add blueprint to test * bump remote too I guess * add missing loop * only mount blueprints into worker * set namespace * actually create ns * 8.2
goauthentik · Aug 19, 2022 · 133c0ff · 133c0ff
1 parent 514eeb0
commit 133c0ff
Show file tree

Hide file tree

Showing 14 changed files with 129 additions and 40 deletions.
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -42,4 +42,8 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)
-        run: ct install --config ct.yaml
+        run: |
+          namespace=authentik-$(uuidgen)
+          kubectl create ns $namespace
+          kubectl apply -n $namespace -f charts/authentik/ci/manfiests/
+          ct install --namespace=$namespace --config ct.yaml
diff --git a/README.md b/README.md
@@ -9,14 +9,14 @@
 
 ## authentik Chart
 
-![Version: 2022.7.2](https://img.shields.io/badge/Version-2022.7.2-informational?style=for-the-badge)
-![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge)
+![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge)
+![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge)
 
 See [README](./charts/authentik/README.md)
 
 ## authentik-remote-cluster Chart
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge)
 ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge)
 
 See [README](./charts/authentik-remote-cluster/README.md)
diff --git a/charts/authentik-remote-cluster/Chart.yaml b/charts/authentik-remote-cluster/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: authentik-remote-cluster
 description: RBAC required for a remote cluster to be connected to authentik.
 type: application
-version: 1.0.2
+version: 1.0.3
 appVersion: "2021.10.2"
 home: https://goauthentik.io
 sources:

diff --git a/charts/authentik-remote-cluster/README.md b/charts/authentik-remote-cluster/README.md
@@ -5,7 +5,7 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge)
 ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge)
 
 RBAC required for a remote cluster to be connected to authentik.
@@ -16,8 +16,8 @@ RBAC required for a remote cluster to be connected to authentik.
 
 | Name | Email | Url |
 | ---- | ------ | --- |
-| BeryJu | [email protected] | https://github.com/BeryJu |
-| dirtycajunrice | [email protected] | https://github.com/dirtycajunrice |
+| BeryJu | <[email protected]> | <https://github.com/BeryJu> |
+| dirtycajunrice | <[email protected]> | <https://github.com/dirtycajunrice> |
 
 ## Source Code
 

diff --git a/charts/authentik-remote-cluster/README.md.gotmpl b/charts/authentik-remote-cluster/README.md.gotmpl
@@ -5,7 +5,7 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge)
+![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge)
 ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge)
 
 {{ template "chart.deprecationWarning" . }}

diff --git a/charts/authentik/Chart.yaml b/charts/authentik/Chart.yaml
@@ -16,8 +16,8 @@ keywords:
   - ldap
   - idp
   - sp
-version: 2022.7.3
-appVersion: 2022.7.2
+version: 2022.8.2
+appVersion: 2022.8.2
 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
 maintainers:
   - name: BeryJu
@@ -41,7 +41,7 @@ dependencies:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: upgrade to authentik 2022.7.2
+      description: upgrade to authentik 2022.8.2
   artifacthub.io/license: GPL-3.0-only
   artifacthub.io/links: |
     - name: Github
@@ -57,8 +57,8 @@ annotations:
       url: https://github.com/dirtycajunrice
   artifacthub.io/images: |
     - name: authentik
-      image: ghcr.io/goauthentik/server:2022.7.2
+      image: ghcr.io/goauthentik/server:2022.8.2
     - name: authentik-outpost-proxy
-      image: ghcr.io/goauthentik/proxy:2022.7.2
+      image: ghcr.io/goauthentik/proxy:2022.8.2
     - name: authentik-outpost-ldap
-      image: ghcr.io/goauthentik/ldap:2022.7.2
+      image: ghcr.io/goauthentik/ldap:2022.8.2
diff --git a/charts/authentik/README.md b/charts/authentik/README.md
@@ -6,8 +6,8 @@
 
 [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/helm/Lint%20and%20Test%20Chart?label=cid&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml)
-![Version: 2022.7.3](https://img.shields.io/badge/Version-2022.7.3-informational?style=for-the-badge)
-![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge)
+![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge)
+![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge)
 
 authentik is an open-source Identity Provider focused on flexibility and versatility
 
@@ -56,8 +56,8 @@ redis:
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.bitnami.com/bitnami | postgresql | 10.9.5 |
-| https://charts.bitnami.com/bitnami | redis | 15.3.2 |
+| https://charts.bitnami.com/bitnami | postgresql | 10.16.2 |
+| https://charts.bitnami.com/bitnami | redis | 15.7.6 |
 | https://library-charts.k8s-at-home.com | common | 4.2.0 |
 
 ## Values
@@ -96,6 +96,7 @@ redis:
 | authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to |
 | authentik.redis.password | string | `""` |  |
 | authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install |
+| blueprints | list | `[]` | List of config maps to mount blueprints from. Only keys in the configmap ending with ".yaml" wil be discovered and applied |
 | env | object | `{}` | see configuration options at https://goauthentik.io/docs/installation/configuration/ |
 | envFrom | list | `[]` |  |
 | envValueFrom | object | `{}` |  |
@@ -108,16 +109,15 @@ redis:
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.pullSecrets | list | `[]` |  |
 | image.repository | string | `"ghcr.io/goauthentik/server"` |  |
-| image.tag | string | `"2022.7.2"` |  |
+| image.tag | string | `"2022.8.2"` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.hosts[0].host | string | `"authentik.domain.tld"` |  |
 | ingress.hosts[0].paths[0].path | string | `"/"` |  |
 | ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
 | ingress.ingressClassName | string | `""` |  |
 | ingress.labels | object | `{}` |  |
-| ingress.tls[0].hosts | list | `[]` |  |
-| ingress.tls[0].secretName | string | `""` |  |
+| ingress.tls | list | `[]` |  |
 | initContainers | object | `{}` | See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values |
 | livenessProbe.enabled | bool | `true` | enables or disables the livenessProbe |
 | livenessProbe.httpGet.path | string | `"/-/health/live/"` | liveness probe url path |
@@ -153,6 +153,7 @@ redis:
 | service.protocol | string | `"TCP"` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.create | bool | `true` | Service account is needed for managed outposts |
+| tolerations | list | `[]` |  |
 | volumeMounts | list | `[]` |  |
 | volumes | list | `[]` |  |
 | worker.priorityClassName | string | `nil` | Custom priority class for different treatment by the scheduler |

diff --git a/charts/authentik/README.md.gotmpl b/charts/authentik/README.md.gotmpl
@@ -6,8 +6,8 @@
 
 [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/helm/Lint%20and%20Test%20Chart?label=cid&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml)
-![Version: 2022.7.3](https://img.shields.io/badge/Version-2022.7.3-informational?style=for-the-badge)
-![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge)
+![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge)
+![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge)
 
 {{ template "chart.deprecationWarning" . }}
 

diff --git a/charts/authentik/ci/ct-values.yaml b/charts/authentik/ci/ct-values.yaml
@@ -5,7 +5,7 @@ worker:
 
 image:
   repository: ghcr.io/goauthentik/server
-  tag: 2022.7.2
+  tag: 2022.8.2
   pullPolicy: IfNotPresent
 
 ingress:
@@ -35,3 +35,6 @@ redis:
   auth:
     enabled: true
     password: au7h3n71k
+
+blueprints:
+  - authentik-ci-blueprint
diff --git a/charts/authentik/ci/manfiests/blueprint.yaml b/charts/authentik/ci/manfiests/blueprint.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authentik-ci-blueprint
+data:
+  test-blueprint.yaml: |
+    version: 1
+    metadata:
+      name: ci-test-blueprint
+    entries:
+      - attrs:
+          designation: authentication
+          name: ci-test-blueprint
+          title: ci-test-blueprint
+        identifiers:
+          slug: ci-test-blueprint
+        model: authentik_flows.flow
+        id: flow
diff --git a/charts/authentik/templates/_helpers.tpl b/charts/authentik/templates/_helpers.tpl
@@ -26,3 +26,23 @@
     {{- end -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "authentik.secret" -}}
+  {{- range $k, $v := .values -}}
+    {{- if kindIs "map" $v -}}
+      {{- range $sk, $sv := $v -}}
+        {{- include "authentik.secret" (dict "root" $.root "values" (dict (printf "%s__%s" (upper $k) (upper $sk)) $sv)) -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $value := $v -}}
+      {{- if or (kindIs "bool" $v) (kindIs "float64" $v) -}}
+        {{- $v = toString $v -}}
+      {{- else -}}
+        {{- $v = tpl $v $.root }}
+      {{- end -}}
+      {{- if $v }}
+{{ printf "AUTHENTIK_%s" (upper $k) }}: {{ $v | b64enc | quote }}
+      {{- end }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/authentik/templates/deployment.yaml b/charts/authentik/templates/deployment.yaml
@@ -1,3 +1,9 @@
+{{- $env := .Values.env }}
+{{- range $name, $val := $.Values.envValueFrom }}
+{{- $env = merge $env (dict "name" $name "valueFrom" (toYaml $val)) }}
+{{- end }}
+{{- $envFrom := .Values.envFrom }}
+{{- $envFrom := append $envFrom (dict "secretRef" (dict "name" (printf "%s-secrets" (include "common.names.fullname" .) ))) }}
 {{- range list "server" "worker" }}
 ---
 apiVersion: apps/v1
@@ -70,18 +76,14 @@ spec:
           image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
           imagePullPolicy: "{{ $.Values.image.pullPolicy }}"
           args: [{{ quote . }}]
+            {{- with $env }}
           env:
-            {{- range $k, $v := $.Values.env }}
+            {{- range $k, $v := . }}
             - name: {{ quote $k }}
               value: {{ quote $v }}
             {{- end }}
-            {{- include "authentik.env" (dict "root" $ "values" $.Values.authentik) | indent 12 }}
-            {{- range $name, $val := $.Values.envValueFrom }}
-            - name: {{ $name }}
-              valueFrom:
-                {{- toYaml $val | nindent 16 }}
             {{- end }}
-            {{- with $.Values.envFrom }}
+            {{- with $envFrom }}
           envFrom:
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -91,6 +93,14 @@ spec:
             {{- with $.Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+      {{ if eq . "worker" -}}
+            {{- with $.Values.blueprints }}
+              {{- range $name := . }}
+            - name: blueprints-{{ $name }}
+              mountPath: /blueprints/mounted/{{ $name }}
+              {{- end }}
+            {{- end }}
+      {{- end }}
             {{- if eq . "server" }}
           ports:
             - name: http
@@ -123,16 +133,25 @@ spec:
         - name: geoip-sidecar
           image: "{{ $.Values.geoip.image }}"
           env:
+{{- range $name, $val := $.Values.envValueFrom }}
+{{- $env = merge $env (dict "name" $name "valueFrom" (toYaml $val)) }}
+{{- end }}
             - name: GEOIPUPDATE_FREQUENCY
               value: {{ $.Values.geoip.updateInterval | quote }}
             - name: GEOIPUPDATE_PRESERVE_FILE_TIMES
               value: "1"
-            - name: GEOIPUPDATE_ACCOUNT_ID
-              value: {{ required "geoip account id required" $.Values.geoip.accountId | quote }}
-            - name: GEOIPUPDATE_LICENSE_KEY
-              value: {{ required "geoip license key required" $.Values.geoip.licenseKey | quote }}
             - name: GEOIPUPDATE_EDITION_IDS
               value: {{ required "geoip edition id required" $.Values.geoip.editionIds | quote }}
+            - name: GEOIPUPDATE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-secrets" (include "common.names.fullname" $) }}
+                  key: GEOIPUPDATE_ACCOUNT_ID
+            - name: GEOIPUPDATE_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-secrets" (include "common.names.fullname" $) }}
+                  key: GEOIPUPDATE_LICENSE_KEY
           volumeMounts:
             - name: geoip-db
               mountPath: /usr/share/GeoIP
@@ -153,4 +172,13 @@ spec:
       {{- with $.Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+    {{ if eq . "worker" -}}
+      {{- with $.Values.blueprints }}
+        {{- range $name := . }}
+        - name: blueprints-{{ $name }}
+          configMap:
+            name: {{ $name }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
 {{- end }}
diff --git a/charts/authentik/templates/secret.yml b/charts/authentik/templates/secret.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-secrets" (include "common.names.fullname" .) }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- include "authentik.secret" (dict "root" . "values" .Values.authentik) | indent 2 }}
+  {{- if $.Values.geoip.enabled }}
+  GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" .Values.geoip.accountId | toString | b64enc | quote }}
+  GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" .Values.geoip.licenseKey | toString | b64enc | quote }}
+  {{- end }}
diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml
@@ -15,7 +15,7 @@ worker:
 
 image:
   repository: ghcr.io/goauthentik/server
-  tag: 2022.7.2
+  tag: 2022.8.2
   pullPolicy: IfNotPresent
   pullSecrets: []
 
@@ -35,9 +35,7 @@ ingress:
       paths:
         - path: "/"
           pathType: Prefix
-  tls:
-    - hosts: []
-      secretName: ""
+  tls: []
 
 authentik:
   # -- Log level for server and worker
@@ -114,6 +112,10 @@ authentik:
     host: '{{ .Release.Name }}-redis-master'
     password: ""
 
+# -- List of config maps to mount blueprints from. Only keys in the
+# configmap ending with ".yaml" wil be discovered and applied
+blueprints: []
+
 # -- see configuration options at https://goauthentik.io/docs/installation/configuration/
 env: {}
 # AUTHENTIK_VAR_NAME: VALUE