From 133c0ffe5a1b88accdad62a82d02e3377359e837 Mon Sep 17 00:00:00 2001 From: Jens L Date: Fri, 19 Aug 2022 17:04:17 +0100 Subject: [PATCH] 2022.8.2 (#84) * use secret for env variables * add blueprints, bump version * add blueprint to test * bump remote too I guess * add missing loop * only mount blueprints into worker * set namespace * actually create ns * 8.2 --- .github/workflows/lint-test.yaml | 6 ++- README.md | 6 +-- charts/authentik-remote-cluster/Chart.yaml | 2 +- charts/authentik-remote-cluster/README.md | 6 +-- .../authentik-remote-cluster/README.md.gotmpl | 2 +- charts/authentik/Chart.yaml | 12 ++--- charts/authentik/README.md | 15 +++--- charts/authentik/README.md.gotmpl | 4 +- charts/authentik/ci/ct-values.yaml | 5 +- charts/authentik/ci/manfiests/blueprint.yaml | 18 +++++++ charts/authentik/templates/_helpers.tpl | 20 ++++++++ charts/authentik/templates/deployment.yaml | 50 +++++++++++++++---- charts/authentik/templates/secret.yml | 13 +++++ charts/authentik/values.yaml | 10 ++-- 14 files changed, 129 insertions(+), 40 deletions(-) create mode 100644 charts/authentik/ci/manfiests/blueprint.yaml create mode 100644 charts/authentik/templates/secret.yml diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 94294b34..826cc600 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -42,4 +42,8 @@ jobs: if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - run: ct install --config ct.yaml + run: | + namespace=authentik-$(uuidgen) + kubectl create ns $namespace + kubectl apply -n $namespace -f charts/authentik/ci/manfiests/ + ct install --namespace=$namespace --config ct.yaml diff --git a/README.md b/README.md index 9f4db3f3..e502356a 100644 --- a/README.md +++ b/README.md 
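Review bot: The manifests directory is spelled `manfiests` in the new `kubectl apply -n $namespace -f charts/authentik/ci/manfiests/` line and in the new file path `charts/authentik/ci/manfiests/blueprint.yaml`; renaming both to `manifests` now is cheap, later it propagates into docs and scripts. The step also creates a namespace it never removes, and if ct does not clean up a caller-supplied `--namespace` (it only removes namespaces it generated itself, as far as I recall) the namespace outlives the job — harmless on a throwaway kind cluster, but a trailing `kubectl delete ns $namespace` or a comment `# cluster is ephemeral; namespace is not cleaned up` would make that intent explicit.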
@@ -9,14 +9,14 @@ ## authentik Chart -![Version: 2022.7.2](https://img.shields.io/badge/Version-2022.7.2-informational?style=for-the-badge) -![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge) +![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge) +![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge) See [README](./charts/authentik/README.md) ## authentik-remote-cluster Chart -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge) +![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge) ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge) See [README](./charts/authentik-remote-cluster/README.md) diff --git a/charts/authentik-remote-cluster/Chart.yaml b/charts/authentik-remote-cluster/Chart.yaml index 3435b8c4..eddf98a3 100644 --- a/charts/authentik-remote-cluster/Chart.yaml +++ b/charts/authentik-remote-cluster/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: authentik-remote-cluster description: RBAC required for a remote cluster to be connected to authentik. type: application -version: 1.0.2 +version: 1.0.3 appVersion: "2021.10.2" home: https://goauthentik.io sources: diff --git a/charts/authentik-remote-cluster/README.md b/charts/authentik-remote-cluster/README.md index 3012445c..f1389782 100644 --- a/charts/authentik-remote-cluster/README.md +++ b/charts/authentik-remote-cluster/README.md 
@@ -5,7 +5,7 @@ --- [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6) -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge) +![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge) ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge) RBAC required for a remote cluster to be connected to authentik. @@ -16,8 +16,8 @@ RBAC required for a remote cluster to be connected to authentik. | Name | Email | Url | | ---- | ------ | --- | -| BeryJu | jens@beryju.org | https://github.com/BeryJu | -| dirtycajunrice | nick@cajun.pro | https://github.com/dirtycajunrice | +| BeryJu | | | +| dirtycajunrice | | | ## Source Code diff --git a/charts/authentik-remote-cluster/README.md.gotmpl b/charts/authentik-remote-cluster/README.md.gotmpl index 13316a2e..d7b28e52 100644 --- a/charts/authentik-remote-cluster/README.md.gotmpl +++ b/charts/authentik-remote-cluster/README.md.gotmpl @@ -5,7 +5,7 @@ --- [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6) -![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=for-the-badge) +![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=for-the-badge) ![AppVersion: 2021.10.2](https://img.shields.io/badge/AppVersion-2021.10.2-informational?style=for-the-badge) {{ template "chart.deprecationWarning" . }} diff --git a/charts/authentik/Chart.yaml b/charts/authentik/Chart.yaml index a0730da5..d4a3cbe8 100644 --- a/charts/authentik/Chart.yaml +++ b/charts/authentik/Chart.yaml @@ -16,8 +16,8 @@ keywords: - ldap - idp - sp -version: 2022.7.3 -appVersion: 2022.7.2 +version: 2022.8.2 +appVersion: 2022.8.2 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg maintainers: - name: BeryJu 
@@ -41,7 +41,7 @@ dependencies: annotations: artifacthub.io/changes: | - kind: changed - description: upgrade to authentik 2022.7.2 + description: upgrade to authentik 2022.8.2 artifacthub.io/license: GPL-3.0-only artifacthub.io/links: | - name: Github @@ -57,8 +57,8 @@ annotations: url: https://github.com/dirtycajunrice artifacthub.io/images: | - name: authentik - image: ghcr.io/goauthentik/server:2022.7.2 + image: ghcr.io/goauthentik/server:2022.8.2 - name: authentik-outpost-proxy - image: ghcr.io/goauthentik/proxy:2022.7.2 + image: ghcr.io/goauthentik/proxy:2022.8.2 - name: authentik-outpost-ldap - image: ghcr.io/goauthentik/ldap:2022.7.2 + image: ghcr.io/goauthentik/ldap:2022.8.2 diff --git a/charts/authentik/README.md b/charts/authentik/README.md index 11a2fd9d..e88ff997 100644 --- a/charts/authentik/README.md +++ b/charts/authentik/README.md @@ -6,8 +6,8 @@ [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/helm/Lint%20and%20Test%20Chart?label=cid&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml) -![Version: 2022.7.3](https://img.shields.io/badge/Version-2022.7.3-informational?style=for-the-badge) -![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge) +![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge) +![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge) authentik is an open-source Identity Provider focused on flexibility and versatility 
@@ -56,8 +56,8 @@ redis: | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | postgresql | 10.9.5 | -| https://charts.bitnami.com/bitnami | redis | 15.3.2 | +| https://charts.bitnami.com/bitnami | postgresql | 10.16.2 | +| https://charts.bitnami.com/bitnami | redis | 15.7.6 | | https://library-charts.k8s-at-home.com | common | 4.2.0 | ## Values @@ -96,6 +96,7 @@ redis: | authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to | | authentik.redis.password | string | `""` | | | authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install | +| blueprints | list | `[]` | List of config maps to mount blueprints from. Only keys in the configmap ending with ".yaml" wil be discovered and applied | | env | object | `{}` | see configuration options at https://goauthentik.io/docs/installation/configuration/ | | envFrom | list | `[]` | | | envValueFrom | object | `{}` | | @@ -108,7 +109,7 @@ redis: | image.pullPolicy | string | `"IfNotPresent"` | | | image.pullSecrets | list | `[]` | | | image.repository | string | `"ghcr.io/goauthentik/server"` | | -| image.tag | string | `"2022.7.2"` | | +| image.tag | string | `"2022.8.2"` | | | ingress.annotations | object | `{}` | | | ingress.enabled | bool | `false` | | | ingress.hosts[0].host | string | `"authentik.domain.tld"` | | 
@@ -116,8 +117,7 @@ redis: | ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | | ingress.ingressClassName | string | `""` | | | ingress.labels | object | `{}` | | -| ingress.tls[0].hosts | list | `[]` | | -| ingress.tls[0].secretName | string | `""` | | +| ingress.tls | list | `[]` | | | initContainers | object | `{}` | See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values | | livenessProbe.enabled | bool | `true` | enables or disables the livenessProbe | | livenessProbe.httpGet.path | string | `"/-/health/live/"` | liveness probe url path | @@ -153,6 +153,7 @@ redis: | service.protocol | string | `"TCP"` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.create | bool | `true` | Service account is needed for managed outposts | +| tolerations | list | `[]` | | | volumeMounts | list | `[]` | | | volumes | list | `[]` | | | worker.priorityClassName | string | `nil` | Custom priority class for different treatment by the scheduler | diff --git a/charts/authentik/README.md.gotmpl b/charts/authentik/README.md.gotmpl index f8c01856..283d5596 100644 --- a/charts/authentik/README.md.gotmpl +++ b/charts/authentik/README.md.gotmpl 
@@ -6,8 +6,8 @@ [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/helm/Lint%20and%20Test%20Chart?label=cid&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml) -![Version: 2022.7.3](https://img.shields.io/badge/Version-2022.7.3-informational?style=for-the-badge) -![AppVersion: 2022.7.2](https://img.shields.io/badge/AppVersion-2022.7.2-informational?style=for-the-badge) +![Version: 2022.8.2](https://img.shields.io/badge/Version-2022.8.2-informational?style=for-the-badge) +![AppVersion: 2022.8.2](https://img.shields.io/badge/AppVersion-2022.8.2-informational?style=for-the-badge) {{ template "chart.deprecationWarning" . }} diff --git a/charts/authentik/ci/ct-values.yaml b/charts/authentik/ci/ct-values.yaml index f45604d3..80a8cee1 100644 --- a/charts/authentik/ci/ct-values.yaml +++ b/charts/authentik/ci/ct-values.yaml @@ -5,7 +5,7 @@ worker: image: repository: ghcr.io/goauthentik/server - tag: 2022.7.2 + tag: 2022.8.2 pullPolicy: IfNotPresent ingress: @@ -35,3 +35,6 @@ redis: auth: enabled: true password: au7h3n71k + +blueprints: + - authentik-ci-blueprint diff --git a/charts/authentik/ci/manfiests/blueprint.yaml b/charts/authentik/ci/manfiests/blueprint.yaml new file mode 100644 index 00000000..1a3737bd --- /dev/null +++ b/charts/authentik/ci/manfiests/blueprint.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: authentik-ci-blueprint +data: + test-blueprint.yaml: | + version: 1 + metadata: + name: ci-test-blueprint + entries: + - attrs: + designation: authentication + name: ci-test-blueprint + title: ci-test-blueprint + identifiers: + slug: ci-test-blueprint + model: authentik_flows.flow + id: flow diff --git a/charts/authentik/templates/_helpers.tpl b/charts/authentik/templates/_helpers.tpl index da9516c3..23de313d 100644 
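Review bot: The new ConfigMap gives no hint that it is a CI fixture consumed through the `blueprints` list in `ci/ct-values.yaml`, nor why its data key is named `test-blueprint.yaml`, which matters because the values documentation in this same patch says only keys ending in ".yaml" are discovered. A header comment such as `# CI fixture: referenced from ci/ct-values.yaml via "blueprints: [authentik-ci-blueprint]"; the data key must end in ".yaml" to be picked up by the worker` would let the next person change the key or name without breaking the install test.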
--- a/charts/authentik/templates/_helpers.tpl +++ b/charts/authentik/templates/_helpers.tpl @@ -26,3 +26,23 @@ {{- end -}} {{- end -}} {{- end -}} + +{{- define "authentik.secret" -}} + {{- range $k, $v := .values -}} + {{- if kindIs "map" $v -}} + {{- range $sk, $sv := $v -}} + {{- include "authentik.secret" (dict "root" $.root "values" (dict (printf "%s__%s" (upper $k) (upper $sk)) $sv)) -}} + {{- end -}} + {{- else -}} + {{- $value := $v -}} + {{- if or (kindIs "bool" $v) (kindIs "float64" $v) -}} + {{- $v = toString $v -}} + {{- else -}} + {{- $v = tpl $v $.root }} + {{- end -}} + {{- if $v }} +{{ printf "AUTHENTIK_%s" (upper $k) }}: {{ $v | b64enc | quote }} + {{- end }} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/authentik/templates/deployment.yaml b/charts/authentik/templates/deployment.yaml index bc32289c..765c99ed 100644 --- a/charts/authentik/templates/deployment.yaml +++ b/charts/authentik/templates/deployment.yaml @@ -1,3 +1,9 @@ +{{- $env := .Values.env }} +{{- range $name, $val := $.Values.envValueFrom }} +{{- $env = merge $env (dict "name" $name "valueFrom" (toYaml $val)) }} +{{- end }} +{{- $envFrom := .Values.envFrom }} +{{- $envFrom := append $envFrom (dict "secretRef" (dict "name" (printf "%s-secrets" (include "common.names.fullname" .) ))) }} {{- range list "server" "worker" }} --- apiVersion: apps/v1 @@ -70,18 +76,14 @@ spec: image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" imagePullPolicy: "{{ $.Values.image.pullPolicy }}" args: [{{ quote . }}] + {{- with $env }} env: - {{- range $k, $v := $.Values.env }} + {{- range $k, $v := . }} - name: {{ quote $k }} value: {{ quote $v }} {{- end }} - {{- include "authentik.env" (dict "root" $ "values" $.Values.authentik) | indent 12 }} - {{- range $name, $val := $.Values.envValueFrom }} - - name: {{ $name }} - valueFrom: - {{- toYaml $val | nindent 16 }} {{- end }} - {{- with $.Values.envFrom }} + {{- with $envFrom }} envFrom: {{- toYaml . | nindent 12 }} {{- end }} 
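Review bot: The numeric guard `{{- if or (kindIs "bool" $v) (kindIs "float64" $v) -}}` only covers numbers that came from a values file; Helm parses integers given with `--set` as int64, so a constructed `--set authentik.<key>=<number>` falls through to `tpl $v $.root`, which needs a string and aborts the render. Widening it to `{{- if or (kindIs "bool" $v) (kindIs "float64" $v) (kindIs "int64" $v) (kindIs "int" $v) -}}` keeps both input paths working. `{{- $value := $v -}}` is assigned and never read and can go. A one-line comment above the define saying that every non-empty `authentik.*` value is flattened to `AUTHENTIK_<KEY>` (nested maps become `<KEY>__<SUBKEY>`) and base64-encoded into the chart Secret would spare readers the trace through the recursion.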
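Review bot: `{{- $env = merge $env (dict "name" $name "valueFrom" (toYaml $val)) }}` does not add an env entry for each `envValueFrom` item; it merges the literal keys `name` and `valueFrom` into the `.Values.env` map, so the second hunk of this file (`range $k, $v := .` under `env:`) renders two bogus variables called `name` and `valueFrom` whose values are the entry name and the YAML text of the selector, and the referenced Secret/ConfigMap value never reaches the container (sprig `merge` also keeps existing keys, so only the first item lands at all, and it mutates `.Values.env` in place). The old rendering that the second hunk removed was correct; restore it inside the env block and widen the guard so `env:` is still emitted when only `envValueFrom` is set. The same merge loop is repeated under the geoip sidecar in the later hunk and should go as well.
```yaml
{{- $env := .Values.env }}
# … unchanged: $envFrom setup, range list "server" "worker", container image/args …
          {{- if or $env $.Values.envValueFrom }}
          env:
            {{- range $k, $v := $env }}
            - name: {{ quote $k }}
              value: {{ quote $v }}
            {{- end }}
            {{- range $name, $val := $.Values.envValueFrom }}
            - name: {{ $name }}
              valueFrom:
                {{- toYaml $val | nindent 16 }}
            {{- end }}
          {{- end }}
```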
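Review bot: Replacing the inline `include "authentik.env"` with `envFrom` → `secretRef` means a change to any `authentik.*` value (log level, database host, passwords) now alters only the Secret and no longer changes the pod template, so `helm upgrade` will not roll the server and worker pods and they keep running with the old configuration until something else restarts them. The usual fix is a pod-template annotation on both Deployments, `checksum/secret: {{ include (print $.Template.BasePath "/secret.yml") $ | sha256sum }}`; the pod template metadata is outside this hunk. A comment next to the `$envFrom` append saying that the chart Secret is always attached and what it carries would also help.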
@@ -91,6 +93,14 @@ spec: {{- with $.Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{ if eq . "worker" -}} + {{- with $.Values.blueprints }} + {{- range $name := . }} + - name: blueprints-{{ $name }} + mountPath: /blueprints/mounted/{{ $name }} + {{- end }} + {{- end }} + {{- end }} {{- if eq . "server" }} ports: - name: http @@ -123,16 +133,25 @@ spec: - name: geoip-sidecar image: "{{ $.Values.geoip.image }}" env: +{{- range $name, $val := $.Values.envValueFrom }} +{{- $env = merge $env (dict "name" $name "valueFrom" (toYaml $val)) }} +{{- end }} - name: GEOIPUPDATE_FREQUENCY value: {{ $.Values.geoip.updateInterval | quote }} - name: GEOIPUPDATE_PRESERVE_FILE_TIMES value: "1" - - name: GEOIPUPDATE_ACCOUNT_ID - value: {{ required "geoip account id required" $.Values.geoip.accountId | quote }} - - name: GEOIPUPDATE_LICENSE_KEY - value: {{ required "geoip license key required" $.Values.geoip.licenseKey | quote }} - name: GEOIPUPDATE_EDITION_IDS value: {{ required "geoip edition id required" $.Values.geoip.editionIds | quote }} + - name: GEOIPUPDATE_ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ printf "%s-secrets" (include "common.names.fullname" $) }} + key: GEOIPUPDATE_ACCOUNT_ID + - name: GEOIPUPDATE_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ printf "%s-secrets" (include "common.names.fullname" $) }} + key: GEOIPUPDATE_LICENSE_KEY volumeMounts: - name: geoip-db mountPath: /usr/share/GeoIP @@ -153,4 +172,13 @@ spec: {{- with $.Values.volumes }} {{- toYaml . | nindent 8 }} {{- end }} + {{ if eq . "worker" -}} + {{- with $.Values.blueprints }} + {{- range $name := . }} + - name: blueprints-{{ $name }} + configMap: + name: {{ $name }} + {{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/authentik/templates/secret.yml b/charts/authentik/templates/secret.yml new file mode 100644 index 00000000..0d459036 --- /dev/null +++ b/charts/authentik/templates/secret.yml 
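Review bot: `{{ if eq . "worker" -}}` has no left trim, so every rendered server and worker manifest gets a whitespace-only line inside the volumeMounts list (and the volumes list in the last hunk of this file, which uses the same form); `{{- if eq . "worker" }}` matches the sibling `{{- with` lines. The generated volume name `blueprints-{{ $name }}` must be a DNS label of at most 63 characters while a ConfigMap name may be up to 253, so a long entry in `blueprints` fails API validation at install time; `name: {{ printf "blueprints-%s" $name | trunc 63 | trimSuffix "-" }}` in both places avoids that, provided both hunks are changed together so mount and volume still match. A short comment such as `# blueprints are mounted only into the worker, at /blueprints/mounted/<configmap-name>` would document the worker-only branch.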
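Review bot: The three lines `{{- range $name, $val := $.Values.envValueFrom }} … {{- $env = merge … }} … {{- end }}` placed under the geoip sidecar's `env:` render nothing and only re-run the merge already done at the top of the file; delete them. Moving GEOIPUPDATE_ACCOUNT_ID and GEOIPUPDATE_LICENSE_KEY to `secretKeyRef` is the right direction, since the license key no longer sits in clear text in the pod spec. Note that the `required` check for `editionIds` stays in this template while the account-id and license-key checks moved to secret.yml, so a missing value now fails from different files; a one-line comment here, `# account id and license key are validated and stored in secret.yml`, would save the hunt.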
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-secrets" (include "common.names.fullname" .) }} + labels: + {{- include "common.labels" . | nindent 4 }} +type: Opaque +data: + {{- include "authentik.secret" (dict "root" . "values" .Values.authentik) | indent 2 }} + {{- if $.Values.geoip.enabled }} + GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" .Values.geoip.accountId | toString | b64enc | quote }} + GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" .Values.geoip.licenseKey | toString | b64enc | quote }} + {{- end }} diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml index 6f0eb4b4..86fbc8d2 100644 --- a/charts/authentik/values.yaml +++ b/charts/authentik/values.yaml @@ -15,7 +15,7 @@ worker: image: repository: ghcr.io/goauthentik/server - tag: 2022.7.2 + tag: 2022.8.2 pullPolicy: IfNotPresent pullSecrets: [] @@ -35,9 +35,7 @@ ingress: paths: - path: "/" pathType: Prefix - tls: - - hosts: [] - secretName: "" + tls: [] authentik: # -- Log level for server and worker @@ -114,6 +112,10 @@ authentik: host: '{{ .Release.Name }}-redis-master' password: "" +# -- List of config maps to mount blueprints from. Only keys in the +# configmap ending with ".yaml" wil be discovered and applied +blueprints: [] + # -- see configuration options at https://goauthentik.io/docs/installation/configuration/ env: {} # AUTHENTIK_VAR_NAME: VALUE
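Review bot: `{{- include "authentik.secret" (dict "root" . "values" .Values.authentik) | indent 2 }}` depends on the helper emitting a leading newline before each entry, so the rendered Secret has `data:` followed by a whitespace-only line and trailing spaces; using `nindent 2` here, as the `common.labels` line two lines above already does, and trimming the newline in the helper gives clean output. A second point, hedged: an unquoted numeric `geoip.accountId` in values arrives as float64 and `toString` formats it with `%v` as far as I can tell, so a seven-digit account id can come out as `1.2345e+06` (constructed example); documenting `accountId` as a quoted string in values.yaml (outside this hunk) avoids that. A header comment stating that this Secret holds every non-empty `authentik.*` value plus the GeoIP credentials, and is attached to both Deployments via envFrom, would make its blast radius clear to anyone granting `get secrets`.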
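Review bot: The new comment has a typo, "wil" for "will" — `# configmap ending with ".yaml" will be discovered and applied` — and the same text was copied into the README.md values table in this patch, so both need the fix (or regenerate the README). The comment could also state what the deployment template shows: that the ConfigMaps are mounted only into the worker pod, at `/blueprints/mounted/<configmap-name>`, which is the detail an operator needs when a blueprint does not show up.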