v1.0.0-RC6

* values: update defaults to ensure correct types * readme: add example values to get started * bump chart version * add disclaimer for error_reporting * update changelog in chart * add things * hehe * hehe2 * update changes in annotations * remove duplicate from defaults * more default values Co-authored-by: Nicholas St. Germain <[email protected]>
goauthentik · May 10, 2021 · a0372b7 · a0372b7
1 parent b15fb29
commit a0372b7
Show file tree

Hide file tree

Showing 6 changed files with 156 additions and 59 deletions.
diff --git a/charts/authentik/Chart.yaml b/charts/authentik/Chart.yaml
@@ -9,7 +9,7 @@ keywords:
   - proxy
   - oauth
   - authentication
-version: 1.0.0-RC5
+version: 1.0.0-RC6
 appVersion: 2021.4.5
 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
 maintainers:
@@ -34,11 +34,19 @@ dependencies:
 annotations:
   artifacthub.io/prerelease: "true"
   artifacthub.io/changes: |
-    - kind: fixed
-      description: removed lingering suffix in ingress causing a mismatch for selector
+    - kind: added
+      description: example values in readme to get started
       links:
         - name: Github PR
-          url: https://github.com/goauthentik/helm/pull/5
+          url: https://github.com/goauthentik/helm/pull/6
+    - kind: added
+      description: a few of the descriptions for values.yaml
+    - kind: changed
+      description: default values for some empty fields
+    - kind: fixed
+      description: missing roles for traefik middlewares and crd list
+    - kind: security
+      description: explicitly disabled send_pii by default
   artifacthub.io/license: GPL-3.0-only
   artifacthub.io/links: |
     - name: Github

diff --git a/charts/authentik/README.md b/charts/authentik/README.md
@@ -1,6 +1,6 @@
 # authentik
 
-![Version: 1.0.0-RC5](https://img.shields.io/badge/Version-1.0.0--RC5-informational?style=flat-square) ![AppVersion: 2021.4.5](https://img.shields.io/badge/AppVersion-2021.4.5-informational?style=flat-square)
+![Version: 1.0.0-RC6](https://img.shields.io/badge/Version-1.0.0--RC6-informational?style=flat-square) ![AppVersion: 2021.4.5](https://img.shields.io/badge/AppVersion-2021.4.5-informational?style=flat-square)
 
 authentik is an open-source Identity Provider focused on flexibility and versatility
 
@@ -13,6 +13,38 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 | BeryJu | [email protected] | https://github.com/BeryJu |
 | dirtycajunrice | [email protected] | https://github.com/DirtyCajunRice |
 
+## Example values to get started:
+
+```yaml
+authentik:
+  secret_key: "PleaseGenerateA50CharKey"
+  # This sends anonymous usage-data, stack traces on errors and
+  # performance data to sentry.beryju.org, and is fully opt-in
+  error_reporting:
+    enabled: true
+  postgresql:
+    host: "asdf-postgresql"
+    name: "authentik"
+    user: "authentik"
+    password: "ThisIsNotASecurePassword"
+  redis:
+    host: "asdf-redis-master"
+
+ingress:
+  enabled: true
+  hosts:
+    - host: authentik.domain.tld
+      paths:
+        - path: "/"
+          pathType: Prefix
+
+postgresql:
+  enabled: true
+  postgresqlPassword: "ThisIsNotASecurePassword"
+redis:
+  enabled: true
+```
+
 ## Source Code
 
 * <https://github.com/goauthentik/authentik>
@@ -33,18 +65,19 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 | affinity | object | `{}` |  |
 | authentik.email.from | string | `""` |  |
 | authentik.email.host | string | `""` |  |
-| authentik.email.port | string | `""` |  |
-| authentik.email.timeout | string | `""` |  |
-| authentik.email.use_ssl | string | `""` |  |
-| authentik.email.use_tls | string | `""` |  |
+| authentik.email.port | int | `587` |  |
+| authentik.email.timeout | int | `30` |  |
+| authentik.email.use_ssl | bool | `false` |  |
+| authentik.email.use_tls | bool | `false` |  |
 | authentik.email.username | string | `""` |  |
 | authentik.error_reporting.enabled | bool | `false` |  |
-| authentik.error_reporting.environment | string | `""` |  |
-| authentik.error_reporting.send_pii | string | `""` |  |
-| authentik.log_level | string | `""` |  |
-| authentik.outposts.docker_image_base | string | `""` |  |
-| authentik.postgresql.host | string | `""` |  |
+| authentik.error_reporting.environment | string | `"k8s"` |  |
+| authentik.error_reporting.send_pii | bool | `false` |  |
+| authentik.log_level | string | `"info"` |  |
+| authentik.outposts.docker_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` |  |
+| authentik.postgresql.host | string | `{{ .Release.Name }}-postgresql` | set the postgresql hostname to talk to if unset and .Values.postgresql.enabled == true, will generate the default |
 | authentik.postgresql.name | string | `""` |  |
+| authentik.postgresql.password | string | `""` |  |
 | authentik.postgresql.s3_backup.access_key | string | `""` |  |
 | authentik.postgresql.s3_backup.bucket | string | `""` |  |
 | authentik.postgresql.s3_backup.host | string | `""` |  |
@@ -71,12 +104,14 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 | ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
 | ingress.ingressClassName | string | `""` |  |
 | ingress.labels | object | `{}` |  |
-| livenessProbe.enabled | bool | `true` |  |
-| livenessProbe.httpGet.path | string | `"/-/health/live/"` |  |
+| livenessProbe.enabled | bool | `true` | enables or disables the livenessProbe |
+| livenessProbe.httpGet.path | string | `"/-/health/live/"` | liveness probe url path |
 | livenessProbe.httpGet.port | string | `"http"` |  |
-| livenessProbe.initialDelaySeconds | int | `60` |  |
-| livenessProbe.periodSeconds | int | `30` |  |
+| livenessProbe.initialDelaySeconds | int | `15` |  |
+| livenessProbe.periodSeconds | int | `10` |  |
 | postgresql.enabled | bool | `false` |  |
+| postgresql.postgresqlDatabase | string | `"authentik"` |  |
+| postgresql.postgresqlUsername | string | `"authentik"` |  |
 | prometheus.rules.create | bool | `false` |  |
 | prometheus.serviceMonitor.create | bool | `false` |  |
 | prometheus.serviceMonitor.interval | string | `"10s"` |  |
@@ -87,8 +122,8 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 | readinessProbe.enabled | bool | `true` |  |
 | readinessProbe.httpGet.path | string | `"/-/health/ready/"` |  |
 | readinessProbe.httpGet.port | string | `"http"` |  |
-| readinessProbe.initialDelaySeconds | int | `60` |  |
-| readinessProbe.periodSeconds | int | `30` |  |
+| readinessProbe.initialDelaySeconds | int | `15` |  |
+| readinessProbe.periodSeconds | int | `10` |  |
 | redis.auth.enabled | bool | `false` |  |
 | redis.enabled | bool | `false` |  |
 | replicas | int | `1` |  |

diff --git a/charts/authentik/README.md.gotmpl b/charts/authentik/README.md.gotmpl
@@ -9,6 +9,38 @@
 
 {{ template "chart.maintainersSection" . }}
 
+## Example values to get started:
+
+```yaml
+authentik:
+  secret_key: "PleaseGenerateA50CharKey"
+  # This sends anonymous usage-data, stack traces on errors and
+  # performance data to sentry.beryju.org, and is fully opt-in
+  error_reporting:
+    enabled: true
+  postgresql:
+    host: "asdf-postgresql"
+    name: "authentik"
+    user: "authentik"
+    password: "ThisIsNotASecurePassword"
+  redis:
+    host: "asdf-redis-master"
+
+ingress:
+  enabled: true
+  hosts:
+    - host: authentik.domain.tld
+      paths:
+        - path: "/"
+          pathType: Prefix
+
+postgresql:
+  enabled: true
+  postgresqlPassword: "ThisIsNotASecurePassword"
+redis:
+  enabled: true
+```
+
 {{ template "chart.sourcesSection" . }}
 
 {{ template "chart.requirementsSection" . }}

diff --git a/charts/authentik/ci/ct-values.yaml b/charts/authentik/ci/ct-values.yaml
@@ -16,8 +16,6 @@ ingress:
 authentik:
   log_level: debug
   secret_key: 5up3r53cr37K3y
-  outposts:
-    docker_image_base: beryju/authentik
   postgresql:
     host: postgresql
     name: authentik
@@ -30,9 +28,7 @@ authentik:
 postgresql:
   enabled: true
   fullnameOverride: postgresql
-  postgresqlUsername: authentik
   postgresqlPassword: au7h3n71k
-  postgresqlDatabase: authentik
   persistence:
     enabled: false
 

diff --git a/charts/authentik/templates/rbac.yaml b/charts/authentik/templates/rbac.yaml
@@ -31,31 +31,47 @@ rules:
       - services
       - configmaps
     verbs:
-      - "get"
-      - "create"
-      - "delete"
-      - "list"
-      - "patch"
+      - get
+      - create
+      - delete
+      - list
+      - patch
   - apiGroups:
-      - "extensions"
-      - "apps"
+      - extensions
+      - apps
     resources:
-      - "deployments"
+      - deployments
     verbs:
-      - "get"
-      - "create"
-      - "delete"
-      - "list"
-      - "patch"
+      - get
+      - create
+      - delete
+      - list
+      - patch
   - apiGroups:
-      - "extensions"
-      - "networking.k8s.io"
+      - extensions
+      - networking.k8s.io
     resources:
-      - "ingresses"
+      - ingresses
     verbs:
-      - "get"
-      - "create"
-      - "delete"
-      - "list"
-      - "patch"
+      - get
+      - create
+      - delete
+      - list
+      - patch
+  - apiGroups:
+     - traefik.containo.us
+    resources:
+     - middlewares
+    verbs:
+      - get
+      - create
+      - delete
+      - list
+      - patch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
   {{- end }}
diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml
@@ -17,26 +17,32 @@ ingress:
           pathType: Prefix
 
 authentik:
-  log_level: ""
+  log_level: info
   secret_key: ""
   email:
     host: ""
-    port: ""
+    port: 587
     username: ""
-    use_tls: ""
-    use_ssl: ""
-    timeout: ""
+    use_tls: false
+    use_ssl: false
+    timeout: 30
     from: ""
   outposts:
-    docker_image_base: ""
+    docker_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
   error_reporting:
+    # This sends anonymous usage-data, stack traces on errors and
+    # performance data to sentry.beryju.org, and is fully opt-in
     enabled: false
-    environment: ""
-    send_pii: ""
+    environment: "k8s"
+    send_pii: false
   postgresql:
+    # -- set the postgresql hostname to talk to
+    # if unset and .Values.postgresql.enabled == true, will generate the default
+    # @default -- `{{ .Release.Name }}-postgresql`
     host: ""
     name: ""
     user: ""
+    password: ""
     s3_backup:
       access_key: ""
       bucket: ""
@@ -79,21 +85,25 @@ resources:
   server: {}
   worker: {}
 
+# WARNING! When initially deploying, authentik has to do a few DB migrations. This may cause it to die from probe
+# failure, but will continue on reboot. You can disable this during deployment if this is not desired
 livenessProbe:
+  # -- enables or disables the livenessProbe
   enabled: true
   httpGet:
+    # -- liveness probe url path
     path: /-/health/live/
     port: http
-  initialDelaySeconds: 60
-  periodSeconds: 30
+  initialDelaySeconds: 15
+  periodSeconds: 10
 
 readinessProbe:
   enabled: true
   httpGet:
     path: /-/health/ready/
     port: http
-  initialDelaySeconds: 60
-  periodSeconds: 30
+  initialDelaySeconds: 15
+  periodSeconds: 10
 
 serviceAccount:
   create: true
@@ -120,9 +130,9 @@ geoip:
 
 postgresql:
   enabled: false
-  # postgresqlUsername: ""
+  postgresqlUsername: "authentik"
   # postgresqlPassword: ""
-  # postgresqlDatabase: ""
+  postgresqlDatabase: "authentik"
   # persistence:
   #   enabled: true
   #   storageClass: