goauthentik · BeryJu · Apr 23, 2023 · Jul 20, 2024 · Jul 20, 2024
@@ -1,2 +1,3 @@
 Chart.lock
 charts/authentik/charts
+venv
@@ -0,0 +1,3 @@
+all:
+	python3 scripts/update-values-from-config.py
+	helm-docs
@@ -100,6 +100,16 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalObjects | list | `[]` | additional resources to deploy. Those objects are templated. |
+| authentik.blueprints_dir | string | `"/blueprints"` |  |
+| authentik.cache.timeout | int | `300` |  |
+| authentik.cache.timeout_flows | int | `300` |  |
+| authentik.cache.timeout_policies | int | `300` |  |
+| authentik.cert_discovery_dir | string | `"/certs"` |  |
+| authentik.compliance.fips.enabled | bool | `false` |  |
+| authentik.cookie_domain | string | `nil` |  |
+| authentik.debug | bool | `false` |  |
+| authentik.disable_startup_analytics | bool | `false` |  |
+| authentik.disable_update_check | bool | `false` |  |
 | authentik.email.from | string | `""` | Email from address, can either be in the format "[email protected]" or "authentik <[email protected]>" |
 | authentik.email.host | string | `""` | SMTP Server emails are sent from, fully optional |
 | authentik.email.password | string | `""` | SMTP credentials, when left empty, no authentication will be done |
@@ -113,16 +123,43 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | authentik.error_reporting.send_pii | bool | `false` | Send PII (Personally identifiable information) data to sentry |
 | authentik.events.context_processors.asn | string | `"/geoip/GeoLite2-ASN.mmdb"` | Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. |
 | authentik.events.context_processors.geoip | string | `"/geoip/GeoLite2-City.mmdb"` | Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. |
-| authentik.log_level | string | `"info"` | Log level for server and worker |
-| authentik.outposts.container_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` | Template used for managed outposts. The following placeholders can be used %(type)s - the type of the outpost %(version)s - version of your authentik install %(build_hash)s - only for beta versions, the build hash of the image |
+| authentik.ldap.page_size | int | `50` |  |
+| authentik.ldap.task_timeout_hours | int | `2` |  |
+| authentik.ldap.tls.ciphers | string | `nil` |  |
+| authentik.listen.listen_debug | string | `"0.0.0.0:9900"` |  |
+| authentik.listen.listen_http | string | `"0.0.0.0:9000"` |  |
+| authentik.listen.listen_https | string | `"0.0.0.0:9443"` |  |
+| authentik.listen.listen_ldap | string | `"0.0.0.0:3389"` |  |
+| authentik.listen.listen_ldaps | string | `"0.0.0.0:6636"` |  |
+| authentik.listen.listen_metrics | string | `"0.0.0.0:9300"` |  |
+| authentik.listen.listen_radius | string | `"0.0.0.0:1812"` |  |
+| authentik.listen.trusted_proxy_cidrs[0] | string | `"127.0.0.0/8"` |  |
+| authentik.listen.trusted_proxy_cidrs[1] | string | `"10.0.0.0/8"` |  |
+| authentik.listen.trusted_proxy_cidrs[2] | string | `"172.16.0.0/12"` |  |
+| authentik.listen.trusted_proxy_cidrs[3] | string | `"192.168.0.0/16"` |  |
+| authentik.listen.trusted_proxy_cidrs[4] | string | `"fe80::/10"` |  |
+| authentik.listen.trusted_proxy_cidrs[5] | string | `"::1/128"` |  |
+| authentik.log_level | string | `"info"` |  |
+| authentik.outposts.container_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` |  |
+| authentik.postgresql | object | `{"host":"{{ .Release.Name }}-postgresql","name":"authentik","password":"","port":5432,"user":"authentik"}` | Log level for server and worker |
 | authentik.postgresql.host | string | `{{ .Release.Name }}-postgresql` | set the postgresql hostname to talk to if unset and .Values.postgresql.enabled == true, will generate the default |
 | authentik.postgresql.name | string | `authentik` | postgresql Database name |
-| authentik.postgresql.password | string | `""` |  |
-| authentik.postgresql.port | int | `5432` |  |
 | authentik.postgresql.user | string | `authentik` | postgresql Username |
 | authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to |
 | authentik.redis.password | string | `""` |  |
-| authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install |
+| authentik.remote_debug | bool | `false` |  |
+| authentik.reputation.expiry | int | `86400` |  |
+| authentik.secret_key | string | `""` |  |
+| authentik.session_storage | string | `"cache"` |  |
+| authentik.storage.media.backend | string | `"file"` |  |
+| authentik.storage.media.file.path | string | `"./media"` |  |
+| authentik.storage.media.s3.secure_urls | bool | `true` |  |
+| authentik.tenants.api_key | string | `""` |  |
+| authentik.tenants.enabled | bool | `false` |  |
+| authentik.throttle.default | string | `"1000/second"` |  |
+| authentik.throttle.providers.oauth2.device | string | `"20/hour"` |  |
+| authentik.web.threads | int | `4` |  |
+| authentik.worker.concurrency | int | `2` |  |
 | blueprints.configMaps | list | `[]` | List of config maps to mount blueprints from. Only keys in the configMap ending with `.yaml` will be discovered and applied. |
 | blueprints.secrets | list | `[]` | List of secrets to mount blueprints from. Only keys in the secret ending with `.yaml` will be discovered and applied. |
 | fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible |

@@ -139,16 +139,74 @@ global:
 ## Authentik configuration
 authentik:
   # -- Log level for server and worker
+  postgresql:
+    # -- set the postgresql hostname to talk to
+    # if unset and .Values.postgresql.enabled == true, will generate the default
+    # @default -- `{{ .Release.Name }}-postgresql`
+    host: "{{ .Release.Name }}-postgresql"
+    # -- postgresql Database name
+    # @default -- `authentik`
+    name: "authentik"
+    # -- postgresql Username
+    # @default -- `authentik`
+    user: "authentik"
+    password: ""
+    port: 5432
+  # For example
+  # 0:
+  #   host: replica1.example.com
+
+  listen:
+    listen_http: 0.0.0.0:9000
+    listen_https: 0.0.0.0:9443
+    listen_ldap: 0.0.0.0:3389
+    listen_ldaps: 0.0.0.0:6636
+    listen_radius: 0.0.0.0:1812
+    listen_metrics: 0.0.0.0:9300
+    listen_debug: 0.0.0.0:9900
+    trusted_proxy_cidrs:
+    - 127.0.0.0/8
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - fe80::/10
+    - ::1/128
+
+  redis:
+    # -- set the redis hostname to talk to
+    # @default -- `{{ .Release.Name }}-redis-master`
+    host: "{{ .Release.Name }}-redis-master"
+    password: ""
+
+
+  cache:
+  # url: ""
+    timeout: 300
+    timeout_flows: 300
+    timeout_policies: 300
+
+# channel:
+#   url: ""
+
+# result_backend:
+#   url: ""
+#   transport_options: ""
+
+  debug: false
+  remote_debug: false
+
   log_level: info
-  # -- Secret key used for cookie singing and unique user IDs,
-  # don't change this after the first install
-  secret_key: ""
-  events:
-    context_processors:
-      # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
-      geoip: /geoip/GeoLite2-City.mmdb
-      # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
-      asn: /geoip/GeoLite2-ASN.mmdb
+
+  session_storage: cache
+
+  error_reporting:
+    # -- This sends anonymous usage-data, stack traces on errors and
+    # performance data to sentry.beryju.org, and is fully opt-in
+    enabled: false
+    # -- This is a string that is sent to sentry with your error reports
+    environment: "k8s"
+    # -- Send PII (Personally identifiable information) data to sentry
+    send_pii: false
   email:
     # -- SMTP Server emails are sent from, fully optional
     host: ""
@@ -166,40 +224,73 @@ authentik:
     timeout: 30
     # -- Email from address, can either be in the format "[email protected]" or "authentik <[email protected]>"
     from: ""
+  throttle:
+    providers:
+      oauth2:
+        device: 20/hour
+    default: 1000/second
+
   outposts:
-    # -- Template used for managed outposts. The following placeholders can be used
-    # %(type)s - the type of the outpost
-    # %(version)s - version of your authentik install
-    # %(build_hash)s - only for beta versions, the build hash of the image
+  # Placeholders:
+  # %(type)s: Outpost type; proxy, ldap, etc
+  # %(version)s: Current version; 2021.4.1
+  # %(build_hash)s: Build hash if you're running a beta version
     container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
-  error_reporting:
-    # -- This sends anonymous usage-data, stack traces on errors and
-    # performance data to sentry.beryju.org, and is fully opt-in
-    enabled: false
-    # -- This is a string that is sent to sentry with your error reports
-    environment: "k8s"
-    # -- Send PII (Personally identifiable information) data to sentry
-    send_pii: false
-  postgresql:
-    # -- set the postgresql hostname to talk to
-    # if unset and .Values.postgresql.enabled == true, will generate the default
-    # @default -- `{{ .Release.Name }}-postgresql`
-    host: "{{ .Release.Name }}-postgresql"
-    # -- postgresql Database name
-    # @default -- `authentik`
-    name: "authentik"
-    # -- postgresql Username
-    # @default -- `authentik`
-    user: "authentik"
-    password: ""
-    port: 5432
-  redis:
-    # -- set the redis hostname to talk to
-    # @default -- `{{ .Release.Name }}-redis-master`
-    host: "{{ .Release.Name }}-redis-master"
-    password: ""
+  ldap:
+    task_timeout_hours: 2
+    page_size: 50
+    tls:
+      ciphers:
+
+  reputation:
+    expiry: 86400
+
+  cookie_domain:
+  disable_update_check: false
+  disable_startup_analytics: false
+  events:
+    context_processors:
+      # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
+      geoip: /geoip/GeoLite2-City.mmdb
+      # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
+      asn: /geoip/GeoLite2-ASN.mmdb
+  compliance:
+    fips:
+      enabled: false
 
+  cert_discovery_dir: /certs
 
+  tenants:
+    enabled: false
+    api_key: ""
+
+  blueprints_dir: /blueprints
+
+  web:
+  # No default here as it's set dynamically
+  # workers: 2
+    threads: 4
+
+  worker:
+    concurrency: 2
+
+  storage:
+    media:
+      backend: file # or s3
+      file:
+        path: ./media
+      s3:
+      # How to talk to s3
+      # region: "us-east-1"
+      # use_ssl: True
+      # endpoint: "https://s3.us-east-1.amazonaws.com"
+      # access_key: ""
+      # secret_key: ""
+      # bucket_name: "authentik-media"
+      # How to render file URLs
+      # custom_domain: null
+        secure_urls: true
+  secret_key: ""
 blueprints:
   # -- List of config maps to mount blueprints from.
   # Only keys in the configMap ending with `.yaml` will be discovered and applied.
@@ -228,7 +319,7 @@ server:
     # -- Average CPU utilization percentage for the authentik server [HPA]
     targetCPUUtilizationPercentage: 50
     # -- Average memory utilization percentage for the authentik server [HPA]
-    targetMemoryUtilizationPercentage: ~
+    targetMemoryUtilizationPercentage:
     # -- Configures the scaling behavior of the target in both Up and Down directions.
     behavior: {}
       # scaleDown:
@@ -371,7 +462,7 @@ server:
   dnsPolicy: ""
 
   # -- serviceAccount to use for authentik server pods
-  serviceAccountName: ~
+  serviceAccountName:
 
   # -- authentik server pod-level security context
   # @default -- `{}` (See [values.yaml])
@@ -574,7 +665,7 @@ server:
 
     # -- List of ingress paths
     paths:
-      - /
+    - /
     # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
     pathType: Prefix
     # -- additional ingress paths
@@ -616,7 +707,7 @@ worker:
     # -- Average CPU utilization percentage for the authentik worker [HPA]
     targetCPUUtilizationPercentage: 50
     # -- Average memory utilization percentage for the authentik worker [HPA]
-    targetMemoryUtilizationPercentage: ~
+    targetMemoryUtilizationPercentage:
     # -- Configures the scaling behavior of the target in both Up and Down directions.
     behavior: {}
       # scaleDown:
@@ -750,7 +841,7 @@ worker:
   dnsPolicy: ""
 
   # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
-  serviceAccountName: ~
+  serviceAccountName:
 
   # -- authentik worker pod-level security context
   # @default -- `{}` (See [values.yaml])
@@ -786,8 +877,8 @@ worker:
     ## Probe configuration
     exec:
       command:
-        - ak
-        - healthcheck
+      - ak
+      - healthcheck
 
   readinessProbe:
     # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
@@ -803,8 +894,8 @@ worker:
     ## Probe configuration
     exec:
       command:
-        - ak
-        - healthcheck
+      - ak
+      - healthcheck
 
   startupProbe:
     # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
@@ -820,8 +911,8 @@ worker:
     ## Probe configuration
     exec:
       command:
-        - ak
-        - healthcheck
+      - ak
+      - healthcheck
 
   # -- terminationGracePeriodSeconds for container lifecycle hook
   terminationGracePeriodSeconds: 30

@@ -0,0 +1,21 @@
+from requests import get
+from ruamel.yaml import YAML
+
+yaml = YAML()
+yaml.preserve_quotes = True
+yaml.explicit_start = True
+yaml.explicit_end = False
+
+config_raw = get("https://raw.githubusercontent.com/goauthentik/authentik/main/authentik/lib/default.yml").text
+config = yaml.load(config_raw)
+
+with open("charts/authentik/values.yaml", mode="r", encoding="utf-8") as _values:
+    values = yaml.load(_values.read())
+
+# The old config has higher priority over the upstream config
+old_config = values["authentik"]
+config.update(old_config)
+values["authentik"] = config
+
+with open("charts/authentik/values.yaml", mode="w", encoding="utf-8") as _values:
+    yaml.dump(values, _values)