Comments (4)
Firstly, I would like to thank the Authentik team; their work is great.
However, if it's any help to you, I do it like this to keep things generalized as much as possible. I created my own version of the Helm chart from scratch for this very reason. Feel free to export the ideas; I was thinking of starting a big PR as the chart is cool, but has a few deficiencies (like secrets, and theming). Please don't use mine for now, at least; it is still majorly changing and is likely not as supported as their own.
A secret to hold the data (by default auto-generates secrets unless disabled):
https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/templates/auth.secret.yaml (my secret is a bit heavy, you don't need anywhere near as many). This also allows you to sideload a secret with Bitnami sealed secrets by disabling autogeneration in production, but it is really useful in testing.
E.g.:

```yaml
...
kind: Secret
...
data:
  # each value is a random alphanumeric string of .Values.secret.randLength
  # characters (30 if unset), base64-encoded as the Secret API requires
  postgresUserPassword: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
  authJwtToken: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
  redisPassword: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
...
```
A table which keeps track of each key in the secret above, what filename it creates, and what environment variable should be generated to point to that file. https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/values.yaml#L161 I call my table lookup.

```yaml
authentik:
  ...
  # authentik expects its secrets as files in the same directory
  # so we tell kube where to get secret data and where to put it
  secrets:
    basePath: /secrets
    lookup:
      # this lookup will mount each secret key's data to a file at basePath/file
      # this will also then create an env variable pointing to this secret file
      # thus we have no env variables with secrets in them, only files with permissions
      # https://www.authentik.com/integration/kubernetes/secrets/
      - key: postgresUserPassword
        file: postgresql-pass
        env: AUTHENTIK_POSTGRESQL__PASSWORD
      - key: redisPassword
        file: redis-pass
        env: AUTHENTIK_REDIS__PASSWORD
      - key: authJwtToken
        file: secret-key
        env: AUTHENTIK_SECRET_KEY
  ...
```
A templated deployment that automatically defines mounts and env variables, all according to the table specification, and creates the env variables to let Authentik know where to look for these mounts. https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/values.yaml#L161

```yaml
kind: Deployment
...
spec:
  containers:
    - name: authentik
      env:
        # one env var per lookup row, e.g. AUTHENTIK_SECRET_KEY=file:///secrets/secret-key
        # ($.Values is needed inside range because . is the current lookup row)
        {{- range .Values.authentik.secrets.lookup }}
        - name: {{ .env }}
          value: {{ printf "file://%s/%s" $.Values.authentik.secrets.basePath .file | quote }}
        {{- end }}
      volumeMounts:
        # secrets mount
        - mountPath: {{ .Values.authentik.secrets.basePath }}
          name: secrets
          readOnly: true
      ...
  volumes:
    - name: secrets
      secret:
        secretName: {{ .Values.secret.name }}
        optional: false
        # project only the keys in the lookup table, under the file names it specifies
        items:
          {{- range .Values.authentik.secrets.lookup }}
          - key: {{ .key }}
            path: {{ .file }}
          {{- end }}
...
```
Authentik is a little more complex in practice, since it has both servers and workers, but that is the general gist. If there is strong desire for this, I can also put in a PR sometime soon to support this kind of secret passing, although not exactly like this.
P.S. For anyone wondering how theming works, the fastest way is to mount over the top of existing files in the containers. For instance, to overwrite the background, I believe it is /web/dist/assets/images/flow_background.jpg, but you can edit the path in the default flows; the "welcome to authentik" flow has a background path option. You still need to get your image into the container, though.
P.P.S. My implementation is OSLv3.
from helm.
An alternative option would be to pass the authentik: YAML as a config file to authentik instead of parsing it to env vars. What do you think @BeryJu?
Is there any update on this?
This has been resolved for some time now. Authentik's config (under the `authentik` key in the values) is now stored as a secret. Plus, if you don't want to specify secret values in your values, we have several ways for you to do so: `global.env` and/or `global.envFrom` to load directly for a secret you provide, or `global.volumes` and `global.volumeMounts` to mount a secret somewhere and then setting the config value that needs this secret to `file:///path/to/secret`.
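As an added example (not from the thread, and not the chart's own documentation), here is a values fragment using the `global.volumes` / `global.volumeMounts` route described above, with the plaintext variant shown commented out for contrast. The Secret name, its key names and the `/secrets` mount path are assumptions; `authentik.secret_key`, `authentik.postgresql.password` and `authentik.redis.password` are assumed to be the chart's config keys for these three values.

```yaml
# Added example, not the chart's own docs. Assumes a pre-created Secret named
# "authentik-secrets" with keys secret-key, postgres-pass and redis-pass
# (e.g. sideloaded via sealed-secrets, never committed in plaintext).
global:
  volumes:
    - name: authentik-secrets
      secret:
        secretName: authentik-secrets
        optional: false        # refuse to start without credentials rather than silently running without them
  volumeMounts:
    - name: authentik-secrets
      mountPath: /secrets
      readOnly: true           # the app only needs to read the files

authentik:
  # weak: literal credentials in values.yaml end up in git history and in
  # `helm get values` output for anyone with release read access
  # secret_key: "changeme"
  # postgresql:
  #   password: "changeme"
  #
  # corrected: point each config value at the mounted file instead, so the
  # rendered config and the pod env carry only a path, not the secret itself
  secret_key: "file:///secrets/secret-key"
  postgresql:
    password: "file:///secrets/postgres-pass"
  redis:
    password: "file:///secrets/redis-pass"
```

Check the result with `helm template` and confirm the rendered Secret and pod spec contain only `file:///secrets/...` references, never the literal values.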