feat(authentik): better probes, harden ingress, app-template 3.5.1 #1416

Merged
merged 2 commits into from
Dec 1, 2024
61 changes: 49 additions & 12 deletions kube/deploy/apps/authentik/app/hr.yaml
@@ -1,4 +1,5 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/common-3.5.1/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
Expand All @@ -9,7 +10,7 @@ spec:
chart:
spec:
chart: app-template
version: 3.1.0
version: 3.5.1
sourceRef:
name: bjw-s
kind: HelmRepository
Expand Down Expand Up @@ -104,11 +105,24 @@ spec:
limits:
cpu: "1000m"
memory: "2Gi"
ports:
- name: http
containerPort: 9000
- name: https
containerPort: 9443
- name: metrics
containerPort: 9300
probes:
liveness:
enabled: true
type: HTTP
port: http
path: "/-/health/live/"
readiness:
enabled: true
type: HTTP
port: http
path: "/-/health/ready/"
worker:
type: deployment
replicas: 3
Expand Down Expand Up @@ -142,11 +156,14 @@ spec:
limits:
cpu: "1000m"
memory: "2Gi"
#probes:
# liveness:
# enabled: true
# readiness:
# enabled: true
probes:
liveness: &worker-probe
enabled: true
custom: true
spec:
exec:
command: ["ak", "healthcheck"]
readiness: *worker-probe
ldap:
type: deployment
replicas: 2
Expand Down Expand Up @@ -252,16 +269,16 @@ spec:
controller: authentik
ports:
http: &port
port: 9000
port: http
protocol: HTTP
appProtocol: http
http-80:
<<: *port
port: 80
targetPort: 9000
targetPort: http
metrics:
<<: *port
port: 9300
port: metrics
redis:
primary: false
controller: redis
Expand All @@ -278,7 +295,7 @@ spec:
ports:
http:
port: 443
targetPort: 9443
targetPort: https
protocol: HTTPS
appProtocol: https
ldap:
Expand Down Expand Up @@ -324,11 +341,11 @@ spec:
main:
className: nginx-external
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_CF}"
external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &host "${APP_DNS_AUTHENTIK:=authentik}"
paths: &paths
paths:
- path: /
pathType: Prefix
service:
Expand All @@ -337,6 +354,26 @@ spec:
tls:
- hosts: [*host]
secretName: authentik-tls
harden:
className: nginx-external
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "${IP_JJ_V4:=127.0.0.1/32}"
hosts:
- host: *host
paths:
- &path
path: /api/v3/policies/expression
pathType: Prefix
service:
identifier: authentik
port: http
- <<: *path
path: /api/v3/propertymappings
- <<: *path
path: /api/v3/managed/blueprints
tls:
- hosts: [*host]
secretName: authentik-tls
persistence:
pg-ca:
type: secret
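Review bot: The `harden` ingress' `nginx.ingress.kubernetes.io/whitelist-source-range` is evaluated against the client address the ingress-nginx controller sees, yet the same `*host` is published by `main` with `external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"`, so requests for the three `/api/v3/...` prefixes presumably arrive from Cloudflare edge addresses rather than from `${IP_JJ_V4}`. Unless the controller is configured to recover the real client IP from the proxy and to trust forwarded headers only from Cloudflare's ranges, the rule either rejects every request (fail-closed, which the `127.0.0.1/32` default also guarantees) or, if forwarded headers are honoured from any peer, is no longer tied to the real client; this is controller-level configuration that the HelmRelease cannot show, so it should at least be stated next to the annotation, e.g. `# allowlist applies to the client IP as seen by ingress-nginx; with this host proxied through Cloudflare, real-IP handling for Cloudflare's ranges must be enabled on the controller or the rule fails closed`. It is also worth recording that `harden` only narrows these three prefixes while `main` keeps serving `/` for the same `authentik` backend, so authentik's own permissions remain the primary control for the rest of the API. The enclosing `ingress` mapping begins outside the hunk.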