From 521f6f2ce308f3b06b53e2c004893100cda1528b Mon Sep 17 00:00:00 2001
From: genofire
Date: Wed, 5 Apr 2023 23:52:37 +0000
Subject: [PATCH] feat(charts/authentik): add blueprints-sidecar to collect from cluster
---
 charts/authentik/ci/ct-values.yaml | 7 +
 .../ci/manifests/blueprint-sidecar.yaml | 13 ++
 charts/authentik/templates/deployment.yaml | 151 +++++++++++-------
 .../authentik/templates/service-account.yaml | 24 +++
 charts/authentik/values.yaml | 12 +-
 5 files changed, 151 insertions(+), 56 deletions(-)
 create mode 100644 charts/authentik/ci/manifests/blueprint-sidecar.yaml
 create mode 100644 charts/authentik/templates/service-account.yaml
diff --git a/charts/authentik/ci/ct-values.yaml b/charts/authentik/ci/ct-values.yaml
index c8c72d53..ab1715f5 100644
--- a/charts/authentik/ci/ct-values.yaml
+++ b/charts/authentik/ci/ct-values.yaml
@@ -36,5 +36,12 @@ redis:
 enabled: true
 password: au7h3n71k
+serviceAccount:
+ create: true
+
+sidecar:
+ blueprints:
+ enabled: true
+
 blueprints:
 - authentik-ci-blueprint
diff --git a/charts/authentik/ci/manifests/blueprint-sidecar.yaml b/charts/authentik/ci/manifests/blueprint-sidecar.yaml
new file mode 100644
index 00000000..25f4974d
--- /dev/null
+++ b/charts/authentik/ci/manifests/blueprint-sidecar.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-ci-blueprint-sidecar
+ labels:
+ goauthentik_blueprint: "1"
+data:
+ test.yaml: |-
+ version: 1
+ metadata:
+ name: sidecar-test
+ entries: []
\ No newline at end of file
diff --git a/charts/authentik/templates/deployment.yaml b/charts/authentik/templates/deployment.yaml
index 5a7adb95..bee911bb 100644
--- a/charts/authentik/templates/deployment.yaml
+++ b/charts/authentik/templates/deployment.yaml
@@ -1,4 +1,4 @@
-{{- range list "server" "worker" }}
+{{- range $component := list "server" "worker" }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -6,31 +6,31 @@ metadata: name: {{ printf "%s-%s" (include "common.names.fullname" $) . }} labels: {{- include "common.labels" $ | nindent 4 }} - app.kubernetes.io/component: "{{ . }}" + app.kubernetes.io/component: "{{ $component }}" spec: - {{ if eq . "server" -}} + {{- if eq . "server" }} replicas: {{ $.Values.replicas }} - {{- else -}} + {{- else }} replicas: {{ $.Values.worker.replicas }} {{- end }} selector: matchLabels: {{- include "common.labels.selectorLabels" $ | nindent 6 }} - app.kubernetes.io/component: "{{ . }}" + app.kubernetes.io/component: "{{ $component }}" template: metadata: labels: {{- include "common.labels.selectorLabels" $ | nindent 8 }} - app.kubernetes.io/component: "{{ . }}" + app.kubernetes.io/component: "{{ $component }}" app.kubernetes.io/version: "{{ $.Values.image.tag }}" - {{- if $.Values.podAnnotations }} + {{- with $.Values.podAnnotations }} annotations: - {{- toYaml $.Values.podAnnotations | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- if $.Values.image.pullSecrets }} + {{- with $.Values.image.pullSecrets }} imagePullSecrets: - {{- toYaml $.Values.image.pullSecrets | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- if $.Values.serviceAccount.create }} serviceAccountName: {{ include "common.names.fullname" $ }} 
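Review bot: The range now binds `$component`, but `name: {{ printf "%s-%s" (include "common.names.fullname" $) . }}` and `{{- if eq . "server" }}` in this hunk still use the bare `.`, while the hunks at -60 and -116 already switched to `$component`. Using `$component` here too (`name: {{ printf "%s-%s" (include "common.names.fullname" $) $component }}` and `{{- if eq $component "server" }}`) keeps the template consistent and removes the last places where a later `with` rebinding `.` could bite. The enclosing range opens in the hunk at -1 and closes outside this hunk.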
@@ -60,20 +60,25 @@ spec: {{- end }} {{- tpl (toYaml $initContainers) $ | nindent 8 }} {{- end }} - {{ if eq . "server" -}} + {{- if eq $component "server" }} priorityClassName: {{ $.Values.priorityClassName }} + {{- with $.Values.securityContext }} securityContext: - {{- toYaml $.Values.securityContext | nindent 8 }} - {{- else -}} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} priorityClassName: {{ $.Values.worker.priorityClassName }} + {{- with $.Values.worker.securityContext }} securityContext: - {{- toYaml $.Values.worker.securityContext | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} containers: - name: {{ $.Chart.Name }} image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}{{- if $.Values.image.digest -}}@{{ $.Values.image.digest }}{{- end -}}" imagePullPolicy: "{{ $.Values.image.pullPolicy }}" - args: [{{ quote . }}] + args: + - {{ $component | quote }} env: {{- range $k, $v := $.Values.env }} - name: {{ quote $k }} @@ -85,27 +90,32 @@ spec: valueFrom: {{- toYaml $val | nindent 16 }} {{- end }} - {{- with $.Values.envFrom }} + {{- with $.Values.envFrom }} envFrom: - {{- toYaml . | nindent 12 }} - {{- end }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: - {{- if $.Values.geoip.enabled }} + {{- if $.Values.geoip.enabled }} - name: geoip-db mountPath: /geoip - {{- end }} - {{- with $.Values.volumeMounts }} - {{- toYaml . | nindent 12 }} {{- end }} - {{ if eq . "worker" -}} - {{- with $.Values.blueprints }} - {{- range $name := . }} + + {{- if $.Values.sidecar.blueprints.enabled }} + - name: sidecar-blueprints + mountPath: /blueprints/sidecar + {{- end }} + + {{- range $name := $.Values.blueprints }} - name: blueprints-{{ $name }} mountPath: /blueprints/mounted/{{ $name }} - {{- end }} {{- end }} - {{- end }} - {{- if eq . "server" }} + + {{- with $.Values.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + + {{- if eq $component "server" }} ports: - name: http containerPort: 9000 
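Review bot: In the second hunk (-85) the removed `{{ if eq . "worker" -}}` gate means the `blueprints-*` ConfigMap mounts and the `sidecar-blueprints` mount now render into the server Deployment as well, and the same ungated pattern recurs in the sidecar container hunk at -150 and the volumes hunk at -162. If, as the old gate suggests, only the worker applies blueprints, every server replica now receives a copy of the blueprint contents and (through the sidecar) runs a cluster watcher holding the service-account token for no benefit. Wrapping those three spots in `{{- if eq $component "worker" }} … {{- end }}` restores the previous scope; if the server genuinely needs the mounts, a one-line comment saying why would spare the next reader the same question. The containers list continues outside this hunk.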
@@ -116,24 +126,25 @@ spec: - name: https containerPort: 9443 protocol: TCP - {{- if $.Values.livenessProbe.enabled }} - {{- with omit $.Values.livenessProbe "enabled" }} + {{- with $.Values.livenessProbe }} + {{- if .enabled }} livenessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- if $.Values.readinessProbe.enabled }} - {{- with omit $.Values.readinessProbe "enabled" }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- with $.Values.readinessProbe }} + {{- if .enabled }} readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - {{- with index $.Values.resources . }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- end }}{{/* end server */}} + + {{- with (get $.Values.resources $component) }} resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if $.Values.geoip.enabled }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if $.Values.geoip.enabled }} - name: geoip-sidecar image: "{{ $.Values.geoip.image }}" env: @@ -150,8 +161,36 @@ spec: volumeMounts: - name: geoip-db mountPath: /usr/share/GeoIP - {{- end }} - {{- with $.Values.additionalContainers }} + {{- end }} + {{- with $.Values.sidecar.blueprints }} + {{- if .enabled }} + - name: sidecar-blueprints + image: "{{ .image.repository }}:{{ .image.tag }}" + env: + - name: "FOLDER" + value: "/blueprints/sidecar" + - name: "LABEL" + value: "goauthentik_blueprint" + - name: "LABEL_VALUE" + value: "1" + {{- with .namespace }} + - name: "NAMESPACE" + value: "{{ . }}" + {{- end }} + {{- with .resource }} + - name: "RESOURCE" + value: "{{ . }}" + {{- end }} + {{- with .uniqueFilenames }} + - name: "UNIQUE_FILENAMES" + value: "{{ . }}" + {{- end }} + volumeMounts: + - name: sidecar-blueprints + mountPath: /blueprints/sidecar + {{- end }} + {{- end }} + {{- with $.Values.additionalContainers }} {{- $additionalContainers := list }} {{- range $name, $container := . }} {{- if not $container.name -}} 
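Review bot: Dropping `omit … "enabled"` means `toYaml .` under `livenessProbe:` and `readinessProbe:` now emits the chart's own `enabled: true` key into the Probe spec, which is not a Probe field; under strict field validation (server-side apply, or kubectl's strict mode) the Deployment is rejected, and otherwise the key is silently discarded with a warning. Render both probes with `{{- toYaml (omit . "enabled") | nindent 12 }}` instead. The `{{- if eq $component "server" }}` block this sits in opens in the hunk at -85.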
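Review bot: The new `sidecar-blueprints` container carries no `resources`, no container-level `securityContext` and no `imagePullPolicy`, unlike the main container in the same list, even though it holds the pod's service-account token and, with the chart's default `resource: "both"`, reads Secrets. Separately, `{{- with .uniqueFilenames }}` skips the block whenever the value is `false`, so the option can never be switched off through values, and because collection is purely label-driven, any principal able to create a labelled ConfigMap or Secret in the watched namespace can feed a blueprint into authentik, which deserves a comment beside the `LABEL` env. I would render the flag unconditionally and pass through optional `resources`/`securityContext` values (new keys under `sidecar.blueprints` in values.yaml) as sketched below; the `additionalContainers` handling continues outside the hunk.

```yaml
        - name: sidecar-blueprints
          image: "{{ .image.repository }}:{{ .image.tag }}"
          # Copies every ConfigMap/Secret labelled goauthentik_blueprint=1 in the
          # watched namespace into /blueprints/sidecar: write access to such objects
          # is equivalent to applying a blueprint, so scope RBAC and namespaces tightly.
          # … unchanged: FOLDER / LABEL / LABEL_VALUE / NAMESPACE / RESOURCE env …
          - name: "UNIQUE_FILENAMES"
            value: {{ .uniqueFilenames | quote }}
          {{- with .resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: volumeMounts …
```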
@@ -162,20 +201,22 @@ spec: {{- tpl (toYaml $additionalContainers) $ | nindent 8 }} {{- end }} volumes: - {{- if $.Values.geoip.enabled }} + {{- if $.Values.geoip.enabled }} - name: geoip-db emptyDir: {} - {{- end }} - {{- with $.Values.volumes }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{ if eq . "worker" -}} - {{- with $.Values.blueprints }} - {{- range $name := . }} + {{- end }} + {{- if $.Values.sidecar.blueprints.enabled }} + - name: sidecar-blueprints + emptyDir: {} + {{- end }} + {{- range $name := $.Values.blueprints }} - name: blueprints-{{ $name }} configMap: name: {{ $name }} {{- end }} - {{- end }} - {{- end }} + + {{- with $.Values.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} diff --git a/charts/authentik/templates/service-account.yaml b/charts/authentik/templates/service-account.yaml new file mode 100644 index 00000000..6b7a1b83 --- /dev/null +++ b/charts/authentik/templates/service-account.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.serviceAccount.create .Values.sidecar.blueprints.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "common.names.fullname" . }} +rules: +- apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "common.names.fullname" . }} +roleRef: + kind: ClusterRole + name: {{ include "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml index 6f0e4e0e..9859da88 100644 --- a/charts/authentik/values.yaml +++ b/charts/authentik/values.yaml 
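Review bot: In the new service-account.yaml, the `ClusterRole`/`ClusterRoleBinding` grants `get`, `watch`, `list` on `secrets` and `configmaps` across the whole cluster to the chart's shared service account, which the server and worker pods run under too, while the sidecar only receives a `NAMESPACE` env when `sidecar.blueprints.namespace` is non-empty and, as far as this patch shows, has no need to look outside `.Release.Namespace` by default. A namespaced `Role`/`RoleBinding` is the least-privilege default, with the cluster-scoped variant behind an explicit opt-in for users who point the sidecar at other namespaces; cluster-scoped objects named only by `common.names.fullname` would also collide between two releases of the same name in different namespaces. Note as well that the RBAC is gated on `serviceAccount.create` while the sidecar container in deployment.yaml is gated only on `sidecar.blueprints.enabled`, so `create: false` renders a sidecar with no grant at all; a `fail` in the template or a documented requirement in values.yaml would make that explicit.

```yaml
{{- if and .Values.serviceAccount.create .Values.sidecar.blueprints.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "common.names.fullname" . }}
  namespace: {{ .Release.Namespace }}
# … unchanged: rules …
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "common.names.fullname" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
# … unchanged: roleRef name/apiGroup, subjects, end …
```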
@@ -164,7 +164,7 @@ readinessProbe:
 periodSeconds: 10
 serviceAccount:
- # -- Service account is needed for managed outposts
+ # -- Service account is needed for managed outposts and sidecar for blueprints
 create: true
 annotations: {}
 serviceAccountSecret:
@@ -184,6 +184,16 @@ prometheus:
 # -- labels additional on PrometheusRule
 labels: {}
+sidecar:
+ blueprints:
+ enabled: false
+ image:
+ repository: "ghcr.io/kiwigrid/k8s-sidecar"
+ tag: "1.23.0"
+ namespace: ""
+ resource: "both"
+ uniqueFilenames: true
+
 geoip:
 # -- optional GeoIP, deploys a cronjob to download the maxmind database
 enabled: false
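Review bot: The new `sidecar` block in the second hunk (-184) carries none of the `# --` helm-docs comments the neighbouring keys have (`serviceAccount`, `prometheus.labels`, `geoip`), so the generated README will list `namespace`, `resource` and `uniqueFilenames` with no explanation, and `resource: "both"` quietly opting Secrets into collection deserves a sentence. I would add `# -- sidecar that collects blueprints from ConfigMaps/Secrets labelled goauthentik_blueprint=1` above `blueprints:`, `# -- object kinds to watch; "both" also collects Secrets and needs read access to them` above `resource:`, and a comment on `namespace` stating what an empty value means for the sidecar, checked against the sidecar image's documentation rather than guessed.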