helm-charts/authentik-application
2024-01-13 01:27:00 +01:00

= authentik-application

image::https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square[Version: 0.4.1]
image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
== Maintainers

.Maintainers
|===
| Name | Email | Url

| WrenIX
|
| <https://wrenix.eu>
|===

== Prerequisites

Use the authentik Helm chart with https://github.com/goauthentik/helm/pull/146 applied.

== Or set up manually

Install authentik with this `values.yaml`:
```yaml
serviceAccount:
  create: true

additionalContainers:
  - name: sidecar-blueprints
    image: "ghcr.io/kiwigrid/k8s-sidecar:1.25.1"
    env:
      - name: "FOLDER"
        value: "/blueprints/sidecar"
      - name: "LABEL"
        value: "goauthentik_blueprint"
      - name: "LABEL_VALUE"
        value: "1"
      # - name: "NAMESPACE"
      #   value: "ALL"
      - name: "RESOURCE"
        value: "both"
      - name: "UNIQUE_FILENAMES"
        value: "true"
    volumeMounts:
      - name: sidecar-blueprints
        mountPath: /blueprints/sidecar

volumeMounts:
  - name: sidecar-blueprints
    mountPath: /blueprints/sidecar

volumes:
  - name: sidecar-blueprints
    emptyDir: {}
```

Then create a Role that can read ConfigMaps and Secrets in the namespace and bind it to the ServiceAccount:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: authentik-blueprint-sidecar
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: authentik-blueprint-sidecar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: authentik-blueprint-sidecar
subjects:
  - kind: ServiceAccount
    name: authentik
```

== Usage

Helm must be installed and set up for your Kubernetes cluster to use the charts.
Refer to Helm's https://helm.sh/docs[documentation] to get started.
Once Helm has been set up correctly, fetch the charts as follows:

[source,bash]
----
helm pull oci://codeberg.org/wrenix/helm-charts/authentik-application
----

You can install a chart release using the following command:

[source,bash]
----
helm install authentik-application-release oci://codeberg.org/wrenix/helm-charts/authentik-application --values values.yaml
----

To uninstall a chart release, use `helm`'s uninstall command:

[source,bash]
----
helm uninstall authentik-application-release
----

== Values

.Values
|===
| Key | Type | Default | Description

| blueprint.application.bindPolicyID
| string
| `nil`
| UUID for bindPolicyID of the group - if not set, it is generated in the secret so that it stays stable (or `groups: []` filled)

| blueprint.application.description
| string
| `""`
| description of application

| blueprint.application.group
| string
| `""`
| group in authentik to put this application in

| blueprint.application.icon
| string
| `""`
| icon of application (url)

| blueprint.application.launchURL
| string
| `""`
|

| blueprint.application.name
| string
| `""`
| application name in menu

| blueprint.application.openInNewTab
| bool
| `false`
| open application in new tab

| blueprint.application.policyEngineMode
| string
| `"any"`
|

| blueprint.application.publisher
| string
| `""`
| publisher of application

| blueprint.application.slug
| string
| `"app-name"`
| application slug

| blueprint.authentik.domain
| string
| `"https://auth.wrenix.eu"`
| domain of authentik, used in generated URLs (like the issuer)

| blueprint.groups
| string
| `nil`
a| authentik groups that are created and given access to this application. Disable all groups by setting `groups: []` (to a slice). Example:

[source,yaml]
----
- slug: "app: grafana-admin"
  parent: "app: infra"
  bindID: uuid
----

| blueprint.labels
| object
| `{"goauthentik_blueprint":"1"}`
| label of generated secret with blueprint

| blueprint.provider.authorizationFlow
| string
| `"default-provider-authorization-implicit-consent"`
|

| blueprint.provider.enabled
| bool
| `true`
| create a provider for authentication (otherwise just a link in the menu is created)

| blueprint.provider.name
| string
| `""`
|

| blueprint.provider.oidc.clientID
| string
| `nil`
| client id - generated if secret enabled

| blueprint.provider.oidc.clientSecret
| string
| `nil`
| client secret - generated if secret enabled

| blueprint.provider.oidc.clientType
| string
| `"confidential"`
|

| blueprint.provider.oidc.redirectURL
| string
| `""`
|

| blueprint.provider.oidc.scopes
| string
| `nil`
| Scope

| blueprint.provider.oidc.signingKey
| string
| `""`
| Needed for non-curve / RSA

| blueprint.provider.proxy.cookieDomain
| string
| `""`
|

| blueprint.provider.proxy.externalHost
| string
| `nil`
|

| blueprint.provider.proxy.ingress.backend
| string
| `"authentik"`
| service backend to authentik

| blueprint.provider.proxy.ingress.domain
| string
| `nil`
| domain of application (where outpost should be deployed)

| blueprint.provider.proxy.ingress.enabled
| bool
| `false`
| deploy ingress on application domain for e.g. logout (WIP)

| blueprint.provider.proxy.skipPathRegex
| string
| `""`
|

| blueprint.provider.saml
| string
| `nil`
|

| blueprint.provider.type
| string
| `"oidc"`
| type of application connection, currently supported: oidc, saml and proxy

| secret.labels
| object
| `{}`
| labels of the secret that stores the generated secret

| secret.name
| string
| `""`
| name of the secret that stores the generated secret (like clientID)
|===
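
A sample `values.yaml` for an OIDC application, built only from the keys in the table above. This is an added example, not a file from the chart's repository: the hostnames, slug, names and UUID are constructed placeholders, and it assumes that setting `secret.name` is what enables the generated secret.

```yaml
# Example values for authentik-application (constructed, not from the chart repo).
blueprint:
  authentik:
    # Base URL of the authentik instance; used for generated URLs such as the issuer.
    domain: "https://auth.example.org"          # placeholder host

  application:
    slug: "grafana"                             # placeholder slug
    name: "Grafana"
    group: "Monitoring"
    launchURL: "https://grafana.example.org"    # placeholder host
    openInNewTab: false
    policyEngineMode: "any"

  # Groups that are created and given access to the application.
  # Set `groups: []` to disable group handling entirely.
  groups:
    - slug: "app: grafana-admin"
      parent: "app: infra"
      bindID: "00000000-0000-0000-0000-000000000000"   # constructed placeholder UUID

  # The sidecar only picks up resources carrying this label (chart default).
  labels:
    goauthentik_blueprint: "1"

  provider:
    enabled: true
    type: "oidc"
    authorizationFlow: "default-provider-authorization-implicit-consent"
    oidc:
      clientType: "confidential"
      redirectURL: "https://grafana.example.org/login/generic_oauth"  # placeholder
      # clientID and clientSecret are intentionally left unset: per the table
      # they are generated when the secret is enabled, which keeps the
      # credentials out of this file and out of version control.

secret:
  # Assumption: naming the secret enables generation of clientID/clientSecret.
  name: "grafana-oidc"                          # placeholder name
  labels: {}
```

The application that consumes `grafana-oidc` only needs read access to that one Secret, whereas the sidecar Role shown earlier reads every Secret in the authentik namespace.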

Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]