diff --git a/share/authentik/index.yaml b/share/authentik/index.yaml
index 0cbf809..a6843cd 100644
--- a/share/authentik/index.yaml
+++ b/share/authentik/index.yaml
@@ -6,114 +6,51 @@ metadata: name: authentik description: authentik is an open-source Identity Provider focused on flexibility and versatility options: - loglevel: - default: info - examples: - - info - type: string - admin: - default: - email: auth-admin - examples: - - email: auth-admin - properties: - email: - default: auth-admin - type: string - type: object - email: - default: - port: 587 - timeout: 30 - use_ssl: false - use_tls: false - examples: - - port: 587 - timeout: 30 - use_ssl: false - use_tls: false - properties: - port: - default: 587 - type: integer - timeout: - default: 30 - type: integer - use_ssl: - default: false - type: boolean - use_tls: - default: false - type: boolean - type: object domain-name: default: your_company.com examples: - your_company.com type: string - error_reporting: + image: default: - enabled: false - environment: k8s - send_pii: false + project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 examples: - - enabled: false - environment: k8s - send_pii: false + - project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 properties: - enabled: - default: false - type: boolean - environment: - default: k8s + project: + default: goauthentik + type: string + pullPolicy: + default: IfNotPresent + type: string + registry: + default: ghcr.io + type: string + repository: + default: goauthentik/server + type: string + tag: + default: 2023.5.4 type: string - send_pii: - default: false - type: boolean type: object - ingress-class: - default: traefik + sub-domain: + default: auth examples: - - traefik + - auth type: string issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string - redis: - default: - exporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.44.0 - image: quay.io/opstree/redis:v7.0.5 - storage: 8Gi - examples: - - exporter: - enabled: true - image: 
quay.io/opstree/redis-exporter:v1.44.0 - image: quay.io/opstree/redis:v7.0.5 - storage: 8Gi - properties: - exporter: - default: - enabled: true - image: quay.io/opstree/redis-exporter:v1.44.0 - properties: - enabled: - default: true - type: boolean - image: - default: quay.io/opstree/redis-exporter:v1.44.0 - type: string - type: object - image: - default: quay.io/opstree/redis:v7.0.5 - type: string - storage: - default: 8Gi - type: string - type: object postgres: default: cleanlogs: 
@@ -152,51 +89,114 @@ options: default: '14' type: string type: object - image: + redis: default: - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 + exporter: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + image: quay.io/opstree/redis:v7.0.5 + storage: 8Gi examples: - - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 + - exporter: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + image: quay.io/opstree/redis:v7.0.5 + storage: 8Gi properties: - project: - default: goauthentik + exporter: + default: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + properties: + enabled: + default: true + type: boolean + image: + default: quay.io/opstree/redis-exporter:v1.44.0 + type: string + type: object + image: + default: quay.io/opstree/redis:v7.0.5 type: string - pullPolicy: - default: IfNotPresent - type: string - registry: - default: ghcr.io - type: string - repository: - default: goauthentik/server - type: string - tag: - default: 2023.5.4 + storage: + default: 8Gi type: string type: object - geoip: - default: /geoip/GeoLite2-City.mmdb - examples: - - /geoip/GeoLite2-City.mmdb - type: string domain: default: your-company examples: - your-company type: string - sub-domain: - default: auth + loglevel: + default: info examples: - - auth + - info type: string + email: + default: + port: 587 + timeout: 30 + use_ssl: false + use_tls: false + examples: + - port: 587 + timeout: 30 + use_ssl: false + use_tls: false + properties: + port: + default: 587 + type: integer + timeout: + default: 30 + type: integer + use_ssl: + default: false + type: boolean + use_tls: + default: false + type: boolean + type: object + admin: + default: + email: auth-admin + examples: + - email: auth-admin + properties: + email: + default: auth-admin + type: string + type: object + ingress-class: + default: traefik + 
examples: + - traefik + type: string + geoip: + default: /geoip/GeoLite2-City.mmdb + examples: + - /geoip/GeoLite2-City.mmdb + type: string + error_reporting: + default: + enabled: false + environment: k8s + send_pii: false + examples: + - enabled: false + environment: k8s + send_pii: false + properties: + enabled: + default: false + type: boolean + environment: + default: k8s + type: string + send_pii: + default: false + type: boolean + type: object dependencies: - dist: null category: core
diff --git a/share/authentik/postgresql.tf b/share/authentik/postgresql.tf
index d0e51df..84a0b68 100644
--- a/share/authentik/postgresql.tf
+++ b/share/authentik/postgresql.tf
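Review bot: The `email` defaults re-added in this hunk combine `port: 587` with `use_tls: false` and `use_ssl: false`, so a deployment that only fills in host and credentials would, as far as the schema shows, talk to the SMTP submission port without transport encryption and send the mail credentials in the clear. If these keys map onto authentik's `use_tls`/`use_ssl` email settings, consider defaulting `use_tls: true` alongside port 587 (STARTTLS is the norm on that port), or at least record the trade-off next to the default: `# port 587 normally expects STARTTLS; leave use_tls false only when the relay is reached over a trusted network`. A related supply-chain point on the same hunk: `image.tag: 2023.5.4` with `pullPolicy: IfNotPresent` pins a mutable tag, so whatever a node has cached is reused without re-verification; pinning a digest (or documenting the expected update cadence) would make the pin attestable.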
@@ -5,137 +5,6 @@ locals { pool-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "pg-pool" }) - postgres-labels = merge(local.common-labels, { - "app.kubernetes.io/component" = "postgresql" - }) -} -resource "kubectl_manifest" "authentik_postgresql" { - yaml_body = <<-EOF - apiVersion: "acid.zalan.do/v1" - kind: "postgresql" - metadata: - name: "${var.instance}-${var.component}" - namespace: "${var.namespace}" - labels: ${jsonencode(local.postgres-labels)} - spec: - databases: - ${var.component}: "${var.component}" - numberOfInstances: ${var.postgres.replicas} - podAnnotations: - "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean" - "k8up.io/file-extension": ".sql" - postgresql: - version: "${var.postgres.version}" - teamId: "${var.instance}" - users: - ${var.component}: - - "superuser" - - "createdb" - volume: - size: "${var.postgres.storage}" - EOF -} - -// Since each authentik worker create a new connection to the DB -// lots of logs are created mesuring in GBs of junk -// So a dayly cleanup make sense -resource "kubectl_manifest" "authentik_cleanup_logs_script" { - yaml_body = <<-EOF - apiVersion: v1 - kind: ConfigMap - metadata: - name: "${var.instance}-${var.component}-cleanlogs" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - data: - "clean.sh": |- - #!/bin/ash - grep log /pgdata/pgroot/data/postgresql.conf|grep conn - echo "$(date '+%T') - Enforcing configuration" - sed -i "s/^log_connections.*/log_connections = 'off'/;s/^log_disconnections.*/log_disconnections = 'off'/" /pgdata/pgroot/data/postgresql.conf - grep log /pgdata/pgroot/data/postgresql.conf|grep conn - for i in /pgdata/pgroot/pg_log/*csv;do echo "$(date '+%T') - Cleaning $i";sed -i '/connection/d' "$i";done - df -h /pgdata/pgroot - EOF -} -resource "kubectl_manifest" "authentik_cleanup_logs_job" { - yaml_body = <<-EOF - apiVersion: batch/v1 - kind: CronJob - metadata: - name: "${var.instance}-${var.component}-cleanlogs" - 
namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - spec: - concurrencyPolicy: Forbid - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - image: "${var.postgres.cleanlogs.image}" - imagePullPolicy: IfNotPresent - name: cleanlogs - command: ["/bin/ash"] - args: ["/script/clean.sh"] - volumeMounts: - - mountPath: /pgdata - name: pgdata - - mountPath: /script - name: script - securityContext: - fsGroup: 100 - runAsGroup: 100 - runAsUser: 101 - volumes: - - name: script - configMap: - name: ${kubectl_manifest.authentik_cleanup_logs_script.name} - - name: pgdata - persistentVolumeClaim: - claimName: pgdata-${var.instance}-${var.component}-0 - schedule: "${var.postgres.cleanlogs.schedule}" - successfulJobsHistoryLimit: 3 - EOF -} - -resource "kubectl_manifest" "prj_pre_migrate_pg" { - yaml_body = <<-EOF -apiVersion: batch/v1 -kind: Job -metadata: - name: "${var.instance}-remove-zalando-extensions" - namespace: "${var.namespace}" -spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: clean - image: docker.io/postgres:15.3-bookworm - imagePullPolicy: IfNotPresent - env: - - name: USERNAME - valueFrom: - secretKeyRef: - key: username - name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do - - name: PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do - - name: DBURL - value: "${var.instance}-${var.component}" - - name: DBNAME - value: "${var.component}" - command: - - /bin/bash - - "-c" - - "echo -ne 'drop view if exists metric_helpers.pg_stat_statements;\ndrop function if exists metric_helpers.pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_kcache;\nDROP EXTENSION IF EXISTS set_user;\n'| PGPASSWORD=\"$PASSWORD\" psql -U $USERNAME -d $DBNAME -h $DBURL" - EOF } resource "kubectl_manifest" "prj_pg" 
{ @@ -151,26 +20,6 @@ resource "kubectl_manifest" "prj_pg" { instances: ${var.postgres.replicas} storage: size: "${var.postgres.storage}" - bootstrap: - initdb: - database: ${var.component} - owner: ${var.component} - import: - type: microservice - databases: - - ${var.component} - source: - externalCluster: "${var.instance}-${var.component}" - externalClusters: - - name: "${var.instance}-${var.component}" - connectionParameters: - host: "${var.instance}-${var.component}" - user: postgres - dbname: postgres - sslmode: require - password: - name: "postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do" - key: password EOF }