diff --git a/share/authentik/index.yaml b/share/authentik/index.yaml
index 17a2df9..031262a 100644
--- a/share/authentik/index.yaml
+++ b/share/authentik/index.yaml
@@ -6,101 +6,49 @@ metadata: name: authentik description: authentik is an open-source Identity Provider focused on flexibility and versatility options: - email: - default: - port: 587 - timeout: 30 - use_ssl: false - use_tls: false + loglevel: + default: info examples: - - port: 587 - timeout: 30 - use_ssl: false - use_tls: false - properties: - port: - default: 587 - type: integer - timeout: - default: 30 - type: integer - use_ssl: - default: false - type: boolean - use_tls: - default: false - type: boolean - type: object - geoip: - default: /geoip/GeoLite2-City.mmdb - examples: - - /geoip/GeoLite2-City.mmdb + - info type: string - admin: + postgres: default: - email: auth-admin + cleanlogs: + image: docker.io/alpine:3.18 + schedule: 30 5/12 * * * + replicas: 1 + storage: 8Gi + version: '14' examples: - - email: auth-admin + - cleanlogs: + image: docker.io/alpine:3.18 + schedule: 30 5/12 * * * + replicas: 1 + storage: 8Gi + version: '14' properties: - email: - default: auth-admin + cleanlogs: + default: + image: docker.io/alpine:3.18 + schedule: 30 5/12 * * * + properties: + image: + default: docker.io/alpine:3.18 + type: string + schedule: + default: 30 5/12 * * * + type: string + type: object + replicas: + default: 1 + type: integer + storage: + default: 8Gi + type: string + version: + default: '14' type: string type: object - image: - default: - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 - examples: - - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 - properties: - project: - default: goauthentik - type: string - pullPolicy: - default: IfNotPresent - type: string - registry: - default: ghcr.io - type: string - repository: - default: goauthentik/server - type: string - tag: - default: 2023.5.4 - type: string - type: object - error_reporting: - default: - enabled: false - environment: k8s - send_pii: false - examples: - - 
enabled: false - environment: k8s - send_pii: false - properties: - enabled: - default: false - type: boolean - environment: - default: k8s - type: string - send_pii: - default: false - type: boolean - type: object - sub-domain: - default: auth - examples: - - auth - type: string redis: default: exporter: 
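Review bot: The new `schedule: 30 5/12 * * *` value (repeated under `default`, `examples` and `properties`) is a plain scalar that loads as a string only because it starts with a digit; a cron expression beginning with `*` (for instance `*/5 * * * *`) would be taken for a YAML alias and fail to parse, so quote it the way the sibling `version: '14'` already is: `schedule: '30 5/12 * * *'`. If this index.yaml is produced by a generator, the quoting belongs there rather than in the committed output. Note also that `5/12` in the hour field fires at 05:30 and 17:30 — twice a day, not the daily run the accompanying postgresql.tf comment describes — so either the default or that comment should change.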
@@ -134,50 +82,120 @@ options: default: 8Gi type: string type: object - postgres: - default: - replicas: 1 - storage: 8Gi - version: '14' - examples: - - replicas: 1 - storage: 8Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 8Gi - type: string - version: - default: '14' - type: string - type: object domain-name: default: your_company.com examples: - your_company.com type: string - ingress-class: - default: traefik - examples: - - traefik - type: string issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string + error_reporting: + default: + enabled: false + environment: k8s + send_pii: false + examples: + - enabled: false + environment: k8s + send_pii: false + properties: + enabled: + default: false + type: boolean + environment: + default: k8s + type: string + send_pii: + default: false + type: boolean + type: object + email: + default: + port: 587 + timeout: 30 + use_ssl: false + use_tls: false + examples: + - port: 587 + timeout: 30 + use_ssl: false + use_tls: false + properties: + port: + default: 587 + type: integer + timeout: + default: 30 + type: integer + use_ssl: + default: false + type: boolean + use_tls: + default: false + type: boolean + type: object + image: + default: + project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 + examples: + - project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 + properties: + project: + default: goauthentik + type: string + pullPolicy: + default: IfNotPresent + type: string + registry: + default: ghcr.io + type: string + repository: + default: goauthentik/server + type: string + tag: + default: 2023.5.4 + type: string + type: object + admin: + default: + email: auth-admin + examples: + - email: auth-admin + properties: + email: + default: auth-admin + type: string + type: object + geoip: + default: /geoip/GeoLite2-City.mmdb + 
examples: + - /geoip/GeoLite2-City.mmdb + type: string + ingress-class: + default: traefik + examples: + - traefik + type: string domain: default: your-company examples: - your-company type: string - loglevel: - default: info + sub-domain: + default: auth examples: - - info + - auth type: string dependencies: - dist: null
diff --git a/share/authentik/postgresql.tf b/share/authentik/postgresql.tf
index 6b8c703..3c2554e 100644
--- a/share/authentik/postgresql.tf
+++ b/share/authentik/postgresql.tf
@@ -24,3 +24,67 @@ resource "kubectl_manifest" "authentik_postgresql" {
 size: "${var.postgres.storage}"
 EOF
 }
+
+// Since each authentik worker create a new connection to the DB
+// lots of logs are created mesuring in GBs of junk
+// So a dayly cleanup make sense
+resource "kubectl_manifest" "authentik_cleanup_logs_script" {
+ yaml_body = <<-EOF
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${var.instance}-${var.component}-cleanlogs"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ data:
+ "clean.sh": |-
+ #!/bin/ash
+ grep log /pgdata/pgroot/data/postgresql.conf|grep conn
+ echo "$(date '+%T') - Enforcing configuration"
+ sed -i "s/^log_connections.*/log_connections = 'off'/;s/^log_disconnections.*/log_disconnections = 'off'/" /pgdata/pgroot/data/postgresql.conf
+ grep log /pgdata/pgroot/data/postgresql.conf|grep conn
+ for i in /pgdata/pgroot/pg_log/*csv;do echo "$(date '+%T') - Cleaning $i";sed -i '/connection/d' "$i";done
+ df -h /pgdata/pgroot
+ EOF
+}
+resource "kubectl_manifest" "authentik_cleanup_logs_job" {
+ yaml_body = <<-EOF
+ apiVersion: batch/v1
+ kind: CronJob
+ metadata:
+ name: "${var.instance}-${var.component}-cleanlogs"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ spec:
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: "${var.postgres.cleanlogs.image}"
+ imagePullPolicy: IfNotPresent
+ name: cleanlogs
+ command: ["/bin/ash"]
+ args: ["/script/clean.sh"]
+ volumeMounts:
+ - mountPath: /pgdata
+ name: pgdata
+ - mountPath: /script
+ name: script
+ securityContext:
+ fsGroup: 100
+ runAsGroup: 100
+ runAsUser: 405
+ volumes:
+ - name: script
+ configMap:
+ name: ${kubectl_manifest.authentik_cleanup_logs_script.name}
+ - name: pgdata
+ persistentVolumeClaim:
+ claimName: pgdata-${var.instance}-${var.component}-0
+ schedule: "${var.postgres.cleanlogs.image}"
+ successfulJobsHistoryLimit: 3
+ EOF
+}
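Review bot: `schedule: "${var.postgres.cleanlogs.image}"` at the end of the CronJob spec interpolates the image reference where the cron expression belongs, so the rendered manifest carries `docker.io/alpine:3.18` as its schedule and the API server will reject it; it should read `schedule: "${var.postgres.cleanlogs.schedule}"`. The pod template also sets no `restartPolicy`, and a Job template is only valid with `Never` or `OnFailure`, so add `restartPolicy: Never` next to `securityContext:`. Separately, rewriting `postgresql.conf` with `sed -i` from a separate pod has no effect until the server reloads its configuration, and `sed -i` on a CSV log the running server holds open replaces the file with a new inode, so the server presumably keeps appending to the unlinked copy until the next rotation and the `df -h` line will not show space reclaimed — verify this against the log rotation settings before relying on the job. Since this container gets write access to the database's data directory, consider pinning `docker.io/alpine:3.18` by digest and adding `allowPrivilegeEscalation: false` to the container's security context. The comment typos (`create`, `mesuring`, `dayly`) should read `creates`, `measuring`, `daily`.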