Merge pull request #13 from goauthentik/1.1.0

v1.1.0

README.md

@@ -1,6 +1,6 @@
 # authentik
 
-![Version: 1.0.3](https://img.shields.io/badge/Version-1.0.3-informational?style=flat-square) ![AppVersion: 2021.5.4](https://img.shields.io/badge/AppVersion-2021.5.4-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2021.5.4](https://img.shields.io/badge/AppVersion-2021.5.4-informational?style=flat-square)
 
 authentik is an open-source Identity Provider focused on flexibility and versatility
 
@@ -58,6 +58,7 @@ redis:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity applied to the deployments |
+| authentik.authentik.geoip | string | `"/geoip/GeoLite2-City.mmdb"` |  |
 | authentik.email.from | string | `""` | Email from address, can either be in the format "foo@bar.baz" or "Authentik <foo@bar.baz>" |
 | authentik.email.host | string | `""` | SMTP Server emails are sent from, fully optional |
 | authentik.email.password | string | `""` | SMTP credentials, when left empty, not authentication will be done |
@@ -91,8 +92,9 @@ redis:
 | geoip.accountId | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup |
 | geoip.editionIds | string | `"GeoLite2-City"` |  |
 | geoip.enabled | bool | `false` | optional GeoIP, deploys a cronjob to download the maxmind database |
+| geoip.image | string | `"maxmindinc/geoipupdate:v4.7"` |  |
 | geoip.licenseKey | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup |
-| geoip.schedule | string | `"0 */8 * * *"` |  |
+| geoip.updateInterval | int | `8` | number of hours between update runs |
 | image.name | string | `"ghcr.io/goauthentik/server"` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.tag | string | `"2021.5.4"` |  |
@@ -113,16 +115,17 @@ redis:
 | postgresql.postgresqlUsername | string | `"authentik"` |  |
 | prometheus.rules.create | bool | `false` |  |
 | prometheus.serviceMonitor.create | bool | `false` |  |
-| prometheus.serviceMonitor.interval | string | `"10s"` |  |
+| prometheus.serviceMonitor.interval | string | `"30s"` |  |
 | prometheus.serviceMonitor.scrapeTimeout | string | `"3s"` |  |
 | prometheus.serviceMonitor.secret.name | string | `""` |  |
-| prometheus.serviceMonitor.secret.passwordKey | string | `""` |  |
-| prometheus.serviceMonitor.secret.usernameKey | string | `""` |  |
+| prometheus.serviceMonitor.secret.passwordKey | string | `"password"` | password is the secret key |
+| prometheus.serviceMonitor.secret.usernameKey | string | `"username"` | username *value* currently _MUST_ be "monitor" |
 | readinessProbe.enabled | bool | `true` |  |
 | readinessProbe.httpGet.path | string | `"/-/health/ready/"` |  |
 | readinessProbe.httpGet.port | string | `"http"` |  |
 | readinessProbe.initialDelaySeconds | int | `15` |  |
 | readinessProbe.periodSeconds | int | `10` |  |
+| redis.architecture | string | `"standalone"` |  |
 | redis.auth.enabled | bool | `false` |  |
 | redis.enabled | bool | `false` | enable the bundled bitnami redis chart |
 | replicas | int | `1` | Server replicas |

charts/authentik/Chart.yaml

@@ -16,7 +16,7 @@ keywords:
   - ldap
   - idp
   - sp
-version: 1.0.3
+version: 1.1.0
 appVersion: 2021.5.4
 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
 maintainers:
@@ -39,6 +39,9 @@ dependencies:
     repository: https://library-charts.k8s-at-home.com
     version: 2.4.0
 annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: migrate GeoIP from CronJob to sidecar with emptyDir
   artifacthub.io/license: GPL-3.0-only
   artifacthub.io/links: |
     - name: Github

charts/authentik/README.md

@@ -1,6 +1,6 @@
 # authentik
 
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![AppVersion: 2021.5.4](https://img.shields.io/badge/AppVersion-2021.5.4-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: 2021.5.4](https://img.shields.io/badge/AppVersion-2021.5.4-informational?style=flat-square)
 
 authentik is an open-source Identity Provider focused on flexibility and versatility
 
@@ -58,6 +58,7 @@ redis:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity applied to the deployments |
+| authentik.authentik.geoip | string | `"/geoip/GeoLite2-City.mmdb"` |  |
 | authentik.email.from | string | `""` | Email from address, can either be in the format "foo@bar.baz" or "Authentik <foo@bar.baz>" |
 | authentik.email.host | string | `""` | SMTP Server emails are sent from, fully optional |
 | authentik.email.password | string | `""` | SMTP credentials, when left empty, not authentication will be done |
@@ -91,8 +92,9 @@ redis:
 | geoip.accountId | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup |
 | geoip.editionIds | string | `"GeoLite2-City"` |  |
 | geoip.enabled | bool | `false` | optional GeoIP, deploys a cronjob to download the maxmind database |
+| geoip.image | string | `"maxmindinc/geoipupdate:v4.7"` |  |
 | geoip.licenseKey | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup |
-| geoip.schedule | string | `"0 */8 * * *"` |  |
+| geoip.updateInterval | int | `8` | number of hours between update runs |
 | image.name | string | `"ghcr.io/goauthentik/server"` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.tag | string | `"2021.5.4"` |  |
@@ -113,16 +115,17 @@ redis:
 | postgresql.postgresqlUsername | string | `"authentik"` |  |
 | prometheus.rules.create | bool | `false` |  |
 | prometheus.serviceMonitor.create | bool | `false` |  |
-| prometheus.serviceMonitor.interval | string | `"10s"` |  |
+| prometheus.serviceMonitor.interval | string | `"30s"` |  |
 | prometheus.serviceMonitor.scrapeTimeout | string | `"3s"` |  |
 | prometheus.serviceMonitor.secret.name | string | `""` |  |
-| prometheus.serviceMonitor.secret.passwordKey | string | `""` |  |
-| prometheus.serviceMonitor.secret.usernameKey | string | `""` |  |
+| prometheus.serviceMonitor.secret.passwordKey | string | `"password"` | password is the secret key |
+| prometheus.serviceMonitor.secret.usernameKey | string | `"username"` | username *value* currently _MUST_ be "monitor" |
 | readinessProbe.enabled | bool | `true` |  |
 | readinessProbe.httpGet.path | string | `"/-/health/ready/"` |  |
 | readinessProbe.httpGet.port | string | `"http"` |  |
 | readinessProbe.initialDelaySeconds | int | `15` |  |
 | readinessProbe.periodSeconds | int | `10` |  |
+| redis.architecture | string | `"standalone"` |  |
 | redis.auth.enabled | bool | `false` |  |
 | redis.enabled | bool | `false` | enable the bundled bitnami redis chart |
 | replicas | int | `1` | Server replicas |

charts/authentik/templates/deployment.yaml

@@ -32,6 +32,24 @@ spec:
       {{- end }}
       enableServiceLinks: true
       containers:
+      {{- if $.Values.geoip.enabled }}
+        - name: geoip-sidecar
+          image: "{{ $.Values.geoip.image }}"
+          env:
+            - name: GEOIPUPDATE_FREQUENCY
+              value: {{ $.Values.geoip.updateInterval | quote }}
+            - name: GEOIPUPDATE_PRESERVE_FILE_TIMES
+              value: "1"
+            - name: GEOIPUPDATE_ACCOUNT_ID
+              value: {{ required "geoip account id required" $.Values.geoip.accountId | quote }}
+            - name: GEOIPUPDATE_LICENSE_KEY
+              value: {{ required "geoip license key required" $.Values.geoip.licenseKey | quote }}
+            - name: GEOIPUPDATE_EDITION_IDS
+              value: {{ required "geoip edition id required" $.Values.geoip.editionIds | quote }}
+          volumeMounts:
+            - name: geoip-db
+              mountPath: /usr/share/GeoIP
+      {{- end }}
         - name: {{ $.Chart.Name }}
           image: "{{ $.Values.image.name }}:{{ $.Values.image.tag }}"
           imagePullPolicy: "{{ $.Values.image.pullPolicy }}"
@@ -51,9 +69,11 @@ spec:
           envFrom:
               {{- toYaml . | nindent 12 }}
             {{- end }}
-            {{- with $.Values.volumeMounts }}
           volumeMounts:
-              {{- toYaml . | nindent 12 }}
+            - name: geoip-db
+              mountPath: /geoip
+            {{- with $.Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
             {{- if eq . "server" }}
           ports:
@@ -80,8 +100,10 @@ spec:
           resources:
               {{- toYaml . | nindent 12 }}
             {{- end }}
-      {{- with $.Values.volumes }}
       volumes:
+        - name: geoip-db
+          emptyDir: {}
+      {{- with $.Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
 {{- end }}

charts/authentik/values.yaml

@@ -22,6 +22,8 @@ ingress:
           pathType: Prefix
 
 authentik:
+  authentik:
+    geoip: /geoip/GeoLite2-City.mmdb
   # -- Log level for server and worker
   log_level: info
   # -- Secret key used for cookie singing and unique user IDs,
@@ -152,25 +154,28 @@ serviceAccount:
 prometheus:
   serviceMonitor:
     create: false
-    interval: 10s
+    interval: 30s
     scrapeTimeout: 3s
     secret:
       name: ""
-      # username currently _MUST_ be "monitor"
-      usernameKey: ""
-      passwordKey: ""
+      # -- username *value* currently _MUST_ be "monitor"
+      usernameKey: username
+      # -- password is the secret key
+      passwordKey: password
   rules:
     create: false
 
 geoip:
   # -- optional GeoIP, deploys a cronjob to download the maxmind database
   enabled: false
-  schedule: "0 */8 * * *"
   # -- sign up under https://www.maxmind.com/en/geolite2/signup
   accountId: ""
   # -- sign up under https://www.maxmind.com/en/geolite2/signup
   licenseKey: ""
   editionIds: "GeoLite2-City"
+  image: maxmindinc/geoipupdate:v4.7
+  # -- number of hours between update runs
+  updateInterval: 8
 
 postgresql:
   # -- enable the bundled bitnami postgresql chart