From b93bc6bb8e9346412c1d2161b9270c7cbf39ac11 Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Thu, 15 Feb 2024 19:46:29 +0100
Subject: [PATCH] authentik-remote-cluster: rework
Signed-off-by: Marc 'risson' Schmitt
---
 charts/authentik-remote-cluster/Chart.yaml | 4 +-
 charts/authentik-remote-cluster/README.md | 30 +++++-----
 .../authentik-remote-cluster/README.md.gotmpl | 4 +-
 .../templates/_helpers.tpl | 57 +++++++++++--------
 .../templates/cluster-role-binding.yaml | 21 -------
 .../{cluster-role.yaml => clusterrole.yaml} | 5 +-
 .../templates/clusterrolebinding.yaml | 20 +++++++
 .../templates/role-binding.yaml | 20 -------
 .../templates/role.yaml | 22 ++++---
 .../templates/rolebinding.yaml | 19 +++++++
 .../templates/service-account-secret.yaml | 16 ------
 .../templates/service-account.yaml | 12 ----
 .../templates/serviceaccount-secret.yaml | 15 +++++
 .../templates/serviceaccount.yaml | 11 ++++
 charts/authentik-remote-cluster/values.yaml | 18 ++++++
 15 files changed, 152 insertions(+), 122 deletions(-)
 delete mode 100644 charts/authentik-remote-cluster/templates/cluster-role-binding.yaml
 rename charts/authentik-remote-cluster/templates/{cluster-role.yaml => clusterrole.yaml} (64%)
 create mode 100644 charts/authentik-remote-cluster/templates/clusterrolebinding.yaml
 delete mode 100644 charts/authentik-remote-cluster/templates/role-binding.yaml
 create mode 100644 charts/authentik-remote-cluster/templates/rolebinding.yaml
 delete mode 100644 charts/authentik-remote-cluster/templates/service-account-secret.yaml
 delete mode 100644 charts/authentik-remote-cluster/templates/service-account.yaml
 create mode 100644 charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml
 create mode 100644 charts/authentik-remote-cluster/templates/serviceaccount.yaml
diff --git a/charts/authentik-remote-cluster/Chart.yaml b/charts/authentik-remote-cluster/Chart.yaml
index 3e171f01..e62e4c1c 100644
--- a/charts/authentik-remote-cluster/Chart.yaml
+++ b/charts/authentik-remote-cluster/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-version: 1.2.2
-appVersion: 2023.6.0
+version: 2.0.0
+appVersion: 2024.2.0
 name: authentik-remote-cluster
 description: RBAC required for a remote cluster to be connected to authentik.
 type: application
diff --git a/charts/authentik-remote-cluster/README.md b/charts/authentik-remote-cluster/README.md
index 11d0357b..c4b927df 100644
--- a/charts/authentik-remote-cluster/README.md
+++ b/charts/authentik-remote-cluster/README.md
@@ -5,8 +5,8 @@ --- [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) -![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge) -![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge) +![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=for-the-badge) +![AppVersion: 2024.2.0](https://img.shields.io/badge/AppVersion-2024.2.0-informational?style=for-the-badge) RBAC required for a remote cluster to be connected to authentik. 
@@ -14,21 +14,25 @@ RBAC required for a remote cluster to be connected to authentik. ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | +| Name | Email | Url | +| -------------- | ---------------------- | ------------------------ | | authentik Team | | | ## Source Code -* -* +- +- ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| annotations | object | `{}` | | -| clusterRole.enabled | bool | `true` | | -| fullnameOverride | string | `""` | | -| nameOverride | string | `""` | | -| serviceAccountSecret.enabled | bool | `true` | | +| Key | Type | Default | Description | +| ---------------------------- | ------ | ------- | ------------------------------------------------------------------------------------------------- | +| annotations | object | `{}` | Annotations to apply to all resources | +| clusterRole.enabled | bool | `true` | Create a clusterole in addition to a namespaced role. | +| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible | +| global.additionalLabels | object | `{}` | Common labels for all resources. | +| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` | +| global.nameOverride | string | `""` | Provide a name in place of `authentik` | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `""` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible | +| serviceAccountSecret.enabled | bool | `true` | Create a secret with the service account credentials |
diff --git a/charts/authentik-remote-cluster/README.md.gotmpl b/charts/authentik-remote-cluster/README.md.gotmpl
index 3285369a..84f54f58 100644
--- a/charts/authentik-remote-cluster/README.md.gotmpl
+++ b/charts/authentik-remote-cluster/README.md.gotmpl 
@@ -5,8 +5,8 @@ --- [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) -![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge) -![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge) +![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=for-the-badge) +![AppVersion: 2024.2.0](https://img.shields.io/badge/AppVersion-2024.2.0-informational?style=for-the-badge) {{ template "chart.deprecationWarning" . }}
diff --git a/charts/authentik-remote-cluster/templates/_helpers.tpl b/charts/authentik-remote-cluster/templates/_helpers.tpl
index b5d39159..29161c5a 100644
--- a/charts/authentik-remote-cluster/templates/_helpers.tpl
+++ b/charts/authentik-remote-cluster/templates/_helpers.tpl
@@ -1,9 +1,15 @@
+{{/* vim: set filetype=mustache: */}}
+
 {{/*
-Expand the name of the chart.
+Expand the name of the chart
 */}}
 {{- define "authentik-remote-cluster.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
+{{- $globalNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}}
+{{- end -}}
+{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{/*
 Create a default fully qualified app name. 
@@ -11,21 +17,22 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "authentik-remote-cluster.fullname" -}}
-{{- if not .Chart.IsRoot }}
-{{- .Release.Name }}
-{{- else }}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
+{{- $name := include "authentik-remote-cluster.name" . -}}
+{{- $globalFullNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}}
+{{- end -}}
+{{- if or .Values.fullnameOverride $globalFullNameOverride -}}
+{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}}
+{{- else -}}
+{{- if contains $name .Release.Name -}}
+{{- $name = .Release.Name -}}
+{{- else -}}
+{{- $name = printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
+{{- trunc 63 $name | trimSuffix "-" -}}
+{{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label. 
@@ -38,13 +45,15 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "authentik-remote-cluster.labels" -}}
-helm.sh/chart: {{ include "authentik-remote-cluster.chart" . }}
-app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+helm.sh/chart: {{ include "authentik-remote-cluster.chart" .context | quote }}
+app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" .context | quote }}
+app.kubernetes.io/instance: {{ .context.Release.Name | quote }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }}
+app.kubernetes.io/part-of: "authentik"
+app.kubernetes.io/version: {{ .context.Chart.Version | quote }}
+{{- with .context.Values.global.additionalLabels }}
+{{ toYaml . }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{- define "authentik-remote-cluster.api-verbs-rw" -}}
diff --git a/charts/authentik-remote-cluster/templates/cluster-role-binding.yaml b/charts/authentik-remote-cluster/templates/cluster-role-binding.yaml
deleted file mode 100644
index 0f05d1b3..00000000
--- a/charts/authentik-remote-cluster/templates/cluster-role-binding.yaml
+++ /dev/null 
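Review bot: `app.kubernetes.io/version` now carries `.context.Chart.Version`, the chart's own version, which the `helm.sh/chart` label a few lines above already encodes; the recommended-label semantics are the application's version, so `app.kubernetes.io/version: {{ .context.Chart.AppVersion | quote }}` keeps the label meaningful for anyone selecting or auditing resources by app version. Separately, `{{- with .context.Values.global.additionalLabels }}` dereferences `global` with no guard, while the name and fullname helpers changed in this same patch wrap the equivalent access in `hasKey .Values "global"`; if `global` can be absent for some consumer, this `with` fails with a nil-pointer evaluation, so either guard it the same way or drop the guards elsewhere so the three helpers agree. The define's closing `{{- end }}` is inside the hunk; the `api-verbs-rw` define that follows continues outside it.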
@@ -1,21 +0,0 @@
-{{- if .Values.clusterRole.enabled -}}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
- labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
- {{- with .Values.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/authentik-remote-cluster/templates/cluster-role.yaml b/charts/authentik-remote-cluster/templates/clusterrole.yaml
similarity index 64%
rename from charts/authentik-remote-cluster/templates/cluster-role.yaml
rename to charts/authentik-remote-cluster/templates/clusterrole.yaml
index 4f24e262..8ec94a8b 100644
--- a/charts/authentik-remote-cluster/templates/cluster-role.yaml
+++ b/charts/authentik-remote-cluster/templates/clusterrole.yaml
@@ -1,11 +1,10 @@
 {{- if .Values.clusterRole.enabled -}}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}-{{ .Release.Namespace }}
+ name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
 labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
 {{- with .Values.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
diff --git a/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml b/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..144e9366
--- /dev/null
+++ b/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml 
@@ -0,0 +1,20 @@
+{{- if .Values.clusterRole.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
+ labels:
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/authentik-remote-cluster/templates/role-binding.yaml b/charts/authentik-remote-cluster/templates/role-binding.yaml
deleted file mode 100644
index ea9279f4..00000000
--- a/charts/authentik-remote-cluster/templates/role-binding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
- {{- with .Values.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "authentik-remote-cluster.fullname" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
diff --git a/charts/authentik-remote-cluster/templates/role.yaml b/charts/authentik-remote-cluster/templates/role.yaml
index 1496f1f6..18e5b9cb 100644
--- a/charts/authentik-remote-cluster/templates/role.yaml
+++ b/charts/authentik-remote-cluster/templates/role.yaml 
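Review bot: The subject's `name: {{ template "authentik-remote-cluster.fullname" . }}` is the one templated name in this new ClusterRoleBinding that is not piped through `| quote`, while the metadata name, the roleRef name and the namespace on the adjacent lines all are; `template` cannot be piped, so `name: {{ include "authentik-remote-cluster.fullname" . | quote }}` makes the manifest consistent and protects the binding against a fullnameOverride value that YAML would otherwise retype (all digits, boolean-looking). The same unquoted `template` form appears in role.yaml, rolebinding.yaml, serviceaccount.yaml and serviceaccount-secret.yaml in this patch; the fullname helper already truncates to 63 characters, so the quoted form changes nothing else. A one-line header comment stating that this binding hands the namespaced ServiceAccount cluster-wide rights under `clusterRole.enabled` would also help reviewers of the rendered RBAC, since the rules themselves live in clusterrole.yaml outside this hunk.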
@@ -1,11 +1,10 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
 labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
 {{- with .Values.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
@@ -17,30 +16,35 @@ rules:
 - secrets
 - services
 - configmaps
- verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+ verbs:
+ {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
 - apiGroups:
 - extensions
 - apps
 resources:
 - deployments
- verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+ verbs:
+ {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
 - apiGroups:
 - extensions
 - networking.k8s.io
 resources:
 - ingresses
- verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+ verbs:
+ {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
 - apiGroups:
 - traefik.containo.us
 - traefik.io
 resources:
 - middlewares
- verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+ verbs:
+ {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
 - apiGroups:
 - monitoring.coreos.com
 resources:
 - servicemonitors
- verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+ verbs:
+ {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
 - apiGroups:
 - apiextensions.k8s.io
 resources:
diff --git a/charts/authentik-remote-cluster/templates/rolebinding.yaml b/charts/authentik-remote-cluster/templates/rolebinding.yaml
new file mode 100644
index 00000000..d776a8e3
--- /dev/null
+++ b/charts/authentik-remote-cluster/templates/rolebinding.yaml 
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
diff --git a/charts/authentik-remote-cluster/templates/service-account-secret.yaml b/charts/authentik-remote-cluster/templates/service-account-secret.yaml
deleted file mode 100644
index bc324120..00000000
--- a/charts/authentik-remote-cluster/templates/service-account-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.serviceAccountSecret.enabled -}}
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
- annotations:
- kubernetes.io/service-account.name: {{ include "authentik-remote-cluster.fullname" . }}
- {{- with .Values.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/authentik-remote-cluster/templates/service-account.yaml b/charts/authentik-remote-cluster/templates/service-account.yaml
deleted file mode 100644
index 0c271de4..00000000
--- a/charts/authentik-remote-cluster/templates/service-account.yaml
+++ /dev/null 
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "authentik-remote-cluster.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
- {{- with .Values.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml b/charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml
new file mode 100644
index 00000000..5774d27d
--- /dev/null
+++ b/charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccountSecret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+ annotations:
+ kubernetes.io/service-account.name: {{ template "authentik-remote-cluster.fullname" . }}
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/authentik-remote-cluster/templates/serviceaccount.yaml b/charts/authentik-remote-cluster/templates/serviceaccount.yaml
new file mode 100644
index 00000000..cd618557
--- /dev/null
+++ b/charts/authentik-remote-cluster/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "authentik-remote-cluster.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/charts/authentik-remote-cluster/values.yaml b/charts/authentik-remote-cluster/values.yaml
index c2ccb66d..3c9fcd92 100644
--- a/charts/authentik-remote-cluster/values.yaml 
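Review bot: The new serviceaccount-secret.yaml creates a `kubernetes.io/service-account-token` Secret, which the token controller fills with a long-lived, non-expiring bearer token for the ServiceAccount that role.yaml and clusterrolebinding.yaml bind, and it is on by default through `serviceAccountSecret.enabled: true`, yet the template says nothing about what it is issuing. A header comment such as `{{/* Long-lived ServiceAccount token handed to the remote authentik instance; deleting this Secret invalidates the token and the next install/upgrade issues a fresh one. */}}` would make the credential's lifetime and rotation path visible to whoever renders the chart. Note also that `.Values.annotations` is merged into the same `annotations:` mapping after `kubernetes.io/service-account.name`, so a user annotation with that key would yield a duplicate YAML key rather than a clear error; a `hasKey` check before the `with` would surface that. The Role whose rights this token carries is defined in role.yaml outside this hunk.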
+++ b/charts/authentik-remote-cluster/values.yaml
@@ -1,10 +1,28 @@
+---
+# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
 nameOverride: ""
+# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
 fullnameOverride: ""
+# -- Override the Kubernetes version, which is used to evaluate certain manifests
+kubeVersionOverride: ""
 
+## Globally shared configuration for authentik components.
+global:
+ # -- Provide a name in place of `authentik`
+ nameOverride: ""
+ # -- String to fully override `"authentik.fullname"`
+ fullnameOverride: ""
+ # -- Common labels for all resources.
+ additionalLabels: {}
+ # app: authentik
+
+# -- Annotations to apply to all resources
 annotations: {}
 
 serviceAccountSecret:
+ # -- Create a secret with the service account credentials
 enabled: true
 
 clusterRole:
+ # -- Create a clusterole in addition to a namespaced role.
 enabled: true
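Review bot: The comment added above `clusterRole.enabled` misspells the resource and is what helm-docs copies into README.md: `# -- Create a ClusterRole in addition to a namespaced Role.` `kubeVersionOverride` is documented here as affecting "certain manifests", but none of the templates touched in this patch read `.Values.kubeVersionOverride`; unless a template outside the patch consumes it, it is a documented no-op and should either be wired into a helper or left out until it is used. The `serviceAccountSecret.enabled` comment would also benefit from naming what the default `true` produces, e.g. `# -- Create a Secret holding a long-lived service-account token for the remote authentik instance`, so the credential's nature is stated where operators decide on it.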