DirectorySecurity AdvisoriesPricing
Sign in
Directory
authentik logoHELM

authentik

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
2
nameOverride: ""
3
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
4
fullnameOverride: ""
5
# -- Override the Kubernetes version, which is used to evaluate certain manifests
6
kubeVersionOverride: ""
7
## Globally shared configuration for authentik components.
8
global:
9
# To override bitnami images
10
security:
11
allowInsecureImages: true
12
# -- Provide a name in place of `authentik`
13
nameOverride: ""
14
# -- String to fully override `"authentik.fullname"`
15
fullnameOverride: ""
16
# -- A custom namespace to override the default namespace for the deployed resources.
17
namespaceOverride: ""
18
# -- Common labels for all resources.
19
additionalLabels: {}
20
# app: authentik
21
22
# Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
23
revisionHistoryLimit: 3
24
# Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
25
image:
26
# -- If defined, a repository applied to all authentik deployments
27
repository: cgr.dev/chainguard-private/authentik
28
# -- Overrides the global authentik whose default is the chart appVersion
29
tag: latest
30
# -- If defined, an image digest applied to all authentik deployments
31
digest: sha256:528969df81162a916ba2e5f2d597da0986cd24f93cfd9bb4c4dad19c8edba405
32
# -- If defined, an imagePullPolicy applied to all authentik deployments
33
pullPolicy: IfNotPresent
34
# -- Secrets with credentials to pull images from a private registry
35
imagePullSecrets: []
36
# -- Annotations for all deployed Deployments
37
deploymentAnnotations: {}
38
# -- Annotations for all deployed pods
39
podAnnotations: {}
40
# -- Annotations for all deployed secrets
41
secretAnnotations: {}
42
# -- Labels for all deployed pods
43
podLabels: {}
44
# -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
45
addPrometheusAnnotations: false
46
# -- Toggle and define pod-level security context.
47
# @default -- `{}` (See [values.yaml])
48
securityContext: {}
49
# runAsUser: 1000
50
# runAsGroup: 1000
51
# fsGroup: 1000
52
53
# -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
54
hostAliases: []
55
# - ip: 10.20.30.40
56
# hostnames:
57
# - my.hostname
58
59
# -- Default priority class for all components
60
priorityClassName: ""
61
# -- Default node selector for all components
62
nodeSelector: {}
63
# -- Default tolerations for all components
64
tolerations: []
65
# Default affinity preset for all components
66
affinity:
67
# -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard`
68
podAntiAffinity: soft
69
# Node affinity rules
70
nodeAffinity:
71
# -- Default node affinity rules. Either `none`, `soft` or `hard`
72
type: hard
73
# -- Default match expressions for node affinity
74
matchExpressions: []
75
# - key: topology.kubernetes.io/zone
76
# operator: In
77
# values:
78
# - zonea
79
# - zoneb
80
# -- Default [TopologySpreadConstraints] rules for all components
81
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
82
topologySpreadConstraints: []
83
# - maxSkew: 1
84
# topologyKey: topology.kubernetes.io/zone
85
# whenUnsatisfiable: DoNotSchedule
86
87
# -- Deployment strategy for all deployed Deployments
88
deploymentStrategy: {}
89
# type: RollingUpdate
90
# rollingUpdate:
91
# maxSurge: 25%
92
# maxUnavailable: 25%
93
94
# -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
95
# See configuration options at https://goauthentik.io/docs/installation/configuration/
96
# @default -- `[]` (See [values.yaml])
97
env: []
98
# - name: AUTHENTIK_VAR_NAME
99
# value: VALUE
100
# - name: AUTHENTIK_VAR_OTHER
101
# valueFrom:
102
# secretKeyRef:
103
# name: secret-name
104
# key: secret-key
105
# - name: AUTHENTIK_VAR_ANOTHER
106
# valueFrom:
107
# configMapKeyRef:
108
# name: config-map-name
109
# key: config-map-key
110
111
# -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP
112
# @default -- `[]` (See [values.yaml])
113
envFrom: []
114
# - configMapRef:
115
# name: config-map-name
116
# - secretRef:
117
# name: secret-name
118
119
# -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
120
# @default -- `[]` (See [values.yaml])
121
volumeMounts: []
122
# - name: custom
123
# mountPath: /custom
124
125
# -- Additional volumes to all deployed Deployments.
126
# @default -- `[]` (See [values.yaml])
127
volumes: []
128
# - name: custom
129
# emptyDir: {}
130
# -- Authentik configuration. See the [authentik configuration docs] for details about which values are accepted here. See the note at the top of that page for details about transforming environment variable names into values here.
131
# @default -- See [values.yaml]
132
authentik:
133
# -- whether to create the authentik configuration secret
134
enabled: true
135
# -- Log level for server and worker
136
log_level: info
137
# -- Secret key used for cookie singing and unique user IDs,
138
# don't change this after the first install
139
secret_key: ""
140
## use existing secret for authentik configuration instead of creating one
141
## WARNING: when set, authentik.* secret values are ignored
142
existingSecret:
143
# -- name of an existing secret to use for authentik configuration. This secret must contain keys matching configuration option names, see the docs for the full list of configuration options https://docs.goauthentik.io/install-config/configuration/
144
secretName: ""
145
events:
146
context_processors:
147
# -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
148
geoip: /geoip/GeoLite2-City.mmdb
149
# -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
150
asn: /geoip/GeoLite2-ASN.mmdb
151
web:
152
# -- Relative path the authentik instance will be available at. Value _must_ contain both a leading and trailing slash.
153
path: /
154
email:
155
# -- SMTP Server emails are sent from, fully optional
156
host: ""
157
# -- SMTP server port
158
port: 587
159
# -- SMTP credentials, when left empty, no authentication will be done
160
username: ""
161
# -- SMTP credentials, when left empty, no authentication will be done
162
password: ""
163
# -- Use StartTLS. Enable either use_tls or use_ssl, they can't be enabled at the same time.
164
use_tls: false
165
# -- Use SSL. Enable either use_tls or use_ssl, they can't be enabled at the same time.
166
use_ssl: false
167
# -- Connection timeout
168
timeout: 30
169
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
170
from: ""
171
outposts:
172
# -- Template used for managed outposts. The following placeholders can be used
173
# %(type)s - the type of the outpost
174
# %(version)s - version of your authentik install
175
# %(build_hash)s - only for beta versions, the build hash of the image
176
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
177
error_reporting:
178
# -- This sends anonymous usage-data, stack traces on errors and
179
# performance data to sentry.beryju.org, and is fully opt-in
180
enabled: false
181
# -- This is a string that is sent to sentry with your error reports
182
environment: "k8s"
183
# -- Send PII (Personally identifiable information) data to sentry
184
send_pii: false
185
postgresql:
186
# -- set the postgresql hostname to talk to
187
# if unset and .Values.postgresql.enabled == true, will generate the default
188
# @default -- `{{ .Release.Name }}-postgresql`
189
host: "{{ .Release.Name }}-postgresql"
190
# -- postgresql Database name
191
# @default -- `authentik`
192
name: "authentik"
193
# -- postgresql Username
194
# @default -- `authentik`
195
user: "authentik"
196
# -- postgresql password
197
password: ""
198
# -- postgresql port
199
port: 5432
200
blueprints:
201
# -- List of config maps to mount blueprints from.
202
# Only keys in the configMap ending with `.yaml` will be discovered and applied.
203
configMaps: []
204
# -- List of secrets to mount blueprints from.
205
# Only keys in the secret ending with `.yaml` will be discovered and applied.
206
secrets: []
207
## authentik server
208
server:
209
# -- whether to enable server resources
210
enabled: true
211
# -- authentik server name
212
name: server
213
# -- The number of server pods to run
214
replicas: 1
215
## authentik server Horizontal Pod Autoscaler
216
autoscaling:
217
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server
218
enabled: false
219
# -- Minimum number of replicas for the authentik server [HPA]
220
minReplicas: 1
221
# -- Maximum number of replicas for the authentik server [HPA]
222
maxReplicas: 5
223
# -- Average CPU utilization percentage for the authentik server [HPA]
224
targetCPUUtilizationPercentage: 50
225
# -- Average memory utilization percentage for the authentik server [HPA]
226
targetMemoryUtilizationPercentage: ~
227
# -- Configures the scaling behavior of the target in both Up and Down directions.
228
behavior: {}
229
# scaleDown:
230
# stabilizationWindowSeconds: 300
231
# policies:
232
# - type: Pods
233
# value: 1
234
# periodSeconds: 180
235
# scaleUp:
236
# stabilizationWindowSeconds: 300
237
# policies:
238
# - type: Pods
239
# value: 2
240
# periodSeconds: 60
241
# -- Configures custom HPA metrics for the authentik server
242
# Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
243
metrics: []
244
## authentik server Pod Disruption Budget
245
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
246
pdb:
247
# -- Deploy a [PodDistrubtionBudget] for the authentik server
248
enabled: false
249
# -- Labels to be added to the authentik server pdb
250
labels: {}
251
# -- Annotations to be added to the authentik server pdb
252
annotations: {}
253
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
254
# @default -- `""` (defaults to 0 if not specified)
255
minAvailable: ""
256
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
257
## Has higher precedence over `server.pdb.minAvailable`
258
maxUnavailable: ""
259
## authentik server image
260
## This should match what is deployed in the worker. Prefer using global.image
261
image:
262
# -- Repository to use to the authentik server
263
# @default -- `""` (defaults to global.image.repository)
264
repository: "" # defaults to global.image.repository
265
# -- Tag to use to the authentik server
266
# @default -- `""` (defaults to global.image.tag)
267
tag: "" # defaults to global.image.tag
268
# -- Digest to use to the authentik server
269
# @default -- `""` (defaults to global.image.digest)
270
digest: "" # defaults to global.image.digest
271
# -- Image pull policy to use to the authentik server
272
# @default -- `""` (defaults to global.image.pullPolicy)
273
pullPolicy: "" # defaults to global.image.pullPolicy
274
# -- Secrets with credentials to pull images from a private registry
275
# @default -- `[]` (defaults to global.imagePullSecrets)
276
imagePullSecrets: []
277
# -- Environment variables to pass to the authentik server. Does not apply to GeoIP
278
# See configuration options at https://goauthentik.io/docs/installation/configuration/
279
# @default -- `[]` (See [values.yaml])
280
env: []
281
# - name: AUTHENTIK_VAR_NAME
282
# value: VALUE
283
# - name: AUTHENTIK_VAR_OTHER
284
# valueFrom:
285
# secretKeyRef:
286
# name: secret-name
287
# key: secret-key
288
# - name: AUTHENTIK_VAR_ANOTHER
289
# valueFrom:
290
# configMapKeyRef:
291
# name: config-map-name
292
# key: config-map-key
293
294
# -- envFrom to pass to the authentik server. Does not apply to GeoIP
295
# @default -- `[]` (See [values.yaml])
296
envFrom: []
297
# - configMapRef:
298
# name: config-map-name
299
# - secretRef:
300
# name: secret-name
301
302
# -- Specify postStart and preStop lifecycle hooks for you authentik server container
303
lifecycle: {}
304
# -- Additional containers to be added to the authentik server pod
305
## Note: Supports use of custom Helm templates
306
extraContainers: []
307
# - name: my-sidecar
308
# image: nginx:latest
309
310
# -- Init containers to add to the authentik server pod
311
## Note: Supports use of custom Helm templates
312
initContainers: []
313
# - name: download-tools
314
# image: alpine:3
315
# command: [sh, -c]
316
# args:
317
# - echo init
318
319
# -- Additional volumeMounts to the authentik server main container
320
volumeMounts: []
321
# - name: custom
322
# mountPath: /custom
323
324
# -- Additional volumes to the authentik server pod
325
volumes: []
326
# - name: custom
327
# emptyDir: {}
328
329
# -- Annotations to be added to the authentik server Deployment
330
deploymentAnnotations: {}
331
# -- Annotations to be added to the authentik server pods
332
podAnnotations: {}
333
# -- Labels to be added to the authentik server pods
334
podLabels: {}
335
# -- Resource limits and requests for the authentik server
336
resources: {}
337
# requests:
338
# cpu: 100m
339
# memory: 512Mi
340
# limits:
341
# memory: 512Mi
342
343
# authentik server container ports
344
containerPorts:
345
# -- http container port
346
http: 9000
347
# -- https container port
348
https: 9443
349
# -- metrics container port
350
metrics: 9300
351
# -- Host Network for authentik server pods
352
hostNetwork: false
353
# -- [DNS configuration]
354
dnsConfig: {}
355
# -- Alternative DNS policy for authentik server pods
356
dnsPolicy: ""
357
# -- serviceAccount to use for authentik server pods
358
serviceAccountName: ~
359
# -- (bool) automount behavior for service account token in server pods. Only applies if server.serviceAccountName is set.
360
automountServiceAccountToken: ~
361
# -- authentik server pod-level security context
362
# @default -- `{}` (See [values.yaml])
363
securityContext: {}
364
# runAsUser: 1000
365
# runAsGroup: 1000
366
# fsGroup: 1000
367
368
# -- authentik server container-level security context
369
# @default -- See [values.yaml]
370
containerSecurityContext: {}
371
# Not all of the following has been tested. Use at your own risk.
372
# runAsNonRoot: true
373
# readOnlyRootFilesystem: true
374
# allowPrivilegeEscalation: false
375
# seccomProfile:
376
# type: RuntimeDefault
377
# capabilities:
378
# drop:
379
# - ALL
380
381
## Liveness, readiness and startup probes for authentik server
382
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
383
livenessProbe:
384
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
385
failureThreshold: 3
386
# -- Number of seconds after the container has started before [probe] is initiated
387
initialDelaySeconds: 5
388
# -- How often (in seconds) to perform the [probe]
389
periodSeconds: 10
390
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
391
successThreshold: 1
392
# -- Number of seconds after which the [probe] times out
393
timeoutSeconds: 3
394
## Probe configuration
395
httpGet:
396
path: "{{ .Values.authentik.web.path }}-/health/live/"
397
port: http
398
readinessProbe:
399
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
400
failureThreshold: 3
401
# -- Number of seconds after the container has started before [probe] is initiated
402
initialDelaySeconds: 5
403
# -- How often (in seconds) to perform the [probe]
404
periodSeconds: 10
405
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
406
successThreshold: 1
407
# -- Number of seconds after which the [probe] times out
408
timeoutSeconds: 3
409
## Probe configuration
410
httpGet:
411
path: "{{ .Values.authentik.web.path }}-/health/ready/"
412
port: http
413
startupProbe:
414
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
415
failureThreshold: 60
416
# -- Number of seconds after the container has started before [probe] is initiated
417
initialDelaySeconds: 5
418
# -- How often (in seconds) to perform the [probe]
419
periodSeconds: 10
420
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
421
successThreshold: 1
422
# -- Number of seconds after which the [probe] times out
423
timeoutSeconds: 3
424
## Probe configuration
425
httpGet:
426
path: "{{ .Values.authentik.web.path }}-/health/live/"
427
port: http
428
# -- terminationGracePeriodSeconds for container lifecycle hook
429
terminationGracePeriodSeconds: 30
430
# -- Prority class for the authentik server pods
431
# @default -- `""` (defaults to global.priorityClassName)
432
priorityClassName: ""
433
# -- [Node selector]
434
# @default -- `{}` (defaults to global.nodeSelector)
435
nodeSelector: {}
436
# -- [Tolerations] for use with node taints
437
# @default -- `[]` (defaults to global.tolerations)
438
tolerations: []
439
# -- Assign custom [affinity] rules to the deployment
440
# @default -- `{}` (defaults to the global.affinity preset)
441
affinity: {}
442
# -- Assign custom [TopologySpreadConstraints] rules to the authentik server
443
# @default -- `[]` (defaults to global.topologySpreadConstraints)
444
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
445
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
446
topologySpreadConstraints: []
447
# - maxSkew: 1
448
# topologyKey: topology.kubernetes.io/zone
449
# whenUnsatisfiable: DoNotSchedule
450
451
# -- Deployment strategy to be added to the authentik server Deployment
452
# @default -- `{}` (defaults to global.deploymentStrategy)
453
deploymentStrategy: {}
454
# type: RollingUpdate
455
# rollingUpdate:
456
# maxSurge: 25%
457
# maxUnavailable: 25%
458
459
## authentik server service configuration
460
service:
461
# -- authentik server service annotations
462
annotations: {}
463
# -- authentik server service labels
464
labels: {}
465
# -- authentik server service type
466
type: ClusterIP
467
# -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`)
468
nodePortHttp: 30080
469
# -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`)
470
nodePortHttps: 30443
471
# -- authentik server service http port
472
servicePortHttp: 80
473
# -- authentik server service https port
474
servicePortHttps: 443
475
# -- authentik server service http port name
476
servicePortHttpName: http
477
# -- authentik server service https port name
478
servicePortHttpsName: https
479
# -- authentik server service http port appProtocol
480
# servicePortHttpAppProtocol: HTTP
481
# -- authentik server service https port appProtocol
482
# servicePortHttpsAppProtocol: HTTPS
483
# -- LoadBalancer will get created with the IP specified in this field
484
loadBalancerIP: ""
485
# -- Source IP ranges to allow access to service from
486
loadBalancerSourceRanges: []
487
# -- authentik server service external IPs
488
externalIPs: []
489
# -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints
490
externalTrafficPolicy: ""
491
# -- Used to maintain session affinity. Supports `ClientIP` and `None`
492
sessionAffinity: ""
493
# -- Session affinity configuration
494
sessionAffinityConfig: {}
495
## authentik server metrics service configuration
496
metrics:
497
# -- deploy metrics service
498
enabled: false
499
service:
500
# -- metrics service type
501
type: ClusterIP
502
# -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
503
clusterIP: ""
504
# -- metrics service annotations
505
annotations: {}
506
# -- metrics service labels
507
labels: {}
508
# -- metrics service port
509
servicePort: 9300
510
# -- metrics service port name
511
portName: metrics
512
serviceMonitor:
513
# -- enable a prometheus ServiceMonitor
514
enabled: false
515
# -- Prometheus ServiceMonitor interval
516
interval: 30s
517
# -- Prometheus ServiceMonitor scrape timeout
518
scrapeTimeout: 3s
519
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
520
relabelings: []
521
# -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
522
metricRelabelings: []
523
# -- Prometheus ServiceMonitor selector
524
selector: {}
525
# prometheus: kube-prometheus
526
527
# -- Prometheus ServiceMonitor scheme
528
scheme: ""
529
# -- Prometheus ServiceMonitor tlsConfig
530
tlsConfig: {}
531
# -- Prometheus ServiceMonitor namespace
532
namespace: ""
533
# -- Prometheus ServiceMonitor labels
534
labels: {}
535
# -- Prometheus ServiceMonitor annotations
536
annotations: {}
537
ingress:
538
# -- enable an ingress resource for the authentik server
539
enabled: false
540
# -- additional ingress annotations
541
annotations: {}
542
# -- additional ingress labels
543
labels: {}
544
# -- defines which ingress controller will implement the resource
545
ingressClassName: ""
546
# -- List of ingress hosts
547
hosts: []
548
# - authentik.domain.tld
549
550
# -- List of ingress paths
551
paths:
552
- "{{ .Values.authentik.web.path }}"
553
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
554
pathType: Prefix
555
# -- additional ingress paths
556
extraPaths: []
557
# - path: /*
558
# pathType: Prefix
559
# backend:
560
# service:
561
# name: ssl-redirect
562
# port:
563
# name: use-annotation
564
565
# -- ingress TLS configuration
566
tls: []
567
# - secretName: authentik-tls
568
# hosts:
569
# - authentik.domain.tld
570
571
# -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
572
https: false
573
route:
574
main:
575
# -- enable an HTTPRoute resource for the authentik server.
576
# Be aware that this is an early beta of this feature. We don't guarantee this works and is subject to change.
577
enabled: false
578
# -- Set the route apiVersion
579
apiVersion: gateway.networking.k8s.io/v1
580
# -- Set the route kind
581
kind: HTTPRoute
582
# -- Route annotations
583
annotations: {}
584
# -- Route labels
585
labels: {}
586
# -- Route hostnames
587
hostnames: []
588
# -- Reference to parent gateways
589
parentRefs: []
590
# -- Create http route for redirect (https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/#http-to-https-redirects).
591
# Take care that you only enable this on the http listener of the gateway to avoid an infinite redirect.
592
# Matches, filters and additionalRules will be ignored if this is set to true
593
httpsRedirect: false
594
# -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
595
https: false
596
# -- Route matches
597
matches:
598
- path:
599
type: PathPrefix
600
value: "{{ .Values.authentik.web.path }}"
601
# -- Route filters
602
filters: []
603
# -- Additional custom rules that can be added to the route
604
additionalRules: []
605
## authentik worker
606
worker:
607
# -- whether to enable worker resources
608
enabled: true
609
# -- authentik worker name
610
name: worker
611
# -- The number of worker pods to run
612
replicas: 1
613
## authentik worker Horizontal Pod Autoscaler
614
autoscaling:
615
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker
616
enabled: false
617
# -- Minimum number of replicas for the authentik worker [HPA]
618
minReplicas: 1
619
# -- Maximum number of replicas for the authentik worker [HPA]
620
maxReplicas: 5
621
# -- Average CPU utilization percentage for the authentik worker [HPA]
622
targetCPUUtilizationPercentage: 50
623
# -- Average memory utilization percentage for the authentik worker [HPA]
624
targetMemoryUtilizationPercentage: ~
625
# -- Configures the scaling behavior of the target in both Up and Down directions.
626
behavior: {}
627
# scaleDown:
628
# stabilizationWindowSeconds: 300
629
# policies:
630
# - type: Pods
631
# value: 1
632
# periodSeconds: 180
633
# scaleUp:
634
# stabilizationWindowSeconds: 300
635
# policies:
636
# - type: Pods
637
# value: 2
638
# periodSeconds: 60
639
# -- Configures custom HPA metrics for the authentik worker
640
# Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
641
metrics: []
642
## authentik worker Pod Disruption Budget
643
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
644
pdb:
645
# -- Deploy a [PodDistrubtionBudget] for the authentik worker
646
enabled: false
647
# -- Labels to be added to the authentik worker pdb
648
labels: {}
649
# -- Annotations to be added to the authentik worker pdb
650
annotations: {}
651
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
652
# @default -- `""` (defaults to 0 if not specified)
653
minAvailable: ""
654
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
655
## Has higher precedence over `worker.pdb.minAvailable`
656
maxUnavailable: ""
657
## authentik worker image
658
## This should match what is deployed in the server. Prefer using global.image
659
image:
660
# -- Repository to use to the authentik worker
661
# @default -- `""` (defaults to global.image.repository)
662
repository: "" # defaults to global.image.repository
663
# -- Tag to use to the authentik worker
664
# @default -- `""` (defaults to global.image.tag)
665
tag: "" # defaults to global.image.tag
666
# -- Digest to use to the authentik worker
667
# @default -- `""` (defaults to global.image.digest)
668
digest: "" # defaults to global.image.digest
669
# -- Image pull policy to use to the authentik worker
670
# @default -- `""` (defaults to global.image.pullPolicy)
671
pullPolicy: "" # defaults to global.image.pullPolicy
672
# -- Secrets with credentials to pull images from a private registry
673
# @default -- `[]` (defaults to global.imagePullSecrets)
674
imagePullSecrets: []
675
# -- Environment variables to pass to the authentik worker. Does not apply to GeoIP
676
# See configuration options at https://goauthentik.io/docs/installation/configuration/
677
# @default -- `[]` (See [values.yaml])
678
env: []
679
# - name: AUTHENTIK_VAR_NAME
680
# value: VALUE
681
# - name: AUTHENTIK_VAR_OTHER
682
# valueFrom:
683
# secretKeyRef:
684
# name: secret-name
685
# key: secret-key
686
# - name: AUTHENTIK_VAR_ANOTHER
687
# valueFrom:
688
# configMapKeyRef:
689
# name: config-map-name
690
# key: config-map-key
691
692
# -- envFrom to pass to the authentik worker. Does not apply to GeoIP
693
# @default -- `[]` (See [values.yaml])
694
envFrom: []
695
# - configMapRef:
696
# name: config-map-name
697
# - secretRef:
698
# name: secret-name
699
700
# -- Specify postStart and preStop lifecycle hooks for you authentik worker container
701
lifecycle: {}
702
# -- Additional containers to be added to the authentik worker pod
703
## Note: Supports use of custom Helm templates
704
extraContainers: []
705
# - name: my-sidecar
706
# image: nginx:latest
707
708
# -- Init containers to add to the authentik worker pod
709
## Note: Supports use of custom Helm templates
710
initContainers: []
711
# - name: download-tools
712
# image: alpine:3
713
# command: [sh, -c]
714
# args:
715
# - echo init
716
717
# -- Additional volumeMounts to the authentik worker main container
718
volumeMounts: []
719
# - name: custom
720
# mountPath: /custom
721
722
# -- Additional volumes to the authentik worker pod
723
volumes: []
724
# - name: custom
725
# emptyDir: {}
726
727
# -- Annotations to be added to the authentik worker Deployment
728
deploymentAnnotations: {}
729
# -- Annotations to be added to the authentik worker pods
730
podAnnotations: {}
731
# -- Labels to be added to the authentik worker pods
732
podLabels: {}
733
# -- Resource limits and requests for the authentik worker
734
resources: {}
735
# requests:
736
# cpu: 100m
737
# memory: 512Mi
738
# limits:
739
# memory: 512Mi
740
741
# authentik worker container ports
742
containerPorts:
743
# -- http container port
744
http: 9000
745
# -- metrics container port
746
metrics: 9300
747
# -- Host Network for authentik worker pods
748
hostNetwork: false
749
# -- [DNS configuration]
750
dnsConfig: {}
751
# -- Alternative DNS policy for authentik worker pods
752
dnsPolicy: ""
753
# -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
754
serviceAccountName: ~
755
# -- (bool) automount behavior for service account token in worker pods. Only applies if worker.serviceAccountName is set.
756
automountServiceAccountToken: ~
757
# -- authentik worker pod-level security context
758
# @default -- `{}` (See [values.yaml])
759
securityContext: {}
760
# runAsUser: 1000
761
# runAsGroup: 1000
762
# fsGroup: 1000
763
764
# -- authentik worker container-level security context
765
# @default -- See [values.yaml]
766
containerSecurityContext: {}
767
# Not all of the following has been tested. Use at your own risk.
768
# runAsNonRoot: true
769
# readOnlyRootFilesystem: true
770
# allowPrivilegeEscalation: false
771
# seccomProfile:
772
# type: RuntimeDefault
773
# capabilities:
774
# drop:
775
# - ALL
776
777
livenessProbe:
778
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
779
failureThreshold: 3
780
# -- Number of seconds after the container has started before [probe] is initiated
781
initialDelaySeconds: 5
782
# -- How often (in seconds) to perform the [probe]
783
periodSeconds: 10
784
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
785
successThreshold: 1
786
# -- Number of seconds after which the [probe] times out
787
timeoutSeconds: 3
788
## Probe configuration
789
exec:
790
command:
791
- ak
792
- healthcheck
793
readinessProbe:
794
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
795
failureThreshold: 3
796
# -- Number of seconds after the container has started before [probe] is initiated
797
initialDelaySeconds: 5
798
# -- How often (in seconds) to perform the [probe]
799
periodSeconds: 10
800
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
801
successThreshold: 1
802
# -- Number of seconds after which the [probe] times out
803
timeoutSeconds: 3
804
## Probe configuration
805
exec:
806
command:
807
- ak
808
- healthcheck
809
startupProbe:
810
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
811
failureThreshold: 60
812
# -- Number of seconds after the container has started before [probe] is initiated
813
initialDelaySeconds: 30
814
# -- How often (in seconds) to perform the [probe]
815
periodSeconds: 10
816
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
817
successThreshold: 1
818
# -- Number of seconds after which the [probe] times out
819
timeoutSeconds: 3
820
## Probe configuration
821
exec:
822
command:
823
- ak
824
- healthcheck
825
# -- terminationGracePeriodSeconds for container lifecycle hook
826
terminationGracePeriodSeconds: 30
827
# -- Prority class for the authentik worker pods
828
# @default -- `""` (defaults to global.priorityClassName)
829
priorityClassName: ""
830
# -- [Node selector]
831
# @default -- `{}` (defaults to global.nodeSelector)
832
nodeSelector: {}
833
# -- [Tolerations] for use with node taints
834
# @default -- `[]` (defaults to global.tolerations)
835
tolerations: []
836
# -- Assign custom [affinity] rules to the deployment
837
# @default -- `{}` (defaults to the global.affinity preset)
838
affinity: {}
839
# -- Assign custom [TopologySpreadConstraints] rules to the authentik worker
840
# @default -- `[]` (defaults to global.topologySpreadConstraints)
841
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
842
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
843
topologySpreadConstraints: []
844
# - maxSkew: 1
845
# topologyKey: topology.kubernetes.io/zone
846
# whenUnsatisfiable: DoNotSchedule
847
848
# -- Deployment strategy to be added to the authentik worker Deployment
849
# @default -- `{}` (defaults to global.deploymentStrategy)
850
deploymentStrategy: {}
851
# type: RollingUpdate
852
# rollingUpdate:
853
# maxSurge: 25%
854
# maxUnavailable: 25%
855
856
## authentik worker metrics service configuration
857
metrics:
858
# -- deploy metrics service
859
enabled: false
860
service:
861
# -- metrics service type
862
type: ClusterIP
863
# -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
864
clusterIP: ""
865
# -- metrics service annotations
866
annotations: {}
867
# -- metrics service labels
868
labels: {}
869
# -- metrics service port
870
servicePort: 9300
871
# -- metrics service port name
872
portName: metrics
873
serviceMonitor:
874
# -- enable a prometheus ServiceMonitor
875
enabled: false
876
# -- Prometheus ServiceMonitor interval
877
interval: 30s
878
# -- Prometheus ServiceMonitor scrape timeout
879
scrapeTimeout: 3s
880
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
881
relabelings: []
882
# -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
883
metricRelabelings: []
884
# -- Prometheus ServiceMonitor selector
885
selector: {}
886
# prometheus: kube-prometheus
887
888
# -- Prometheus ServiceMonitor scheme
889
scheme: ""
890
# -- Prometheus ServiceMonitor tlsConfig
891
tlsConfig: {}
892
# -- Prometheus ServiceMonitor namespace
893
namespace: ""
894
# -- Prometheus ServiceMonitor labels
895
labels: {}
896
# -- Prometheus ServiceMonitor annotations
897
annotations: {}
898
serviceAccount:
899
# -- Create service account. Needed for managed outposts
900
create: true
901
# -- additional service account annotations
902
annotations: {}
903
serviceAccountSecret:
904
# As we use the authentik-remote-cluster chart as subchart, and that chart
905
# creates a service account secret by default which we don't need here,
906
# disable its creation
907
enabled: false
908
fullnameOverride: authentik
909
geoip:
910
# -- enable GeoIP sidecars for the authentik server and worker pods
911
enabled: false
912
editionIds: "GeoLite2-City GeoLite2-ASN"
913
# -- GeoIP update frequency, in hours
914
updateInterval: 8
915
# -- sign up under https://www.maxmind.com/en/geolite2/signup
916
accountId: ""
917
# -- sign up under https://www.maxmind.com/en/geolite2/signup
918
licenseKey: ""
919
## use existing secret instead of values above
920
existingSecret:
921
# -- name of an existing secret to use instead of values above
922
secretName: ""
923
# -- key in the secret containing the account ID
924
accountId: "account_id"
925
# -- key in the secret containing the license key
926
licenseKey: "license_key"
927
image:
928
# -- If defined, a repository for GeoIP images
929
repository: cgr.dev/chainguard-private/geoip-api
930
# -- If defined, a tag for GeoIP images
931
tag: latest
932
# -- If defined, an image digest for GeoIP images
933
digest: sha256:4f54b365f344d9770e8f4803c3329fe9467490bcdd1e2ebcf8325471f15ea77f
934
# -- If defined, an imagePullPolicy for GeoIP images
935
pullPolicy: IfNotPresent
936
# -- Environment variables to pass to the GeoIP containers
937
# @default -- `[]` (See [values.yaml])
938
env: []
939
# - name: GEOIPUPDATE_VAR_NAME
940
# value: VALUE
941
# - name: GEOIPUPDATE_VAR_OTHER
942
# valueFrom:
943
# secretKeyRef:
944
# name: secret-name
945
# key: secret-key
946
# - name: GEOIPUPDATE_VAR_ANOTHER
947
# valueFrom:
948
# configMapKeyRef:
949
# name: config-map-name
950
# key: config-map-key
951
952
# -- envFrom to pass to the GeoIP containers
953
# @default -- `[]` (See [values.yaml])
954
envFrom: []
955
# - configMapRef:
956
# name: config-map-name
957
# - secretRef:
958
# name: secret-name
959
960
# -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker.
961
volumeMounts: []
962
# - name: custom
963
# mountPath: /custom
964
965
# -- Resource limits and requests for GeoIP containers
966
resources: {}
967
# requests:
968
# cpu: 100m
969
# memory: 128Mi
970
# limits:
971
# memory: 128Mi
972
973
# -- GeoIP container-level security context
974
# @default -- See [values.yaml]
975
containerSecurityContext: {}
976
# Not all of the following has been tested. Use at your own risk.
977
# runAsNonRoot: true
978
# readOnlyRootFilesystem: true
979
# allowPrivilegeEscalation: false
980
# seccomProfile:
981
# type: RuntimeDefault
982
# capabilities:
983
# drop:
984
# - ALL
985
prometheus:
986
rules:
987
enabled: false
988
# -- PrometheusRule namespace
989
namespace: ""
990
# -- PrometheusRule selector
991
selector: {}
992
# prometheus: kube-prometheus
993
994
# -- PrometheusRule labels
995
labels: {}
996
# -- PrometheusRule annotations
997
annotations: {}
998
# -- PrometheusRuleGroup additional annotations
999
additionalRuleGroupAnnotations: {}
1000
postgresql:
1001
# -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
1002
enabled: false
1003
image:
1004
registry: docker.io
1005
repository: library/postgres
1006
tag: "17.10-bookworm"
1007
auth:
1008
username: authentik
1009
database: authentik
1010
# password: ""
1011
primary:
1012
args:
1013
- -c
1014
- config_file=/bitnami/postgresql/conf/postgresql.conf
1015
- -c
1016
- hba_file=/bitnami/postgresql/conf/pg_hba.conf
1017
configuration: |
1018
listen_addresses = '*'
1019
port = '5432'
1020
wal_level = 'replica'
1021
fsync = 'on'
1022
hot_standby = 'on'
1023
log_connections = 'false'
1024
log_disconnections = 'false'
1025
log_hostname = 'false'
1026
client_min_messages = 'error'
1027
include_dir = 'conf.d'
1028
pgHbaConfiguration: |
1029
host all all 0.0.0.0/0 scram-sha-256
1030
host all all ::/0 scram-sha-256
1031
local all all scram-sha-256
1032
host all all 127.0.0.1/32 scram-sha-256
1033
host all all ::1/128 scram-sha-256
1034
extendedConfiguration: |
1035
max_connections = 500
1036
extraEnvVars:
1037
- name: POSTGRES_DB
1038
value: '{{ (include "postgresql.v1.database" .) }}'
1039
resourcesPreset: "none"
1040
# persistence:
1041
# enabled: true
1042
# storageClass:
1043
# accessModes:
1044
# - ReadWriteOnce
1045
containerSecurityContext:
1046
readOnlyRootFilesystem: true
1047
extraVolumeMounts:
1048
- name: postgresql-socket
1049
mountPath: /var/run/postgresql
1050
extraVolumes:
1051
- name: postgresql-socket
1052
emptyDir: {}
1053
readReplicas:
1054
resourcesPreset: "none"
1055
backup:
1056
resourcesPreset: "none"
1057
passwordUpdateJob:
1058
resourcesPreset: "none"
1059
volumePermissions:
1060
resourcesPreset: "none"
1061
image:
1062
repository: debian
1063
tag: 13-slim
1064
metrics:
1065
resourcesPreset: "none"
1066
image:
1067
repository: prometheuscommunity/postgres-exporter
1068
tag: v0.19.1
1069
# -- additional resources to deploy. Those objects are templated.
1070
additionalObjects: []
1071

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.