1# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
3# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
5# -- Override the Kubernetes version, which is used to evaluate certain manifests
7## Globally shared configuration for authentik components.
9 # To override bitnami images
11 allowInsecureImages: true
12 # -- Provide a name in place of `authentik`
14 # -- String to fully override `"authentik.fullname"`
16 # -- A custom namespace to override the default namespace for the deployed resources.
18 # -- Common labels for all resources.
22 # Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
23 revisionHistoryLimit: 3
24 # Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
26 # -- If defined, a repository applied to all authentik deployments
27 repository: cgr.dev/chainguard-private/authentik
28 # -- Overrides the global authentik whose default is the chart appVersion
30 # -- If defined, an image digest applied to all authentik deployments
31 digest: sha256:528969df81162a916ba2e5f2d597da0986cd24f93cfd9bb4c4dad19c8edba405
32 # -- If defined, an imagePullPolicy applied to all authentik deployments
33 pullPolicy: IfNotPresent
34 # -- Secrets with credentials to pull images from a private registry
36 # -- Annotations for all deployed Deployments
37 deploymentAnnotations: {}
38 # -- Annotations for all deployed pods
40 # -- Annotations for all deployed secrets
42 # -- Labels for all deployed pods
44 # -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
45 addPrometheusAnnotations: false
46 # -- Toggle and define pod-level security context.
47 # @default -- `{}` (See [values.yaml])
53 # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
59 # -- Default priority class for all components
61 # -- Default node selector for all components
63 # -- Default tolerations for all components
65 # Default affinity preset for all components
67 # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard`
71 # -- Default node affinity rules. Either `none`, `soft` or `hard`
73 # -- Default match expressions for node affinity
75 # - key: topology.kubernetes.io/zone
80 # -- Default [TopologySpreadConstraints] rules for all components
81 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
82 topologySpreadConstraints: []
84 # topologyKey: topology.kubernetes.io/zone
85 # whenUnsatisfiable: DoNotSchedule
87 # -- Deployment strategy for all deployed Deployments
88 deploymentStrategy: {}
94 # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
95 # See configuration options at https://goauthentik.io/docs/installation/configuration/
96 # @default -- `[]` (See [values.yaml])
98 # - name: AUTHENTIK_VAR_NAME
100 # - name: AUTHENTIK_VAR_OTHER
105 # - name: AUTHENTIK_VAR_ANOTHER
108 # name: config-map-name
109 # key: config-map-key
111 # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP
112 # @default -- `[]` (See [values.yaml])
115 # name: config-map-name
119 # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
120 # @default -- `[]` (See [values.yaml])
125 # -- Additional volumes to all deployed Deployments.
126 # @default -- `[]` (See [values.yaml])
130# -- Authentik configuration. See the [authentik configuration docs] for details about which values are accepted here. See the note at the top of that page for details about transforming environment variable names into values here.
131# @default -- See [values.yaml]
133 # -- whether to create the authentik configuration secret
135 # -- Log level for server and worker
137 # -- Secret key used for cookie singing and unique user IDs,
138 # don't change this after the first install
140 ## use existing secret for authentik configuration instead of creating one
141 ## WARNING: when set, authentik.* secret values are ignored
143 # -- name of an existing secret to use for authentik configuration. This secret must contain keys matching configuration option names, see the docs for the full list of configuration options https://docs.goauthentik.io/install-config/configuration/
147 # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
148 geoip: /geoip/GeoLite2-City.mmdb
149 # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
150 asn: /geoip/GeoLite2-ASN.mmdb
152 # -- Relative path the authentik instance will be available at. Value _must_ contain both a leading and trailing slash.
155 # -- SMTP Server emails are sent from, fully optional
157 # -- SMTP server port
159 # -- SMTP credentials, when left empty, no authentication will be done
161 # -- SMTP credentials, when left empty, no authentication will be done
163 # -- Use StartTLS. Enable either use_tls or use_ssl, they can't be enabled at the same time.
165 # -- Use SSL. Enable either use_tls or use_ssl, they can't be enabled at the same time.
167 # -- Connection timeout
169 # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
172 # -- Template used for managed outposts. The following placeholders can be used
173 # %(type)s - the type of the outpost
174 # %(version)s - version of your authentik install
175 # %(build_hash)s - only for beta versions, the build hash of the image
176 container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
178 # -- This sends anonymous usage-data, stack traces on errors and
179 # performance data to sentry.beryju.org, and is fully opt-in
181 # -- This is a string that is sent to sentry with your error reports
183 # -- Send PII (Personally identifiable information) data to sentry
186 # -- set the postgresql hostname to talk to
187 # if unset and .Values.postgresql.enabled == true, will generate the default
188 # @default -- `{{ .Release.Name }}-postgresql`
189 host: "{{ .Release.Name }}-postgresql"
190 # -- postgresql Database name
191 # @default -- `authentik`
193 # -- postgresql Username
194 # @default -- `authentik`
196 # -- postgresql password
201 # -- List of config maps to mount blueprints from.
202 # Only keys in the configMap ending with `.yaml` will be discovered and applied.
204 # -- List of secrets to mount blueprints from.
205 # Only keys in the secret ending with `.yaml` will be discovered and applied.
209 # -- whether to enable server resources
211 # -- authentik server name
213 # -- The number of server pods to run
215 ## authentik server Horizontal Pod Autoscaler
217 # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server
219 # -- Minimum number of replicas for the authentik server [HPA]
221 # -- Maximum number of replicas for the authentik server [HPA]
223 # -- Average CPU utilization percentage for the authentik server [HPA]
224 targetCPUUtilizationPercentage: 50
225 # -- Average memory utilization percentage for the authentik server [HPA]
226 targetMemoryUtilizationPercentage: ~
227 # -- Configures the scaling behavior of the target in both Up and Down directions.
230 # stabilizationWindowSeconds: 300
236 # stabilizationWindowSeconds: 300
241 # -- Configures custom HPA metrics for the authentik server
242 # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
244 ## authentik server Pod Disruption Budget
245 ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
247 # -- Deploy a [PodDistrubtionBudget] for the authentik server
249 # -- Labels to be added to the authentik server pdb
251 # -- Annotations to be added to the authentik server pdb
253 # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
254 # @default -- `""` (defaults to 0 if not specified)
256 # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
257 ## Has higher precedence over `server.pdb.minAvailable`
259 ## authentik server image
260 ## This should match what is deployed in the worker. Prefer using global.image
262 # -- Repository to use to the authentik server
263 # @default -- `""` (defaults to global.image.repository)
264 repository: "" # defaults to global.image.repository
265 # -- Tag to use to the authentik server
266 # @default -- `""` (defaults to global.image.tag)
267 tag: "" # defaults to global.image.tag
268 # -- Digest to use to the authentik server
269 # @default -- `""` (defaults to global.image.digest)
270 digest: "" # defaults to global.image.digest
271 # -- Image pull policy to use to the authentik server
272 # @default -- `""` (defaults to global.image.pullPolicy)
273 pullPolicy: "" # defaults to global.image.pullPolicy
274 # -- Secrets with credentials to pull images from a private registry
275 # @default -- `[]` (defaults to global.imagePullSecrets)
277 # -- Environment variables to pass to the authentik server. Does not apply to GeoIP
278 # See configuration options at https://goauthentik.io/docs/installation/configuration/
279 # @default -- `[]` (See [values.yaml])
281 # - name: AUTHENTIK_VAR_NAME
283 # - name: AUTHENTIK_VAR_OTHER
288 # - name: AUTHENTIK_VAR_ANOTHER
291 # name: config-map-name
292 # key: config-map-key
294 # -- envFrom to pass to the authentik server. Does not apply to GeoIP
295 # @default -- `[]` (See [values.yaml])
298 # name: config-map-name
302 # -- Specify postStart and preStop lifecycle hooks for you authentik server container
304 # -- Additional containers to be added to the authentik server pod
305 ## Note: Supports use of custom Helm templates
308 # image: nginx:latest
310 # -- Init containers to add to the authentik server pod
311 ## Note: Supports use of custom Helm templates
313 # - name: download-tools
319 # -- Additional volumeMounts to the authentik server main container
324 # -- Additional volumes to the authentik server pod
329 # -- Annotations to be added to the authentik server Deployment
330 deploymentAnnotations: {}
331 # -- Annotations to be added to the authentik server pods
333 # -- Labels to be added to the authentik server pods
335 # -- Resource limits and requests for the authentik server
343 # authentik server container ports
345 # -- http container port
347 # -- https container port
349 # -- metrics container port
351 # -- Host Network for authentik server pods
353 # -- [DNS configuration]
355 # -- Alternative DNS policy for authentik server pods
357 # -- serviceAccount to use for authentik server pods
358 serviceAccountName: ~
359 # -- (bool) automount behavior for service account token in server pods. Only applies if server.serviceAccountName is set.
360 automountServiceAccountToken: ~
361 # -- authentik server pod-level security context
362 # @default -- `{}` (See [values.yaml])
368 # -- authentik server container-level security context
369 # @default -- See [values.yaml]
370 containerSecurityContext: {}
371 # Not all of the following has been tested. Use at your own risk.
373 # readOnlyRootFilesystem: true
374 # allowPrivilegeEscalation: false
376 # type: RuntimeDefault
381 ## Liveness, readiness and startup probes for authentik server
382 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
384 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
386 # -- Number of seconds after the container has started before [probe] is initiated
387 initialDelaySeconds: 5
388 # -- How often (in seconds) to perform the [probe]
390 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
392 # -- Number of seconds after which the [probe] times out
394 ## Probe configuration
396 path: "{{ .Values.authentik.web.path }}-/health/live/"
399 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
401 # -- Number of seconds after the container has started before [probe] is initiated
402 initialDelaySeconds: 5
403 # -- How often (in seconds) to perform the [probe]
405 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
407 # -- Number of seconds after which the [probe] times out
409 ## Probe configuration
411 path: "{{ .Values.authentik.web.path }}-/health/ready/"
414 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
416 # -- Number of seconds after the container has started before [probe] is initiated
417 initialDelaySeconds: 5
418 # -- How often (in seconds) to perform the [probe]
420 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
422 # -- Number of seconds after which the [probe] times out
424 ## Probe configuration
426 path: "{{ .Values.authentik.web.path }}-/health/live/"
428 # -- terminationGracePeriodSeconds for container lifecycle hook
429 terminationGracePeriodSeconds: 30
430 # -- Prority class for the authentik server pods
431 # @default -- `""` (defaults to global.priorityClassName)
432 priorityClassName: ""
434 # @default -- `{}` (defaults to global.nodeSelector)
436 # -- [Tolerations] for use with node taints
437 # @default -- `[]` (defaults to global.tolerations)
439 # -- Assign custom [affinity] rules to the deployment
440 # @default -- `{}` (defaults to the global.affinity preset)
442 # -- Assign custom [TopologySpreadConstraints] rules to the authentik server
443 # @default -- `[]` (defaults to global.topologySpreadConstraints)
444 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
445 ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
446 topologySpreadConstraints: []
448 # topologyKey: topology.kubernetes.io/zone
449 # whenUnsatisfiable: DoNotSchedule
451 # -- Deployment strategy to be added to the authentik server Deployment
452 # @default -- `{}` (defaults to global.deploymentStrategy)
453 deploymentStrategy: {}
454 # type: RollingUpdate
457 # maxUnavailable: 25%
459 ## authentik server service configuration
461 # -- authentik server service annotations
463 # -- authentik server service labels
465 # -- authentik server service type
467 # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`)
469 # -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`)
471 # -- authentik server service http port
473 # -- authentik server service https port
474 servicePortHttps: 443
475 # -- authentik server service http port name
476 servicePortHttpName: http
477 # -- authentik server service https port name
478 servicePortHttpsName: https
479 # -- authentik server service http port appProtocol
480 # servicePortHttpAppProtocol: HTTP
481 # -- authentik server service https port appProtocol
482 # servicePortHttpsAppProtocol: HTTPS
483 # -- LoadBalancer will get created with the IP specified in this field
485 # -- Source IP ranges to allow access to service from
486 loadBalancerSourceRanges: []
487 # -- authentik server service external IPs
489 # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints
490 externalTrafficPolicy: ""
491 # -- Used to maintain session affinity. Supports `ClientIP` and `None`
493 # -- Session affinity configuration
494 sessionAffinityConfig: {}
495 ## authentik server metrics service configuration
497 # -- deploy metrics service
500 # -- metrics service type
502 # -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
504 # -- metrics service annotations
506 # -- metrics service labels
508 # -- metrics service port
510 # -- metrics service port name
513 # -- enable a prometheus ServiceMonitor
515 # -- Prometheus ServiceMonitor interval
517 # -- Prometheus ServiceMonitor scrape timeout
519 # -- Prometheus [RelabelConfigs] to apply to samples before scraping
521 # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
522 metricRelabelings: []
523 # -- Prometheus ServiceMonitor selector
525 # prometheus: kube-prometheus
527 # -- Prometheus ServiceMonitor scheme
529 # -- Prometheus ServiceMonitor tlsConfig
531 # -- Prometheus ServiceMonitor namespace
533 # -- Prometheus ServiceMonitor labels
535 # -- Prometheus ServiceMonitor annotations
538 # -- enable an ingress resource for the authentik server
540 # -- additional ingress annotations
542 # -- additional ingress labels
544 # -- defines which ingress controller will implement the resource
546 # -- List of ingress hosts
548 # - authentik.domain.tld
550 # -- List of ingress paths
552 - "{{ .Values.authentik.web.path }}"
553 # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
555 # -- additional ingress paths
563 # name: use-annotation
565 # -- ingress TLS configuration
567 # - secretName: authentik-tls
569 # - authentik.domain.tld
571 # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
575 # -- enable an HTTPRoute resource for the authentik server.
576 # Be aware that this is an early beta of this feature. We don't guarantee this works and is subject to change.
578 # -- Set the route apiVersion
579 apiVersion: gateway.networking.k8s.io/v1
580 # -- Set the route kind
582 # -- Route annotations
588 # -- Reference to parent gateways
590 # -- Create http route for redirect (https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/#http-to-https-redirects).
591 # Take care that you only enable this on the http listener of the gateway to avoid an infinite redirect.
592 # Matches, filters and additionalRules will be ignored if this is set to true
594 # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
600 value: "{{ .Values.authentik.web.path }}"
603 # -- Additional custom rules that can be added to the route
607 # -- whether to enable worker resources
609 # -- authentik worker name
611 # -- The number of worker pods to run
613 ## authentik worker Horizontal Pod Autoscaler
615 # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker
617 # -- Minimum number of replicas for the authentik worker [HPA]
619 # -- Maximum number of replicas for the authentik worker [HPA]
621 # -- Average CPU utilization percentage for the authentik worker [HPA]
622 targetCPUUtilizationPercentage: 50
623 # -- Average memory utilization percentage for the authentik worker [HPA]
624 targetMemoryUtilizationPercentage: ~
625 # -- Configures the scaling behavior of the target in both Up and Down directions.
628 # stabilizationWindowSeconds: 300
634 # stabilizationWindowSeconds: 300
639 # -- Configures custom HPA metrics for the authentik worker
640 # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
642 ## authentik worker Pod Disruption Budget
643 ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
645 # -- Deploy a [PodDistrubtionBudget] for the authentik worker
647 # -- Labels to be added to the authentik worker pdb
649 # -- Annotations to be added to the authentik worker pdb
651 # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
652 # @default -- `""` (defaults to 0 if not specified)
654 # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
655 ## Has higher precedence over `worker.pdb.minAvailable`
657 ## authentik worker image
658 ## This should match what is deployed in the server. Prefer using global.image
660 # -- Repository to use to the authentik worker
661 # @default -- `""` (defaults to global.image.repository)
662 repository: "" # defaults to global.image.repository
663 # -- Tag to use to the authentik worker
664 # @default -- `""` (defaults to global.image.tag)
665 tag: "" # defaults to global.image.tag
666 # -- Digest to use to the authentik worker
667 # @default -- `""` (defaults to global.image.digest)
668 digest: "" # defaults to global.image.digest
669 # -- Image pull policy to use to the authentik worker
670 # @default -- `""` (defaults to global.image.pullPolicy)
671 pullPolicy: "" # defaults to global.image.pullPolicy
672 # -- Secrets with credentials to pull images from a private registry
673 # @default -- `[]` (defaults to global.imagePullSecrets)
675 # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP
676 # See configuration options at https://goauthentik.io/docs/installation/configuration/
677 # @default -- `[]` (See [values.yaml])
679 # - name: AUTHENTIK_VAR_NAME
681 # - name: AUTHENTIK_VAR_OTHER
686 # - name: AUTHENTIK_VAR_ANOTHER
689 # name: config-map-name
690 # key: config-map-key
692 # -- envFrom to pass to the authentik worker. Does not apply to GeoIP
693 # @default -- `[]` (See [values.yaml])
696 # name: config-map-name
700 # -- Specify postStart and preStop lifecycle hooks for you authentik worker container
702 # -- Additional containers to be added to the authentik worker pod
703 ## Note: Supports use of custom Helm templates
706 # image: nginx:latest
708 # -- Init containers to add to the authentik worker pod
709 ## Note: Supports use of custom Helm templates
711 # - name: download-tools
717 # -- Additional volumeMounts to the authentik worker main container
722 # -- Additional volumes to the authentik worker pod
727 # -- Annotations to be added to the authentik worker Deployment
728 deploymentAnnotations: {}
729 # -- Annotations to be added to the authentik worker pods
731 # -- Labels to be added to the authentik worker pods
733 # -- Resource limits and requests for the authentik worker
741 # authentik worker container ports
743 # -- http container port
745 # -- metrics container port
747 # -- Host Network for authentik worker pods
749 # -- [DNS configuration]
751 # -- Alternative DNS policy for authentik worker pods
753 # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
754 serviceAccountName: ~
755 # -- (bool) automount behavior for service account token in worker pods. Only applies if worker.serviceAccountName is set.
756 automountServiceAccountToken: ~
757 # -- authentik worker pod-level security context
758 # @default -- `{}` (See [values.yaml])
764 # -- authentik worker container-level security context
765 # @default -- See [values.yaml]
766 containerSecurityContext: {}
767 # Not all of the following has been tested. Use at your own risk.
769 # readOnlyRootFilesystem: true
770 # allowPrivilegeEscalation: false
772 # type: RuntimeDefault
778 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
780 # -- Number of seconds after the container has started before [probe] is initiated
781 initialDelaySeconds: 5
782 # -- How often (in seconds) to perform the [probe]
784 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
786 # -- Number of seconds after which the [probe] times out
788 ## Probe configuration
794 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
796 # -- Number of seconds after the container has started before [probe] is initiated
797 initialDelaySeconds: 5
798 # -- How often (in seconds) to perform the [probe]
800 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
802 # -- Number of seconds after which the [probe] times out
804 ## Probe configuration
810 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
812 # -- Number of seconds after the container has started before [probe] is initiated
813 initialDelaySeconds: 30
814 # -- How often (in seconds) to perform the [probe]
816 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
818 # -- Number of seconds after which the [probe] times out
820 ## Probe configuration
825 # -- terminationGracePeriodSeconds for container lifecycle hook
826 terminationGracePeriodSeconds: 30
827 # -- Prority class for the authentik worker pods
828 # @default -- `""` (defaults to global.priorityClassName)
829 priorityClassName: ""
831 # @default -- `{}` (defaults to global.nodeSelector)
833 # -- [Tolerations] for use with node taints
834 # @default -- `[]` (defaults to global.tolerations)
836 # -- Assign custom [affinity] rules to the deployment
837 # @default -- `{}` (defaults to the global.affinity preset)
839 # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker
840 # @default -- `[]` (defaults to global.topologySpreadConstraints)
841 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
842 ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
843 topologySpreadConstraints: []
845 # topologyKey: topology.kubernetes.io/zone
846 # whenUnsatisfiable: DoNotSchedule
848 # -- Deployment strategy to be added to the authentik worker Deployment
849 # @default -- `{}` (defaults to global.deploymentStrategy)
850 deploymentStrategy: {}
851 # type: RollingUpdate
854 # maxUnavailable: 25%
856 ## authentik worker metrics service configuration
858 # -- deploy metrics service
861 # -- metrics service type
863 # -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
865 # -- metrics service annotations
867 # -- metrics service labels
869 # -- metrics service port
871 # -- metrics service port name
874 # -- enable a prometheus ServiceMonitor
876 # -- Prometheus ServiceMonitor interval
878 # -- Prometheus ServiceMonitor scrape timeout
880 # -- Prometheus [RelabelConfigs] to apply to samples before scraping
882 # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
883 metricRelabelings: []
884 # -- Prometheus ServiceMonitor selector
886 # prometheus: kube-prometheus
888 # -- Prometheus ServiceMonitor scheme
890 # -- Prometheus ServiceMonitor tlsConfig
892 # -- Prometheus ServiceMonitor namespace
894 # -- Prometheus ServiceMonitor labels
896 # -- Prometheus ServiceMonitor annotations
899 # -- Create service account. Needed for managed outposts
901 # -- additional service account annotations
903 serviceAccountSecret:
904 # As we use the authentik-remote-cluster chart as subchart, and that chart
905 # creates a service account secret by default which we don't need here,
906 # disable its creation
908 fullnameOverride: authentik
910 # -- enable GeoIP sidecars for the authentik server and worker pods
912 editionIds: "GeoLite2-City GeoLite2-ASN"
913 # -- GeoIP update frequency, in hours
915 # -- sign up under https://www.maxmind.com/en/geolite2/signup
917 # -- sign up under https://www.maxmind.com/en/geolite2/signup
919 ## use existing secret instead of values above
921 # -- name of an existing secret to use instead of values above
923 # -- key in the secret containing the account ID
924 accountId: "account_id"
925 # -- key in the secret containing the license key
926 licenseKey: "license_key"
928 # -- If defined, a repository for GeoIP images
929 repository: cgr.dev/chainguard-private/geoip-api
930 # -- If defined, a tag for GeoIP images
932 # -- If defined, an image digest for GeoIP images
933 digest: sha256:4f54b365f344d9770e8f4803c3329fe9467490bcdd1e2ebcf8325471f15ea77f
934 # -- If defined, an imagePullPolicy for GeoIP images
935 pullPolicy: IfNotPresent
936 # -- Environment variables to pass to the GeoIP containers
937 # @default -- `[]` (See [values.yaml])
939 # - name: GEOIPUPDATE_VAR_NAME
941 # - name: GEOIPUPDATE_VAR_OTHER
946 # - name: GEOIPUPDATE_VAR_ANOTHER
949 # name: config-map-name
950 # key: config-map-key
952 # -- envFrom to pass to the GeoIP containers
953 # @default -- `[]` (See [values.yaml])
956 # name: config-map-name
960 # -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker.
965 # -- Resource limits and requests for GeoIP containers
973 # -- GeoIP container-level security context
974 # @default -- See [values.yaml]
975 containerSecurityContext: {}
976 # Not all of the following has been tested. Use at your own risk.
978 # readOnlyRootFilesystem: true
979 # allowPrivilegeEscalation: false
981 # type: RuntimeDefault
988 # -- PrometheusRule namespace
990 # -- PrometheusRule selector
992 # prometheus: kube-prometheus
994 # -- PrometheusRule labels
996 # -- PrometheusRule annotations
998 # -- PrometheusRuleGroup additional annotations
999 additionalRuleGroupAnnotations: {}
1001 # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
1005 repository: library/postgres
1006 tag: "17.10-bookworm"
1014 - config_file=/bitnami/postgresql/conf/postgresql.conf
1016 - hba_file=/bitnami/postgresql/conf/pg_hba.conf
1018 listen_addresses = '*'
1020 wal_level = 'replica'
1023 log_connections = 'false'
1024 log_disconnections = 'false'
1025 log_hostname = 'false'
1026 client_min_messages = 'error'
1027 include_dir = 'conf.d'
1028 pgHbaConfiguration: |
1029 host all all 0.0.0.0/0 scram-sha-256
1030 host all all ::/0 scram-sha-256
1031 local all all scram-sha-256
1032 host all all 127.0.0.1/32 scram-sha-256
1033 host all all ::1/128 scram-sha-256
1034 extendedConfiguration: |
1035 max_connections = 500
1038 value: '{{ (include "postgresql.v1.database" .) }}'
1039 resourcesPreset: "none"
1045 containerSecurityContext:
1046 readOnlyRootFilesystem: true
1048 - name: postgresql-socket
1049 mountPath: /var/run/postgresql
1051 - name: postgresql-socket
1054 resourcesPreset: "none"
1056 resourcesPreset: "none"
1058 resourcesPreset: "none"
1060 resourcesPreset: "none"
1065 resourcesPreset: "none"
1067 repository: prometheuscommunity/postgres-exporter
1069# -- additional resources to deploy. Those objects are templated.
1070additionalObjects: []