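# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
nameOverride: ""
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
fullnameOverride: ""
# -- Override the Kubernetes version, which is used to evaluate certain manifests
# (only needed when the chart is rendered offline, e.g. `helm template`, against a
# cluster version the local tooling cannot detect).
kubeVersionOverride: ""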
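## Globally shared configuration for authentik components.
global:
  # To override bitnami images.
  # This is the bitnami/common flag that disables the subcharts' image-origin
  # check so that non-Bitnami (here: Chainguard) images can be used for the
  # bundled dependencies. With the check off, nothing in the subcharts refuses an
  # unexpected image anymore, so keep the subchart image values pinned by digest
  # and rely on cluster-side admission policy for image verification.
  security:
    allowInsecureImages: true
  # -- Provide a name in place of `authentik`
  nameOverride: ""
  # -- String to fully override `"authentik.fullname"`
  fullnameOverride: ""
  # -- A custom namespace to override the default namespace for the deployed resources.
  namespaceOverride: ""
  # -- Common labels for all resources.
  additionalLabels: {}
    # app: authentik

  # Number of old deployment ReplicaSets to retain. The rest will be garbage collected.
  revisionHistoryLimit: 3
  # Default image used by all authentik components. For GeoIP configuration, see the geoip values below.
  image:
    # -- If defined, a repository applied to all authentik deployments
    repository: cgr.dev/chainguard-private/authentik
    # -- Overrides the global authentik image tag, whose default is the chart appVersion.
    # `latest` is a mutable tag; the `digest` below is what actually pins the image.
    # If the digest is cleared, `pullPolicy: IfNotPresent` means a node keeps whatever
    # `latest` it has cached, so different nodes can run different builds.
    tag: latest
    # -- If defined, an image digest applied to all authentik deployments
    digest: sha256:4b7bafde453b591314cd0f89e1ce9c87d53ed88a5ac3653b7661b62aa1076e15
    # -- If defined, an imagePullPolicy applied to all authentik deployments
    pullPolicy: IfNotPresent
  # -- Secrets with credentials to pull images from a private registry
  # (required for cgr.dev/chainguard-private unless nodes are pre-authenticated).
  imagePullSecrets: []
  # -- Annotations for all deployed Deployments
  deploymentAnnotations: {}
  # -- Annotations for all deployed pods
  podAnnotations: {}
  # -- Annotations for all deployed secrets
  secretAnnotations: {}
  # -- Labels for all deployed pods
  podLabels: {}
  # -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors.
  addPrometheusAnnotations: false
  # -- Toggle and define pod-level security context.
  # Empty by default: the pods run with whatever UID/GID the image declares.
  # @default -- `{}` (See [values.yaml])
  securityContext: {}
    # runAsUser: 1000
    # runAsGroup: 1000
    # fsGroup: 1000

  # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
  hostAliases: []
    # - ip: 10.20.30.40
    #   hostnames:
    #     - my.hostname

  # -- Default priority class for all components
  priorityClassName: ""
  # -- Default node selector for all components
  nodeSelector: {}
  # -- Default tolerations for all components
  tolerations: []
  # Default affinity preset for all components
  affinity:
    # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard`
    podAntiAffinity: soft
    # Node affinity rules
    nodeAffinity:
      # -- Default node affinity rules. Either `none`, `soft` or `hard`
      type: hard
      # -- Default match expressions for node affinity
      matchExpressions: []
        # - key: topology.kubernetes.io/zone
        #   operator: In
        #   values:
        #     - zonea
        #     - zoneb
  # -- Default [TopologySpreadConstraints] rules for all components
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
    # - maxSkew: 1
    #   topologyKey: topology.kubernetes.io/zone
    #   whenUnsatisfiable: DoNotSchedule

  # -- Deployment strategy for all deployed Deployments
  deploymentStrategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 25%
    #   maxUnavailable: 25%

  # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
  # See configuration options at https://goauthentik.io/docs/installation/configuration/
  # Prefer `valueFrom.secretKeyRef` over inline `value` for anything sensitive, so the
  # secret does not end up in the rendered manifest and Helm release history.
  # @default -- `[]` (See [values.yaml])
  env: []
    # - name: AUTHENTIK_VAR_NAME
    #   value: VALUE
    # - name: AUTHENTIK_VAR_OTHER
    #   valueFrom:
    #     secretKeyRef:
    #       name: secret-name
    #       key: secret-key
    # - name: AUTHENTIK_VAR_ANOTHER
    #   valueFrom:
    #     configMapKeyRef:
    #       name: config-map-name
    #       key: config-map-key

  # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP
  # @default -- `[]` (See [values.yaml])
  envFrom: []
    # - configMapRef:
    #     name: config-map-name
    # - secretRef:
    #     name: secret-name

  # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP
  # @default -- `[]` (See [values.yaml])
  volumeMounts: []
    # - name: custom
    #   mountPath: /custom

  # -- Additional volumes to all deployed Deployments.
  # @default -- `[]` (See [values.yaml])
  volumes: []
    # - name: custom
    #   emptyDir: {}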
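# -- Authentik configuration. See the [authentik configuration docs] for details about which values are accepted here. See the note at the top of that page for details about transforming environment variable names into values here.
# @default -- See [values.yaml]
authentik:
  # -- whether to create the authentik configuration secret
  # (the `secret_key`, `email.password` and `postgresql.password` values below are
  # presumably rendered into that Secret, and therefore also into Helm release
  # history; use `existingSecret` to keep them out of values files)
  enabled: true
  # -- Log level for server and worker
  log_level: info
  # -- Secret key used for cookie signing and unique user IDs,
  # don't change this after the first install.
  # No value is provided here; set a long random value (or use `existingSecret`)
  # before the first install. What the chart does when this stays empty is not
  # visible in this file.
  secret_key: ""
  ## use existing secret for authentik configuration instead of creating one
  ## WARNING: when set, authentik.* secret values are ignored
  existingSecret:
    # -- name of an existing secret to use for authentik configuration
    secretName: ""
  events:
    context_processors:
      # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled.
      geoip: /geoip/GeoLite2-City.mmdb
      # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
      asn: /geoip/GeoLite2-ASN.mmdb
  web:
    # -- Relative path the authentik instance will be available at. Value _must_ contain both a leading and trailing slash.
    path: /
  email:
    # -- SMTP Server emails are sent from, fully optional
    host: ""
    # -- SMTP server port
    port: 587
    # -- SMTP credentials, when left empty, no authentication will be done
    username: ""
    # -- SMTP credentials, when left empty, no authentication will be done
    password: ""
    # -- Use StartTLS. Enable either use_tls or use_ssl, they can't be enabled at the same time.
    # With both `use_tls` and `use_ssl` false the SMTP session (credentials included)
    # is sent in clear text; port 587 is conventionally used with STARTTLS.
    use_tls: false
    # -- Use SSL. Enable either use_tls or use_ssl, they can't be enabled at the same time.
    use_ssl: false
    # -- Connection timeout
    timeout: 30
    # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
    from: ""
  outposts:
    # -- Template used for managed outposts. The following placeholders can be used
    # %(type)s - the type of the outpost
    # %(version)s - version of your authentik install
    # %(build_hash)s - only for beta versions, the build hash of the image
    # Note: managed outposts are pulled from the upstream ghcr.io registry, not from
    # the `global.image.repository` above, and by tag rather than by digest.
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    # -- This sends anonymous usage-data, stack traces on errors and
    # performance data to sentry.beryju.org, and is fully opt-in
    enabled: false
    # -- This is a string that is sent to sentry with your error reports
    environment: "k8s"
    # -- Send PII (Personally identifiable information) data to sentry
    send_pii: false
  postgresql:
    # -- set the postgresql hostname to talk to
    # if unset and .Values.postgresql.enabled == true, will generate the default
    # @default -- `{{ .Release.Name }}-postgresql`
    host: "{{ .Release.Name }}-postgresql"
    # -- postgresql Database name
    # @default -- `authentik`
    name: "authentik"
    # -- postgresql Username
    # @default -- `authentik`
    user: "authentik"
    # -- postgresql password
    password: ""
    # -- postgresql port
    port: 5432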
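# Blueprints are applied by authentik at startup; anything mounted here can
# create or change providers, flows, users and policies, so treat the referenced
# ConfigMaps/Secrets as privileged configuration.
blueprints:
  # -- List of config maps to mount blueprints from.
  # Only keys in the configMap ending with `.yaml` will be discovered and applied.
  configMaps: []
  # -- List of secrets to mount blueprints from.
  # Only keys in the secret ending with `.yaml` will be discovered and applied.
  secrets: []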
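## authentik server
server:
  # -- whether to enable server resources
  enabled: true
  # -- authentik server name
  name: server
  # -- The number of server pods to run
  replicas: 1
  ## authentik server Horizontal Pod Autoscaler
  autoscaling:
    # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server
    enabled: false
    # -- Minimum number of replicas for the authentik server [HPA]
    minReplicas: 1
    # -- Maximum number of replicas for the authentik server [HPA]
    maxReplicas: 5
    # -- Average CPU utilization percentage for the authentik server [HPA]
    targetCPUUtilizationPercentage: 50
    # -- Average memory utilization percentage for the authentik server [HPA]
    targetMemoryUtilizationPercentage: ~
    # -- Configures the scaling behavior of the target in both Up and Down directions.
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #     - type: Pods
      #       value: 1
      #       periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #     - type: Pods
      #       value: 2
      #       periodSeconds: 60
    # -- Configures custom HPA metrics for the authentik server
    # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
    metrics: []
  ## authentik server Pod Disruption Budget
  ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  pdb:
    # -- Deploy a [PodDisruptionBudget] for the authentik server
    enabled: false
    # -- Labels to be added to the authentik server pdb
    labels: {}
    # -- Annotations to be added to the authentik server pdb
    annotations: {}
    # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
    # @default -- `""` (defaults to 0 if not specified)
    minAvailable: ""
    # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
    ## Has higher precedence over `server.pdb.minAvailable`
    maxUnavailable: ""
  ## authentik server image
  ## This should match what is deployed in the worker. Prefer using global.image
  image:
    # -- Repository to use to the authentik server
    # @default -- `""` (defaults to global.image.repository)
    repository: "" # defaults to global.image.repository
    # -- Tag to use to the authentik server
    # @default -- `""` (defaults to global.image.tag)
    tag: "" # defaults to global.image.tag
    # -- Digest to use to the authentik server
    # @default -- `""` (defaults to global.image.digest)
    digest: "" # defaults to global.image.digest
    # -- Image pull policy to use to the authentik server
    # @default -- `""` (defaults to global.image.pullPolicy)
    pullPolicy: "" # defaults to global.image.pullPolicy
  # -- Secrets with credentials to pull images from a private registry
  # @default -- `[]` (defaults to global.imagePullSecrets)
  imagePullSecrets: []
  # -- Environment variables to pass to the authentik server. Does not apply to GeoIP
  # See configuration options at https://goauthentik.io/docs/installation/configuration/
  # @default -- `[]` (See [values.yaml])
  env: []
    # - name: AUTHENTIK_VAR_NAME
    #   value: VALUE
    # - name: AUTHENTIK_VAR_OTHER
    #   valueFrom:
    #     secretKeyRef:
    #       name: secret-name
    #       key: secret-key
    # - name: AUTHENTIK_VAR_ANOTHER
    #   valueFrom:
    #     configMapKeyRef:
    #       name: config-map-name
    #       key: config-map-key

  # -- envFrom to pass to the authentik server. Does not apply to GeoIP
  # @default -- `[]` (See [values.yaml])
  envFrom: []
    # - configMapRef:
    #     name: config-map-name
    # - secretRef:
    #     name: secret-name

  # -- Specify postStart and preStop lifecycle hooks for your authentik server container
  lifecycle: {}
  # -- Additional containers to be added to the authentik server pod
  ## Note: Supports use of custom Helm templates
  extraContainers: []
    # - name: my-sidecar
    #   image: nginx:latest

  # -- Init containers to add to the authentik server pod
  ## Note: Supports use of custom Helm templates
  initContainers: []
    # - name: download-tools
    #   image: alpine:3
    #   command: [sh, -c]
    #   args:
    #     - echo init

  # -- Additional volumeMounts to the authentik server main container
  volumeMounts: []
    # - name: custom
    #   mountPath: /custom

  # -- Additional volumes to the authentik server pod
  volumes: []
    # - name: custom
    #   emptyDir: {}

  # -- Annotations to be added to the authentik server Deployment
  deploymentAnnotations: {}
  # -- Annotations to be added to the authentik server pods
  podAnnotations: {}
  # -- Labels to be added to the authentik server pods
  podLabels: {}
  # -- Resource limits and requests for the authentik server
  resources: {}
    # requests:
    #   cpu: 100m
    #   memory: 512Mi
    # limits:
    #   memory: 512Mi

  # authentik server container ports
  containerPorts:
    # -- http container port
    http: 9000
    # -- https container port
    https: 9443
    # -- metrics container port
    metrics: 9300
  # -- Host Network for authentik server pods
  # (when true, the container ports above bind on the node's interfaces and
  # NetworkPolicies no longer apply to the pod)
  hostNetwork: false
  # -- [DNS configuration]
  dnsConfig: {}
  # -- Alternative DNS policy for authentik server pods
  dnsPolicy: ""
  # -- serviceAccount to use for authentik server pods
  serviceAccountName: ~
  # -- authentik server pod-level security context
  # @default -- `{}` (See [values.yaml])
  securityContext: {}
    # runAsUser: 1000
    # runAsGroup: 1000
    # fsGroup: 1000

  # -- authentik server container-level security context
  # Empty by default, i.e. no hardening is applied. The commented block is the
  # usual "restricted" baseline; enable it once verified with your image.
  # @default -- See [values.yaml]
  containerSecurityContext: {}
    # Not all of the following has been tested. Use at your own risk.
    # runAsNonRoot: true
    # readOnlyRootFilesystem: true
    # allowPrivilegeEscalation: false
    # seccompProfile:        # (field name corrected: `seccomProfile` would be silently ignored)
    #   type: RuntimeDefault
    # capabilities:
    #   drop:
    #     - ALL

  ## Liveness, readiness and startup probes for authentik server
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  livenessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
    # -- Number of seconds after the container has started before [probe] is initiated
    initialDelaySeconds: 5
    # -- How often (in seconds) to perform the [probe]
    periodSeconds: 10
    # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
    successThreshold: 1
    # -- Number of seconds after which the [probe] times out
    timeoutSeconds: 3
    ## Probe configuration
    httpGet:
      path: "{{ .Values.authentik.web.path }}-/health/live/"
      port: http
  readinessProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 3
    # -- Number of seconds after the container has started before [probe] is initiated
    initialDelaySeconds: 5
    # -- How often (in seconds) to perform the [probe]
    periodSeconds: 10
    # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
    successThreshold: 1
    # -- Number of seconds after which the [probe] times out
    timeoutSeconds: 3
    ## Probe configuration
    httpGet:
      path: "{{ .Values.authentik.web.path }}-/health/ready/"
      port: http
  startupProbe:
    # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
    failureThreshold: 60
    # -- Number of seconds after the container has started before [probe] is initiated
    initialDelaySeconds: 5
    # -- How often (in seconds) to perform the [probe]
    periodSeconds: 10
    # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
    successThreshold: 1
    # -- Number of seconds after which the [probe] times out
    timeoutSeconds: 3
    ## Probe configuration
    httpGet:
      path: "{{ .Values.authentik.web.path }}-/health/live/"
      port: http
  # -- terminationGracePeriodSeconds for container lifecycle hook
  terminationGracePeriodSeconds: 30
  # -- Priority class for the authentik server pods
  # @default -- `""` (defaults to global.priorityClassName)
  priorityClassName: ""
  # -- [Node selector]
  # @default -- `{}` (defaults to global.nodeSelector)
  nodeSelector: {}
  # -- [Tolerations] for use with node taints
  # @default -- `[]` (defaults to global.tolerations)
  tolerations: []
  # -- Assign custom [affinity] rules to the deployment
  # @default -- `{}` (defaults to the global.affinity preset)
  affinity: {}
  # -- Assign custom [TopologySpreadConstraints] rules to the authentik server
  # @default -- `[]` (defaults to global.topologySpreadConstraints)
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
  topologySpreadConstraints: []
    # - maxSkew: 1
    #   topologyKey: topology.kubernetes.io/zone
    #   whenUnsatisfiable: DoNotSchedule

  # -- Deployment strategy to be added to the authentik server Deployment
  # @default -- `{}` (defaults to global.deploymentStrategy)
  deploymentStrategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 25%
    #   maxUnavailable: 25%

  ## authentik server service configuration
  service:
    # -- authentik server service annotations
    annotations: {}
    # -- authentik server service labels
    labels: {}
    # -- authentik server service type
    type: ClusterIP
    # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`)
    nodePortHttp: 30080
    # -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`)
    nodePortHttps: 30443
    # -- authentik server service http port
    servicePortHttp: 80
    # -- authentik server service https port
    servicePortHttps: 443
    # -- authentik server service http port name
    servicePortHttpName: http
    # -- authentik server service https port name
    servicePortHttpsName: https
    # -- authentik server service http port appProtocol
    # servicePortHttpAppProtocol: HTTP
    # -- authentik server service https port appProtocol
    # servicePortHttpsAppProtocol: HTTPS
    # -- LoadBalancer will get created with the IP specified in this field
    loadBalancerIP: ""
    # -- Source IP ranges to allow access to service from
    # (empty means the load balancer accepts traffic from any source)
    loadBalancerSourceRanges: []
    # -- authentik server service external IPs
    externalIPs: []
    # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints
    externalTrafficPolicy: ""
    # -- Used to maintain session affinity. Supports `ClientIP` and `None`
    sessionAffinity: ""
    # -- Session affinity configuration
    sessionAffinityConfig: {}
  ## authentik server metrics service configuration
  metrics:
    # -- deploy metrics service
    enabled: false
    service:
      # -- metrics service type
      type: ClusterIP
      # -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
      clusterIP: ""
      # -- metrics service annotations
      annotations: {}
      # -- metrics service labels
      labels: {}
      # -- metrics service port
      servicePort: 9300
      # -- metrics service port name
      portName: metrics
    serviceMonitor:
      # -- enable a prometheus ServiceMonitor
      enabled: false
      # -- Prometheus ServiceMonitor interval
      interval: 30s
      # -- Prometheus ServiceMonitor scrape timeout
      scrapeTimeout: 3s
      # -- Prometheus [RelabelConfigs] to apply to samples before scraping
      relabelings: []
      # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
      metricRelabelings: []
      # -- Prometheus ServiceMonitor selector
      selector: {}
        # prometheus: kube-prometheus

      # -- Prometheus ServiceMonitor scheme
      scheme: ""
      # -- Prometheus ServiceMonitor tlsConfig
      tlsConfig: {}
      # -- Prometheus ServiceMonitor namespace
      namespace: ""
      # -- Prometheus ServiceMonitor labels
      labels: {}
      # -- Prometheus ServiceMonitor annotations
      annotations: {}
  ingress:
    # -- enable an ingress resource for the authentik server
    enabled: false
    # -- additional ingress annotations
    annotations: {}
    # -- additional ingress labels
    labels: {}
    # -- defines which ingress controller will implement the resource
    ingressClassName: ""
    # -- List of ingress hosts
    hosts: []
      # - authentik.domain.tld

    # -- List of ingress paths
    paths:
      - "{{ .Values.authentik.web.path }}"
    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix
    # -- additional ingress paths
    extraPaths: []
      # - path: /*
      #   pathType: Prefix
      #   backend:
      #     service:
      #       name: ssl-redirect
      #       port:
      #         name: use-annotation

    # -- ingress TLS configuration
    # (empty means the ingress serves plain HTTP unless the controller adds TLS itself)
    tls: []
      # - secretName: authentik-tls
      #   hosts:
      #     - authentik.domain.tld

    # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
    https: false
  route:
    main:
      # -- enable an HTTPRoute resource for the authentik server.
      # Be aware that this is an early beta of this feature. We don't guarantee this works and is subject to change.
      enabled: false
      # -- Set the route apiVersion
      apiVersion: gateway.networking.k8s.io/v1
      # -- Set the route kind
      kind: HTTPRoute
      # -- Route annotations
      annotations: {}
      # -- Route labels
      labels: {}
      # -- Route hostnames
      hostnames: []
      # -- Reference to parent gateways
      parentRefs: []
      # -- Create http route for redirect (https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/#http-to-https-redirects).
      # Take care that you only enable this on the http listener of the gateway to avoid an infinite redirect.
      # Matches, filters and additionalRules will be ignored if this is set to true
      httpsRedirect: false
      # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp`
      https: false
      # -- Route matches
      matches:
        - path:
            type: PathPrefix
            value: "{{ .Values.authentik.web.path }}"
      # -- Route filters
      filters: []
      # -- Additional custom rules that can be added to the route
      additionalRules: []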
## authentik worker
604
worker:
605
# -- whether to enable worker resources
606
enabled: true
607
# -- authentik worker name
608
name: worker
609
# -- The number of worker pods to run
610
replicas: 1
611
## authentik worker Horizontal Pod Autoscaler
612
autoscaling:
613
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker
614
enabled: false
615
# -- Minimum number of replicas for the authentik worker [HPA]
616
minReplicas: 1
617
# -- Maximum number of replicas for the authentik worker [HPA]
618
maxReplicas: 5
619
# -- Average CPU utilization percentage for the authentik worker [HPA]
620
targetCPUUtilizationPercentage: 50
621
# -- Average memory utilization percentage for the authentik worker [HPA]
622
targetMemoryUtilizationPercentage: ~
623
# -- Configures the scaling behavior of the target in both Up and Down directions.
624
behavior: {}
625
# scaleDown:
626
# stabilizationWindowSeconds: 300
627
# policies:
628
# - type: Pods
629
# value: 1
630
# periodSeconds: 180
631
# scaleUp:
632
# stabilizationWindowSeconds: 300
633
# policies:
634
# - type: Pods
635
# value: 2
636
# periodSeconds: 60
637
# -- Configures custom HPA metrics for the authentik worker
638
# Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
639
metrics: []
640
## authentik worker Pod Disruption Budget
641
## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
642
pdb:
643
# -- Deploy a [PodDistrubtionBudget] for the authentik worker
644
enabled: false
645
# -- Labels to be added to the authentik worker pdb
646
labels: {}
647
# -- Annotations to be added to the authentik worker pdb
648
annotations: {}
649
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
650
# @default -- `""` (defaults to 0 if not specified)
651
minAvailable: ""
652
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
653
## Has higher precedence over `worker.pdb.minAvailable`
654
maxUnavailable: ""
655
## authentik worker image
656
## This should match what is deployed in the server. Prefer using global.image
657
image:
658
# -- Repository to use to the authentik worker
659
# @default -- `""` (defaults to global.image.repository)
660
repository: "" # defaults to global.image.repository
661
# -- Tag to use to the authentik worker
662
# @default -- `""` (defaults to global.image.tag)
663
tag: "" # defaults to global.image.tag
664
# -- Digest to use to the authentik worker
665
# @default -- `""` (defaults to global.image.digest)
666
digest: "" # defaults to global.image.digest
667
# -- Image pull policy to use to the authentik worker
668
# @default -- `""` (defaults to global.image.pullPolicy)
669
pullPolicy: "" # defaults to global.image.pullPolicy
670
# -- Secrets with credentials to pull images from a private registry
671
# @default -- `[]` (defaults to global.imagePullSecrets)
672
imagePullSecrets: []
673
# -- Environment variables to pass to the authentik worker. Does not apply to GeoIP
674
# See configuration options at https://goauthentik.io/docs/installation/configuration/
675
# @default -- `[]` (See [values.yaml])
676
env: []
677
# - name: AUTHENTIK_VAR_NAME
678
# value: VALUE
679
# - name: AUTHENTIK_VAR_OTHER
680
# valueFrom:
681
# secretKeyRef:
682
# name: secret-name
683
# key: secret-key
684
# - name: AUTHENTIK_VAR_ANOTHER
685
# valueFrom:
686
# configMapKeyRef:
687
# name: config-map-name
688
# key: config-map-key
689
690
# -- envFrom to pass to the authentik worker. Does not apply to GeoIP
691
# @default -- `[]` (See [values.yaml])
692
envFrom: []
693
# - configMapRef:
694
# name: config-map-name
695
# - secretRef:
696
# name: secret-name
697
698
# -- Specify postStart and preStop lifecycle hooks for you authentik worker container
699
lifecycle: {}
700
# -- Additional containers to be added to the authentik worker pod
701
## Note: Supports use of custom Helm templates
702
extraContainers: []
703
# - name: my-sidecar
704
# image: nginx:latest
705
706
# -- Init containers to add to the authentik worker pod
707
## Note: Supports use of custom Helm templates
708
initContainers: []
709
# - name: download-tools
710
# image: alpine:3
711
# command: [sh, -c]
712
# args:
713
# - echo init
714
715
# -- Additional volumeMounts to the authentik worker main container
716
volumeMounts: []
717
# - name: custom
718
# mountPath: /custom
719
720
# -- Additional volumes to the authentik worker pod
721
volumes: []
722
# - name: custom
723
# emptyDir: {}
724
725
# -- Annotations to be added to the authentik worker Deployment
726
deploymentAnnotations: {}
727
# -- Annotations to be added to the authentik worker pods
728
podAnnotations: {}
729
# -- Labels to be added to the authentik worker pods
730
podLabels: {}
731
# -- Resource limits and requests for the authentik worker
732
resources: {}
733
# requests:
734
# cpu: 100m
735
# memory: 512Mi
736
# limits:
737
# memory: 512Mi
738
739
# authentik worker container ports
740
containerPorts:
741
# -- http container port
742
http: 9000
743
# -- metrics container port
744
metrics: 9300
745
# -- Host Network for authentik worker pods
746
hostNetwork: false
747
# -- [DNS configuration]
748
dnsConfig: {}
749
# -- Alternative DNS policy for authentik worker pods
750
dnsPolicy: ""
751
# -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
752
serviceAccountName: ~
753
# -- (bool) automount behavior for service account token in worker pods. Only applies if worker.serviceAccountName is set.
754
automountServiceAccountToken: ~
755
# -- authentik worker pod-level security context
756
# @default -- `{}` (See [values.yaml])
757
securityContext: {}
758
# runAsUser: 1000
759
# runAsGroup: 1000
760
# fsGroup: 1000
761
762
# -- authentik worker container-level security context
763
# @default -- See [values.yaml]
764
containerSecurityContext: {}
765
# Not all of the following has been tested. Use at your own risk.
766
# runAsNonRoot: true
767
# readOnlyRootFilesystem: true
768
# allowPrivilegeEscalation: false
769
# seccomProfile:
770
# type: RuntimeDefault
771
# capabilities:
772
# drop:
773
# - ALL
774
775
livenessProbe:
776
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
777
failureThreshold: 3
778
# -- Number of seconds after the container has started before [probe] is initiated
779
initialDelaySeconds: 5
780
# -- How often (in seconds) to perform the [probe]
781
periodSeconds: 10
782
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
783
successThreshold: 1
784
# -- Number of seconds after which the [probe] times out
785
timeoutSeconds: 3
786
## Probe configuration
787
exec:
788
command:
789
- ak
790
- healthcheck
791
readinessProbe:
792
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
793
failureThreshold: 3
794
# -- Number of seconds after the container has started before [probe] is initiated
795
initialDelaySeconds: 5
796
# -- How often (in seconds) to perform the [probe]
797
periodSeconds: 10
798
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
799
successThreshold: 1
800
# -- Number of seconds after which the [probe] times out
801
timeoutSeconds: 3
802
## Probe configuration
803
exec:
804
command:
805
- ak
806
- healthcheck
807
startupProbe:
808
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
809
failureThreshold: 60
810
# -- Number of seconds after the container has started before [probe] is initiated
811
initialDelaySeconds: 30
812
# -- How often (in seconds) to perform the [probe]
813
periodSeconds: 10
814
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
815
successThreshold: 1
816
# -- Number of seconds after which the [probe] times out
817
timeoutSeconds: 3
818
## Probe configuration
819
exec:
820
command:
821
- ak
822
- healthcheck
823
# -- terminationGracePeriodSeconds for container lifecycle hook
824
terminationGracePeriodSeconds: 30
825
# -- Prority class for the authentik worker pods
826
# @default -- `""` (defaults to global.priorityClassName)
827
priorityClassName: ""
828
# -- [Node selector]
829
# @default -- `{}` (defaults to global.nodeSelector)
830
nodeSelector: {}
831
# -- [Tolerations] for use with node taints
832
# @default -- `[]` (defaults to global.tolerations)
833
tolerations: []
834
# -- Assign custom [affinity] rules to the deployment
835
# @default -- `{}` (defaults to the global.affinity preset)
836
affinity: {}
837
# -- Assign custom [TopologySpreadConstraints] rules to the authentik worker
838
# @default -- `[]` (defaults to global.topologySpreadConstraints)
839
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
840
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
841
topologySpreadConstraints: []
842
# - maxSkew: 1
843
# topologyKey: topology.kubernetes.io/zone
844
# whenUnsatisfiable: DoNotSchedule
845
846
# -- Deployment strategy to be added to the authentik worker Deployment
847
# @default -- `{}` (defaults to global.deploymentStrategy)
848
deploymentStrategy: {}
849
# type: RollingUpdate
850
# rollingUpdate:
851
# maxSurge: 25%
852
# maxUnavailable: 25%
853
854
## authentik worker metrics service configuration
855
metrics:
856
# -- deploy metrics service
857
enabled: false
858
service:
859
# -- metrics service type
860
type: ClusterIP
861
# -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP)
862
clusterIP: ""
863
# -- metrics service annotations
864
annotations: {}
865
# -- metrics service labels
866
labels: {}
867
# -- metrics service port
868
servicePort: 9300
869
# -- metrics service port name
870
portName: metrics
871
serviceMonitor:
872
# -- enable a prometheus ServiceMonitor
873
enabled: false
874
# -- Prometheus ServiceMonitor interval
875
interval: 30s
876
# -- Prometheus ServiceMonitor scrape timeout
877
scrapeTimeout: 3s
878
# -- Prometheus [RelabelConfigs] to apply to samples before scraping
879
relabelings: []
880
# -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion
881
metricRelabelings: []
882
# -- Prometheus ServiceMonitor selector
883
selector: {}
884
# prometheus: kube-prometheus
885
886
# -- Prometheus ServiceMonitor scheme
887
scheme: ""
888
# -- Prometheus ServiceMonitor tlsConfig
889
tlsConfig: {}
890
# -- Prometheus ServiceMonitor namespace
891
namespace: ""
892
# -- Prometheus ServiceMonitor labels
893
labels: {}
894
# -- Prometheus ServiceMonitor annotations
895
annotations: {}
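serviceAccount:
  # -- Create service account. Needed for managed outposts
  create: true
  # -- additional service account annotations
  annotations: {}
  serviceAccountSecret:
    # As we use the authentik-remote-cluster chart as subchart, and that chart
    # creates a service account secret by default which we don't need here,
    # disable its creation
    enabled: false
  # -- Full name override passed to the authentik-remote-cluster subchart, which
  # determines the name of the service account it creates
  fullnameOverride: authentik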
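geoip:
  # -- enable GeoIP sidecars for the authentik server and worker pods
  enabled: false
  # -- Space-separated list of MaxMind edition IDs to download
  editionIds: "GeoLite2-City GeoLite2-ASN"
  # -- GeoIP update frequency, in hours
  updateInterval: 8
  # -- sign up under https://www.maxmind.com/en/geolite2/signup
  # Credentials set here are stored with the Helm release values; prefer existingSecret below
  accountId: ""
  # -- sign up under https://www.maxmind.com/en/geolite2/signup
  licenseKey: ""
  ## use existing secret instead of values above
  existingSecret:
    # -- name of an existing secret to use instead of values above
    secretName: ""
    # -- key in the secret containing the account ID
    accountId: "account_id"
    # -- key in the secret containing the license key
    licenseKey: "license_key"
  image:
    # -- If defined, a repository for GeoIP images
    repository: cgr.dev/chainguard-private/geoip-api
    # -- If defined, a tag for GeoIP images
    tag: latest
    # -- If defined, an image digest for GeoIP images (pins the image regardless of the mutable tag above)
    digest: sha256:3286c83759ab55ecbb8fa9d36a82270821ceae9a97beadbae2985cc801fe22f2
    # -- If defined, an imagePullPolicy for GeoIP images
    pullPolicy: IfNotPresent
  # -- Environment variables to pass to the GeoIP containers
  # @default -- `[]` (See [values.yaml])
  env: []
  # - name: GEOIPUPDATE_VAR_NAME
  #   value: VALUE
  # - name: GEOIPUPDATE_VAR_OTHER
  #   valueFrom:
  #     secretKeyRef:
  #       name: secret-name
  #       key: secret-key
  # - name: GEOIPUPDATE_VAR_ANOTHER
  #   valueFrom:
  #     configMapKeyRef:
  #       name: config-map-name
  #       key: config-map-key

  # -- envFrom to pass to the GeoIP containers
  # @default -- `[]` (See [values.yaml])
  envFrom: []
  # - configMapRef:
  #     name: config-map-name
  # - secretRef:
  #     name: secret-name

  # -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker.
  volumeMounts: []
  # - name: custom
  #   mountPath: /custom

  # -- Resource limits and requests for GeoIP containers
  resources: {}
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  # limits:
  #   memory: 128Mi

  # -- GeoIP container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext: {}
  # Not all of the following has been tested. Use at your own risk.
  # runAsNonRoot: true
  # readOnlyRootFilesystem: true
  # allowPrivilegeEscalation: false
  # seccompProfile:
  #   type: RuntimeDefault
  # capabilities:
  #   drop:
  #     - ALL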
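prometheus:
  rules:
    # -- deploy a PrometheusRule resource
    enabled: false
    # -- PrometheusRule namespace
    namespace: ""
    # -- PrometheusRule selector
    selector: {}
    # prometheus: kube-prometheus

    # -- PrometheusRule labels
    labels: {}
    # -- PrometheusRule annotations
    annotations: {}
    # -- PrometheusRuleGroup additional annotations
    additionalRuleGroupAnnotations: {}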
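postgresql:
  # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values.
  enabled: false
  image:
    # -- PostgreSQL image registry
    registry: docker.io
    # -- PostgreSQL image repository
    repository: library/postgres
    # -- PostgreSQL image tag (quoted so it is never read as a float)
    tag: "17.9-bookworm"
  auth:
    # -- database user authentik connects as
    username: authentik
    # -- database created for authentik
    database: authentik
    # -- password for that user. When left unset, the Bitnami chart's own password
    # handling applies; see its auth.* values for supplying an existing secret.
    # password: ""
  primary:
    # Point the server at the config and hba files; these are expected to be
    # populated from `configuration` and `pgHbaConfiguration` below.
    args:
      - -c
      - config_file=/bitnami/postgresql/conf/postgresql.conf
      - -c
      - hba_file=/bitnami/postgresql/conf/pg_hba.conf
    # postgresql.conf contents. Note that connection/disconnection logging is
    # switched off here; enable it if you need a connection audit trail.
    configuration: |
      listen_addresses = '*'
      port = '5432'
      wal_level = 'replica'
      fsync = 'on'
      hot_standby = 'on'
      log_connections = 'false'
      log_disconnections = 'false'
      log_hostname = 'false'
      client_min_messages = 'error'
      include_dir = 'conf.d'
    # pg_hba.conf contents. Every rule requires scram-sha-256 password
    # authentication, and the 0.0.0.0/0 and ::/0 rules accept connections from
    # any address. `host` matches both plain and TLS connections; use `hostssl`
    # if TLS is to be required for in-cluster clients.
    pgHbaConfiguration: |
      host all all 0.0.0.0/0 scram-sha-256
      host all all ::/0 scram-sha-256
      local all all scram-sha-256
      host all all 127.0.0.1/32 scram-sha-256
      host all all ::1/128 scram-sha-256
    # Additional settings, presumably picked up through the include_dir above
    extendedConfiguration: |
      max_connections = 500
    extraEnvVars:
      - name: POSTGRES_DB
        value: '{{ (include "postgresql.v1.database" .) }}'
    # "none" applies no resource requests/limits; set them explicitly for production
    resourcesPreset: "none"
    # persistence:
    #   enabled: true
    #   storageClass:
    #   accessModes:
    #     - ReadWriteOnce
    containerSecurityContext:
      # Root filesystem is immutable; the socket directory is provided by the emptyDir below
      readOnlyRootFilesystem: true
    extraVolumeMounts:
      - name: postgresql-socket
        mountPath: /var/run/postgresql
    extraVolumes:
      - name: postgresql-socket
        emptyDir: {}
  readReplicas:
    resourcesPreset: "none"
  backup:
    resourcesPreset: "none"
  passwordUpdateJob:
    resourcesPreset: "none"
  volumePermissions:
    resourcesPreset: "none"
    image:
      repository: debian
      tag: 13-slim
  metrics:
    resourcesPreset: "none"
    image:
      repository: prometheuscommunity/postgres-exporter
      tag: v0.19.1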
# -- Additional Kubernetes objects to deploy. Each object is passed through the Helm template engine before being rendered.
additionalObjects: []
