authentik-remote-cluster: rework

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

charts/authentik-remote-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-version: 1.2.2
-appVersion: 2023.6.0
+version: 2.0.0
+appVersion: 2024.2.0
 name: authentik-remote-cluster
 description: RBAC required for a remote cluster to be connected to authentik.
 type: application

charts/authentik-remote-cluster/README.md

@@ -5,30 +5,34 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge)
-![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=for-the-badge)
+![AppVersion: 2024.2.0](https://img.shields.io/badge/AppVersion-2024.2.0-informational?style=for-the-badge)
 
 RBAC required for a remote cluster to be connected to authentik.
 
 **Homepage:** <https://goauthentik.io>
 
 ## Maintainers
 
-| Name | Email | Url |
-| ---- | ------ | --- |
+| Name           | Email                  | Url                      |
+| -------------- | ---------------------- | ------------------------ |
 | authentik Team | <hello@goauthentik.io> | <https://goauthentik.io> |
 
 ## Source Code
 
-* <https://goauthentik.io/docs/>
-* <https://github.com/goauthentik/authentik>
+-   <https://goauthentik.io/docs/>
+-   <https://github.com/goauthentik/authentik>
 
 ## Values
 
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| annotations | object | `{}` |  |
-| clusterRole.enabled | bool | `true` |  |
-| fullnameOverride | string | `""` |  |
-| nameOverride | string | `""` |  |
-| serviceAccountSecret.enabled | bool | `true` |  |
+| Key                          | Type   | Default | Description                                                                                       |
+| ---------------------------- | ------ | ------- | ------------------------------------------------------------------------------------------------- |
+| annotations                  | object | `{}`    | Annotations to apply to all resources                                                             |
+| clusterRole.enabled          | bool   | `true`  | Create a clusterole in addition to a namespaced role.                                             |
+| fullnameOverride             | string | `""`    | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible |
+| global.additionalLabels      | object | `{}`    | Common labels for all resources.                                                                  |
+| global.fullnameOverride      | string | `""`    | String to fully override `"authentik.fullname"`                                                   |
+| global.nameOverride          | string | `""`    | Provide a name in place of `authentik`                                                            |
+| kubeVersionOverride          | string | `""`    | Override the Kubernetes version, which is used to evaluate certain manifests                      |
+| nameOverride                 | string | `""`    | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible              |
+| serviceAccountSecret.enabled | bool   | `true`  | Create a secret with the service account credentials                                              |

charts/authentik-remote-cluster/README.md.gotmpl

@@ -5,8 +5,8 @@
 ---
 
 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-![Version: 1.2.2](https://img.shields.io/badge/Version-1.2.2-informational?style=for-the-badge)
-![AppVersion: 2023.6.0](https://img.shields.io/badge/AppVersion-2023.6.0-informational?style=for-the-badge)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=for-the-badge)
+![AppVersion: 2024.2.0](https://img.shields.io/badge/AppVersion-2024.2.0-informational?style=for-the-badge)
 
 {{ template "chart.deprecationWarning" . }}
 

charts/authentik-remote-cluster/templates/_helpers.tpl

@@ -1,31 +1,38 @@
+{{/* vim: set filetype=mustache: */}}
+
 {{/*
-Expand the name of the chart.
+Expand the name of the chart
 */}}
 {{- define "authentik-remote-cluster.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
+{{- $globalNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}}
+{{- end -}}
+{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "authentik-remote-cluster.fullname" -}}
-{{- if not .Chart.IsRoot }}
-{{- .Release.Name }}
-{{- else }}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
+{{- $name := include "authentik-remote-cluster.name" . -}}
+{{- $globalFullNameOverride := "" -}}
+{{- if hasKey .Values "global" -}}
+{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}}
+{{- end -}}
+{{- if or .Values.fullnameOverride $globalFullNameOverride -}}
+{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}}
+{{- else -}}
+{{- if contains $name .Release.Name -}}
+{{- $name = .Release.Name -}}
+{{- else -}}
+{{- $name = printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
+{{- trunc 63 $name | trimSuffix "-" -}}
+{{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label.
@@ -38,13 +45,15 @@ Create chart name and version as used by the chart label.
 Common labels
 */}}
 {{- define "authentik-remote-cluster.labels" -}}
-helm.sh/chart: {{ include "authentik-remote-cluster.chart" . }}
-app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+helm.sh/chart: {{ include "authentik-remote-cluster.chart" .context | quote }}
+app.kubernetes.io/name: {{ include "authentik-remote-cluster.name" .context | quote }}
+app.kubernetes.io/instance: {{ .context.Release.Name | quote }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }}
+app.kubernetes.io/part-of: "authentik"
+app.kubernetes.io/version: {{ .context.Chart.Version | quote }}
+{{- with .context.Values.global.additionalLabels }}
+{{ toYaml . }}
 {{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{- define "authentik-remote-cluster.api-verbs-rw" -}}

charts/authentik-remote-cluster/templates/clusterrole.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.clusterRole.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+{{- end }}

charts/authentik-remote-cluster/templates/clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.clusterRole.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ printf "%s-%s" (include "authentik-remote-cluster.fullname" .) .Release.Namespace | quote }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "authentik-remote-cluster.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}

charts/authentik-remote-cluster/templates/role.yaml

@@ -1,11 +1,10 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "authentik-remote-cluster.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
-    {{- include "authentik-remote-cluster.labels" . | nindent 4 }}
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
   {{- with .Values.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -17,30 +16,35 @@ rules:
       - secrets
       - services
       - configmaps
-    verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
   - apiGroups:
       - extensions
       - apps
     resources:
       - deployments
-    verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
   - apiGroups:
       - extensions
       - networking.k8s.io
     resources:
       - ingresses
-    verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
   - apiGroups:
       - traefik.containo.us
       - traefik.io
     resources:
       - middlewares
-    verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
   - apiGroups:
       - monitoring.coreos.com
     resources:
       - servicemonitors
-    verbs: {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
+    verbs:
+      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
   - apiGroups:
       - apiextensions.k8s.io
     resources:

charts/authentik-remote-cluster/templates/rolebinding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "authentik-remote-cluster.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}

charts/authentik-remote-cluster/templates/serviceaccount-secret.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccountSecret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  annotations:
+    kubernetes.io/service-account.name: {{ template "authentik-remote-cluster.fullname" . }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: kubernetes.io/service-account-token
+{{- end }}

charts/authentik-remote-cluster/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "authentik-remote-cluster.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "authentik-remote-cluster.labels" (dict "context" .) | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

charts/authentik-remote-cluster/values.yaml

@@ -1,10 +1,28 @@
+---
+# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
 nameOverride: ""
+# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
 fullnameOverride: ""
+# -- Override the Kubernetes version, which is used to evaluate certain manifests
+kubeVersionOverride: ""
 
+## Globally shared configuration for authentik components.
+global:
+  # -- Provide a name in place of `authentik`
+  nameOverride: ""
+  # -- String to fully override `"authentik.fullname"`
+  fullnameOverride: ""
+  # -- Common labels for all resources.
+  additionalLabels: {}
+    # app: authentik
+
+# -- Annotations to apply to all resources
 annotations: {}
 
 serviceAccountSecret:
+  # -- Create a secret with the service account credentials
   enabled: true
 
 clusterRole:
+  # -- Create a clusterole in addition to a namespaced role.
   enabled: true