authentik/website/docs/installation/kubernetes.md

---
title: Kubernetes installation
---

For a mid- to high-load installation, Kubernetes is recommended. authentik is installed using a Helm chart.

To install authentik using the Helm chart, generate a password for the database and the cache, using `pwgen` or `openssl rand -base64 36`.

Create a `values.yaml` file with a minimum of these settings:

```yaml
postgresql:
  postgresqlPassword: "<password you generated>"
redis:
  password: "<another password you generated>"
config:
  secretKey: "<another password you generated>"
# Optionally configure more things, as seen in the full values.yaml file below.
```

Afterwards, run these commands to install authentik:

```shell
helm repo add authentik https://docker.beryju.org/chartrepo/authentik
helm repo update
# Helm 3 requires a release name; "authentik" is used here.
helm install authentik authentik/authentik -f values.yaml
```

This installation automatically applies database migrations on startup. After the installation is done, navigate to `https://<ingress you've specified>/if/flow/initial-setup/` to set a password for the akadmin user.

It is also recommended to configure global email credentials. authentik uses these to notify you about alerts and configuration issues. Email stages can also use them to send verification and recovery emails.
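The secret generation and `values.yaml` steps above can be scripted so that each of the three values is generated independently and the file is readable only by its owner. This is an added example, not part of the authentik project; the function names `gen_secret`, `write_values` and `check_values` and the `/dev/urandom` fallback are assumptions of the example.

```shell
#!/bin/sh
# Added example: write the minimal values.yaml with three independent secrets.
# Function names and the /dev/urandom fallback are assumptions of this example.

# 36 random bytes, base64-encoded, as the page suggests (48 chars, one line).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 36 | tr -d '\n'
    else
        head -c 36 /dev/urandom | base64 | tr -d '\n'
    fi
}

# write_values FILE: create FILE with mode 0600; never overwrite existing secrets.
write_values() {
    out=${1:-values.yaml}
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    (
        umask 077   # the file is created readable by its owner only
        cat > "$out" <<EOF
postgresql:
  postgresqlPassword: "$(gen_secret)"
redis:
  password: "$(gen_secret)"
config:
  secretKey: "$(gen_secret)"
EOF
    )
}

# check_values FILE: fail if a placeholder is left or a secret is missing or reused.
check_values() {
    if grep -q '<.*password you generated>' "$1"; then
        echo "placeholder left in $1" >&2
        return 1
    fi
    distinct=$(grep -E '^[[:space:]]+(postgresqlPassword|password|secretKey):' "$1" |
        sed 's/^[^:]*:[[:space:]]*//' | sort -u | wc -l)
    [ "$distinct" -eq 3 ] || { echo "secrets missing or reused in $1" >&2; return 1; }
}
```

Run `write_values values.yaml && check_values values.yaml` before `helm install`; `check_values` also works on a hand-edited file that only sets these three keys.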

```yaml
###################################
# Values directly affecting authentik
###################################
image:
  name: beryju/authentik
  name_static: beryju/authentik-static
  # Image used for managed outposts. Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
  name_outposts: "beryju/authentik-%(type)s:%(version)s"
  tag: 2021.4.5

serverReplicas: 1
workerReplicas: 1

# Enable the Kubernetes integration which lets authentik deploy outposts into kubernetes
kubernetesIntegration: true

monitoring: # Optionally deploy Prometheus Rules and ServiceMonitors
  enabled: false

pvc:
  mode: ReadWriteMany
  uploadsSize: 5Gi
  uploadsStorageClass: null # null uses the default storage class
  geoIpSize: 1Gi
  geoIpStorageClass: null

config:
  # Optionally specify fixed secret_key, otherwise generated automatically
  # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
  # Enable error reporting
  errorReporting:
    enabled: false
    environment: customer
    sendPii: false
  # Log level used by web and worker
  # Can be either debug, info, warning, error
  logLevel: warning
  # Global Email settings
  email:
    # SMTP Host Emails are sent to
    host: localhost
    port: 25
    # Optionally authenticate
    username: ""
    password: ""
    # Use StartTLS
    useTls: false
    # Use SSL
    useSsl: false
    timeout: 10
    # Email address authentik will send from, should have a correct @domain
    from: authentik@localhost

# Enable MaxMind GeoIP
# geoip:
#   enabled: false
#   accountId: ""
#   licenseKey: ""
#   image: maxmindinc/geoipupdate:latest

# Enable Database Backups to S3
# backup:
#   accessKey: access-key
#   secretKey: secret-key
#   bucket: s3-bucket
#   region: eu-central-1
#   host: s3-host

ingress:
  annotations:
    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - authentik.k8s.local
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - authentik.k8s.local

###################################
# Values controlling dependencies
###################################

install:
  postgresql: true
  redis: true
```