add subpath support (#276)
* add subpath support

* automatically set ingress path too
BeryJu authored Jan 21, 2025
1 parent e8021a8 commit 8a22991
Showing 4 changed files with 17 additions and 13 deletions.
9 changes: 5 additions & 4 deletions charts/authentik/README.md
Expand Up @@ -123,6 +123,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
| authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to |
| authentik.redis.password | string | `""` | |
| authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install |
| authentik.web.path | string | `"/"` | Relative path the authentik instance will be available at. Value _must_ contain both a leading and trailing slash. |
| blueprints.configMaps | list | `[]` | List of config maps to mount blueprints from. Only keys in the configMap ending with `.yaml` will be discovered and applied. |
| blueprints.secrets | list | `[]` | List of secrets to mount blueprints from. Only keys in the secret ending with `.yaml` will be discovered and applied. |
| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible |
Expand Down Expand Up @@ -233,12 +234,12 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
| server.ingress.ingressClassName | string | `""` | defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | additional ingress labels |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.paths | list | `["/"]` | List of ingress paths |
| server.ingress.paths | list | `["{{ .Values.authentik.web.path }}"]` | List of ingress paths |
| server.ingress.tls | list | `[]` | ingress TLS configuration |
| server.initContainers | list | `[]` | Init containers to add to the authentik server pod # Note: Supports use of custom Helm templates |
| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for you authentik server container |
| server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| server.livenessProbe.httpGet.path | string | `"/-/health/live/"` | |
| server.livenessProbe.httpGet.path | string | `"{{ .Values.authentik.web.path }}-/health/live/"` | |
| server.livenessProbe.httpGet.port | string | `"http"` | |
| server.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated |
| server.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
Expand Down Expand Up @@ -273,7 +274,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
| server.podLabels | object | `{}` | Labels to be added to the authentik server pods |
| server.priorityClassName | string | `""` (defaults to global.priorityClassName) | Prority class for the authentik server pods |
| server.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| server.readinessProbe.httpGet.path | string | `"/-/health/ready/"` | |
| server.readinessProbe.httpGet.path | string | `"{{ .Values.authentik.web.path }}-/health/ready/"` | |
| server.readinessProbe.httpGet.port | string | `"http"` | |
| server.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated |
| server.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
Expand All @@ -299,7 +300,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
| server.service.type | string | `"ClusterIP"` | authentik server service type |
| server.serviceAccountName | string | `nil` | serviceAccount to use for authentik server pods |
| server.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
| server.startupProbe.httpGet.path | string | `"/-/health/live/"` | |
| server.startupProbe.httpGet.path | string | `"{{ .Values.authentik.web.path }}-/health/live/"` | |
| server.startupProbe.httpGet.port | string | `"http"` | |
| server.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated |
| server.startupProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
6 changes: 3 additions & 3 deletions charts/authentik/templates/server/deployment.yaml
Expand Up @@ -110,15 +110,15 @@ spec:
protocol: TCP
{{- with .Values.server.livenessProbe }}
livenessProbe:
{{ toYaml . | nindent 12 }}
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.server.readinessProbe }}
readinessProbe:
{{ toYaml . | nindent 12 }}
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.server.startupProbe }}
startupProbe:
{{ toYaml . | nindent 12 }}
{{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
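Review bot: `tpl (toYaml .) $` on the livenessProbe, readinessProbe and startupProbe blocks evaluates every string in the probe mapping as a Helm template, not only `httpGet.path`. A user override that contains a literal `{{` (for instance in an exec command or an HTTP header value) will now be expanded or fail to render, and the probe values do not document this. I would add the same hint that `server.initContainers` already carries, `## Note: Supports use of custom Helm templates`, above each probe in values.yaml. The expanded text is also inserted into YAML that was serialized before expansion, so it is not re-escaped. The container spec these blocks belong to starts and ends outside the hunk.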
4 changes: 2 additions & 2 deletions charts/authentik/templates/server/ingress.yaml
Expand Up @@ -31,7 +31,7 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
- path: {{ tpl (toYaml $p) $ }}
pathType: {{ $pathType }}
backend:
service:
Expand All @@ -51,7 +51,7 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
- path: {{ tpl (toYaml $p) $ }}
pathType: {{ $pathType }}
backend:
service:
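Review bot: Both `- path:` lines YAML-encode the value before expanding it (`tpl (toYaml $p) $`), so the quoting `toYaml` picks is based on the unrendered template string and the rendered path is pasted in without re-escaping. Expanding first and quoting afterwards keeps the manifest well-formed whatever the path contains: `- path: {{ tpl $p $ | quote }}`. This assumes every entry in `$paths` is a string, which the values default suggests but these hunks do not show. The rule blocks around both lines start and end outside the hunks.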
11 changes: 7 additions & 4 deletions charts/authentik/values.yaml
Expand Up @@ -154,6 +154,9 @@ authentik:
geoip: /geoip/GeoLite2-City.mmdb
# -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled.
asn: /geoip/GeoLite2-ASN.mmdb
web:
# -- Relative path the authentik instance will be available at. Value _must_ contain both a leading and trailing slash.
path: /
email:
# -- SMTP Server emails are sent from, fully optional
host: ""
Expand Down Expand Up @@ -413,7 +416,7 @@ server:
timeoutSeconds: 1
## Probe configuration
httpGet:
path: /-/health/live/
path: "{{ .Values.authentik.web.path }}-/health/live/"
port: http

readinessProbe:
Expand All @@ -429,7 +432,7 @@ server:
timeoutSeconds: 1
## Probe configuration
httpGet:
path: /-/health/ready/
path: "{{ .Values.authentik.web.path }}-/health/ready/"
port: http

startupProbe:
Expand All @@ -445,7 +448,7 @@ server:
timeoutSeconds: 1
## Probe configuration
httpGet:
path: /-/health/live/
path: "{{ .Values.authentik.web.path }}-/health/live/"
port: http

# -- terminationGracePeriodSeconds for container lifecycle hook
Expand Down Expand Up @@ -579,7 +582,7 @@ server:

# -- List of ingress paths
paths:
- /
- "{{ .Values.authentik.web.path }}"
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- additional ingress paths
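Review bot: Nothing enforces the "leading and trailing slash" requirement stated in the comment on `authentik.web.path`, yet the three probe paths and the default ingress path are built by plain concatenation with it. A value such as `/auth` would yield `/auth-/health/live/`, so the probes would presumably fail and the pod never become ready; a value without a leading slash would give an ingress path the API server is likely to reject. A render-time guard in one of the chart templates would surface the mistake at install instead: `{{- if not (and (hasPrefix "/" .Values.authentik.web.path) (hasSuffix "/" .Values.authentik.web.path)) }}{{ fail "authentik.web.path must start and end with a slash" }}{{- end }}`.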
