feat(charts/authentik): Support Service accounts for authentik

This will allow the use of container secret intrfaces
goauthentik · Jan 25, 2025 · e95beba · e95beba
1 parent 8a22991
commit e95beba
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 9 deletions.
diff --git a/charts/authentik/templates/server/deployment.yaml b/charts/authentik/templates/server/deployment.yaml
@@ -38,13 +38,21 @@ spec:
         {{- end }}
         {{- end }}
     spec:
+      {{- if .Values.server.serviceAccount.create }}
+      {{- if .Values.server.serviceAccount.name }}
+      serviceAccountName: {{ .Values.server.serviceAccount.name }}
+      {{- else }}
+      serviceAccountName: {{ template "authentik.server.fullname" . }}
+      {{- end }}      
+      {{- else }}      
       {{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}            
       {{- with .Values.server.serviceAccountName }}
       serviceAccountName: {{ . }}
       {{- end }}
+      {{- end }}
       {{- with .Values.global.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/authentik/templates/server/serviceaccount.yaml b/charts/authentik/templates/server/serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.server.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- if .Values.server.serviceAccount.name }}
+  name: {{ .Values.server.serviceAccount.name }}
+  {{- else }}
+  name: {{ template "authentik.server.fullname" . }}
+  {{- end }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+    {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.worker.podLabels) }}
+        {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.server.serviceAccount.labels }}
+  {{- toYaml .Values.server.serviceAccount.labels | nindent 4 }}
+  {{- end }}
+  {{- if .Values.server.serviceAccount.annotations }}
+  annotations:
+    {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+    {{- end }}
+{{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}    
+{{- end }}
diff --git a/charts/authentik/templates/worker/deployment.yaml b/charts/authentik/templates/worker/deployment.yaml
@@ -38,15 +38,19 @@ spec:
         {{- end }}
         {{- end }}
     spec:
+      {{- if .Values.worker.serviceAccount.create }}
+      {{- if .Values.worker.serviceAccount.name }}
+      serviceAccountName: {{ .Values.worker.serviceAccount.name }}
+      {{- else }}
+      serviceAccountName: {{ template "authentik.server.fullname" . }}
+      {{- end }}      
+      {{- else }}      
       {{- with .Values.worker.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.worker.serviceAccountName }}
+      {{- end }}            
+      {{- with .Values.server.serviceAccountName }}
       serviceAccountName: {{ . }}
-      {{- else }}
-      {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }}
       {{- end }}
       {{- end }}
       {{- with .Values.global.hostAliases }}

diff --git a/charts/authentik/templates/worker/serviceaccount.yaml b/charts/authentik/templates/worker/serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.worker.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- if .Values.worker.serviceAccount.name }}
+    name: {{ .Values.worker.serviceAccount.name }}
+  {{- else }}
+    name: {{ template "authentik.server.fullname" . }}
+  {{- end }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }}
+    {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.worker.podLabels) }}
+        {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.worker.serviceAccount.labels }}
+  {{- toYaml .Values.worker.serviceAccount.labels | nindent 4 }}
+  {{- end }}
+  {{- if .Values.worker.serviceAccount.annotations }}
+  annotations:
+    {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+    {{- end }}
+{{- with .Values.worker.imagePullSecrets | default .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}    
+{{- end }}
diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml
@@ -378,9 +378,15 @@ server:
   # -- Alternative DNS policy for authentik server pods
   dnsPolicy: ""
 
-  # -- serviceAccount to use for authentik server pods
+  # -- serviceAccount to use for authentik server pods used when serviceAccount.create is false
   serviceAccountName: ~
-
+  serviceAccount:
+    create: true
+    # -- serviceAccount name if not provided will be generated using the fullname template
+    name:
+    labels: {}
+    annotations: {}
+
   # -- authentik server pod-level security context
   # @default -- `{}` (See [values.yaml])
   securityContext: {}
@@ -757,8 +763,14 @@ worker:
   # -- Alternative DNS policy for authentik worker pods
   dnsPolicy: ""
 
-  # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
+  # -- serviceAccount to use for authentik server pods used when serviceAccount.create is false
   serviceAccountName: ~
+  serviceAccount:
+    create: true
+    # -- serviceAccount name if not provided will be generated using the fullname template
+    name:
+    labels: {}
+    annotations: {}
 
   # -- authentik worker pod-level security context
   # @default -- `{}` (See [values.yaml])