feat(charts/authentik): add blueprints-sidecar to collect from cluster

Author: genofire

charts/authentik/templates/deployment.yaml

@@ -94,6 +94,10 @@ spec:
             - name: geoip-db
               mountPath: /geoip
           {{- end }}
+            {{- if $.Values.sidecar.blueprints.enabled }}
+            - name: sidecar-blueprints
+              mountPath: /blueprints/sidecar
+            {{- end }}
             {{- with $.Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -151,6 +155,34 @@ spec:
             - name: geoip-db
               mountPath: /usr/share/GeoIP
       {{- end }}
+        {{- with $.Values.sidecar.blueprints }}
+        {{- if .enabled }}
+        - name: sidecar-blueprints
+          image: "{{ .image.repository }}:{{ .image.tag }}"
+          env:
+            - name: "FOLDER"
+              value: "/blueprints/sidecar"
+            - name: "LABEL"
+              value: "goauthentik_blueprint"
+            - name: "LABEL_VALUE"
+              value: "1"
+            {{- with .namespace }}
+            - name: "NAMESPACE"
+              value: "{{ . }}"
+            {{- end }}
+            {{- with .resource }}
+            - name: "RESOURCE"
+              value: "{{ . }}"
+            {{- end }}
+            {{- with .uniqueFilenames }}
+            - name: "UNIQUE_FILENAMES"
+              value: "{{ . }}"
+            {{- end }}
+          volumeMounts:
+            - name: sidecar-blueprints
+              mountPath: /blueprints/sidecar
+        {{- end }}
+        {{- end }}
       {{- with $.Values.additionalContainers }}
         {{- $additionalContainers := list }}
         {{- range $name, $container := . }}
@@ -166,6 +198,10 @@ spec:
         - name: geoip-db
           emptyDir: {}
       {{- end }}
+      {{- if $.Values.sidecar.blueprints.enabled }}
+        - name: sidecar-blueprints
+          emptyDir: {}
+      {{- end }}
       {{- with $.Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/authentik/templates/service-account.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.serviceAccount.create }}
+
+{{ include "common.serviceAccount" . }}
+
+{{- if .Values.sidecar.blueprints.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "common.names.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps", "secrets"]
+  verbs: ["get", "watch", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "common.names.fullname" . }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "common.names.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

charts/authentik/values.yaml

@@ -182,6 +182,16 @@ prometheus:
     # -- labels additional on PrometheusRule
     labels: {}
 
+sidecar:
+  blueprints:
+    enabled: false
+    image:
+      repository: "ghcr.io/kiwigrid/k8s-sidecar"
+      tag: "1.23.0"
+    namespace: ""
+    resource: "both"
+    uniqueFilenames: true
+
 geoip:
   # -- optional GeoIP, deploys a cronjob to download the maxmind database
   enabled: false