authentik is an open-source Identity Provider focused on flexibility and versatility
Breaking changes
The vendored Bitnami PostgreSQL and Redis Helm charts have been removed and now use upstream versions.
The PostgreSQL Helm chart has been updated from 10.16.2 to 12.12.10. The full diff is here but is quite large. We recommend checking out the upstream release notes for the 11.x.x and 12.x.x upgrades. Among the changes you may be required to do, the postgresql.persistence key has been renamed to postgresql.primary.persistence, postgresql.postgresqlPassword to postgresql.auth.password, postgresql.existingSecret to postgresql.auth.existingSecret. Note that this update does not change the major version of PostgreSQL, so no manual intervention is required on that side.
The Redis Helm chart has been updated from 15.7.6 to 18.6.1. The full diff is here but is quite large. We recommend checking out the upstream release notes for the 16.x.x, 17.x.x and 18.x.x upgrades. If you do not have any custom values, no action is required. Not that this upgrades the major Redis version from 6 to 7, and thus no rollback is possible.
Ingress versions before networking.k8s.io/v1 are not supported anymore.
blueprints has been renamed to blueprints.configMaps and blueprints.secrets has been added to import blueprints from secrets.
image has been renamed to global.image, and can now be overridden for the server and worker with server.image and worker.image.
image.pullSecrets has been renamed to global.imagePullSecrets, and can now be overridden for the server and worker with server.imagePullSecrets and worker.imagePullSecrets.
annotations has been renamed global.deploymentAnnotations, and additional annotations can now be configured for only the server or worker with server.deploymentAnnotations and worker.deploymentAnnotations.
podAnnotations has been renamed global.podAnnotations, and additional annotations can now be configured for only the server or worker with server.podAnnotations and worker.podAnnotations.
nodeSelector has been renamed to global.nodeSelector, and can now be overridden for the server and worker with server.nodeSelector and worker.nodeSelector.
tolerations has been renamed to global.tolerations, and can now be overridden for the server and worker with server.tolerations and worker.tolerations.
affinity has been removed and replaced by the reworked global.affinity which pre-sets affinity rules. It is possible override those rules for the server and worker with server.affinity and worker.affinity.
env, envValueFrom and envFrom have been removed and replaced by global.env and global.envFrom. global.env now puts the configured list directly into the deployment, without modifications as the previous setting used to do. It is now also possible to pass environment variables to only the server or worker with server.env, worker.env, server.envFrom and worker.envFrom.
additionalContainers has been removed and replaced by server.extraContainers and worker.extraContainers. The previous dictionary must now be a list and name is a required property.
initContainers has been removed and replaced by server.initContainers and worker.initContainers. The previous dictionary must now be a list and name is a required property.
volumes and volumeMounts have been renamed to global.volumes and global.volumeMounts. Additionally, server.volumes, worker.volumes, server.volumeMounts and worker.volumeMounts have been added.
replicas has been renamed to server.replicas.
strategy has been renamed to server.deploymentStrategy. worker.strategy has been renamed to worker.deploymentStrategy. global.deploymentStrategy has been added to configure deployment strategy for all authentik deployments.
priorityClassName has been renamed to server.priorityClassName. Also, server.priorityClassName and worker.priorityClassName can be used with global.priorityClassName.
containerSecurityContext has been renamed to server.containerSecurityContext.
livenessProbe, readinessProbe and startupProbe have been renamed to server.livenessProbe, server.readinessProbe and server.startupProbe. Additionally, the enabled option of those has been removed. If you need to disable those, you can do server.readinessProbe: ~ in your values. Also, some defaults have been reworked.
autoscaling.server has been renamed to server.autoscaling and autoscaling.worker has been renamed to worker.autoscaling.
pdb.server has been renamed to server.pdb and pdb.worker has been renamed to worker.pdb.
resources.server has been renamed to server.resources and resources.worker has been renamed to worker.resources.
service has been renamed server.service. Inside the service definition, port has been renamed servicePortHttp, nodePort has been renamed nodePortHttp, name has been renamed to servicePortHttpName, protocol has been removed. A lot of options have been added to customize it.
prometheus.serviceMonitor has been renamed to server.metrics.serviceMonitor. Inside the service monitor definition, create has been renamed to enabled.
prometheus.rules.create has been renamed to prometheus.rules.enabled. Additional options have also been added for more configurability.
ingress has been renamed to server.ingress. Additionally, the hosts key has been replaced by a list of hosts and paths, instead of a stand-in for an ingress definition. Additional keys are now also available for more configurability.
The geoip.image has been broken up into a dictionary following the other images definitions.
The GeoIP image repository has been changed from docker.io/maxmindinc/geoipupdate to ghcr.io/maxmind/geoipupdate. The image version has been ugpraded from 4.8 to 6.0.0
New features
global.additionalLabels has been added for labels to be applied to all resources.
Add global.revisionHistoryLimit for the number of deployment ReplicaSets to retain.
global.podLabels, server.podLabels and worker.podLabels have been added to configure extra labels to add the the deployed pods.
global.addPrometheusAnnotations allows for Prometheus annotations to be added to metrics services. This can be used as an alternative to the ServiceMonitors.
global.securityContext has been added to define pod-level security context for all deployed pods.
global.topologySpreadConstraints has been added to define topology spread constraints rules for all components.
The autoscaling configuration has gained some more configurability. Check out the values.yaml for more information.
server.terminationGracePeriodSeconds has been added and is set to a value of 30 by default.
Add the ability to use an existing secret for GeoIP credentials with geoip.existingSecret.
additionalObjects has been added to allow deploying other Kubernetes objects.
What's Changed
Full Changelog: authentik-2024.2.0-rc2...authentik-2024.2.0