diff --git a/charts/authentik/README.md b/charts/authentik/README.md
index 3122dfd..c9ef88a 100644
--- a/charts/authentik/README.md
+++ b/charts/authentik/README.md
@@ -281,6 +281,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | server.service.sessionAffinity | string | `""` | Used to maintain session affinity. Supports `ClientIP` and `None` |
 | server.service.sessionAffinityConfig | object | `{}` | Session affinity configuration |
 | server.service.type | string | `"ClusterIP"` | authentik server service type |
+| server.serviceAccountName | string | `nil` | serviceAccount to use for authentik server pods |
 | server.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
 | server.startupProbe.httpGet.path | string | `"/-/health/live/"` | |
 | server.startupProbe.httpGet.port | string | `"http"` | | |
@@ -348,6 +349,7 @@ The secret `authentik-postgres-credentials` must have `username` and `password`
 | worker.replicas | int | `1` | The number of worker pods to run |
 | worker.resources | object | `{}` | Resource limits and requests for the authentik worker |
 | worker.securityContext | object | `{}` (See [values.yaml]) | authentik worker pod-level security context |
+| worker.serviceAccountName | string | `nil` | serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true |
 | worker.startupProbe.exec.command[0] | string | `"ak"` | |
 | worker.startupProbe.exec.command[1] | string | `"healthcheck"` | |
 | worker.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
diff --git a/charts/authentik/templates/server/deployment.yaml b/charts/authentik/templates/server/deployment.yaml
index daf45b6..f322bba 100644
--- a/charts/authentik/templates/server/deployment.yaml
+++ b/charts/authentik/templates/server/deployment.yaml
@@ -42,6 +42,9 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.server.serviceAccountName }}
+ serviceAccountName: {{ . }}
+ {{- end }}
 {{- with .Values.global.hostAliases }}
 hostAliases:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/authentik/templates/worker/deployment.yaml b/charts/authentik/templates/worker/deployment.yaml
index aa6352c..b4a1537 100644
--- a/charts/authentik/templates/worker/deployment.yaml
+++ b/charts/authentik/templates/worker/deployment.yaml
@@ -42,9 +42,13 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.worker.serviceAccountName }}
+ serviceAccountName: {{ . }}
+ {{- else }}
 {{- if .Values.serviceAccount.create }}
 serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }}
 {{- end }}
+ {{- end }}
 {{- with .Values.global.hostAliases }}
 hostAliases:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml
index b19ba01..18abe2e 100644
--- a/charts/authentik/values.yaml
+++ b/charts/authentik/values.yaml
@@ -370,6 +370,9 @@ server:
 # -- Alternative DNS policy for authentik server pods
 dnsPolicy: ""
+ # -- serviceAccount to use for authentik server pods
+ serviceAccountName: ~
+
 # -- authentik server pod-level security context
 # @default -- `{}` (See [values.yaml])
 securityContext: {}
@@ -746,6 +749,9 @@ worker:
 # -- Alternative DNS policy for authentik worker pods
 dnsPolicy: ""
+ # -- serviceAccount to use for authentik worker pods. If set, overrides the value used when serviceAccount.create is true
+ serviceAccountName: ~
+
 # -- authentik worker pod-level security context
 # @default -- `{}` (See [values.yaml])
 securityContext: {}
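Review bot: The added `serviceAccountName: {{ . }}` in the server deployment renders the value unquoted, so a name that YAML reads as a number or boolean (a constructed example: `"1234"`) is emitted as a non-string and the Deployment fails API validation; `serviceAccountName: {{ . | quote }}` keeps it a string. The identical line added in the worker deployment hunk has the same form. The pod spec this sits in starts and ends outside the hunk.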
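Review bot: In the worker deployment, a set `worker.serviceAccountName` takes the `with` branch even when `serviceAccount.create` is true, so the worker stops referencing the chart-created account. The hunk does not show whether the subchart still renders that account and its role bindings, but if it does they remain in the cluster bound to an identity no pod uses. The named account is neither created nor checked by the template, so its RBAC is entirely the operator's responsibility. I would add a template comment above the block, `{{- /* worker.serviceAccountName wins over the chart-created account; the chart grants it no permissions */}}`, and say the same in the values description.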
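Review bot: The comment added for `server.serviceAccountName` in values.yaml leaves out what the default `~` means: the server template then emits no `serviceAccountName`, so the pods run as the namespace's `default` service account, and unlike the worker there is no fallback to the chart-created one. Suggested wording: `# -- serviceAccount to use for authentik server pods. Must already exist; the chart does not create it. When unset, the namespace default serviceAccount is used`. It is also worth stating there that pointing the server at the worker's account gives the server pods whatever cluster permissions that account carries.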