Deploy Authentik LDAP & RADIUS Outposts Via Helm Chart
Hey guys, migrating your authentik setup to Kubernetes can be a bit of a journey, especially when you're dealing with things like LDAP and RADIUS outposts. It sounds like you've hit a couple of snags, particularly with image versions and storage migration. Let's break down how to tackle deploying LDAP and RADIUS outposts using the Helm chart, making sure everything stays in sync and plays nicely together.
Understanding the Challenge
First off, it's totally understandable why you're running into issues. When you move from a docker-compose setup to Kubernetes with Helm, the way services are managed changes quite a bit. You've correctly identified the core problem: keeping your LDAP and RADIUS outposts running the same version as your main authentik server and worker, without having to manually juggle image tags. Plus, the added complexity of migrating your media storage to Rook Ceph S3 is a beast on its own! Let's focus on the outposts for now, and we can always circle back to storage later.
Why Helm Charts are Your Friend
Helm charts are like package managers for Kubernetes. They allow you to define, install, and upgrade even the most complex Kubernetes applications. Think of them as a blueprint for your deployment. In this case, the authentik Helm chart should make deploying and managing your outposts much easier than writing a bunch of custom scripts. The goal here is to leverage the chart's capabilities to manage your LDAP and RADIUS services alongside the main application. The beauty of Helm is that it can help you avoid manual configuration and ensure consistency across your deployments. Using Helm effectively means you're less likely to run into version mismatches or configuration drift, which can be a real headache in the long run.
Enabling LDAP and RADIUS with the Authentik Helm Chart
Okay, let's dive into the solution. You mentioned that you couldn't find a way to enable RADIUS or LDAP with the Helm chart. That's the first thing we need to address. While the default chart might not have explicit toggles for these, it's designed to be flexible. The key is using the `extraDeployments` feature, which you've already started exploring!
Diving Deep into extraDeployments
The `extraDeployments` section in your `values.yaml` file is where you can define additional Kubernetes resources that the Helm chart will deploy. This is perfect for adding your LDAP and RADIUS outposts. The snippet you shared is a great starting point, but let's refine it to make sure it works seamlessly.
Here's what we'll do in detail:
- Leveraging the Helm Chart Values: The most important thing is to make sure your outpost deployments use the same image tag as the main authentik deployment. You're already on the right track with `{{ .Values.image.tag }}`, which tells Helm to pull the tag from the chart's configuration. This ensures version consistency.
- Correcting the `extraDeploy` Syntax: It looks like there might be a slight syntax issue in your snippet. The key `extraDeploy` should be `extraDeployments`.
- Defining the Service: You'll also need to define a Kubernetes Service to expose your LDAP and RADIUS deployments. Services provide a stable IP address and DNS name for your applications, making them accessible within your cluster.
- Secrets Management: You're using `secretKeyRef` to pull the `AUTHENTIK_TOKEN`, which is excellent for security. Make sure the `authentik-outpost-ldap` Secret exists in your Kubernetes cluster and contains the correct token.
- Consider annotations for pod management, especially when dealing with readiness and liveness probes.
Example Configuration for LDAP Outpost
Let's look at a complete example for the LDAP outpost, and then you can adapt it for RADIUS. This configuration will include the Deployment and the Service.
```yaml
extraDeployments:
  - |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: authentik-ldap
      namespace: authentik
      labels:
        app: authentik-ldap
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: authentik-ldap
      template:
        metadata:
          labels:
            app: authentik-ldap
        spec:
          containers:
            - name: ldap
              image: ghcr.io/goauthentik/outpost-ldap:{{ .Values.image.tag }}
              env:
                - name: AUTHENTIK_HOST
                  value: "https://authentik.example.com" # Replace with your authentik URL
                - name: AUTHENTIK_TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: authentik-outpost-ldap
                      key: token
              ports:
                - containerPort: 3389
                  name: ldap
              readinessProbe:
                tcpSocket:
                  port: ldap
                initialDelaySeconds: 5
                periodSeconds: 10
              livenessProbe:
                tcpSocket:
                  port: ldap
                initialDelaySeconds: 15
                periodSeconds: 20
  - |
    apiVersion: v1
    kind: Service
    metadata:
      name: authentik-ldap
      namespace: authentik
      labels:
        app: authentik-ldap
    spec:
      selector:
        app: authentik-ldap
      ports:
        - protocol: TCP
          port: 3389
          targetPort: 3389
      type: ClusterIP # Or LoadBalancer if you need external access
```
Key improvements and explanations:
- Labels: Added labels to both the Deployment and Service for better organization and selection.
- Readiness and Liveness Probes: These probes tell Kubernetes when your pod is ready to accept traffic and when it needs to be restarted. This improves the reliability of your deployment. The readiness probe checks if the LDAP port is open and ready to accept connections; the liveness probe does the same check, but is more sensitive to unhealthy process states, forcing a pod restart.
- Service Type: The example uses `ClusterIP`, which makes the service accessible only within the cluster. If you need to expose it externally, you might want to use `LoadBalancer` (if your cloud provider supports it) or `NodePort`.
Adapting for RADIUS
To deploy the RADIUS outpost, you'll follow the same pattern. Just duplicate the above configuration, replacing `ldap` with `radius` where appropriate. You'll need to adjust the image name (e.g., `ghcr.io/goauthentik/outpost-radius`), the port (usually 1812 and 1813 for RADIUS), and the Secret name (e.g., `authentik-outpost-radius`). One thing to watch when copying: RADIUS runs over UDP, so the container port and the Service port for the RADIUS outpost need `protocol: UDP` instead of the TCP used for LDAP, and a `tcpSocket` probe cannot check a UDP listener.
Applying the Configuration
- Update `values.yaml`: Add the `extraDeployments` section to your `values.yaml` file in your authentik Helm chart directory.
- Upgrade the Deployment: Run `helm upgrade --install authentik . -n authentik` (replace `authentik` with your release name and namespace if different). This command tells Helm to apply the changes defined in your `values.yaml`.
- Verify the Deployment: Check if your LDAP and RADIUS pods are running with `kubectl get pods -n authentik`. Also, verify that the Services are created with `kubectl get svc -n authentik`.
Debugging Tips
If things don't work right away (which is totally normal!), here are some tips for debugging:
- Check Pod Logs: Use `kubectl logs <pod-name> -n authentik` to see the logs from your outpost containers. This can often give you clues about what's going wrong.
- Describe the Pod: `kubectl describe pod <pod-name> -n authentik` will show you detailed information about the pod, including any events or errors.
- Helm History: `helm history authentik -n authentik` shows you the history of your Helm releases, which can be helpful for tracking changes and rollbacks.
- Kubernetes Events: Check events in the namespace using `kubectl get events -n authentik` to see if there are any issues reported by Kubernetes itself.
Staying in Sync: Image Tags and Updates
The real win here is that by using `{{ .Values.image.tag }}`, your outposts will automatically use the same image tag as your main authentik deployment. This means that when you upgrade your authentik chart, your outposts will be upgraded as well, keeping everything in sync. This is crucial for maintaining compatibility and avoiding unexpected issues. Always make sure to test updates in a staging environment before applying them to production, just to be safe!
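As an added example (not code from the original post or from the authentik project), here is a shell check for the "staying in sync" point: it compares the image tag of every Deployment in the namespace against the first one reported, so a drifted outpost shows up after an upgrade. The deployment names and version numbers in it are constructed sample data, and the `kubectl` command in the comment is what you would pipe in for a live check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: verify that every Deployment
# in the namespace runs the same image tag as the authentik server/worker.
# It parses the output shape of
#   kubectl get deploy -n authentik --no-headers \
#     -o custom-columns=NAME:.metadata.name,IMAGE:.spec.template.spec.containers[0].image
# The deployment names and version numbers below are constructed sample data.
set -euo pipefail

# Print the tag of an image reference: the part after the last ':' in the
# final path component, or "latest" when no tag is given. Splitting on the
# last '/' first keeps a registry port (registry.local:5000/img) from being
# mistaken for a tag.
image_tag() {
  local last="${1##*/}"
  case "$last" in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# Read "name image" lines on stdin; the first line sets the reference tag.
# Returns 0 when all tags match, 1 (plus one stderr line per offender) otherwise.
check_tags_in_sync() {
  local ref="" name image tag rc=0
  while read -r name image; do
    [ -n "${name}" ] || continue
    tag=$(image_tag "${image}")
    [ -n "${ref}" ] || ref="${tag}"
    if [ "${tag}" != "${ref}" ]; then
      echo "MISMATCH: ${name} runs ${tag}, expected ${ref}" >&2
      rc=1
    fi
  done
  return "${rc}"
}

# Constructed sample in the kubectl column format above (not real cluster output).
SAMPLE_OK='authentik-server ghcr.io/goauthentik/server:2024.2.2
authentik-worker ghcr.io/goauthentik/server:2024.2.2
authentik-ldap ghcr.io/goauthentik/outpost-ldap:2024.2.2'

# Stand-alone run; swap the printf for the kubectl command to check a live cluster.
printf '%s\n' "${SAMPLE_OK}" | check_tags_in_sync && echo "all deployments in sync"
```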
Addressing the Media Storage Migration
Okay, so we've covered the LDAP and RADIUS outposts. Let's briefly touch on your media storage migration to Rook Ceph S3. This is a separate challenge, but it's definitely solvable. The core issue is moving your existing media files from the local volume (`./media`) to your S3 bucket.
Here’s a general approach:
- Access the Volume: You'll need a way to access the files in your `./media` directory. If it's a local volume on your Kubernetes nodes, you might need to create a temporary pod that mounts the volume.
- S3 Credentials: Ensure your authentik deployment has the necessary credentials to access your Rook Ceph S3 bucket. This usually involves creating a Kubernetes Secret containing your S3 access key and secret key.
- Data Transfer: Use a tool like `rclone` or `aws s3 sync` to copy the files from the volume to your S3 bucket. These tools are designed for efficient data transfer to and from S3.
- Update Authentik Configuration: Configure authentik to use your S3 bucket for media storage. This typically involves setting environment variables or configuration options within your authentik deployment.
This process might involve some downtime, so plan accordingly. It's also a good idea to back up your data before starting the migration. This is a more involved process, and it might be worth exploring dedicated guides or seeking help from the authentik community or Kubernetes experts.
Conclusion: You've Got This!
Deploying LDAP and RADIUS outposts with the authentik Helm chart might seem daunting at first, but by leveraging the `extraDeployments` feature and understanding how Helm handles image tags, you can keep your deployments consistent and manageable. Remember to define your Deployments and Services, use readiness and liveness probes for reliability, and always verify your deployments after applying changes.
And remember, the Kubernetes world has a learning curve, so don't get discouraged if things don't work perfectly on the first try. The authentik community and the broader Kubernetes community are here to help. Happy deploying!