helm
Running authentik using ArgoCD raises a validation error - geoip
Scenario:
- A private repository exists from which Argo reads information about the application. Argo is installed on an Oracle VPS => Kubernetes. In my case I had one application, which reads other applications from a specific folder => apps. Definition:
project: default
source:
  repoURL: '[email protected]:<censored>'
  path: apps
  targetRevision: HEAD
  directory:
    recurse: true
    jsonnet: {}
destination:
  server: 'https://kubernetes.default.svc'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - Validate=true
    - PruneLast=true
    - RespectIgnoreDifferences=false
    - ApplyOutOfSyncOnly=false
    - ServerSideApply=true
    - Replace=false
  retry:
    limit: 3
    backoff:
      duration: 60s
      factor: 2
      maxDuration: 3m0s
- In apps I had a folder: authentik. That folder has several files, like: Chart.yaml
apiVersion: v2
name: goauthentik
description: An Umbrella Helm chart
type: application
version: 0.1.0
appVersion: "1.0"
dependencies:
  - name: authentik
    version: 2023.*
    repository: https://charts.goauthentik.io/
aplication.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    name: ''
    namespace: authentik
    server: 'https://kubernetes.default.svc'
  source:
    path: apps/authentik
    repoURL: '[email protected]:<censored>'
    targetRevision: HEAD
    helm:
      valueFiles:
        - values.yaml
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
values.yaml
replicas: 1
priorityClassName:
securityContext: {}
worker:
  replicas: 1
  priorityClassName:
  securityContext: {}
image:
  repository: ghcr.io/goauthentik/server
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
initContainers: {}
additionalContainers: {}
ingress:
  enabled: false
  ingressClassName: "traefik-ingress"
  annotations: {
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  }
  labels: {}
  hosts:
    - host: <censored my domain>
      paths:
        - path: "/"
          pathType: Prefix
  tls: []
annotations: {}
podAnnotations: {}
authentik:
  log_level: error
  secret_key: "<censored some value>"
  geoip: /geoip/GeoLite2-City.mmdb
  email:
    host: ""
    port: 587
    username: ""
    password: ""
    use_tls: false
    use_ssl: false
    timeout: 30
    from: ""
  outposts:
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    enabled: false
    environment: "k8s"
    send_pii: false
  redis:
    host: "{{ .Release.Name }}-redis-master"
    password: ""
blueprints: []
# secret, to avoid adding DB information here
envFrom:
  - secretRef:
      name: authentik-secret
envValueFrom: {}
service:
  enabled: true
  type: ClusterIP
  port: 80
  name: http
  protocol: TCP
  labels: {}
  annotations: {}
volumes: []
volumeMounts: []
affinity: {}
tolerations: []
nodeSelector: {}
resources:
  server: {}
  worker: {}
autoscaling:
  server:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
  worker:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
livenessProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10
startupProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  failureThreshold: 60
  periodSeconds: 5
readinessProbe:
  enabled: true
  httpGet:
    path: /-/health/ready/
    port: http
  periodSeconds: 10
serviceAccount:
  create: true
  annotations: {}
serviceAccountSecret:
  enabled: false
geoip:
  enabled: false
prometheus:
  serviceMonitor:
    create: false
    interval: 30s
    scrapeTimeout: 3s
    labels: {}
  rules:
    create: false
    labels: {}
postgresql:
  enabled: false
redis:
  enabled: true
Be aware that I added geoip in the main object, similar to what is described in these places: https://artifacthub.io/packages/helm/goauthentik/authentik https://github.com/goauthentik/helm/blob/main/charts/authentik/values.yaml
- Commit the changes and check whether Argo correctly runs authentik.
Reality: No, it finished with an error:
ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): `helm template . --name-template authentik --namespace authentik --kube-version 1.27 --values <path to cached source>/apps/authentik/values.yaml --api-versions admissionregistration.k8s.io/v1 --api-versions admissionregistration.k8s.io/v1/MutatingWebhookConfiguration --api-versions admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration --api-versions apiextensions.k8s.io/v1 --api-versions apiextensions.k8s.io/v1/CustomResourceDefinition --api-versions apiregistration.k8s.io/v1 --api-versions apiregistration.k8s.io/v1/APIService --api-versions apps/v1 --api-versions apps/v1/ControllerRevision --api-versions apps/v1/DaemonSet --api-versions apps/v1/Deployment --api-versions apps/v1/ReplicaSet --api-versions apps/v1/StatefulSet --api-versions argoproj.io/v1alpha1 --api-versions argoproj.io/v1alpha1/AppProject --api-versions argoproj.io/v1alpha1/Application --api-versions argoproj.io/v1alpha1/ApplicationSet --api-versions autoscaling/v1 --api-versions autoscaling/v1/HorizontalPodAutoscaler --api-versions autoscaling/v2 --api-versions autoscaling/v2/HorizontalPodAutoscaler --api-versions batch/v1 --api-versions batch/v1/CronJob --api-versions batch/v1/Job --api-versions bitnami.com/v1alpha1 --api-versions bitnami.com/v1alpha1/SealedSecret --api-versions certificates.k8s.io/v1 --api-versions certificates.k8s.io/v1/CertificateSigningRequest --api-versions coordination.k8s.io/v1 --api-versions coordination.k8s.io/v1/Lease --api-versions discovery.k8s.io/v1 --api-versions discovery.k8s.io/v1/EndpointSlice --api-versions events.k8s.io/v1 --api-versions events.k8s.io/v1/Event --api-versions flowcontrol.apiserver.k8s.io/v1beta2 --api-versions flowcontrol.apiserver.k8s.io/v1beta2/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta2/PriorityLevelConfiguration --api-versions 
flowcontrol.apiserver.k8s.io/v1beta3 --api-versions flowcontrol.apiserver.k8s.io/v1beta3/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta3/PriorityLevelConfiguration --api-versions helm.cattle.io/v1 --api-versions helm.cattle.io/v1/HelmChart --api-versions helm.cattle.io/v1/HelmChartConfig --api-versions k3s.cattle.io/v1 --api-versions k3s.cattle.io/v1/Addon --api-versions longhorn.io/v1beta1 --api-versions longhorn.io/v1beta1/BackingImage --api-versions longhorn.io/v1beta1/BackingImageDataSource --api-versions longhorn.io/v1beta1/BackingImageManager --api-versions longhorn.io/v1beta1/Backup --api-versions longhorn.io/v1beta1/BackupTarget --api-versions longhorn.io/v1beta1/BackupVolume --api-versions longhorn.io/v1beta1/Engine --api-versions longhorn.io/v1beta1/EngineImage --api-versions longhorn.io/v1beta1/InstanceManager --api-versions longhorn.io/v1beta1/Node --api-versions longhorn.io/v1beta1/RecurringJob --api-versions longhorn.io/v1beta1/Replica --api-versions longhorn.io/v1beta1/Setting --api-versions longhorn.io/v1beta1/ShareManager --api-versions longhorn.io/v1beta1/Volume --api-versions longhorn.io/v1beta2 --api-versions longhorn.io/v1beta2/BackingImage --api-versions longhorn.io/v1beta2/BackingImageDataSource --api-versions longhorn.io/v1beta2/BackingImageManager --api-versions longhorn.io/v1beta2/Backup --api-versions longhorn.io/v1beta2/BackupTarget --api-versions longhorn.io/v1beta2/BackupVolume --api-versions longhorn.io/v1beta2/Engine --api-versions longhorn.io/v1beta2/EngineImage --api-versions longhorn.io/v1beta2/InstanceManager --api-versions longhorn.io/v1beta2/Node --api-versions longhorn.io/v1beta2/Orphan --api-versions longhorn.io/v1beta2/RecurringJob --api-versions longhorn.io/v1beta2/Replica --api-versions longhorn.io/v1beta2/Setting --api-versions longhorn.io/v1beta2/ShareManager --api-versions longhorn.io/v1beta2/Snapshot --api-versions longhorn.io/v1beta2/SupportBundle --api-versions longhorn.io/v1beta2/SystemBackup 
--api-versions longhorn.io/v1beta2/SystemRestore --api-versions longhorn.io/v1beta2/Volume --api-versions longhorn.io/v1beta2/VolumeAttachment --api-versions metallb.io/v1alpha1 --api-versions metallb.io/v1alpha1/AddressPool --api-versions metallb.io/v1beta1 --api-versions metallb.io/v1beta1/AddressPool --api-versions metallb.io/v1beta1/BFDProfile --api-versions metallb.io/v1beta1/BGPAdvertisement --api-versions metallb.io/v1beta1/BGPPeer --api-versions metallb.io/v1beta1/Community --api-versions metallb.io/v1beta1/IPAddressPool --api-versions metallb.io/v1beta1/L2Advertisement --api-versions metallb.io/v1beta2 --api-versions metallb.io/v1beta2/BGPPeer --api-versions networking.k8s.io/v1 --api-versions networking.k8s.io/v1/Ingress --api-versions networking.k8s.io/v1/IngressClass --api-versions networking.k8s.io/v1/NetworkPolicy --api-versions node.k8s.io/v1 --api-versions node.k8s.io/v1/RuntimeClass --api-versions policy/v1 --api-versions policy/v1/PodDisruptionBudget --api-versions postgresql.cnpg.io/v1 --api-versions postgresql.cnpg.io/v1/Backup --api-versions postgresql.cnpg.io/v1/Cluster --api-versions postgresql.cnpg.io/v1/Pooler --api-versions postgresql.cnpg.io/v1/ScheduledBackup --api-versions rbac.authorization.k8s.io/v1 --api-versions rbac.authorization.k8s.io/v1/ClusterRole --api-versions rbac.authorization.k8s.io/v1/ClusterRoleBinding --api-versions rbac.authorization.k8s.io/v1/Role --api-versions rbac.authorization.k8s.io/v1/RoleBinding --api-versions scheduling.k8s.io/v1 --api-versions scheduling.k8s.io/v1/PriorityClass --api-versions storage.k8s.io/v1 --api-versions storage.k8s.io/v1/CSIDriver --api-versions storage.k8s.io/v1/CSINode --api-versions storage.k8s.io/v1/CSIStorageCapacity --api-versions storage.k8s.io/v1/StorageClass --api-versions storage.k8s.io/v1/VolumeAttachment --api-versions traefik.containo.us/v1alpha1 --api-versions traefik.containo.us/v1alpha1/IngressRoute --api-versions traefik.containo.us/v1alpha1/IngressRouteTCP 
--api-versions traefik.containo.us/v1alpha1/IngressRouteUDP --api-versions traefik.containo.us/v1alpha1/Middleware --api-versions traefik.containo.us/v1alpha1/MiddlewareTCP --api-versions traefik.containo.us/v1alpha1/ServersTransport --api-versions traefik.containo.us/v1alpha1/TLSOption --api-versions traefik.containo.us/v1alpha1/TLSStore --api-versions traefik.containo.us/v1alpha1/TraefikService --api-versions traefik.io/v1alpha1 --api-versions traefik.io/v1alpha1/IngressRoute --api-versions traefik.io/v1alpha1/IngressRouteTCP --api-versions traefik.io/v1alpha1/IngressRouteUDP --api-versions traefik.io/v1alpha1/Middleware --api-versions traefik.io/v1alpha1/MiddlewareTCP --api-versions traefik.io/v1alpha1/ServersTransport --api-versions traefik.io/v1alpha1/ServersTransportTCP --api-versions traefik.io/v1alpha1/TLSOption --api-versions traefik.io/v1alpha1/TLSStore --api-versions traefik.io/v1alpha1/TraefikService --api-versions v1 --api-versions v1/ConfigMap --api-versions v1/Endpoints --api-versions v1/Event --api-versions v1/LimitRange --api-versions v1/Namespace --api-versions v1/Node --api-versions v1/PersistentVolume --api-versions v1/PersistentVolumeClaim --api-versions v1/Pod --api-versions v1/PodTemplate --api-versions v1/ReplicationController --api-versions v1/ResourceQuota --api-versions v1/Secret --api-versions v1/Service --api-versions v1/ServiceAccount --include-crds` failed exit status 1: Error: template: goauthentik/charts/authentik/templates/worker-deployment.yaml:28:43: executing "goauthentik/charts/authentik/templates/worker-deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: goauthentik/charts/authentik/templates/secret.yaml:13:10: executing "goauthentik/charts/authentik/templates/secret.yaml" at <$.Values.geoip.enabled>: can't evaluate field enabled in type interface {} Use --debug flag to render out invalid YAML
It seems like the most important information is:
<include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: goauthentik/charts/authentik/templates/secret.yaml:13:10: executing "goauthentik/charts/authentik/templates/secret.yaml" at <$.Values.geoip.enabled>: can't evaluate field enabled in type interface {} Use --debug flag to render out invalid YAML
And as far as I understood, in this place: https://github.com/goauthentik/helm/blob/9faeb471a4be825b617443ffb3b2c1f9f8f14f51/charts/authentik/templates/secret.yaml#L12C1-L12C1 we add information from Values.authentik and include it in secret.yaml. In line 13 we try to read information from values; however, geoip is outside the authentik "object", and is that the reason why the error is raised?
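An added example, not part of the original post, that models how Helm hands an umbrella chart's values to a dependency: the subchart named in Chart.yaml sees only the top-level key of the same name (plus `global`), merged over its own defaults, and a scalar override sitting over a map default is kept as-is. The dict literals are constructed from the post's values.yaml and trimmed to the keys involved; the subchart defaults (`SUBCHART_DEFAULTS`) are an assumption about the authentik chart's shape, and `coalesce` is a simplified re-implementation of Helm's merge, not Helm's code.

```python
# Dependency name from the post's Chart.yaml; Helm scopes values by it.
DEPENDENCY_NAME = "authentik"

# Assumed subchart defaults for the two keys involved (shape of the chart's
# own values.yaml): `authentik.geoip` is a path, `geoip` is a map.
SUBCHART_DEFAULTS = {
    "authentik": {"geoip": "/geoip/GeoLite2-City.mmdb"},
    "geoip": {"enabled": False},
}

# Constructed: the umbrella values.yaml as posted, trimmed to relevant keys.
UMBRELLA_AS_POSTED = {
    "authentik": {"log_level": "error", "geoip": "/geoip/GeoLite2-City.mmdb"},
    "geoip": {"enabled": False},
}

# Constructed variant: the same settings nested under the dependency name.
UMBRELLA_NESTED = {
    "authentik": {
        "authentik": {"log_level": "error", "geoip": "/geoip/GeoLite2-City.mmdb"},
        "geoip": {"enabled": False},
    }
}

def coalesce(override: dict, defaults: dict) -> dict:
    """Helm-style merge: override wins, only map-into-map recurses.
    A scalar override sitting over a map default is kept (Helm just warns)."""
    out = dict(override)
    for key, dval in defaults.items():
        if key not in out:
            out[key] = dval
        elif isinstance(dval, dict) and isinstance(out[key], dict):
            out[key] = coalesce(out[key], dval)
    return out

def subchart_values(umbrella: dict, dep_name: str, defaults: dict) -> dict:
    """What `.Values` resolves to inside the dependency named dep_name:
    umbrella[dep_name] plus umbrella["global"], merged over the defaults."""
    scoped = dict(umbrella.get(dep_name, {}))
    if "global" in umbrella:
        scoped["global"] = umbrella["global"]
    return coalesce(scoped, defaults)

def geoip_enabled_resolvable(values: dict) -> bool:
    """True iff secret.yaml's `$.Values.geoip.enabled` can be evaluated."""
    geoip = values.get("geoip")
    return isinstance(geoip, dict) and "enabled" in geoip
```

Running `subchart_values` on the two layouts shows the subchart's `.Values.geoip` becoming the mmdb path string in the first case (the shape behind "can't evaluate field enabled in type interface {}") and the expected `{"enabled": False}` map in the second.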