homelab/helm/values/authentik.values.yaml

global:
  addPrometheusAnnotations: true
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
  podLabels:
    app: authentik
  nodeSelector:
    nodepool: worker
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: authentik
  env:
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik-secret-key
          key: password
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp-token
          key: authentik-username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-token
          key: authentik-password
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp-token
          key: authentik-username
    - name: AUTHENTIK_EMAIL__USE_TLS
      value: "true"
    - name: AUTHENTIK_POSTGRESQL__SSLMODE
      value: verify-full
    - name: AUTHENTIK_POSTGRESQL__SSLROOTCERT
      value: "/opt/authentik/certs/ca.crt"
    - name: AUTHENTIK_POSTGRESQL__SSLCERT
      value: "/opt/authentik/certs/tls.crt"
    - name: AUTHENTIK_POSTGRESQL__SSLKEY
      value: "/opt/authentik/certs/tls.key"
    - name: AUTHENTIK_REDIS__PASSWORD
      valueFrom:
        secretKeyRef:
          name: valkey
          key: password
  volumes:
    - name: ssl-bundle
      projected:
        sources:
          - secret:
              name: authentik-client-cert
              items:
                - key: tls.crt
                  path: tls.crt
                - key: tls.key
                  path: tls.key
                  mode: 0600
          - secret:
              name: postgres-server-cert
              items:
                - key: ca.crt
                  path: ca.crt
  volumeMounts:
    - name: ssl-bundle
      mountPath: /opt/authentik/certs
      readOnly: true

authentik:
  error_reporting:
    enabled: false
  email:
    host: "smtp.protonmail.ch"
    port: 587
  postgresql:
    host: postgres-cluster-rw
    user: authentik
    name: authentik
  redis:
    host: valkey

server:
  replicas: 3
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: cloudflare-issuer
      cert-manager.io/acme-challenge-type: dns01
      cert-manager.io/private-key-size: "4096"
    ingressClassName: traefik
    hosts:
      - auth.dogar.dev
    tls:
      - secretName: authentik-tls
        hosts:
          - auth.dogar.dev

worker:
  replicas: 3
    
postgresql:
    enabled: false
redis:
    enabled: false