diff --git a/cluster/apps/authentik/helm-release.yaml b/cluster/apps/authentik/helm-release.yaml
new file mode 100644
index 0000000..f05fd79
--- /dev/null
+++ b/cluster/apps/authentik/helm-release.yaml
@@ -0,0 +1,38 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: authentik-master
+ namespace: authentik
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: authentik
+ version: 2023.3.1
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ values:
+ authentik:
+ secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
+ # This sends anonymous usage-data, stack traces on errors and
+ # performance data to sentry.beryju.org, and is fully opt-in
+ error_reporting:
+ enabled: true
+ postgresql:
+ host: "postgresql.database"
+ name: "authentik"
+ user: k3spostgresql
+ password: "${SECRET_DATABASE_PGSQL_USER_PASS}"
+ redis:
+ host: "redis-master.database"
+ password: "${SECRET_DATABASE_REDIS_PASS}"
+
+ ingress:
+ enabled: true
+ hosts:
+ - host: k3sauth.***REMOVED***
+ paths:
+ - path: "/"
+ pathType: Prefix
\ No newline at end of file
diff --git a/cluster/apps/authentik/helm-repository.yaml b/cluster/apps/authentik/helm-repository.yaml
new file mode 100644
index 0000000..f43f288
--- /dev/null
+++ b/cluster/apps/authentik/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: authentik-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://charts.goauthentik.io
diff --git a/cluster/apps/authentik/kustomization.yaml b/cluster/apps/authentik/kustomization.yaml
new file mode 100644
index 0000000..edebbb5
--- /dev/null
+++ b/cluster/apps/authentik/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
+- ./network_policy.yaml
+- ./traefik-middleware.yaml
\ No newline at end of file
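Review bot: The `ingress` block at the end of the helm-release.yaml hunk has no `tls:` entry, so unless Traefik forces HTTPS at the entrypoint (not visible from this diff) the authentik login form and session cookie for `k3sauth.***REMOVED***` are reachable over plain HTTP. Adding `tls:` with `- secretName: <tls-secret-name placeholder>` and `hosts: [k3sauth.***REMOVED***]` under `ingress`, or a comment stating where TLS is terminated, would make the exposure explicit. Separately, `error_reporting.enabled: true` opts this identity provider into sending stack traces and performance data to the external endpoint named in the comment above it; for a component that handles credentials and sessions that is a deliberate data-sharing decision, so either record it in the comment (`# opted in on purpose: <reason>`) or set it to `false`. The credential values themselves look right: all three come from Flux substitutions rather than literals, and `version: 2023.3.1` parses as a string because it has two dots.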
diff --git a/cluster/apps/authentik/namespace.yaml b/cluster/apps/authentik/namespace.yaml
new file mode 100644
index 0000000..a6b2e67
--- /dev/null
+++ b/cluster/apps/authentik/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
+ labels:
+ name: authentik
\ No newline at end of file
diff --git a/cluster/apps/authentik/network_policy.yaml b/cluster/apps/authentik/network_policy.yaml
new file mode 100644
index 0000000..b9bad9a
--- /dev/null
+++ b/cluster/apps/authentik/network_policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-most-allow-some
+ namespace: authentik
+spec:
+ # Apply to all pods in this namespace
+ podSelector: {}
+ ingress:
+ - from:
+ # Allow all pods in this namespace
+ - namespaceSelector:
+ matchLabels:
+ name: "authentik"
+# - podSelector: {}
+
+ # Allow traefik pods
+ - namespaceSelector:
+ matchLabels:
+ name: "traefik"
+
+ # Not sure if this is required, but just to make sure
+ - namespaceSelector:
+ matchLabels:
+ name: "database"
+
+ # Allow all pods with this label
+ - podSelector:
+ matchLabels:
+ needsAuthentik: "yes"
\ No newline at end of file
diff --git a/cluster/apps/authentik/traefik-middleware.yaml b/cluster/apps/authentik/traefik-middleware.yaml
new file mode 100644
index 0000000..93318f6
--- /dev/null
+++ b/cluster/apps/authentik/traefik-middleware.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik
+ namespace: traefik
+spec:
+ forwardauth:
+ address: http://authentik-master.authentik:80/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders: "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
\ No newline at end of file
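Review bot: The last `from` entry in network_policy.yaml (`- podSelector:` with `needsAuthentik: "yes"`) does not do what its comment says: a `podSelector` with no sibling `namespaceSelector` only matches pods in the policy's own namespace, `authentik`, which the first rule already admits in full, so labelled pods in any other namespace remain blocked. To admit them from every namespace, pair the two selectors in one element: `- namespaceSelector: {}` followed at the same indent by `podSelector: {matchLabels: {needsAuthentik: "yes"}}`. The `traefik` and `database` rules key on a hand-applied `name` label on those namespaces, which this diff cannot confirm exists; the automatically set `kubernetes.io/metadata.name` label is the more reliable selector. The `database` rule is also likely unnecessary, since an ingress rule only governs who may open connections to authentik pods and the common CNI implementations are connection-tracked, so replies from postgres and redis already flow back over the connection authentik opened; dropping it keeps "deny-most" tight, and the column-0 `# - podSelector: {}` looks like a leftover worth removing.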
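Review bot: In traefik-middleware.yaml, `authResponseHeaders` is written as one comma-joined string, but the Traefik Middleware CRD declares it as a list of header names, so the API server's schema validation should reject the object on apply — and if it did get through, no identity headers would reach the protected backend. The spec key is also written `forwardauth`, whereas the CRD documents it as `forwardAuth`; CRD field names are case-sensitive, so the lowercase key is likely pruned as unknown, leaving a middleware with an empty spec that enforces nothing — worth confirming with `kubectl apply --dry-run=server` before relying on it. Both fixes are in the fence below. `trustForwardHeader: true` is appropriate only if Traefik is the first proxy clients reach; if anything sits in front of it, the forwarded headers it passes to authentik are client-controlled.
```yaml
spec:
  forwardAuth:
    address: http://authentik-master.authentik:80/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
```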
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index 7f63deb..f952cbb 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./database
+- ./authentik
 - ./media
 - ./download
\ No newline at end of file