# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik
  labels:
    needsDatabase: "yes"
spec:
  interval: 5m
  chart:
    spec:
      chart: authentik
      version: 2024.10.4
      sourceRef:
        kind: HelmRepository
        name: authentik-charts
        namespace: flux-system
  dependsOn:
  - name: redis
    namespace: database
  values:
    global:
      env:
        - name: AUTHENTIK_HOST
          value: http://authentik-server.authentik.svc
        - name: AUTHENTIK_HOST_BROWSER
          value: "https://auth.${SECRET_NEW_DOMAIN}"
        - name: AUTHENTIK_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: authentikSecretKey
              name: authentik-secrets
        - name: AUTHENTIK_POSTGRESQL__PASSWORD
          valueFrom:
            secretKeyRef:
              key: pgsqlUserPassword
              name: authentik-secrets
        - name: AUTHENTIK_REDIS__PASSWORD
          valueFrom:
            secretKeyRef:
              key: redisUserPassword
              name: authentik-secrets
      
    server:
#      containerSecurityContext: &securityContext
#        runAsUser: 10000
#        runAsGroup: 10000
#        fsGroup: 10000
#        fsGroupChangePolicy: OnRootMismatch

      ingress:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
          - &host "auth.${SECRET_NEW_DOMAIN}"
        paths:
          - /
        pathType: Prefix
        tls:
          - hosts:
              - *host

      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
          labels:
            release: kube-prometheus-stack

    prometheus:
      rules:
        enabled: true

#    worker:
#      containerSecurityContext: *securityContext
#
#    geoip:
#      containerSecurityContext: *securityContext

    authentik:
      # This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in
      log_level: debug
      error_reporting:
        enabled: true
        environment: "k3s"
      postgresql:
        host: "postgres16-rw.database.svc"
        name: "authentik" # database name
        user: "authentik"
      redis:
        host: "redis-master.database"

      email:
        host: exim.default
        port: 8025
        username: ""
        password: ""
        use_tls: false
        use_ssl: false
        timeout: 30
        from: karasu@${SECRET_NEW_DOMAIN}