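# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
#
# Flux HelmRelease for the authentik identity provider (chart 2024.10.5).
# NOTE(review): the document had been collapsed onto a single line, which
# made everything after the leading `#` a comment and the manifest unparseable;
# it is restored here as block YAML with the values unchanged.
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik
  labels:
    # Quoted on purpose: an unquoted `yes` would be parsed as a boolean.
    needsDatabase: "yes"
spec:
  interval: 5m
  chart:
    spec:
      chart: authentik
      version: 2024.10.5
      sourceRef:
        kind: HelmRepository
        name: authentik-charts
        namespace: flux-system
  # Only Redis is declared as a dependency; PostgreSQL is reached via
  # postgres16-rw.database.svc below. If that database is also managed by a
  # HelmRelease, consider listing it here so the first reconcile does not race.
  dependsOn:
    - name: redis
      namespace: database
  values:
    global:
      env:
        # Internal (cluster-local) URL; plain HTTP inside the cluster, so this
        # relies on the cluster network being trusted. Browser-facing URL below
        # is HTTPS via the ingress.
        - name: AUTHENTIK_HOST
          value: http://authentik-server.authentik.svc
        - name: AUTHENTIK_HOST_BROWSER
          value: "https://auth.${SECRET_NEW_DOMAIN}"
        # All credentials come from the `authentik-secrets` Secret, never from
        # this file. AUTHENTIK_SECRET_KEY signs sessions/cookies: rotating it
        # invalidates every active session.
        - name: AUTHENTIK_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: authentikSecretKey
              name: authentik-secrets
        - name: AUTHENTIK_POSTGRESQL__PASSWORD
          valueFrom:
            secretKeyRef:
              key: pgsqlUserPassword
              name: authentik-secrets
        - name: AUTHENTIK_REDIS__PASSWORD
          valueFrom:
            secretKeyRef:
              key: redisUserPassword
              name: authentik-secrets
    server:
      # NOTE(review): the hardened container security context is commented out,
      # so the server/worker/geoip containers run with the chart's defaults.
      # Re-enable once the chosen UID/GID is confirmed to work with the image.
      # containerSecurityContext: &securityContext
      #   runAsUser: 10000
      #   runAsGroup: 10000
      #   fsGroup: 10000
      #   fsGroupChangePolicy: OnRootMismatch
      ingress:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          # Bind to the TLS entrypoint only; no plain-HTTP router is created.
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
          - &host "auth.${SECRET_NEW_DOMAIN}"
        paths:
          - /
        pathType: Prefix
        tls:
          - hosts:
              - *host
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
          labels:
            release: kube-prometheus-stack
    prometheus:
      rules:
        enabled: true
    # worker:
    #   containerSecurityContext: *securityContext
    #
    # geoip:
    #   containerSecurityContext: *securityContext
    authentik:
      # NOTE(review): `debug` on an identity provider is verbose and may write
      # request/session details to the pod logs; prefer `info` outside of
      # active troubleshooting.
      log_level: debug
      # This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in.
      # NOTE(review): stack traces can carry request context; disable if that
      # is not acceptable for this deployment.
      error_reporting:
        enabled: true
        environment: "k3s"
      postgresql:
        host: "postgres16-rw.database.svc"
        name: "authentik"  # database name
        user: "authentik"
      redis:
        host: "redis-master.database"
      email:
        # In-cluster relay with no auth and no TLS; only acceptable because the
        # hop stays inside the cluster. Do not point this at an external MTA
        # without enabling use_tls/use_ssl and credentials.
        host: exim.default
        port: 8025
        username: ""
        password: ""
        use_tls: false
        use_ssl: false
        timeout: 30
        from: "karasu@${SECRET_NEW_DOMAIN}"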