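---
# Flux HelmRelease for authentik (identity provider).
# Secrets are not inlined here: the secret key and the PostgreSQL/Redis
# passwords are injected from the `authentik-secrets` Secret via envValueFrom
# below, so the commented-out `secret_key`/`password` values are intentionally
# unused.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik
  labels:
    # Quoted on purpose: a bare `yes` would be parsed as a boolean by
    # YAML 1.1 loaders, and label values must be strings.
    needsDatabase: "yes"
spec:
  interval: 5m
  chart:
    spec:
      chart: authentik
      # Quoted so the chart version is never reinterpreted as a number.
      version: "2023.3.1"
      sourceRef:
        kind: HelmRepository
        name: authentik-charts
        namespace: flux-system
  values:
    # Shared non-root security context, re-used by the worker and geoip
    # containers via the `*securityContext` alias below.
    containerSecurityContext: &securityContext
      runAsUser: 10000
      runAsGroup: 10000
      # NOTE(review): fsGroup and fsGroupChangePolicy are pod-level
      # (PodSecurityContext) fields, not container-level ones. If the chart
      # renders this map into a container `securityContext`, the API server
      # may drop or reject them and the volume group ownership would not be
      # applied — confirm against the chart template and move them to the
      # pod-level securityContext value if needed.
      fsGroup: 10000
      fsGroupChangePolicy: OnRootMismatch

    worker:
      containerSecurityContext: *securityContext

    geoip:
      containerSecurityContext: *securityContext

    authentik:
      # Provided via envValueFrom.AUTHENTIK_SECRET_KEY instead.
      # secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
      # This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in.
      # It is opted in here (enabled: true); stack traces leave the cluster.
      # log_level: debug
      error_reporting:
        enabled: true
        environment: "k3s"
      postgresql:
        host: "postgresql.database"
        name: "authentik"  # database name
        user: "authentik"
        # Provided via envValueFrom.AUTHENTIK_POSTGRESQL__PASSWORD instead.
        # password: "${SECRET_DATABASE_PGSQL_ADMIN_PASS}"
        # port: 5432
      redis:
        host: "redis-master.database"
        # Provided via envValueFrom.AUTHENTIK_REDIS__PASSWORD instead.
        # password: "${SECRET_DATABASE_REDIS_PASS}"

    env:
      # `${SECRET_NEW_DOMAIN}` is substituted by Flux at reconcile time;
      # the same host is aliased into the browser URL and the ingress below.
      AUTHENTIK_HOST: &host "auth.${SECRET_NEW_DOMAIN}"
      AUTHENTIK_HOST_BROWSER: *host

    # Secret material is read from the `authentik-secrets` Secret in the
    # release namespace rather than being rendered into the chart values.
    envValueFrom:
      AUTHENTIK_SECRET_KEY:
        secretKeyRef:
          key: authentikSecretKey
          name: authentik-secrets
      AUTHENTIK_POSTGRESQL__PASSWORD:
        secretKeyRef:
          key: pgsqlUserPassword
          name: authentik-secrets
      AUTHENTIK_REDIS__PASSWORD:
        secretKeyRef:
          key: redisUserPassword
          name: authentik-secrets

    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-production
        # Only the TLS entrypoint is bound; plain HTTP is not exposed here.
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - host: *host
          paths:
            - path: /
              pathType: Prefix
      tls:
        - hosts:
            - *host
          # Pre-existing wildcard certificate; cert-manager will not issue a
          # per-host certificate into this Secret unless it owns it.
          secretName: wildcard-main-tls

    monitoring:
      enabled: false  # temporarily disable monitoring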