k3s-cluster/cluster/apps/authentik/helm-release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik
  labels:
    needsDatabase: "yes"
spec:
  interval: 5m
  chart:
    spec:
      chart: authentik
      version: 2023.3.1
      sourceRef:
        kind: HelmRepository
        name: authentik-charts
        namespace: flux-system
  values:
    containerSecurityContext: &securityContext
      runAsUser: 10000
      runAsGroup: 10000
      fsGroup: 10000
      fsGroupChangePolicy: OnRootMismatch

    worker:
      containerSecurityContext: *securityContext

    geoip:
      containerSecurityContext: *securityContext

    authentik:
#      secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
      # This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in
      #log_level: debug
      error_reporting:
        enabled: true
        environment: "k3s"
      postgresql:
        host: "postgresql.database"
        name: "authentik" # database name
        user: "authentik"
#        password: "${SECRET_DATABASE_PGSQL_ADMIN_PASS}"
#        port: 5432
      redis:
        host: "redis-master.database"
#        password: "${SECRET_DATABASE_REDIS_PASS}"
    
#    prometheus:
#      serviceMonitor:
#        create: true
#        labels: 
#          release: kube-prometheus-stack
#      rules:
#        create: true
#        labels: 
#          release: kube-prometheus-stack

    env:
      AUTHENTIK_HOST: &host "auth.${SECRET_NEW_DOMAIN}"
      AUTHENTIK_HOST_BROWSER: *host
    
    envValueFrom:
      AUTHENTIK_SECRET_KEY:
        secretKeyRef:
          key: authentikSecretKey
          name: authentik-secrets
      AUTHENTIK_POSTGRESQL__PASSWORD:
        secretKeyRef:
          key: pgsqlUserPassword
          name: authentik-secrets
      AUTHENTIK_REDIS__PASSWORD:
        secretKeyRef:
          key: redisUserPassword
          name: authentik-secrets

    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-production
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - host: *host
          paths:
            - path: /
              pathType: Prefix
      tls:
        - hosts:
            - *host
          secretName: wildcard-main-tls

    monitoring:
      enabled: false # temporarily disable monitoring