2023-10-15 13:43:33 +00:00
apiVersion : helm.toolkit.fluxcd.io/v2beta1
kind : HelmRelease
metadata :
name : authentik
namespace : authentik-ns
annotations :
force-recreate : true
spec :
chart :
spec :
chart : authentik
sourceRef :
kind : HelmRepository
name : authentik
namespace : flux-system
2023-12-03 02:51:04 +00:00
interval : 15m0s
2023-10-15 13:43:33 +00:00
timeout : 5m
releaseName : authentik
values :
# -- Server replicas
replicas : 1
# -- Custom priority class for different treatment by the scheduler
priorityClassName :
# -- server securityContext
securityContext : {}
# -- server containerSecurityContext
containerSecurityContext : {}
worker :
# -- worker replicas
replicas : 1
# -- Custom priority class for different treatment by the scheduler
priorityClassName :
# -- worker securityContext
securityContext : {}
# -- server containerSecurityContext
containerSecurityContext : {}
image :
repository : ghcr.io/goauthentik/server
2024-01-30 00:03:12 +00:00
tag : 2023.10 .7
2023-12-03 02:51:04 +00:00
#tag: latest
2023-10-15 13:43:33 +00:00
# -- optional container image digest
digest : ""
pullPolicy : IfNotPresent
pullSecrets : [ ]
# -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used
initContainers : {}
# -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used.
additionalContainers : {}
ingress :
enabled : false
ingressClassName : ""
annotations : {}
labels : {}
hosts :
- host : authentik.domain.tld
paths :
- path : "/"
pathType : Prefix
tls : [ ]
# -- Annotations to add to the server and worker deployments
annotations : {}
# -- Annotations to add to the server and worker pods
podAnnotations : {}
authentik :
# -- Log level for server and worker
log_level : info
# -- Secret key used for cookie singing and unique user IDs,
# don't change this after the first install
#secret_key: ""
# -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
geoip : /geoip/GeoLite2-City.mmdb
email :
# -- SMTP Server emails are sent from, fully optional
host : ""
port : 587
# -- SMTP credentials, when left empty, not authentication will be done
username : ""
# -- SMTP credentials, when left empty, not authentication will be done
password : ""
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
use_tls : false
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
use_ssl : false
# -- Connection timeout
timeout : 30
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
from : ""
outposts :
# -- Template used for managed outposts. The following placeholders can be used
# %(type)s - the type of the outpost
# %(version)s - version of your authentik install
# %(build_hash)s - only for beta versions, the build hash of the image
container_image_base : ghcr.io/goauthentik/%(type)s:%(version)s
error_reporting :
# -- This sends anonymous usage-data, stack traces on errors and
# performance data to sentry.beryju.org, and is fully opt-in
enabled : false
# -- This is a string that is sent to sentry with your error reports
environment : "k8s"
# -- Send PII (Personally identifiable information) data to sentry
send_pii : false
postgresql :
# -- set the postgresql hostname to talk to
# if unset and .Values.postgresql.enabled == true, will generate the default
# @default -- `{{ .Release.Name }}-postgresql`
2023-10-15 13:47:42 +00:00
host : "postgresql.postgresql-system.svc.cluster.local"
2023-10-15 13:43:33 +00:00
# -- postgresql Database name
# @default -- `authentik`
name : "authentik"
# -- postgresql Username
# @default -- `authentik`
user : "authentik"
#password: ""
port : 5432
redis :
# -- set the redis hostname to talk to
# @default -- `{{ .Release.Name }}-redis-master`
2023-10-15 13:50:40 +00:00
host : "redis-master.redis-system.svc.cluster.local"
2023-10-15 13:43:33 +00:00
#password: ""
# -- List of config maps to mount blueprints from. Only keys in the
# configmap ending with ".yaml" wil be discovered and applied
blueprints : [ ]
# -- see configuration options at https://goauthentik.io/docs/installation/configuration/
env : {}
# AUTHENTIK_VAR_NAME: VALUE
envFrom : [ ]
# - configMapRef:
# name: special-config
envValueFrom :
AUTHENTIK_SECRET_KEY :
secretKeyRef :
2023-12-03 02:51:04 +00:00
name : authentik-secret
2023-10-15 13:43:33 +00:00
key : secret-key
AUTHENTIK_POSTGRESQL__PASSWORD :
secretKeyRef :
name : authentik-secret
key : postgres-password
AUTHENTIK_REDIS__PASSWORD :
secretKeyRef :
name : authentik-secret
key : redis-password
service :
# -- Service that is created to access authentik
enabled : true
type : LoadBalancer
port : 80
name : http
protocol : TCP
labels : {}
annotations : {}
volumes : [ ]
volumeMounts : [ ]
# -- affinity applied to the deployments
affinity : {}
# -- tolerations applied to the deployments
tolerations : [ ]
# -- nodeSelector applied to the deployments
nodeSelector : {}
resources :
server : {}
worker : {}
autoscaling :
server :
# -- Create a HPA for the server deployment
enabled : false
minReplicas : 1
maxReplicas : 5
targetCPUUtilizationPercentage : 50
worker :
# -- Create a HPA for the worker deployment
enabled : false
minReplicas : 1
maxReplicas : 5
targetCPUUtilizationPercentage : 80
livenessProbe :
# -- enables or disables the livenessProbe
enabled : true
httpGet :
# -- liveness probe url path
path : /-/health/live/
port : http
initialDelaySeconds : 5
periodSeconds : 10
startupProbe :
# -- enables or disables the livenessProbe
enabled : true
httpGet :
# -- liveness probe url path
path : /-/health/live/
port : http
failureThreshold : 60
periodSeconds : 5
readinessProbe :
enabled : true
httpGet :
path : /-/health/ready/
port : http
periodSeconds : 10
serviceAccount :
# -- Service account is needed for managed outposts
create : true
annotations : {}
serviceAccountSecret :
# -- As we use the authentik-remote-cluster chart as subchart, and that chart
# creates a service account secret by default which we don't need here, disable its creation
enabled : false
fullnameOverride : authentik
nameOverride : authentik
prometheus :
serviceMonitor :
create : false
interval : 30s
scrapeTimeout : 3s
# -- labels additional on ServiceMonitor
labels : {}
rules :
create : false
# -- labels additional on PrometheusRule
labels : {}
geoip :
# -- optional GeoIP, deploys a cronjob to download the maxmind database
enabled : false
# -- sign up under https://www.maxmind.com/en/geolite2/signup
accountId : ""
# -- sign up under https://www.maxmind.com/en/geolite2/signup
licenseKey : ""
editionIds : "GeoLite2-City"
image : maxmindinc/geoipupdate:v4.8
# -- number of hours between update runs
updateInterval : 8
# -- server containerSecurityContext
containerSecurityContext : {}
postgresql :
# -- enable the bundled bitnami postgresql chart
enabled : false
postgresqlMaxConnections : 500
postgresqlUsername : "authentik"
# postgresqlPassword: ""
postgresqlDatabase : "authentik"
# persistence:
# enabled: true
# storageClass:
# accessModes:
# - ReadWriteOnce
image :
tag : 15.4 .0 -debian-11-r0
redis :
# -- enable the bundled bitnami redis chart
enabled : false
architecture : standalone
auth :
enabled : false
image :
tag : 6.2 .10 -debian-11-r13