apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: authentik namespace: authentik-ns annotations: force-recreate: true spec: chart: spec: chart: authentik sourceRef: kind: HelmRepository name: authentik namespace: flux-system interval: 15m0s timeout: 5m releaseName: authentik values: # -- Server replicas replicas: 1 # -- Custom priority class for different treatment by the scheduler priorityClassName: # -- server securityContext securityContext: {} # -- server containerSecurityContext containerSecurityContext: {} worker: # -- worker replicas replicas: 1 # -- Custom priority class for different treatment by the scheduler priorityClassName: # -- worker securityContext securityContext: {} # -- server containerSecurityContext containerSecurityContext: {} env: - name: AUTHENTIK_REDIS__DB value: "1" image: repository: ghcr.io/goauthentik/server tag: 2024.2.2 #tag: latest # -- optional container image digest digest: "" pullPolicy: IfNotPresent pullSecrets: [] # -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used initContainers: {} # -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used. additionalContainers: {} ingress: enabled: false ingressClassName: "" annotations: {} labels: {} hosts: - host: authentik.domain.tld paths: - path: "/" pathType: Prefix tls: [] # -- Annotations to add to the server and worker deployments annotations: {} # -- Annotations to add to the server and worker pods podAnnotations: {} authentik: # -- Log level for server and worker log_level: info # -- Secret key used for cookie singing and unique user IDs, # don't change this after the first install #secret_key: "" # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled. geoip: /geoip/GeoLite2-City.mmdb email: # -- SMTP Server emails are sent from, fully optional host: "" port: 587 # -- SMTP credentials, when left empty, not authentication will be done username: "" # -- SMTP credentials, when left empty, not authentication will be done password: "" # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. use_tls: false # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. use_ssl: false # -- Connection timeout timeout: 30 # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " from: "" outposts: # -- Template used for managed outposts. The following placeholders can be used # %(type)s - the type of the outpost # %(version)s - version of your authentik install # %(build_hash)s - only for beta versions, the build hash of the image container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s error_reporting: # -- This sends anonymous usage-data, stack traces on errors and # performance data to sentry.beryju.org, and is fully opt-in enabled: false # -- This is a string that is sent to sentry with your error reports environment: "k8s" # -- Send PII (Personally identifiable information) data to sentry send_pii: false postgresql: # -- set the postgresql hostname to talk to # if unset and .Values.postgresql.enabled == true, will generate the default # @default -- `{{ .Release.Name }}-postgresql` host: "postgresql.postgresql-system.svc.cluster.local" # -- postgresql Database name # @default -- `authentik` name: "authentik" # -- postgresql Username # @default -- `authentik` user: "authentik" #password: "" port: 5432 redis: # -- set the redis hostname to talk to # @default -- `{{ .Release.Name }}-redis-master` host: "redis-master.redis-system.svc.cluster.local" #password: "" # -- List of config maps to mount blueprints from. Only keys in the # configmap ending with ".yaml" wil be discovered and applied blueprints: configMaps: [] secrets: [] # -- see configuration options at https://goauthentik.io/docs/installation/configuration/ env: - name: AUTHENTIK_REDIS__DB value: "1" # AUTHENTIK_VAR_NAME: VALUE envFrom: [] # - configMapRef: # name: special-config envValueFrom: AUTHENTIK_SECRET_KEY: secretKeyRef: name: authentik-secret key: secret-key AUTHENTIK_POSTGRESQL__PASSWORD: secretKeyRef: name: authentik-secret key: postgres-password AUTHENTIK_REDIS__PASSWORD: secretKeyRef: name: authentik-secret key: redis-password service: # -- Service that is created to access authentik enabled: true type: LoadBalancer port: 80 name: http protocol: TCP labels: {} annotations: {} volumes: [] volumeMounts: [] # -- affinity applied to the deployments affinity: {} # -- tolerations applied to the deployments tolerations: [] # -- nodeSelector applied to the deployments nodeSelector: {} resources: server: {} worker: {} autoscaling: server: # -- Create a HPA for the server deployment enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 50 worker: # -- Create a HPA for the worker deployment enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 80 livenessProbe: # -- enables or disables the livenessProbe enabled: true httpGet: # -- liveness probe url path path: /-/health/live/ port: http initialDelaySeconds: 5 periodSeconds: 10 startupProbe: # -- enables or disables the livenessProbe enabled: true httpGet: # -- liveness probe url path path: /-/health/live/ port: http failureThreshold: 60 periodSeconds: 5 readinessProbe: enabled: true httpGet: path: /-/health/ready/ port: http periodSeconds: 10 serviceAccount: # -- Service account is needed for managed outposts create: true annotations: {} serviceAccountSecret: # -- As we use the authentik-remote-cluster chart as subchart, and that chart # creates a service account secret by default which we don't need here, disable its creation enabled: false fullnameOverride: authentik nameOverride: authentik prometheus: serviceMonitor: create: false interval: 30s scrapeTimeout: 3s # -- labels additional on ServiceMonitor labels: {} rules: create: false # -- labels additional on PrometheusRule labels: {} geoip: # -- optional GeoIP, deploys a cronjob to download the maxmind database enabled: false # -- sign up under https://www.maxmind.com/en/geolite2/signup accountId: "" # -- sign up under https://www.maxmind.com/en/geolite2/signup licenseKey: "" editionIds: "GeoLite2-City" image: maxmindinc/geoipupdate:v4.8 # -- number of hours between update runs updateInterval: 8 # -- server containerSecurityContext containerSecurityContext: {} postgresql: # -- enable the bundled bitnami postgresql chart enabled: false postgresqlMaxConnections: 500 postgresqlUsername: "authentik" # postgresqlPassword: "" postgresqlDatabase: "authentik" # persistence: # enabled: true # storageClass: # accessModes: # - ReadWriteOnce image: tag: 15.4.0-debian-11-r0 redis: # -- enable the bundled bitnami redis chart enabled: false architecture: standalone auth: enabled: false image: tag: 6.2.10-debian-11-r13