hive-apps/.archive/auth/values/authentik.yaml

# -- Server replicas
replicas: 1

# -- server securityContext
securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

worker:
  # -- worker replicas
  replicas: 1
  # -- worker securityContext
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000


image:
  repository: ghcr.io/goauthentik/server
  tag: 2023.6.1

ingress:
  enabled: true
  ingressClassName: "ingress-internal"
  annotations:
    cert-manager.io/cluster-issuer: "vault-issuer"
  hosts:
    - host: auth.dc
      paths:
        - path: "/"
          pathType: Prefix
  tls:
    - secretName: auth.dc-tls
      hosts:
        - auth.dc

authentik:
  # -- Log level for server and worker
  log_level: info
  # -- Secret key used for cookie singing and unique user IDs,
  # don't change this after the first install
  #secret_key: ""
  # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
  geoip: /geoip/GeoLite2-City.mmdb
  # -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none'
  avatars: none
  email:
    # -- SMTP Server emails are sent from, fully optional
    host: ""
    port: 587
    # -- SMTP credentials, when left empty, not authentication will be done
    username: ""
    # -- SMTP credentials, when left empty, not authentication will be done
    password: ""
    # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
    use_tls: false
    # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
    use_ssl: false
    # -- Connection timeout
    timeout: 30
    # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
    from: ""
  outposts:
    # -- Template used for managed outposts. The following placeholders can be used
    # %(type)s - the type of the outpost
    # %(version)s - version of your authentik install
    # %(build_hash)s - only for beta versions, the build hash of the image
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    # -- This sends anonymous usage-data, stack traces on errors and
    # performance data to sentry.beryju.org, and is fully opt-in
    enabled: false
    # -- This is a string that is sent to sentry with your error reports
    environment: "k8s"
    # -- Send PII (Personally identifiable information) data to sentry
    send_pii: false
  postgresql:
    # -- set the postgresql hostname to talk to
    # if unset and .Values.postgresql.enabled == true, will generate the default
    # @default -- `{{ .Release.Name }}-postgresql`
    host: 'authentik-db-rw.auth.svc.cluster.local'
    # -- postgresql Database name
    # @default -- `authentik`
    name: "app"
    # -- postgresql Username
    # @default -- `authentik`
    user: "app"
    #password: ""
    port: 5432

  # redis:
  #   host: 'rfs-authentik-redis.auth.svc.cluster.local'

# -- List of config maps to mount blueprints from. Only keys in the
# configmap ending with ".yaml" wil be discovered and applied
blueprints: []

# -- see configuration options at https://goauthentik.io/docs/installation/configuration/
env: {}
# AUTHENTIK_VAR_NAME: VALUE

envFrom: []
#  - configMapRef:
#      name: special-config

envValueFrom:
  AUTHENTIK_POSTGRESQL__PASSWORD:
    secretKeyRef:
      key: password
      name: authentik-db-app
  AUTHENTIK_SECRET_KEY:
    secretKeyRef:
      key: secret_key
      name: authentik
  AUTHENTIK_REDIS__PASSWORD:
    secretKeyRef:
      key: password
      name: redis


resources:
  server: {}
  worker: {}

postgresql:
  enabled: false

redis:
  #FIXME: Authentik doesn't support redis+sentinal yet..
  # See: https://github.com/goauthentik/authentik/pull/5395
  enabled: true
  architecture: standalone
  auth:
    enabled: true
    existingSecret: "redis"
    existingSecretPasswordKey: "password"