# -- Server replicas replicas: 1 # -- server securityContext securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 worker: # -- worker replicas replicas: 1 # -- worker securityContext securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 image: repository: ghcr.io/goauthentik/server tag: 2023.10.7 ingress: enabled: true ingressClassName: "ingress-internal" annotations: cert-manager.io/cluster-issuer: "vault-issuer" hosts: - host: auth.dc paths: - path: "/" pathType: Prefix tls: - secretName: auth.dc-tls hosts: - auth.dc authentik: # -- Log level for server and worker log_level: info # -- Secret key used for cookie singing and unique user IDs, # don't change this after the first install #secret_key: "" # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled. geoip: /geoip/GeoLite2-City.mmdb # -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none' avatars: none email: # -- SMTP Server emails are sent from, fully optional host: "" port: 587 # -- SMTP credentials, when left empty, not authentication will be done username: "" # -- SMTP credentials, when left empty, not authentication will be done password: "" # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. use_tls: false # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. use_ssl: false # -- Connection timeout timeout: 30 # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " from: "" outposts: # -- Template used for managed outposts. The following placeholders can be used # %(type)s - the type of the outpost # %(version)s - version of your authentik install # %(build_hash)s - only for beta versions, the build hash of the image container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s error_reporting: # -- This sends anonymous usage-data, stack traces on errors and # performance data to sentry.beryju.org, and is fully opt-in enabled: false # -- This is a string that is sent to sentry with your error reports environment: "k8s" # -- Send PII (Personally identifiable information) data to sentry send_pii: false postgresql: # -- set the postgresql hostname to talk to # if unset and .Values.postgresql.enabled == true, will generate the default # @default -- `{{ .Release.Name }}-postgresql` host: 'authentik-db-rw.auth.svc.cluster.local' # -- postgresql Database name # @default -- `authentik` name: "app" # -- postgresql Username # @default -- `authentik` user: "app" #password: "" port: 5432 # redis: # host: 'rfs-authentik-redis.auth.svc.cluster.local' # -- List of config maps to mount blueprints from. Only keys in the # configmap ending with ".yaml" wil be discovered and applied blueprints: [] # -- see configuration options at https://goauthentik.io/docs/installation/configuration/ env: {} # AUTHENTIK_VAR_NAME: VALUE envFrom: [] # - configMapRef: # name: special-config envValueFrom: AUTHENTIK_POSTGRESQL__PASSWORD: secretKeyRef: key: password name: authentik-db-app AUTHENTIK_SECRET_KEY: secretKeyRef: key: secret_key name: authentik AUTHENTIK_REDIS__PASSWORD: secretKeyRef: key: password name: redis resources: server: {} worker: {} postgresql: enabled: false redis: #FIXME: Authentik doesn't support redis+sentinal yet.. # See: https://github.com/goauthentik/authentik/pull/5395 enabled: true architecture: standalone auth: enabled: true existingSecret: "redis" existingSecretPasswordKey: "password"