added authentik app

auth-system/authentik-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authentik-media
+  namespace: auth-system
+spec:
+  accessModes:
+    - ReadWriteMany  # RWX needed for server + worker pods
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 2Gi

auth-system/authentik-values.yaml

@@ -0,0 +1,199 @@
+---
+# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
+# For dooplex homelab deployment with centralized PostgreSQL
+# Version: 2025.10.3
+
+global:
+  image:
+    repository: ghcr.io/goauthentik/server
+    tag: "2025.10.3"
+  
+  deploymentAnnotations:
+    reloader.stakater.com/auto: "true"  # Auto-reload on secret changes (if using Reloader)
+  
+  podAnnotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9300"
+  
+  # Environment variables for all pods
+  envFrom:
+    - secretRef:
+        name: authentik-secret-key
+  
+  env:
+    - name: AUTHENTIK_REDIS__HOST
+      value: "authentik-redis-master"
+    # PostgreSQL config for SHARED database
+    - name: AUTHENTIK_POSTGRESQL__HOST
+      value: "postgresql.database-system.svc.cluster.local"
+    - name: AUTHENTIK_POSTGRESQL__NAME
+      value: "authentik"
+    - name: AUTHENTIK_POSTGRESQL__USER
+      value: "authentik"
+    - name: AUTHENTIK_POSTGRESQL__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: authentik-postgresql
+          key: password
+    - name: AUTHENTIK_EMAIL__HOST
+      valueFrom:
+        secretKeyRef:
+          name: smtp-credentials
+          key: host
+    - name: AUTHENTIK_EMAIL__PORT
+      valueFrom:
+        secretKeyRef:
+          name: smtp-credentials
+          key: port
+    - name: AUTHENTIK_EMAIL__USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: smtp-credentials
+          key: username
+    - name: AUTHENTIK_EMAIL__PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: smtp-credentials
+          key: password
+    - name: AUTHENTIK_EMAIL__FROM
+      valueFrom:
+        secretKeyRef:
+          name: smtp-credentials
+          key: from-address
+
+authentik:
+  # Secret key will come from authentik-secret-key secret via envFrom
+  secret_key: ""
+  
+  log_level: info
+  
+  # PostgreSQL configuration for SHARED database
+  postgresql:
+    host: "postgresql.database-system.svc.cluster.local"
+    name: "authentik"
+    user: "authentik"
+    # Password comes from secret via global.env
+  
+  error_reporting:
+    enabled: false
+
+server:
+  enabled: true
+  name: server
+  replicas: 1
+  
+  # Ingress configuration
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    hosts:
+      - host: authentik.dooplex.hu
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: authentik-tls
+        hosts:
+          - authentik.dooplex.hu
+  
+  # Resource limits
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      memory: 1Gi
+  
+  # Persistent volume for media files
+  volumes:
+    - name: media
+      persistentVolumeClaim:
+        claimName: authentik-media
+  
+  volumeMounts:
+    - name: media
+      mountPath: /media
+  
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+
+worker:
+  enabled: true
+  name: worker
+  replicas: 1
+  
+  # Resource limits
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      memory: 1Gi
+  
+  # Persistent volume for media files (shared with server)
+  volumes:
+    - name: media
+      persistentVolumeClaim:
+        claimName: authentik-media
+  
+  volumeMounts:
+    - name: media
+      mountPath: /media
+  
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+
+# DISABLE bundled PostgreSQL - using shared instance
+postgresql:
+  enabled: false
+
+# Enable bundled Redis (required for Authentik)
+redis:
+  enabled: true
+  architecture: standalone
+  auth:
+    enabled: false  # Internal only, no need for auth
+  master:
+    persistence:
+      enabled: true
+      storageClass: longhorn
+      size: 1Gi
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+      limits:
+        memory: 256Mi
+
+# GeoIP configuration (optional, for geo-blocking features)
+geoip:
+  enabled: false
+  # To enable later:
+  # 1. Sign up at https://www.maxmind.com/en/geolite2/signup
+  # 2. Get accountId and licenseKey
+  # 3. Uncomment and fill:
+  # accountId: ""
+  # licenseKey: ""
+
+# Service Account
+serviceAccount:
+  create: true
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+
+# Prometheus metrics
+prometheus:
+  rules:
+    enabled: false