---
# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
# For dooplex homelab deployment with centralized PostgreSQL
# Version: 2025.10.3

global:
  image:
    repository: ghcr.io/goauthentik/server
    tag: "2025.10.3"

  deploymentAnnotations:
    reloader.stakater.com/auto: "true"  # Auto-reload on secret changes (if using Reloader)

  deploymentStrategy:
    type: Recreate

  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9300"

  # Environment variables for all pods
  envFrom:
    - secretRef:
        name: authentik-secret-key

  env:
    - name: AUTHENTIK_REDIS__HOST
      value: "authentik-redis-master"
    # PostgreSQL config for SHARED database
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: "postgresql-rw.database-system.svc.cluster.local"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__USER
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-postgresql
          key: password
    - name: AUTHENTIK_EMAIL__HOST
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: host
    - name: AUTHENTIK_EMAIL__PORT
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: port
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: password
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: from-address

authentik:
  # Secret key will come from authentik-secret-key secret via envFrom
  secret_key: ""
  log_level: info

  # PostgreSQL configuration for SHARED database
  postgresql:
    host: "postgresql.database-system.svc.cluster.local"
    name: "authentik"
    user: "authentik"
    # Password comes from secret via global.env

  error_reporting:
    enabled: false

server:
  enabled: true
  name: server
  replicas: 1

  # Ingress configuration
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - authentik.dooplex.hu
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-tls
        hosts:
          - authentik.dooplex.hu

  # Resource limits
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 1Gi

  # Persistent volume for media files
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media

  volumeMounts:
    - name: media
      mountPath: /media

  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

worker:
  enabled: true
  name: worker
  replicas: 1

  # Resource limits
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 1Gi

  # Persistent volume for media files (shared with server)
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media

  volumeMounts:
    - name: media
      mountPath: /media

  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

# DISABLE bundled PostgreSQL - using shared instance
postgresql:
  enabled: false

# Enable bundled Redis (required for Authentik)
redis:
  enabled: true
  architecture: standalone
  auth:
    enabled: false  # Internal only, no need for auth
  master:
    persistence:
      enabled: true
      storageClass: longhorn
      size: 1Gi
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
      limits:
        memory: 256Mi

# GeoIP configuration (optional, for geo-blocking features)
geoip:
  enabled: false
  # To enable later:
  # 1. Sign up at https://www.maxmind.com/en/geolite2/signup
  # 2. Get accountId and licenseKey
  # 3. Uncomment and fill:
  # accountId: ""
  # licenseKey: ""

# Service Account
serviceAccount:
  create: true
  annotations:
    argocd.argoproj.io/sync-wave: "-1"

# Prometheus metrics
prometheus:
  rules:
    enabled: false