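---
# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
# (keep them in sync). valuesContent here is the LIVE source — values.yaml is
# just a human-readable mirror, not consumed by helm-controller.
#
# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
# global.envFrom injects EVERY key of that Secret into every authentik pod
# (server and worker), so keep the Secret to what authentik actually consumes.
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: authentik
  namespace: kube-system
spec:
  repo: https://charts.goauthentik.io
  chart: authentik
  # Pinned: helm-controller reconciles on a loop and pulls the LATEST chart when
  # version is unset — a successful reconcile would then silently upgrade
  # authentik. Keep == the deployed version (and == global.image.tag below).
  # Quoted so no YAML parser ever reads a version string as a number.
  # NOTE(review): this pins by version only — the chart is fetched from the repo
  # with no digest check here, so integrity rests on TLS to the repo host.
  version: "2026.5.2"
  targetNamespace: dezky-auth
  createNamespace: true
  valuesContent: |-
    global:
      # Image moved under global.image in chart 2026.5.x; the old top-level
      # `image:` key now hard-fails the chart's deprecation guard (deprectations.yaml).
      image:
        tag: "2026.5.2"
      envFrom:
        - secretRef:
            name: authentik-secret
      env:
        - name: AUTHENTIK_BOOTSTRAP_EMAIL
          value: admin@dezky.eu
        # Env values are strings; keep the quotes so YAML does not emit a bool.
        - name: AUTHENTIK_DISABLE_UPDATE_CHECK
          value: "true"
    authentik:
      # No outbound error telemetry from this instance.
      error_reporting:
        enabled: false
      # External Postgres/Redis in dezky-data; credentials come from
      # authentik-secret via global.envFrom, not from these values.
      # NOTE(review): nothing in these values enables TLS for the Postgres or
      # Redis hop — confirm that is intended for in-cluster traffic, or set the
      # chart's sslmode/TLS keys (TODO: confirm key names against the chart's
      # values.yaml for this version).
      postgresql:
        host: postgres.dezky-data
        name: authentik
        user: authentik
      redis:
        host: redis.dezky-data
    # Bundled sub-charts are off: the external services above are used instead.
    postgresql:
      enabled: false
    redis:
      enabled: false
    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-prod
          # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer
          # on port 80 at renewal; redirect-https bounces other traffic to HTTPS.
          # (Middleware lives in authentik/redirect-middleware.yaml.)
          # NOTE(review): this relies on the solver's own ingress being matched
          # ahead of this catch-all "/" router on the web entrypoint — verify at
          # the next renewal rather than assuming it.
          traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
          traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
        hosts:
          - auth.dezky.eu
        paths:
          - "/"
        tls:
          - hosts:
              - auth.dezky.eu
            secretName: authentik-tls
    # NOTE: blueprints are mounted via a post-install initContainer patch on the
    # worker Deployment (this chart version ignored worker.volumes here) — it
    # copies the 'authentik-blueprints' ConfigMap into an emptyDir as real files
    # at /blueprints/custom. See README "Blueprints + branding". Client secrets
    # come from authentik-secret (PORTAL_OIDC_CLIENT_SECRET / OPERATOR_OIDC_CLIENT_SECRET).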