# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
# (keep them in sync). Version intentionally unpinned for the first install —
# PIN the resolved chart version here once it's up (see RUNBOOK.md).
#
# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: authentik
  namespace: kube-system
spec:
  repo: https://charts.goauthentik.io
  chart: authentik
  targetNamespace: dezky-auth
  createNamespace: true
  valuesContent: |-
    image:
      tag: "2026.5.2"
    global:
      envFrom:
        - secretRef:
            name: authentik-secret
      env:
        - name: AUTHENTIK_BOOTSTRAP_EMAIL
          value: admin@dezky.eu
        - name: AUTHENTIK_DISABLE_UPDATE_CHECK
          value: "true"
    authentik:
      error_reporting:
        enabled: false
      postgresql:
        host: postgres.dezky-data
        name: authentik
        user: authentik
      redis:
        host: redis.dezky-data
    postgresql:
      enabled: false
    redis:
      enabled: false
    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-prod
        hosts:
          - auth.dezky.eu
        paths:
          - "/"
        tls:
          - hosts:
              - auth.dezky.eu
            secretName: authentik-tls