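---
# Authentik production Helm values — mirrors the dev docker-compose service
# (ghcr.io/goauthentik/server:2025.10), pointed at the in-cluster data tier.
#
# Secrets come from the 'authentik-secret' Secret via global.envFrom (generated
# on-box; see README) — NEVER in this file. Non-secret config only here.
#
# NOTE: chart version is intentionally unpinned at first install (helm-controller
# pulls latest). After it's up, pin the installed chart + image versions here +
# in RUNBOOK.md for reproducibility. Until then only the image tag below is
# pinned, so a chart upgrade can change rendered manifests independently of
# the image — keep the two in step once pinned.

image:
  tag: "2026.5.2"  # deployed version (latest chart as of 2026-06-08); quoted so it stays a string

global:
  # AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
  # AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
  # All of these come from the Secret; nothing under `env` below may carry a credential.
  envFrom:
    - secretRef:
        name: authentik-secret
  env:
    # Non-secret: only selects the bootstrap admin's address. The bootstrap
    # credentials themselves (password/token) stay in the Secret above.
    # NOTE(review): bootstrap values are presumably honoured only when the
    # initial admin is created — confirm, and rotate the bootstrap token after
    # first login rather than leaving it in the Secret indefinitely.
    - name: AUTHENTIK_BOOTSTRAP_EMAIL
      value: admin@dezky.eu
    # Env values are strings; keep the quotes so the value is not retyped as a boolean.
    - name: AUTHENTIK_DISABLE_UPDATE_CHECK
      value: "true"

authentik:
  error_reporting:
    enabled: false  # no outbound error telemetry from the production instance
  postgresql:
    host: postgres.dezky-data
    name: authentik
    user: authentik
  redis:
    host: redis.dezky-data

# Use the in-cluster data tier, not the chart's bundled subcharts.
postgresql:
  enabled: false
redis:
  enabled: false

server:
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - auth.dezky.eu
    paths:
      - "/"
    # Only the TLS listener is declared here. Whether plain-HTTP requests for
    # this host are redirected to HTTPS depends on the Traefik entrypoint /
    # middleware configuration, which lives outside this file — confirm it.
    tls:
      - hosts:
          - auth.dezky.eu
        secretName: authentik-tls

# Blueprints (portal + operator OIDC apps + brand) are mounted via a post-install
# initContainer patch on the worker (this chart version ignored worker.volumes),
# copying the authentik-blueprints ConfigMap to an emptyDir as real files at
# /blueprints/custom. See README "Blueprints + branding".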