---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authentik
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://charts.goauthentik.io
      chart: authentik
      version: 2.1.0
      sourceRef:
        kind: HelmRepository
        name: authentik-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: ghcr.io/goauthentik/server
      tag: 2021.8.3

    ingress:
      enabled: true
      ingressClassName: "nginx"
      # annotations:
        # traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
      hosts:
        - host: "id.${SECRET_CLUSTER_DOMAIN}"
          paths:
            - path: /
      tls:
        - hosts:
            - "id.${SECRET_CLUSTER_DOMAIN}"
          secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
    geoip:
      enabled: false
    authentik:
      email:
        host: smtp.fastmail.com
        port: 587
        username: ${SECRET_SMTP_USERNAME}
        password: ${SECRET_AUTHENTIK_SMTP_PASSWORD}
        use_ssl: true
        from: authentik@${SECRET_CLUSTER_DOMAIN_ROOT}
      secret_key: ${SECRET_AUTHENTIK_SECRET_KEY}
      log_level: debug

      outposts:
        docker_image_base: ghcr.io/goauthentik/%(type)s:%(version)s

      postgresql:
        host: postgresql-kube.data.svc.cluster.local.
        name: authentik
        user: authentik
        password: ${SECRET_AUTHENTIK_POSTGRES_PASSWORD}
      redis:
        host: '{{ .Release.Name }}-redis-master'
        password: ${SECRET_AUTHENTIK_REDIS_PASSWORD}

    redis:
      enabled: true
      auth:
        enabled: true
        password: ${SECRET_AUTHENTIK_REDIS_PASSWORD}