---
# Flux HelmRelease: installs the authentik chart as release "authentik" in the
# "authentik" namespace. No secret material is stored in this manifest; the
# secret key and database credentials are read from Kubernetes Secrets.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authentik
  namespace: authentik
spec:
  # Reconciliation period for this release.
  interval: 15m
  releaseName: authentik
  chart:
    spec:
      chart: authentik
      # Exact version pin: upgrades only happen through a reviewed change to
      # this file. Quoted so it is always read as a string.
      version: "2025.6.1"
      # No namespace is given, so the HelmRepository is looked up in this
      # HelmRelease's own namespace.
      sourceRef:
        kind: HelmRepository
        name: authentik
  values:
    authentik:
      # file:// values are read by authentik from the path given, so the
      # matching Secret volume must be mounted in every pod that uses them.
      secret_key: file:///secret-key/key
      postgresql:
        host: postgres-cluster-rw
        user: file:///postgres-creds/username
        password: file:///postgres-creds/password
        # NOTE(review): no sslmode/TLS setting is visible for this connection;
        # confirm whether traffic to postgres-cluster-rw is encrypted.

    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          # Annotation values must be strings, so "true" stays quoted.
          traefik.ingress.kubernetes.io/router.tls: "true"
          # Route only via the "websecure" entrypoint.
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
          - authentik.michaelthomson.dev
        tls:
          # An Ingress TLS Secret has to live in the Ingress's namespace.
          # NOTE(review): the name suggests a wildcard certificate; if so, its
          # private key is readable by anything with Secret read access in
          # this namespace. Confirm that scope is intended.
          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
            hosts:
              - authentik.michaelthomson.dev
      # Secrets backing the file:// references above.
      volumes:
        - name: postgres-creds
          secret:
            secretName: authentik-postgres-credentials
        - name: secret-key
          secret:
            secretName: authentik-secret-key
      # Mounted read-only; paths must match the file:// URIs exactly.
      volumeMounts:
        - name: postgres-creds
          mountPath: /postgres-creds
          readOnly: true
        - name: secret-key
          mountPath: /secret-key
          readOnly: true

    worker:
      # The worker does not mount the secret-key volume. It gets the key as an
      # environment variable from the same Secret and key the server mounts.
      # NOTE(review): presumably this overrides the file:// secret_key set
      # under `authentik`, which would not resolve here without the mount;
      # confirm against the rendered manifests. Env-injected secrets are
      # exposed in the process environment; mounting the volume as the server
      # does would keep both components on one mechanism.
      env:
        - name: AUTHENTIK_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: authentik-secret-key
              key: key
      volumes:
        - name: postgres-creds
          secret:
            secretName: authentik-postgres-credentials
      volumeMounts:
        - name: postgres-creds
          mountPath: /postgres-creds
          readOnly: true

    # Deploys the Redis instance bundled with the chart.
    # NOTE(review): no auth or network restriction is configured here; check
    # the subchart defaults and limit access to the authentik pods.
    redis:
      enabled: true