add authentik

authentik/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: authentik
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: authentik
+  version: 2025.2.1
+  repository: https://charts.goauthentik.io

authentik/values.yaml

@@ -0,0 +1,87 @@
+authentik:
+  postgresql:
+    enabled: true
+    image:
+      repository: bitnami/postgresql
+      tag: 15.8.0-debian-12-r18
+    auth:
+      username: authentik
+      database: authentik
+      existingSecret: "authentik-credentials"
+      secretKeys:
+        adminPasswordKey: "admin-password"
+        userPasswordKey: "user-password"
+        replicationPasswordKey: "replication-password"
+    primary:
+      extendedConfiguration: |
+        max_connections = 500
+      resourcesPreset: "none"
+      persistence:
+        enabled: true
+        storageClass: weyma-shared
+        accessModes:
+          - ReadWriteOnce
+      readReplicas:
+        resourcesPreset: "none"
+      backup:
+        resourcesPreset: "none"
+      passwordUpdateJob:
+        resourcesPreset: "none"
+      volumePermissions:
+        resourcesPreset: "none"
+      metrics:
+        resourcesPreset: "none"
+  redis:
+    enabled: true
+    architecture: standalone
+    auth:
+      enabled: false
+    master:
+      resourcesPreset: "none"
+    replica:
+      resourcesPreset: "none"
+    sentinel:
+      resourcesPreset: "none"
+    metrics:
+      resourcesPreset: "none"
+    volumePermissions:
+      resourcesPreset: "none"
+    sysctl:
+      resourcesPreset: "none"
+  global:
+    env:
+      - name: AUTHENTIK_SECRET_KEY
+        valueFrom:
+          secretKeyRef:
+            name: authentik-credentials
+            key: authentik-secret-key
+  additionalObjects:
+    - apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      metadata:
+        name: authentik-credentials
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: authentik-credentials
+          creationPolicy: Owner
+        data:
+          - secretKey: admin-password
+            remoteRef:
+              key: authentik
+              property: admin-password
+          - secretKey: authentik-secret-key
+            remoteRef:
+              key: authentik
+              property: authentik-secret-key
+          - secretKey: replication-password
+            remoteRef:
+              key: authentik
+              property: replication-password
+          - secretKey: user-password
+            remoteRef:
+              key: authentik
+              property: user-password