authentik:
  server:
    replicas: 0
    volumeMounts:
      - name: cert-dubyatp-xyz
        readOnly: true
        mountPath: "/certs/dubyatp-xyz"
    volumes:
      - name: cert-dubyatp-xyz
        secret:
          defaultMode: 0644
          secretName: cert-dubyatp-xyz
    metrics:
      enabled: true
      service:
        labels:
          metrics_enabled: "true"
  worker:
    replicas: 0
    volumeMounts:
      - name: cert-dubyatp-xyz
        readOnly: true
        mountPath: "/certs/dubyatp-xyz"
    volumes:
      - name: cert-dubyatp-xyz
        secret:
          secretName: cert-dubyatp-xyz
  redis:
    enabled: true
    architecture: standalone
    auth:
      enabled: false
    master:
      resourcesPreset: "none"
      podAnnotations:
        backup.velero.io/backup-volumes: redis-data
    replica:
      resourcesPreset: "none"
    sentinel:
      resourcesPreset: "none"
    metrics:
      resourcesPreset: "none"
    volumePermissions:
      resourcesPreset: "none"
    sysctl:
      resourcesPreset: "none"
  global:
    env:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: authentik-credentials
            key: authentik-secret-key
      - name: AUTHENTIK_POSTGRESQL__HOST
        value: weyma-pgsql-rw.cloudnativepg.svc.cluster.local
      - name: AUTHENTIK_POSTGRESQL__NAME
        value: authentik
      - name: AUTHENTIK_POSTGRESQL__USER
        value: authentik
      - name: AUTHENTIK_POSTGRESQL__PASSWORD
        valueFrom:
          secretKeyRef:
            name: authentik-db-auth
            key: password
  additionalObjects:
    - apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          traefik.ingress.kubernetes.io/router.middlewares: cloudflarewarp@file
        name: authentik-ingress
      spec:
        ingressClassName: traefik
        rules:
          - host: auth.dubyatp.xyz
            http:
              paths:
              - backend:
                  service:
                    name: authentik-server
                    port:
                      number: 80
                path: /
                pathType: Prefix
        tls:
          - hosts:
              - auth.dubyatp.xyz
            secretName: cert-dubyatp-xyz
    - apiVersion: v1
      kind: Secret
      metadata:
        name: cert-dubyatp-xyz
        annotations:
          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
      data:
        tls.crt: ""
        tls.key: ""
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: authentik-credentials
      spec:
        refreshInterval: 1h
        secretStoreRef:
          name: weyma-vault
          kind: ClusterSecretStore
        target:
          name: authentik-credentials
          creationPolicy: Owner
        data:
          - secretKey: admin-password
            remoteRef:
              key: authentik
              property: admin-password
          - secretKey: authentik-secret-key
            remoteRef:
              key: authentik
              property: authentik-secret-key
          - secretKey: replication-password
            remoteRef:
              key: authentik
              property: replication-password
          - secretKey: user-password
            remoteRef:
              key: authentik
              property: user-password
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: authentik-db-auth
      spec:
        data:
        - remoteRef:
            conversionStrategy: Default
            decodingStrategy: None
            key: cloudnativepg
            metadataPolicy: None
            property: authentik_pw
          secretKey: password
        refreshInterval: 1h
        secretStoreRef:
          kind: ClusterSecretStore
          name: weyma-vault
        target:
          creationPolicy: Owner
          deletionPolicy: Retain
          name: authentik-db-auth