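# Helm values for an authentik deployment: server and worker pods, shared
# environment, and extra manifests (Ingress, TLS Secret placeholder,
# ExternalSecrets, ObjectBucketClaim).
#
# NOTE(review): the nesting below was rebuilt from a copy whose indentation
# was lost. `global` and `additionalObjects` are placed under `authentik`
# on the assumption that `authentik` is the chart's values root here --
# confirm against the chart before applying.
authentik:
  server:
    replicas: 3
    volumeMounts:
      - name: cert-dubyatp-xyz
        readOnly: true
        mountPath: "/certs/dubyatp-xyz"
    volumes:
      - name: cert-dubyatp-xyz
        secret:
          # 420 decimal == 0644 octal. Written in decimal so the mode does
          # not depend on whether the YAML parser reads a leading zero as
          # octal (YAML 1.1) or as plain decimal (YAML 1.2).
          # NOTE(review): this Secret carries tls.key, and 0644 leaves the
          # private key readable by every user in the container. Consider a
          # tighter mode (e.g. 0440 together with an fsGroup) once the
          # pod's runAsUser/fsGroup are confirmed.
          defaultMode: 420
          secretName: cert-dubyatp-xyz
    metrics:
      enabled: true
      service:
        labels:
          # Label values must be strings, hence the quotes.
          metrics_enabled: "true"
    # The probe paths are template strings; they are quoted so YAML does
    # not parse the leading `{{` as a flow mapping.
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 10
      httpGet:
        path: "{{ .Values.authentik.web.path }}-/health/live/"
        port: http
    readinessProbe:
      failureThreshold: 3
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 10
      httpGet:
        path: "{{ .Values.authentik.web.path }}-/health/ready/"
        port: http
    # failureThreshold 60 x periodSeconds 10 gives the server roughly ten
    # minutes to start before the startup probe fails.
    startupProbe:
      failureThreshold: 60
      initialDelaySeconds: 5
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 10
      httpGet:
        path: "{{ .Values.authentik.web.path }}-/health/live/"
        port: http

  worker:
    replicas: 3
    volumeMounts:
      - name: cert-dubyatp-xyz
        readOnly: true
        mountPath: "/certs/dubyatp-xyz"
    volumes:
      - name: cert-dubyatp-xyz
        # No defaultMode here, so the Kubernetes default for secret
        # volumes (0644) applies -- the same effective mode as the server
        # volume, with the same exposure of tls.key inside the container.
        secret:
          secretName: cert-dubyatp-xyz

  global:
    # Every credential below is read through secretKeyRef; no secret
    # value is stored in this file.
    env:
      - name: AUTHENTIK_SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: authentik-credentials
            key: authentik-secret-key
      - name: AUTHENTIK_POSTGRESQL__HOST
        value: pooler-weyma-rw-authentik.cloudnativepg.svc.cluster.local
      - name: AUTHENTIK_POSTGRESQL__NAME
        value: authentik
      - name: AUTHENTIK_POSTGRESQL__USER
        value: authentik
      - name: AUTHENTIK_POSTGRESQL__PASSWORD
        valueFrom:
          secretKeyRef:
            name: authentik-db-auth
            key: password
      # NOTE(review): no PostgreSQL TLS setting (AUTHENTIK_POSTGRESQL__SSLMODE)
      # is set in this file; confirm which mode the connection to the
      # pooler actually uses.
      - name: AUTHENTIK_EMAIL__FROM
        value: authentik_dubyatp@em924671.dubyatp.xyz
      - name: AUTHENTIK_EMAIL__HOST
        value: mail.smtp2go.com
      # Env values must be strings, so booleans and numbers are quoted.
      - name: AUTHENTIK_EMAIL__USE_TLS
        value: "true"
      - name: AUTHENTIK_EMAIL__USERNAME
        value: authentik_dubyatp
      - name: AUTHENTIK_EMAIL__PASSWORD
        valueFrom:
          secretKeyRef:
            name: authentik-credentials
            key: smtp-password
      - name: AUTHENTIK_EMAIL__TIMEOUT
        value: "30"
      - name: AUTHENTIK_STORAGE__BACKEND
        value: "s3"
      - name: AUTHENTIK_STORAGE__S3__ENDPOINT
        value: "https://weyma-s3.infra.dubyatp.xyz"
      - name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
        value: "authentik-files"
      # The S3 keys come from a Secret named authentik-files, the same
      # name as the ObjectBucketClaim below -- presumably the Secret the
      # bucket provisioner creates for that claim; verify.
      - name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: authentik-files
            key: AWS_ACCESS_KEY_ID
      - name: AUTHENTIK_STORAGE__S3__SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: authentik-files
            key: AWS_SECRET_ACCESS_KEY

  additionalObjects:
    # Public entry point: auth.dubyatp.xyz on the traefik ingress class,
    # TLS from cert-dubyatp-xyz, backend authentik-server on port 80.
    - apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations:
          # NOTE(review): cloudflarewarp@file presumably derives the
          # client IP from Cloudflare headers. Those headers are only
          # trustworthy if the origin accepts traffic from Cloudflare
          # alone -- confirm the middleware's trusted ranges.
          traefik.ingress.kubernetes.io/router.middlewares: cloudflarewarp@file
        name: authentik-ingress
      spec:
        ingressClassName: traefik
        rules:
          - host: auth.dubyatp.xyz
            http:
              paths:
                - backend:
                    service:
                      name: authentik-server
                      port:
                        number: 80
                  path: /
                  pathType: Prefix
        tls:
          - hosts:
              - auth.dubyatp.xyz
            secretName: cert-dubyatp-xyz

    # Placeholder Secret: data is intentionally empty, and the annotations
    # ask the replicator to copy tls.crt and tls.key from
    # cert-manager/cert-dubyatp-xyz.
    # NOTE(review): this places a copy of the TLS private key in this
    # namespace. Keep the replication allow-list on the source Secret
    # limited to the namespaces that need it.
    - apiVersion: v1
      kind: Secret
      metadata:
        name: cert-dubyatp-xyz
        annotations:
          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
      data:
        tls.crt: ""
        tls.key: ""

    # Syncs properties of the `authentik` entry in the weyma-vault
    # ClusterSecretStore into the authentik-credentials Secret.
    # NOTE(review): only authentik-secret-key and smtp-password are
    # referenced in this file. Confirm that admin-password,
    # replication-password and user-password are consumed elsewhere;
    # otherwise drop them so the Secret holds only what the pods need.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: authentik-credentials
      spec:
        refreshInterval: 1h
        secretStoreRef:
          name: weyma-vault
          kind: ClusterSecretStore
        target:
          name: authentik-credentials
          creationPolicy: Owner
        data:
          - secretKey: admin-password
            remoteRef:
              key: authentik
              property: admin-password
          - secretKey: authentik-secret-key
            remoteRef:
              key: authentik
              property: authentik-secret-key
          - secretKey: replication-password
            remoteRef:
              key: authentik
              property: replication-password
          - secretKey: user-password
            remoteRef:
              key: authentik
              property: user-password
          - secretKey: smtp-password
            remoteRef:
              key: authentik
              property: smtp-password

    # Database password: property authentik_pw of the `cloudnativepg`
    # entry, exposed as key `password` in the authentik-db-auth Secret.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: authentik-db-auth
      spec:
        data:
          - remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: cloudnativepg
              metadataPolicy: None
              property: authentik_pw
            secretKey: password
        refreshInterval: 1h
        secretStoreRef:
          kind: ClusterSecretStore
          name: weyma-vault
        target:
          creationPolicy: Owner
          deletionPolicy: Retain
          name: authentik-db-auth

    # Bucket claim for authentik file storage, capped at 20Gi.
    - apiVersion: objectbucket.io/v1alpha1
      kind: ObjectBucketClaim
      metadata:
        name: authentik-files
      spec:
        additionalConfig:
          maxSize: 20Gi
        bucketName: authentik-files
        storageClassName: weyma-s3-bucket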