# Authentik — noble lab (Helm: goauthentik/authentik)
#
# Secrets (secret_key, postgres password, bootstrap) are supplied at install time by Ansible
# (-f authentik-extra-values.yaml from noble_authentik role). Do not commit real secrets here.
#
# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml).
#
# helm repo add goauthentik https://charts.goauthentik.io && helm repo update
# kubectl apply -f clusters/noble/bootstrap/authentik/namespace.yaml
# helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
#   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait

postgresql:
  enabled: true
  auth:
    username: authentik
    database: authentik
    password: ""
  primary:
    persistence:
      enabled: true
      storageClassName: longhorn
      size: 10Gi

authentik:
  secret_key: ""
  postgresql:
    name: authentik
    user: authentik
    password: ""
    port: 5432

server:
  replicas: 1
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    # Chart expects **strings** (FQDNs only); paths come from **server.ingress.paths** / **pathType**.
    hosts:
      - auth.apps.noble.lab.pcenicni.dev
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-apps-noble-tls
        hosts:
          - auth.apps.noble.lab.pcenicni.dev

worker:
  replicas: 1