home-server/clusters/noble/bootstrap/authentik/values.yaml

# Authentik — noble lab (Helm: goauthentik/authentik)
#
# Secrets (secret_key, postgres password, bootstrap) are supplied at install time by Ansible
# (-f authentik-extra-values.yaml from noble_authentik role). Do not commit real secrets here.
#
# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml). Optional **extra** Ingress hostnames
# (e.g. a public Pangolin FQDN) are merged by Ansible — **`noble_authentik_ingress_extra_hosts`** in **group_vars** (see **noble_authentik** README).
#
# helm repo add goauthentik https://charts.goauthentik.io && helm repo update
# kubectl apply -f clusters/noble/bootstrap/authentik/namespace.yaml
# helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
#   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
#
# **Media / uploads:** PVC **`authentik-data`** at **`/data`** is mounted on **server only**. Longhorn **RWO** allows
# a single attachment — the same PVC on **server** and **worker** causes **Multi-Attach** errors. For shared media from
# workers, use **S3** or an **RWX** StorageClass (e.g. **`longhorn-rwx`** when installed) and **ReadWriteMany** on the PVC.

additionalObjects:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: authentik-data
      namespace: "{{ .Release.Namespace }}"
    spec:
      accessModes:
        - ReadWriteOnce
      storageClassName: longhorn
      resources:
        requests:
          storage: 10Gi

postgresql:
  enabled: true
  auth:
    username: authentik
    database: authentik
    password: ""
  primary:
    persistence:
      enabled: true
      storageClassName: longhorn
      size: 10Gi

authentik:
  secret_key: ""
  postgresql:
    name: authentik
    user: authentik
    password: ""
    port: 5432

server:
  replicas: 1
  volumes:
    - name: authentik-data
      persistentVolumeClaim:
        claimName: authentik-data
  volumeMounts:
    - name: authentik-data
      mountPath: /data
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    # Chart expects **strings** (FQDNs only); paths come from **server.ingress.paths** / **pathType**.
    hosts:
      - auth.apps.noble.lab.pcenicni.dev
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-apps-noble-tls
        hosts:
          - auth.apps.noble.lab.pcenicni.dev

worker:
  replicas: 1