flux-charts/mycloud-authentik/templates/release.yaml

---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-hr"
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: "{{ .Release.Name }}-hr"
      chart: "authentik"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    authentik:
      secret_key: {{ .Values.secret_key | default (derivePassword 1 "long" .Values.commons.masterPassword "authentik" "secret_key") | quote }}
      avatars: "none"
      postgresql:
        host: {{ .Values.database.host | quote }}
        name: {{ .Values.database.name | quote }}
        user: {{ .Values.database.username | quote }}
        password: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "authentik" "database_password" | b64enc) | quote }}
      email:
        host: {{ .Values.commons.mail.host | quote }}
        username: {{ .Values.commons.mail.username | quote }}
        password: {{ .Values.commons.mail.password | quote }}
        use_tls: {{ .Values.commons.mail.use_tls }}
        use_ssl: {{ .Values.commons.mail.use_ssl }}
        from: {{ .Values.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "authentik" .Values.commons.mail.from) | quote }}

    redis:
      enabled: true
      architecture: replication
      replica:
        replicaCount: {{ .Values.commons.redis.replicas }}
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false
          # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []

    postgresql:
      enabled: false

    prometheus:
      rules:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
        labels:
          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}


    #
    # https://github.com/goauthentik/helm/pull/146
    #
    serviceAccount:
      create: false

    {{- $host := .Values.ingress.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}
    global:
      volumeMounts:
        - name: sidecar-blueprints
          mountPath: /blueprints/sidecar

      volumes:
        - name: sidecar-blueprints
          emptyDir: {}

    server:
      metrics:
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}

      serviceAccountName: {{ .Release.Name }}
      extraContainers:
        - name: sidecar-blueprints
          image: "ghcr.io/kiwigrid/k8s-sidecar:1.26.0"
          env:
            - name: "FOLDER"
              value: "/blueprints/sidecar"
            - name: "LABEL"
              value: "goauthentik_blueprint"
            - name: "LABEL_VALUE"
              value: "1"
            # - name: "NAMESPACE"
            #   value: "ALL"
            - name: "RESOURCE"
              value: "both"
            - name: "UNIQUE_FILENAMES"
              value: "true"
          volumeMounts:
            - name: sidecar-blueprints
              mountPath: /blueprints/sidecar

      ingress:
        enabled: true
        annotations:
          {{- with .Values.commons.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        hosts:
          - "{{ $host }}"
        {{- if .Values.commons.ingress.tls.enabled }}
        tls:
          {{- with .Values.commons.ingress.tls.override }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - secretName: "mycloud-authentik-cert"
            hosts:
              - "{{ $host }}"
          {{- end }}
        {{- end }}

    worker:
      metrics:
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}

      serviceAccountName: {{ .Release.Name }}
      extraContainers:
        - name: sidecar-blueprints
          image: "ghcr.io/kiwigrid/k8s-sidecar:1.26.0"
          env:
            - name: "FOLDER"
              value: "/blueprints/sidecar"
            - name: "LABEL"
              value: "goauthentik_blueprint"
            - name: "LABEL_VALUE"
              value: "1"
            # - name: "NAMESPACE"
            #   value: "ALL"
            - name: "RESOURCE"
              value: "both"
            - name: "UNIQUE_FILENAMES"
              value: "true"
          volumeMounts:
            - name: sidecar-blueprints
              mountPath: /blueprints/sidecar