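---
# Helm values for an authentik deployment plus the CloudNativePG (CNPG)
# database cluster and its object-store backups.
#
# NOTE(review): the nesting below was reconstructed from a copy whose line
# breaks and indentation were lost. The outer `authentik` key is assumed to be
# a wrapper-chart (subchart) key, with `authentik`, `server`, `worker` and
# `additionalObjects` as its children. Confirm against the chart in use.
authentik:
  authentik:
    # NOTE(review): this is a live secret committed in plaintext. authentik
    # uses the secret key to sign session cookies, so anyone who can read this
    # file may be able to forge them. Treat the value as exposed: rotate it
    # (rotation invalidates active sessions) and supply the replacement from a
    # Kubernetes Secret instead of this file, for example through a mounted
    # file and a file:// URI as the PostgreSQL settings below already do.
    secret_key: "wgAt4swhmThtdOGZAqWHoXb1fLpcBeZvLy5X4RY6z6oAbvZCNLEzeH+ovbvG3mg2vy+zMLv0fpJxIhMy"
    # Database settings are read from files under /postgres-creds, which the
    # server and worker pods mount read-only from the Secret
    # authentik-pg-cluster-app (see `volumes` below). No database credential
    # appears in this file.
    postgresql:
      host: file:///postgres-creds/host
      name: file:///postgres-creds/dbname
      username: file:///postgres-creds/username
      password: file:///postgres-creds/password
      port: file:///postgres-creds/port

  server:
    # Gateway API route: three public hostnames attached to the `websecure`
    # listener of the traefik-gateway Gateway in the traefik namespace.
    route:
      main:
        enabled: true
        hostnames:
          - "auth.noxxos.nl"
          - "authentik.noxxos.nl"
          - "sso.noxxos.nl"
        parentRefs:
          - name: traefik-gateway
            namespace: traefik
            sectionName: websecure
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        memory: 1Gi
    volumes:
      - name: postgres-creds
        secret:
          secretName: authentik-pg-cluster-app
    volumeMounts:
      - name: postgres-creds
        mountPath: /postgres-creds
        readOnly: true

  worker:
    replicas: 2
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        memory: 1Gi
    # Same credential mount as the server, so both components resolve the
    # file:// database settings identically.
    volumes:
      - name: postgres-creds
        secret:
          secretName: authentik-pg-cluster-app
    volumeMounts:
      - name: postgres-creds
        mountPath: /postgres-creds
        readOnly: true

  additionalObjects:
    # CNPG PostgreSQL cluster backing authentik. The Secret mounted above
    # (authentik-pg-cluster-app) carries this cluster's name plus `-app`;
    # presumably it is the application-user Secret CNPG generates. Verify.
    - apiVersion: postgresql.cnpg.io/v1
      kind: Cluster
      metadata:
        name: authentik-pg-cluster
        namespace: authentik
      spec:
        instances: 2
        postgresql:
          # PostgreSQL parameters are passed as strings, hence the quoting.
          parameters:
            max_connections: "20"
            shared_buffers: "25MB"
            effective_cache_size: "75MB"
            maintenance_work_mem: "6400kB"
            checkpoint_completion_target: "0.9"
            wal_buffers: "768kB"
            default_statistics_target: "100"
            random_page_cost: "1.1"
            effective_io_concurrency: "300"
            work_mem: "640kB"
            huge_pages: "off"
            max_wal_size: "128MB"
        bootstrap:
          initdb:
            database: authentik
            owner: authentik
        storage:
          storageClass: local-path
          size: 10Gi
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
          limits:
            memory: 512Mi
        # WAL archiving goes through the Barman Cloud plugin to the
        # ObjectStore defined next.
        plugins:
          - enabled: true
            name: barman-cloud.cloudnative-pg.io
            isWALArchiver: true
            parameters:
              barmanObjectName: authentik-backup-store

    # Backup destination. These backups hold the identity provider's whole
    # database (accounts, credential hashes, tokens), so the bucket deserves
    # the same access control as the live database.
    - apiVersion: barmancloud.cnpg.io/v1
      kind: ObjectStore
      metadata:
        name: authentik-backup-store
        namespace: authentik
      spec:
        retentionPolicy: "30d"
        configuration:
          destinationPath: s3://postgresql-backups/authentik
          # NOTE(review): plain HTTP. WAL and base backups cross the cluster
          # network unencrypted. Use a TLS endpoint if the gateway offers one.
          endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
          # NOTE(review): these references point at a Secret named
          # authentik-pg-backup-creds, while the ObjectBucketClaim at the end
          # of this file is named authentik-pg-backups. A claim normally
          # yields a Secret named after the claim, so confirm that
          # authentik-pg-backup-creds is provisioned separately and that this
          # mismatch is intended.
          s3Credentials:
            accessKeyId:
              name: authentik-pg-backup-creds
              key: AWS_ACCESS_KEY_ID
            secretAccessKey:
              name: authentik-pg-backup-creds
              key: AWS_SECRET_ACCESS_KEY
          # Only compression is configured for WAL and data. No encryption
          # setting is visible here, so verify encryption at rest on the
          # bucket side.
          wal:
            compression: bzip2
          data:
            compression: bzip2

    - apiVersion: postgresql.cnpg.io/v1
      kind: ScheduledBackup
      metadata:
        name: authentik-pg-backup
        namespace: authentik
      spec:
        method: plugin
        # Take one backup as soon as this object is created, then follow the
        # schedule.
        immediate: true
        # Six-field cron expression; the first field is seconds.
        schedule: "0 30 3 * * *"  # 03:30 daily
        backupOwnerReference: self
        cluster:
          name: authentik-pg-cluster
        pluginConfiguration:
          name: barman-cloud.cloudnative-pg.io

    # Bucket claim for the backups, capped at 50Gi. The fixed bucketName
    # matches the bucket in the ObjectStore's destinationPath.
    - apiVersion: objectbucket.io/v1alpha1
      kind: ObjectBucketClaim
      metadata:
        name: authentik-pg-backups
        namespace: authentik
      spec:
        bucketName: postgresql-backups
        storageClassName: ceph-bucket
        additionalConfig:
          maxSize: "50Gi"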