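---
# Helm template rendering three resources:
#   1. the Argo CD Application that installs the authentik chart,
#   2. an ObjectBucketClaim providing the bucket for PostgreSQL backups,
#   3. the CloudNativePG Cluster that authentik uses as its database.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  namespace: argocd
spec:
  destination:
    namespace: authentik
    # Quoted so an empty or special-character value still renders as a
    # string instead of null or a parse error.
    server: "{{ .Values.spec.destination.server }}"
  # NOTE(review): Argo CD's `default` AppProject is unrestricted unless it
  # has been locked down; a dedicated project would limit which repos and
  # destinations this Application can use.
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  source:
    chart: authentik
    repoURL: https://charts.goauthentik.io
    targetRevision: "2025.4.0"
    helm:
      valuesObject:
        global:
          priorityClassName: homelab-critical
        authentik:
          # NOTE(security): secret_key is committed here in plaintext, so
          # anyone who can read this repository or the rendered
          # Application object can read it. Treat the value as exposed:
          # rotate it and load it from a Kubernetes Secret, for example
          # through the same file:// mount indirection the postgresql
          # settings below already use.
          secret_key: bGd7nChCpPQmypR64rgF
          postgresql:
            # Database settings are read from files under /postgres-creds,
            # which the server and worker pods mount from a Secret.
            host: file:///postgres-creds/host
            name: file:///postgres-creds/dbname
            user: file:///postgres-creds/username
            password: file:///postgres-creds/password
        server:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          ingress:
            ingressClassName: traefik
            enabled: true
            hosts:
              - authentik.noxxos.nl
            annotations:
              # NOTE(security): "web" is conventionally Traefik's plaintext
              # HTTP entrypoint. Confirm that TLS is terminated in front of
              # this route or that the entrypoint redirects to HTTPS; an
              # identity provider should not accept logins over cleartext.
              traefik.ingress.kubernetes.io/router.entrypoints: web
          volumes:
            # Presumably the application-user Secret that CloudNativePG
            # generates for pg-authentik-cluster (defined below); verify.
            - name: postgres-creds
              secret:
                secretName: pg-authentik-cluster-app
          volumeMounts:
            - name: postgres-creds
              mountPath: /postgres-creds
              readOnly: true
        worker:
          # Same credential mount as the server, so the file:// references
          # resolve in the worker pods as well.
          volumes:
            - name: postgres-creds
              secret:
                secretName: pg-authentik-cluster-app
          volumeMounts:
            - name: postgres-creds
              mountPath: /postgres-creds
              readOnly: true
        # The chart's bundled PostgreSQL is disabled; the database is the
        # CloudNativePG Cluster declared at the end of this file.
        postgresql:
          enabled: false
        redis:
          enabled: true
          master:
            persistence:
              enabled: false
        prometheus:
          rules:
            enabled: true
---
# Bucket that receives the PostgreSQL base backups and WAL archive.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: postgres-authentik-backup
  namespace: authentik
spec:
  bucketName: postgres-authentik-backup
  storageClassName: rgw-bulk
  additionalConfig:
    maxSize: "10G"
---
# Two-instance CloudNativePG cluster backing authentik.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: pg-authentik-cluster
  namespace: authentik
spec:
  instances: 2
  priorityClassName: homelab-critical
  resources:
    requests:
      memory: 128Mi
      cpu: 100m
    limits:
      memory: 1Gi
      cpu: '1'
  postgresql:
    parameters:
      max_connections: "200"
      shared_buffers: "32MB"
      effective_cache_size: "96MB"
      maintenance_work_mem: "8MB"
      wal_buffers: "2MB"
      random_page_cost: "1.1"
      effective_io_concurrency: "300"
      work_mem: "1MB"
  monitoring:
    enablePodMonitor: true
  storage:
    size: 1Gi
    storageClass: local-path
  backup:
    barmanObjectStore:
      # NOTE(security): plain HTTP to the in-cluster object gateway, so
      # backup data and the S3 credentials are unprotected in transit.
      # Prefer the gateway's HTTPS endpoint if it exposes one.
      endpointURL: http://rook-ceph-rgw-rgw-bulk.ceph.svc:80
      destinationPath: s3://postgres-authentik-backup/
      s3Credentials:
        # Keys come from the Secret named postgres-authentik-backup,
        # presumably the one the bucket provisioner creates for the
        # ObjectBucketClaim of the same name above; verify.
        accessKeyId:
          name: postgres-authentik-backup
          key: AWS_ACCESS_KEY_ID
        secretAccessKey:
          name: postgres-authentik-backup
          key: AWS_SECRET_ACCESS_KEY
      data:
        compression: bzip2
      wal:
        compression: bzip2
    retentionPolicy: "60d"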