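# Helm-templated manifests for the authentik identity provider:
#   1. Argo CD Application that installs the upstream authentik chart.
#   2. ObjectBucketClaim that provisions the bucket used for database backups.
#   3. CloudNativePG Cluster that provides authentik's PostgreSQL database.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  namespace: argocd
spec:
  destination:
    namespace: authentik
    # Quoted so an empty or special-character value still renders as a string.
    server: "{{ .Values.spec.destination.server }}"
  project: default
  syncPolicy:
    automated:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  source:
    chart: authentik
    repoURL: https://charts.goauthentik.io
    # Pinned chart version; quoted so it can never be re-typed as a number.
    targetRevision: '2025.4.0'
    helm:
      valuesObject:
        global:
          priorityClassName: homelab-critical
          # Database connection settings are injected from a Secret rather
          # than written into this file.
          # NOTE(review): the CloudNativePG Cluster in this file is named
          # pg-authentik-cluster, and the operator publishes application
          # credentials in a Secret called <cluster-name>-app. Confirm that a
          # Secret named postgres-authentik-cluster-app really exists in the
          # authentik namespace; otherwise these references will not resolve.
          env:
            # Was AUTHENTIK_DATABASE__HOST. authentik reads its PostgreSQL
            # settings from AUTHENTIK_POSTGRESQL__* (as the three entries
            # below do), so the old name left the host at the chart default.
            - name: AUTHENTIK_POSTGRESQL__HOST
              valueFrom:
                secretKeyRef:
                  name: postgres-authentik-cluster-app
                  key: host
            - name: AUTHENTIK_POSTGRESQL__NAME
              valueFrom:
                secretKeyRef:
                  name: postgres-authentik-cluster-app
                  key: dbname
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-authentik-cluster-app
                  key: password
            - name: AUTHENTIK_POSTGRESQL__USER
              valueFrom:
                secretKeyRef:
                  name: postgres-authentik-cluster-app
                  key: username
        authentik:
          # SECURITY(review): authentik's signing secret is stored in clear
          # text here, so it is readable by anyone who can read this
          # repository or the Application object in the argocd namespace.
          # Treat the value as disclosed: generate a new one, keep it in a
          # Kubernetes Secret (or a sealed/external secret), and inject it
          # as AUTHENTIK_SECRET_KEY through global.env with a secretKeyRef,
          # the same way the database credentials above are handled.
          # Rotating the key is expected to invalidate existing sessions.
          secret_key: bGd7nChCpPQmypR64rgF
        server:
          metrics:
            enabled: true
            serviceMonitor:
              enabled: true
          ingress:
            ingressClassName: traefik
            enabled: true
            hosts:
              - authentik.noxxos.nl
            annotations:
              # SECURITY(review): in a stock Traefik install `web` is the
              # plaintext HTTP entrypoint. This host serves login forms and
              # session cookies, so confirm TLS is terminated in front of it
              # or move the router to the TLS entrypoint and add a `tls`
              # section for the host.
              traefik.ingress.kubernetes.io/router.entrypoints: web
        # The chart's bundled PostgreSQL is disabled; the database comes from
        # the CloudNativePG Cluster defined later in this file.
        postgresql:
          enabled: false
        redis:
          enabled: true
        prometheus:
          rules:
            enabled: true
---
# Bucket for PostgreSQL base backups and WAL archives. The bucket provisioner
# is expected to create a Secret named after this claim that holds
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY; the Cluster below reads them.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: postgres-authentik-backup
  namespace: authentik
spec:
  bucketName: postgres-authentik-backup
  storageClassName: rgw-bulk
  additionalConfig:
    maxSize: "10G"
---
# Two-instance PostgreSQL cluster for authentik, managed by CloudNativePG.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: pg-authentik-cluster
  namespace: authentik
spec:
  instances: 2
  priorityClassName: homelab-critical
  resources:
    requests:
      memory: 128Mi
      cpu: 100m
    limits:
      memory: 1Gi
      cpu: '1'
  postgresql:
    # PostgreSQL parameters are passed as strings, hence the quoting.
    parameters:
      max_connections: "200"
      shared_buffers: "32MB"
      effective_cache_size: "96MB"
      maintenance_work_mem: "8MB"
      wal_buffers: "2MB"
      random_page_cost: "1.1"
      effective_io_concurrency: "300"
      work_mem: "1MB"
  monitoring:
    enablePodMonitor: true
  storage:
    size: 1Gi
    storageClass: local-path
  backup:
    barmanObjectStore:
      # SECURITY(review): backups and WAL hold the full identity database
      # (credential hashes, tokens, sessions) and are sent to the object
      # store over plain HTTP. Acceptable only if in-cluster traffic to the
      # ceph namespace is trusted or encrypted at another layer; otherwise
      # use an HTTPS endpoint.
      endpointURL: http://rook-ceph-rgw-rgw-bulk.ceph.svc:80
      destinationPath: s3://postgres-authentik-backup/
      s3Credentials:
        accessKeyId:
          name: postgres-authentik-backup
          key: AWS_ACCESS_KEY_ID
        secretAccessKey:
          name: postgres-authentik-backup
          key: AWS_SECRET_ACCESS_KEY
      # NOTE(review): no `encryption` is set for data or WAL, so at-rest
      # protection depends entirely on how the object store is configured.
      data:
        compression: bzip2
      wal:
        compression: bzip2
    retentionPolicy: "60d"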