authentik:
  # --- App Configuration ---
  authentik:
    error_reporting:
      enabled: false
    email:
      host: "smtp.example.com"
      port: 587
      username: "user"
      use_tls: true
      from: "authentik@stabify.de"
    secret_key: "" # Via Env Var

  # --- Server Component (UI & API) ---
  server:
    envFrom:
      - secretRef:
          name: authentik-secrets
    ingress:
      enabled: true
      ingressClassName: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
      hosts:
        - "auth.apps.k3s.stabify.de"
      paths:
        - "/"
      tls:
        - secretName: authentik-tls
          hosts:
            - "auth.apps.k3s.stabify.de"

  # --- Worker Component ---
  worker:
    envFrom:
      - secretRef:
          name: authentik-secrets

  # --- Dependencies (Postgres & Redis) ---
  postgresql:
    enabled: true
    image:
      tag: "15.5.0-debian-11-r2" # Älter aber existent
    auth:
      existingSecret: "authentik-secrets"
      secretKeys:
        adminPasswordKey: "postgres-password"
        userPasswordKey: "postgres-password"
    primary:
      persistence:
        enabled: true
        size: 8Gi

  redis:
    enabled: true
    image:
      tag: "7.2.4-debian-11-r2" # Älter aber existent
    auth:
      existingSecret: "authentik-secrets"
      existingSecretPasswordKey: "redis-password"
    architecture: standalone