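---
# Authentik Configuration (Shared Env Vars)
# Non-secret settings, loaded by both Deployments below through envFrom.
# No credentials are set here: the same Deployments also load a Secret named
# authentik-secrets, which presumably carries AUTHENTIK_SECRET_KEY and the
# PostgreSQL / SMTP passwords (TODO confirm; that Secret is not in this file).
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-config
  namespace: authentik
data:
  AUTHENTIK_REDIS__HOST: "authentik-redis"
  AUTHENTIK_POSTGRESQL__HOST: "authentik-postgresql"
  AUTHENTIK_POSTGRESQL__USER: "authentik"
  AUTHENTIK_POSTGRESQL__NAME: "authentik"
  AUTHENTIK_EMAIL__HOST: "smtp.example.com"
  AUTHENTIK_EMAIL__PORT: "587"
  # USE_TLS selects STARTTLS, which matches the submission port 587 above.
  AUTHENTIK_EMAIL__USE_TLS: "true"
  AUTHENTIK_EMAIL__USERNAME: "user"
  AUTHENTIK_EMAIL__FROM: "authentik@stabify.de"
  AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
---
# PVC for Media (Uploads)
# NOTE(review): this claim is ReadWriteOnce but is mounted by two Deployments
# (server and worker). RWO permits attachment from a single node only, so both
# pods must be scheduled on the same node or one will stay Pending. Confirm
# that is acceptable, or use an access mode the storage class supports for
# multi-node sharing.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media
  namespace: authentik
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
---
# SERVER (Web/API)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: authentik
  labels:
    app: authentik
    component: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik
      component: server
  template:
    metadata:
      labels:
        app: authentik
        component: server
    spec:
      containers:
        - name: authentik
          # Pinned to a release tag. Tags are mutable; pinning by digest
          # (image@sha256:<digest>) makes the deployed artifact verifiable.
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["server"]
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          # Hardening for an internet-facing identity provider: no privilege
          # escalation, no Linux capabilities (both listen ports are
          # unprivileged), and the runtime's default seccomp filter.
          # NOTE(review): assumes the image runs as a non-root user; verify.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 20
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media
---
# WORKER (Background Tasks)
# Same image and environment as the server, started with the "worker" argument.
# No ports or probes are declared for this container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: authentik
  labels:
    app: authentik
    component: worker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik
      component: worker
  template:
    metadata:
      labels:
        app: authentik
        component: worker
    spec:
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["worker"]
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          # Same container hardening as the server container.
          # NOTE(review): assumes the image runs as a non-root user; verify.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media
---
# Service in front of the server pods.
# Forwards port 80 to the container's plain-HTTP port 9000; the container's
# 9443 (https) port is not exposed here.
# NOTE(review): TLS is presumably terminated by an ingress or gateway in front
# of this Service. Confirm, since login traffic crosses this hop.
apiVersion: v1
kind: Service
metadata:
  name: authentik-server
  namespace: authentik
spec:
  ports:
    - port: 80
      targetPort: 9000
      protocol: TCP
      name: http
  selector:
    app: authentik
    component: server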