home-server/applications/40-authentik/authentik.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  namespace: argocd
spec:
  project: default
  source:
    repoURL: "https://charts.goauthentik.io/"
    chart: "authentik"
    targetRevision: "2025.6.4"
    type: "helm"
    helm:
      releaseName: "authentik"
      values: |
        global:
          envFrom:
            - secretRef:
                name: authentik-secret
        authentik:
          secret_key: "env://AUTHENTIK_SECRET_KEY"
          postgresql:
            password: "env://AUTHENTIK_POSTGRES_PASSWORD"
          error_reporting:
            enabled: true
        server:
          ingress:
            enabled: true
            hosts:
              - auth.hxme.net
            annotations:
              external-dns.alpha.kubernetes.io/hostname: auth.hxme.net
            tls:
              - secretName: wildcard-hxme-net
                hosts:
                  - auth.hxme.net
        postgresql:
          enabled: false
        redis:
          enabled: false

  destination:
    server: "https://kubernetes.default.svc"
    namespace: home-server
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true