# yaml-language-server: $schema=./values.schema.json image: repository: ghcr.io/goauthentik/server tag: 2026.5.4@sha256:a8e80071e5938cca7c8d03461a56740041f274d721100974e042b6d265001f50 pullPolicy: IfNotPresent geoipImage: repository: ghcr.io/maxmind/geoipupdate tag: v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 pullPolicy: IfNotPresent ldapImage: repository: ghcr.io/goauthentik/ldap tag: 2026.5.4@sha256:9812f9af3a9d9f82cefb101af03960d2b914d35327f1405f072e95c132f667c7 pullPolicy: IfNotPresent radiusImage: repository: ghcr.io/goauthentik/radius tag: 2026.5.4@sha256:db32f3c97af736281aa221e3810b563502bd9057c7f34118340ef136992fd191 pullPolicy: IfNotPresent proxyImage: repository: ghcr.io/goauthentik/proxy tag: 2026.5.4@sha256:3e990b064516f3aa50cdf3e2b3dd5cc17d4606e59f6ac16c99b7c476ff0a892e pullPolicy: IfNotPresent authentik: credentials: # Only works on initial install email: my-mail@example.com password: my-password # Optional, only set if you want to use it bootstrapToken: "" general: disableUpdateCheck: false disableStartupAnalytics: true allowUserChangeName: true allowUserChangeEmail: true allowUserChangeUsername: true overwriteDefaultBlueprints: false gdprCompliance: true tokenLength: 128 impersonation: true avatars: - gravatar - initials footerLinks: - name: Authentik href: https://goauthentik.io email: host: "" port: 587 username: password: useTLS: true useSSL: false timeout: 10 from: "" ldap: tlsCiphers: "null" taskTimeoutHours: 2 logging: # info, debug, warning, error, trace logLevel: info errorReporting: enabled: false sendPII: false environment: customer sentryDSN: "" geoip: enabled: false # Ignored if enabled is true # If enabled is false, and this is true, the # built-in GeoIP database will be wiped wipeBuiltInDb: false editionID: GeoLite2-City frequency: 8 accountID: "" licenseKey: "" outposts: proxy: enabled: false token: "" radius: enabled: false token: "" ldap: enabled: false token: "" # ===== DO NOT EDIT BELOW THIS LINE ===== workload: # ===== Server ===== main: enabled: true type: Deployment podSpec: containers: main: enabled: true primary: true imageSelector: image securityContext: runAsUser: 1000 runAsGroup: 1000 # readOnlyRootFilesystem: false envFrom: - configMapRef: name: server - secretRef: name: server-worker - configMapRef: name: server-worker args: - server probes: liveness: enabled: true type: exec command: - /lifecycle/ak - healthcheck readiness: enabled: true type: exec command: - /lifecycle/ak - healthcheck startup: enabled: true type: exec command: - /lifecycle/ak - healthcheck # ===== Worker ===== worker: enabled: true type: Deployment podSpec: containers: worker: enabled: true primary: true imageSelector: image securityContext: runAsUser: 1000 runAsGroup: 1000 # readOnlyRootFilesystem: false envFrom: - secretRef: name: server-worker - configMapRef: name: server-worker - configMapRef: name: worker args: - worker probes: liveness: enabled: true type: exec command: - /lifecycle/ak - healthcheck readiness: enabled: true type: exec command: - /lifecycle/ak - healthcheck startup: enabled: true type: exec command: - /lifecycle/ak - healthcheck # ===== PROXY ===== proxy: enabled: true type: Deployment podSpec: containers: proxy: enabled: true primary: true imageSelector: proxyImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: proxy - secretRef: name: proxy probes: liveness: enabled: true type: exec command: - /proxy - healthcheck readiness: enabled: true type: exec command: - /proxy - healthcheck startup: enabled: true type: exec command: - /proxy - healthcheck # ===== RADIUS ===== radius: enabled: true type: Deployment podSpec: containers: radius: enabled: true primary: true imageSelector: radiusImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: radius - secretRef: name: radius probes: liveness: enabled: true type: exec command: - /radius - healthcheck readiness: enabled: true type: exec command: - /radius - healthcheck startup: enabled: true type: exec command: - /radius - healthcheck # ===== LDAP ===== ldap: enabled: true type: Deployment podSpec: containers: ldap: enabled: true primary: true imageSelector: ldapImage securityContext: runAsUser: 1000 runAsGroup: 1000 envFrom: - configMapRef: name: ldap - secretRef: name: ldap probes: liveness: enabled: true type: exec command: - /ldap - healthcheck readiness: enabled: true type: exec command: - /ldap - healthcheck startup: enabled: true type: exec command: - /ldap - healthcheck # ===== GeoIP Updater ===== geoip: enabled: true type: Deployment podSpec: containers: geoip: enabled: true primary: true imageSelector: geoipImage securityContext: runAsUser: 0 runAsGroup: 0 capabilities: disableS6Caps: true envFrom: - configMapRef: name: geoip - secretRef: name: geoip probes: liveness: enabled: false readiness: enabled: false startup: enabled: false service: # Server HTTPS main: ports: main: protocol: https port: 10229 # Server HTTP http: enabled: true type: ClusterIP ports: http: enabled: true protocol: http port: 10230 # Proxy proxy: enabled: true targetSelector: proxy ports: http: enabled: true protocol: http port: 10227 targetSelector: proxy https: enabled: true protocol: https port: 10228 targetSelector: proxy # Radius radius: enabled: true targetSelector: radius ports: radius: enabled: true protocol: udp targetSelector: radius port: 1812 # LDAP ldap: enabled: true targetSelector: ldap ports: ldap: enabled: true port: 389 targetSelector: ldap # LDAPS ldaps: enabled: true targetSelector: ldap ports: ldaps: enabled: true port: 636 targetSelector: ldap # Server Metrics servermetrics: enabled: true type: ClusterIP ports: servermetrics: enabled: true protocol: http port: 10231 # Worker Metrics workermetrics: enabled: true type: ClusterIP targetSelector: worker ports: workermetrics: enabled: true protocol: http port: 10235 targetSelector: worker # Radius Metrics radiusmetrics: enabled: true type: ClusterIP targetSelector: radius ports: radiusmetrics: enabled: true protocol: http port: 10232 targetSelector: radius # LDAP Metrics ldapmetrics: enabled: true type: ClusterIP targetSelector: ldap ports: ldapmetrics: enabled: true protocol: http port: 10233 targetSelector: ldap # Proxy Metrics proxymetrics: enabled: true type: ClusterIP targetSelector: proxy ports: proxymetrics: enabled: true protocol: http port: 10234 targetSelector: proxy persistence: media: enabled: true targetSelector: main: main: mountPath: /data worker: worker: mountPath: /data templates: enabled: true targetSelector: main: main: mountPath: /templates worker: worker: mountPath: /templates blueprints: enabled: true targetSelector: worker: worker: # This will automatically change to `/blueprints` # if `overwriteDefaultBlueprints` is set to `true # Otherwise it will respect the value specified here mountPath: /blueprints/custom certs: enabled: true mountPath: /certs targetSelector: worker: worker: mountPath: /certs geoip: enabled: true targetSelector: main: main: mountPath: /geoip worker: worker: mountPath: /geoip geoip: geoip: mountPath: /usr/share/GeoIP cnpg: main: enabled: true user: authentik database: authentik metrics: servermetrics: enabled: true type: servicemonitor endpoints: - port: "servermetrics" path: /metrics targetSelector: servermetrics prometheusRule: enabled: false workermetrics: enabled: true type: servicemonitor endpoints: - port: "workermetrics" path: /metrics targetSelector: workermetrics prometheusRule: enabled: false radiusmetrics: enabled: true type: servicemonitor endpoints: - port: "radiusmetrics" path: /metrics targetSelector: radiusmetrics prometheusRule: enabled: false ldapmetrics: enabled: true type: servicemonitor endpoints: - port: "ldapmetrics" path: /metrics targetSelector: ldapmetrics prometheusRule: enabled: false proxymetrics: enabled: true type: servicemonitor endpoints: - port: "proxymetrics" path: /metrics targetSelector: proxymetrics prometheusRule: enabled: false updated: true ingress: main: required: true