Installation
This guide covers installing, upgrading, and uninstalling the AuthentikOperator Helm chart.
Prerequisites
- Kubernetes 1.28+ (K3s, EKS, GKE, AKS, etc.)
- Helm 3.12+
- A running Authentik instance with OIDC providers configured
- AUTHENTIK_BOOTSTRAP_TOKEN set on the Authentik instance (for initial token bootstrap)
Helm OCI Install
The chart is published as an OCI artifact on GHCR. Install it directly with helm install:
```bash
helm install authentik-operator \
  oci://ghcr.io/kettleofketchup/authentik-operator \
  --version 0.1.2 \
  --set authentik.url=https://auth.example.com \
  --namespace authentik-operator \
  --create-namespace
```
| Flag | Purpose |
|---|---|
| `oci://ghcr.io/kettleofketchup/authentik-operator` | OCI chart reference on GHCR |
| `--version 0.1.2` | Pin to a specific chart version (recommended) |
| `--set authentik.url=...` | Required. Base URL of your Authentik instance |
| `--namespace authentik-operator` | Target namespace for the operator |
| `--create-namespace` | Create the namespace if it does not exist |
OCI registry login
The chart repository is public. No helm registry login is required.
Custom Values File
For more complex configurations, create a values.yaml and pass it with -f:
```yaml
authentik:
  url: https://auth.example.com
  bootstrapSecretRef: authentik-bootstrap
  bootstrapSecretKey: bootstrap_token
  tokenSecretName: authentik-operator-token
reconcileInterval: 5m
bootstrap:
  enabled: true
resources:
  limits:
    cpu: 200m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 64Mi
```
Then install with:
```bash
helm install authentik-operator \
  oci://ghcr.io/kettleofketchup/authentik-operator \
  --version 0.1.2 \
  -f values.yaml \
  --namespace authentik-operator \
  --create-namespace
```
See Configuration for the full reference of available values.
ArgoCD Application
If you manage your cluster with ArgoCD, declare the operator as an Application:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik-operator
  namespace: argocd
spec:
  project: default
  source:
    chart: authentik-operator
    repoURL: ghcr.io/kettleofketchup
    targetRevision: 0.1.2
    helm:
      valuesObject:
        authentik:
          url: https://auth.example.com
  destination:
    server: https://kubernetes.default.svc
    namespace: authentik-operator
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```
Bootstrap Job and ArgoCD
The bootstrap Job is annotated as an ArgoCD PostSync hook. ArgoCD will run it automatically after a successful sync and clean it up on success. See the Bootstrap guide for details.
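Because the Application above syncs automatically with prune and selfHeal, a floating targetRevision would roll out every newly published chart without review. The following is an added example, not code from the operator project: a small audit over the JSON form of Application objects (for instance the output of `kubectl get applications -n argocd -o json`) that flags an unpinned chart version, an unexpected chart repository, or a non-HTTPS authentik.url. The function name, the checks chosen, and the sample input are assumptions constructed for illustration.

```python
import json
import re

# Exact versions only: Helm semver ranges ("0.1.*", ">=0.1.0", "*") float to the next publish.
EXACT = re.compile(r"^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
EXPECTED_REPO = "ghcr.io/kettleofketchup"  # registry path shown on this page
CHART = "authentik-operator"

def audit_application(app):
    """Return findings for one Argo CD Application (dict, as from `kubectl get -o json`)."""
    findings = []
    spec = app.get("spec", {})
    # Argo CD accepts a single `source` or a list of `sources`.
    sources = spec.get("sources") or [spec.get("source") or {}]
    automated = "automated" in (spec.get("syncPolicy") or {})
    for src in sources:
        if src.get("chart") != CHART:
            continue
        rev = str(src.get("targetRevision", ""))
        if not EXACT.match(rev):
            note = "; automated sync deploys new releases unreviewed" if automated else ""
            findings.append(f"targetRevision {rev!r} is not an exact version{note}")
        repo = src.get("repoURL", "").removeprefix("oci://").rstrip("/")
        if repo != EXPECTED_REPO:
            findings.append(f"unexpected chart repository {repo!r}")
        values = (src.get("helm") or {}).get("valuesObject") or {}
        url = (values.get("authentik") or {}).get("url", "")
        if url and not url.startswith("https://"):
            findings.append(f"authentik.url {url!r} is not https")
    return findings

# Constructed sample input: the manifest from this page, and a drifted copy of it.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "authentik-operator"},
   "spec": {"source": {"chart": "authentik-operator", "repoURL": "ghcr.io/kettleofketchup",
                       "targetRevision": "0.1.2",
                       "helm": {"valuesObject": {"authentik": {"url": "https://auth.example.com"}}}},
            "syncPolicy": {"automated": {"prune": true, "selfHeal": true}}}},
  {"metadata": {"name": "authentik-operator-drifted"},
   "spec": {"source": {"chart": "authentik-operator", "repoURL": "ghcr.io/kettleofketchup",
                       "targetRevision": "0.1.*",
                       "helm": {"valuesObject": {"authentik": {"url": "http://auth.example.com"}}}},
            "syncPolicy": {"automated": {"prune": true, "selfHeal": true}}}}
]}
""")["items"]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app["metadata"]["name"], audit_application(app) or "ok")
```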
Verifying the Installation
After installation, confirm the operator is running and the bootstrap completed successfully.
Check the operator pod
Expected output:
Check the bootstrap Job
If bootstrap is enabled and ArgoCD is managing the release, the Job will appear briefly and then be cleaned up. For non-ArgoCD installs, it remains for ttlSecondsAfterFinished (default 300s):
Verify the API token secret
The bootstrap Job creates this secret. Its presence confirms bootstrap succeeded:
Check OIDCClient CRD
Upgrading
Upgrade with helm upgrade, specifying the new chart version:
```bash
helm upgrade authentik-operator \
  oci://ghcr.io/kettleofketchup/authentik-operator \
  --version 0.2.0 \
  -f values.yaml \
  --namespace authentik-operator
```
CRD upgrades require manual application
Helm does not upgrade CRDs that were installed with the chart. If a new version ships updated CRDs, apply them manually before running helm upgrade:
Uninstalling
Remove the Helm release
Clean up CRDs
Helm does not delete CRDs on uninstall. Remove them manually if you are fully decommissioning the operator:
Deleting the CRD removes all OIDCClient resources
Deleting the CRD will cascade-delete every OIDCClient CR in the cluster. The Secrets those CRs created are not deleted automatically (they are not owned via ownerReferences since they live in different namespaces).