2025.12 upgrade

templates/server/deployment.yaml

@@ -0,0 +1,238 @@
+{{- if .Values.server.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "authentik.server.fullname" . }}
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.server.deploymentAnnotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key}}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- with include "authentik.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.server.deploymentStrategy) }}
+  strategy:
+    {{- trim . | nindent 4 }}
+  {{- end }}
+  {{- if not .Values.server.autoscaling.enabled }}
+  replicas: {{ .Values.server.replicas }}
+  {{- end }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 8 }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.server.podLabels) }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+    spec:
+      {{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.serviceAccountName }}
+      serviceAccountName: {{ . }}
+      {{- end }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.server.securityContext) }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- if .Values.server.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- with .Values.server.initContainers }}
+      initContainers:
+        {{- tpl (toYaml . ) $ | nindent 6 }}
+      {{- end }}
+      containers:
+        - name: {{ .Values.server.name }}
+          image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "authentik.defaultTag" .) .Values.server.image.tag }}{{- if (default .Values.global.image.digest .Values.server.image.digest) -}}@{{ default .Values.global.image.digest .Values.server.image.digest }}{{- end }}
+          imagePullPolicy: {{ default .Values.global.image.pullPolicy .Values.server.image.pullPolicy }}
+          args:
+            - server
+          env:
+            {{- with (concat .Values.global.env .Values.server.env) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            - name: AUTHENTIK_LISTEN__HTTP
+              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.http | quote }}
+            - name: AUTHENTIK_LISTEN__HTTPS
+              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.https | quote }}
+            - name: AUTHENTIK_LISTEN__METRICS
+              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.metrics | quote }}
+          envFrom:
+            - secretRef:
+                name: {{ template "authentik.secret.name" . }}
+            {{- with (concat .Values.global.envFrom .Values.server.envFrom) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.geoip.enabled .Values.global.volumeMounts .Values.server.volumeMounts }}
+          volumeMounts:
+            {{- with .Values.global.volumeMounts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.server.volumeMounts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- if .Values.geoip.enabled }}
+            - name: geoip-db
+              mountPath: /geoip
+            {{- end }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.server.containerPorts.http }}
+              protocol: TCP
+            - name: https
+              containerPort: {{ .Values.server.containerPorts.https }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.server.containerPorts.metrics }}
+              protocol: TCP
+          {{- with .Values.server.livenessProbe }}
+          livenessProbe:
+            {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.server.readinessProbe }}
+          readinessProbe:
+            {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.server.startupProbe }}
+          startupProbe:
+            {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.server.resources | nindent 12 }}
+          {{- with .Values.server.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.server.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- if .Values.geoip.enabled }}
+        - name: geoip
+          image: {{ .Values.geoip.image.repository }}:{{ .Values.geoip.image.tag }}{{- if .Values.geoip.image.digest -}}@{{ .Values.geoip.image.digest }}{{- end }}
+          imagePullPolicy: {{ .Values.geoip.image.pullPolicy }}
+          env:
+            {{- with .Values.geoip.env }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            - name: GEOIPUPDATE_FREQUENCY
+              value: {{ .Values.geoip.updateInterval | quote }}
+            - name: GEOIPUPDATE_PRESERVE_FILE_TIMES
+              value: "1"
+            {{- if not .Values.geoip.existingSecret.secretName }}
+            - name: GEOIPUPDATE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "authentik.fullname" . }}
+                  key: GEOIPUPDATE_ACCOUNT_ID
+            - name: GEOIPUPDATE_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "authentik.fullname" . }}
+                  key: GEOIPUPDATE_LICENSE_KEY
+            {{- else }}
+            - name: GEOIPUPDATE_ACCOUNT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.geoip.existingSecret.secretName }}
+                  key: {{ .Values.geoip.existingSecret.accountId }}
+            - name: GEOIPUPDATE_LICENSE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.geoip.existingSecret.secretName }}
+                  key: {{ .Values.geoip.existingSecret.licenseKey }}
+            {{- end }}
+            - name: GEOIPUPDATE_EDITION_IDS
+              value: {{ required "geoip edition id required" .Values.geoip.editionIds | quote }}
+          {{- with .Values.geoip.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- with .Values.geoip.volumeMounts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            - name: geoip-db
+              mountPath: /usr/share/GeoIP
+          resources:
+            {{- toYaml .Values.geoip.resources | nindent 12 }}
+          {{- with .Values.geoip.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- with .Values.server.extraContainers }}
+          {{- tpl (toYaml . ) $ | nindent 8 }}
+        {{- end }}
+      {{- with include "authentik.affinity" (dict "context" . "component" .Values.server) }}
+      affinity:
+        {{- trim . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.tolerations | default .Values.global.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+      - {{ toYaml $constraint | nindent 8 | trim }}
+        {{- if not $constraint.labelSelector }}
+        labelSelector:
+          matchLabels:
+            {{- include "authentik.selectorLabels" (dict "context" $ "component" $.Values.server.name) | nindent 12 }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if or .Values.geoip.enabled .Values.global.volumes .Values.server.volumes }}
+      volumes:
+      {{- with .Values.global.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.geoip.enabled }}
+        - name: geoip-db
+          emptyDir: {}
+      {{- end }}
+      {{- end }}
+      enableServiceLinks: true
+      {{- if .Values.server.hostNetwork }}
+      hostNetwork: {{ .Values.server.hostNetwork }}
+      {{- end }}
+      {{- with .Values.server.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.server.dnsPolicy }}
+      dnsPolicy: {{ .Values.server.dnsPolicy }}
+      {{- end }}
+{{- end }}

templates/server/hpa.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.server.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "authentik.server.fullname" . }}
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+  {{- with .Values.server.autoscaling.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "authentik.server.fullname" . }}
+  minReplicas: {{ .Values.server.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.server.autoscaling.maxReplicas }}
+  metrics:
+  {{- with .Values.server.autoscaling.metrics }}
+    {{- toYaml . | nindent 4 }}
+  {{- else }}
+    {{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ . }}
+    {{- end }}
+    {{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ . }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.server.autoscaling.behavior }}
+  behavior:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

templates/server/ingress.yaml

@@ -0,0 +1,73 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.server.ingress.enabled -}}
+{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
+{{- $paths := .Values.server.ingress.paths -}}
+{{- $extraPaths := .Values.server.ingress.extraPaths -}}
+{{- $pathType := .Values.server.ingress.pathType -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "authentik.server.fullname" . }}
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+    {{- with .Values.server.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.server.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.server.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+  {{- if .Values.server.ingress.hosts }}
+    {{- range $host := .Values.server.ingress.hosts }}
+    - host: {{ $host | quote }}
+      http:
+        paths:
+          {{- with $extraPaths }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- range $p := $paths }}
+          - path: {{ tpl (toYaml $p) $ }}
+            pathType: {{ $pathType }}
+            backend:
+              service:
+                name: {{ include "authentik.server.fullname" $ }}
+                port:
+                  {{- if kindIs "float64" $servicePort }}
+                  number: {{ $servicePort }}
+                  {{- else }}
+                  name: {{ $servicePort }}
+                  {{- end }}
+          {{- end -}}
+    {{- end -}}
+  {{- else }}
+    - http:
+        paths:
+          {{- with $extraPaths }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- range $p := $paths }}
+          - path: {{ tpl (toYaml $p) $ }}
+            pathType: {{ $pathType }}
+            backend:
+              service:
+                name: {{ include "authentik.server.fullname" $ }}
+                port:
+                  {{- if kindIs "float64" $servicePort }}
+                  number: {{ $servicePort }}
+                  {{- else }}
+                  name: {{ $servicePort }}
+                  {{- end }}
+          {{- end -}}
+  {{- end -}}
+  {{- with .Values.server.ingress.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

templates/server/metrics.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.server.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "authentik.server.fullname" . }}-metrics
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }}
+    {{- with .Values.server.metrics.service.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.server.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
+  annotations:
+    {{- if .Values.global.addPrometheusAnnotations }}
+    prometheus.io/port: {{ .Values.server.metrics.service.servicePort | quote }}
+    prometheus.io/scrape: "true"
+    {{- end }}
+    {{- range $key, $value := .Values.server.metrics.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  type: {{ .Values.server.metrics.service.type }}
+  {{- if and .Values.server.metrics.service.clusterIP (eq .Values.server.metrics.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.server.metrics.service.clusterIP }}
+  {{- end }}
+  ports:
+  - name: {{ .Values.server.metrics.service.portName }}
+    protocol: TCP
+    port: {{ .Values.server.metrics.service.servicePort }}
+    targetPort: metrics
+  selector:
+    {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+{{- end }}
+{{- end }}

templates/server/pdb.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.server.enabled }}
+{{- if .Values.server.pdb.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "authentik.server.fullname" . }}
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+    {{- with .Values.server.pdb.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{ with .Values.server.pdb.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.server.pdb.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- else }}
+  minAvailable: {{ .Values.server.pdb.minAvailable | default 0 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }}
+{{- end }}
+{{- end }}

templates/server/route.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.server.enabled }}
+{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}}
+{{- range $name, $route := .Values.server.route }}
+{{- if $route.enabled }}
+apiVersion: {{ $route.apiVersion | default "gateway.networking.k8s.io/v1" }}
+kind: {{ $route.kind | default "HTTPRoute" }}
+metadata:
+  name: {{ include "authentik.server.fullname" $ }}{{ if ne $name "main" }}-{{ $name }}{{ end }}
+  namespace: {{ include "authentik.namespace" $ | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" $ "component" $.Values.server.name) | nindent 4 }}
+    {{- with $route.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $route.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with $route.parentRefs }}
+  parentRefs:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $route.hostnames }}
+  hostnames:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- if $route.additionalRules }}
+    {{- tpl (toYaml $route.additionalRules) $ | nindent 4 }}
+    {{- end }}
+    {{- if $route.httpsRedirect }}
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+    {{- else }}
+    - backendRefs:
+        - name: {{ include "authentik.server.fullname" $ }}
+          port: {{ $servicePort }}
+      {{- with $route.filters }}
+      filters:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $route.matches }}
+      matches:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    {{- end }}
+{{- end }}
+---
+{{- end }}
+{{- end }}

templates/server/service.yaml

@@ -0,0 +1,71 @@
+{{- if .Values.server.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "authentik.server.fullname" . }}
+  namespace: {{ include "authentik.namespace" . | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+    {{- with .Values.server.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.server.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.server.service.type }}
+  ports:
+    - name: {{ .Values.server.service.servicePortHttpName }}
+      protocol: TCP
+      port: {{ .Values.server.service.servicePortHttp }}
+      targetPort: {{ .Values.server.containerPorts.http }}
+      {{- if eq .Values.server.service.type "NodePort" }}
+      nodePort: {{ .Values.server.service.nodePortHttp }}
+      {{- end }}
+      {{- with .Values.server.service.servicePortHttpAppProtocol }}
+      appProtocol: {{ . }}
+      {{- end }}
+    - name: {{ .Values.server.service.servicePortHttpsName }}
+      protocol: TCP
+      port: {{ .Values.server.service.servicePortHttps }}
+      targetPort: {{ .Values.server.containerPorts.https }}
+      {{- if eq .Values.server.service.type "NodePort" }}
+      nodePort: {{ .Values.server.service.nodePortHttps }}
+      {{- end }}
+      {{- with .Values.server.service.servicePortHttpsAppProtocol }}
+      appProtocol: {{ . }}
+      {{- end }}
+  selector:
+    {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }}
+  {{- if eq .Values.server.service.type "LoadBalancer" }}
+  {{- if .Values.server.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.server.service.loadBalancerIP | quote }}
+  {{- end }}
+  {{- if .Values.server.service.externalIPs }}
+  externalIPs: {{ .Values.server.service.externalIPs }}
+  {{- end }}
+  {{- if .Values.server.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{ toYaml .Values.server.service.loadBalancerSourceRanges | indent 4 }}
+  {{- end }}
+  {{- end -}}
+  {{- if eq .Values.server.service.type "ClusterIP" }}
+  {{- if .Values.server.service.clusterIP }}
+  clusterIP: {{ .Values.server.service.clusterIP | quote }}
+  {{- end }}
+  {{- end -}}
+  {{- with .Values.server.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ . }}
+  {{- end }}
+  {{- with .Values.server.service.sessionAffinity }}
+  sessionAffinity: {{ . }}
+  {{- end }}
+  {{- with .Values.server.service.sessionAffinityConfig }}
+  sessionAffinityConfig:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.server.service.publishNotReadyAddresses }}
+  publishNotReadyAddresses: {{ . }}
+  {{- end }}
+{{- end }}

templates/server/servicemonitor.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.server.enabled }}
+{{- if and .Values.server.metrics.enabled .Values.server.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "authentik.server.fullname" . }}
+  namespace: {{ .Values.server.metrics.serviceMonitor.namespace | default (include "authentik.namespace" .) | quote }}
+  labels:
+    {{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }}
+    {{- with .Values.server.metrics.serviceMonitor.selector }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.server.metrics.serviceMonitor.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.server.metrics.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+    - port: {{ .Values.server.metrics.service.portName }}
+      {{- with .Values.server.metrics.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.server.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      path: /metrics
+      {{- with .Values.server.metrics.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.server.metrics.serviceMonitor.scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .Values.server.metrics.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "authentik.namespace" . }}
+  selector:
+    matchLabels:
+      {{- include "authentik.selectorLabels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 6 }}
+{{- end }}
+{{- end }}