authentik/website/docs/installation/kubernetes.md

---
title: Kubernetes installation
---

authentik is installed using a helm-chart.

To install authentik using the helm chart, generate a password for the database and the cache, using `pwgen -s 50 1` or `openssl rand -base64 36`.

Create a values.yaml file with a minimum of these settings:

```yaml
authentik:
  secret_key: "PleaseGenerateA50CharKey"
  # This sends anonymous usage-data, stack traces on errors and
  # performance data to sentry.beryju.org, and is fully opt-in
  error_reporting:
    enabled: true
  postgresql:
    password: "ThisIsNotASecurePassword"

ingress:
  enabled: true
  hosts:
  - host: authentik.domain.tld
    paths:
    - path: "/"
      pathType: Prefix

postgresql:
  enabled: true
  postgresqlPassword: "ThisIsNotASecurePassword"
redis:
  enabled: true

```

See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).

Afterwards, run these commands to install authentik:

```
helm repo add authentik https://charts.goauthentik.io
helm repo update
helm upgrade --install authentik authentik/authentik -f values.yaml
```

This installation automatically applies database migrations on startup. After the installation is done, navigate to the `https://<ingress you've specified>/if/flow/initial-setup/`, to set a password for the akadmin user.

It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts, configuration issues. They can also be used by [Email stages](../flow/stages/email/) to send verification/recovery emails.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00			`---`
			`title: Kubernetes installation`
			`---`

root: fix references to helm chart Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-13 12:30:44 +00:00			`authentik is installed using a helm-chart.`
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00
website/docs: Enable 'secure' option for pwgen (#2260) * Enable 'secure' option for pwgen As per the [pwgen manual](https://linux.die.net/man/1/pwgen, "pwgen manual"), the "-s"(secure) option instructs pwgen to generate completely random passwords, where as the default for pwgen is to generate more memorable passwords. Since, the passwords generated in this part of the installation process are to be "remembered" by the dot env file, I believe that users may benefit from the additional entropy provided by the "-s" option in pwgen. * Enable 'secure' option for pwgen 2022-02-08 11:24:29 +00:00			To install authentik using the helm chart, generate a password for the database and the cache, using `pwgen -s 50 1` or `openssl rand -base64 36`.
docs: add note for minimum values.yaml file for k8s install closes #745 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-17 09:06:21 +00:00
			`Create a values.yaml file with a minimum of these settings:`

			```yaml
website/docs: update k8s install docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-21 17:02:05 +00:00			`authentik:`
			`secret_key: "PleaseGenerateA50CharKey"`
			`# This sends anonymous usage-data, stack traces on errors and`
			`# performance data to sentry.beryju.org, and is fully opt-in`
			`error_reporting:`
			`enabled: true`
			`postgresql:`
			`password: "ThisIsNotASecurePassword"`

			`ingress:`
			`enabled: true`
			`hosts:`
			`- host: authentik.domain.tld`
			`paths:`
			`- path: "/"`
			`pathType: Prefix`

docs: add note for minimum values.yaml file for k8s install closes #745 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-17 09:06:21 +00:00			`postgresql:`
website/docs: update k8s install docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-21 17:02:05 +00:00			`enabled: true`
			`postgresqlPassword: "ThisIsNotASecurePassword"`
docs: add note for minimum values.yaml file for k8s install closes #745 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-17 09:06:21 +00:00			`redis:`
website/docs: update k8s install docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-21 17:02:05 +00:00			`enabled: true`

docs: add note for minimum values.yaml file for k8s install closes #745 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-17 09:06:21 +00:00			```

root: remove old helm chart Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 14:25:11 +00:00			`See all configurable values on [artifacthub](https://artifacthub.io/packages/helm/goauthentik/authentik).`

docs: add note for minimum values.yaml file for k8s install closes #745 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-17 09:06:21 +00:00			`Afterwards, run these commands to install authentik:`
Application Icon upload (#341) * core: add initial implementation for File Upload * root: add volumes to docker-compose for file upload * helm: add pvc for uploads * core: allow meta_icon to be overwritten with static files 2020-11-23 19:50:19 +00:00
			```
website/docs: fix URL for new chart repo Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-09 15:32:14 +00:00			`helm repo add authentik https://charts.goauthentik.io`
Application Icon upload (#341) * core: add initial implementation for File Upload * root: add volumes to docker-compose for file upload * helm: add pvc for uploads * core: allow meta_icon to be overwritten with static files 2020-11-23 19:50:19 +00:00			`helm repo update`
website/docs: default to upgrade with install flag set (#2234) 2022-02-04 21:36:34 +00:00			`helm upgrade --install authentik authentik/authentik -f values.yaml`
Application Icon upload (#341) * core: add initial implementation for File Upload * root: add volumes to docker-compose for file upload * helm: add pvc for uploads * core: allow meta_icon to be overwritten with static files 2020-11-23 19:50:19 +00:00			```

improved out-of-box experience (#704) 2021-04-06 18:25:22 +00:00			This installation automatically applies database migrations on startup. After the installation is done, navigate to the `https://<ingress you've specified>/if/flow/initial-setup/`, to set a password for the akadmin user.
Migrate to Docusaurus (#329) * docs: initial migration to docusaurus * website: add custom font, update blurbs and icons * website: update splash * root: update links to docs * flows: use .pbflow extension so docusaurus doesn't mangle the files * e2e: workaround prospector * Squashed commit of the following: commit 1248585dcae5d65ddb8ecc75b76204fd1407c33a Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:46:53 2020 +0100 e2e: attempt to fix prospector error again commit 1319c480c4c6f86cf0dde91305dea52749c867a3 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Sun Nov 15 20:41:35 2020 +0100 ci: install previous python version for upgrade testing * web: update accent colours and format * website: format markdown files * website: fix colours for text * website: switch to temporary accent colour to improve readability * flows: fix path for TestTransferDocs * flows: fix formatting of tests 2020-11-15 21:42:02 +00:00
website: remove remaining /index URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-13 17:57:13 +00:00			`It is also recommended to configure global email credentials. These are used by authentik to notify you about alerts, configuration issues. They can also be used by [Email stages](../flow/stages/email/) to send verification/recovery emails.`