diff --git a/kubernetes/apps/security/authentik/app/externalsecret.yaml b/kubernetes/apps/security/authentik/app/externalsecret.yaml
new file mode 100644
index 000000000..4d8f4d1b1
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/externalsecret.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ refreshInterval: 15m
+ target:
+ name: authentik-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ # Authentik
+ AUTHENTIK_BOOTSTRAP_EMAIL: '{{ .AUTHENTIK_EMAIL }}'
+ AUTHENTIK_BOOTSTRAP_PASSWORD: '{{ .AUTHENTIK_PASSWORD }}'
+ AUTHENTIK_BOOTSTRAP_TOKEN: '{{ .AUTHENTIK_TOKEN }}'
+ AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+ AUTHENTIK_REDIS__DB: "1"
+ AUTHENTIK_POSTGRESQL__NAME: '{{ .dbname }}'
+ AUTHENTIK_POSTGRESQL__HOST: '{{ .host }}' #pgBouncer is set to session for Grafana, and Authentik requires transaction
+ AUTHENTIK_POSTGRESQL__USER: '{{ .user }}'
+ AUTHENTIK_POSTGRESQL__PASSWORD: '{{ .password }}'
+ AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+ AUTHENTIK_POSTGRESQL__SSLMODE: 'require'
+ dataFrom:
+ - extract:
+ key: postgres-pguser-authentik
+ - extract:
+ key: authentik
diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml
new file mode 100644
index 000000000..eaa58cb01
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml
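Review bot: `AUTHENTIK_POSTGRESQL__SSLMODE: 'require'` encrypts the database connection but does not verify the server certificate, so the pod will complete a TLS handshake with whatever answers at `{{ .host }}`; if the `postgres-pguser-authentik` secret also carries a CA bundle (which cannot be confirmed from this hunk), `AUTHENTIK_POSTGRESQL__SSLMODE: 'verify-full'` together with `AUTHENTIK_POSTGRESQL__SSLROOTCERT` pointing at that CA would authenticate the server as well. The inline `#pgBouncer is set to session for Grafana, and Authentik requires transaction` comment sits on the `HOST` line but explains `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'` three lines below; move it above that key and write it as `# pgBouncer is set to session for Grafana, and Authentik requires transaction`. The template assumes the first `extract` yields `dbname`/`host`/`user`/`password` and the second yields the `AUTHENTIK_*` values; a one-line comment above `dataFrom:` naming which secret supplies which keys would save the next reader a lookup.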
@@ -0,0 +1,54 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: authentik
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: authentik
+ version: 2024.6.0
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ global:
+ podAnnotations:
+ secret.reloader.stakater.com/reload: authentik-secret
+ deploymentStrategy:
+ type: RollingUpdate
+ envFrom:
+ - secretRef:
+ name: authentik-secret
+ authentik:
+ redis:
+ host: redis.database.svc.cluster.local
+ server:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ metrics:
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: external
+ # annotations:
+ hosts:
+ - sso.${SECRET_DOMAIN}
+ https: false
+ worker:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml
new file mode 100644
index 000000000..4eed917b9
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml
new file mode 100644
index 000000000..cd37515eb
--- /dev/null
+++ b/kubernetes/apps/security/authentik/ks.yaml
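Review bot: The `server.ingress` block publishes `sso.${SECRET_DOMAIN}` on the `external` ingress class with `https: false`, no `tls:` entry and a dangling `# annotations:` stub, so nothing in this file declares TLS for an internet-facing identity provider; if termination is done by a wildcard certificate on the `external` controller that is fine, but it is not visible here and deserves a comment such as `# TLS is terminated by the external ingress controller's wildcard cert` next to `https: false`, and the empty `# annotations:` line should either carry the intended annotations or be dropped. Separately, `authentik.redis.host` points at `redis.database.svc.cluster.local` while the companion secret sets only `AUTHENTIK_REDIS__DB`, so session and cache data will live in a Redis reached without `AUTHENTIK_REDIS__PASSWORD`; that is acceptable only if a NetworkPolicy or Redis ACL already limits who in the cluster can talk to that service. Both `server.autoscaling` and `worker.autoscaling` set `minReplicas: 1` without `maxReplicas`, so the upper bound comes from the chart default, which is worth stating explicitly for a component that holds login sessions.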
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://lds-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app authentik
+ namespace: flux-system
+spec:
+ targetNamespace: security
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cluster-apps-external-database
+ - name: external-secrets-stores
+ path: ./kubernetes/apps/security/authentik/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false # no flux ks dependents
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
index 2cf386965..470442908 100644
--- a/kubernetes/apps/security/kustomization.yaml
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization resources: - ./namespace.yaml - ./pastebin/ks.yaml + - ./authentik/ks.yaml
diff --git a/kubernetes/flux/repositories/helm/authentik.yaml b/kubernetes/flux/repositories/helm/authentik.yaml
index abc712dcf..54770c6a8 100644
--- a/kubernetes/flux/repositories/helm/authentik.yaml
+++ b/kubernetes/flux/repositories/helm/authentik.yaml
@@ -2,9 +2,9 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: - name: authentik + name: authentik-charts namespace: flux-system spec: interval: 1h - url: https://charts.goauthentik.io/ + url: https://charts.goauthentik.io timeout: 3m