diff --git a/cluster/base/infra/authentik.yaml b/cluster/base/infra/authentik.yaml
new file mode 100644
index 0000000..dce73f9
--- /dev/null
+++ b/cluster/base/infra/authentik.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-authentik
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra/controllers/authentik
+ dependsOn:
+ - name: infra-1password-config
+ prune: true
+ retryInterval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ timeout: 5m0s
+ wait: true
diff --git a/cluster/base/infra/longhorn.yaml b/cluster/base/infra/longhorn.yaml
index 1e387cf..b1f5d16 100644
--- a/cluster/base/infra/longhorn.yaml
+++ b/cluster/base/infra/longhorn.yaml
@@ -7,8 +7,6 @@ metadata:
 spec:
 interval: 1h0m0s
 path: ./infra/controllers/longhorn
- dependsOn:
- - name: infra-metallb-config
 prune: true
 retryInterval: 1m0s
 sourceRef:
diff --git a/cluster/base/infra/namespaces.yaml b/cluster/base/infra/namespaces.yaml
index b565110..2baab8f 100644
--- a/cluster/base/infra/namespaces.yaml
+++ b/cluster/base/infra/namespaces.yaml
@@ -38,3 +38,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: reflector-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik-system
diff --git a/infra/configs/cert-manager/certificates.yaml b/infra/configs/cert-manager/certificates.yaml
index 1782754..1855948 100644
--- a/infra/configs/cert-manager/certificates.yaml
+++ b/infra/configs/cert-manager/certificates.yaml
@@ -30,4 +30,3 @@ spec:
 annotations:
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
- # reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik-system" # Control auto-reflection namespaces
diff --git a/infra/controllers/authentik/authentik.yaml b/infra/controllers/authentik/authentik.yaml
new file mode 100644
index 0000000..558b568
--- /dev/null
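Review bot: `dependsOn` names only `infra-1password-config`, yet the path this Kustomization applies (`./infra/controllers/authentik`, added in the same commit) references a traefik IngressClass and the cert-manager wildcard TLS secret reflected into `authentik-system`, so on a fresh bootstrap the HelmRelease can be reconciled before either exists. If Flux Kustomizations for traefik and cert-manager exist (the longhorn file in this commit shows the `infra-<name>-config` naming), list them under the existing entry, e.g. `- name: infra-cert-manager-config`; I cannot see the other Kustomization names from this diff, so match whatever is actually defined. A missing TLS secret will not fail the Helm install, it just lets traefik serve its default certificate until reflector catches up, so this is an ordering nicety rather than a hard failure.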
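Review bot: The new `authentik-system` Namespace carries no Pod Security Admission labels, so the identity provider and the PostgreSQL and Redis it bundles (per the HelmRelease in this commit) are admitted with no namespace-level restriction on privileged containers, host namespaces or host paths unless the cluster sets defaults via AdmissionConfiguration. The neighbouring `reflector-system` entry carries none either, so this follows the file's pattern; still, a namespace holding an IdP is a reasonable place to start, e.g. `labels:` with `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` to surface what a tighter level would reject before enforcing it. Whether the authentik chart's pods pass `baseline` I cannot confirm from here; try the `warn` label first or a server-side dry run.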
+++ b/infra/controllers/authentik/authentik.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: authentik-secret-key
+ namespace: authentik-system
+spec:
+ itemPath: "vaults/cluster/items/authentik-secret-key"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: authentik-postgresql-password
+ namespace: authentik-system
+spec:
+ itemPath: "vaults/cluster/items/authentik-postgresql-password"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: authentik-repo
+ namespace: authentik-system
+spec:
+ interval: 15m0s
+ url: https://charts.goauthentik.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik-system
+spec:
+ chart:
+ spec:
+ chart: authentik
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-repo
+ version: 2024.10.1
+ interval: 1m0s
+ values:
+ authentik:
+ secret_key:
+ valueFrom:
+ secretKeyRef:
+ name: authentik-secret-key
+ key: password
+ error_reporting:
+ enabled: false
+ postgresql:
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-password
+ key: password
+ server:
+ ingress:
+ ingressClassName: traefik
+ enabled: true
+ hosts:
+ - authentik.yadunut.dev
+ tls:
+ - secretName: wildcard-cert-yadunut.dev-prod
+ hosts:
+ - authentik.yadunut.dev
+ postgresql:
+ enabled: true
+ auth:
+ password:
+ secretKeyRef:
+ name: authentik-postgresql-password
+ key: password
+ redis:
+ enabled: true
+
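Review bot: `postgresql.auth.password` near the end of the hunk is given a `secretKeyRef` map, but that block is values for the PostgreSQL subchart the authentik chart bundles (Bitnami, as far as I know), which expects `auth.password` to be a plain string; as far as I can tell it would stringify the map into the generated database secret, so the server would be initialised with a different password from the one authentik reads via `authentik.postgresql.password` and never connect. The subchart's way to consume an existing Secret is `existingSecret: authentik-postgresql-password` plus `secretKeys:` / `userPasswordKey: password` under `auth:` in place of the `password:` block; also check whether the 1Password item needs the admin key that subchart defaults to (`postgres-password`), and confirm the rendered output with `helm template` before merging. The `valueFrom` form under `authentik.secret_key` and `authentik.postgresql.password` appears to be the authentik chart's own supported env-var mapping and is fine. Separately, the ingress TLS secret `wildcard-cert-yadunut.dev-prod` only exists in `authentik-system` because the certificate's reflector annotations (touched in this commit) auto-reflect it into every namespace; if the wildcard private key should not be copied cluster-wide, scope `reflection-auto-namespaces` to the namespaces that need it, e.g. `"traefik-system,authentik-system"`.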