diff --git a/wekan/secrets.yaml b/wekan/secrets.yaml new file mode 100644 index 0000000..60be254 --- /dev/null +++ b/wekan/secrets.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: wekan-secrets + namespace: wekan +type: Opaque +stringData: + MONGO_INITDB_ROOT_USERNAME: wekan + MONGO_INITDB_ROOT_PASSWORD: change-me-now + MONGO_URL: mongodb://wekan:change-me-now@mongodb:27017/wekan?authSource=admin + + # Authentik OIDC client secret + OAUTH2_SECRET: CrPJELM3K7orJtjNatDY8Ar3sBF5BfF08TWcKyPjlbhk21JYBIQcVq0SV3KsxHdX4Soa5o4X14uCFIxkOoyGZszUmI6zjc6m1hasxtPh2EjUZWKr2Aa4iM6YU8L71h0w \ No newline at end of file diff --git a/wekan/wekan.yaml b/wekan/wekan.yaml index 3e6e12e..98e79d2 100644 --- a/wekan/wekan.yaml +++ b/wekan/wekan.yaml @@ -2,17 +2,7 @@ apiVersion: v1 kind: Namespace metadata: name: wekan ---- -apiVersion: v1 -kind: Secret -metadata: - name: wekan-secrets - namespace: wekan -type: Opaque -stringData: - MONGO_INITDB_ROOT_USERNAME: wekan - MONGO_INITDB_ROOT_PASSWORD: change-me-now - MONGO_URL: mongodb://wekan:change-me-now@mongodb:27017/wekan?authSource=admin + --- apiVersion: v1 kind: PersistentVolumeClaim 
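Review bot: The new `wekan/secrets.yaml` commits what looks like a live Authentik client secret under `OAUTH2_SECRET` in plaintext `stringData`, so anyone with read access to the repository or its history can read it. Treat the value as exposed: rotate it in Authentik and keep the real value out of plain git, for example by encrypting the file (SOPS, Sealed Secrets) or by letting an external secrets operator populate `wekan-secrets`. The same file still carries the placeholder `change-me-now` as `MONGO_INITDB_ROOT_PASSWORD` and inside `MONGO_URL`; if that is what is actually deployed, replace it with a generated value at the same time. The file also ends without a trailing newline.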
@@ -141,44 +131,71 @@ spec: containers: - name: wekan image: ghcr.io/wekan/wekan:v8.42 - imagePullPolicy: IfNotPresent + imagePullPolicy: Always ports: - containerPort: 8080 name: http env: - - name: BIND_IP - value: "::" - name: ROOT_URL value: "https://wekan.apps.undercloud.dev" - name: PORT value: "8080" + - name: BIND_IP + value: "::" - name: WITH_API value: "true" - name: WRITABLE_PATH value: "/data" + - name: MONGO_URL valueFrom: secretKeyRef: name: wekan-secrets key: MONGO_URL + + - name: OAUTH2_ENABLED + value: "true" + - name: OAUTH2_CLIENT_ID + value: "M2OSpsajCTak2sfhP5qR6T1Lb2KtBgBBopCvX3vs" + - name: OAUTH2_SECRET + valueFrom: + secretKeyRef: + name: wekan-secrets + key: OAUTH2_SECRET + - name: OAUTH2_SERVER_URL + value: "https://auth.apps.undercloud.dev/application/o/wekan/" + - name: OAUTH2_AUTH_ENDPOINT + value: "authorize/" + - name: OAUTH2_TOKEN_ENDPOINT + value: "token/" + - name: OAUTH2_USERINFO_ENDPOINT + value: "userinfo/" + - name: OAUTH2_ID_MAP + value: "sub" + - name: OAUTH2_USERNAME_MAP + value: "preferred_username" + - name: OAUTH2_FULLNAME_MAP + value: "name" + - name: OAUTH2_EMAIL_MAP + value: "email" + - name: OAUTH2_REQUEST_PERMISSIONS + value: "openid email profile" + volumeMounts: - name: wekan-data mountPath: /data - #readinessProbe: - # httpGet: - # path: / - # port: 8080 - # host: 127.0.0.1 - # initialDelaySeconds: 20 - # periodSeconds: 10 - - #livenessProbe: - # httpGet: - # path: / - # port: 8080 - # host: 127.0.0.1 - # initialDelaySeconds: 60 - # periodSeconds: 20 + readinessProbe: + httpGet: + path: / + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + livenessProbe: + httpGet: + path: / + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 20 volumes: - name: wekan-data persistentVolumeClaim:
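Review bot: Switching to `imagePullPolicy: Always` while `image:` still references the mutable tag `ghcr.io/wekan/wekan:v8.42` means every pod restart pulls whatever the registry currently serves under that tag. Pinning the digest keeps the pull policy and fixes the deployed content to a reviewed image, e.g. `image: ghcr.io/wekan/wekan:v8.42@sha256:<digest-of-reviewed-image>`. Separately, the OAuth2 block enables Authentik login but nothing visible in this hunk turns off local password login, so it is worth confirming whether both sign-in paths are meant to stay open (Wekan's `PASSWORD_LOGIN_ENABLED` setting, if the deployed version supports it). The container spec starts and ends outside this hunk.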