bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

authentik: align volumeClaimTemplates TypeMeta with SSA-created live object

Browse Source 
StatefulSet/authentik-postgres has been eternally OutOfSync since ~Sprint 65
even though 'kubectl diff --server-side --field-manager=argocd-controller'
shows zero real change. The STS was created via ServerSideApply, so the live
object carries apiVersion/kind inside volumeClaimTemplates[]; git omitting
them makes ArgoCD's normalized diff disagree forever. Declare them in git.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
2026-06-10 15:18:29 -05:00
parent b842738a0e
commit 81ac1f3e4f
1 changed files with 453 additions and 448 deletions
Download Patch File Download Diff File Expand all files Collapse all files

901
apps/authentik/authentik.yaml
View File

@@ -1,448 +1,453 @@
# Authentik OIDC backend # Authentik OIDC backend
# ArgoCD-managed. BlueJay Lab. # ArgoCD-managed. BlueJay Lab.
# #
# Stack: # Stack:
# - PostgreSQL 16 StatefulSet (single replica, Longhorn RWO 5Gi) # - PostgreSQL 16 StatefulSet (single replica, Longhorn RWO 5Gi)
# - Redis 7 Deployment (no persistence — session/cache only) # - Redis 7 Deployment (no persistence — session/cache only)
# - Authentik server + worker Deployments (image ghcr.io/goauthentik/server:2024.12.3) # - Authentik server + worker Deployments (image ghcr.io/goauthentik/server:2024.12.3)
# - Media PVC shared between server + worker (Longhorn RWO 2Gi) # - Media PVC shared between server + worker (Longhorn RWO 2Gi)
# - Certificate via step-ca-acme ClusterIssuer # - Certificate via step-ca-acme ClusterIssuer
# - Traefik IngressRoute at id.iamworkin.lan # - Traefik IngressRoute at id.iamworkin.lan
# #
# Secrets come from 1Password item "authentik-credentials" (IAmWorkin vault, id y6i74ch22q5wvm7znquq4nhhcu) # Secrets come from 1Password item "authentik-credentials" (IAmWorkin vault, id y6i74ch22q5wvm7znquq4nhhcu)
# via the OnePasswordItem CRD, materialized into k8s Secret authentik/authentik-credentials. # via the OnePasswordItem CRD, materialized into k8s Secret authentik/authentik-credentials.
# #
# Why the discovery URL is /application/o/pimanager/ : Authentik issues per-application OIDC providers. # Why the discovery URL is /application/o/pimanager/ : Authentik issues per-application OIDC providers.
# The pimanager OIDC application/provider is created after the cluster pods are healthy (manual or # The pimanager OIDC application/provider is created after the cluster pods are healthy (manual or
# via API once the bootstrap token is available — see Notes substrate). # via API once the bootstrap token is available — see Notes substrate).
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: authentik name: authentik
labels: labels:
app.kubernetes.io/part-of: bluejay-infra app.kubernetes.io/part-of: bluejay-infra
--- ---
# 1Password operator pulls the authentik-credentials item into a k8s Secret of the same name. # 1Password operator pulls the authentik-credentials item into a k8s Secret of the same name.
# Field labels in 1P become Secret keys: AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD, REDIS_PASSWORD, # Field labels in 1P become Secret keys: AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD, REDIS_PASSWORD,
# BOOTSTRAP_ADMIN_PASSWORD, BOOTSTRAP_ADMIN_TOKEN, BOOTSTRAP_ADMIN_EMAIL. # BOOTSTRAP_ADMIN_PASSWORD, BOOTSTRAP_ADMIN_TOKEN, BOOTSTRAP_ADMIN_EMAIL.
apiVersion: onepassword.com/v1 apiVersion: onepassword.com/v1
kind: OnePasswordItem kind: OnePasswordItem
metadata: metadata:
name: authentik-credentials name: authentik-credentials
namespace: authentik namespace: authentik
spec: spec:
itemPath: "vaults/IAmWorkin/items/authentik-credentials" itemPath: "vaults/IAmWorkin/items/authentik-credentials"
--- ---
# Shared media volume for server + worker pods. # Shared media volume for server + worker pods.
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: authentik-media name: authentik-media
namespace: authentik namespace: authentik
spec: spec:
storageClassName: longhorn storageClassName: longhorn
accessModes: [ReadWriteOnce] accessModes: [ReadWriteOnce]
resources: resources:
requests: requests:
storage: 2Gi storage: 2Gi
--- ---
# PostgreSQL 16 StatefulSet — Authentik's primary store. # PostgreSQL 16 StatefulSet — Authentik's primary store.
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: authentik-postgres name: authentik-postgres
namespace: authentik namespace: authentik
labels: labels:
app: authentik-postgres app: authentik-postgres
argocd.argoproj.io/instance: infra-authentik argocd.argoproj.io/instance: infra-authentik
spec: spec:
persistentVolumeClaimRetentionPolicy: persistentVolumeClaimRetentionPolicy:
whenDeleted: Retain whenDeleted: Retain
whenScaled: Retain whenScaled: Retain
podManagementPolicy: OrderedReady podManagementPolicy: OrderedReady
serviceName: authentik-postgres serviceName: authentik-postgres
replicas: 1 replicas: 1
revisionHistoryLimit: 10 revisionHistoryLimit: 10
selector: selector:
matchLabels: matchLabels:
app: authentik-postgres app: authentik-postgres
template: template:
metadata: metadata:
labels: labels:
app: authentik-postgres app: authentik-postgres
spec: spec:
containers: containers:
- name: postgres - name: postgres
image: postgres:16-alpine image: postgres:16-alpine
ports: ports:
- containerPort: 5432 - containerPort: 5432
name: postgres name: postgres
env: env:
- name: POSTGRES_USER - name: POSTGRES_USER
value: authentik value: authentik
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: POSTGRES_PASSWORD key: POSTGRES_PASSWORD
- name: POSTGRES_DB - name: POSTGRES_DB
value: authentik value: authentik
- name: POSTGRES_INITDB_ARGS - name: POSTGRES_INITDB_ARGS
value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C" value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
- name: PGDATA - name: PGDATA
value: /var/lib/postgresql/data/pgdata value: /var/lib/postgresql/data/pgdata
readinessProbe: readinessProbe:
exec: exec:
command: ["pg_isready", "-U", "authentik"] command: ["pg_isready", "-U", "authentik"]
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 5 periodSeconds: 5
livenessProbe: livenessProbe:
exec: exec:
command: ["pg_isready", "-U", "authentik"] command: ["pg_isready", "-U", "authentik"]
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 30 periodSeconds: 30
resources: resources:
requests: { cpu: 100m, memory: 256Mi } requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 1000m, memory: 1Gi } limits: { cpu: 1000m, memory: 1Gi }
volumeMounts: volumeMounts:
- name: pgdata - name: pgdata
mountPath: /var/lib/postgresql/data mountPath: /var/lib/postgresql/data
volumeClaimTemplates: volumeClaimTemplates:
- metadata: # apiVersion/kind included deliberately: this STS was created via ArgoCD ServerSideApply,
name: pgdata # so the live object carries PVC TypeMeta inside volumeClaimTemplates; omitting it here
spec: # leaves the app eternally OutOfSync even though kubectl SSA dry-run shows no change.
storageClassName: longhorn - apiVersion: v1
accessModes: [ReadWriteOnce] kind: PersistentVolumeClaim
volumeMode: Filesystem metadata:
resources: name: pgdata
requests: spec:
storage: 5Gi storageClassName: longhorn
accessModes: [ReadWriteOnce]
--- volumeMode: Filesystem
apiVersion: v1 resources:
kind: Service requests:
metadata: storage: 5Gi
name: authentik-postgres
namespace: authentik ---
spec: apiVersion: v1
clusterIP: None kind: Service
selector: metadata:
app: authentik-postgres name: authentik-postgres
ports: namespace: authentik
- name: postgres spec:
port: 5432 clusterIP: None
targetPort: 5432 selector:
app: authentik-postgres
--- ports:
# Redis 7 — session storage + Celery broker. No persistence needed (cache). - name: postgres
apiVersion: apps/v1 port: 5432
kind: Deployment targetPort: 5432
metadata:
name: authentik-redis ---
namespace: authentik # Redis 7 — session storage + Celery broker. No persistence needed (cache).
labels: apiVersion: apps/v1
app: authentik-redis kind: Deployment
argocd.argoproj.io/instance: infra-authentik metadata:
spec: name: authentik-redis
replicas: 1 namespace: authentik
strategy: labels:
type: Recreate app: authentik-redis
selector: argocd.argoproj.io/instance: infra-authentik
matchLabels: spec:
app: authentik-redis replicas: 1
template: strategy:
metadata: type: Recreate
labels: selector:
app: authentik-redis matchLabels:
spec: app: authentik-redis
containers: template:
- name: redis metadata:
image: redis:7-alpine labels:
args: app: authentik-redis
- "--save" spec:
- "" containers:
- "--appendonly" - name: redis
- "no" image: redis:7-alpine
- "--requirepass" args:
- "$(REDIS_PASSWORD)" - "--save"
env: - ""
- name: REDIS_PASSWORD - "--appendonly"
valueFrom: - "no"
secretKeyRef: - "--requirepass"
name: authentik-credentials - "$(REDIS_PASSWORD)"
key: REDIS_PASSWORD env:
ports: - name: REDIS_PASSWORD
- containerPort: 6379 valueFrom:
name: redis secretKeyRef:
readinessProbe: name: authentik-credentials
tcpSocket: { port: 6379 } key: REDIS_PASSWORD
initialDelaySeconds: 5 ports:
periodSeconds: 5 - containerPort: 6379
livenessProbe: name: redis
tcpSocket: { port: 6379 } readinessProbe:
initialDelaySeconds: 30 tcpSocket: { port: 6379 }
periodSeconds: 30 initialDelaySeconds: 5
resources: periodSeconds: 5
requests: { cpu: 50m, memory: 64Mi } livenessProbe:
limits: { cpu: 500m, memory: 256Mi } tcpSocket: { port: 6379 }
initialDelaySeconds: 30
--- periodSeconds: 30
apiVersion: v1 resources:
kind: Service requests: { cpu: 50m, memory: 64Mi }
metadata: limits: { cpu: 500m, memory: 256Mi }
name: authentik-redis
namespace: authentik ---
spec: apiVersion: v1
selector: kind: Service
app: authentik-redis metadata:
ports: name: authentik-redis
- name: redis namespace: authentik
port: 6379 spec:
targetPort: 6379 selector:
app: authentik-redis
--- ports:
# Authentik server Deployment — HTTP frontend on :9000. - name: redis
apiVersion: apps/v1 port: 6379
kind: Deployment targetPort: 6379
metadata:
name: authentik-server ---
namespace: authentik # Authentik server Deployment — HTTP frontend on :9000.
labels: apiVersion: apps/v1
app: authentik-server kind: Deployment
argocd.argoproj.io/instance: infra-authentik metadata:
spec: name: authentik-server
replicas: 1 namespace: authentik
strategy: labels:
type: Recreate # shares /media RWO PVC with worker app: authentik-server
selector: argocd.argoproj.io/instance: infra-authentik
matchLabels: spec:
app: authentik-server replicas: 1
template: strategy:
metadata: type: Recreate # shares /media RWO PVC with worker
labels: selector:
app: authentik-server matchLabels:
spec: app: authentik-server
securityContext: template:
# Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts metadata:
# root:root by default. fsGroup recursively chgrp + chmod g+rwx so the labels:
# non-root container can mkdir /media/public during the tenant_files migration. app: authentik-server
fsGroup: 1000 spec:
containers: securityContext:
- name: server # Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
image: ghcr.io/goauthentik/server:2024.12.3 # root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
args: ["server"] # non-root container can mkdir /media/public during the tenant_files migration.
ports: fsGroup: 1000
- containerPort: 9000 containers:
name: http - name: server
- containerPort: 9443 image: ghcr.io/goauthentik/server:2024.12.3
name: https args: ["server"]
env: ports:
- name: AUTHENTIK_SECRET_KEY - containerPort: 9000
valueFrom: name: http
secretKeyRef: - containerPort: 9443
name: authentik-credentials name: https
key: AUTHENTIK_SECRET_KEY env:
- name: AUTHENTIK_REDIS__HOST - name: AUTHENTIK_SECRET_KEY
value: authentik-redis valueFrom:
- name: AUTHENTIK_REDIS__PASSWORD secretKeyRef:
valueFrom: name: authentik-credentials
secretKeyRef: key: AUTHENTIK_SECRET_KEY
name: authentik-credentials - name: AUTHENTIK_REDIS__HOST
key: REDIS_PASSWORD value: authentik-redis
- name: AUTHENTIK_POSTGRESQL__HOST - name: AUTHENTIK_REDIS__PASSWORD
value: authentik-postgres valueFrom:
- name: AUTHENTIK_POSTGRESQL__NAME secretKeyRef:
value: authentik name: authentik-credentials
- name: AUTHENTIK_POSTGRESQL__USER key: REDIS_PASSWORD
value: authentik - name: AUTHENTIK_POSTGRESQL__HOST
- name: AUTHENTIK_POSTGRESQL__PASSWORD value: authentik-postgres
valueFrom: - name: AUTHENTIK_POSTGRESQL__NAME
secretKeyRef: value: authentik
name: authentik-credentials - name: AUTHENTIK_POSTGRESQL__USER
key: POSTGRES_PASSWORD value: authentik
- name: AUTHENTIK_BOOTSTRAP_PASSWORD - name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: BOOTSTRAP_ADMIN_PASSWORD key: POSTGRES_PASSWORD
- name: AUTHENTIK_BOOTSTRAP_TOKEN - name: AUTHENTIK_BOOTSTRAP_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: BOOTSTRAP_ADMIN_TOKEN key: BOOTSTRAP_ADMIN_PASSWORD
- name: AUTHENTIK_BOOTSTRAP_EMAIL - name: AUTHENTIK_BOOTSTRAP_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-credentials name: authentik-credentials
key: BOOTSTRAP_ADMIN_EMAIL key: BOOTSTRAP_ADMIN_TOKEN
- name: AUTHENTIK_DISABLE_UPDATE_CHECK - name: AUTHENTIK_BOOTSTRAP_EMAIL
value: "true" valueFrom:
- name: AUTHENTIK_ERROR_REPORTING__ENABLED secretKeyRef:
value: "false" name: authentik-credentials
- name: AUTHENTIK_LOG_LEVEL key: BOOTSTRAP_ADMIN_EMAIL
value: info - name: AUTHENTIK_DISABLE_UPDATE_CHECK
# First-boot Authentik can take 3+ min on the migration phase value: "true"
# (waiting on DB lock while worker also runs migrations). Initial - name: AUTHENTIK_ERROR_REPORTING__ENABLED
# delays are generous so kubelet doesn't kill the pod mid-migration; value: "false"
# periodSeconds keeps post-startup probing responsive. - name: AUTHENTIK_LOG_LEVEL
readinessProbe: value: info
httpGet: # First-boot Authentik can take 3+ min on the migration phase
path: /-/health/ready/ # (waiting on DB lock while worker also runs migrations). Initial
port: 9000 # delays are generous so kubelet doesn't kill the pod mid-migration;
initialDelaySeconds: 60 # periodSeconds keeps post-startup probing responsive.
periodSeconds: 10 readinessProbe:
timeoutSeconds: 5 httpGet:
failureThreshold: 12 path: /-/health/ready/
livenessProbe: port: 9000
httpGet: initialDelaySeconds: 60
path: /-/health/live/ periodSeconds: 10
port: 9000 timeoutSeconds: 5
initialDelaySeconds: 300 failureThreshold: 12
periodSeconds: 30 livenessProbe:
timeoutSeconds: 10 httpGet:
failureThreshold: 3 path: /-/health/live/
startupProbe: port: 9000
httpGet: initialDelaySeconds: 300
path: /-/health/live/ periodSeconds: 30
port: 9000 timeoutSeconds: 10
initialDelaySeconds: 30 failureThreshold: 3
periodSeconds: 15 startupProbe:
timeoutSeconds: 10 httpGet:
failureThreshold: 40 # 30s + 40*15s = 10.5 min budget path: /-/health/live/
resources: port: 9000
requests: { cpu: 150m, memory: 512Mi } initialDelaySeconds: 30
limits: { cpu: 1500m, memory: 1Gi } periodSeconds: 15
volumeMounts: timeoutSeconds: 10
- name: media failureThreshold: 40 # 30s + 40*15s = 10.5 min budget
mountPath: /media resources:
volumes: requests: { cpu: 150m, memory: 512Mi }
- name: media limits: { cpu: 1500m, memory: 1Gi }
persistentVolumeClaim: volumeMounts:
claimName: authentik-media - name: media
mountPath: /media
--- volumes:
# Authentik worker Deployment — runs Celery background tasks. - name: media
apiVersion: apps/v1 persistentVolumeClaim:
kind: Deployment claimName: authentik-media
metadata:
name: authentik-worker ---
namespace: authentik # Authentik worker Deployment — runs Celery background tasks.
labels: apiVersion: apps/v1
app: authentik-worker kind: Deployment
argocd.argoproj.io/instance: infra-authentik metadata:
spec: name: authentik-worker
replicas: 1 namespace: authentik
strategy: labels:
type: Recreate # shares /media RWO PVC with server app: authentik-worker
selector: argocd.argoproj.io/instance: infra-authentik
matchLabels: spec:
app: authentik-worker replicas: 1
template: strategy:
metadata: type: Recreate # shares /media RWO PVC with server
labels: selector:
app: authentik-worker matchLabels:
spec: app: authentik-worker
securityContext: template:
# Same as server pod — non-root uid 1000 needs PVC group write. metadata:
fsGroup: 1000 labels:
containers: app: authentik-worker
- name: worker spec:
image: ghcr.io/goauthentik/server:2024.12.3 securityContext:
args: ["worker"] # Same as server pod — non-root uid 1000 needs PVC group write.
env: fsGroup: 1000
- name: AUTHENTIK_SECRET_KEY containers:
valueFrom: - name: worker
secretKeyRef: image: ghcr.io/goauthentik/server:2024.12.3
name: authentik-credentials args: ["worker"]
key: AUTHENTIK_SECRET_KEY env:
- name: AUTHENTIK_REDIS__HOST - name: AUTHENTIK_SECRET_KEY
value: authentik-redis valueFrom:
- name: AUTHENTIK_REDIS__PASSWORD secretKeyRef:
valueFrom: name: authentik-credentials
secretKeyRef: key: AUTHENTIK_SECRET_KEY
name: authentik-credentials - name: AUTHENTIK_REDIS__HOST
key: REDIS_PASSWORD value: authentik-redis
- name: AUTHENTIK_POSTGRESQL__HOST - name: AUTHENTIK_REDIS__PASSWORD
value: authentik-postgres valueFrom:
- name: AUTHENTIK_POSTGRESQL__NAME secretKeyRef:
value: authentik name: authentik-credentials
- name: AUTHENTIK_POSTGRESQL__USER key: REDIS_PASSWORD
value: authentik - name: AUTHENTIK_POSTGRESQL__HOST
- name: AUTHENTIK_POSTGRESQL__PASSWORD value: authentik-postgres
valueFrom: - name: AUTHENTIK_POSTGRESQL__NAME
secretKeyRef: value: authentik
name: authentik-credentials - name: AUTHENTIK_POSTGRESQL__USER
key: POSTGRES_PASSWORD value: authentik
- name: AUTHENTIK_DISABLE_UPDATE_CHECK - name: AUTHENTIK_POSTGRESQL__PASSWORD
value: "true" valueFrom:
- name: AUTHENTIK_ERROR_REPORTING__ENABLED secretKeyRef:
value: "false" name: authentik-credentials
- name: AUTHENTIK_LOG_LEVEL key: POSTGRES_PASSWORD
value: info - name: AUTHENTIK_DISABLE_UPDATE_CHECK
resources: value: "true"
requests: { cpu: 100m, memory: 256Mi } - name: AUTHENTIK_ERROR_REPORTING__ENABLED
limits: { cpu: 1000m, memory: 768Mi } value: "false"
volumeMounts: - name: AUTHENTIK_LOG_LEVEL
- name: media value: info
mountPath: /media resources:
volumes: requests: { cpu: 100m, memory: 256Mi }
- name: media limits: { cpu: 1000m, memory: 768Mi }
persistentVolumeClaim: volumeMounts:
claimName: authentik-media - name: media
mountPath: /media
--- volumes:
apiVersion: v1 - name: media
kind: Service persistentVolumeClaim:
metadata: claimName: authentik-media
name: authentik-server
namespace: authentik ---
spec: apiVersion: v1
selector: kind: Service
app: authentik-server metadata:
ports: name: authentik-server
- name: http namespace: authentik
port: 9000 spec:
targetPort: 9000 selector:
- name: https app: authentik-server
port: 9443 ports:
targetPort: 9443 - name: http
port: 9000
--- targetPort: 9000
# step-ca leaf certificate for id.iamworkin.lan. - name: https
# step-ca container resolver uses pfSense Unbound, so the public A record for id.iamworkin.lan port: 9443
# MUST exist before this Certificate is applied (cert-manager HTTP-01 will silently 2h-backoff targetPort: 9443
# otherwise). Added 2026-05-25 via scripts/pfsense-add-id-host.py.
apiVersion: cert-manager.io/v1 ---
kind: Certificate # step-ca leaf certificate for id.iamworkin.lan.
metadata: # step-ca container resolver uses pfSense Unbound, so the public A record for id.iamworkin.lan
name: authentik-tls # MUST exist before this Certificate is applied (cert-manager HTTP-01 will silently 2h-backoff
namespace: authentik # otherwise). Added 2026-05-25 via scripts/pfsense-add-id-host.py.
spec: apiVersion: cert-manager.io/v1
secretName: authentik-tls kind: Certificate
dnsNames: metadata:
- id.iamworkin.lan name: authentik-tls
issuerRef: namespace: authentik
name: step-ca-acme spec:
kind: ClusterIssuer secretName: authentik-tls
dnsNames:
--- - id.iamworkin.lan
apiVersion: traefik.io/v1alpha1 issuerRef:
kind: IngressRoute name: step-ca-acme
metadata: kind: ClusterIssuer
name: authentik
namespace: authentik ---
spec: apiVersion: traefik.io/v1alpha1
entryPoints: [websecure] kind: IngressRoute
routes: metadata:
- match: Host(`id.iamworkin.lan`) name: authentik
kind: Rule namespace: authentik
services: spec:
- name: authentik-server entryPoints: [websecure]
port: 9000 routes:
tls: - match: Host(`id.iamworkin.lan`)
secretName: authentik-tls kind: Rule
services:
- name: authentik-server
port: 9000
tls:
secretName: authentik-tls