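---
# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
# For dooplex homelab deployment with centralized PostgreSQL
# Version: 2025.12.3
#
# ============================================================================
# 2026-04 tuning for worker task pile-up (issue #18368):
# - THREADS 2 -> 4: doubles concurrent task slots per worker (4 -> 8)
# - TASK_EXPIRATION 30d -> 3d: reduces task table bloat & cleanup load
# - worker resources: guaranteed 500m CPU instead of burst-only 100m
# Applies to workload of ~15 outposts; revisit if outpost count grows.
# ============================================================================

global:
  image:
    repository: ghcr.io/goauthentik/server
    tag: "2025.12.3"

  deploymentAnnotations:
    reloader.stakater.com/auto: "true"  # Auto-reload on secret changes (if using Reloader)

  deploymentStrategy:
    type: Recreate

  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9300"

  # Environment variables for all pods
  envFrom:
    - secretRef:
        name: authentik-secret-key

  env:
    - name: AUTHENTIK_REDIS__HOST
      value: "authentik-redis-master"
    # PostgreSQL config for SHARED database
    # NOTE(review): this host ("postgresql-rw...") differs from
    # authentik.postgresql.host below ("postgresql..."). The chart also renders
    # authentik.postgresql.* as AUTHENTIK_POSTGRESQL__* variables, so the same
    # variable is presumably defined from two sources with two different values;
    # confirm in the rendered manifest which one the container actually sees and
    # drop the other.
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: "postgresql-rw.database-system.svc.cluster.local"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__USER
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-postgresql
          key: password
    # SMTP settings are sourced entirely from the smtp-credentials secret
    - name: AUTHENTIK_EMAIL__HOST
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: host
    - name: AUTHENTIK_EMAIL__PORT
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: port
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: password
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: from-address

authentik:
  # Secret key will come from authentik-secret-key secret via envFrom
  secret_key: ""
  log_level: info

  # PostgreSQL configuration for SHARED database
  postgresql:
    # NOTE(review): see the mismatch with global.env AUTHENTIK_POSTGRESQL__HOST above
    host: "postgresql.database-system.svc.cluster.local"
    name: "authentik"
    user: "authentik"
    # Password comes from secret via global.env

  error_reporting:
    enabled: false

server:
  enabled: true
  name: server
  replicas: 1

  # Ingress configuration
  ingress:
    enabled: true
    ingressClassName: nginx-internal
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu"
      # "0" disables request-body size limiting at the ingress; the backend
      # then has to absorb arbitrarily large request bodies itself.
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - authentik.dooplex.hu
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-tls
        hosts:
          - authentik.dooplex.hu

  # Resource limits
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 1Gi

  # Persistent volume for media files
  # NOTE(review): the same claim is mounted by the worker below; this assumes the
  # PVC is RWX or both pods land on the same node — confirm the access mode.
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  volumeMounts:
    - name: media
      mountPath: /media

  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

worker:
  enabled: true
  name: worker
  replicas: 1

  # Tuning for issue #18368 (task pile-up on 2025.10+ due to Postgres broker).
  # These env vars are worker-only; don't promote to global.env.
  env:
    # 2 (default) -> 4. Slots = replicas × PROCESSES × THREADS.
    # 1 × 2 × 4 = 8 concurrent tasks. Docs: below 2 not recommended.
    - name: AUTHENTIK_WORKER__THREADS
      value: "4"
    # 30d (default) -> 3d. Shrinks authentik_tasks_tasks table, making
    # daily purge cheaper and reducing the dequeue cost per task.
    - name: AUTHENTIK_WORKER__TASK_EXPIRATION
      value: "days=3"

  # Resource limits - bumped from 100m/1Gi for worker throughput.
  # A single send_update burst from 15 outposts can saturate the old budget.
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: "2"
      memory: 1Gi

  # Persistent volume for media files (shared with server)
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  volumeMounts:
    - name: media
      mountPath: /media

  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

# DISABLE bundled PostgreSQL - using shared instance
postgresql:
  enabled: false

# Enable bundled Redis (required for Authentik)
redis:
  enabled: true
  architecture: standalone
  auth:
    # Internal only, no need for auth.
    # With auth off, access to this Redis is bounded only by what can reach the
    # service in-cluster; a NetworkPolicy limiting it to the authentik server
    # and worker pods is the usual compensating control.
    enabled: false
  master:
    persistence:
      enabled: true
      storageClass: longhorn
      size: 1Gi
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
      limits:
        memory: 256Mi

# GeoIP configuration (optional, for geo-blocking features)
geoip:
  enabled: false
  # To enable later:
  # 1. Sign up at https://www.maxmind.com/en/geolite2/signup
  # 2. Get accountId and licenseKey
  # 3. Uncomment and fill:
  # accountId: ""
  # licenseKey: ""

# Service Account
serviceAccount:
  create: true
  annotations:
    argocd.argoproj.io/sync-wave: "-1"

# Prometheus metrics
prometheus:
  rules:
    enabled: false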