homelab-manifests/auth-system/authentik-values.yaml

---
# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
# For dooplex homelab deployment with centralized PostgreSQL
# Version: 2025.12.3
#
# ============================================================================
# 2026-04 tuning for worker task pile-up (issue #18368):
# - THREADS 2 -> 4: doubles concurrent task slots per worker (4 -> 8)
# - TASK_EXPIRATION 30d -> 3d: reduces task table bloat & cleanup load
# - worker resources: guaranteed 500m CPU instead of burst-only 100m
# Applies to workload of ~15 outposts; revisit if outpost count grows.
# ============================================================================

global:
  image:
    repository: ghcr.io/goauthentik/server
    tag: "2025.12.3"
  
  deploymentAnnotations:
    reloader.stakater.com/auto: "true"  # Auto-reload on secret changes (if using Reloader)

  deploymentStrategy:
    type: Recreate
  
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9300"
  
  # Environment variables for all pods
  envFrom:
    - secretRef:
        name: authentik-secret-key
  
  env:
    - name: AUTHENTIK_REDIS__HOST
      value: "authentik-redis-master"
    # PostgreSQL config for SHARED database
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: "postgresql-rw.database-system.svc.cluster.local"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__USER
      value: "authentik"
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-postgresql
          key: password
    - name: AUTHENTIK_EMAIL__HOST
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: host
    - name: AUTHENTIK_EMAIL__PORT
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: port
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: password
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: from-address

authentik:
  # Secret key will come from authentik-secret-key secret via envFrom
  secret_key: ""
  
  log_level: info
  
  # PostgreSQL configuration for SHARED database
  postgresql:
    host: "postgresql.database-system.svc.cluster.local"
    name: "authentik"
    user: "authentik"
    # Password comes from secret via global.env
  
  error_reporting:
    enabled: false

server:
  enabled: true
  name: server
  replicas: 1
  
  # Ingress configuration
  ingress:
    enabled: true
    ingressClassName: nginx-internal
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    hosts:
      - authentik.dooplex.hu
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-tls
        hosts:
          - authentik.dooplex.hu
  
  # Resource limits
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 1Gi
  
  # Persistent volume for media files
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  
  volumeMounts:
    - name: media
      mountPath: /media
  
  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

worker:
  enabled: true
  name: worker
  replicas: 1
  
  # Tuning for issue #18368 (task pile-up on 2025.10+ due to Postgres broker).
  # These env vars are worker-only; don't promote to global.env.
  env:
    # 2 (default) -> 4. Slots = replicas × PROCESSES × THREADS.
    # 1 × 2 × 4 = 8 concurrent tasks. Docs: below 2 not recommended.
    - name: AUTHENTIK_WORKER__THREADS
      value: "4"
    # 30d (default) -> 3d. Shrinks authentik_tasks_tasks table, making
    # daily purge cheaper and reducing the dequeue cost per task.
    - name: AUTHENTIK_WORKER__TASK_EXPIRATION
      value: "days=3"
  
  # Resource limits - bumped from 100m/1Gi for worker throughput.
  # A single send_update burst from 15 outposts can saturate the old budget.
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: "2"
      memory: 1Gi
  
  # Persistent volume for media files (shared with server)
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  
  volumeMounts:
    - name: media
      mountPath: /media
  
  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s

# DISABLE bundled PostgreSQL - using shared instance
postgresql:
  enabled: false

# Enable bundled Redis (required for Authentik)
redis:
  enabled: true
  architecture: standalone
  auth:
    enabled: false  # Internal only, no need for auth
  master:
    persistence:
      enabled: true
      storageClass: longhorn
      size: 1Gi
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
      limits:
        memory: 256Mi

# GeoIP configuration (optional, for geo-blocking features)
geoip:
  enabled: false
  # To enable later:
  # 1. Sign up at https://www.maxmind.com/en/geolite2/signup
  # 2. Get accountId and licenseKey
  # 3. Uncomment and fill:
  # accountId: ""
  # licenseKey: ""

# Service Account
serviceAccount:
  create: true
  annotations:
    argocd.argoproj.io/sync-wave: "-1"

# Prometheus metrics
prometheus:
  rules:
    enabled: false