---
# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
# For dooplex homelab deployment with centralized PostgreSQL
# Version: 2025.12.3
#
# ============================================================================
# 2026-04 tuning for worker task pile-up (issue #18368):
# - THREADS 2 -> 4: doubles concurrent task slots per worker (4 -> 8)
# - TASK_EXPIRATION 30d -> 3d: reduces task table bloat & cleanup load
# - worker resources: guaranteed 500m CPU instead of burst-only 100m
# Applies to workload of ~15 outposts; revisit if outpost count grows.
# ============================================================================
global:
  image:
    repository: ghcr.io/goauthentik/server
    tag: '2025.12.3'  # quoted: an unquoted 2025.12.3 is not a valid YAML number but keep it a string explicitly
  deploymentAnnotations:
    # Reloader (when installed) restarts the deployment after a referenced secret changes
    reloader.stakater.com/auto: 'true'
  deploymentStrategy:
    type: Recreate
  podAnnotations:
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9300'
  # Applied to every authentik pod (server and worker).
  # authentik-secret-key is expected to provide AUTHENTIK_SECRET_KEY; the
  # secret itself is managed outside this file and never inlined in values.
  envFrom:
    - secretRef:
        name: authentik-secret-key
  env:
    - name: AUTHENTIK_REDIS__HOST
      value: 'authentik-redis-master'
    # Shared PostgreSQL. The "-rw" host is presumably the read-write service of
    # the shared cluster; note that authentik.postgresql.host further down names
    # a different host ("postgresql."), so check which one the rendered pod uses.
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: 'postgresql-rw.database-system.svc.cluster.local'
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: 'authentik'
    - name: AUTHENTIK_POSTGRESQL__USER
      value: 'authentik'
    # Password only ever comes from the authentik-postgresql secret
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-postgresql
          key: password
    # Every SMTP setting, including the non-secret host/port/from, is read from
    # the smtp-credentials secret so the whole block is managed in one place.
    - name: AUTHENTIK_EMAIL__HOST
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: host
    - name: AUTHENTIK_EMAIL__PORT
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: port
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: password
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp-credentials
          key: from-address
authentik:
  # Intentionally empty: AUTHENTIK_SECRET_KEY is injected from the
  # authentik-secret-key secret via global.envFrom, never committed here.
  secret_key: ""
  log_level: info
  # Shared PostgreSQL.
  # NOTE(review): this host ("postgresql.database-system…") differs from
  # AUTHENTIK_POSTGRESQL__HOST in global.env ("postgresql-rw.database-system…").
  # Which value the pods end up with depends on how the chart orders these
  # settings relative to global.env — confirm on the rendered Deployment and
  # keep a single value so a future edit cannot silently point at the wrong host.
  postgresql:
    host: "postgresql.database-system.svc.cluster.local"
    name: "authentik"
    user: "authentik"
    # Password comes from the authentik-postgresql secret via global.env
    # (AUTHENTIK_POSTGRESQL__PASSWORD); no password key here on purpose.
  error_reporting:
    enabled: false
server:
  enabled: true
  name: server
  replicas: 1
  # Ingress: internal nginx class, TLS from cert-manager, DNS from external-dns
  ingress:
    enabled: true
    ingressClassName: nginx-internal
    annotations:
      cert-manager.io/cluster-issuer: 'letsencrypt-prod'
      external-dns.alpha.kubernetes.io/hostname: 'authentik.dooplex.hu'
      # "0" removes nginx's request-body size cap for this host; the
      # application is then the only limit on upload size.
      nginx.ingress.kubernetes.io/proxy-body-size: '0'
      # One-hour proxy timeouts — presumably for long-lived outpost connections
      nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
      nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
    hosts:
      - authentik.dooplex.hu
    paths:
      - /
    pathType: Prefix
    tls:
      - secretName: authentik-tls
        hosts:
          - authentik.dooplex.hu
  # Burstable: CPU is requested but not capped; memory is capped at 1Gi
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      memory: 1Gi
  # Media files live on a PVC that the worker mounts at the same path
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  volumeMounts:
    - name: media
      mountPath: /media
  # Metrics are scraped via the prometheus.io pod annotations in global;
  # no ServiceMonitor is created.
  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s
worker:
  enabled: true
  name: worker
  replicas: 1
  # Tuning for issue #18368 (task pile-up on 2025.10+ due to Postgres broker).
  # Worker-only settings: keep them out of global.env so the server pod is
  # not affected.
  env:
    # Default 2 -> 4. Concurrent slots = replicas x PROCESSES x THREADS,
    # i.e. 1 x 2 x 4 = 8 tasks. Upstream docs advise against going below 2.
    - name: AUTHENTIK_WORKER__THREADS
      value: '4'
    # Default 30d -> 3d. Keeps authentik_tasks_tasks small so the daily purge
    # and the per-task dequeue stay cheap.
    - name: AUTHENTIK_WORKER__TASK_EXPIRATION
      value: 'days=3'
  # Raised from 100m/1Gi: a single send_update burst from ~15 outposts could
  # saturate the old burst-only budget, so CPU is now guaranteed.
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: '2'  # quoted so the quantity stays a string
      memory: 1Gi
  # Same media PVC as the server, mounted at the same path
  volumes:
    - name: media
      persistentVolumeClaim:
        claimName: authentik-media
  volumeMounts:
    - name: media
      mountPath: /media
  # Scraped via the prometheus.io pod annotations in global; no ServiceMonitor
  metrics:
    enabled: true
    serviceMonitor:
      enabled: false
      interval: 30s
# Bundled PostgreSQL is switched off: the shared cluster configured in
# global.env (AUTHENTIK_POSTGRESQL__*) is used instead.
postgresql:
  enabled: false
# Bundled Redis (required by authentik); AUTHENTIK_REDIS__HOST in global.env
# points at its master service.
redis:
  enabled: true
  architecture: standalone
  auth:
    # No password because the service is only reachable inside the cluster.
    # That makes network isolation (e.g. a NetworkPolicy limiting the Redis
    # service to the authentik pods) the only access control — it is not
    # defined in this file, so confirm it exists.
    enabled: false
  master:
    persistence:
      enabled: true
      storageClass: longhorn
      size: 1Gi
    resources:
      requests:
        cpu: 50m
        memory: 128Mi
      limits:
        memory: 256Mi
# GeoIP (optional; needed for geo-based policies/blocking)
geoip:
  enabled: false
  # To enable later:
  #   1. Create a MaxMind GeoLite2 account: https://www.maxmind.com/en/geolite2/signup
  #   2. Obtain the accountId and licenseKey
  #   3. Keep the licenseKey in a Secret rather than committing it to this
  #      file — check the chart's values.yaml for its existing-secret option
  #      before falling back to the inline keys below.
  # accountId: ''
  # licenseKey: ''
# Service account, created by the chart. The negative sync-wave makes Argo CD
# apply it before the workloads that reference it.
serviceAccount:
  create: true
  annotations:
    argocd.argoproj.io/sync-wave: '-1'  # quoted: a bare -1 would be an int
# Prometheus: no PrometheusRule objects are created by the chart
prometheus:
  rules:
    enabled: false