feat(infra): deploy Authentik (auth.dezky.eu) + global HTTP→HTTPS redirect

- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config:
  external DB/Redis, error-reporting off, update-check off, bootstrap admin),
  via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at
  https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden).
- Traefik HelmChartConfig: global :80 -> :443 (308) redirect via
  additionalArguments (to=:443, HTTP-01-safe).
- RUNBOOK updated.

Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with
prod URLs) + the cosmetic "Powered by Dezky" rebrand.

infrastructure/production/fleet/authentik/README.md

@@ -0,0 +1,49 @@
+# fleet/authentik — identity provider (auth.dezky.eu)
+
+Authentik, mirroring the dev docker-compose service but pointed at the
+in-cluster data tier. Deployed via the k3s Helm controller (`helmchart.yaml`,
+which mirrors `values.yaml`). Live at **https://auth.dezky.eu** (Let's Encrypt).
+
+- External **Postgres** (`postgres.dezky-data`, db/user `authentik`) + **Redis**
+  (`redis.dezky-data`) — chart's bundled subcharts disabled.
+- Secrets via `global.envFrom` → the `authentik-secret` Secret (generated
+  on-box; see `secret.example.yaml`). DB/Redis passwords match the dezky-data
+  secrets.
+- Ingress: Traefik + cert-manager `letsencrypt-prod`.
+- `error_reporting` off, update-check off, bootstrap email `admin@dezky.eu`.
+
+## Deploy
+```bash
+# 1. secret (reads DB/Redis pw from dezky-data so they match; rest generated)
+ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
+RDB=$(kubectl -n dezky-data get secret redis-secret    -o jsonpath='{.data.REDIS_PASSWORD}'        | base64 -d)
+kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
+kubectl -n dezky-auth create secret generic authentik-secret \
+  --from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
+  --from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
+  --from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
+  --from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
+  --from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
+# 2. install
+kubectl apply -f helmchart.yaml
+kubectl -n dezky-auth rollout status deploy/authentik-server --timeout=300s
+```
+
+## First login
+```bash
+# akadmin password (store in Bitwarden):
+kubectl -n dezky-auth get secret authentik-secret -o jsonpath='{.data.AUTHENTIK_BOOTSTRAP_PASSWORD}' | base64 -d; echo
+```
+Log in at https://auth.dezky.eu as **akadmin** / that password.
+
+## TODO (mirror the rest of dev — not yet applied)
+- **OIDC app blueprints.** Dev provisions the operator app + a
+  `dezky-platform-admins` access policy via a blueprint
+  (`infrastructure/docker-compose/configs/authentik/blueprints/`). For prod,
+  mount the equivalent at `/blueprints/custom` with **prod** redirect URLs
+  (`operator.dezky.eu`, `app.dezky.eu`) + the matching client IDs/secrets.
+  The portal OIDC client (hand-made in dev) also needs creating.
+- **Rebrand** ("Powered by authentik" → "Powered by Dezky"): dev runs
+  `rebrand-web.sh` as a root lifecycle script. Replicating in k8s needs a
+  root-capable initContainer/command override — cosmetic, deferred.
+- Pin the **chart version** (currently latest → app `2026.5.2`).

infrastructure/production/fleet/authentik/helmchart.yaml

@@ -0,0 +1,55 @@
+# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
+# (keep them in sync). Version intentionally unpinned for the first install —
+# PIN the resolved chart version here once it's up (see RUNBOOK.md).
+#
+# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
+# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: authentik
+  namespace: kube-system
+spec:
+  repo: https://charts.goauthentik.io
+  chart: authentik
+  targetNamespace: dezky-auth
+  createNamespace: true
+  valuesContent: |-
+    image:
+      tag: "2026.5.2"
+    global:
+      envFrom:
+        - secretRef:
+            name: authentik-secret
+      env:
+        - name: AUTHENTIK_BOOTSTRAP_EMAIL
+          value: admin@dezky.eu
+        - name: AUTHENTIK_DISABLE_UPDATE_CHECK
+          value: "true"
+    authentik:
+      error_reporting:
+        enabled: false
+      postgresql:
+        host: postgres.dezky-data
+        name: authentik
+        user: authentik
+      redis:
+        host: redis.dezky-data
+    postgresql:
+      enabled: false
+    redis:
+      enabled: false
+    server:
+      ingress:
+        enabled: true
+        ingressClassName: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        hosts:
+          - auth.dezky.eu
+        paths:
+          - "/"
+        tls:
+          - hosts:
+              - auth.dezky.eu
+            secretName: authentik-tls

infrastructure/production/fleet/authentik/secret.example.yaml

@@ -0,0 +1,29 @@
+# Authentik secrets — template. Generate + apply OUT-OF-BAND, store in Bitwarden.
+# The DB/Redis passwords MUST equal the ones in the dezky-data secrets
+# (postgres-secret.AUTHENTIK_DB_PASSWORD and redis-secret.REDIS_PASSWORD), so the
+# create command below reads them back rather than inventing new ones:
+#
+#   ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
+#   RDB=$(kubectl -n dezky-data get secret redis-secret    -o jsonpath='{.data.REDIS_PASSWORD}'        | base64 -d)
+#   kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
+#   kubectl -n dezky-auth create secret generic authentik-secret \
+#     --from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
+#     --from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
+#     --from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
+#     --from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
+#     --from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
+#
+# AUTHENTIK_BOOTSTRAP_PASSWORD = first login for `akadmin` at https://auth.dezky.eu
+# AUTHENTIK_BOOTSTRAP_TOKEN    = used by platform-api/provisioning to call the API
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-secret
+  namespace: dezky-auth
+type: Opaque
+stringData:
+  AUTHENTIK_SECRET_KEY: REPLACE_openssl_rand_hex_50
+  AUTHENTIK_POSTGRESQL__PASSWORD: REPLACE_match_dezky-data_AUTHENTIK_DB_PASSWORD
+  AUTHENTIK_REDIS__PASSWORD: REPLACE_match_dezky-data_REDIS_PASSWORD
+  AUTHENTIK_BOOTSTRAP_PASSWORD: REPLACE_openssl_rand_hex_16
+  AUTHENTIK_BOOTSTRAP_TOKEN: REPLACE_openssl_rand_hex_32

infrastructure/production/fleet/authentik/values.yaml

@@ -0,0 +1,55 @@
+# Authentik production Helm values — mirrors the dev docker-compose service
+# (ghcr.io/goauthentik/server:2025.10), pointed at the in-cluster data tier.
+#
+# Secrets come from the 'authentik-secret' Secret via global.envFrom (generated
+# on-box; see README) — NEVER in this file. Non-secret config only here.
+#
+# NOTE: chart version is intentionally unpinned at first install (helm-controller
+# pulls latest). After it's up, pin the installed chart + image versions here +
+# in RUNBOOK.md for reproducibility.
+
+image:
+  tag: "2026.5.2"   # deployed version (latest chart as of 2026-06-08)
+
+global:
+  # AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
+  # AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
+  envFrom:
+    - secretRef:
+        name: authentik-secret
+  env:
+    - name: AUTHENTIK_BOOTSTRAP_EMAIL
+      value: admin@dezky.eu
+    - name: AUTHENTIK_DISABLE_UPDATE_CHECK
+      value: "true"
+
+authentik:
+  error_reporting:
+    enabled: false
+  postgresql:
+    host: postgres.dezky-data
+    name: authentik
+    user: authentik
+  redis:
+    host: redis.dezky-data
+
+# Use the in-cluster data tier, not the chart's bundled subcharts.
+postgresql:
+  enabled: false
+redis:
+  enabled: false
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - auth.dezky.eu
+    paths:
+      - "/"
+    tls:
+      - hosts:
+          - auth.dezky.eu
+        secretName: authentik-tls