Ronni Baslund
d02eb5ec50
- Pin the helm-controller chart version (unset = silent latest upgrades) and move the image tag under global.image per the 2026.5 chart layout. - Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list rejected every authorize request. Allow authorization_code + refresh_token for portal and operator providers. - Fix the portal redirect URI to the nuxt-oidc-auth callback path. - Serve the auth ingress on :80 with a per-router HTTPS redirect so the cert-manager HTTP-01 solver keeps working.
67 lines
2.3 KiB
YAML
67 lines
2.3 KiB
YAML
# Authentik production Helm values — mirrors the dev docker-compose service
|
|
# (ghcr.io/goauthentik/server:2025.10), pointed at the in-cluster data tier.
|
|
#
|
|
# Secrets come from the 'authentik-secret' Secret via global.envFrom (generated
|
|
# on-box; see README) — NEVER in this file. Non-secret config only here.
|
|
#
|
|
# NOTE: chart version is intentionally unpinned at first install (helm-controller
|
|
# pulls latest). After it's up, pin the installed chart + image versions here +
|
|
# in RUNBOOK.md for reproducibility.
|
|
|
|
global:
|
|
# Image moved under global.image in chart 2026.5.x; the old top-level `image:`
|
|
# key now hard-fails the chart's deprecation guard.
|
|
image:
|
|
tag: "2026.5.2" # deployed version; pinned == spec.version in helmchart.yaml
|
|
# AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
|
|
# AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
|
|
envFrom:
|
|
- secretRef:
|
|
name: authentik-secret
|
|
env:
|
|
- name: AUTHENTIK_BOOTSTRAP_EMAIL
|
|
value: admin@dezky.eu
|
|
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
|
|
value: "true"
|
|
|
|
authentik:
|
|
error_reporting:
|
|
enabled: false
|
|
postgresql:
|
|
host: postgres.dezky-data
|
|
name: authentik
|
|
user: authentik
|
|
redis:
|
|
host: redis.dezky-data
|
|
|
|
# Use the in-cluster data tier, not the chart's bundled subcharts.
|
|
postgresql:
|
|
enabled: false
|
|
redis:
|
|
enabled: false
|
|
|
|
server:
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: traefik
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
# Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
|
|
# port 80 at renewal; redirect-https bounces other traffic to HTTPS.
|
|
# (Middleware lives in authentik/redirect-middleware.yaml.)
|
|
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
|
|
traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
|
|
hosts:
|
|
- auth.dezky.eu
|
|
paths:
|
|
- "/"
|
|
tls:
|
|
- hosts:
|
|
- auth.dezky.eu
|
|
secretName: authentik-tls
|
|
|
|
# Blueprints (portal + operator OIDC apps + brand) are mounted via a post-install
|
|
# initContainer patch on the worker (this chart version ignored worker.volumes),
|
|
# copying the authentik-blueprints ConfigMap to an emptyDir as real files at
|
|
# /blueprints/custom. See README "Blueprints + branding".
|