Ronni Baslund
d02eb5ec50
- Pin the helm-controller chart version (unset = silent latest upgrades) and move the image tag under global.image per the 2026.5 chart layout. - Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list rejected every authorize request. Allow authorization_code + refresh_token for portal and operator providers. - Fix the portal redirect URI to the nuxt-oidc-auth callback path. - Serve the auth ingress on :80 with a per-router HTTPS redirect so the cert-manager HTTP-01 solver keeps working.
fleet/authentik — identity provider (auth.dezky.eu)
Authentik, mirroring the dev docker-compose service but pointed at the
in-cluster data tier. Deployed via the k3s Helm controller (helmchart.yaml,
which mirrors values.yaml). Live at https://auth.dezky.eu (Let's Encrypt).
- External Postgres (
postgres.dezky-data, db/userauthentik) + Redis (redis.dezky-data) — chart's bundled subcharts disabled. - Secrets via
global.envFrom→ theauthentik-secretSecret (generated on-box; seesecret.example.yaml). DB/Redis passwords match the dezky-data secrets. - Ingress: Traefik + cert-manager
letsencrypt-prod. error_reportingoff, update-check off, bootstrap emailadmin@dezky.eu.
Deploy
# 1. secret (reads DB/Redis pw from dezky-data so they match; rest generated)
ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
RDB=$(kubectl -n dezky-data get secret redis-secret -o jsonpath='{.data.REDIS_PASSWORD}' | base64 -d)
kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
kubectl -n dezky-auth create secret generic authentik-secret \
--from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
--from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
--from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
--from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
--from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
# 2. install
kubectl apply -f helmchart.yaml
kubectl -n dezky-auth rollout status deploy/authentik-server --timeout=300s
First login
# akadmin password (store in Bitwarden):
kubectl -n dezky-auth get secret authentik-secret -o jsonpath='{.data.AUTHENTIK_BOOTSTRAP_PASSWORD}' | base64 -d; echo
Log in at https://auth.dezky.eu as akadmin / that password.
Blueprints + branding (APPLIED)
blueprints/ holds prod blueprints (applied & successful on node1):
brand.yaml— dezky branding on the default brand (title + signal-green custom CSS). This is what puts the login page in dezky colors.portal-application.yaml—dezky-portalOIDC app/provider (https://app.dezky.eu/api/auth/callback).operator-application.yaml—dezky-operatorOIDC app/provider (https://operator.dezky.eu/auth/oidc/callback) +dezky-platform-adminsgroup + an access policy restricting operator login to that group.
Client secrets live in authentik-secret (PORTAL_OIDC_CLIENT_SECRET,
OPERATOR_OIDC_CLIENT_SECRET) — the apps must reuse the SAME values.
Applying them (two gotchas, both handled)
invalidation_flowis REQUIRED on OAuth2 providers in Authentik 2026.5 (dev's 2025.10 didn't need it) — both providers set it via!Find.- ConfigMap mounts present files as symlinks, which Authentik's discovery
won't read. So the worker uses an initContainer that copies the ConfigMap
into an emptyDir as real files at
/blueprints/custom:kubectl -n dezky-auth create configmap authentik-blueprints \ --from-file=blueprints/ --dry-run=client -o yaml | kubectl apply -f - # patch worker: add bp-src(configMap) + bp-cust(emptyDir) + initContainer # `cp -L /bp-src/*.yaml /bp-cust/`, mount bp-cust at /blueprints/custom kubectl -n dezky-auth rollout restart deploy/authentik-worker # apply each (or let discovery): ak apply_blueprint custom/<file>.yamlThe chart's
worker.volumesvalue did NOT take effect on this chart version, hence the direct Deployment patch. Caveat: a helm upgrade of Authentik reverts the patch — re-apply it (move it into a custom image or a post-render kustomize patch to make it durable). TODO.
Still deferred
- Pin the chart version (currently latest → app
2026.5.2). - Durability: the server-rebrand Deployment patch + the brand image-field PATCH revert on a helm upgrade of Authentik — re-run them, or bake a custom image / post-render kustomize patch.
Full visual rebrand (logo / favicon / background / footer) — APPLIED
Brand custom CSS only reaches shadow DOM via CSS vars (so colors work), not the logo/favicon (deeper shadow root) or the "Powered by authentik" footer (light DOM). Those use dev's mechanism — real files + a bundle sed:
web-assets/—dezky-logo.svg,dezky-favicon.svg,dezky-bg.svg(carbon).- ConfigMap
authentik-web-assetsis built fromweb-assets/. server-rebrand.pypatches the authentik-server Deployment: an initContainer copies/web/distinto an emptyDir, drops the 3 svgs into/web/dist/assets/icons/, and sedsPowered by authentik->Powered by Dezky. The server then serves the patched bundle.- The brand's
branding_logo/branding_favicon/branding_default_flow_backgroundpoint at those served svgs (carried in brand.yaml; if the blueprint leaves them default, PATCH the brand via API).
Apply:
kubectl -n dezky-auth create configmap authentik-web-assets --from-file=web-assets/ --dry-run=client -o yaml | kubectl apply -f -
kubectl -n dezky-auth get deploy authentik-server -o json | python3 server-rebrand.py | kubectl apply -f -
CAVEAT: the server patch + brand PATCH revert on a helm upgrade of Authentik — re-run them (or bake a custom image) for durability.