ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
fd0c5d011b58428aa3886c251dde4660a5244f70
dezky/infrastructure/production/fleet/authentik/helmchart.yaml
T
Ronni Baslund d02eb5ec50 fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI 
- Pin the helm-controller chart version (unset = silent latest upgrades) and
  move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list
  rejected every authorize request. Allow authorization_code + refresh_token
  for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the
  cert-manager HTTP-01 solver keeps working.
2026-06-10 07:53:49 +02:00

72 lines
2.6 KiB
YAML
Raw Blame History

# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
# (keep them in sync). valuesContent here is the LIVE source — values.yaml is
# just a human-readable mirror, not consumed by helm-controller.
#
# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: authentik
namespace: kube-system
spec:
repo: https://charts.goauthentik.io
chart: authentik
# Pinned: helm-controller reconciles on a loop and pulls the LATEST chart when
# version is unset — a successful reconcile would then silently upgrade
# authentik. Keep == the deployed version.
version: 2026.5.2
targetNamespace: dezky-auth
createNamespace: true
valuesContent: |-
global:
# Image moved under global.image in chart 2026.5.x; the old top-level
# `image:` key now hard-fails the chart's deprecation guard (deprectations.yaml).
image:
tag: "2026.5.2"
envFrom:
- secretRef:
name: authentik-secret
env:
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: admin@dezky.eu
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
value: "true"
authentik:
error_reporting:
enabled: false
postgresql:
host: postgres.dezky-data
name: authentik
user: authentik
redis:
host: redis.dezky-data
postgresql:
enabled: false
redis:
enabled: false
server:
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
# Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer
# on port 80 at renewal; redirect-https bounces other traffic to HTTPS.
# (Middleware lives in authentik/redirect-middleware.yaml.)
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
hosts:
- auth.dezky.eu
paths:
- "/"
tls:
- hosts:
- auth.dezky.eu
secretName: authentik-tls
# NOTE: blueprints are mounted via a post-install initContainer patch on the
# worker Deployment (this chart version ignored worker.volumes here) — it
# copies the 'authentik-blueprints' ConfigMap into an emptyDir as real files
# at /blueprints/custom. See README "Blueprints + branding". Client secrets
# come from authentik-secret (PORTAL_OIDC_CLIENT_SECRET / OPERATOR_OIDC_CLIENT_SECRET).
Reference in New Issue View Git Blame Copy Permalink