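---
# Authentik configuration: non-secret environment variables shared by the
# server and the worker Deployments below.
# Credentials (e.g. AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD,
# AUTHENTIK_EMAIL__PASSWORD) are NOT in this ConfigMap; they are presumably
# provided by the Secret "authentik-secrets" that both Deployments reference
# via secretRef — verify that Secret exists in the same namespace.
# All values are quoted on purpose: ConfigMap data must be strings, and
# "true"/"587" would otherwise be parsed as bool/int.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-config
  namespace: authentik
data:
  AUTHENTIK_REDIS__HOST: "authentik-redis"
  AUTHENTIK_POSTGRESQL__HOST: "authentik-postgresql"
  AUTHENTIK_POSTGRESQL__USER: "authentik"
  AUTHENTIK_POSTGRESQL__NAME: "authentik"
  AUTHENTIK_EMAIL__HOST: "smtp.example.com"
  AUTHENTIK_EMAIL__PORT: "587"
  AUTHENTIK_EMAIL__USE_TLS: "true"
  AUTHENTIK_EMAIL__USERNAME: "user"
  AUTHENTIK_EMAIL__FROM: "authentik@stabify.de"
  AUTHENTIK_ERROR_REPORTING__ENABLED: "false"

---
# Persistent storage for uploaded media (mounted at /media).
# NOTE(review): this claim is ReadWriteOnce but is mounted by BOTH the server
# and the worker Deployment. An RWO volume can be attached to one node at a
# time, so the two pods must be scheduled onto the same node or the second
# one stays Pending — consider ReadWriteMany (if the storage class supports
# it) or pod affinity between the two Deployments.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media
  namespace: authentik
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi

---
# SERVER (web UI / API)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: authentik
  labels:
    app: authentik
    component: server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik
      component: server
  template:
    metadata:
      labels:
        app: authentik
        component: server
    spec:
      # fsGroup is a POD-level field. The original manifest placed it inside
      # the container securityContext, where it is not a valid field and is
      # rejected (or silently dropped) by the API server. At pod level the
      # kubelet makes the mounted volume group-owned by GID 1000.
      securityContext:
        fsGroup: 1000
      # Init container: create the media sub-directories and hand the volume
      # to UID/GID 1000 (the user the authentik container runs as).
      # Runs as root because chown requires it; it has no network exposure.
      initContainers:
        - name: init-media-permissions
          # TODO(review): pin to a specific tag or digest instead of ":latest"
          # so the init image cannot change underneath the deployment.
          image: busybox:latest
          command: ["sh", "-c"]
          args:
            - |
              mkdir -p /media/public /media/private
              # owner + group (1000, matching fsGroup) get full access;
              # no need for world-writable (777) on a volume only these pods mount
              chmod -R 770 /media
              chown -R 1000:1000 /media || true
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: media
              mountPath: /media
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["server"]
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
          # Non-secret settings from the ConfigMap above; credentials from the
          # Secret "authentik-secrets" (defined elsewhere).
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            # Fail fast if the image ever tries to start as root, and block
            # setuid-style privilege gains inside the container.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          # NOTE(review): no resource requests/limits are set; add them once
          # the expected footprint of this instance is known.
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 20
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media

---
# WORKER (background tasks)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: authentik
  labels:
    app: authentik
    component: worker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik
      component: worker
  template:
    metadata:
      labels:
        app: authentik
        component: worker
    spec:
      # Pod-level fsGroup (see the server Deployment for why it lives here
      # and not in the container securityContext).
      securityContext:
        fsGroup: 1000
      # Init container: create the media sub-directories and hand the volume
      # to UID/GID 1000. Same script as the server Deployment.
      initContainers:
        - name: init-media-permissions
          # TODO(review): pin to a specific tag or digest instead of ":latest".
          image: busybox:latest
          command: ["sh", "-c"]
          args:
            - |
              mkdir -p /media/public /media/private
              chmod -R 770 /media
              chown -R 1000:1000 /media || true
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: media
              mountPath: /media
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["worker"]
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          # NOTE(review): the worker has no liveness/readiness probe, so a
          # hung worker is never restarted; the server probes above cannot be
          # reused because the worker serves no HTTP port. Add an exec-based
          # probe once the appropriate health command for this image version
          # has been confirmed.
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media

---
# Cluster-internal Service in front of the server pods. Only the plain-HTTP
# port (9000) is exposed; the container's https port (9443) is not published
# here, so TLS is expected to terminate in front of this Service.
apiVersion: v1
kind: Service
metadata:
  name: authentik-server
  namespace: authentik
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 9000
      protocol: TCP
      name: http
  selector:
    app: authentik
    component: server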