
---
# Non-secret Authentik settings shared by the server and worker Deployments
# (both pull this in through envFrom). Credentials such as the database and
# SMTP passwords and AUTHENTIK_SECRET_KEY are not here; they are presumably
# carried by the `authentik-secrets` Secret referenced next to this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-config
  namespace: authentik
data:
  # Backing services, addressed by their Service names in this namespace
  AUTHENTIK_REDIS__HOST: 'authentik-redis'
  AUTHENTIK_POSTGRESQL__HOST: 'authentik-postgresql'
  AUTHENTIK_POSTGRESQL__NAME: 'authentik'
  AUTHENTIK_POSTGRESQL__USER: 'authentik'
  # Outbound mail over TLS on the submission port; the SMTP password is
  # expected to come from the Secret, not from this ConfigMap
  AUTHENTIK_EMAIL__HOST: 'smtp.example.com'
  AUTHENTIK_EMAIL__PORT: '587'
  AUTHENTIK_EMAIL__USE_TLS: 'true'
  AUTHENTIK_EMAIL__USERNAME: 'user'
  AUTHENTIK_EMAIL__FROM: 'authentik@stabify.de'
  # Keep error/telemetry reporting to the upstream project switched off
  AUTHENTIK_ERROR_REPORTING__ENABLED: 'false'
---
# Persistent storage for Authentik's /media tree (uploads).
# NOTE(review): this claim is ReadWriteOnce, yet both the server and the
# worker Deployments mount it. An RWO volume can be attached to a single node
# only, so the two pods have to be co-scheduled on one node; if the storage
# class can provide ReadWriteMany, switching the access mode is the cleaner
# fix — confirm what this Longhorn installation supports.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media
  namespace: authentik
spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
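---
# SERVER (Web/API)
#
# Hardening applied here compared to the bare deployment:
#   - the media volume is ReadWriteOnce, so updates use Recreate instead of a
#     rolling update (a second pod on another node could not attach the PVC)
#   - the init container no longer makes /media world-writable (777); owner
#     and group (uid/gid 1000, matching fsGroup) get rw, "other" gets nothing
#   - the root init container keeps only the capabilities chown/chmod need
#   - the application container cannot gain privileges and drops all caps
#   - a startup probe gives a slow first start (e.g. database migrations)
#     time to finish before the liveness probe can restart the pod
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: authentik
  labels:
    app: authentik
    component: server
spec:
  replicas: 1
  # RWO volume: never run old and new pod side by side
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: authentik
      component: server
  template:
    metadata:
      labels:
        app: authentik
        component: server
    spec:
      # Pod-level SecurityContext: fsGroup for volume permissions.
      # OnRootMismatch skips the recursive ownership change when the volume
      # root already has the expected group, which keeps restarts fast.
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      # Init container: create the media layout and set its permissions.
      # Runs as root because the volume may arrive owned by someone else.
      initContainers:
        - name: init-media-permissions
          # Pinned tag instead of :latest so the image cannot change under us;
          # prefer an @sha256 digest pin in production.
          image: busybox:1.36
          command: ["sh", "-c"]
          args:
            - |
              set -eu
              mkdir -p /media/public /media/private
              # rw for owner and group, directories traversable, nothing for others
              chmod -R u+rwX,g+rwX,o-rwx /media
              # best effort: ownership mismatch is already covered by fsGroup
              chown -R 1000:1000 /media || true
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
                - FOWNER
                - DAC_OVERRIDE
          volumeMounts:
            - name: media
              mountPath: /media
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["server"]
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # Up to 30 x 10 s (~5 min) for the first start; liveness is not
          # evaluated until this succeeds.
          startupProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            periodSeconds: 10
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 20
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media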
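---
# WORKER (Background Tasks)
#
# Mirrors the server's hardening: Recreate strategy because the media volume
# is ReadWriteOnce, a least-privilege root init container, a non-root
# application container with no capabilities, and a required pod affinity to
# the server so both pods land on the node that holds the RWO volume. Drop
# the affinity if the PVC is ever changed to ReadWriteMany.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: authentik
  labels:
    app: authentik
    component: worker
spec:
  replicas: 1
  # RWO volume: never run old and new pod side by side
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: authentik
      component: worker
  template:
    metadata:
      labels:
        app: authentik
        component: worker
    spec:
      # Co-locate with the server: authentik-media is ReadWriteOnce and can
      # only be attached to one node at a time.
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: authentik
                  component: server
              topologyKey: kubernetes.io/hostname
      # Pod-level SecurityContext: fsGroup for volume permissions.
      # OnRootMismatch skips the recursive ownership change when the volume
      # root already has the expected group, which keeps restarts fast.
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      # Init container: create the media layout and set its permissions.
      # Runs as root because the volume may arrive owned by someone else.
      initContainers:
        - name: init-media-permissions
          # Pinned tag instead of :latest so the image cannot change under us;
          # prefer an @sha256 digest pin in production.
          image: busybox:1.36
          command: ["sh", "-c"]
          args:
            - |
              set -eu
              mkdir -p /media/public /media/private
              # rw for owner and group, directories traversable, nothing for others
              chmod -R u+rwX,g+rwX,o-rwx /media
              # best effort: ownership mismatch is already covered by fsGroup
              chown -R 1000:1000 /media || true
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
                - FOWNER
                - DAC_OVERRIDE
          volumeMounts:
            - name: media
              mountPath: /media
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2025.10.3
          args: ["worker"]
          envFrom:
            - configMapRef:
                name: authentik-config
            - secretRef:
                name: authentik-secrets
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media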
---
# Cluster-internal Service in front of the server pods. Only the plain-HTTP
# listener (9000) is published, so TLS is presumably terminated by whatever
# ingress or proxy sits in front of this Service; the container's 9443
# listener is intentionally not exposed here.
apiVersion: v1
kind: Service
metadata:
  name: authentik-server
  namespace: authentik
spec:
  type: ClusterIP
  selector:
    app: authentik
    component: server
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9000