Authentik
Authentik is the identity provider for the platform. It provides single sign-on via OIDC/OAuth2 to every web UI and to the Kubernetes API itself, so a single Authentik account is the only credential a user needs.
Deployment
| Field | Value |
|---|---|
| Flux path | flux-clusters/stefanzhelev/apps/authentik |
| Base path | flux-apps/authentik |
| Namespace | authentik |
| Sync wave | 4 |
| Depends on | cloudnative-pg, external-secrets-config |
What it deploys
- HelmRelease for Authentik chart >= 2026.2.0
- ExternalSecrets for the secret key, admin password, and database credentials
- Terraform CR (via Tofu Controller) that materializes those credentials in Vault
Configuration highlights
- Database: `postgresql-rw.cnpg.svc.cluster.local:5432` (external CNPG cluster)
- Cache: built-in Redis
- Server resources: 100m CPU / 512Mi memory request, 1Gi memory limit
- Worker resources: 100m CPU / 256Mi memory request, 512Mi memory limit
- Error reporting: disabled
Integrations
- Vault + Tofu Controller: Authentik’s secret key and admin password are generated and stored in Vault by a Terraform CR, then synced into the namespace by ExternalSecrets
- CloudNative-PG: PostgreSQL backend
- Kubernetes API: Authentik is the OIDC issuer for `kubectl` authentication, configured at the cluster level:

```hcl
oidc_enabled    = true
oidc_issuer_url = "<authentik-issuer-url>"
oidc_client_id  = "<client-id>"
```

Key commands
```bash
kubectl get pods -n authentik
kubectl logs -n authentik -l app.kubernetes.io/component=server
kubectl logs -n authentik -l app.kubernetes.io/component=worker
kubectl port-forward -n authentik svc/authentik-server 9000:80
```
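Added example, not code from this page or from the Authentik project: a small Python diagnostic that mirrors the claim checks kube-apiserver applies to an OIDC ID token before mapping it to a user, so a rejected `kubectl` login can be compared against the cluster's `oidc_issuer_url` and `oidc_client_id` from the integration above. The issuer URL, client id and token claims are constructed placeholders, and signature verification against the issuer's JWKS is left out, so this is for diagnosis only, not for accepting tokens.

```python
import base64
import json
import time

# Placeholders standing in for the page's <authentik-issuer-url> and <client-id>.
ISSUER_URL = "https://authentik.example.internal/application/o/kubernetes/"
CLIENT_ID = "kubernetes"

def decode_unverified_claims(id_token: str) -> dict:
    """Return the JWT payload without checking its signature (diagnostics only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token_claims(claims: dict, issuer_url: str, client_id: str,
                          now: float, username_claim: str = "sub") -> list:
    """Reasons kube-apiserver would reject these claims; an empty list means accepted.

    'iss' must equal oidc_issuer_url byte for byte (a trailing-slash mismatch is a
    classic failure), 'aud' must contain oidc_client_id, and the token must be unexpired.
    """
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # 'aud' may be a string or a list
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain client id {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if username_claim not in claims:
        problems.append(f"username claim {username_claim!r} missing")
    return problems

def constructed_token(claims: dict) -> str:
    """Unsigned JWT-shaped string built from constructed claims (sample data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.signature"

# Constructed samples: a valid token, and one whose issuer lost its trailing slash.
GOOD_CLAIMS = {"iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "alice", "exp": 4102444800}
BAD_CLAIMS = {**GOOD_CLAIMS, "iss": ISSUER_URL.rstrip("/")}

if __name__ == "__main__":
    for claims in (GOOD_CLAIMS, BAD_CLAIMS):
        token_claims = decode_unverified_claims(constructed_token(claims))
        print(check_id_token_claims(token_claims, ISSUER_URL, CLIENT_ID, time.time()))
```

To check a real login, paste the ID token from the user's kubeconfig into `decode_unverified_claims` and pass the cluster's actual issuer URL and client id; any non-empty list explains the rejection.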