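# Authentik — SSO / identity provider
# PostgreSQL backend via cluster DNS: postgres
# No Redis required as of 2026.2.x
# Unpinned — no nodeSelector/affinity is set. Note that local-path volumes are
# typically node-local, so once the PVCs bind the pods follow the volume's node.
# NodePort 32372 (HTTP), 32373 (HTTPS)
#
# Deploy (values in <angle brackets> are placeholders):
#   kubectl create secret generic authentik-secret \
#     --namespace <namespace> \
#     --from-literal=db-password='<db-password>' \
#     --from-literal=secret-key='<secret-key>'
#   kubectl apply -f authentik-db-init.yaml -n <namespace>
#   kubectl get jobs -n <namespace> -w   # wait for completion
#   kubectl apply -f authentik.yaml -n <namespace>
#
# --from-literal leaves both values in shell history and the process list;
# --from-file or --from-env-file with a file that is deleted afterwards avoids that.
#
# Initial setup wizard: http://<node-ip>:32372/if/flow/initial-setup/
#
# The wizard sets the first administrator's credentials and is served over
# plain HTTP on a NodePort, i.e. on every node address that can be reached.
# Complete it right after the first start from a trusted network, restrict who
# can reach 32372 (host firewall / NetworkPolicy), and use 32373 or a
# TLS-terminating proxy for day-to-day logins.
#
# Generate secret-key with: openssl rand -base64 36
---
# Media storage, mounted by both the server and the worker Deployment.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 5Gi
---
# Certificate storage, mounted by the worker only.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-certs-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
---
# Web/API process. This is the only workload selected by the Service below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-server
  template:
    metadata:
      labels:
        app: authentik-server
    spec:
      # NOTE(review): no serviceAccountName is set, so the namespace's default
      # ServiceAccount token is mounted into this pod. If the workload never
      # calls the Kubernetes API, consider automountServiceAccountToken: false —
      # confirm before changing.
      containers:
        - name: authentik-server
          # Pinned by tag only; append @sha256:<digest> to pin the image content.
          image: ghcr.io/goauthentik/server:2026.2.1
          command: ["ak", "server"]
          # Defence in depth for an identity provider: the listeners are on
          # unprivileged ports (9000/9443), so no Linux capability is needed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # Both secrets come from the authentik-secret Secret created in the
            # deploy steps; nothing sensitive is stored in this manifest.
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secret
                  key: secret-key
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgres
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik_db
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik_user
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secret
                  key: db-password
          ports:
            - containerPort: 9000
            - containerPort: 9443
          volumeMounts:
            - name: media
              mountPath: /media
      volumes:
        # Same ReadWriteOnce claim as the worker: both pods must run on one node.
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media-pvc
---
# Background worker. Same image and database settings as the server; it is not
# exposed by any Service in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-worker
  template:
    metadata:
      labels:
        app: authentik-worker
    spec:
      # NOTE(review): the default ServiceAccount token is mounted here as well;
      # disable it only after confirming the worker does not use the
      # Kubernetes API in this deployment.
      containers:
        - name: authentik-worker
          # Keep this tag identical to the server's so both run the same release.
          image: ghcr.io/goauthentik/server:2026.2.1
          command: ["ak", "worker"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # Must match the server's values: same secret key, same database.
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secret
                  key: secret-key
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgres
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik_db
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik_user
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secret
                  key: db-password
          volumeMounts:
            - name: media
              mountPath: /media
            - name: certs
              mountPath: /certs
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: authentik-media-pvc
        - name: certs
          persistentVolumeClaim:
            claimName: authentik-certs-pvc
---
# NodePort Service: opens 32372 (HTTP) and 32373 (HTTPS) on every node and
# forwards to the server pods. Port 32372 carries logins in cleartext; limit
# its reachability or front it with TLS.
apiVersion: v1
kind: Service
metadata:
  name: authentik
spec:
  selector:
    app: authentik-server
  ports:
    - name: http
      port: 9000
      targetPort: 9000
      nodePort: 32372
    - name: https
      port: 9443
      targetPort: 9443
      nodePort: 32373
  type: NodePort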