From 57a149b3d23a0eff531dd99d1268f870739904a7 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 20:05:30 -0400
Subject: [PATCH] Update Authentik values.yaml to clarify PVC usage for media uploads. Specify that `authentik-data` is mounted on the server only to avoid Multi-Attach errors, and recommend using S3 or an RWX StorageClass for shared media access from workers.
---
 ansible/inventory/group_vars/all.yml | 2 +-
 .../noble/bootstrap/authentik/values.yaml | 20 +++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml
index 6a8d9d1..7fcb19c 100644
--- a/ansible/inventory/group_vars/all.yml
+++ b/ansible/inventory/group_vars/all.yml
@@ -20,7 +20,7 @@ noble_newt_install: true
 noble_cert_manager_require_cloudflare_secret: true

 # Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
-noble_velero_install: false
+noble_velero_install: true

 # Bootstrap kustomize in Argo (**noble-bootstrap-root** → **clusters/noble/bootstrap**, includes **clusters/noble/apps**). Applied with manual sync; enable automation after **noble.yml** (see **clusters/noble/bootstrap/argocd/README.md** §5).
 noble_argocd_apply_bootstrap_root_application: true
diff --git a/clusters/noble/bootstrap/authentik/values.yaml b/clusters/noble/bootstrap/authentik/values.yaml
index 5493ede..63ac02f 100644
--- a/clusters/noble/bootstrap/authentik/values.yaml
+++ b/clusters/noble/bootstrap/authentik/values.yaml
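Review bot: The flip of `noble_velero_install` to `true` is not mentioned in the commit message, which only describes the Authentik PVC change, so a backup component is enabled from `group_vars/all.yml` with no record of why. The comment directly above the flag says Velero also needs an S3 bucket/URL and credentials; none of those settings are visible in this hunk, so confirm they are defined and that the credentials come from a vault or secret store rather than this file. I would move the change into its own commit, or at least add a line above the flag such as `# enabled: bucket/URL set in <vars file>, credentials in <secret store>`. The rest of the file is outside the hunk.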
@@ -11,16 +11,9 @@
 # helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
 # --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
 #
-# **Media / uploads:** server + worker mount **PVC `authentik-data`** at **`/data`** (Authentik stores media under **`/data/media`**). Chart **`additionalObjects`** creates the PVC (**Longhorn**, RWO). Increase **storage** or use another **storageClassName** if needed.
-
-global:
- volumes:
- - name: authentik-data
- persistentVolumeClaim:
- claimName: authentik-data
- volumeMounts:
- - name: authentik-data
- mountPath: /data
+# **Media / uploads:** PVC **`authentik-data`** at **`/data`** is mounted on **server only**. Longhorn **RWO** allows
+# a single attachment — the same PVC on **server** and **worker** causes **Multi-Attach** errors. For shared media from
+# workers, use **S3** or an **RWX** StorageClass (e.g. **`longhorn-rwx`** when installed) and **ReadWriteMany** on the PVC.

 additionalObjects:
 - apiVersion: v1
@@ -58,6 +51,13 @@ authentik:

 server:
 replicas: 1
+ volumes:
+ - name: authentik-data
+ persistentVolumeClaim:
+ claimName: authentik-data
+ volumeMounts:
+ - name: authentik-data
+ mountPath: /data
 ingress:
 enabled: true
 ingressClassName: traefik
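Review bot: With `authentik-data` now mounted only on the server, `replicas: 1` in the second hunk of this file becomes a hard constraint that nothing in the file records. A second server replica, or a rolling update that starts the replacement pod on another node before the old one exits, would likely hit the same Multi-Attach error this commit fixes. I would add `# keep at 1 while authentik-data is RWO (single-node attach)` next to `replicas: 1` and check whether the chart lets the server Deployment use a recreate-style rollout. The new header comment could also say that RWO limits the volume to one node rather than one attachment, and that workers no longer have `/data` at all. The indentation of the added `volumes`/`volumeMounts` keys cannot be checked from this view; they need to sit under `server:`, whose block continues past the hunk.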