Update Authentik values.yaml to clarify PVC usage for media uploads. Specify that authentik-data is mounted on the server only to avoid Multi-Attach errors, and recommend using S3 or an RWX StorageClass for shared media access from workers.

clusters/noble/bootstrap/authentik/values.yaml

@@ -11,16 +11,9 @@
 # helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
 #   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
 #
-# **Media / uploads:** server + worker mount **PVC `authentik-data`** at **`/data`** (Authentik stores media under **`/data/media`**). Chart **`additionalObjects`** creates the PVC (**Longhorn**, RWO). Increase **storage** or use another **storageClassName** if needed.
-
-global:
-  volumes:
-    - name: authentik-data
-      persistentVolumeClaim:
-        claimName: authentik-data
-  volumeMounts:
-    - name: authentik-data
-      mountPath: /data
+# **Media / uploads:** PVC **`authentik-data`** at **`/data`** is mounted on **server only**. Longhorn **RWO** allows
+# a single attachment — the same PVC on **server** and **worker** causes **Multi-Attach** errors. For shared media from
+# workers, use **S3** or an **RWX** StorageClass (e.g. **`longhorn-rwx`** when installed) and **ReadWriteMany** on the PVC.
 
 additionalObjects:
   - apiVersion: v1
@@ -58,6 +51,13 @@ authentik:
 
 server:
   replicas: 1
+  volumes:
+    - name: authentik-data
+      persistentVolumeClaim:
+        claimName: authentik-data
+  volumeMounts:
+    - name: authentik-data
+      mountPath: /data
   ingress:
     enabled: true
     ingressClassName: traefik