Update Authentik values.yaml to clarify PVC usage for media uploads. Specify that authentik-data is mounted on the server only to avoid Multi-Attach errors, and recommend using S3 or an RWX StorageClass for shared media access from workers.

ansible/inventory/group_vars/all.yml

@@ -20,7 +20,7 @@ noble_newt_install: true
 noble_cert_manager_require_cloudflare_secret: true
 
 # Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
-noble_velero_install: false
+noble_velero_install: true
 
 # Bootstrap kustomize in Argo (**noble-bootstrap-root** → **clusters/noble/bootstrap**, includes **clusters/noble/apps**). Applied with manual sync; enable automation after **noble.yml** (see **clusters/noble/bootstrap/argocd/README.md** §5).
 noble_argocd_apply_bootstrap_root_application: true

clusters/noble/bootstrap/authentik/values.yaml

@@ -11,16 +11,9 @@
 # helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
 #   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
 #
-# **Media / uploads:** server + worker mount **PVC `authentik-data`** at **`/data`** (Authentik stores media under **`/data/media`**). Chart **`additionalObjects`** creates the PVC (**Longhorn**, RWO). Increase **storage** or use another **storageClassName** if needed.
+# **Media / uploads:** PVC **`authentik-data`** at **`/data`** is mounted on **server only**. Longhorn **RWO** allows
-
+# a single attachment — the same PVC on **server** and **worker** causes **Multi-Attach** errors. For shared media from
-global:
+# workers, use **S3** or an **RWX** StorageClass (e.g. **`longhorn-rwx`** when installed) and **ReadWriteMany** on the PVC.
-  volumes:
-    - name: authentik-data
-      persistentVolumeClaim:
-        claimName: authentik-data
-  volumeMounts:
-    - name: authentik-data
-      mountPath: /data
 
 additionalObjects:
   - apiVersion: v1
@@ -58,6 +51,13 @@ authentik:
 
 server:
   replicas: 1
+  volumes:
+    - name: authentik-data
+      persistentVolumeClaim:
+        claimName: authentik-data
+  volumeMounts:
+    - name: authentik-data
+      mountPath: /data
   ingress:
     enabled: true
     ingressClassName: traefik