Update Authentik values.yaml to clarify PVC usage for media uploads. Specify that authentik-data is mounted on the server only to avoid Multi-Attach errors, and recommend using S3 or an RWX StorageClass for shared media access from workers.

2026-05-14 20:05:30 -04:00
parent 032ffee866
commit 57a149b3d2
2 changed files with 11 additions and 11 deletions
--- a/ansible/inventory/group_vars/all.yml
+++ b/ansible/inventory/group_vars/all.yml
@@ -20,7 +20,7 @@ noble_newt_install: true
 noble_cert_manager_require_cloudflare_secret: true

 # Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
-noble_velero_install: false
+noble_velero_install: true

 # Bootstrap kustomize in Argo (**noble-bootstrap-root** → **clusters/noble/bootstrap**, includes **clusters/noble/apps**). Applied with manual sync; enable automation after **noble.yml** (see **clusters/noble/bootstrap/argocd/README.md** §5).
 noble_argocd_apply_bootstrap_root_application: true
--- a/clusters/noble/bootstrap/authentik/values.yaml
+++ b/clusters/noble/bootstrap/authentik/values.yaml
@@ -11,16 +11,9 @@
 # helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
 #   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
 #
-# **Media / uploads:** server + worker mount **PVC `authentik-data`** at **`/data`** (Authentik stores media under **`/data/media`**). Chart **`additionalObjects`** creates the PVC (**Longhorn**, RWO). Increase **storage** or use another **storageClassName** if needed.
-
-global:
-  volumes:
-    - name: authentik-data
-      persistentVolumeClaim:
-        claimName: authentik-data
-  volumeMounts:
-    - name: authentik-data
-      mountPath: /data
+# **Media / uploads:** PVC **`authentik-data`** at **`/data`** is mounted on **server only**. Longhorn **RWO** allows
+# a single attachment — the same PVC on **server** and **worker** causes **Multi-Attach** errors. For shared media from
+# workers, use **S3** or an **RWX** StorageClass (e.g. **`longhorn-rwx`** when installed) and **ReadWriteMany** on the PVC.

 additionalObjects:
  - apiVersion: v1
@@ -58,6 +51,13 @@ authentik:

 server:
  replicas: 1
+  volumes:
+    - name: authentik-data
+      persistentVolumeClaim:
+        claimName: authentik-data
+  volumeMounts:
+    - name: authentik-data
+      mountPath: /data
  ingress:
    enabled: true
    ingressClassName: traefik