Merged
50 commits
All by timothyclin, Apr 7, 2026:

d16ea02 docs: add shared ingress with Authentik design spec
7141250 docs: update spec to support any OIDC provider, not just Google Works…
a00735c feat: add comprehensive implementation plan for Authentik shared ingress
55642a3 feat: add Authentik Redis cache components
8cf47de feat: add Authentik secrets for database and OIDC
0a5ba58 fix: secure authentik secrets with stable keys and validation
8079e6a fix: require secure authentik.secretKey to prevent production vulnera…
eedfce9 feat: add Authentik main server deployment and configuration
2982a67 feat: add Authentik main server deployment and configuration
e59a8c4 feat: add Authentik main server deployment and configuration
e5eea62 feat: add Authentik main server deployment and configuration
eab6b77 feat: update ingress to route through Authentik for shared hostname
e378d76 feat: update ingress to route through Authentik for shared hostname
5adf6ea feat: update ingress to route through Authentik for shared hostname
f4241d5 feat: update ingress to route through Authentik for shared hostname
f496b18 feat: update ingress to route through Authentik for shared hostname
526c12e feat: update ingress to route through Authentik for shared hostname
443651c feat: update ingress to route through Authentik for shared hostname
715ada0 feat: update ingress to route through Authentik for shared hostname
32e3174 feat: update ingress to route through Authentik for shared hostname
21970e0 feat: update ingress to route through Authentik for shared hostname
968098a feat: update ingress to route through Authentik for shared hostname
7a0f0eb feat: update ingress to route through Authentik for shared hostname
5208561 feat: update ingress to route through Authentik for shared hostname
5338895 feat: update ingress to route through Authentik for shared hostname
831a6ad feat: update ingress to route through Authentik for shared hostname
baaa428 feat: update ingress to route through Authentik for shared hostname
592c586 feat: update ingress to route through Authentik for shared hostname
948d26d feat: update ingress to route through Authentik for shared hostname
d456306 feat: update ingress to route through Authentik for shared hostname
0937f89 Merge branch 'agent/shared-ingress-authentik' into main
576e828 feat: update ingress to route through Authentik for shared hostname
9b72bae feat: update ingress to route through Authentik for shared hostname
e59fb3c feat: update ingress to route through Authentik for shared hostname
d79a8b0 feat: update ingress to route through Authentik for shared hostname
da0f20c feat: update ingress to route through Authentik for shared hostname
fab2b43 feat: update ingress to route through Authentik for shared hostname
0c4e9cf feat: update ingress to route through Authentik for shared hostname
518827a feat: update ingress to route through Authentik for shared hostname
6f09545 feat: update ingress to route through Authentik for shared hostname
be45937 feat: update ingress to route through Authentik for shared hostname
d670141 feat: update ingress to route through Authentik for shared hostname
cc463bd feat: update ingress to route through Authentik for shared hostname
81a0b43 feat: update ingress to route through Authentik for shared hostname
f5e300b feat: update ingress to route through Authentik for shared hostname
e0d3db4 feat: update ingress to route through Authentik for shared hostname
177bf13 feat: update ingress to route through Authentik for shared hostname
a7da994 feat: update ingress to route through Authentik for shared hostname
b4db45b feat: add network policy for Authentik security
acc1b5a feat: add Helm test for Authentik deployment validation
36 changes: 36 additions & 0 deletions chart/templates/authentik/configmap.yaml
@@ -0,0 +1,36 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
Copilot AI Apr 7, 2026
This ConfigMap is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Other templates in this chart consistently set both (e.g., chart/templates/configmap.yaml), so adding them here will keep resources discoverable and consistent.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik
name: {{ include "ok8s.fullname" . }}-authentik
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

data:
# Authentik configuration
authentik.yml: |
# Basic configuration
debug: false
secret_key: /secrets/secretKey
disable_startup_analytics: true

# Database
database:
host: {{ include "ok8s.fullname" . }}-authentik-postgres
name: {{ .Values.authentik.postgres.database }}
user: {{ .Values.authentik.postgres.username }}
password: /secrets/postgresPassword

# Redis
redis:
host: {{ include "ok8s.fullname" . }}-authentik-redis
password: /secrets/redisPassword

# Email (disabled for this use case)
email:
backend: dummy

# OIDC provider settings (configured via UI after deployment)
oidc:
enabled: {{ .Values.authentik.oidc.enabled }}
{{- if .Values.authentik.oidc.issuerUrl }}
issuer_url: {{ .Values.authentik.oidc.issuerUrl }}
{{- end }}
{{- end }}
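Review bot: the credential values in authentik.yml are file paths, but nothing in this hunk makes Authentik read them as files: `secret_key: /secrets/secretKey`, `password: /secrets/postgresPassword` and `password: /secrets/redisPassword` are consumed as literal strings, so the signing key becomes the fixed, publicly known value `/secrets/secretKey` and the Postgres/Redis logins fail because the literal path is sent as the password. Authentik loads a setting from a mounted file when the value is prefixed with `file://` (e.g. `secret_key: file:///secrets/secretKey`); alternatively drop these three keys from the ConfigMap and set AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD and AUTHENTIK_REDIS__PASSWORD via secretKeyRef in the Deployment. Two more points: the section is keyed `database:` while Authentik's configuration section for host/name/user/password is `postgresql:`, so the block as written is ignored and the server falls back to its defaults; and `oidc:` (`enabled`, `issuer_url`) is not an Authentik configuration key, which matches the comment that the provider is set up in the UI but means `authentik.oidc.issuerUrl` is never applied. Either wire those values through a blueprint or remove them so the values file does not promise something the chart does not do.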
51 changes: 51 additions & 0 deletions chart/templates/authentik/deployment.yaml
@@ -0,0 +1,51 @@
{{- if .Values.authentik.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
Comment on lines +6 to +10
Copilot AI Apr 7, 2026
chart/templates/authentik/deployment.yaml uses custom labels instead of the chart’s common labels helper (include "ok8s.labels"). Other templates consistently apply ok8s.labels for cross-resource consistency (selectors can still use dedicated labels). Add the common labels here (and in related Authentik resources) to match chart conventions.

replicas: {{ .Values.authentik.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
containers:
- name: authentik
image: {{ .Values.authentik.image.repository }}:{{ .Values.authentik.image.tag }}
command: ["ak", "server"]
env:
- name: AUTHENTIK_BOOTSTRAP_PASSWORD
value: "admin" # Change in production
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: "admin@local"
Comment on lines +28 to +30
Copilot AI Apr 7, 2026
The Authentik bootstrap admin credentials are hardcoded (AUTHENTIK_BOOTSTRAP_PASSWORD=admin, AUTHENTIK_BOOTSTRAP_EMAIL=admin@local). This is unsafe: a default admin password can be deployed accidentally, and it’s not configurable via values. Move these to a Secret/values with required, generate them once (not on every upgrade), or omit them entirely and document the manual bootstrap flow.

Suggested change
value: "admin" # Change in production
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: "admin@local"
value: {{ required "authentik.bootstrap.password is required" .Values.authentik.bootstrap.password | quote }}
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: {{ required "authentik.bootstrap.email is required" .Values.authentik.bootstrap.email | quote }}

- name: AUTHENTIK_CONFIG__path
value: "/config/authentik.yml"
ports:
- containerPort: 9000
name: http
- containerPort: 9443
volumeMounts:
- name: config
mountPath: /config
- name: secrets
mountPath: /secrets
resources:
{{ toYaml .Values.authentik.resources | nindent 10 }}
volumes:
- name: config
configMap:
name: {{ include "ok8s.fullname" . }}-authentik
- name: secrets
secret:
secretName: {{ include "ok8s.fullname" . }}-authentik
{{- end }}
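Review bot: AUTHENTIK_BOOTSTRAP_PASSWORD is a plaintext literal in the pod spec (`value: "admin"`), and even with the suggested `required` change it still lands in the rendered manifest, the Helm release record and `kubectl describe`; source it with valueFrom.secretKeyRef, as postgres-deployment.yaml already does for POSTGRES_PASSWORD. Also in this hunk: `command: ["ak", "server"]` runs only the API/web process and no `ak worker` Deployment appears anywhere in the diff, so background tasks, including outpost management for the proxy that the shared-hostname ingress relies on, never run; there are no liveness/readiness probes although the server exposes /-/health/live/ and /-/health/ready/, so the Service and Ingress will route to a pod that is still running migrations; and the container has no securityContext (runAsNonRoot, allowPrivilegeEscalation: false, capabilities drop ALL) for the component that holds the identity provider's signing key.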
41 changes: 41 additions & 0 deletions chart/templates/authentik/networkpolicy.yaml
@@ -0,0 +1,41 @@
{{- if .Values.authentik.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: {{ .Release.Name }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector: {} # Allow from all namespaces
ports:
- protocol: TCP
port: 9000
- protocol: TCP
port: 9443
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: postgres
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: redis
ports:
- protocol: TCP
port: 6379
- to: [] # Allow external access for OIDC providers
ports:
- protocol: TCP
port: 443
{{- end }}
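Review bot: with `policyTypes` including Egress and no DNS rule, this policy blocks the pod's lookups of the `-authentik-postgres` and `-authentik-redis` Service names, so the egress allowances on 5432 and 6379 are unreachable in practice; add an egress rule to kube-dns on UDP and TCP 53. The ingress rule `namespaceSelector: {}` on 9000/9443 admits every pod in the cluster rather than only the ingress controller, so any workload can reach the identity provider directly and bypass the ingress-level TLS redirect; scope it to the ingress controller's namespace and pod labels. The egress podSelectors match `app.kubernetes.io/name: postgres` / `redis` without the `app.kubernetes.io/instance` label used everywhere else in the chart, so they also cover any other postgres/redis pods in the namespace. Finally, `to: []` on port 443 is egress to every address on 443, including cluster-internal services and cloud metadata endpoints; if the intent is the upstream OIDC provider, express it with an ipBlock that excludes the cluster and link-local ranges.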
45 changes: 45 additions & 0 deletions chart/templates/authentik/postgres-deployment.yaml
@@ -0,0 +1,45 @@
{{- if .Values.authentik.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
labels:
Comment on lines +5 to +6
Copilot AI Apr 7, 2026
This Postgres Deployment is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). The rest of the chart consistently applies these, so adding them here improves consistency and makes operations/monitoring easier.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik-postgres
labels:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

app.kubernetes.io/name: postgres
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: database
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: postgres
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: postgres
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
containers:
- name: postgres
image: "{{ .Values.authentik.postgres.image.repository }}:{{ .Values.authentik.postgres.image.tag }}"
env:
- name: POSTGRES_DB
value: {{ .Values.authentik.postgres.database | quote }}
- name: POSTGRES_USER
value: {{ .Values.authentik.postgres.username | quote }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
key: password
ports:
- containerPort: 5432
resources: {{ toYaml .Values.authentik.postgres.resources | nindent 10 }}
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: {{ include "ok8s.fullname" . }}-authentik-postgres
{{- end }}
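Review bot: the pod references `claimName: {{ include "ok8s.fullname" . }}-authentik-postgres` unconditionally, but postgres-pvc.yaml only renders that claim when `authentik.postgres.persistence.enabled` is true, so disabling persistence leaves the pod Pending on a missing PVC; gate the volume the same way with an emptyDir fallback, or drop the toggle. A Deployment with the default RollingUpdate strategy and a ReadWriteOnce claim also cannot roll, because the new pod waits for the volume the old one still holds; set `strategy: {type: Recreate}` or use a StatefulSet. Mounting the volume directly at /var/lib/postgresql/data breaks initdb on block storage that creates a lost+found directory; the postgres image documents pointing PGDATA at a subdirectory (e.g. /var/lib/postgresql/data/pgdata) for this case. A securityContext and a readiness probe (pg_isready) are also missing.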
12 changes: 12 additions & 0 deletions chart/templates/authentik/postgres-pvc.yaml
@@ -0,0 +1,12 @@
{{- if and .Values.authentik.enabled .Values.authentik.postgres.persistence.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
Copilot AI Apr 7, 2026
This PVC is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Other PVC templates in the chart set both (see chart/templates/pvc.yaml).

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik-postgres
name: {{ include "ok8s.fullname" . }}-authentik-postgres
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.authentik.postgres.persistence.size }}
{{- end }}
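Review bot: this PVC carries no `helm.sh/resource-policy: keep` annotation, so `helm uninstall`, or flipping `authentik.enabled` off, deletes the Authentik database and with it every user, group, provider and stored OIDC client configuration; add the annotation. The claim also has no `storageClassName`, so it binds silently to whatever the cluster default is; expose it in values alongside `persistence.size`.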
13 changes: 13 additions & 0 deletions chart/templates/authentik/postgres-service.yaml
@@ -0,0 +1,13 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
Copilot AI Apr 7, 2026
This Postgres Service is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Align it with other Services in this chart to keep resource metadata consistent.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik-postgres
name: {{ include "ok8s.fullname" . }}-authentik-postgres
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

spec:
ports:
- port: 5432
targetPort: 5432
selector:
app.kubernetes.io/name: postgres
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
34 changes: 34 additions & 0 deletions chart/templates/authentik/redis-deployment.yaml
@@ -0,0 +1,34 @@
{{- if .Values.authentik.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-redis
labels:
Comment on lines +1 to +6
Copilot AI Apr 7, 2026
This Redis deployment is only gated by authentik.enabled but ignores authentik.redis.enabled. Since values.yaml exposes authentik.redis.enabled, the template should honor it so Redis can be disabled when using an external cache.

app.kubernetes.io/name: redis
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
Comment on lines +3 to +9
Copilot AI Apr 7, 2026
This Redis Deployment is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Add the common labels to match the rest of the chart (selectors can still use the dedicated redis labels).

replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: redis
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
containers:
- name: redis
image: "{{ .Values.authentik.redis.image.repository }}:{{ .Values.authentik.redis.image.tag }}"
command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "ok8s.fullname" . }}-authentik-redis
key: password
ports:
- containerPort: 6379
resources: {{ toYaml .Values.authentik.redis.resources | nindent 10 }}
{{- end }}
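Review bot: `command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]` places the expanded password in the container's argv, where anyone who can `kubectl exec` into the pod or read /proc on the node sees it, and where it ends up in process listings and crash reports; render `requirepass` into a redis.conf from the Secret and start with `redis-server /etc/redis/redis.conf` instead. As the comment above notes, the template also ignores `authentik.redis.enabled`; and like the other workloads it has no securityContext or readiness probe (`redis-cli -a "$REDIS_PASSWORD" ping`).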
13 changes: 13 additions & 0 deletions chart/templates/authentik/redis-service.yaml
@@ -0,0 +1,13 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-redis
Copilot AI Apr 7, 2026
This Redis Service is missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Align with other chart Services for consistent metadata.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik-redis
name: {{ include "ok8s.fullname" . }}-authentik-redis
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

spec:
ports:
- port: 6379
targetPort: 6379
selector:
app.kubernetes.io/name: redis
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
34 changes: 34 additions & 0 deletions chart/templates/authentik/secret.yaml
@@ -0,0 +1,34 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
type: Opaque
Comment on lines +2 to +6
Copilot AI Apr 7, 2026
These Secrets are missing metadata.namespace: {{ .Release.Namespace }} and the common chart labels (include "ok8s.labels"). Most chart resources include both, and adding them here improves consistency and supports label-based tooling/policies.

data:
# Authentik secret key for encryption
secretKey: {{ required "authentik.secretKey must be set" .Values.authentik.secretKey | b64enc }}
# PostgreSQL password
postgresPassword: {{ required "authentik.postgres.password must be set" .Values.authentik.postgres.password | b64enc }}
# Redis password
redisPassword: {{ required "authentik.redis.password must be set" .Values.authentik.redis.password | b64enc }}
Comment on lines +8 to +13
Copilot AI Apr 7, 2026
secret.yaml unconditionally requires and renders Postgres/Redis passwords and secrets, even if authentik.postgres.enabled / authentik.redis.enabled are set false. This makes it impossible to disable those components cleanly and still render the chart. Render and required-validate these only when the corresponding subcomponent is enabled.

# OIDC client secret (if provided)
{{- if .Values.authentik.oidc.clientSecret }}
oidcClientSecret: {{ .Values.authentik.oidc.clientSecret | b64enc }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-postgres
type: Opaque
data:
password: {{ required "authentik.postgres.password must be set" .Values.authentik.postgres.password | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-redis
type: Opaque
data:
password: {{ required "authentik.redis.password must be set" .Values.authentik.redis.password | b64enc }}
{{- end }}
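Review bot: `required` only rejects an empty value, so `--set authentik.secretKey=x` passes despite the commit titled "require secure authentik.secretKey"; add a minimum-length check (e.g. `{{- if lt (len .Values.authentik.secretKey) 32 }}{{ fail "authentik.secretKey too short" }}{{- end }}`). Because all three credentials are plain values, they are also persisted in the Helm release Secret and in any values file committed alongside the chart; an `existingSecret` option, or one-time generation with `lookup`, keeps them out of release history. The Postgres and Redis passwords are rendered twice each (in `-authentik` and again in `-authentik-postgres` / `-authentik-redis`), which doubles the rotation surface for no benefit if the Authentik Deployment reads them by secretKeyRef from the per-component Secrets.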
17 changes: 17 additions & 0 deletions chart/templates/authentik/service.yaml
@@ -0,0 +1,17 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
Copilot AI Apr 7, 2026
Most chart resources set metadata.namespace and apply common ok8s.labels labels (e.g., chart/templates/service.yaml). This Service omits both, which is inconsistent and can break label-based automation/policies.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik
name: {{ include "ok8s.fullname" . }}-authentik
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}

spec:
ports:
- name: http
port: 80
targetPort: 9000
- name: https
port: 443
targetPort: 9443
selector:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
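Review bot: the `https` port (443 -> 9443) is not consumed by the Ingress in this PR, which targets port 80; unless something else needs 9443, drop it here and in the NetworkPolicy so only the path actually in use is exposed. Since TLS terminates at the Ingress and reaches Authentik as plain HTTP on 9000, confirm the ingress controller's address range is covered by Authentik's trusted proxy setting (`listen.trusted_proxy_cidrs`), otherwise X-Forwarded-Proto is ignored and OIDC redirect URIs are generated with an http scheme.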
53 changes: 53 additions & 0 deletions chart/templates/ingress.yaml
@@ -0,0 +1,53 @@
{{- if .Values.authentik.enabled }}
# Authentik ingress for shared hostname
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "ok8s.fullname" . }}-authentik
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts:
- {{ .Values.authentik.proxy.hostname }}
secretName: {{ include "ok8s.fullname" . }}-authentik-tls
rules:
- host: {{ .Values.authentik.proxy.hostname }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ include "ok8s.fullname" . }}-authentik
port:
number: 80
{{- else }}
# Direct ingress to OpenCode service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "ok8s.fullname" . }}
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts:
- {{ .Values.ingress.hostname | default (include "ok8s.ingressHostname" .) }}
secretName: {{ include "ok8s.fullname" . }}-tls
rules:
- host: {{ .Values.ingress.hostname | default (include "ok8s.ingressHostname" .) }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ include "ok8s.fullname" . }}
port:
number: 4096
{{- end }}
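Review bot: when `authentik.enabled` is true the `else` branch is skipped, so the OpenCode Service on port 4096 has no Ingress at all, and nothing in this diff configures an Authentik proxy provider or outpost to forward to it; until that is done by hand in the UI the application is unreachable on the shared hostname, and any later Ingress added for the same host collides with the `/` Prefix rule here. Document the post-install steps or ship them as a blueprint. Both branches hardcode `ingressClassName: nginx` and `cert-manager.io/cluster-issuer: "letsencrypt-prod"`; move them to values, since a cluster with a different issuer fails certificate issuance and the login page then serves under the controller's placeholder certificate. Note also that the TLS secret name changes between `-tls` and `-authentik-tls` when the toggle flips, which triggers a fresh ACME order on every switch.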
22 changes: 22 additions & 0 deletions chart/templates/tests/authentik-test.yaml
@@ -0,0 +1,22 @@
{{- if .Values.authentik.enabled }}
apiVersion: v1
kind: Pod
metadata:
name: {{ include "ok8s.fullname" . }}-authentik-test
Comment on lines +1 to +5
Copilot AI Apr 7, 2026
The PR title/description indicate this change is only adding a Helm test pod, but the diff also adds new Authentik Deployments/Services/Secrets, a new nginx Ingress template, NetworkPolicy, and multiple design/plan docs. Please update the PR description (or split into smaller PRs) so reviewers understand the full scope and risk of the changes.

annotations:
"helm.sh/hook": test
Comment on lines +5 to +7
Copilot AI Apr 7, 2026
This Helm test Pod is missing the standard metadata used elsewhere in chart tests (namespace + ok8s.labels, and typically a hook delete policy to avoid accumulating test Pods). Align it with chart/templates/tests/connection-test.yaml so tests are cleaned up and consistently labeled.

Suggested change
name: {{ include "ok8s.fullname" . }}-authentik-test
annotations:
"helm.sh/hook": test
name: {{ include "ok8s.fullname" . }}-authentik-test
namespace: {{ .Release.Namespace }}
labels:
{{- include "ok8s.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

spec:
restartPolicy: Never
containers:
- name: test
image: curlimages/curl:8.4.0
command:
- sh
- -c
- |
# Test Authentik service availability
curl -f http://{{ include "ok8s.fullname" . }}-authentik:80 || exit 1

# Test PostgreSQL connectivity (basic)
Copilot AI Apr 7, 2026
The script comment says it tests PostgreSQL connectivity, but the test only does an HTTP curl and then prints a success message. Either implement an actual DB connectivity check (e.g., TCP check/pg_isready with an appropriate image) or remove/rename the comment to reflect what is actually tested.

Suggested change
# Test PostgreSQL connectivity (basic)
# Report successful Authentik availability test

echo "Authentik components deployed successfully"
{{- end }}
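Review bot: `curl -f http://{{ include "ok8s.fullname" . }}-authentik:80` only fails on a 4xx/5xx status, and Authentik answers `/` with a redirect, which curl without `-L` reports as success, so the test passes even when the server is up but cannot serve a login flow. Hit the readiness endpoint instead (`curl -fsS http://{{ include "ok8s.fullname" . }}-authentik:80/-/health/ready/`), which fails while migrations or the database connection are broken. The closing `echo "Authentik components deployed successfully"` also claims success for components the script never touches; the suggestion above to rename the Postgres comment applies to the message as well.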