update chart

clusters/cl01tl/helm/authentik/Chart.lock

@@ -7,9 +7,9 @@ dependencies:
   version: 2.1.4
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.1.4
+  version: 7.4.3
 - name: redis-replication
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.5.0
-digest: sha256:1126f39ebc7e18ae1aa96fefa42e7450ffe0b7339017abd22aa453a08608efda
+digest: sha256:d250e40d77b3010d55c258e264e36de060a6dbdb78fe56bdbfbc427692cfdcc7
-generated: "2025-12-21T19:01:52.261263152Z"
+generated: "2025-12-23T16:28:00.416521-06:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -28,7 +28,7 @@ dependencies:
     version: 2.1.4
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.1.4
+    version: 7.4.3
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: redis-replication
     version: 0.5.0

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -19,70 +19,3 @@ spec:
         key: /cl01tl/authentik/key
         metadataPolicy: None
         property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: authentik-postgresql-18-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: authentik-postgresql-18-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /digital-ocean/home-infra/postgres-backups
-        metadataPolicy: None
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: authentik-postgresql-18-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: authentik-postgresql-18-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
-        property: ACCESS_REGION

clusters/cl01tl/helm/authentik/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: http-route-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: http-route-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - authentik.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: authentik-server
-          port: 80
-          weight: 100

clusters/cl01tl/helm/authentik/values.yaml

@@ -36,8 +36,23 @@ authentik:
       enabled: true
       serviceMonitor:
         enabled: true
-    ingress:
+    route:
-      enabled: false
+      main:
+        enabled: true
+        apiVersion: gateway.networking.k8s.io/v1
+        kind: HTTPRoute
+        hostnames:
+          - authentik.alexlebens.net
+        parentRefs:
+          - group: gateway.networking.k8s.io
+            kind: Gateway
+            name: traefik-gateway
+            namespace: traefik
+        httpsRedirect: false
+        matches:
+          - path:
+              type: PathPrefix
+              value: /
   worker:
     name: worker
     replicas: 1
@@ -50,58 +65,46 @@ authentik:
     enabled: false
 postgres-18-cluster:
   mode: recovery
-  cluster:
-    storage:
-      storageClass: local-path
-    walStorage:
-      storageClass: local-path
   recovery:
     method: objectStore
     objectStore:
-      destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
-      endpointURL: http://garage-main.garage:3900
       index: 1
-      endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
   backup:
     objectStore:
       - name: garage-local
-        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
         index: 1
-        endpointURL: http://garage-main.garage:3900
+        destinationBucket: postgres-backups
-        endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
-        endpointCredentialsIncludeRegion: true
-        retentionPolicy: "3d"
         isWALArchiver: true
-      # - name: external
-      #   destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-18-cluster
-      #   index: 1
-      #   retentionPolicy: "30d"
-      #   isWALArchiver: false
       # - name: garage-remote
-      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-18-cluster
       #   index: 1
-      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   destinationBucket: postgres-backups
-      #   endpointCredentials: authentik-postgresql-18-cluster-backup-secret-garage
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "30d"
+      #   retentionPolicy: "90d"
       #   data:
       #     compression: bzip2
-      #     jobs: 2
+      # - name: external
+      #   index: 1
+      #   endpointURL: https://nyc3.digitaloceanspaces.com
+      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
+      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
+      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 0 0 * * *"
         backupName: garage-local
-      # - name: daily-backup
-      #   suspend: false
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external
       # - name: weekly-backup
-      #   suspend: false
+      #   suspend: true
       #   immediate: true
       #   schedule: "0 0 4 * * SAT"
       #   backupName: garage-remote
+      # - name: daily-backup
+      #   suspend: true
+      #   immediate: true
+      #   schedule: "0 0 0 * * *"
+      #   backupName: external
 redis-replication:
   existingSecret:
     enabled: false