apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: "authentik"
  labels:
    helm.sh/chart: "authentik-2026.5.0"
    app.kubernetes.io/name: "authentik"
    app.kubernetes.io/instance: "authentik"
    app.kubernetes.io/component: "worker"
    app.kubernetes.io/managed-by: "Helm"
    app.kubernetes.io/part-of: "authentik"
    app.kubernetes.io/version: "2026.5.0"
spec:
  replicas: 2
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: "authentik"
      app.kubernetes.io/instance: "authentik"
      app.kubernetes.io/component: "worker"
  template:
    metadata:
      labels:
        helm.sh/chart: "authentik-2026.5.0"
        app.kubernetes.io/name: "authentik"
        app.kubernetes.io/instance: "authentik"
        app.kubernetes.io/component: "worker"
        app.kubernetes.io/managed-by: "Helm"
        app.kubernetes.io/part-of: "authentik"
        app.kubernetes.io/version: "2026.5.0"
      annotations:
        checksum/secret: cc1c7eca2c3060a0e4a9c705a21e11c57f0a477f6f83775a44ec124f97686d47
    spec:
      serviceAccountName: authentik
      terminationGracePeriodSeconds: 30
      containers:
        - name: worker
          image: ghcr.io/goauthentik/server:2026.5.0
          imagePullPolicy: IfNotPresent
          args:
            - worker
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: key
                  name: authentik-key
            - name: AUTHENTIK_POSTGRESQL__HOST
              valueFrom:
                secretKeyRef:
                  key: host
                  name: authentik-postgresql-18-cluster-app
            - name: AUTHENTIK_POSTGRESQL__NAME
              valueFrom:
                secretKeyRef:
                  key: dbname
                  name: authentik-postgresql-18-cluster-app
            - name: AUTHENTIK_POSTGRESQL__USER
              valueFrom:
                secretKeyRef:
                  key: user
                  name: authentik-postgresql-18-cluster-app
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: authentik-postgresql-18-cluster-app
          envFrom:
            - secretRef:
                name: authentik
          ports:
            - name: http
              containerPort: 9000
              protocol: TCP
            - name: metrics
              containerPort: 9300
              protocol: TCP
          livenessProbe:
            exec:
              command:
                - ak
                - healthcheck
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 3
          readinessProbe:
            exec:
              command:
                - ak
                - healthcheck
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 3
          startupProbe:
            exec:
              command:
                - ak
                - healthcheck
            failureThreshold: 60
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 3
          resources:
            requests:
              cpu: 80m
              memory: 650Mi
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: "authentik"
                    app.kubernetes.io/instance: "authentik"
                    app.kubernetes.io/component: "worker"
                topologyKey: kubernetes.io/hostname
      enableServiceLinks: true