From 4bf3f504eac283c599bde7ac1a9a798e6d611b75 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 17 Jun 2026 07:13:53 +0000
Subject: [PATCH] fix(authentik): SMTP host = mail.viktorbarzin.me (svc name fails wildcard-cert verify)

The in-cluster svc name mailserver.mailserver.svc.cluster.local fails Authentik's strict STARTTLS hostname verification (CERTIFICATE_VERIFY_FAILED): the mailserver serves the *.viktorbarzin.me wildcard cert, which doesn't cover the svc DNS name. Use the public name mail.viktorbarzin.me, which resolves in-cluster (10.0.20.1) and matches the cert. Verified end-to-end from an authentik pod (verified TLS + SASL auth + send) before this change.

Co-Authored-By: Claude Opus 4.8
---
 .../authentik/modules/authentik/values.yaml | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/stacks/authentik/modules/authentik/values.yaml b/stacks/authentik/modules/authentik/values.yaml
index 954f4661..bfe755cd 100644
--- a/stacks/authentik/modules/authentik/values.yaml
+++ b/stacks/authentik/modules/authentik/values.yaml
@@ -47,13 +47,19 @@ server:
 value: "1800"
 - name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
 value: "900"
- # SMTP for signup verification + recovery email (tripit ADR-0020): send via
- # the in-cluster mailserver as noreply@viktorbarzin.me (SASL, 587/STARTTLS);
- # password from the authentik-email ExternalSecret (Vault
- # secret/authentik.smtp_password). Set on server AND worker — the worker
- # runs the email tasks, the server validates the Email stage config.
+ # SMTP for signup verification + recovery email (tripit ADR-0020): send as
+ # noreply@viktorbarzin.me (SASL, 587/STARTTLS); password from the
+ # authentik-email ExternalSecret (Vault secret/authentik.smtp_password). Set
+ # on server AND worker — the worker runs the email tasks, the server
+ # validates the Email stage config.
+ # HOST is the PUBLIC name mail.viktorbarzin.me, NOT the in-cluster svc
+ # (mailserver.mailserver.svc): the mailserver serves the *.viktorbarzin.me
+ # wildcard cert, which does not cover the svc DNS name, and Authentik
+ # verifies the STARTTLS hostname strictly (unlike most of our apps' SMTP
+ # clients) — the svc name fails CERTIFICATE_VERIFY_FAILED. mail.viktorbarzin.me
+ # resolves in-cluster (10.0.20.1) and matches the cert.
 - name: AUTHENTIK_EMAIL__HOST
- value: "mailserver.mailserver.svc.cluster.local"
+ value: "mail.viktorbarzin.me"
 - name: AUTHENTIK_EMAIL__PORT
 value: "587"
 - name: AUTHENTIK_EMAIL__USE_TLS
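Review bot: The rationale comment added above AUTHENTIK_EMAIL__HOST records the resolved address `10.0.20.1` as a fact, which is the kind of detail that goes stale while the comment stays, and it is the only place in the file that captures the assumption this fix depends on — that in-cluster DNS keeps answering `mail.viktorbarzin.me` with an internal address rather than the public one. If that resolution changes, Authentik would still verify the certificate and authenticate, but mail would presumably leave the cluster via the public path, and nothing in this file would flag it. I would drop the literal IP and state the invariant a maintainer must keep, e.g. `# HOST must stay a name the mailserver cert covers (Authentik verifies the STARTTLS hostname, so the svc name fails) and must resolve to the in-cluster mailserver; check both before changing HOST or USE_TLS.`. The worker hunk below points back to this comment, so this is the single place to get it right; the enclosing server env list continues outside the hunk.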
@@ -141,11 +147,12 @@ worker:
 value: "1800"
 - name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
 value: "900"
- # SMTP (same as server.env) — the worker runs Authentik's email tasks, so it
- # needs the transport too (tripit ADR-0020). noreply@viktorbarzin.me via the
- # in-cluster mailserver; password from the authentik-email ExternalSecret.
+ # SMTP (same as server.env, incl. the mail.viktorbarzin.me-not-svc-name cert
+ # reason) — the worker runs Authentik's email tasks, so it needs the
+ # transport too (tripit ADR-0020). noreply@viktorbarzin.me; password from the
+ # authentik-email ExternalSecret.
 - name: AUTHENTIK_EMAIL__HOST
- value: "mailserver.mailserver.svc.cluster.local"
+ value: "mail.viktorbarzin.me"
 - name: AUTHENTIK_EMAIL__PORT
 value: "587"
 - name: AUTHENTIK_EMAIL__USE_TLS
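Review bot: The worker comment's cross-reference `incl. the mail.viktorbarzin.me-not-svc-name cert reason` is hard to parse and does not say what a maintainer actually has to preserve here, which — per the hunk's own wording — is that the server validates the Email stage against its AUTHENTIK_EMAIL__* copy while the worker sends with this one, so any drift between the two lists only surfaces as a failed send. I would make that requirement the first line of the comment, e.g. `# SMTP — keep every AUTHENTIK_EMAIL__* entry identical to server.env: the server validates the Email stage against its copy, the worker sends with this one, so a mismatch only shows up as a failed send. See server.env for why HOST is mail.viktorbarzin.me and not the svc name.`. The surrounding worker env list continues outside the hunk, so I cannot confirm the remaining AUTHENTIK_EMAIL__* entries still match the server block after this change.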