authentik: speed up first-time signin (single-screen login, live env tuning, asset caching, outpost+nginx hot path)

Viktor asked to review Authentik and the web tier and make first-time
signin to apps faster. Review found the slowness is screens and round
trips, not server time. Changes:

- values.yaml: the authentik.* Helm values (gunicorn workers, cache
  timeouts, conn_max_age) were silently INERT because existingSecret
  skips chart env rendering — pods ran defaults (2 workers, 300s
  caches, no persistent DB conns). Moved all tuning into
  server.env/worker.env, which actually reaches the pods.
- authentik_provider.tf: adopt the identification stage and pin
  password_stage so username+password render on ONE screen (the
  separate order-20 password binding is deleted via API — authentik
  requires that when embedding). Outpost log_level trace->info and
  1->2 replicas (it is on the hot path of every forward-auth request;
  PG-backed sessions make 2 replicas safe).
- authentik module: /static ingress carve-out with immutable
  Cache-Control (assets are version-fingerprinted but served with no
  max-age — internal split-horizon users got zero caching).
- traefik auth-proxy nginx: upstream keepalive 32 + HTTP/1.1 (was
  opening a fresh TCP connection to the outpost per subrequest) +
  config-checksum annotation so config changes roll the pods.
- docs: authentication.md + authentik-state.md updated; fixed stale
  'postgresql.dbaas has no endpoints' claim in CLAUDE.md/CONTEXT.md
  (it is a live CNPG primary-selector compatibility service).

Done via API in the same change (UI-managed objects): 6 OIDC providers
(Vault, Forgejo, Immich, Headscale, linkwarden, Cloudflare Access)
switched from explicit to implicit consent — all first-party, the
4-weekly consent screen only slowed first-time signin.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-06-10 21:58:10 +00:00
parent 93ba67c84a
commit 97ccdbecb8
8 changed files with 232 additions and 55 deletions

@ -720,6 +720,11 @@ resource "kubernetes_config_map" "auth_proxy_config" {
"default.conf" = <<-EOT
upstream authentik {
server ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000;
# Reuse connections to the outpost. Without this every forward-auth
# subrequest (= every request to every auth="required" ingress) opens
# a fresh TCP connection. Requires HTTP/1.1 + cleared Connection
# header on the proxy_pass locations below.
keepalive 32;
}
server {
listen 9000;
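Review bot: the `keepalive 32` directive in the `upstream authentik` block caps idle connections per nginx worker process, not globally, so with more than one worker the outpost sees up to 32 × workers idle connections; worth stating in the comment, and worth bounding their lifetime with `keepalive_timeout` (and optionally `keepalive_requests`) in the same block, otherwise nginx can reuse a connection the outpost has already closed on its side and surface a spurious 502 on the forward-auth path. The comment also says the HTTP/1.1 + cleared `Connection` header pair is "required on the proxy_pass locations below": since any `proxy_pass http://authentik` location that lacks the pair silently falls back to a new connection per request, consider moving `proxy_http_version 1.1;` to the `server` level so only the per-location `Connection` override remains to audit.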
@ -734,6 +739,8 @@ resource "kubernetes_config_map" "auth_proxy_config" {
location /outpost.goauthentik.io/auth/traefik {
proxy_pass http://authentik;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_connect_timeout 3s;
proxy_read_timeout 5s;
proxy_send_timeout 5s;
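Review bot: adding `proxy_set_header Connection "";` to the `/outpost.goauthentik.io/auth/traefik` location switches off inheritance of every `proxy_set_header` from the enclosing `server` block (nginx inherits them only when the current level defines none). The visible lines of this location set no `Host` or `X-Forwarded-*` headers, so if those were previously inherited from the server level, the outpost now receives the forward-auth subrequest without the host and original-URI information it makes its allow/deny decision on. Please confirm the full location still sets them explicitly, or add them next to the `Connection` line.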
@ -764,6 +771,8 @@ resource "kubernetes_config_map" "auth_proxy_config" {
location /outpost.goauthentik.io/ {
proxy_pass http://authentik;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_connect_timeout 3s;
proxy_read_timeout 10s;
proxy_set_header Host $host;
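Review bot: this `/outpost.goauthentik.io/` location already declares `proxy_set_header Host $host;` at its own level, so the inheritance concern does not apply here, but the same three-directive keepalive block is now duplicated across two locations with different timeouts (`proxy_read_timeout 10s` here vs `5s` on the forward-auth location). A one-line comment on why the outpost's own endpoints (login flow, callbacks) get the longer read timeout while the per-request auth check stays short would save the next reader from "harmonising" them.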
@ -820,6 +829,11 @@ resource "kubernetes_deployment" "auth_proxy" {
labels = {
app = "auth-proxy"
}
annotations = {
# nginx only reads its config at startup roll the pods whenever
# the ConfigMap content changes.
"checksum/auth-proxy-config" = sha1(kubernetes_config_map.auth_proxy_config.data["default.conf"])
}
}
spec {
topology_spread_constraint {
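Review bot: the comment on the checksum annotation is missing a separator ("at startup roll the pods" reads as one clause); suggest `# nginx only reads its config at startup; roll the pods whenever` or a colon. On the logic: the annotation only triggers a rollout if it lives in `spec.template.metadata`, not in the Deployment's own `metadata`. The surrounding context (`spec { topology_spread_constraint {` directly after this block) indicates it is on the pod template, which is correct; a brief comment saying so would prevent a future refactor from moving it up a level, where the checksum would change without any pod restarting. `sha1()` is fine for change detection since nothing here relies on it for integrity.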