[ci skip] Add custom resource quota for authentik namespace

Authentik runs ~10 pods (3 server + 3 worker + 3 pgbouncer + outpost) which exceeds the default tier-1-cluster quota limits. Add custom-quota label to opt out of Kyverno-generated quotas and define a Terraform-managed ResourceQuota with limits appropriate for authentik's workload.
2026-02-21 23:44:05 +00:00 · 2026-02-21 23:44:05 +00:00 · 9841dca9d1
commit 9841dca9d1
parent b242b7586d
1 changed files with 18 additions and 1 deletions
--- a/modules/kubernetes/authentik/main.tf
+++ b/modules/kubernetes/authentik/main.tf
@ -14,7 +14,24 @@ resource "kubernetes_namespace" "authentik" {
  metadata {
    name = "authentik"
    labels = {
-      tier = var.tier
+      tier                                = var.tier
+      "resource-governance/custom-quota" = "true"
+    }
+  }
+}
+
+resource "kubernetes_resource_quota" "authentik" {
+  metadata {
+    name      = "authentik-quota"
+    namespace = kubernetes_namespace.authentik.metadata[0].name
+  }
+  spec {
+    hard = {
+      "requests.cpu"    = "8"
+      "requests.memory" = "8Gi"
+      "limits.cpu"      = "24"
+      "limits.memory"   = "48Gi"
+      pods              = "30"
    }
  }
 }