From 9841dca9d1e6332dfdd900e58e73489dbc278899 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 21 Feb 2026 23:44:05 +0000
Subject: [PATCH] [ci skip] Add custom resource quota for authentik namespace

Authentik runs ~10 pods (3 server + 3 worker + 3 pgbouncer + outpost) which exceeds the default tier-1-cluster quota limits. Add custom-quota label to opt out of Kyverno-generated quotas and define a Terraform-managed ResourceQuota with limits appropriate for authentik's workload.
---
 modules/kubernetes/authentik/main.tf | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/modules/kubernetes/authentik/main.tf b/modules/kubernetes/authentik/main.tf
index 75ca8deb..0a73e6f3 100644
--- a/modules/kubernetes/authentik/main.tf
+++ b/modules/kubernetes/authentik/main.tf
@@ -14,7 +14,24 @@ resource "kubernetes_namespace" "authentik" {
 metadata {
 name = "authentik"
 labels = {
- tier = var.tier
+ tier = var.tier
+ "resource-governance/custom-quota" = "true"
+ }
+ }
+}
+
+resource "kubernetes_resource_quota" "authentik" {
+ metadata {
+ name = "authentik-quota"
+ namespace = kubernetes_namespace.authentik.metadata[0].name
+ }
+ spec {
+ hard = {
+ "requests.cpu" = "8"
+ "requests.memory" = "8Gi"
+ "limits.cpu" = "24"
+ "limits.memory" = "48Gi"
+ pods = "30"
 }
 }
 }
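Review bot: The new `kubernetes_resource_quota.authentik` puts hard caps on `requests.cpu`, `requests.memory`, `limits.cpu` and `limits.memory`, so Kubernetes will reject any pod in this namespace that omits those fields, and nothing in this hunk supplies defaults. If the Kyverno policy that the `resource-governance/custom-quota` label opts out of also generated the namespace's LimitRange (not visible here), a server, worker, pgbouncer or outpost pod without explicit resources would fail admission on its next restart or rollout, which for the identity provider is an availability risk; either confirm every workload sets both requests and limits, or add a `kubernetes_limit_range` next to the quota. That label is now the only thing exempting the namespace from the cluster-wide quota, so it deserves a comment above it such as `# opts out of Kyverno-generated quota; caps come from kubernetes_resource_quota.authentik`, and it is worth checking who besides Terraform can set it on a namespace. The figures (`limits.memory = "48Gi"` against `requests.memory = "8Gi"`, `pods = "30"` for roughly ten pods per the commit message) carry no rationale in the file; a one-line comment on the intended headroom would let the next reviewer tell deliberate overcommit from a guess.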