authentik: repoint to the SLOW-1a overlay image + un-enroll Keel
All checks were successful
ci/woodpecker/push/default Pipeline was successful

GHA built ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1 (public, verified
anonymously pullable). Point global.image at it (repository + tag pinned
explicitly so neither helm's appVersion default nor Keel can downgrade it — the
2026-06-10 boot-storm class) and remove keel.sh/enrolled from the namespace so
Keel won't auto-bump the custom tag. authentik is now manual-upgrade: bump the
Dockerfile FROM + this tag together on each authentik version bump.

Net effect once rolled: the identification-stage query drops ~1.4s -> ~14ms, so
the cold login-flow first-load stops being slow. (Does NOT affect old-browser
clients — iPadOS<=15/Safari<=15.6 still can't run the SPA; that's unfixable
server-side.) Docs: .claude/CLAUDE.md Authentik row.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-28 10:46:21 +00:00
parent 7ec64ed5ff
commit a1cf7ccaf6
3 changed files with 20 additions and 11 deletions


@ -29,7 +29,12 @@ resource "kubernetes_namespace" "authentik" {
labels = {
tier = var.tier
"resource-governance/custom-quota" = "true"
"keel.sh/enrolled" = "true"
# Keel intentionally NOT enrolled: server+worker run our custom overlay image
# (ghcr.io/viktorbarzin/authentik-server see values.yaml global.image +
# stacks/authentik/Dockerfile). The tag is pinned explicitly and bumped
# manually (rebuild the overlay FROM the new authentik version + repoint), so
# a Keel auto-bump would only risk re-introducing the upstream tag / the
# 2026-06-10 downgrade-boot-storm class. Re-enroll only if the overlay is dropped.
}
}
lifecycle {
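Review bot: the replacement comment in the labels block names only "the 2026-06-10 downgrade-boot-storm class", while the comment being removed from values.yaml in this same commit carried the actual reference, docs/post-mortems/2026-06-10-authentik-downgrade-boot-storm.md; keep that path here so the next person who considers re-enrolling Keel can find the incident write-up without grepping history. Also, the old values.yaml comment describes the workloads as diun-annotated in addition to the namespace being enrolled; dropping the keel.sh/enrolled label is the right gate for this change, but confirm those workload-level annotations are also removed (or documented as inert without the namespace label), otherwise a later re-enrollment of the namespace would silently re-arm auto-bumps on the custom overlay tag.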


@ -145,15 +145,19 @@ server:
global:
addPrometheusAnnotations: true
image:
# Pin to the Keel-managed live tag. Keel (diun-annotated, keel.sh/enrolled
# namespace) bumps the IMAGE between chart releases, while helm defaults
# the tag to the chart appVersion — so any helm upgrade silently
# DOWNGRADES the running pods to the chart pin (2026-06-10: a values-only
# apply rolled live 2026.2.4 back to 2026.2.2 against a 2026.2.4-migrated
# DB → boot storm, see docs/post-mortems/2026-06-10-authentik-downgrade-
# boot-storm.md). Keep this tag in sync with what Keel has deployed when
# touching this chart; clear it only when bumping the chart version itself.
tag: "2026.2.4"
# CUSTOM OVERLAY (SLOW-1a): our thin patch over the official authentik server
# image — see stacks/authentik/Dockerfile (narrows the login-flow
# select_subclasses() query, ~1.4s -> ~14ms). Built by
# .github/workflows/build-authentik.yml to ghcr.io/viktorbarzin/authentik-server
# (public package, anonymous pull — no imagePullSecret needed, like the
# upstream goauthentik image). Keel is NO LONGER enrolled for this namespace
# (see main.tf) so it can't bump/downgrade the tag; helm also defaults the tag
# to the chart appVersion (2026.2.2) — so BOTH repository AND tag are pinned
# explicitly here to prevent the 2026-06-10 downgrade-boot-storm class.
# UPGRADE = bump the Dockerfile FROM tag + this tag together (e.g. ->
# 2026.3.0-patch1), let GHA rebuild, then apply.
repository: ghcr.io/viktorbarzin/authentik-server
tag: "2026.2.4-patch1"
worker:
# 2 replicas: workers handle background tasks (LDAP sync, email,
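Review bot: the pin now depends on two values staying in lockstep by hand, the FROM tag in stacks/authentik/Dockerfile and global.image.tag here ("2026.2.4-patch1"), and the comment itself spells out that an upgrade means bumping both together; with Keel out of the loop there is nothing left that detects drift between them, so consider a small CI check (in .github/workflows/build-authentik.yml or the Woodpecker pipeline) that fails when the values.yaml tag does not match the tag the workflow actually built, and consider recording the built image digest alongside the tag in this comment so the running pods can be verified against the GHA build. Minor: the comment states the chart appVersion default as "(2026.2.2)"; that number will go stale on the next chart bump, so either drop the literal or move it next to the chart version pin where it gets updated.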