fix: cluster healthcheck fixes + Authentik upgrade to 2026.2.2

- Authentik: upgrade 2025.10.3 → 2025.12.4 → 2026.2.2 with DB restore and stepped migration. Switch to existingSecret, PgBouncer session mode. - Mailserver: migrate email roundtrip probe from Mailgun to Brevo API - Redis: fix HAProxy tcp-check regex (rstring), faster health intervals - Nextcloud: fix Redis fallback to HAProxy service, update dependency - MeshCentral: fix TLSOffload + certUrl init container for first-run - Monitoring: remove authentik from latency alert exclusion - Diun: simplify to webhook notifier, remove git auto-update [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 06:41:56 +00:00 · 2026-04-15 06:41:56 +00:00 · bd41bb9230
commit bd41bb9230
parent d31bbc9a18
11 changed files with 115 additions and 282 deletions
--- a/docs/architecture/authentication.md
+++ b/docs/architecture/authentication.md
@ -40,8 +40,8 @@ graph TB

 | Component | Version | Location | Purpose |
 |-----------|---------|----------|---------|
-| Authentik Server | Latest | `stacks/authentik/` | Core IdP application servers (3 replicas) |
-| Authentik Worker | Latest | `stacks/authentik/` | Background task processors (3 replicas) |
+| Authentik Server | 2026.2.2 | `stacks/authentik/` | Core IdP application servers (2 replicas) |
+| Authentik Worker | 2026.2.2 | `stacks/authentik/` | Background task processors (2 replicas) |
 | PgBouncer | Latest | `stacks/authentik/` | PostgreSQL connection pooler (3 replicas) |
 | Embedded Outpost | - | Built into Authentik | Forward auth endpoint for Traefik |
 | Traefik ForwardAuth | - | `ingress_factory` module | Middleware for protected ingresses |