fix: cluster healthcheck fixes + Authentik upgrade to 2026.2.2

- Authentik: upgrade 2025.10.3 → 2025.12.4 → 2026.2.2 with DB restore and stepped migration. Switch to existingSecret, PgBouncer session mode. - Mailserver: migrate email roundtrip probe from Mailgun to Brevo API - Redis: fix HAProxy tcp-check regex (rstring), faster health intervals - Nextcloud: fix Redis fallback to HAProxy service, update dependency - MeshCentral: fix TLSOffload + certUrl init container for first-run - Monitoring: remove authentik from latency alert exclusion - Diun: simplify to webhook notifier, remove git auto-update [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 06:41:56 +00:00 · 2026-04-15 06:41:56 +00:00 · bd41bb9230
commit bd41bb9230
parent d31bbc9a18
11 changed files with 115 additions and 282 deletions
--- a/stacks/authentik/modules/authentik/main.tf
+++ b/stacks/authentik/modules/authentik/main.tf
@ -55,21 +55,23 @@ resource "helm_release" "authentik" {

  repository = "https://charts.goauthentik.io/"
  chart      = "authentik"
-  # version    = "2025.8.1"
-  version = "2025.10.3"
+  # version    = "2025.10.3"
+  # version    = "2025.12.4"
+  version = "2026.2.2"
  atomic  = true
  timeout = 6000

-  values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })]
+  values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })]
 }


 module "ingress" {
-  source          = "../../../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.authentik.metadata[0].name
-  name            = "authentik"
-  service_name    = "goauthentik-server"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.authentik.metadata[0].name
+  name             = "authentik"
+  service_name     = "goauthentik-server"
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Authentik"
@ -84,12 +86,14 @@ module "ingress" {
 }

 module "ingress-outpost" {
-  source          = "../../../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.authentik.metadata[0].name
-  name            = "authentik-outpost"
-  host            = "authentik"
-  service_name    = "ak-outpost-authentik-embedded-outpost"
-  port            = 9000
-  ingress_path    = ["/outpost.goauthentik.io"]
-  tls_secret_name = var.tls_secret_name
+  source           = "../../../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.authentik.metadata[0].name
+  name             = "authentik-outpost"
+  host             = "authentik"
+  service_name     = "ak-outpost-authentik-embedded-outpost"
+  port             = 9000
+  ingress_path     = ["/outpost.goauthentik.io"]
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false
+  exclude_crowdsec = true
 }