Update `.claude/reference/authentik-state.md`:
- Add `ProxyProvider.access_token_validity = "weeks=4"` to the Session
  Duration table with the gotcha that the gorilla session store binds
  the value once at outpost startup (rollout restart needed).
- Replace the "session storage moved to Postgres in 2025.10" note that
  falsely implied the migration was automatic — explain that the
  `Outpost.managed` field gates the postgres path and our outpost
  silently stayed on `FilesystemStore` until 2026-05-10.
- Document the goauthentik 2026.2.2 service-selector bug
  (service.py:52) and the JSON-patch workaround.
- Document that the standalone embedded-outpost deployment needs
  `AUTHENTIK_POSTGRESQL__*` env vars injected via JSON patch, plus the
  `app.kubernetes.io/component=server` pod label.
- Note the "Terraform doesn't expose `Outpost.managed`" assumption
  that holds the `managed=embedded` value in place across applies.

Close out post-mortem `2026-04-18-authentik-outpost-shm-full.md`:
- P2 codify-in-Terraform: DONE.
- P3 access_token_validity reduce: DONE-alt (we did the opposite —
  bumped to 4 weeks — because postgres backend mooted the storage
  concern).
- P3 move-off-embedded-outpost: DONE-alt (postgres backend addresses
  the loss-of-state class on the embedded outpost itself).

| File |
|---|
| .. |
| 2026-03-16-kured-containerd-cascade-outage.html |
| 2026-03-16-nfs-csi-cascade-failure.md |
| 2026-04-14-nfs-fsid0-dns-vault-outage.md |
| 2026-04-14-postmortem-pipeline-test.md |
| 2026-04-18-authentik-outpost-shm-full.md |
| 2026-04-19-registry-orphan-index.md |
| 2026-04-22-vault-raft-leader-deadlock.md |
| 2026-05-09-io-pressure-stale-nfs.md |
| index.html |