Authentik Kubernetes and Docker swarm setup

This one is going to be a little bit tricky. Authentik’s docs are out of date and a lot of people did this kind of crazy, and I was not able to find a working config from a single source. I’ll try my best to give you a fully working config with Authentik and a sample of how to set up one proxy with an Arr service. I did do my setup with Traefik and will post a setup guide for that later. If you don’t have traefik, all you need to change is the redirect middleware. One thing to note, I will not have a working postgres and redis server for you. I’m running with the assumption that you will provide your own

Docker Swarm#

I am a firm believer that CPU should be left to unlimited on every service that is meant to run 24/7 and that you should limit your memory to prevent OOM issues. Your memory limit should never exceed your requests limit. This is set up with traefik on a traefik network I named “traefik-public”. My certresolver is a lets encrypt resolver I named le. I also use loki for logging. If you want to deploy just the image without traefik and loki, you can delete all of those lines as well as update the volumes section. You can go lighter on the resource allocations if you like

version: "3.9"
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2023.10
    command: server
    deploy:
      resources:
        reservations:
          memory: 1G
        limits:
          memory: 1G
      labels:
      # Traefik Config
      - traefik.enable=true
      - traefik.docker.network=traefik-public
      - traefik.constraint-label=traefik-public
      # HTTPS Rules
      - traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)
      - traefik.http.routers.authentik.entrypoints=https
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=le
      # Services
      - traefik.http.services.authentik.loadbalancer.server.port=9000
    networks:
    - traefik-public
    - databases
    secrets:
    - authentik-secret
    environment:
      AUTHENTIK_SECRET_KEY: /run/secrets/authentik-secret
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: $PGPASS

  authentik-worker:
    image: ghcr.io/goauthentik/server:2023.10
    command: worker
    deploy:
      resources:
        reservations:
          memory: 1G
        limits:
          memory: 1G
    environment:
      AUTHENTIK_SECRET_KEY: /run/secrets/authentik-secret
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: $PGPASS
    user: root
    secrets:
    - authentik-secret
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock

secrets:
  pg-authentik-password:
    external: true
  authentik-secret:
    external: true
networks:
  traefik-public:
    external: true

This will create an authentik worker and server. Note the name authentik-server, for our traefik middleware we need to use the exact name that’s shown here. For your traefik server or whatever server you use to expose your sites, add a config similar to this. With this example this config for traefik will work without any modifications

http:
  routers:
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
        - X-authentik-username
        - X-authentik-groups
        - X-authentik-email
        - X-authentik-name
        - X-authentik-uid
        - X-authentik-jwt
        - X-authentik-meta-jwks
        - X-authentik-meta-outpost
        - X-authentik-meta-provider
        - X-authentik-meta-app
        - X-authentik-meta-version
        - authorization

In your traefik command key for your swarm deployment add this command

—providers.file.filename=/etc/traefik/config.yaml # path to the file that you saved the above config for the forward auth

Kubernetes#

The helm chart does simplify this for us quite a bit and will give us a redis and postgres server to use

# values/authentik.yaml
resources:
server:
  limits:
    memory: 1Gi
  requests:
    memory: 1Gi
worker:
  limits:
    memory: 512Mi
  requests:
    memory: 512Mi

image:
repository: ghcr.io/goauthentik/server
tag: "2023.10"
pullPolicy: Always
ingress:
annotations:
  cert-manager.io/cluster-issuer: le-prod # your cert manager or w/e issuier you use
  kubernetes.io/ingress.class: traefik # traefik or nginx most likely
  traefik.ingress.kubernetes.io/router.entrypoints: websecure
  traefik.ingress.kubernetes.io/router.tls: "true"
ingressClassName: traefik # traefik or nginx most likely
enabled: true
tls:
  - hosts:
    - auth.mydomain.com
    secretName: authentik-tls
hosts:
  # Specify external host name
  - host: auth.mydomain.com
    paths:
      - path: "/"
        pathType: Prefix

All that’s left is to install with helm

helm repo add authentik https://charts.goauthentik.io
helm repo update
helm upgrade --install authentik authentik/authentik --values=.\values\authentik.yaml -n YOUR_NAMESPACE

Your first Authentik Provider#

go to https://auth.mydomain.com or expose the service port and visit it directly. Adding a new service to authentik against is a 3 step process. Step one, create a provider.

In our case lets do sonarr.

Name: Sonarr
Authentication Flow: default
Authorization Flow: Explicit to have the user confirm that they want to log in, implicit to have a user login without a prompt.
Chose forward auth: external host = https://sonarr.mydomain.com
Open advanced protocol and then add this under Unauthenticated paths. Its a general catch all to not have common api paths not blocked by authentik

^/graphql/.*
^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*
^/feed.*

Under Authentication Settings under HTTPS-Base Username and Password Key, add in app_username and app_password like this. We will go into more detail later

Once you create this we need to associate it with an application. Create a new application and call it Sonarr

You should then see a button to link your application to your sonarr provider. Once you link it go to outposts. The outposts will allow us to attach this provider to the list of sites we can authenticate against. Edit the outposts and then make sure Sonarr is highlighted and then hit update

Final step#

I did say it was 3 parts but there is one last step that needs to be done once. In order for you to use some of the Arr services you do need a username and password. If you already have one and are using the form based login option awesome! If you not do this real quick

Go to your Sonarr settings -> General
Under Security -> Authentication make sure its Basic (Browser Popup)
Autnetication Required = enabled
Add a username and password

To make your life easier, make all of your Arr apps the same one. You can make it a difficult password since Authentik will be passing it in with our requests so we don’t have to remember it after the initial setup.

Back to Authentik

Go to Directory -> Groups and create a group. I named my Servarr Users
Once created click edit under the roles section
Under attributes add our app_username and app_password

Finally go to Users and add your user that you want to use to this group. Anyone you want to give Sonarr or Arr access to needs to have this group attached to them

Closing#

This is a bit rushed, feel free to email me if you get stuck. This literally took me days to a full week or two to get it dialed in exactly how I like to because the docs for authentik were so outdated