Authentik provides centralized Single Sign-On (SSO) for all homelab services using OpenID Connect (OIDC). Users authenticate once with Authentik and are automatically logged into all connected services.
| Setting | Value |
|---|---|
| Chart | goauthentik.io/authentik v2025.10.3 |
| Namespace | authentik |
| Sync Wave | 10 |
| URL | https://authentik.homelab.vyanh.uk |
| Server Replicas | 1 |
| Worker Replicas | 1 |
| Resources | Requests: 100m / 512Mi, Limits: 1000m / 1Gi |
| Log Level | info |
| Error Reporting | Disabled |

| Setting | Value |
|---|---|
| Sub-chart | Bitnami PostgreSQL |
| Storage | Longhorn, 8Gi |
| Security | runAsUser: 100, runAsGroup: 100 (Bitnami default) |
| Credentials | Vault: kv/authentik/postgresql |

| Service | Client ID | Redirect URI | Admin Group |
|---|---|---|---|
| ArgoCD | argocd | https://argocd.homelab.vyanh.uk/auth/callback | ArgoCD Admins |
| Grafana | grafana | https://grafana.homelab.vyanh.uk/login/generic_oauth | Grafana Admins |
| Harbor | harbor | https://harbor.homelab.vyanh.uk/c/oidc/callback | Harbor Admins |
OIDC providers and applications are configured via Authentik Blueprints — declarative YAML files stored as Kubernetes ConfigMaps and mounted into the Authentik pod at /blueprints/custom/:
Each blueprint defines:
- groups claim (returns the user's group list)

The client secret for each provider is injected as an environment variable from a VaultStaticSecret and referenced in the blueprint YAML using Authentik's !Env tag.
Each OIDC integration requires the client secret to be accessible from two namespaces:
Why two paths? Vault policies are scoped per-namespace (vso-<namespace>-read grants access only to kv/data/<namespace>/*). Authentik can only read from kv/authentik/*, and the target app can only read from its own namespace path.
```bash
# 1. Generate a client secret
SECRET=$(openssl rand -base64 32)
# 2. Store the same value in both Vault paths
vault kv put kv/authentik/myapp-oidc clientSecret="$SECRET"
vault kv put kv/myapp-namespace/oidc clientSecret="$SECRET"
```
| Vault Path | K8s Secret | Keys | Purpose |
|---|---|---|---|
| kv/authentik/secrets | authentik-secrets | secret-key | Cookie signing & encryption |
| kv/authentik/postgresql | authentik-postgresql | password, postgres-password | Database credentials |
| kv/authentik/argocd-oidc | argocd-oidc-client-secret | clientSecret | ArgoCD OIDC (blueprint side) |
| kv/authentik/grafana-oidc | grafana-oidc-client-secret | clientSecret | Grafana OIDC (blueprint side) |
| kv/authentik/harbor-oidc | harbor-oidc-client-secret | clientSecret | Harbor OIDC (blueprint side) |
ArgoCD uses the OIDC groups claim for role-based access control:
```yaml
# argocd-rbac-cm (patched via argocd-bootstrap)
policy.default: role:readonly
policy.csv: |
  g, ArgoCD Admins, role:admin
scopes: '[groups]'
```
Users in the ArgoCD Admins Authentik group get full admin access. All other authenticated users get read-only access.
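As an added worked example (not part of the homelab repo), the following Python resolves which role ArgoCD grants for a given set of ID-token claims under the argocd-rbac-cm settings above. It handles only the `g` group-binding lines (no `p` policy lines), and the claims dicts it is fed are constructed samples; the function and variable names are this example's own.

```python
"""Resolve the effective ArgoCD role(s) for an OIDC user from argocd-rbac-cm."""
import csv
import io

# Constructed copy of the argocd-rbac-cm data block shown above.
RBAC_CM = {
    "policy.default": "role:readonly",
    "policy.csv": "g, ArgoCD Admins, role:admin\n",
    "scopes": "[groups]",
}


def parse_scopes(raw: str) -> list[str]:
    """'[groups, email]' -> ['groups', 'email']; these are the claims consulted for g lines."""
    return [s.strip() for s in raw.strip("[] ").split(",") if s.strip()]


def parse_group_bindings(policy_csv: str) -> dict[str, str]:
    """Map each `g, <subject>, <role>` line to its role; `p` lines and comments are skipped."""
    bindings: dict[str, str] = {}
    for row in csv.reader(io.StringIO(policy_csv), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "g" and len(row) == 3:
            bindings[row[1]] = row[2]
    return bindings


def effective_roles(claims: dict, cm: dict = RBAC_CM) -> list[str]:
    """Return the sorted roles bound to any claim value in the configured scopes.

    Falls back to policy.default when nothing matches, which is also what happens
    if the groups claim is missing from the token or `scopes` does not list it.
    """
    bindings = parse_group_bindings(cm["policy.csv"])
    matched: set[str] = set()
    for scope in parse_scopes(cm["scopes"]):
        value = claims.get(scope)
        subjects = value if isinstance(value, list) else [value]
        matched.update(bindings[s] for s in subjects if s in bindings)
    return sorted(matched) if matched else [cm["policy.default"]]


if __name__ == "__main__":
    # Constructed sample claims as Authentik would emit them in the ID token.
    print(effective_roles({"sub": "alice", "groups": ["ArgoCD Admins"]}))   # ['role:admin']
    print(effective_roles({"sub": "bob", "groups": ["Grafana Admins"]}))    # ['role:readonly']
```

The last case worth checking is `scopes` without `groups`: the same admin user silently drops to read-only, so a group-claim mapping that stops working is usually a scopes problem, not a group-membership one.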