From c9c16d18337c48e7c92e88c764690e4a5280255c Mon Sep 17 00:00:00 2001
From: Fred
Date: Thu, 14 May 2026 23:02:10 +0200
Subject: [PATCH] feat(authentik/genmachine): HA reliability improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Scale server and worker to 2 replicas for redundancy
- Add PodDisruptionBudget (minAvailable: 1) for both server and worker
- Set RollingUpdate strategy with maxUnavailable: 0 to prevent downtime during rollouts
- Add soft pod anti-affinity to spread across nodes
- Add topologySpreadConstraints (ScheduleAnyway) for best-effort node distribution
- Set resource requests/limits for server (200m/512Mi → 1/1Gi) and worker (100m/256Mi → 500m/512Mi)
- Remove dead redis subchart config (chart 2026.x has no redis subchart)

Co-Authored-By: Claude Sonnet 4.6
---
 .../genmachine/app/genmachine-values.yaml | 81 ++++++++++++++++---
 1 file changed, 70 insertions(+), 11 deletions(-)

diff --git a/gitops/manifests/authentik/genmachine/app/genmachine-values.yaml b/gitops/manifests/authentik/genmachine/app/genmachine-values.yaml
index 28a5c2521..fee99806e 100644
--- a/gitops/manifests/authentik/genmachine/app/genmachine-values.yaml
+++ b/gitops/manifests/authentik/genmachine/app/genmachine-values.yaml
@@ -60,6 +60,40 @@ authentik: password: file:///pgsql-creds/password server: + replicas: 2 + deploymentStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + pdb: + enabled: true + minAvailable: 1 + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1000m + memory: 1Gi + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: authentik + app.kubernetes.io/component: server + topologyKey: kubernetes.io/hostname + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/name: authentik + app.kubernetes.io/component: server ingress: enabled: true ingressClassName: traefik @@ -78,6 +112,42 @@ authentik: # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` https: false + worker: + replicas: 2 + deploymentStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + pdb: + enabled: true + minAvailable: 1 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: authentik + app.kubernetes.io/component: worker + topologyKey: kubernetes.io/hostname + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/name: authentik + app.kubernetes.io/component: worker + postgresql: enabled: true image: 
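Review bot: The node spreading added under `server.affinity` and `server.topologySpreadConstraints` is entirely best-effort — the anti-affinity term is `preferredDuringSchedulingIgnoredDuringExecution` and the spread constraint is `whenUnsatisfiable: ScheduleAnyway` — so the scheduler may still co-locate both replicas and a single node failure takes the release down regardless of the PDB; the worker hunk has the same shape. If the cluster reliably has two or more schedulable nodes, `whenUnsatisfiable: DoNotSchedule` on the spread constraint (or a required anti-affinity term) would make the redundancy real; otherwise record the limitation next to the block, e.g. `# soft spreading only: both replicas may land on one node`. Both selectors also assume the chart renders `app.kubernetes.io/component: server` (and `worker`) on the pods; if it does not, they match nothing and the constraints are silent no-ops, which is worth confirming against rendered manifests before relying on them. The selector keys on `app.kubernetes.io/name` without `app.kubernetes.io/instance`, so it would also repel pods of any other authentik release in the same namespace, which is probably fine here but worth a comment if more than one release shares it. The `server:` mapping continues past the hunk (ingress and service settings), and the enclosing `authentik:` mapping starts before it.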
@@ -92,14 +162,3 @@ authentik: existingClaim: pvc-authentik-pgsql-data storageClass: proxmox-retain size: 8Gi - redis: - enabled: true - master: - persistence: - enabled: false - sizeLimit: '' - path: /data - storageClass: nfs-csi-delete - accessModes: - - ReadWriteOnce - size: 7Gi