Deploy and Host Authentik on Sealos

Authentik is an open-source identity provider and access management platform. This template deploys Authentik with a dedicated worker and managed PostgreSQL backend on Sealos Cloud.

About Hosting Authentik

Authentik provides centralized authentication, single sign-on (SSO), policy-based access control, and identity lifecycle management. It supports modern protocols such as OIDC and SAML, making it suitable for self-hosted applications and internal platforms.

This Sealos template deploys Authentik as a multi-service stack: a primary server for web/API traffic, a background worker for asynchronous tasks, and a PostgreSQL cluster for persistent data. It also provisions HTTPS ingress and persistent volumes for runtime data.

After deployment, you get a public URL with TLS and can complete the initial setup wizard in the browser. Ongoing operations can be managed through Canvas with AI dialog updates or resource-card edits.

Common Use Cases

• Single Sign-On for Internal Tools: Centralize login across internal dashboards and services.
• OIDC/SAML Gateway for Self-Hosted Apps: Add standards-based authentication to apps that support federated login.
• MFA and Passwordless Access: Enforce stronger sign-in policies with multi-factor and modern auth methods.
• Team and Role-Based Access Control: Map users and groups to permissions for SaaS and platform workloads.
• Identity Front Door for Kubernetes Apps: Protect app endpoints with unified authentication and policy controls.

Dependencies for Authentik Hosting

The Sealos template includes all required dependencies: Authentik server, Authentik worker, PostgreSQL database, ingress, and persistent storage.

Deployment Dependencies

• Authentik Documentation - Official documentation and setup guides
• Authentik GitHub Repository - Source code, releases, and issue tracking
• Authentik Providers Guide - Integration guidance for OIDC, SAML, and proxy providers
• Sealos Platform - Deployment and operations environment

Implementation Details

Architecture Components

This template deploys the following resources:

• Authentik Server (StatefulSet): Runs ghcr.io/goauthentik/server:2025.12.3 with server mode, serves web UI/API on port 9000, and exposes 9443 internally.
• Authentik Worker (StatefulSet): Runs the same image in worker mode to process background and scheduled jobs.
• PostgreSQL Cluster (KubeBlocks): Provisions PostgreSQL 16.4.0 with persistent storage and secret-based credentials.
• PostgreSQL Init Job: Waits for database readiness, then creates the authentik database if it does not exist.
• Service + Ingress: Exposes Authentik through HTTPS with automatic TLS certificate integration on Sealos.
• App Resource: Publishes the access URL into the Sealos app card for quick entry from Canvas.

Default Resources and Storage

Configuration

At deploy time, the template uses these primary parameters:

• app_host: Public hostname prefix used by Ingress.
• app_name: Resource naming prefix for this deployment.
• authentik_secret_key: Runtime secret key (auto-generated by default).

Database host, port, username, and password are injected from generated Kubernetes secrets. The Authentik server and worker both use the same PostgreSQL backend and secret key for consistent runtime behavior.

License Information

Authentik is open source with upstream licensing terms maintained by the project. Refer to the Authentik LICENSE for current details.

Why Deploy Authentik on Sealos?

Sealos is an AI-assisted Cloud Operating System built on Kubernetes that simplifies application delivery from deployment to operations. By deploying Authentik on Sealos, you get:

• One-Click Deployment: Launch a multi-service identity stack without manual Kubernetes manifests.
• Managed Database Provisioning: PostgreSQL is created, wired, and initialized automatically.
• Easy Customization: Adjust environment variables, storage, and compute resources from Canvas dialogs.
• Secure Public Access: Automatic HTTPS ingress with managed certificate integration.
• Persistent Storage Included: Durable volumes keep identity and configuration data across restarts.
• Pay-as-You-Go Efficiency: Scale resources based on workload without long-term overprovisioning.
• AI-Assisted Operations: Use AI dialog updates for post-deployment adjustments.

Deploy Authentik on Sealos and focus on identity architecture instead of infrastructure plumbing.

Deployment Guide

1. Open the Authentik template and click Deploy Now.
2. Configure deployment parameters:
   • App Host: Public domain prefix.
   • App Name: Deployment resource prefix.
   • Authentik Secret Key: Keep default generated value or provide your own strong secret.
3. Wait for deployment to complete (typically 2-3 minutes). After deployment, you will be redirected to Canvas. For later changes, describe your requirements in the dialog to let AI apply updates, or click relevant resource cards to modify settings.
4. Open the generated URL and complete the Authentik initial setup flow to create your first administrator account.

Configuration

After deployment, you can configure Authentik through:

• AI Dialog: Request changes in plain language and let AI apply updates.
• Resource Cards: Adjust StatefulSet resources, environment variables, and storage from Canvas.
• Authentik Admin UI: Manage providers, applications, flows, policies, groups, and branding.

Typical post-deploy setup tasks include:

1. Create your first admin account in the initial setup wizard.
2. Configure external identity sources (if needed).
3. Add OIDC/SAML providers and map applications.
4. Enable MFA policies for privileged users.

Scaling

To scale runtime capacity:

1. Open the deployment in Canvas.
2. Select the server or worker StatefulSet resource card.
3. Increase CPU and memory resources as needed.
4. Apply and verify readiness probes return healthy.

For most installations, vertical scaling is the first step. If you need horizontal scale, adjust architecture settings based on your workload and upstream Authentik guidance.

Troubleshooting

Common Issues

Issue: Initial setup page is unavailable

• Cause: Server container is still starting or dependencies are not ready.
• Solution: Wait until the Authentik server probe status is healthy, then refresh the public URL.

Issue: Database connection errors on startup

• Cause: PostgreSQL is not ready or the init job has not completed.
• Solution: Check PostgreSQL cluster status and verify the init job completed successfully before restarting Authentik pods.

Issue: Worker reports healthcheck failures

• Cause: Secret mismatch or temporary backend connectivity issues.
• Solution: Confirm server and worker share the same AUTHENTIK_SECRET_KEY and PostgreSQL credentials, then restart the worker pod.

Issue: Cannot reach Authentik over HTTPS

• Cause: Ingress or certificate provisioning still in progress.
• Solution: Verify ingress host configuration and wait for TLS certificate readiness in Sealos.

Getting Help

• Authentik Documentation
• Authentik GitHub Issues
• Sealos Discord

Additional Resources

• Authentik User Guides
• Authentik Release Notes
• Sealos Documentation

License

This Sealos template follows repository licensing terms. Authentik itself follows upstream licensing; refer to the official repository for current license details.