domain-incoming/share/authentik/authentik_workers.tf
2024-05-23 13:21:16 +02:00


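# Deployment running the authentik image with the "worker" argument.
#
# - No `replicas` field is set; the HorizontalPodAutoscaler declared in this
#   file targets this Deployment and owns the replica count.
# - The two reloader.stakater.com annotations name the ConfigMap and Secret
#   whose changes should trigger a rolling restart (requires Stakater Reloader
#   in the cluster -- presumably installed elsewhere; confirm).
# - AUTHENTIK_POSTGRESQL__PASSWORD is read from the Secret
#   "<instance>-<component>-pg-app", key "password". That Secret is not created
#   in this file -- presumably generated by the PostgreSQL operator; confirm.
# - Every interpolated scalar is quoted so that a value that looks like a
#   boolean, number or null (for example a namespace called "on" or "123")
#   is still parsed as a string by the YAML loader.
#
# NOTE(review), hardening:
# - Neither the pod nor the container declares a securityContext, so the
#   workload runs with the image and cluster defaults. Consider
#   runAsNonRoot: true, allowPrivilegeEscalation: false,
#   capabilities.drop: ["ALL"] and seccompProfile.type: RuntimeDefault once
#   confirmed that the worker starts correctly under them.
# - `resources: {}` sets no requests or limits. The HPA in this file uses a
#   CPU `Utilization` target, which Kubernetes computes against the container's
#   CPU request; without a request the metric cannot be evaluated. An unbounded
#   container can also starve other pods on the node. Sizing values are not
#   visible here, so they are left for the operator to supply.
# - The image is referenced by tag; pinning by digest would make the deployed
#   artifact immutable -- confirm what var.images.app.tag carries.
resource "kubectl_manifest" "Deployment_worker" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}-worker"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.worker_all_labels)}
      annotations:
        configmap.reloader.stakater.com/reload: "${kubectl_manifest.cm.name}"
        secret.reloader.stakater.com/reload: "${kubectl_manifest.authentik_secret.name}"
    spec:
      revisionHistoryLimit: 3
      selector:
        matchLabels: ${jsonencode(local.worker_labels)}
      template:
        metadata:
          labels: ${jsonencode(local.worker_labels)}
          annotations: {}
        spec:
          serviceAccountName: "${kubectl_manifest.sa.name}"
          terminationGracePeriodSeconds: 30
          affinity:
            podAntiAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  podAffinityTerm:
                    labelSelector:
                      matchLabels: ${jsonencode(local.worker_labels)}
                    topologyKey: kubernetes.io/hostname
          enableServiceLinks: true
          containers:
            - name: worker
              image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
              imagePullPolicy: "${var.images.app.pull_policy}"
              args: ["worker"]
              env:
                - name: AUTHENTIK_POSTGRESQL__PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: "${var.instance}-${var.component}-pg-app"
                      key: password
              envFrom:
                - configMapRef:
                    name: "${kubectl_manifest.cm.name}"
                - secretRef:
                    name: "${kubectl_manifest.authentik_secret.name}"
              livenessProbe:
                exec:
                  command: ["ak", "healthcheck"]
                failureThreshold: 3
                initialDelaySeconds: 5
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 1
              readinessProbe:
                exec:
                  command: ["ak", "healthcheck"]
                failureThreshold: 3
                initialDelaySeconds: 5
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 1
              startupProbe:
                exec:
                  command: ["ak", "healthcheck"]
                failureThreshold: 60
                initialDelaySeconds: 30
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 1
              resources: {}
  EOF
}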
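# PodDisruptionBudget for the worker pods, named after the worker Deployment
# and selecting the same pod labels (local.worker_labels).
#
# Interpolated name and namespace are quoted so a value that looks like a
# boolean, number or null is still parsed as a string by the YAML loader.
#
# NOTE(review): `minAvailable: 0` never blocks a voluntary eviction, so this
# budget gives the workers no protection during node drains or upgrades.
# Possibly intentional so drains are not blocked while the HPA sits at
# minReplicas 1 -- confirm, and raise it if worker availability matters.
resource "kubectl_manifest" "PodDisruptionBudget_authentik-worker" {
  yaml_body = <<-EOF
    apiVersion: policy/v1
    kind: PodDisruptionBudget
    metadata:
      name: "${kubectl_manifest.Deployment_worker.name}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.worker_all_labels)}
    spec:
      minAvailable: 0
      selector:
        matchLabels: ${jsonencode(local.worker_labels)}
  EOF
}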
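# HorizontalPodAutoscaler that scales the worker Deployment between 1 and 5
# replicas, targeting 50% average CPU utilization.
#
# Interpolated names and the namespace are quoted so a value that looks like a
# boolean, number or null is still parsed as a string by the YAML loader.
#
# NOTE(review): a `Utilization` target is a percentage of the CPU *request* of
# the target pods' containers. The worker Deployment in this file declares
# `resources: {}`, so there is no request to measure against and the
# autoscaler cannot compute this metric until a CPU request is set there.
# maxReplicas also bounds how far a CPU-heavy load can scale the workers out.
resource "kubectl_manifest" "HorizontalPodAutoscaler_authentik-worker" {
  yaml_body = <<-EOF
    apiVersion: autoscaling/v2
    kind: HorizontalPodAutoscaler
    metadata:
      name: "${kubectl_manifest.Deployment_worker.name}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.worker_all_labels)}
    spec:
      scaleTargetRef:
        apiVersion: apps/v1
        kind: Deployment
        name: "${kubectl_manifest.Deployment_worker.name}"
      minReplicas: 1
      maxReplicas: 5
      metrics:
        - type: Resource
          resource:
            name: cpu
            target:
              type: Utilization
              averageUtilization: 50
  EOF
}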