A homelab engineer shares hard-won lessons from wiring Authentik SSO across Vault, Grafana, Nextcloud, Headlamp, and kubectl on a kubeadm Kubernetes cluster. Key pitfalls covered: hairpin NAT failures requiring internal DNS fixes, cert-manager HTTP-01 challenges silently expiring without port 80, Authentik's default groups scope returning empty due to a stale Django accessor (fix: use ak_groups.all() in a custom property mapping), a Grafana 11.6 regression requiring explicit groups_attribute_path, Nextcloud blocking RFC1918 addresses by default, and kube-apiserver OIDC debugging being nearly opaque at any log level. The post also documents Authentik Helm chart breaking changes (Redis removal, deprecated ingress block) and explains why Headlamp's auth model is really the apiserver's auth model. Practical Terraform snippets are included throughout.
Table of contents

What I started with
The first wall: a network that doesn't loop back
The second wall: certificates without port 80
The biggest gotcha: the empty groups claim
The shape of the whole thing
App by app, the things that bit me
Things that aren't gotchas, but cost me time anyway
What I'd tell past-me
Was it worth it?
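As an added illustration of the two groups-related fixes named in the summary (this is not code from the original post): a Grafana `[auth.generic_oauth]` fragment that names the groups claim explicitly via `groups_attribute_path` and derives the Grafana role from Authentik group membership. The hostname, client credentials and the `grafana-admins` / `grafana-editors` group names are placeholders; the Authentik endpoint paths are the standard ones under `/application/o/`. It assumes the Authentik provider exposes a scope called `groups` backed by a custom property mapping whose expression is `return [group.name for group in request.user.ak_groups.all()]` (the `ak_groups` accessor the summary points to).

```ini
# Added example, not from the original post.
# Placeholders: authentik.example.com, the client secret, and the group names.
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = grafana
client_secret = <client-secret-placeholder>
# "groups" must match the scope name of the custom Authentik property mapping.
scopes = openid profile email groups
auth_url = https://authentik.example.com/application/o/authorize/
token_url = https://authentik.example.com/application/o/token/
api_url = https://authentik.example.com/application/o/userinfo/
# Grafana 11.6 no longer infers where the groups live; point at the claim explicitly.
groups_attribute_path = groups
# JMESPath over the token/userinfo claims: group membership decides the Grafana role.
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor'
# With no trailing fallback role above, users in neither group are denied login
# rather than silently becoming Viewers.
role_attribute_strict = true
```

If the groups claim arrives empty, the role expression evaluates to nothing and `role_attribute_strict = true` turns that into a login failure, which surfaces the empty-claim problem at the Grafana login page instead of hiding it behind a default role.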