Ensure Authentik works in IPv6 only environments

[telmich]

The helm chart currently has:

            - name: AUTHENTIK_LISTEN__HTTP
              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.http | quote }}
            - name: AUTHENTIK_LISTEN__HTTPS
              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.https | quote }}
            - name: AUTHENTIK_LISTEN__METRICS
              value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.metrics | quote }}

(in deployment.yaml, lines 77+)

The 0.0.0.0 hardcodes IPv4 listeners, which do not work in an IPv6 only enviroment.

I suggest to do the following:

• add server.bindAddress in values
• Set it to 0.0.0.0 by default

That way it can be overwritten from the outside, but behaviour stays as it at the moment.

Adding for completeness: I'd expect authentik two work with server.bindAddress=[::]. I will test it in the next days.

[telmich]

For the worker, I was actually able to override it manually:

        worker:
          env:
            - name: AUTHENTIK_LISTEN__HTTP
              value: '[::]:9000'
            - name: AUTHENTIK_LISTEN__METRICS
              value: '[::]:9300'

Not the best way, but at least possible.

Meanwhile, it seems that authentik does not resolve the hostname of postgres via IPv6.

Using

        authentik:
          secret_key: "Thisshouldreallynotbehere"
          postresql:
            name: 'app'
            host: "authentik-1-postgresql-rw"
            user: file:///postgres-secret/user
            password: file:///postgres-secret/password

The worker and authentik server are logging:

{"event": "PostgreSQL connection failed, retrying... ([Errno -2] Name or service not known)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767435152.369229}
{"event": "PostgreSQL connection failed, retrying... ([Errno -2] Name or service not known)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767435153.3728411}
{"event": "PostgreSQL connection failed, retrying... ([Errno -2] Name or service not known)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767435154.3753035}
{"event": "PostgreSQL connection failed, retrying... ([Errno -2] Name or service not known)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767435155.377485}
{"event": "PostgreSQL connection failed, retrying... ([Errno -2] Name or service not known)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767435156.3800993}

While there is a service deployed matching the hostname:

vm2:~# kubectl -n authentik get svc
NAME                        TYPE        CLUSTER-IP                     EXTERNAL-IP   PORT(S)          AGE
authentik-1-postgresql-r    ClusterIP   2a0a:4cc0:c0:46d9:bbbb::2a56   <none>        5432/TCP         10h
authentik-1-postgresql-ro   ClusterIP   2a0a:4cc0:c0:46d9:bbbb::f5c1   <none>        5432/TCP         10h
authentik-1-postgresql-rw   ClusterIP   2a0a:4cc0:c0:46d9:bbbb::b68a   <none>        5432/TCP         10h
authentik-k-server          ClusterIP   2a0a:4cc0:c0:46d9:bbbb::4739   <none>        80/TCP,443/TCP   10h
vm2:~# 

[rissson]

0.0.0.0 is actually parsed as *. We have authentik running in both ipv6-only and dualstack clusters w/o any issue nor changes to the default configuration

[rissson]

We've removed that in 2026.5