*: remove Redis leftovers (#17146)

* *: remove Redis leftovers Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * more removal Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix leftover Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more removal Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * fix broken anchor Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> * re-add redis for previous version migrations Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-06-17 19:09:11 +03:00 · 2025-10-11 01:46:53 +02:00
parent 7dbdb4c613
commit 23357f45e9
28 changed files with 21 additions and 318 deletions
@@ -209,7 +209,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker compose pull -q
          docker compose up --no-start
-          docker compose start postgresql redis
+          docker compose start postgresql
          docker compose run -u root server test-all
  sentry-release:
    needs:
@@ -72,7 +72,7 @@ unittest.xml

 # Translations
 # Have to include binary mo files as they are annoying to compile at build time
-# since a full postgres and redis instance are required
+# since a full postgres instance is required
 # *.mo

 # Django stuff:
@@ -16,7 +16,6 @@ GEN_API_GO = gen-go-api
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
-redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)

 UNAME := $(shell uname)

@@ -107,7 +106,6 @@ dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall

 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -56,7 +56,6 @@ class ConfigSerializer(PassiveSerializer):
    cache_timeout = IntegerField(required=True)
    cache_timeout_flows = IntegerField(required=True)
    cache_timeout_policies = IntegerField(required=True)
-    cache_timeout_reputation = IntegerField(required=True)


 class ConfigView(APIView):
@@ -103,7 +102,6 @@ class ConfigView(APIView):
                "cache_timeout": CONFIG.get_int("cache.timeout"),
                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
            }
        )

@@ -15,7 +15,7 @@ from pathlib import Path
 from sys import argv, stderr
 from time import time
 from typing import Any
-from urllib.parse import quote_plus, urlparse
+from urllib.parse import urlparse

 import yaml
 from django.conf import ImproperlyConfigured
@@ -28,24 +28,10 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")

-REDIS_ENV_KEYS = [
-    f"{ENV_PREFIX}_REDIS__HOST",
-    f"{ENV_PREFIX}_REDIS__PORT",
-    f"{ENV_PREFIX}_REDIS__DB",
-    f"{ENV_PREFIX}_REDIS__USERNAME",
-    f"{ENV_PREFIX}_REDIS__PASSWORD",
-    f"{ENV_PREFIX}_REDIS__TLS",
-    f"{ENV_PREFIX}_REDIS__TLS_REQS",
-]
-
 # Old key -> new key
 DEPRECATIONS = {
    "geoip": "events.context_processors.geoip",
    "worker.concurrency": "worker.threads",
-    "redis.cache_timeout": "cache.timeout",
-    "redis.cache_timeout_flows": "cache.timeout_flows",
-    "redis.cache_timeout_policies": "cache.timeout_policies",
-    "redis.cache_timeout_reputation": "cache.timeout_reputation",
 }


@@ -332,26 +318,6 @@ class ConfigLoader:
 CONFIG = ConfigLoader()


-def redis_url(db: int) -> str:
-    """Helper to create a Redis URL for a specific database"""
-    _redis_protocol_prefix = "redis://"
-    _redis_tls_requirements = ""
-    if CONFIG.get_bool("redis.tls", False):
-        _redis_protocol_prefix = "rediss://"
-        _redis_tls_requirements = f"?ssl_cert_reqs={CONFIG.get('redis.tls_reqs')}"
-        if _redis_ca := CONFIG.get("redis.tls_ca_cert", None):
-            _redis_tls_requirements += f"&ssl_ca_certs={_redis_ca}"
-    _redis_url = (
-        f"{_redis_protocol_prefix}"
-        f"{quote_plus(CONFIG.get('redis.username'))}:"
-        f"{quote_plus(CONFIG.get('redis.password'))}@"
-        f"{quote_plus(CONFIG.get('redis.host'))}:"
-        f"{CONFIG.get_int('redis.port')}"
-        f"/{db}{_redis_tls_requirements}"
-    )
-    return _redis_url
-
-
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
@@ -47,16 +47,6 @@ listen:
    - fe80::/10
    - ::1/128

-redis:
-  host: localhost
-  port: 6379
-  db: 0
-  username: ""
-  password: ""
-  tls: false
-  tls_reqs: "none"
-  tls_ca_cert: null
-
 http_timeout: 30

 cache:
@@ -104,7 +104,6 @@ def get_logger_config():
        "daphne": "WARNING",
        "kubernetes": "INFO",
        "asyncio": "WARNING",
-        "redis": "WARNING",
        "fsevents": "WARNING",
        "uvicorn": "WARNING",
        "gunicorn": "INFO",
@@ -24,10 +24,6 @@ class TestConfig(TestCase):

    check_deprecations_env_vars = {
        ENV_PREFIX + "_WORKER__CONCURRENCY": "2",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
    }

    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
@@ -143,7 +139,7 @@ class TestConfig(TestCase):

    def test_attr_json_encoder(self):
        """Test AttrEncoder"""
-        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
+        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_POSTGRESQL__USERNAME")
        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
        self.assertEqual(json_attr, '"foo"')

@@ -176,15 +172,7 @@ class TestConfig(TestCase):
        config.update_from_env()
        config.check_deprecations()
        self.assertEqual(config.get("worker.concurrency", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
        self.assertEqual(config.get("worker.threads"), 2)
-        self.assertEqual(config.get("cache.timeout"), "124s")
-        self.assertEqual(config.get("cache.timeout_flows"), "32m")
-        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
-        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")

    def test_get_keys(self):
        """Test get_keys"""
@@ -188,7 +188,7 @@ class KerberosSource(ScheduledModel, Source):

    @property
    def sync_lock(self) -> pglock.advisory:
-        """Redis lock for syncing Kerberos to prevent multiple parallel syncs happening"""
+        """Lock for syncing Kerberos to prevent multiple parallel syncs happening"""
        return pglock.advisory(
            lock_id=f"goauthentik.io/{connection.schema_name}/sources/kerberos/sync/{self.slug}",
            timeout=0,
@@ -18,27 +18,11 @@ services:
    restart: unless-stopped
    volumes:
    - database:/var/lib/postgresql/data
-  redis:
-    command: --save 60 1 --loglevel warning
-    healthcheck:
-      interval: 30s
-      retries: 5
-      start_period: 20s
-      test:
-      - CMD-SHELL
-      - redis-cli ping | grep PONG
-      timeout: 3s
-    image: docker.io/library/redis:alpine
-    restart: unless-stopped
-    volumes:
-    - redis:/data
  server:
    command: server
    depends_on:
      postgresql:
        condition: service_healthy
-      redis:
-        condition: service_healthy
    env_file:
    - .env
    environment:
@@ -46,7 +30,6 @@ services:
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.0-rc1}
    ports:
@@ -61,8 +44,6 @@ services:
    depends_on:
      postgresql:
        condition: service_healthy
-      redis:
-        condition: service_healthy
    env_file:
    - .env
    environment:
@@ -70,7 +51,6 @@ services:
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.0-rc1}
    restart: unless-stopped
@@ -83,5 +63,3 @@ services:
 volumes:
  database:
    driver: local
-  redis:
-    driver: local
@@ -24,7 +24,6 @@ func MockConfig() api.Config {
 		100,
 		100,
 		100,
-		100,
 	)
 }

@@ -20,9 +20,6 @@ from aws_cdk import (
 from aws_cdk import (
    aws_efs as efs,
 )
-from aws_cdk import (
-    aws_elasticache as elasticache,
-)
 from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
 )
@@ -62,21 +59,6 @@ class AuthentikStack(Stack):
            description="RDS PostgreSQL storage size in GB",
        )

-        redis_instance_type = CfnParameter(
-            self,
-            "RedisInstanceType",
-            type="String",
-            default="cache.t4g.medium",
-            description="ElastiCache Redis instance type (with the leading cache.)",
-        )
-        redis_version = CfnParameter(
-            self,
-            "RedisVersion",
-            type="String",
-            default="7.1",
-            description="ElastiCache Redis version",
-        )
-
        authentik_image = CfnParameter(
            self,
            "AuthentikImage",
@@ -156,9 +138,6 @@ class AuthentikStack(Stack):
        db_security_group = ec2.SecurityGroup(
            self, "DatabaseSG", vpc=vpc, description="Security Group for authentik RDS PostgreSQL"
        )
-        redis_security_group = ec2.SecurityGroup(
-            self, "RedisSG", vpc=vpc, description="Security Group for authentik ElastiCache Redis"
-        )
        authentik_security_group = ec2.SecurityGroup(
            self, "AuthentikSG", vpc=vpc, description="Security Group for authentik services"
        )
@@ -167,11 +146,6 @@ class AuthentikStack(Stack):
            connection=ec2.Port.tcp(5432),
            description="Allow authentik to connect to RDS PostgreSQL",
        )
-        redis_security_group.add_ingress_rule(
-            peer=authentik_security_group,
-            connection=ec2.Port.tcp(6379),
-            description="Allow authentik to connect to ElastiCache Redis",
-        )

        # Generated secrets

@@ -212,30 +186,6 @@ class AuthentikStack(Stack):
            removal_policy=RemovalPolicy.SNAPSHOT,
        )

-        # Redis
-
-        redis_subnet_group = elasticache.CfnSubnetGroup(
-            self,
-            "AuthentikRedisSubnetGroup",
-            subnet_ids=vpc.select_subnets(
-                subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
-            ).subnet_ids,
-            description="Subnet group for authentik ElastiCache Redis",
-        )
-
-        redis = elasticache.CfnReplicationGroup(
-            self,
-            "AuthentikRedis",
-            replication_group_description="Redis cluster for authentik",
-            engine="redis",
-            engine_version=redis_version.value_as_string,
-            cache_node_type=redis_instance_type.value_as_string,
-            num_cache_clusters=2,
-            automatic_failover_enabled=True,
-            security_group_ids=[redis_security_group.security_group_id],
-            cache_subnet_group_name=redis_subnet_group.ref,
-        )
-
        # Storage

        media_fs = efs.FileSystem(
@@ -270,7 +220,6 @@ class AuthentikStack(Stack):
        environment = {
            "AUTHENTIK_POSTGRESQL__HOST": database.instance_endpoint.hostname,
            "AUTHENTIK_POSTGRESQL__USER": "authentik",
-            "AUTHENTIK_REDIS__HOST": redis.attr_primary_end_point_address,
        }

        secrets = {
@@ -12,14 +12,6 @@ Parameters:
    Default: 10
    Description: RDS PostgreSQL storage size in GB
    MinValue: 10
-  RedisInstanceType:
-    Type: String
-    Default: cache.t4g.medium
-    Description: ElastiCache Redis instance type (with the leading cache.)
-  RedisVersion:
-    Type: String
-    Default: "7.1"
-    Description: ElastiCache Redis version
  AuthentikImage:
    Type: String
    Default: ghcr.io/goauthentik/server
@@ -342,35 +334,6 @@ Resources:
      ToPort: 5432
    Metadata:
      aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432
-  RedisSGEA80AC17:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Security Group for authentik ElastiCache Redis
-      SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          Description: Allow all outbound traffic by default
-          IpProtocol: "-1"
-      VpcId:
-        Ref: AuthentikVpcA1ABE6C2
-    Metadata:
-      aws:cdk:path: AuthentikStack/RedisSG/Resource
-  RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE:
-    Type: AWS::EC2::SecurityGroupIngress
-    Properties:
-      Description: Allow authentik to connect to ElastiCache Redis
-      FromPort: 6379
-      GroupId:
-        Fn::GetAtt:
-          - RedisSGEA80AC17
-          - GroupId
-      IpProtocol: tcp
-      SourceSecurityGroupId:
-        Fn::GetAtt:
-          - AuthentikSG3040E46F
-          - GroupId
-      ToPort: 6379
-    Metadata:
-      aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379
  AuthentikSG3040E46F:
    Type: AWS::EC2::SecurityGroup
    Properties:
@@ -481,34 +444,6 @@ Resources:
    DeletionPolicy: Snapshot
    Metadata:
      aws:cdk:path: AuthentikStack/AuthentikDB/Resource
-  AuthentikRedisSubnetGroup:
-    Type: AWS::ElastiCache::SubnetGroup
-    Properties:
-      Description: Subnet group for authentik ElastiCache Redis
-      SubnetIds:
-        - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
-        - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
-    Metadata:
-      aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup
-  AuthentikRedis:
-    Type: AWS::ElastiCache::ReplicationGroup
-    Properties:
-      AutomaticFailoverEnabled: true
-      CacheNodeType:
-        Ref: RedisInstanceType
-      CacheSubnetGroupName:
-        Ref: AuthentikRedisSubnetGroup
-      Engine: redis
-      EngineVersion:
-        Ref: RedisVersion
-      NumCacheClusters: 2
-      ReplicationGroupDescription: Redis cluster for authentik
-      SecurityGroupIds:
-        - Fn::GetAtt:
-            - RedisSGEA80AC17
-            - GroupId
-    Metadata:
-      aws:cdk:path: AuthentikStack/AuthentikRedis
  AuthentikMediaEFSSecurityGroup1840BA29:
    Type: AWS::EC2::SecurityGroup
    Properties:
@@ -653,11 +588,6 @@ Resources:
                  - Endpoint.Address
            - Name: AUTHENTIK_POSTGRESQL__USER
              Value: authentik
-            - Name: AUTHENTIK_REDIS__HOST
-              Value:
-                Fn::GetAtt:
-                  - AuthentikRedis
-                  - PrimaryEndPoint.Address
          Essential: true
          HealthCheck:
            Command:
@@ -874,11 +804,6 @@ Resources:
                  - Endpoint.Address
            - Name: AUTHENTIK_POSTGRESQL__USER
              Value: authentik
-            - Name: AUTHENTIK_REDIS__HOST
-              Value:
-                Fn::GetAtt:
-                  - AuthentikRedis
-                  - PrimaryEndPoint.Address
          Essential: true
          HealthCheck:
            Command:
@@ -1,5 +1,4 @@
 # flake8: noqa
-
 from lifecycle.migrate import BaseMigration

 SQL_STATEMENT = """BEGIN TRANSACTION;
@@ -33416,13 +33416,10 @@ components:
          type: integer
        cache_timeout_policies:
          type: integer
-        cache_timeout_reputation:
-          type: integer
      required:
      - cache_timeout
      - cache_timeout_flows
      - cache_timeout_policies
-      - cache_timeout_reputation
      - capabilities
      - error_reporting
    ConnectionToken:
@@ -12,12 +12,6 @@ services:
    ports:
      - 127.0.0.1:5432:5432
    restart: always
-  redis:
-    container_name: redis
-    image: docker.io/library/redis
-    ports:
-      - 127.0.0.1:6379:6379
-    restart: always
  s3:
    container_name: s3
    image: docker.io/zenko/cloudserver
@@ -12,38 +12,24 @@ base = {
            "env_file": [".env"],
            "environment": {
                "POSTGRES_DB": "${PG_DB:-authentik}",
-                "POSTGRES_PASSWORD": "${PG_PASS:?database " "password " "required}",
+                "POSTGRES_PASSWORD": "${PG_PASS:?database password required}",
                "POSTGRES_USER": "${PG_USER:-authentik}",
            },
            "healthcheck": {
                "interval": "30s",
                "retries": 5,
                "start_period": "20s",
-                "test": ["CMD-SHELL", "pg_isready -d " "$${POSTGRES_DB} -U " "$${POSTGRES_USER}"],
+                "test": ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"],
                "timeout": "5s",
            },
            "image": "docker.io/library/postgres:16-alpine",
            "restart": "unless-stopped",
            "volumes": ["database:/var/lib/postgresql/data"],
        },
-        "redis": {
-            "command": "--save 60 1 --loglevel warning",
-            "healthcheck": {
-                "interval": "30s",
-                "retries": 5,
-                "start_period": "20s",
-                "test": ["CMD-SHELL", "redis-cli ping | grep PONG"],
-                "timeout": "3s",
-            },
-            "image": "docker.io/library/redis:alpine",
-            "restart": "unless-stopped",
-            "volumes": ["redis:/data"],
-        },
        "server": {
            "command": "server",
            "depends_on": {
                "postgresql": {"condition": "service_healthy"},
-                "redis": {"condition": "service_healthy"},
            },
            "env_file": [".env"],
            "environment": {
@@ -51,8 +37,7 @@ base = {
                "AUTHENTIK_POSTGRESQL__NAME": "${PG_DB:-authentik}",
                "AUTHENTIK_POSTGRESQL__PASSWORD": "${PG_PASS}",
                "AUTHENTIK_POSTGRESQL__USER": "${PG_USER:-authentik}",
-                "AUTHENTIK_REDIS__HOST": "redis",
-                "AUTHENTIK_SECRET_KEY": "${AUTHENTIK_SECRET_KEY:?secret " "key " "required}",
+                "AUTHENTIK_SECRET_KEY": "${AUTHENTIK_SECRET_KEY:?secret key required}",
            },
            "image": authentik_image,
            "ports": ["${COMPOSE_PORT_HTTP:-9000}:9000", "${COMPOSE_PORT_HTTPS:-9443}:9443"],
@@ -63,7 +48,6 @@ base = {
            "command": "worker",
            "depends_on": {
                "postgresql": {"condition": "service_healthy"},
-                "redis": {"condition": "service_healthy"},
            },
            "env_file": [".env"],
            "environment": {
@@ -71,8 +55,7 @@ base = {
                "AUTHENTIK_POSTGRESQL__NAME": "${PG_DB:-authentik}",
                "AUTHENTIK_POSTGRESQL__PASSWORD": "${PG_PASS}",
                "AUTHENTIK_POSTGRESQL__USER": "${PG_USER:-authentik}",
-                "AUTHENTIK_REDIS__HOST": "redis",
-                "AUTHENTIK_SECRET_KEY": "${AUTHENTIK_SECRET_KEY:?secret " "key " "required}",
+                "AUTHENTIK_SECRET_KEY": "${AUTHENTIK_SECRET_KEY:?secret key required}",
            },
            "image": authentik_image,
            "restart": "unless-stopped",
@@ -85,7 +68,11 @@ base = {
            ],
        },
    },
-    "volumes": {"database": {"driver": "local"}, "redis": {"driver": "local"}},
+    "volumes": {
+        "database": {
+            "driver": "local",
+        },
+    },
 }

 with open("docker-compose.yml", "w") as _compose:
@@ -28,6 +28,6 @@ if [[ -v BUILD ]]; then
 fi

 docker compose up --no-start
-docker compose start postgresql redis
+docker compose start postgresql
 docker compose run -u root server test-all
 docker compose down -v
@@ -10,9 +10,7 @@ graph LR
    ak_server --> ak_server_core(authentik Server Core)
    ak_server --> ak_outpost(Embedded outpost)
    ak_server_core --> db(PostgreSQL)
-    ak_server_core --> cache(Redis)
    ak_worker(Background Worker) --> db(PostgreSQL)
-    ak_worker(Background Worker) --> cache(Redis)
 ```

 ### Server
@@ -49,13 +47,3 @@ authentik uses PostgreSQL to store all of its configuration and other data (excl
 - `/var/lib/postgresql/data` is used to store the PostgreSQL database

 On Kubernetes, with the default Helm chart and using the packaged PostgreSQL sub-chart, persistent data is stored in a PVC.
-
-### Redis
-
-authentik uses Redis as a message-queue and a cache. Data in Redis is not required to be persistent.
-
-#### Persistence
-
- `/data` is used to store the Redis data
-
-On Kubernetes, with the default Helm chart and using the packaged Redis sub-chart, persistent data is stored in a PVC.
@@ -29,7 +29,6 @@ Before you begin, ensure you have the following tools installed:

 authentik depends on several external services:

- [Redis](https://redis.io/) for caching
 - [PostgreSQL](https://www.postgresql.org/) for database storage
 - [Zenko CloudServer (S3)](https://www.zenko.io/cloudserver/) for object storage
 - [Sentry Spotlight](https://spotlightjs.com/) for error tracking and visualization
@@ -64,7 +63,6 @@ libpq \
 pkg-config \
 uv \
 postgresql \
-redis \
 node@24 \
 golangci-lint \
 krb5
@@ -82,8 +80,7 @@ libgss-dev \
 krb5-config \
 libkrb5-dev \
 postgresql-server-dev-all \
-postgresql \
-redis
+postgresql
 ```

 For other distributions (Red Hat, SUSE, Arch), adjust the package names as needed.
@@ -79,7 +79,6 @@ authentik deployments require access to the following container images. In an ai
 #### Supporting services

 - PostgreSQL
- Redis

 ### Helm repositories

@@ -177,36 +177,11 @@ When your PostgreSQL databases are running behind a connection pooler (like PgBo
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjusts the database configuration to support connections to a PgBouncer connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](#using-a-postgresql-connection-pooler) section.
 - `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjusts the database configuration to support connections to a Pgpool connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](#using-a-postgresql-connection-pooler) section.

-## Redis Settings
-
- `AUTHENTIK_REDIS__HOST`: Redis server host when not using configuration URL
- `AUTHENTIK_REDIS__PORT`: Redis server port when not using configuration URL
- `AUTHENTIK_REDIS__DB`: Redis server database when not using configuration URL
- `AUTHENTIK_REDIS__USERNAME`: Redis server username when not using configuration URL
- `AUTHENTIK_REDIS__PASSWORD`: Redis server password when not using configuration URL
- `AUTHENTIK_REDIS__TLS`: Redis server connection using TLS when not using configuration URL
- `AUTHENTIK_REDIS__TLS_REQS`: Redis server TLS connection requirements when not using configuration URL. Defaults to `"none"`. Allowed values are `"none"` and `"required"`.
- `AUTHENTIK_REDIS__TLS_CA_CERT`: Path to the Redis server TLS CA root when not using configuration URL. Defaults to `null`.
-
-## Result Backend Settings
-
- `AUTHENTIK_RESULT_BACKEND__URL`: Result backend configuration URL, uses [the Redis Settings](#redis-settings) by default
-
 ## Cache Settings

- `AUTHENTIK_CACHE__URL`: Cache configuration URL, uses [the Redis Settings](#redis-settings) by default
 - `AUTHENTIK_CACHE__TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
 - `AUTHENTIK_CACHE__TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
 - `AUTHENTIK_CACHE__TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
- `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
-
-    :::info
-    `AUTHENTIK_CACHE__TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
-    :::
-
-## Channel Layer Settings (inter-instance communication)
-
- `AUTHENTIK_CHANNEL__URL`: Channel layers configuration URL, uses [the Redis Settings](#redis-settings) by default

 ## Worker settings

@@ -496,7 +471,7 @@ Defaults to `null`.

 ### `AUTHENTIK_REPUTATION__EXPIRY`

-Configure how long reputation scores should be saved for in seconds. Note that this is different than [`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`](#redis-settings), as reputation is saved to the database every 5 minutes.
+Configure how long reputation scores should be saved for in seconds.

 Defaults to `86400`.

@@ -20,7 +20,6 @@ This stack will create the following resources:
 - AWS SSM secrets for the PostgreSQL user and the authentik secret key
 - A VPC for all other resources
 - A RDS PostgreSQL Multi-AZ cluster
- An ElastiCache Redis Multi-AZ cluster
 - An ECS cluster with two tasks:
    - One for the authentik server
    - One for the authentik worker
@@ -52,8 +52,6 @@ postgresql:
    enabled: true
    auth:
        password: "ThisIsNotASecurePassword"
-redis:
-    enabled: true
 ```

 See all configurable values on [ArtifactHub](https://artifacthub.io/packages/helm/goauthentik/authentik).
@@ -55,7 +55,7 @@ slug: /releases/2024.2

    Cache settings have been moved from the `redis` top-level config key to their own `cache` top-level config key.

-    Settings have also been added to configure the Redis instance/database used for tasks and websockets separately from cache. See [here](../../install-config/configuration/configuration.mdx#redis-settings).
+    Settings have also been added to configure the Redis instance/database used for tasks and websockets separately from cache. See [here](../../install-config/configuration/configuration.mdx).

    Typically, _no changes to the configuration are required_.

@@ -22,24 +22,6 @@ This guide outlines the critical components to back up and restore in authentik.
 - **Restoration Guidance:**
    - Use PostgreSQL's [`pg_restore`](https://www.postgresql.org/docs/current/app-pgrestore.html) or other official methods.

-## Redis database
-
-### Backup
-
- **Role:** Manages temporary data:
-    - Pending tasks (e.g., queued emails, outpost syncs).
-    - Cache
- **Impact of Loss:** Temporary performance loss (while cache gets rebuilt), and potential permanent data loss (e.g., queued emails).
- **Backup Guidance:**
-    - Use Redis' [`SAVE`](https://redis.io/commands/save) or [`BGSAVE`](https://redis.io/commands/bgsave).
- **Official Documentation:** [Redis Persistence](https://redis.io/docs/management/persistence/)
-
-### Restore
-
- **Restoration Importance:** Service impact but no permanent data loss.
- **Restoration Guidance:**
-    - Follow [Redis' Import Data Guide](https://redis.io/learn/guides/import#restore-an-rdb-file) to restore an RDB file.
-
 ## Static directories

 These directories are mounted as volumes in containerized installations and must be restored if they were part of the backup to maintain authentik’s expected functionality.
@@ -6,13 +6,13 @@ authentik can be easily monitored in multiple ways.

 ## Server monitoring

-Configure your monitoring software to send requests to `/-/health/live/`, which will return a `HTTP 200` response as long as authentik is running. You can also send HTTP requests to `/-/health/ready/`, which will return `HTTP 200` if both PostgreSQL and Redis connections can be established correctly.
+Configure your monitoring software to send requests to `/-/health/live/`, which will return a `HTTP 200` response as long as authentik is running. You can also send HTTP requests to `/-/health/ready/`, which will return `HTTP 200` if a PostgreSQL connection can be established correctly.

 ## Worker monitoring

-The worker container can be monitored by running `ak healthcheck` in the worker container. This will check that the worker is running and ensure that both PostgreSQL and Redis connections can be established correctly.
+The worker container can be monitored by running `ak healthcheck` in the worker container. This will check that the worker is running and ensure that a PostgreSQL connection can be established correctly.

-You can also send HTTP requests to `/-/health/ready/`, which will return `HTTP 200` if both PostgreSQL and Redis connections can be established correctly.
+You can also send HTTP requests to `/-/health/ready/`, which will return `HTTP 200` if a PostgreSQL connection can be established correctly.

 ## Outpost monitoring

@@ -35,8 +35,6 @@ Learn more in our documentation about [Enterprise licenses](../enterprise/manage

 - Upon creating another tenant, a new schema will be created by cloning the `template` schema. This special schema is like a tenant with no data created in it. Cloning an existing schema instead of creating a new one and running migrations on it is done for efficiency purposes.

- In a typical deployment, all data stored in Redis (such as tasks, locks, and cached objects) will have its keys prefixed by the `schema_name`.
-
 - Files are isolated on a per-tenant basis, with each tenant folder named according to the schema_name. For example, `/media/t_example`. The same is true regardless of the storage backend.

 - Using an [embedded outpost](../add-secure-apps/outposts/embedded/embedded.mdx) with multi-tenancy is not currently supported. Disable the embedded outpost with `AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true` configuration setting.