Authservice
What you’ll accomplish
Section titled “What you’ll accomplish”You’ll configure Authservice for production high availability by connecting it to an external Redis or Valkey session store and scaling to multiple replicas. This ensures SSO sessions persist across pod restarts and failovers.
Prerequisites
Section titled “Prerequisites”- UDS CLI installed
- Access to a Kubernetes cluster (multi-node, multi-AZ recommended)
- A Redis or Valkey instance accessible from the cluster
- Applications using Authservice for SSO (see Identity & Authentication concepts for when Authservice is used vs. native SSO)
Before you begin
Section titled “Before you begin”-
Configure an external Redis session store
Add the Redis URI to your
uds-config.yaml:uds-config.yaml variables:core:AUTHSERVICE_REDIS_URI: redis://redis.redis.svc.cluster.local:6379 -
Scale Authservice replicas
With a session store configured, scale Authservice using a bundle override:
uds-bundle.yaml packages:- name: corerepository: registry.defenseunicorns.com/public/coreref: x.x.x-upstreamoverrides:authservice:authservice:values:# Number of Authservice replicas- path: replicaCountvalue: 2Alternatively, enable the HPA for dynamic scaling based on CPU utilization:
uds-bundle.yaml packages:- name: corerepository: registry.defenseunicorns.com/public/coreref: x.x.x-upstreamoverrides:authservice:authservice:values:# Enable HorizontalPodAutoscaler- path: autoscaling.enabledvalue: trueSetting Default Minimum replicas 1 Maximum replicas 3 CPU target utilization 80% -
Create and deploy your bundle
Terminal window uds create <path-to-bundle-dir>uds deploy uds-bundle-<name>-<arch>-<version>.tar.zst
Verification
Section titled “Verification”Confirm Authservice HA is working:
# Check replica countuds zarf tools kubectl get pods -n authservice -l app.kubernetes.io/name=authservice
# Check HPA (if enabled)uds zarf tools kubectl get hpa -n authserviceSession persistence test: Log in to an Authservice-protected application, then delete one Authservice pod. Refresh the page — your session should survive:
# Delete one pod to simulate failover (replace with an actual pod name)uds zarf tools kubectl delete pod -n authservice <pod-name>Success criteria:
- Multiple Authservice pods are
RunningandReady - SSO login sessions survive pod deletion
- No
503errors during pod failover
Troubleshooting
Section titled “Troubleshooting”Problem: Session loss after pod restart
Section titled “Problem: Session loss after pod restart”Symptoms: Users are logged out or see login prompts after a pod restart, even with multiple replicas running.
Solution: Verify Redis connectivity from inside the cluster:
uds zarf tools kubectl logs -n authservice -l app.kubernetes.io/name=authservice --tail=50 | grep -i redisCheck that AUTHSERVICE_REDIS_URI is set correctly and that the Redis instance is reachable.
Problem: 503 errors during SSO login
Section titled “Problem: 503 errors during SSO login”Symptoms: Users see 503 Service Unavailable when attempting to log in through Authservice.
Solution: Check Authservice pod logs for connection errors. Common causes:
- Redis instance is down or unreachable
- Incorrect Redis URI format
- Network policy blocking Authservice → Redis traffic
uds zarf tools kubectl logs -n authservice -l app.kubernetes.io/name=authservice --tail=100Related Documentation
Section titled “Related Documentation”- Authservice: Configuration Reference — session store and OIDC configuration options
- Redis: Documentation — general Redis documentation for the backing session store
- Valkey: Documentation — Redis-compatible alternative supported by Authservice
Next steps
Section titled “Next steps”These guides and concepts may be useful to explore next: