Unimportant annoyances regarding auth.blt.chrisproject.org

[jennydaman]

• Achieving HTTPS for the ingress requires workarounds. The certificate might not be able to automatically renew. See "ingress-class" settings for a user namespace nerc-project/operations#814
• Authentik is hard-coded to use the public schema in the PostgreSQL database, which makes it hard to use Crunchy PGO (because using the public schema is considered bad practice) Authentik requires public schema goauthentik/authentik#12154
• Authentik's subchart dependencies on bitnami/postgresql and bitnami/redis are 1 year out-of-date. It would be ideal if we deployed postgresql and valkey (the successor to redis) separately instead of using the bundled subcharts.
• serviceAccount.create=true doesn't work on OpenShift, because the role is hard-coded with rules for apiextensions.k8s.io, traefik.containo.us, and traefik.io. See Least privilege for Kubernetes outposts (on OpenShift) goauthentik/helm#305
• Use Authentik blueprints to automate provisioning of LDAP for ChRIS.