Description
Describe the bug
Running authentik 2025.8.0 on Kubernetes with IPv6 disabled causes the worker’s metrics and healthcheck processes to crash at startup. The processes try to bind a dual-stack IPv6 socket via socket.create_server(..., dualstack_ipv6=True), and Python raises:
ValueError: dualstack_ipv6 not supported on this platform
This error appears in both MetricsMiddleware.run(addr, port) and WorkerHealthcheckMiddleware.run(host, port) logs. This prevents worker pods from starting cleanly.
To Reproduce
- Deploy authentik 2025.8.0 in a Kubernetes cluster where IPv6 is disabled at the node/pod level.
- Start the worker pods.
- Observe worker logs; the worker metrics or healthcheck subprocess crashes with a traceback ending in `ValueError: dualstack_ipv6 not supported on this platform`.
Expected behavior
The worker metrics and healthcheck HTTP servers should fall back to IPv4-only binds on IPv4-only systems, or respect the configured metrics listener (e.g. AUTHENTIK_LISTEN__METRICS=0.0.0.0:9300) without attempting a dual-stack IPv6 bind. The worker pods should start cleanly without crashing.
Logs
Example traceback from worker pod:
  File "/authentik/tasks/forks.py", line 43, in worker_metrics
    MetricsMiddleware.run(addr, port)
  File "/ak-root/packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py", line 282, in run
    server = HTTPServer((addr, port), _MetricsHandler)
  File "/usr/local/lib/python3.13/socketserver.py", line 457, in __init__
    self.server_bind()
  File "/ak-root/packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py", line 42, in server_bind
    self.socket = socket.create_server(self.server_address, family=self.address_family, dualstack_ipv6=self.address_family == socket.AF_INET6)
  File "/usr/local/lib/python3.13/socket.py", line 912, in create_server
    raise ValueError("dualstack_ipv6 not supported on this platform")
ValueError: dualstack_ipv6 not supported on this platform
Similar errors appear for worker_healthcheck.
Version and Deployment
- authentik version: 2025.8.0
- Deployment method: Kubernetes (Helm)
- Kubernetes cluster: IPv6 disabled on nodes and pods
Additional context
We attempted several workarounds without success:
- Set AUTHENTIK_LISTEN__METRICS=0.0.0.0:9300 on both server and worker.
- Set dramatiq_prom_host=0.0.0.0 and dramatiq_prom_port=9191.
- Set PROMETHEUS_MULTIPROC_DIR=/dev/shm/authentik_prometheus_tmp.
- Enabled IPv6 sysctls inside the worker pod.
None of these prevented the crash.
There is an existing issue (#16292) about an empty metrics response, but our case involves the socket bind. A temporary workaround is to enable IPv6 on the host, but a fix to gracefully handle IPv4-only environments would be appreciated.
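
One way to get the fallback requested above, as an added example that is not authentik's or django-dramatiq-postgres's code: an `HTTPServer` subclass that asks `socket.has_dualstack_ipv6()` before requesting a dual-stack bind. The names `pick_bind`, `FallbackHTTPServer` and `HealthHandler` are hypothetical, and the listener address is a constructed value.

```python
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer


def pick_bind(addr, dualstack_ok=None):
    """Return (family, dualstack_ipv6, bind_addr) that create_server() will accept."""
    if dualstack_ok is None:
        # Probes the kernel; False when IPv6 is disabled on the node or pod.
        dualstack_ok = socket.has_dualstack_ipv6()
    if ":" not in addr:                    # IPv4 literal, e.g. 0.0.0.0
        return socket.AF_INET, False, addr
    if dualstack_ok:                       # IPv6 literal on a dual-stack host
        return socket.AF_INET6, True, addr
    if addr == "::":                       # wildcard: degrade to the IPv4 wildcard
        return socket.AF_INET, False, "0.0.0.0"
    return socket.AF_INET6, False, addr    # explicit IPv6 address, v6-only socket


class FallbackHTTPServer(HTTPServer):
    """HTTPServer whose bind never requests dual-stack where it is unavailable."""

    def server_bind(self):
        host, port = self.server_address[:2]
        family, dualstack, host = pick_bind(host)
        self.socket.close()                # drop the socket TCPServer.__init__ made
        self.address_family = family
        self.socket = socket.create_server(
            (host, port), family=family, dualstack_ipv6=dualstack
        )
        self.server_address = self.socket.getsockname()
        self.server_name, self.server_port = host, self.server_address[1]


class HealthHandler(BaseHTTPRequestHandler):  # hypothetical stand-in handler
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Constructed listener value, mirroring AUTHENTIK_LISTEN__METRICS from the report.
    server = FallbackHTTPServer(("0.0.0.0", 9300), HealthHandler)
    print("listening on", server.server_address)
    server.serve_forever()
```

The fallback only maps the IPv6 wildcard to the IPv4 wildcard, so a listener configured for a specific address is never widened to all interfaces.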