blumeops/docs/how-to/authentik/create-authentik-secrets.md

---
title: Create Authentik Secrets
modified: 2026-02-22
last-reviewed: 2026-02-22
tags:
  - how-to
  - authentik
  - secrets
---

# Create Authentik Secrets

Create the 1Password item that the ExternalSecret references for Authentik configuration.

## What Was Done

1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
   - `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
   - `postgresql-host`: `pg.ops.eblu.me`
   - `postgresql-port`: `5432`
   - `postgresql-name`: `authentik`
   - `postgresql-user`: `authentik`
   - `postgresql-password`: random 44-character base64 string
2. ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during [[provision-authentik-database]])

## Notes

- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
- The 1Password item has since grown with OIDC client secrets (`grafana-client-secret`, `forgejo-client-secret`, `zot-client-secret`, `jellyfin-client-secret`) and an `api-token` field, added during subsequent service integrations.

## Related

- [[deploy-authentik]] — Parent goal
- [[provision-authentik-database]] — Database provisioning (uses `postgresql-password` field)
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`---`
			`title: Create Authentik Secrets`
Review 3 docs: agent-change-process, build-authentik-container, create-authentik-secrets (#243) ## Summary - Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs - `agent-change-process.md`: accurate, no content changes - `build-authentik-container.md`: accurate, container image verified in registry - `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written ## Changelog - `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243 2026-02-22 09:12:31 -08:00			`modified: 2026-02-22`
			`last-reviewed: 2026-02-22`
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`tags:`
			`- how-to`
			`- authentik`
			`- secrets`
			`---`

			`# Create Authentik Secrets`

			`Create the 1Password item that the ExternalSecret references for Authentik configuration.`

			`## What Was Done`

			1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
			- `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
			- `postgresql-host`: `pg.ops.eblu.me`
			- `postgresql-port`: `5432`
			- `postgresql-name`: `authentik`
			- `postgresql-user`: `authentik`
			- `postgresql-password`: random 44-character base64 string
			2. ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during [[provision-authentik-database]])

			`## Notes`

			- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
Review 3 docs: agent-change-process, build-authentik-container, create-authentik-secrets (#243) ## Summary - Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs - `agent-change-process.md`: accurate, no content changes - `build-authentik-container.md`: accurate, container image verified in registry - `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written ## Changelog - `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243 2026-02-22 09:12:31 -08:00			- The 1Password item has since grown with OIDC client secrets (`grafana-client-secret`, `forgejo-client-secret`, `zot-client-secret`, `jellyfin-client-secret`) and an `api-token` field, added during subsequent service integrations.
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00
			`## Related`

			`- [[deploy-authentik]] — Parent goal`
			- [[provision-authentik-database]] — Database provisioning (uses `postgresql-password` field)