eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/authentik/deploy-authentik.md

62 lines
2.8 KiB
Markdown
Raw Normal View History

Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
---
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
title: Deploy Authentik Identity Provider
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
status: active
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
modified: 2026-02-20
Mikado: identify three leaf prerequisites for Authentik deploy Attempted deployment fails on three independent blockers: 1. Container image doesn't exist (build-authentik-container) 2. PostgreSQL database doesn't exist (provision-authentik-database) 3. 1Password secrets don't exist (create-authentik-secrets) Created cards for each and added requires to goal card. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 09:01:11 -08:00
requires:
- build-authentik-container
- provision-authentik-database
- create-authentik-secrets
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
- migrate-grafana-to-authentik
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
tags:
- how-to
- authentik
- security
- oidc
---
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
# Deploy Authentik Identity Provider
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity provider. Authentik is the **source of truth** for user identity in BlumeOps. Users are created and managed in Authentik; services authenticate against it via OIDC. Forgejo federation is deferred to a future effort (existing `eblume` account has extensive automations that need careful migration).
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
## Architecture Decisions
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
| Decision | Choice | Rationale |
|----------|--------|-----------|
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
| **Identity model** | Authentik is source of truth | Central user/group management, not Forgejo-upstream like Dex |
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
| **Cluster** | [[ringtail]] (k3s) | IdP independent of main services cluster, same as Dex |
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed |
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
| **Redis** | Co-deployed in authentik namespace | Required for caching/sessions/task queue |
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
| **Containers** | Nix-built (`dockerTools.buildLayeredImage`) | Supply chain control, consistent with Dex/ntfy pattern |
| **Manifests** | Kustomize (no Helm) | Consistent with all other BlumeOps services |
| **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
| **IaC** | Authentik Blueprints (YAML in ConfigMap) | GitOps-native, config stored in repo |
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
## What Was Done
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
1. Built Nix container image (`v1.1.0-nix`) — `pkgs.authentik` + `coreutils` + `bashInteractive`
2. Created 1Password item "Authentik (blumeops)" with secret key and DB credentials
3. Provisioned `authentik` database and CNPG managed role on `blumeops-pg`
4. Deployed to ringtail k3s: server, worker, Redis (3 deployments)
5. ExternalSecret pulls config from 1Password
6. Tailscale Ingress at `authentik.tail8d86e.ts.net`
7. Caddy reverse proxy at `authentik.ops.eblu.me`
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
8. Completed first-run wizard (admin account created)
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
## URLs
- **Admin:** https://authentik.ops.eblu.me/if/admin/
- **Tailscale:** https://authentik.tail8d86e.ts.net
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
## Future Work (not blocking this card)
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
- **Forgejo federation:** Make Forgejo an OIDC client of Authentik (deferred — needs careful `eblume` account migration)
Complete deploy-authentik goal — Authentik running on ringtail Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:02:36 -08:00
- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail
- **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
## Related
Mikado: add migrate-grafana-to-authentik prerequisite Authentik is deployed but no services use it yet. New leaf node to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex. Goal card re-activated with new dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 11:19:34 -08:00
- [[dex]] — Current IdP (to be replaced by [[migrate-grafana-to-authentik]])
Add Authentik deployment plan (#224) ## Summary - New plan document at `docs/how-to/plans/deploy-authentik.md` covering full Authentik deployment - 6 phases: Helm analysis, prerequisites (CNPG/Redis/1Password), Nix containers, kustomize manifests, networking, monitoring - Authentik replaces Dex as the identity provider for central user management and multi-protocol SSO - Updated plans index and how-to index ## Deployment and Testing - [x] Pre-commit hooks pass (docs-check-links, docs-check-index, docs-check-frontmatter) - [ ] Review plan content for accuracy and completeness - No deployment needed — documentation only Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/224
2026-02-20 07:06:56 -08:00
- [[federated-login]] — How authentication works across BlumeOps
- [[adopt-oidc-provider]] — Dex deployment plan (completed)
Convert deploy-authentik plan to C2 Mikado chain (#226) ## Summary - Strip detailed phase instructions from deploy-authentik plan (400→50 lines) - Retain architecture decisions (ringtail, CNPG on indri, Nix containers, kustomize, Tailscale+Caddy) and open questions - Add `status: active` frontmatter — now visible as a root goal in `mise run docs-mikado` - Update plans index to reflect Active (C2) status This is the first real use of the C2 Mikado chain system from #225. Future sessions will discover prerequisites, create sub-cards with `requires`, and work leaf nodes first. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/226
2026-02-20 08:22:19 -08:00
- [[ringtail]] — Target cluster
- [[agent-change-process]] — C2 methodology used for this change
Reference in a new issue Copy permalink