Add authentik database user and ExternalSecret

Add managed role for authentik user on blumeops-pg CNPG cluster,
with ExternalSecret pulling password from 1Password item
"Authentik (blumeops)".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-20 10:20:23 -08:00
commit bddce1a159
3 changed files with 38 additions and 0 deletions


@ -55,6 +55,15 @@ spec:
createdb: true
passwordSecret:
name: blumeops-pg-teslamate
# authentik user for Authentik identity provider (runs on ringtail)
- name: authentik
login: true
connectionLimit: -1
ensure: present
inherit: true
createdb: true
passwordSecret:
name: blumeops-pg-authentik
# Resource limits for minikube environment
resources:
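Review bot: `createdb: true` on the new authentik role (the line after `inherit: true`) grants more than the service needs: CREATEDB lets this login create any number of databases on the shared blumeops-pg cluster, while Authentik only needs to own its one database. None of the three changed files creates that database, so presumably the flag is there so Authentik can bootstrap it on first start; if that is the intent, a one-line comment such as `# createdb needed so Authentik can create its own database on first run — revisit once a Database resource exists` would record it, and where the operator version supports the CNPG `Database` resource, declaring the database with `owner: authentik` and switching to `createdb: false` keeps the role at least privilege. The existing teslamate role just above uses the same pattern, so this entry is at least consistent with its siblings; the enclosing managed-roles list starts before the hunk.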


@ -0,0 +1,28 @@
# ExternalSecret for Authentik database user password
#
# 1Password item: "Authentik (blumeops)" in blumeops vault
# Field: "postgresql-password"
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: blumeops-pg-authentik
namespace: databases
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-blumeops
target:
name: blumeops-pg-authentik
creationPolicy: Owner
template:
type: kubernetes.io/basic-auth
data:
username: authentik
password: "{{ .password }}"
data:
- secretKey: password
remoteRef:
key: Authentik (blumeops)
property: postgresql-password
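Review bot: `username: authentik` in `template.data` is a hand-copied duplicate of the role name in the cluster manifest with nothing tying the two together, and CNPG pairs a basic-auth secret with its managed role through this field, so renaming either side breaks the login without any error in this file. A comment above `template:` such as `# username must match the role name under spec.managed.roles in the cluster manifest` makes the coupling visible to the next editor. Separately, `key: Authentik (blumeops)` is valid as a plain scalar today, but quoting it as `key: "Authentik (blumeops)"`, matching the header comment, protects the 1Password lookup from a later edit that introduces a `:` or `#`.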


@ -11,3 +11,4 @@ resources:
- external-secret-eblume.yaml
- external-secret-borgmatic.yaml
- external-secret-teslamate.yaml
- external-secret-authentik.yaml