diff --git a/argocd/manifests/databases/blumeops-pg.yaml b/argocd/manifests/databases/blumeops-pg.yaml
index 1c3c7de..73e2236 100644
--- a/argocd/manifests/databases/blumeops-pg.yaml
+++ b/argocd/manifests/databases/blumeops-pg.yaml
@@ -55,6 +55,15 @@ spec:
 createdb: true
 passwordSecret:
 name: blumeops-pg-teslamate
+ # authentik user for Authentik identity provider (runs on ringtail)
+ - name: authentik
+ login: true
+ connectionLimit: -1
+ ensure: present
+ inherit: true
+ createdb: true
+ passwordSecret:
+ name: blumeops-pg-authentik
 # Resource limits for minikube environment
 resources:
diff --git a/argocd/manifests/databases/external-secret-authentik.yaml b/argocd/manifests/databases/external-secret-authentik.yaml
new file mode 100644
index 0000000..1486ed6
--- /dev/null
+++ b/argocd/manifests/databases/external-secret-authentik.yaml
@@ -0,0 +1,28 @@
+# ExternalSecret for Authentik database user password
+
+ # 1Password item: "Authentik (blumeops)" in blumeops vault
+ # Field: "postgresql-password"
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: blumeops-pg-authentik
+ namespace: databases
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-blumeops
+ target:
+ name: blumeops-pg-authentik
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/basic-auth
+ data:
+ username: authentik
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: Authentik (blumeops)
+ property: postgresql-password
diff --git a/argocd/manifests/databases/kustomization.yaml b/argocd/manifests/databases/kustomization.yaml
index 4e33a7c..8c4f506 100644
--- a/argocd/manifests/databases/kustomization.yaml
+++ b/argocd/manifests/databases/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - external-secret-eblume.yaml
 - external-secret-borgmatic.yaml
 - external-secret-teslamate.yaml
+ - external-secret-authentik.yaml
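Review bot: The new `authentik` role is created with `createdb: true` and an unbounded `connectionLimit: -1`, which is more privilege than an application login needs: Authentik only has to own its single database, and a leaked application credential could otherwise create arbitrary databases on the shared instance and open as many connections as the minikube-sized server allows. Unless the role itself is expected to create its database (the cluster's database definitions are outside this hunk, so that is not visible here), change the two lines to `createdb: false` and a bounded limit such as `connectionLimit: 20`, and have the database created by the operator or a migration step instead. The entry copies the adjacent `teslamate` role verbatim, so the same question applies there; the enclosing `spec` roles list starts before the hunk.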
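Review bot: `remoteRef.key: Authentik (blumeops)` resolves the 1Password item by its title, which is ambiguous as soon as a second item with that title appears in the vault and silently breaks if the item is renamed; if the onepassword ClusterSecretStore accepts it, reference the item by its UUID and keep the human-readable title in the header comment, e.g. `key: <item-uuid>  # "Authentik (blumeops)"`. The `refreshInterval: 1h` means a password rotated in 1Password lands in the Secret within an hour, but whether the Postgres role's password follows depends on the database operator re-reading `passwordSecret` on change — this is worth confirming and recording in the header, since otherwise a rotation leaves Authentik locked out until the role is reconciled. The `username: authentik` in the template must stay identical to the role name in `blumeops-pg.yaml`; a one-line comment stating that coupling would help the next person who renames either side.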