diff --git a/docs/how-to/authentik/create-authentik-secrets.md b/docs/how-to/authentik/create-authentik-secrets.md index 351805a..be9ed34 100644 --- a/docs/how-to/authentik/create-authentik-secrets.md +++ b/docs/how-to/authentik/create-authentik-secrets.md @@ -1,6 +1,5 @@ --- title: Create Authentik Secrets -status: active modified: 2026-02-20 tags: - how-to 
@@ -12,27 +11,22 @@ tags: Create the 1Password item that the ExternalSecret references for Authentik configuration. -## Context +## What Was Done -Discovered while attempting [[deploy-authentik]]: the ExternalSecret references 1Password item "Authentik (blumeops)" which doesn't exist. Without it, the `authentik-config` Kubernetes secret won't be created and pods can't start. - -## What to Do - -1. Generate a random secret key for Authentik (`AUTHENTIK_SECRET_KEY`) -2. Create 1Password item "Authentik (blumeops)" in vault `blumeops` with fields: - - `secret-key`: random 50+ character string - - `postgresql-host`: Tailscale-accessible postgres hostname +1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields: + - `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`) + - `postgresql-host`: `pg.ops.eblu.me` - `postgresql-port`: `5432` - `postgresql-name`: `authentik` - `postgresql-user`: `authentik` - - `postgresql-password`: the password from [[provision-authentik-database]] -3. Verify the ExternalSecret can resolve on ringtail's cluster + - `postgresql-password`: random 44-character base64 string +2. ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during [[provision-authentik-database]]) ## Notes -- This partially depends on [[provision-authentik-database]] for the postgres password, but the 1Password item structure and secret key can be created independently. +- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields. ## Related - [[deploy-authentik]] — Parent goal -- [[provision-authentik-database]] — Source of database credentials +- [[provision-authentik-database]] — Database provisioning (uses `postgresql-password` field) 
diff --git a/docs/how-to/authentik/provision-authentik-database.md b/docs/how-to/authentik/provision-authentik-database.md index e99f76b..71cf844 100644 --- a/docs/how-to/authentik/provision-authentik-database.md +++ b/docs/how-to/authentik/provision-authentik-database.md @@ -1,6 +1,5 @@ --- title: Provision Authentik Database -status: active modified: 2026-02-20 tags: - how-to 
@@ -12,20 +11,18 @@ tags: Create a PostgreSQL database and user for Authentik on the existing CNPG cluster. -## Context +## What Was Done -Discovered while attempting [[deploy-authentik]]: Authentik requires a PostgreSQL database, but no `authentik` database exists on `blumeops-pg`. The CNPG cluster runs on [[indri]] (minikube) and is reachable from [[ringtail]] via Tailscale at `blumeops-pg-rw.databases.svc:5432` or the Tailscale endpoint. +1. Added `authentik` managed role to `blumeops-pg` CNPG cluster (`argocd/manifests/databases/blumeops-pg.yaml`) — non-superuser with `createdb` and `login` +2. Created ExternalSecret `blumeops-pg-authentik` pulling password from 1Password item "Authentik (blumeops)" field `postgresql-password` +3. Synced CNPG cluster — role reconciled with password set +4. Created `authentik` database owned by `authentik` user +5. Verified cross-cluster connectivity: ringtail pod → `pg.ops.eblu.me:5432` (Caddy L4) -## What to Do +## Resolved Questions -1. Create database `authentik` and user `authentik` on the CNPG cluster -2. Store credentials in 1Password (part of the "Authentik (blumeops)" item) -3. Verify cross-cluster connectivity: ringtail pod → indri postgres via Tailscale - -## Open Questions - -- What Tailscale hostname does the CNPG cluster expose? Need to check if there's a Tailscale Ingress for postgres or if we need to use the MagicDNS name directly. -- Should the database user have limited permissions or superuser access? +- **Hostname:** `pg.ops.eblu.me` via Caddy L4 plugin (not MagicDNS) +- **Permissions:** Non-superuser with `createdb` — Authentik manages its own schema via migrations ## Related
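Review bot: In the first hunk of both files (`@@ -1,6 +1,5 @@`), `status: active` is dropped from the front matter rather than updated, even though the body moves from "What to Do" to "What Was Done"; if other pages in `docs/how-to` are filtered or listed by `status`, these two will silently fall out of that view. Suggest replacing the line with a completed value the docs set already uses instead of deleting it.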
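Review bot: In the second hunk of `create-authentik-secrets.md` (`@@ -12,27 +11,22 @@`), the removed step 1 ("Generate a random secret key") is not replaced by anything that says how the values were produced, so the page no longer tells a reader how to rotate them. The recorded lengths ("random 68-character base64 string", "random 44-character base64 string") correspond to 51 and 32 bytes of randomness respectively; recording the generation command next to each field would let a future rotation reproduce the same entropy and keep the how-to usable as a how-to. The added Notes line that both ExternalSecrets read the same 1Password item "Authentik (blumeops)" but different fields is useful; consider also stating there that rotating `postgresql-password` requires resyncing both the CNPG role and the Authentik deployment, since the item is now shared.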
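Review bot: In the second hunk of `provision-authentik-database.md` (`@@ -12,20 +11,18 @@`), step 1 grants the `authentik` role `createdb`, but step 4 then creates the `authentik` database owned by that role, and the "Permissions" answer justifies `createdb` with "Authentik manages its own schema via migrations"; running migrations inside a database the role already owns does not need `createdb`, so the privilege looks unnecessary once step 4 is done. Suggest dropping `createdb` from the managed role in `argocd/manifests/databases/blumeops-pg.yaml` after the database exists, or documenting why it must stay. Separately, the removed Context said the cluster was reachable "via Tailscale", while the new step 5 and "Hostname" answer only say `pg.ops.eblu.me:5432` via the Caddy L4 plugin "(not MagicDNS)"; the page should state whether that endpoint is still reachable only from the tailnet and whether the connection is made with TLS, since those are the properties a reader of this how-to needs before pointing a client at it.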