Complete deploy-authentik goal — Authentik running on ringtail
Mikado chain complete: all three prerequisites resolved, Authentik server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
7300f72e18
commit
f144581ec2
2 changed files with 24 additions and 6 deletions
1
docs/changelog.d/feature-deploy-authentik.feature.md
Normal file
1
docs/changelog.d/feature-deploy-authentik.feature.md
Normal file
|
|
@ -0,0 +1 @@
|
|||
Deploy Authentik identity provider on ringtail k3s cluster, replacing Dex as the SSO provider. Includes Nix-built container, CNPG database, Redis, and Caddy routing at `authentik.ops.eblu.me`.
|
||||
|
|
@ -1,6 +1,5 @@
|
|||
---
|
||||
title: Deploy Authentik Identity Provider
|
||||
status: active
|
||||
modified: 2026-02-20
|
||||
requires:
|
||||
- build-authentik-container
|
||||
|
|
@ -22,17 +21,35 @@ Replace [[dex]] with [Authentik](https://goauthentik.io/) as the SSO identity pr
|
|||
| Decision | Choice | Rationale |
|
||||
|----------|--------|-----------|
|
||||
| **Cluster** | [[ringtail]] (k3s) | IdP independent of main services cluster, same as Dex |
|
||||
| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Tailscale, no new operator needed |
|
||||
| **Database** | CNPG `blumeops-pg` on [[indri]] | Cross-cluster via Caddy L4 (`pg.ops.eblu.me`), no new operator needed |
|
||||
| **Redis** | Co-deployed in authentik namespace | Required for caching/sessions/task queue |
|
||||
| **Containers** | Nix-built (`dockerTools.buildLayeredImage`) | Supply chain control, consistent with Dex/ntfy pattern |
|
||||
| **Manifests** | Kustomize (no Helm) | Consistent with all other BlumeOps services |
|
||||
| **Networking** | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
|
||||
|
||||
## Open Questions
|
||||
## What Was Done
|
||||
|
||||
- ~~**nixpkgs:** Verify `pkgs.authentik` exists.~~ **Resolved:** exists at v2025.10.1, entrypoint is `ak` (bash wrapper). See [[build-authentik-container]].
|
||||
- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail needs a new pattern (Dex has no metrics collection today).
|
||||
- **Dex decommission:** Separate effort after all OIDC clients migrate to Authentik.
|
||||
1. Built Nix container image (`v1.1.0-nix`) — `pkgs.authentik` + `coreutils` + `bashInteractive`
|
||||
2. Created 1Password item "Authentik (blumeops)" with secret key and DB credentials
|
||||
3. Provisioned `authentik` database and CNPG managed role on `blumeops-pg`
|
||||
4. Deployed to ringtail k3s: server, worker, Redis (3 deployments)
|
||||
5. ExternalSecret pulls config from 1Password
|
||||
6. Tailscale Ingress at `authentik.tail8d86e.ts.net`
|
||||
7. Caddy reverse proxy at `authentik.ops.eblu.me`
|
||||
|
||||
## URLs
|
||||
|
||||
- **Admin:** https://authentik.ops.eblu.me/if/admin/
|
||||
- **Tailscale:** https://authentik.tail8d86e.ts.net
|
||||
|
||||
## Remaining Work
|
||||
|
||||
- **Initial setup:** Complete first-run wizard (create admin account)
|
||||
- **Forgejo connector:** Configure OAuth2 source for Forgejo federation
|
||||
- **Client migration:** Move Grafana (and future services) from Dex to Authentik
|
||||
- **Cross-cluster metrics:** Prometheus on indri scraping authentik on ringtail
|
||||
- **Dex decommission:** Separate effort after all OIDC clients migrate
|
||||
- **Redis image:** Replace upstream `redis:7-alpine` with Nix-built container
|
||||
|
||||
## Related
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue