Deploy Authentik identity provider (C2 Mikado) #227

Merged

eblume merged 23 commits from feature/deploy-authentik into main 2026-02-20 12:56:00 -08:00

Conversation 0 Commits 23 Files changed 46 +848 -395

eblume commented 2026-02-20 09:43:58 -08:00

Owner

Copy link

Summary

C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

Current Mikado State

• Goal: deploy-authentik (active)
• Leaf prerequisites:
  • build-authentik-container — Build Nix container image
  • provision-authentik-database — Create PostgreSQL database on CNPG cluster
  • create-authentik-secrets — Create 1Password item with credentials

Process refinements

• Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

Test plan

• mise run docs-mikado shows correct dependency chain
• Leaf nodes can be worked independently
• Container builds on ringtail
• Authentik starts and reaches healthy state
• Forgejo OAuth2 connector works

## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - **Goal:** `deploy-authentik` (active) - **Leaf prerequisites:** - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works

eblume added 2 commits 2026-02-20 09:43:59 -08:00

Mikado: identify three leaf prerequisites for Authentik deploy ... a79a33eeed

Attempted deployment fails on three independent blockers:
1. Container image doesn't exist (build-authentik-container)
2. PostgreSQL database doesn't exist (provision-authentik-database)
3. 1Password secrets don't exist (create-authentik-secrets)

Created cards for each and added requires to goal card.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Refine C2 Mikado method: failed attempt handling and early PRs ... 08ee70d6df

Lessons learned from first C2 attempt (deploy-authentik):
- When an attempt fails, reset code changes before committing cards
- Cherry-pick doc commits onto clean base if code/docs got mixed
- Open a PR early so the user can review the Mikado graph evolving

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 09:55:07 -08:00

Move Mikado cards to topic subdirectory, not plans/ ... fbf230b414

Mikado cards are discovered through failed attempts, not designed
upfront — they don't belong in plans/. Cards now live where they
topically belong (how-to/authentik/ for this chain). Updated
agent-change-process to document this convention.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 2 commits 2026-02-20 10:09:27 -08:00

Mikado: document build artifact and tag handling ... fdcb4d2ae3

Build artifacts (container images, git tags) are independent of branch
lifecycle and don't need to be deferred or reset during Mikado iterations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add Authentik container definition (Nix) ... ac94cf6c5d

Nix-built container using pkgs.authentik with ak entrypoint.
Includes bashInteractive (ak is a bash wrapper), cacert, tzdata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:14:21 -08:00

Complete build-authentik-container leaf node ... 8116d6294a

Image registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix built
via Nix on ringtail and verified in zot registry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:14:48 -08:00

Mikado: add push-after-every-iteration to git discipline ... cc9ed2f2de

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:20:36 -08:00

Add authentik database user and ExternalSecret ... bddce1a159

Add managed role for authentik user on blumeops-pg CNPG cluster,
with ExternalSecret pulling password from 1Password item
"Authentik (blumeops)".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:23:59 -08:00

Complete provision-authentik-database and create-authentik-secrets leaf nodes ... cbf08a7bde

Both prerequisites for deploy-authentik are now satisfied:
- CNPG managed role + ExternalSecret for authentik DB user
- 1Password item "Authentik (blumeops)" with all required fields
- Database created and cross-cluster connectivity verified

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:51:49 -08:00

Add Authentik deployment manifests and ArgoCD app ... 8016427a3c

Server, worker, Redis deployments targeting ringtail k3s cluster.
ExternalSecret pulls config from 1Password "Authentik (blumeops)".
Tailscale Ingress exposes at authentik.tail8d86e.ts.net.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:54:48 -08:00

Add coreutils to authentik container ... 41ee4161a9

The ak wrapper script requires mkdir (and likely other coreutils)
to create runtime directories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:56:39 -08:00

Bump authentik image to v1.1.0-nix (adds coreutils) ... d90c993c6d

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 10:59:30 -08:00

Add authentik.ops.eblu.me to Caddy reverse proxy ... 7300f72e18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 11:02:41 -08:00

Complete deploy-authentik goal — Authentik running on ringtail ... f144581ec2

Mikado chain complete: all three prerequisites resolved, Authentik
server/worker/Redis healthy on k3s, accessible at authentik.ops.eblu.me.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 11:19:39 -08:00

Mikado: add migrate-grafana-to-authentik prerequisite ... 4e3f7bead7

Authentik is deployed but no services use it yet. New leaf node
to migrate Grafana's OIDC from Dex to Authentik, then decommission Dex.
Goal card re-activated with new dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 11:47:32 -08:00

Migrate Grafana OIDC from Dex to Authentik ... 00e4dc46e3

- Add Authentik Blueprint (ConfigMap) defining Grafana OAuth2 provider,
  application, admins group, and policy binding
- Mount blueprint in worker, pass grafana client secret via env
- Switch Grafana auth.generic_oauth from Dex to Authentik endpoints
- Replace dex-oauth ExternalSecret with authentik-oauth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 11:55:31 -08:00

Mikado: document blueprint loading issue on Nix container ... 9417bdb451

Nix-built authentik hardcodes blueprints_dir to the Nix store path.
Custom blueprints at /blueprints/custom/ are not discovered.
Need to override AUTHENTIK_BLUEPRINTS_DIR or patch the container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:09:25 -08:00

Fix blueprint loading: create /blueprints symlink dir in container ... b99c655c47

The nixpkgs authentik-django package hardcodes blueprints_dir to its
Nix store path, making custom blueprints mounted at /blueprints/custom
invisible to the discovery system. Add extraCommands to create a
/blueprints directory with symlinks to the built-in blueprint dirs,
and set AUTHENTIK_BLUEPRINTS_DIR=/blueprints so authentik scans the
unified directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:11:51 -08:00

Bump authentik image to v1.1.1-nix (blueprint path fix) ... 746435a905

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:16:17 -08:00

Fix blueprint symlinks: use runtime entrypoint wrapper ... 3e3fe0b2eb

extraCommands in buildLayeredImage can't access store paths from
contents (they're in separate layers), so the glob matched nothing.
Instead, create a wrapper entrypoint that symlinks built-in blueprint
dirs from the Nix store into /blueprints at container start. The
directory is created world-writable so user 65534 can create links.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:16:41 -08:00

Bump authentik image to v1.1.2-nix (entrypoint blueprint fix) ... b3f30fd947

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:22:06 -08:00

Fix blueprint !Env tag: use scalar not sequence ... 25d43aa743

!Env expects a bare string (e.g. !Env FOO), not a YAML sequence
(!Env [FOO]). The list form caused IndexError during blueprint
discovery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-20 12:53:05 -08:00

Decommission Dex: remove all references, replace with Authentik ... 7ac7c6a3e5

- Delete dex manifests, ArgoCD app, container build, and reference doc
- Remove dex from Caddy reverse proxy config
- Create authentik.md reference doc
- Rewrite federated-login.md for Authentik architecture
- Update grafana, forgejo, ringtail, harden-zot-registry docs
- Update services-check: replace dex health/pod checks with authentik
- Fix all broken [[dex]] wiki-links

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume merged commit 71cb256527 into main 2026-02-20 12:56:00 -08:00

eblume referenced this pull request from a commit 2026-02-20 12:56:02 -08:00

Deploy Authentik identity provider (C2 Mikado) (#227)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

eblume/blumeops!227

No description provided.