Deploy Authentik identity provider (C2 Mikado) #227
2 changed files with 17 additions and 26 deletions
Complete provision-authentik-database and create-authentik-secrets leaf nodes
Both prerequisites for deploy-authentik are now satisfied:
- CNPG managed role + ExternalSecret for authentik DB user
- 1Password item "Authentik (blumeops)" with all required fields
- Database created and cross-cluster connectivity verified

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

commit cbf08a7bde
@ -1,6 +1,5 @@
---
title: Create Authentik Secrets
status: active
modified: 2026-02-20
tags:
- how-to
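Review bot: the frontmatter keeps `status: active` even though the commit message says this leaf node is complete; update the status to whatever value this vault uses for finished nodes, otherwise the Mikado tracking will still show the secrets task as open.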
@ -12,27 +11,22 @@ tags:

Create the 1Password item that the ExternalSecret references for Authentik configuration.

## Context
## What Was Done

Discovered while attempting [[deploy-authentik]]: the ExternalSecret references 1Password item "Authentik (blumeops)" which doesn't exist. Without it, the `authentik-config` Kubernetes secret won't be created and pods can't start.

## What to Do

1. Generate a random secret key for Authentik (`AUTHENTIK_SECRET_KEY`)
2. Create 1Password item "Authentik (blumeops)" in vault `blumeops` with fields:
- `secret-key`: random 50+ character string
- `postgresql-host`: Tailscale-accessible postgres hostname
1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
- `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
- `postgresql-host`: `pg.ops.eblu.me`
- `postgresql-port`: `5432`
- `postgresql-name`: `authentik`
- `postgresql-user`: `authentik`
- `postgresql-password`: the password from [[provision-authentik-database]]
3. Verify the ExternalSecret can resolve on ringtail's cluster
- `postgresql-password`: random 44-character base64 string
2. ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during [[provision-authentik-database]])

## Notes

- This partially depends on [[provision-authentik-database]] for the postgres password, but the 1Password item structure and secret key can be created independently.
- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.

## Related

- [[deploy-authentik]] — Parent goal
- [[provision-authentik-database]] — Source of database credentials
- [[provision-authentik-database]] — Database provisioning (uses `postgresql-password` field)
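Review bot: the Related section ends with two `[[provision-authentik-database]]` entries ("Source of database credentials" and "Database provisioning (uses `postgresql-password` field)"); if both are meant to stay, merge them into one entry, and likewise the field list should describe `postgresql-password` once (either "the password from [[provision-authentik-database]]" or "random 44-character base64 string", not both). The first Notes bullet ("This partially depends on ... can be created independently") still reads as pre-work planning; now that the section heading is "What Was Done", reword it in past tense or drop it. For the two secret-bearing fields, `secret-key` and `postgresql-password`, it is worth stating that they are stored as concealed (password-type) fields in the 1Password item rather than plain text fields, so they are not shown in the clear whenever the item is opened.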
@ -1,6 +1,5 @@
---
title: Provision Authentik Database
status: active
modified: 2026-02-20
tags:
- how-to
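Review bot: as in the other frontmatter hunk, `status: active` is left in place for a node the commit message declares complete; update it so the two leaf nodes are not still tracked as open.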
@ -12,20 +11,18 @@ tags:

Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.

## Context
## What Was Done

Discovered while attempting [[deploy-authentik]]: Authentik requires a PostgreSQL database, but no `authentik` database exists on `blumeops-pg`. The CNPG cluster runs on [[indri]] (minikube) and is reachable from [[ringtail]] via Tailscale at `blumeops-pg-rw.databases.svc:5432` or the Tailscale endpoint.
1. Added `authentik` managed role to `blumeops-pg` CNPG cluster (`argocd/manifests/databases/blumeops-pg.yaml`) — non-superuser with `createdb` and `login`
2. Created ExternalSecret `blumeops-pg-authentik` pulling password from 1Password item "Authentik (blumeops)" field `postgresql-password`
3. Synced CNPG cluster — role reconciled with password set
4. Created `authentik` database owned by `authentik` user
5. Verified cross-cluster connectivity: ringtail pod → `pg.ops.eblu.me:5432` (Caddy L4)

## What to Do
## Resolved Questions

1. Create database `authentik` and user `authentik` on the CNPG cluster
2. Store credentials in 1Password (part of the "Authentik (blumeops)" item)
3. Verify cross-cluster connectivity: ringtail pod → indri postgres via Tailscale

## Open Questions

- What Tailscale hostname does the CNPG cluster expose? Need to check if there's a Tailscale Ingress for postgres or if we need to use the MagicDNS name directly.
- Should the database user have limited permissions or superuser access?
- **Hostname:** `pg.ops.eblu.me` via Caddy L4 plugin (not MagicDNS)
- **Permissions:** Non-superuser with `createdb` — Authentik manages its own schema via migrations

## Related

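Review bot: the Permissions answer justifies `createdb` on the `authentik` role by saying Authentik manages its own schema via migrations, but migrations run inside the `authentik` database, which the role already owns (step 4); `createdb` instead lets the role create further databases on the shared `blumeops-pg` cluster, so consider dropping it from the managed role in `argocd/manifests/databases/blumeops-pg.yaml` and keeping only `login` plus database ownership. Step 5 and the Hostname answer say connectivity goes through `pg.ops.eblu.me:5432` on the Caddy L4 plugin rather than the Tailscale endpoint the Context section assumed; the page should record whether that listener is bound to the Tailscale interface only, so the exposure of the Postgres port is documented. The Related section at the end of the hunk is empty; add `[[deploy-authentik]]` and `[[create-authentik-secrets]]` to match the Related section of the companion note.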