Erich Blume
71cb256527
## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - **Goal:** `deploy-authentik` (active) - **Leaf prerequisites:** - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
28 lines
683 B
YAML
28 lines
683 B
YAML
# ExternalSecret for Authentik database user password
|
|
#
|
|
# 1Password item: "Authentik (blumeops)" in blumeops vault
|
|
# Field: "postgresql-password"
|
|
#
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: blumeops-pg-authentik
|
|
namespace: databases
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: blumeops-pg-authentik
|
|
creationPolicy: Owner
|
|
template:
|
|
type: kubernetes.io/basic-auth
|
|
data:
|
|
username: authentik
|
|
password: "{{ .password }}"
|
|
data:
|
|
- secretKey: password
|
|
remoteRef:
|
|
key: Authentik (blumeops)
|
|
property: postgresql-password
|