## Summary

- Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs
- `agent-change-process.md`: accurate, no content changes
- `build-authentik-container.md`: accurate, container image verified in registry
- `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written

## Changelog

- `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243
| title | modified | last-reviewed | tags |
|---|---|---|---|
| Create Authentik Secrets | 2026-02-22 | 2026-02-22 | |
Create Authentik Secrets
Create the 1Password item that the ExternalSecret references for Authentik configuration.
What Was Done
- Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
  - `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
  - `postgresql-host`: `pg.ops.eblu.me`
  - `postgresql-port`: `5432`
  - `postgresql-name`: `authentik`
  - `postgresql-user`: `authentik`
  - `postgresql-password`: random 44-character base64 string
- ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during provision-authentik-database)
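One way to produce the two random fields listed above with the stated lengths, as an added example that is not part of the original card or the blumeops repository. The generator (`openssl`, with `/dev/urandom` and `base64` as a fallback) is an assumption, since the card does not say which tool was used, and the function names `gen_b64`, `check_b64` and `report_fields` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the blumeops repository. The generator (openssl, or
# /dev/urandom + base64 as a fallback) is an assumption; the card names no tool.

# gen_b64 CHARS: print exactly CHARS base64 characters from the system CSPRNG.
gen_b64() {
    local chars=$1 bytes
    if [ $((chars % 4)) -ne 0 ]; then
        echo "gen_b64: length must be a multiple of 4" >&2
        return 1
    fi
    bytes=$((chars / 4 * 3))   # 68 chars <- 51 bytes, 44 chars <- 33 bytes
    # openssl wraps base64 output at 64 columns (GNU base64 at 76), which would
    # put a newline inside a 68-character value; strip it before storing.
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$bytes" | tr -d '\n'
    else
        head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
    fi
}

# check_b64 VALUE CHARS: succeed only if VALUE is CHARS long and pure base64.
# Catches a failed generator too, since the pipeline above reports tr's status.
check_b64() {
    local value=$1 chars=$2
    [ "${#value}" -eq "$chars" ] || return 1
    case $value in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# report_fields: generate both fields and print only their names and lengths,
# so the secret values never reach the terminal or shell history.
report_fields() {
    local secret_key pg_password
    secret_key=$(gen_b64 68) && check_b64 "$secret_key" 68 || return 1
    pg_password=$(gen_b64 44) && check_b64 "$pg_password" 44 || return 1
    printf 'secret-key: %d chars\n' "${#secret_key}"
    printf 'postgresql-password: %d chars\n' "${#pg_password}"
}

report_fields
```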
Notes
- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
- The 1Password item has since grown with OIDC client secrets (`grafana-client-secret`, `forgejo-client-secret`, `zot-client-secret`, `jellyfin-client-secret`) and an `api-token` field, added during subsequent service integrations.
Related
- deploy-authentik — Parent goal
- provision-authentik-database — Database provisioning (uses `postgresql-password` field)