Erich Blume
86317315ed
Now that argocd's Authentik OAuth2 client is public (PKCE-only), the client_secret plumbing is dead code: - delete argocd-oidc-authentik ExternalSecret and drop it from kustomization - remove AUTHENTIK_ARGOCD_CLIENT_SECRET env from authentik-worker - remove argocd-client-secret mapping from authentik-config ExternalSecret The argocd-client-secret field in the 1Password "Authentik (blumeops)" item is now unreferenced and can be deleted there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
102 lines
3.2 KiB
YAML
102 lines
3.2 KiB
YAML
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: authentik-worker
|
|
namespace: authentik
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: authentik
|
|
component: worker
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: authentik
|
|
component: worker
|
|
spec:
|
|
containers:
|
|
- name: worker
|
|
image: registry.ops.eblu.me/blumeops/authentik:kustomized
|
|
args: ["worker"]
|
|
env:
|
|
- name: AUTHENTIK_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: secret-key
|
|
- name: AUTHENTIK_POSTGRESQL__HOST
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: postgresql-host
|
|
- name: AUTHENTIK_POSTGRESQL__PORT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: postgresql-port
|
|
- name: AUTHENTIK_POSTGRESQL__NAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: postgresql-name
|
|
- name: AUTHENTIK_POSTGRESQL__USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: postgresql-user
|
|
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: postgresql-password
|
|
- name: AUTHENTIK_REDIS__HOST
|
|
value: authentik-redis
|
|
- name: AUTHENTIK_WORKER_CONCURRENCY
|
|
value: "2"
|
|
- name: AUTHENTIK_GRAFANA_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: grafana-client-secret
|
|
- name: AUTHENTIK_FORGEJO_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: forgejo-client-secret
|
|
- name: AUTHENTIK_ZOT_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: zot-client-secret
|
|
- name: AUTHENTIK_JELLYFIN_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: jellyfin-client-secret
|
|
- name: AUTHENTIK_MEALIE_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: mealie-client-secret
|
|
- name: AUTHENTIK_PAPERLESS_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: authentik-config
|
|
key: paperless-client-secret
|
|
volumeMounts:
|
|
- name: blueprints
|
|
mountPath: /blueprints/custom
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
memory: "512Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "2Gi"
|
|
cpu: "1000m"
|
|
volumes:
|
|
- name: blueprints
|
|
configMap:
|
|
name: authentik-blueprints
|