31 lines
1 KiB
Markdown
31 lines
1 KiB
Markdown
---
|
|
title: Provision Authentik Database
|
|
modified: 2026-02-20
|
|
last-reviewed: 2026-02-25
|
|
tags:
|
|
- how-to
|
|
- authentik
|
|
- postgresql
|
|
---
|
|
|
|
# Provision Authentik Database
|
|
|
|
Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.
|
|
|
|
## What Was Done
|
|
|
|
1. Added `authentik` managed role to `blumeops-pg` CNPG cluster (`argocd/manifests/databases/blumeops-pg.yaml`) — non-superuser with `createdb` and `login`
|
|
2. Created ExternalSecret `blumeops-pg-authentik` pulling password from 1Password item "Authentik (blumeops)" field `postgresql-password`
|
|
3. Synced CNPG cluster — role reconciled with password set
|
|
4. Created `authentik` database owned by `authentik` user
|
|
5. Verified cross-cluster connectivity: ringtail pod → `pg.ops.eblu.me:5432` (Caddy L4)
|
|
|
|
## Resolved Questions
|
|
|
|
- **Hostname:** `pg.ops.eblu.me` via Caddy L4 plugin (not MagicDNS)
|
|
- **Permissions:** Non-superuser with `createdb` — Authentik manages its own schema via migrations
|
|
|
|
## Related
|
|
|
|
- [[deploy-authentik]] — Parent goal
|
|
- [[postgresql]] — CNPG cluster reference
|