blumeops/docs/how-to/authentik/create-authentik-secrets.md
Erich Blume 71cb256527 Deploy Authentik identity provider (C2 Mikado) (#227)
## Summary
C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex.

This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved.

## Current Mikado State
- **Goal:** `deploy-authentik` (active)
- **Leaf prerequisites:**
  - `build-authentik-container` — Build Nix container image
  - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster
  - `create-authentik-secrets` — Create 1Password item with credentials

## Process refinements
- Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early

## Test plan
- [ ] `mise run docs-mikado` shows correct dependency chain
- [ ] Leaf nodes can be worked independently
- [ ] Container builds on ringtail
- [ ] Authentik starts and reaches healthy state
- [ ] Forgejo OAuth2 connector works

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227
2026-02-20 12:55:59 -08:00


---
title: Create Authentik Secrets
modified: 2026-02-20
tags:
  - how-to
  - authentik
  - secrets
---

# Create Authentik Secrets

Create the 1Password item that the ExternalSecret references for Authentik configuration.

## What Was Done

1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
   - `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
   - `postgresql-host`: `pg.ops.eblu.me`
   - `postgresql-port`: `5432`
   - `postgresql-name`: `authentik`
   - `postgresql-user`: `authentik`
   - `postgresql-password`: random 44-character base64 string
2. ExternalSecret `blumeops-pg-authentik` in the `databases` namespace resolves successfully (verified during `provision-authentik-database`)

## Notes

- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
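The item layout from "What Was Done" and the shared-item, different-fields arrangement from the Notes, as an added Python example (not the project's own tooling). It generates values of the sizes stated above, builds the `op item create` command, and checks which fields a consumer would fail to resolve; the exact field split per ExternalSecret and the `op` invocation are assumptions.

```python
import base64
import secrets
import shlex

# Item and vault named on this page.
ITEM_TITLE = "Authentik (blumeops)"
VAULT = "blumeops"
REQUIRED_FIELDS = (
    "secret-key", "postgresql-host", "postgresql-port",
    "postgresql-name", "postgresql-user", "postgresql-password",
)
# Assumed split: the CNPG role only needs credentials, the deployment needs everything.
DATABASE_FIELDS = ("postgresql-user", "postgresql-password")
AUTHENTIK_FIELDS = REQUIRED_FIELDS
SECRET_FIELDS = {"secret-key", "postgresql-password"}


def random_base64(length: int) -> str:
    """Standard base64 of exactly `length` chars: 44 -> 33 random bytes, 68 -> 51 bytes."""
    if length % 4:
        raise ValueError("base64 length must be a multiple of 4")
    return base64.b64encode(secrets.token_bytes(length * 3 // 4)).decode()


def build_item_fields() -> dict[str, str]:
    """Field set of the 1Password item, with fresh random secrets."""
    return {
        "secret-key": random_base64(68),          # AUTHENTIK_SECRET_KEY
        "postgresql-host": "pg.ops.eblu.me",
        "postgresql-port": "5432",
        "postgresql-name": "authentik",
        "postgresql-user": "authentik",
        "postgresql-password": random_base64(44),
    }


def op_create_command(fields: dict[str, str]) -> str:
    """Shell command for the 1Password CLI; secrets get the password field type (assumed usage)."""
    args = ["op", "item", "create", "--category", "database",
            "--vault", VAULT, "--title", ITEM_TITLE]
    for name, value in fields.items():
        kind = "password" if name in SECRET_FIELDS else "text"
        args.append(f"{name}[{kind}]={value}")
    return shlex.join(args)


def missing_fields(item_fields: dict[str, str], needed=REQUIRED_FIELDS) -> list[str]:
    """Fields an ExternalSecret consumer would fail to resolve: absent or empty."""
    return [f for f in needed if not item_fields.get(f)]
```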