blumeops/docs/how-to/authentik/create-authentik-secrets.md
Erich Blume c427f04ec4 Review 3 docs: agent-change-process, build-authentik-container, create-authentik-secrets (#243)
## Summary
- Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs
- `agent-change-process.md`: accurate, no content changes
- `build-authentik-container.md`: accurate, container image verified in registry
- `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written

## Changelog
- `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243
2026-02-22 09:12:31 -08:00


---
title: Create Authentik Secrets
modified: 2026-02-22
last-reviewed: 2026-02-22
tags:
- how-to
- authentik
- secrets
---
# Create Authentik Secrets

Create the 1Password item that the ExternalSecret references for Authentik configuration.

## What Was Done

1. Created 1Password item "Authentik (blumeops)" in vault `blumeops` (category: database) with fields:
   - `secret-key`: random 68-character base64 string (for `AUTHENTIK_SECRET_KEY`)
   - `postgresql-host`: `pg.ops.eblu.me`
   - `postgresql-port`: `5432`
   - `postgresql-name`: `authentik`
   - `postgresql-user`: `authentik`
   - `postgresql-password`: random 44-character base64 string
2. ExternalSecret `blumeops-pg-authentik` in databases namespace resolves successfully (verified during [[provision-authentik-database]])
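
One way to produce an item with the fields listed above, as an added example that is not from the blumeops repository. It assumes the 1Password CLI (`op`) is installed and signed in; the byte counts (51 and 32) are assumptions chosen to yield 68- and 44-character base64 strings, and `gen_b64` and `create_authentik_item` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the blumeops repo).
set -eu

# Print N random bytes from the kernel CSPRNG as one line of base64.
gen_b64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Assumed byte counts: 51 bytes -> 68 base64 chars (no padding),
# 32 bytes -> 44 base64 chars (one '=' of padding).
SECRET_KEY_BYTES=51
PG_PASSWORD_BYTES=32

# Create the item with the field names listed in "What Was Done".
create_authentik_item() {
    secret_key=$(gen_b64 "$SECRET_KEY_BYTES")
    pg_password=$(gen_b64 "$PG_PASSWORD_BYTES")
    # Assignment arguments are visible in the process list while op runs;
    # 1Password's documentation recommends an item template for sensitive
    # values on shared hosts.
    op item create \
        --vault blumeops \
        --category database \
        --title "Authentik (blumeops)" \
        "secret-key[password]=$secret_key" \
        "postgresql-host[text]=pg.ops.eblu.me" \
        "postgresql-port[text]=5432" \
        "postgresql-name[text]=authentik" \
        "postgresql-user[text]=authentik" \
        "postgresql-password[password]=$pg_password"
    # Drop the generated values from the shell once they are stored.
    unset secret_key pg_password
}

# Only contact 1Password when explicitly asked to.
if [ "${1:-}" = "--create" ]; then
    create_authentik_item
fi
```
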

## Notes

- The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
- The 1Password item has since grown with OIDC client secrets (`grafana-client-secret`, `forgejo-client-secret`, `zot-client-secret`, `jellyfin-client-secret`) and an `api-token` field, added during subsequent service integrations.

## Related

- [[deploy-authentik]] — Parent goal
- [[provision-authentik-database]] — Database provisioning (uses `postgresql-password` field)