Erich Blume cbf08a7bde Complete provision-authentik-database and create-authentik-secrets leaf nodes

Both prerequisites for deploy-authentik are now satisfied:
- CNPG managed role + ExternalSecret for authentik DB user
- 1Password item "Authentik (blumeops)" with all required fields
- Database created and cross-cluster connectivity verified

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-20 10:23:48 -08:00

1 KiB

Raw Blame History

title

modified

Provision Authentik Database

Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.

What Was Done

Added authentik managed role to blumeops-pg CNPG cluster (argocd/manifests/databases/blumeops-pg.yaml) — non-superuser with createdb and login
Created ExternalSecret blumeops-pg-authentik pulling password from 1Password item "Authentik (blumeops)" field postgresql-password
Synced CNPG cluster — role reconciled with password set
Created authentik database owned by authentik user
Verified cross-cluster connectivity: ringtail pod → pg.ops.eblu.me:5432 (Caddy L4)

Resolved Questions

Hostname: pg.ops.eblu.me via Caddy L4 plugin (not MagicDNS)
Permissions: Non-superuser with createdb — Authentik manages its own schema via migrations

deploy-authentik — Parent goal
postgresql — CNPG cluster reference

1 KiB Raw Blame History

Provision Authentik Database

What Was Done

Resolved Questions

Related

1 KiB

Raw Blame History