blumeops/docs/how-to/plans/deploy-authentik.md
Erich Blume d790a38ebb Convert deploy-authentik plan to C2 Mikado chain entry point
Strip detailed phase instructions, retain architecture decisions and
open questions. Add status: active frontmatter for Mikado tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 08:21:28 -08:00


---
title: Deploy Authentik Identity Provider
status: active
modified: 2026-02-20
tags:
  - how-to
  - plans
  - authentik
  - security
  - oidc
---

# Deploy Authentik Identity Provider

Replace Dex with Authentik as the SSO identity provider. Authentik adds central user/group management, multi-protocol support (OIDC, SAML, LDAP), self-service flows, and an admin UI, none of which Dex provides. Forgejo remains the upstream identity source, connected through an OAuth2 connector.

## Architecture Decisions

| Decision | Choice | Rationale |
|---|---|---|
| Cluster | ringtail (k3s) | IdP stays independent of the main services cluster, same as Dex |
| Database | CNPG `blumeops-pg` on indri | Cross-cluster via Tailscale; no new operator needed |
| Redis | Co-deployed in the `authentik` namespace | Required for caching, sessions and the task queue |
| Containers | Nix-built (`dockerTools.buildLayeredImage`) | Supply-chain control, consistent with the Dex/ntfy pattern |
| Manifests | Kustomize (no Helm) | Consistent with all other BlumeOps services |
| Networking | Tailscale Ingress + Caddy reverse proxy | Same pattern as Dex |
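The "Containers" row is the decision with the most security weight, so here is an added sketch of what that image build looks like in the `dockerTools.buildLayeredImage` style the table refers to. This is illustrative code written for this plan, not BlumeOps' existing Dex/ntfy expression, and it assumes things the plan has not yet confirmed: that `pkgs.authentik` exists in the pinned nixpkgs and ships an `ak` launcher, and that the image name, tag, uid and port are free choices. Database and Redis settings are deliberately absent from the image; they arrive at runtime from the Kustomize manifests, so no connection string or secret is baked into a layer.

```nix
# Added example, not BlumeOps code: an Authentik image built from the pinned
# nixpkgs instead of pulled from an upstream registry. Everything in the image
# comes from `contents`, so the SBOM is the Nix closure and rebuilds are
# reproducible from the flake lock.
# Assumptions (unconfirmed by the plan): pkgs.authentik exists and provides
# bin/ak; name/tag, uid 1000 and port 9000 are illustrative.
{ pkgs, ... }:

let
  authentik = pkgs.authentik;

  # Minimal passwd/group so the process runs unprivileged. No shell, no
  # package manager and no busybox end up in the image.
  etc = pkgs.runCommand "authentik-etc" { } ''
    mkdir -p $out/etc
    echo "authentik:x:1000:1000::/var/lib/authentik:/sbin/nologin" > $out/etc/passwd
    echo "authentik:x:1000:" > $out/etc/group
  '';
in
pkgs.dockerTools.buildLayeredImage {
  name = "blumeops/authentik";   # illustrative name
  tag = authentik.version;       # tag tracks the nixpkgs package version

  contents = [
    authentik
    etc
    pkgs.cacert   # TLS roots, needed to reach Forgejo over HTTPS
    pkgs.tzdata
  ];

  # Large, rarely-changing store paths land in their own layers, so a
  # config-only rebuild pushes just the top layer to the registry.
  maxLayers = 64;

  # Writable state and temp directories; the rest of the root stays read-only.
  extraCommands = ''
    mkdir -p var/lib/authentik tmp
    chmod 1777 tmp
  '';

  config = {
    User = "1000:1000";
    WorkingDir = "/var/lib/authentik";
    Cmd = [ "${authentik}/bin/ak" "server" ];   # assumed launcher
    Env = [
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "AUTHENTIK_LISTEN__HTTP=0.0.0.0:9000"
    ];
    ExposedPorts = { "9000/tcp" = { }; };
  };
}
```

The first open question below is answered by the same expression: `nix eval --raw nixpkgs#authentik.version` against the locked nixpkgs either prints a version or fails, which tells you up front whether this file builds or whether a from-source package has to come first.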

## Open Questions

- nixpkgs: Verify that `pkgs.authentik` exists in the pinned nixpkgs. If it does not, packaging Authentik from source is a significant sub-task of its own.
- Cross-cluster metrics: Prometheus on indri scraping Authentik on ringtail needs a new pattern; Dex has no metrics collection today, so there is nothing existing to copy.
- Dex decommission: A separate effort, started only after every OIDC client has migrated to Authentik.