Erich Blume
fdb7fe0bfa
The 1Password item has grown since this card was written with OIDC client secrets and an API token from subsequent service integrations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.4 KiB
1.4 KiB
| title | modified | last-reviewed | tags | |||
|---|---|---|---|---|---|---|
| Create Authentik Secrets | 2026-02-22 | 2026-02-22 |
|
Create Authentik Secrets
Create the 1Password item that the ExternalSecret references for Authentik configuration.
What Was Done
- Created 1Password item "Authentik (blumeops)" in vault
blumeops(category: database) with fields:secret-key: random 68-character base64 string (forAUTHENTIK_SECRET_KEY)postgresql-host:pg.ops.eblu.mepostgresql-port:5432postgresql-name:authentikpostgresql-user:authentikpostgresql-password: random 44-character base64 string
- ExternalSecret
blumeops-pg-authentikin databases namespace resolves successfully (verified during provision-authentik-database)
Notes
- The database password in this 1Password item is the same one used by the CNPG managed role via
external-secret-authentik.yaml. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields. - The 1Password item has since grown with OIDC client secrets (
grafana-client-secret,forgejo-client-secret,zot-client-secret,jellyfin-client-secret) and anapi-tokenfield, added during subsequent service integrations.
Related
- deploy-authentik — Parent goal
- provision-authentik-database — Database provisioning (uses
postgresql-passwordfield)