diff --git a/authentik/infisical-authentik-secrets.yaml b/authentik/infisical-authentik-secrets.yaml new file mode 100644 index 0000000..ef5a150 --- /dev/null +++ b/authentik/infisical-authentik-secrets.yaml @@ -0,0 +1,31 @@ +apiVersion: secrets.infisical.com/v1beta1 +kind: InfisicalStaticSecret +metadata: + name: authentik-secrets + namespace: authentik +spec: + # Shared, read-only machine identity (no write grant, no PushSecret). + # Source is the /authentik folder, 2 live keys: + # AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies, + # encrypts sensitive DB fields); lifted byte-identical. + # POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres + # (env POSTGRES_PASSWORD) AND server/worker + # (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift. + # The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is + # intentionally NOT carried; it retires when the old secret is deleted. + # Consumer secretKeyRef.key values already match these names -> passthrough. + infisicalAuthRef: + name: infisical-auth + namespace: infisical-operator + sources: + - projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab" + environmentSlug: prod + secretPath: /authentik + syncOptions: + refreshInterval: 60s + targets: + - kind: Secret + name: authentik-secrets-infisical # parallel name — old secret stays live until 3c + namespace: authentik + creationPolicy: Owner + # key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim