authentik: add InfisicalStaticSecret for authentik-secrets (centralize SSO secret)
Out-of-band Secret -> Infisical homelab/prod /authentik. Parallel-name target authentik-secrets-infisical (Owner), passthrough of the 2 LIVE keys (AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD). The dead orphan key AUTHENTIK_POSTGRESQL__PASSWORD is intentionally dropped. Old secret stays live until decommission. Applied via kubectl (not ArgoCD-managed). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,31 @@
|
||||
apiVersion: secrets.infisical.com/v1beta1
|
||||
kind: InfisicalStaticSecret
|
||||
metadata:
|
||||
name: authentik-secrets
|
||||
namespace: authentik
|
||||
spec:
|
||||
# Shared, read-only machine identity (no write grant, no PushSecret).
|
||||
# Source is the /authentik folder, 2 live keys:
|
||||
# AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies,
|
||||
# encrypts sensitive DB fields); lifted byte-identical.
|
||||
# POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres
|
||||
# (env POSTGRES_PASSWORD) AND server/worker
|
||||
# (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift.
|
||||
# The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is
|
||||
# intentionally NOT carried; it retires when the old secret is deleted.
|
||||
# Consumer secretKeyRef.key values already match these names -> passthrough.
|
||||
infisicalAuthRef:
|
||||
name: infisical-auth
|
||||
namespace: infisical-operator
|
||||
sources:
|
||||
- projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab"
|
||||
environmentSlug: prod
|
||||
secretPath: /authentik
|
||||
syncOptions:
|
||||
refreshInterval: 60s
|
||||
targets:
|
||||
- kind: Secret
|
||||
name: authentik-secrets-infisical # parallel name — old secret stays live until 3c
|
||||
namespace: authentik
|
||||
creationPolicy: Owner
|
||||
# key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim
|
||||
Reference in New Issue
Block a user