authentik: add InfisicalStaticSecret for authentik-secrets (centralize SSO secret)

Out-of-band Secret -> Infisical homelab/prod /authentik. Parallel-name target
authentik-secrets-infisical (Owner), passthrough of the 2 LIVE keys
(AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD). The dead orphan key
AUTHENTIK_POSTGRESQL__PASSWORD is intentionally dropped. Old secret stays live
until decommission. Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-22 11:14:18 +00:00
co-authored by Claude Opus 4.8
parent 74c00cc7b7
commit 26871ef0c3
@@ -0,0 +1,31 @@
apiVersion: secrets.infisical.com/v1beta1
kind: InfisicalStaticSecret
metadata:
name: authentik-secrets
namespace: authentik
spec:
# Shared, read-only machine identity (no write grant, no PushSecret).
# Source is the /authentik folder, 2 live keys:
# AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies,
# encrypts sensitive DB fields); lifted byte-identical.
# POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres
# (env POSTGRES_PASSWORD) AND server/worker
# (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift.
# The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is
# intentionally NOT carried; it retires when the old secret is deleted.
# Consumer secretKeyRef.key values already match these names -> passthrough.
infisicalAuthRef:
name: infisical-auth
namespace: infisical-operator
sources:
- projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab"
environmentSlug: prod
secretPath: /authentik
syncOptions:
refreshInterval: 60s
targets:
- kind: Secret
name: authentik-secrets-infisical # parallel name — old secret stays live until 3c
namespace: authentik
creationPolicy: Owner
# key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim