authentik: add InfisicalStaticSecret for authentik-secrets (centralize SSO secret)
Out-of-band Secret -> Infisical homelab/prod /authentik. Parallel-name target authentik-secrets-infisical (Owner), passthrough of the 2 LIVE keys (AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD). The dead orphan key AUTHENTIK_POSTGRESQL__PASSWORD is intentionally dropped. Old secret stays live until decommission. Applied via kubectl (not ArgoCD-managed). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,31 @@
|
|||||||
|
apiVersion: secrets.infisical.com/v1beta1
|
||||||
|
kind: InfisicalStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: authentik-secrets
|
||||||
|
namespace: authentik
|
||||||
|
spec:
|
||||||
|
# Shared, read-only machine identity (no write grant, no PushSecret).
|
||||||
|
# Source is the /authentik folder, 2 live keys:
|
||||||
|
# AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies,
|
||||||
|
# encrypts sensitive DB fields); lifted byte-identical.
|
||||||
|
# POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres
|
||||||
|
# (env POSTGRES_PASSWORD) AND server/worker
|
||||||
|
# (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift.
|
||||||
|
# The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is
|
||||||
|
# intentionally NOT carried; it retires when the old secret is deleted.
|
||||||
|
# Consumer secretKeyRef.key values already match these names -> passthrough.
|
||||||
|
infisicalAuthRef:
|
||||||
|
name: infisical-auth
|
||||||
|
namespace: infisical-operator
|
||||||
|
sources:
|
||||||
|
- projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab"
|
||||||
|
environmentSlug: prod
|
||||||
|
secretPath: /authentik
|
||||||
|
syncOptions:
|
||||||
|
refreshInterval: 60s
|
||||||
|
targets:
|
||||||
|
- kind: Secret
|
||||||
|
name: authentik-secrets-infisical # parallel name — old secret stays live until 3c
|
||||||
|
namespace: authentik
|
||||||
|
creationPolicy: Owner
|
||||||
|
# key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim
|
||||||
Reference in New Issue
Block a user