apiVersion: secrets.infisical.com/v1beta1 kind: InfisicalStaticSecret metadata: name: authentik-secrets namespace: authentik spec: # Shared, read-only machine identity (no write grant, no PushSecret). # Source is the /authentik folder, 2 live keys: # AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies, # encrypts sensitive DB fields); lifted byte-identical. # POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres # (env POSTGRES_PASSWORD) AND server/worker # (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift. # The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is # intentionally NOT carried; it retires when the old secret is deleted. # Consumer secretKeyRef.key values already match these names -> passthrough. infisicalAuthRef: name: infisical-auth namespace: infisical-operator sources: - projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab" environmentSlug: prod secretPath: /authentik syncOptions: refreshInterval: 60s targets: - kind: Secret name: authentik-secrets-infisical # parallel name — old secret stays live until 3c namespace: authentik creationPolicy: Owner # key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim