Files
k8s-manifests/authentik/infisical-authentik-secrets.yaml
T
chemavxandClaude Opus 4.8 26871ef0c3 authentik: add InfisicalStaticSecret for authentik-secrets (centralize SSO secret)
Out-of-band Secret -> Infisical homelab/prod /authentik. Parallel-name target
authentik-secrets-infisical (Owner), passthrough of the 2 LIVE keys
(AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD). The dead orphan key
AUTHENTIK_POSTGRESQL__PASSWORD is intentionally dropped. Old secret stays live
until decommission. Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:14:18 +00:00

32 lines
1.4 KiB
YAML

apiVersion: secrets.infisical.com/v1beta1
kind: InfisicalStaticSecret
metadata:
name: authentik-secrets
namespace: authentik
spec:
# Shared, read-only machine identity (no write grant, no PushSecret).
# Source is the /authentik folder, 2 live keys:
# AUTHENTIK_SECRET_KEY - authentik's crypto root (signs sessions/cookies,
# encrypts sensitive DB fields); lifted byte-identical.
# POSTGRES_PASSWORD - the SINGLE DB-password key; feeds BOTH postgres
# (env POSTGRES_PASSWORD) AND server/worker
# (env AUTHENTIK_POSTGRESQL__PASSWORD) -> cannot drift.
# The old secret's dead 3rd key (AUTHENTIK_POSTGRESQL__PASSWORD, orphan) is
# intentionally NOT carried; it retires when the old secret is deleted.
# Consumer secretKeyRef.key values already match these names -> passthrough.
infisicalAuthRef:
name: infisical-auth
namespace: infisical-operator
sources:
- projectId: 17e98e9d-70f5-43d1-8382-7da818dfcdd0 # project "homelab"
environmentSlug: prod
secretPath: /authentik
syncOptions:
refreshInterval: 60s
targets:
- kind: Secret
name: authentik-secrets-infisical # parallel name — old secret stays live until 3c
namespace: authentik
creationPolicy: Owner
# key passthrough: synced Secret carries AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD verbatim