ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(infra): deploy Authentik (auth.dezky.eu) + global HTTP→HTTPS redirect
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details

Browse Source 
- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config:
  external DB/Redis, error-reporting off, update-check off, bootstrap admin),
  via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at
  https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden).
- Traefik HelmChartConfig: global :80 -> :443 (308) redirect via
  additionalArguments (to=:443, HTTP-01-safe).
- RUNBOOK updated.

Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with
prod URLs) + the cosmetic "Powered by Dezky" rebrand.
This commit is contained in:
Ronni Baslund
2026-06-08 19:00:07 +02:00
parent 153d7053ca
commit 406e2ca78b
6 changed files with 231 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/production/fleet/authentik/secret.example.yaml
+29
View File
@@ -0,0 +1,29 @@
# Authentik secrets — template. Generate + apply OUT-OF-BAND, store in Bitwarden.
# The DB/Redis passwords MUST equal the ones in the dezky-data secrets
# (postgres-secret.AUTHENTIK_DB_PASSWORD and redis-secret.REDIS_PASSWORD), so the
# create command below reads them back rather than inventing new ones:
#
# ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
# RDB=$(kubectl -n dezky-data get secret redis-secret -o jsonpath='{.data.REDIS_PASSWORD}' | base64 -d)
# kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
# kubectl -n dezky-auth create secret generic authentik-secret \
# --from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
# --from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
# --from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
# --from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
# --from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
#
# AUTHENTIK_BOOTSTRAP_PASSWORD = first login for `akadmin` at https://auth.dezky.eu
# AUTHENTIK_BOOTSTRAP_TOKEN = used by platform-api/provisioning to call the API
apiVersion: v1
kind: Secret
metadata:
name: authentik-secret
namespace: dezky-auth
type: Opaque
stringData:
AUTHENTIK_SECRET_KEY: REPLACE_openssl_rand_hex_50
AUTHENTIK_POSTGRESQL__PASSWORD: REPLACE_match_dezky-data_AUTHENTIK_DB_PASSWORD
AUTHENTIK_REDIS__PASSWORD: REPLACE_match_dezky-data_REDIS_PASSWORD
AUTHENTIK_BOOTSTRAP_PASSWORD: REPLACE_openssl_rand_hex_16
AUTHENTIK_BOOTSTRAP_TOKEN: REPLACE_openssl_rand_hex_32