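# Authentik secrets — template. Generate + apply OUT-OF-BAND, store in Bitwarden.
# Do not `kubectl apply` this file as-is, and keep it out of any kustomization /
# GitOps sync path: applying it would replace the live secret with the
# REPLACE_* placeholders below (known values for the secret key and admin login).
#
# The DB/Redis passwords MUST equal the ones in the dezky-data secrets
# (postgres-secret.AUTHENTIK_DB_PASSWORD and redis-secret.REDIS_PASSWORD), so the
# create command below reads them back rather than inventing new ones:
#
#   ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
#   RDB=$(kubectl -n dezky-data get secret redis-secret -o jsonpath='{.data.REDIS_PASSWORD}' | base64 -d)
#   # A failed read-back (missing secret/key, no RBAC) leaves the variable empty
#   # and would create the secret with an empty password — check before going on.
#   [ -n "$ADB" ] && [ -n "$RDB" ] || echo "STOP: empty DB/Redis read-back, do not continue" >&2
#   kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
#   kubectl -n dezky-auth create secret generic authentik-secret \
#     --from-literal=AUTHENTIK_SECRET_KEY="$(openssl rand -hex 50)" \
#     --from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
#     --from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
#     --from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD="$(openssl rand -hex 16)" \
#     --from-literal=AUTHENTIK_BOOTSTRAP_TOKEN="$(openssl rand -hex 32)"
#   unset ADB RDB
#
# --from-literal puts the expanded values on the kubectl command line, where they
# are visible in the local process list while the command runs; run this from a
# trusted admin workstation only. The generated values are not printed — read
# them back from authentik-secret (same jsonpath + base64 -d pattern as above)
# to store them in Bitwarden.
#
# AUTHENTIK_BOOTSTRAP_PASSWORD = first login for `akadmin` at https://auth.dezky.eu
# AUTHENTIK_BOOTSTRAP_TOKEN    = used by platform-api/provisioning to call the API
#
# Both AUTHENTIK_BOOTSTRAP_* values are only read by authentik on first startup;
# changing them in the secret later does not rotate the password or the token.
# The bootstrap token is created for `akadmin`, so it carries that user's API
# privileges: restrict who can read this secret, and change the akadmin password
# after first login.
apiVersion: v1
kind: Secret
metadata:
  name: authentik-secret
  namespace: dezky-auth
type: Opaque
stringData:
  AUTHENTIK_SECRET_KEY: REPLACE_openssl_rand_hex_50
  AUTHENTIK_POSTGRESQL__PASSWORD: REPLACE_match_dezky-data_AUTHENTIK_DB_PASSWORD
  AUTHENTIK_REDIS__PASSWORD: REPLACE_match_dezky-data_REDIS_PASSWORD
  AUTHENTIK_BOOTSTRAP_PASSWORD: REPLACE_openssl_rand_hex_16
  AUTHENTIK_BOOTSTRAP_TOKEN: REPLACE_openssl_rand_hex_32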