Ronni Baslund
406e2ca78b
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config: external DB/Redis, error-reporting off, update-check off, bootstrap admin), via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden). - Traefik HelmChartConfig: global :80 -> :443 (308) redirect via additionalArguments (to=:443, HTTP-01-safe). - RUNBOOK updated. Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with prod URLs) + the cosmetic "Powered by Dezky" rebrand.
fleet/authentik — identity provider (auth.dezky.eu)
Authentik, mirroring the dev docker-compose service but pointed at the
in-cluster data tier. Deployed via the k3s Helm controller (helmchart.yaml,
which mirrors values.yaml). Live at https://auth.dezky.eu (Let's Encrypt).
- External Postgres (
postgres.dezky-data, db/userauthentik) + Redis (redis.dezky-data) — chart's bundled subcharts disabled. - Secrets via
global.envFrom→ theauthentik-secretSecret (generated on-box; seesecret.example.yaml). DB/Redis passwords match the dezky-data secrets. - Ingress: Traefik + cert-manager
letsencrypt-prod. error_reportingoff, update-check off, bootstrap emailadmin@dezky.eu.
Deploy
# 1. secret (reads DB/Redis pw from dezky-data so they match; rest generated)
ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
RDB=$(kubectl -n dezky-data get secret redis-secret -o jsonpath='{.data.REDIS_PASSWORD}' | base64 -d)
kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
kubectl -n dezky-auth create secret generic authentik-secret \
--from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
--from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
--from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
--from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
--from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
# 2. install
kubectl apply -f helmchart.yaml
kubectl -n dezky-auth rollout status deploy/authentik-server --timeout=300s
First login
# akadmin password (store in Bitwarden):
kubectl -n dezky-auth get secret authentik-secret -o jsonpath='{.data.AUTHENTIK_BOOTSTRAP_PASSWORD}' | base64 -d; echo
Log in at https://auth.dezky.eu as akadmin / that password.
TODO (mirror the rest of dev — not yet applied)
- OIDC app blueprints. Dev provisions the operator app + a
dezky-platform-adminsaccess policy via a blueprint (infrastructure/docker-compose/configs/authentik/blueprints/). For prod, mount the equivalent at/blueprints/customwith prod redirect URLs (operator.dezky.eu,app.dezky.eu) + the matching client IDs/secrets. The portal OIDC client (hand-made in dev) also needs creating. - Rebrand ("Powered by authentik" → "Powered by Dezky"): dev runs
rebrand-web.shas a root lifecycle script. Replicating in k8s needs a root-capable initContainer/command override — cosmetic, deferred. - Pin the chart version (currently latest → app
2026.5.2).