Ronni Baslund
406e2ca78b
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config: external DB/Redis, error-reporting off, update-check off, bootstrap admin), via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden). - Traefik HelmChartConfig: global :80 -> :443 (308) redirect via additionalArguments (to=:443, HTTP-01-safe). - RUNBOOK updated. Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with prod URLs) + the cosmetic "Powered by Dezky" rebrand.
30 lines
1.6 KiB
YAML
30 lines
1.6 KiB
YAML
# Authentik secrets — template. Generate + apply OUT-OF-BAND, store in Bitwarden.
|
|
# The DB/Redis passwords MUST equal the ones in the dezky-data secrets
|
|
# (postgres-secret.AUTHENTIK_DB_PASSWORD and redis-secret.REDIS_PASSWORD), so the
|
|
# create command below reads them back rather than inventing new ones:
|
|
#
|
|
# ADB=$(kubectl -n dezky-data get secret postgres-secret -o jsonpath='{.data.AUTHENTIK_DB_PASSWORD}' | base64 -d)
|
|
# RDB=$(kubectl -n dezky-data get secret redis-secret -o jsonpath='{.data.REDIS_PASSWORD}' | base64 -d)
|
|
# kubectl create namespace dezky-auth --dry-run=client -o yaml | kubectl apply -f -
|
|
# kubectl -n dezky-auth create secret generic authentik-secret \
|
|
# --from-literal=AUTHENTIK_SECRET_KEY=$(openssl rand -hex 50) \
|
|
# --from-literal=AUTHENTIK_POSTGRESQL__PASSWORD="$ADB" \
|
|
# --from-literal=AUTHENTIK_REDIS__PASSWORD="$RDB" \
|
|
# --from-literal=AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -hex 16) \
|
|
# --from-literal=AUTHENTIK_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
|
|
#
|
|
# AUTHENTIK_BOOTSTRAP_PASSWORD = first login for `akadmin` at https://auth.dezky.eu
|
|
# AUTHENTIK_BOOTSTRAP_TOKEN = used by platform-api/provisioning to call the API
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: authentik-secret
|
|
namespace: dezky-auth
|
|
type: Opaque
|
|
stringData:
|
|
AUTHENTIK_SECRET_KEY: REPLACE_openssl_rand_hex_50
|
|
AUTHENTIK_POSTGRESQL__PASSWORD: REPLACE_match_dezky-data_AUTHENTIK_DB_PASSWORD
|
|
AUTHENTIK_REDIS__PASSWORD: REPLACE_match_dezky-data_REDIS_PASSWORD
|
|
AUTHENTIK_BOOTSTRAP_PASSWORD: REPLACE_openssl_rand_hex_16
|
|
AUTHENTIK_BOOTSTRAP_TOKEN: REPLACE_openssl_rand_hex_32
|