Use secrets for authentik's database stuff

2023-04-07 00:49:39 -04:00 · 2023-04-07 00:49:39 -04:00 · f933e23d1c
parent a1b15de4b2
commit f933e23d1c
3 changed files with 81 additions and 4 deletions
--- a/cluster/apps/authentik/authentik-secrets.sops.yaml
+++ b/cluster/apps/authentik/authentik-secrets.sops.yaml
@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authentik-secrets
+    namespace: authentik
+stringData:
+    pgsqlAdminPassword: ENC[AES256_GCM,data:QTiI/6L2BR+qBE5dl4Vb6Dj5mrr/kJEazJocjuQUgAw=,iv:vb6ohS0DMXFXGI5ZJmWNkn7EbyfjMQfjq6GxFIxHbJM=,tag:SR034jGOv3XLkrhF/z62tA==,type:str]
+    pgsqlUserPassword: ENC[AES256_GCM,data:oFsvEIAUUmKJIyCqyW+F/HkL/hZAtbVHZN71dRIJGR8=,iv:ilioD/oa7FBUEew7L6FcLzx5qSFqU7aLDP7aCuRFNO0=,tag:qrk37fQxZPkLQPpJsRZJ6Q==,type:str]
+    redisUserPassword: ENC[AES256_GCM,data:XasVsj+I0iuF/AXpws6sLThdqMCvPyMtTXxBHLAWlGM=,iv:Y0Soq5b19HkYWk4bdLMqazOgtLpgzD3saqUslXWvxv4=,tag:BL6arsBG0gkkdItQYRphEw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-07T04:48:38Z"
+    mac: ENC[AES256_GCM,data:o3L7kGBpBh0Zg4afMa/cQvrr6c41M4qSBwVYEt5Ex1+GsIl1Q5yD6EHOfCASvWglcGOwsbIiAWUhFm97rpbX1bXjr5u5XQs6dcxMjduMU3wn77QCQ0NM+ijcEhh/Bs188Pud0IMFtxDFNSV/hjrrGPOkobaBjd3svRC9Y39T9ds=,iv:kNyyQ5n30EmyFCo1CcaH9QzZ7uW0yLVReqwZTSeJSpk=,tag:rbgkwpqobOCAv/PPuegGDQ==,type:str]
+    pgp:
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+            KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+            /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+            PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+            cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+            W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+            FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+            N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+            rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+            9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+            JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+            aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+            o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+            pjU1GRaK5AlT
+            =mItp
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+            TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+            Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+            /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+            JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+            AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+            E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+            /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+            RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+            hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+            roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+            aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+            9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+            fux0T5xDbgq5
+            =eiXM
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/cluster/apps/authentik/helm-release.yaml
+++ b/cluster/apps/authentik/helm-release.yaml
@ -27,12 +27,26 @@ spec:
      postgresql:
        host: "postgresql.database"
        name: "authentik" # database name
-        user: postgres
-        password: "${SECRET_DATABASE_PGSQL_ADMIN_PASS}"
-        port: 5432
+        user: "k3spostgresql"
+#        password: "${SECRET_DATABASE_PGSQL_ADMIN_PASS}"
+#        port: 5432
      redis:
        host: "redis-master.database"
-        password: "${SECRET_DATABASE_REDIS_PASS}"
+#        password: "${SECRET_DATABASE_REDIS_PASS}"
+    
+#    env:
+#      AUTHENTIK_HOST: https://auth.***REMOVED***
+#      AUTHENTIK_HOST_BROWSER: https://auth.***REMOVED***
+    
+    envValueFrom:
+      AUTHENTIK_POSTGRESQL__PASSWORD:
+        secretKeyRef:
+          key: pgsqlUserPassword
+          name: authentik-secrets
+      AUTHENTIK_REDIS__PASSWORD:
+        secretKeyRef:
+          key: redisUserPassword
+          name: authentik-secrets

    ingress:
      enabled: true
--- a/cluster/apps/authentik/kustomization.yaml
+++ b/cluster/apps/authentik/kustomization.yaml
@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
+- ./authentik-secrets.sops.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
 - ./network_policy.yaml