ADR-0001 prod authentik-credentials source of truth
The Dogfather edited this page 2026-06-25 11:57:12 +00:00
# ADR-0001 — Prod authentik-credentials source of truth

- Status: Accepted (2026-06-25)
- Decider: The Dogfather (CTO)
- Context issue: GRO-2537 (Paperclip GRO-2537)
## Context

`groombook/authentik-credentials` (prod namespace) is consumed by the Flux tf-controller (`Terraform/authentik-prod`, `varsFrom`) to authenticate to auth.farh.net. Two writers were competing for the same Secret name:

- Live owner: the Emberstack Reflector auto-mirror from `flux-system/authentik-credentials` (`reflector.v1.k8s.emberstack.com/auto-reflects: "True"`). Healthy; this is what the tf-controller actually reads. Its source lives in the externally managed cluster/bootstrap repo (`flux-system`), not in `groombook/infra`.
- In-repo SealedSecret `apps/overlays/prod/ss-authentik-credentials.yaml`. Decrypts fine after the GRO-2459 namespace-wide re-seal, but cannot write the Secret because the name is already owned by the Reflector mirror, so it raises perpetual `ErrUnsealFailed` events.

Prod auth was never down; the events were noise from the redundant second writer.
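The dual-writer state above is visible purely from the Secret's metadata: the Reflector mirror carries the `auto-reflects` annotation quoted here, while the sealed-secrets controller only writes a Secret it owns through an `ownerReference` of kind `SealedSecret` (or one opted in with `sealedsecrets.bitnami.com/managed: "true"`). The following is an added check, not code from `groombook/infra` or from either project: it takes the `kubectl get secrets -o json` items of a namespace plus the names of that namespace's SealedSecrets and reports every name a SealedSecret can never take over. The `reflects` annotation naming the mirror's source, the `prod` namespace and the sample objects are constructed assumptions for the example.

```python
"""Added example: detect Secrets with two competing writers.

Input is the `.items` list of `kubectl get secrets -n <ns> -o json` and the
names from `kubectl get sealedsecrets -n <ns>`. Sample objects below are
constructed for the example, not captured from the cluster.
"""
import json
from typing import Dict, List

REFLECTOR = "reflector.v1.k8s.emberstack.com/"
SEALED_MANAGED = "sealedsecrets.bitnami.com/managed"


def writers_of(secret: dict) -> List[str]:
    """Every controller that claims write rights on this Secret."""
    meta = secret.get("metadata", {})
    ann = meta.get("annotations") or {}
    owners = meta.get("ownerReferences") or []
    writers = []
    # sealed-secrets: owned via ownerReference, or opted in via annotation
    if any(o.get("kind") == "SealedSecret" for o in owners) \
            or ann.get(SEALED_MANAGED, "").lower() == "true":
        writers.append("sealedsecret")
    # Reflector marks the mirrors it creates with auto-reflects (see the ADR)
    if ann.get(REFLECTOR + "auto-reflects", "").lower() == "true":
        writers.append("reflector-mirror")
    return writers


def find_conflicts(secrets: List[dict], sealedsecret_names: List[str]) -> Dict[str, str]:
    """Map Secret name -> reason for every name with more than one writer.

    A SealedSecret whose target already exists and is not owned by it
    cannot write it; the controller keeps retrying and emits ErrUnsealFailed
    on every sync. That is the noise the ADR describes.
    """
    by_name = {s["metadata"]["name"]: s for s in secrets}
    conflicts = {}
    for name in sealedsecret_names:
        secret = by_name.get(name)
        if secret is None:
            continue  # nothing exists yet; the SealedSecret will create it
        writers = writers_of(secret)
        if "sealedsecret" not in writers:
            held_by = ", ".join(writers) or "nobody (unmanaged)"
            conflicts[name] = f"SealedSecret cannot take over a Secret held by {held_by}"
        elif len(writers) > 1:
            conflicts[name] = "both " + " and ".join(writers) + " claim ownership"
    return conflicts


def load_kubectl_items(text: str) -> List[dict]:
    """Parse `kubectl get ... -o json` output into its item list."""
    return json.loads(text)["items"]


# Constructed sample: the live Reflector mirror and, for contrast, a Secret
# that a SealedSecret legitimately owns. Values are placeholders.
SAMPLE_SECRETS = [
    {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {
            "name": "authentik-credentials", "namespace": "prod",
            "annotations": {
                REFLECTOR + "auto-reflects": "True",
                REFLECTOR + "reflects": "flux-system/authentik-credentials",  # assumed annotation
            },
        },
        "data": {"AUTHENTIK_TOKEN": "cGxhY2Vob2xkZXI="},
    },
    {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {
            "name": "app-db-password", "namespace": "prod",
            "ownerReferences": [{"apiVersion": "bitnami.com/v1alpha1",
                                 "kind": "SealedSecret", "name": "app-db-password"}],
        },
        "data": {"password": "cGxhY2Vob2xkZXI="},
    },
]
SAMPLE_SEALEDSECRETS = ["authentik-credentials", "app-db-password"]


if __name__ == "__main__":
    for s in SAMPLE_SECRETS:
        print(s["metadata"]["name"], "->", writers_of(s) or ["unmanaged"])
    for name, why in find_conflicts(SAMPLE_SECRETS, SAMPLE_SEALEDSECRETS).items():
        print("CONFLICT", name + ":", why)
```

Against the constructed sample this flags only `authentik-credentials`, which is exactly the in-repo SealedSecret this ADR removes; the rejected `managed: "true"` annotation would make the same name show up as "both sealedsecret and reflector-mirror claim ownership" rather than clearing it.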
## Decision

The platform (cluster repo / `flux-system`) is the authoritative distributor of the Authentik token via Reflector (the same pattern used for `groombook-backups`). The in-repo prod SealedSecret duplicates a platform-owned Secret and is removed from `groombook/infra`. We do not make the in-repo SealedSecret authoritative, because that would require killing the Reflector source in the externally managed cluster repo.

Rejected alternatives:

- `kubectl delete secret`: Reflector re-creates it within seconds; this flaps against a healthy prod Secret. (Cancelled GRO-2466.)
- Add `sealedsecrets.bitnami.com/managed: "true"`: would still fight the Reflector mirror for ownership; the dual source persists.
- Cluster-repo PR to kill the Reflector source: valid but out of scope; only pursued via the escape hatch if the Reflector source proves non-durable.
## Consequences

- `ErrUnsealFailed` noise stops; single source of truth (platform Reflector) for the prod token.
- `groombook/infra` no longer carries a prod Authentik SealedSecret; future rotations are a platform concern.
- Dependency on the platform keeping `flux-system/authentik-credentials` durable. If that ever changes, revisit (cluster-repo PR to re-home the source).
## Related

- Implemented via GRO-2465 (`groombook/infra` PR removing `ss-authentik-credentials.yaml`).
- Supersedes/closes: GRO-2457 (triage), GRO-2459 (re-seal), GRO-2466 (cancelled manual delete).