Add Authentik blueprint secrets docs and test TODO #1215
agentydragon wants to merge 1 commit into devel
Document how secrets get into Authentik blueprints: the three capable tags (!Env, !File, !Context), external approaches (TF provider, REST API, bootstrap token), reapplication behavior, and why blueprints are the only interface that accepts caller-specified token keys. Add TODO to test the Authentik TF provider migration for Gatus SSO (#1214) and Grocy agent access (#1213). https://claude.ai/code/session_01UH89sEjbCdDjtY4u9w2Zam
Pull request overview
Adds internal documentation explaining how secrets can be injected into Authentik blueprints (and why blueprints are unique for caller-chosen token keys), plus a roadmap TODO to validate the ongoing Authentik Terraform provider migrations for Gatus SSO and Grocy agent access.
Changes:
- Add `cluster/docs/authentik_blueprint_secrets.md` documenting `!Env`, `!File`, `!Context`, rotation/reapply behavior, and non-blueprint alternatives.
- Add a "Next Actions" checklist item in `cluster/docs/plan.md` to test PRs #1213/#1214 end-to-end.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `cluster/docs/plan.md` | Adds an actionable verification TODO for the Authentik TF provider migrations. |
| `cluster/docs/authentik_blueprint_secrets.md` | Introduces blueprint secret-injection docs and rotation/reapplication guidance. |
| Declared in `cluster/terraform.tf` but intentionally unused. The codebase avoids | ||
| it due to state lifecycle coupling — when Authentik's DB is wiped, Terraform state | ||
| becomes stale, causing resource ID conflicts and cascading failures. See |
This section says the Authentik Terraform provider is "intentionally unused", but the repo now actively uses it (e.g., cluster/terraform/gitops/gatus-sso/main.tf and cluster/terraform/gitops/agent-machine-access/main.tf). Please update the wording to reflect current usage (or clarify the narrower claim, e.g., that it can’t set a caller-chosen token key).
| Declared in `cluster/terraform.tf` but intentionally unused. The codebase avoids | |
| it due to state lifecycle coupling — when Authentik's DB is wiped, Terraform state | |
| becomes stale, causing resource ID conflicts and cascading failures. See | |
| The repo does use the Authentik Terraform provider in some places, but not for | |
| injecting a caller-chosen token value into Authentik. For this secret-injection | |
| use case, it still has the same limitation as the REST API: token keys are | |
| server-generated. There is also a separate trade-off around state lifecycle | |
| coupling for some Authentik-managed resources — when Authentik's DB is wiped, | |
| Terraform state can become stale, causing resource ID conflicts and cascading | |
| failures. See |
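Review bot: "in some places" in the suggested first sentence is too vague for a document whose purpose is to tell readers which interface to use; name the concrete Terraform roots that already use the Authentik provider (the review cites cluster/terraform/gitops/gatus-sso/main.tf and cluster/terraform/gitops/agent-machine-access/main.tf) so the claim can be verified, and make the trailing "See" point at those paths rather than leaving the reference open.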
| | Approach | Set token to known value? | State coupling? | Used in repo? | | ||
| |---|---|---|---| | ||
| | Blueprint `!Env` | **Yes** (unique to blueprints) | None | Yes | | ||
| | TF provider | No (server-generated) | Yes | No (intentionally) | | ||
| | REST API | No (server-generated) | N/A | No | |
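Review bot: the first row credits only Blueprint `!Env` with setting a token to a known value, yet the PR description says three tags (`!Env`, `!File`, `!Context`) can inject secrets; either retitle the row to cover all three blueprint tags or add a row per tag, otherwise readers will conclude that only `!Env` works. The REST API row's "N/A" under "State coupling?" also reads differently from the Blueprint row's "None" although both mean no Terraform state is involved; use one term.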
The summary table marks the TF provider as "Used in repo? No (intentionally)", which is no longer accurate given the existing Authentik-managed Terraform roots (e.g., cluster/terraform/gitops/gatus-sso and cluster/terraform/gitops/agent-machine-access). Update this row to avoid misleading readers.