Description
Scenario:
- A private repository exists from which Argo reads the application information. Argo is installed on an Oracle VPS => Kubernetes.
In my case I had one application, which reads the other applications from a specific folder => apps
Definition:
```yaml
project: default
source:
  repoURL: '[email protected]:<censored>'
  path: apps
  targetRevision: HEAD
  directory:
    recurse: true
    jsonnet: {}
destination:
  server: 'https://kubernetes.default.svc'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - Validate=true
    - PruneLast=true
    - RespectIgnoreDifferences=false
    - ApplyOutOfSyncOnly=false
    - ServerSideApply=true
    - Replace=false
  retry:
    limit: 3
    backoff:
      duration: 60s
      factor: 2
      maxDuration: 3m0s
```
- In apps I had a folder: authentik
That folder has several files, like:
`Chart.yaml`
```yaml
apiVersion: v2
name: goauthentik
description: An Umbrella Helm chart
type: application
version: 0.1.0
appVersion: "1.0"
dependencies:
  - name: authentik
    version: 2023.*
    repository: https://charts.goauthentik.io/
```
`aplication.yaml`
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    name: ''
    namespace: authentik
    server: 'https://kubernetes.default.svc'
  source:
    path: apps/authentik
    repoURL: '[email protected]:<censored>'
    targetRevision: HEAD
    helm:
      valueFiles:
        - values.yaml
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
```
`values.yaml`
```yaml
replicas: 1
priorityClassName:
securityContext: {}

worker:
  replicas: 1
  priorityClassName:
  securityContext: {}

image:
  repository: ghcr.io/goauthentik/server
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

initContainers: {}
additionalContainers: {}

ingress:
  enabled: false
  ingressClassName: "traefik-ingress"
  annotations: {
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  }
  labels: {}
  hosts:
    - host: <censored my domain>
      paths:
        - path: "/"
          pathType: Prefix
  tls: []

annotations: {}
podAnnotations: {}

authentik:
  log_level: error
  secret_key: "<censored some value>"
  geoip: /geoip/GeoLite2-City.mmdb
  email:
    host: ""
    port: 587
    username: ""
    password: ""
    use_tls: false
    use_ssl: false
    timeout: 30
    from: ""
  outposts:
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    enabled: false
    environment: "k8s"
    send_pii: false
  redis:
    host: "{{ .Release.Name }}-redis-master"
    password: ""

geoip:
  enabled: false

blueprints: []

# secret used to avoid putting the DB information in this file
envFrom:
  - secretRef:
      name: authentik-secret
envValueFrom: {}

service:
  enabled: true
  type: ClusterIP
  port: 80
  name: http
  protocol: TCP
  labels: {}
  annotations: {}

volumes: []
volumeMounts: []
affinity: {}
tolerations: []
nodeSelector: {}

resources:
  server: {}
  worker: {}

autoscaling:
  server:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
  worker:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80

livenessProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10
startupProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  failureThreshold: 60
  periodSeconds: 5
readinessProbe:
  enabled: true
  httpGet:
    path: /-/health/ready/
    port: http
  periodSeconds: 10

serviceAccount:
  create: true
  annotations: {}
serviceAccountSecret:
  enabled: false

prometheus:
  serviceMonitor:
    create: false
    interval: 30s
    scrapeTimeout: 3s
    labels: {}
  rules:
    create: false
    labels: {}

postgresql:
  enabled: false
redis:
  enabled: true
```
`sealed-psql-secret.yml`
```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: authentik-secret
  namespace: authentik
spec:
  encryptedData:
    AUTHENTIK_POSTGRESQL__HOST: <censored>
    AUTHENTIK_POSTGRESQL__NAME: <censored>
    AUTHENTIK_POSTGRESQL__PASSWORD: <censored>
    AUTHENTIK_POSTGRESQL__USER: <censored>
    AUTHENTIK_SECRET_KEY: <censored>
  template:
    metadata:
      creationTimestamp: null
      name: authentik-secret
      namespace: authentik
    # `type` here is the type of the Secret the controller generates
    # (the usual value for key/value secrets is Opaque)
    type: stringData
---
```
- Commit the changes and check whether Argo runs authentik correctly.
Reality: No, it finished with an error on the pods:
authentik-server-
authentik-worker-
```json
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4328628, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4334147, "count": 28}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4335992}
{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336236}
{"event": "Secret key missing, check https://goauthentik.io/docs/installation/.", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.433638}
{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336486}
```
However, as you can see, I did provide the secret key, whether in the secret or in the values, didn't I?
Then why does running the application through ArgoCD finish with a failed status and complain about a missing secret key?
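Added example (editor's code, not part of this issue, of the authentik chart or of Argo CD): a check for the layout shown above. Helm forwards to a subchart only the part of the parent's values that sits under a key equal to the dependency's `name` (or its `alias`) in `Chart.yaml`, plus `global`; every other top-level key stays with the parent chart, and an umbrella chart with no templates of its own silently drops it. In the `values.yaml` posted above the keys are the authentik chart's own keys placed at the top level of the umbrella chart, so the subchart receives `{log_level, secret_key, ...}` as its root and never sees `.Values.authentik.secret_key` or `envFrom`, which is consistent with the "Secret key missing" log. The dicts below are constructed from the issue's `Chart.yaml` and an abbreviated `values.yaml`; nothing is read from disk, and `nest_under` is a hypothetical helper that shows the corrected nesting.

```python
"""Which keys of an umbrella chart's values.yaml actually reach a subchart?

Models Helm's scoping rule: a dependency named N (or aliased A) sees
parent_values[N or A] plus parent_values["global"], nothing else.
Editor's example; constructed input, no files are read.
"""

# Constructed from the umbrella Chart.yaml in the issue.
CHART_DEPENDENCIES = [
    {"name": "authentik", "version": "2023.*",
     "repository": "https://charts.goauthentik.io/"},
]

# Constructed, abbreviated copy of the values.yaml as posted: subchart keys
# sitting at the top level of the parent (umbrella) chart's values.
VALUES_AS_POSTED = {
    "replicas": 1,
    "authentik": {
        "log_level": "error",
        "secret_key": "<censored some value>",
        "redis": {"host": "{{ .Release.Name }}-redis-master"},
    },
    "envFrom": [{"secretRef": {"name": "authentik-secret"}}],
    "postgresql": {"enabled": False},
    "redis": {"enabled": True},
}


def subchart_scope(dependencies):
    """Map the top-level values key Helm uses (alias, else name) to the chart name."""
    return {d.get("alias") or d["name"]: d["name"] for d in dependencies}


def values_seen_by_subchart(parent_values, key):
    """Values the subchart scoped under `key` receives: its section plus `global`."""
    section = parent_values.get(key)
    scoped = dict(section) if isinstance(section, dict) else {}
    if "global" in parent_values:
        scoped["global"] = parent_values["global"]
    return scoped


def orphaned_keys(parent_values, dependencies):
    """Top-level keys that reach no subchart and are not `global` (sorted)."""
    reachable = set(subchart_scope(dependencies)) | {"global"}
    return sorted(k for k in parent_values if k not in reachable)


def lookup(values, dotted):
    """Resolve a dotted path such as 'authentik.secret_key'; None if absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def nest_under(parent_values, key):
    """Hypothetical fix: move every non-global key under `key`."""
    fixed = {key: {k: v for k, v in parent_values.items() if k != "global"}}
    if "global" in parent_values:
        fixed["global"] = parent_values["global"]
    return fixed


def diagnose(parent_values, dependencies,
             needed=("authentik.secret_key", "envFrom")):
    """For each subchart, report whether the `needed` paths resolve from the
    values it receives, plus the parent-level keys that are dropped."""
    report = {"orphaned": orphaned_keys(parent_values, dependencies),
              "subcharts": {}}
    for key in subchart_scope(dependencies):
        seen = values_seen_by_subchart(parent_values, key)
        report["subcharts"][key] = {p: lookup(seen, p) is not None for p in needed}
    return report


if __name__ == "__main__":
    print("as posted:", diagnose(VALUES_AS_POSTED, CHART_DEPENDENCIES))
    fixed = nest_under(VALUES_AS_POSTED, "authentik")
    print("nested under authentik:", diagnose(fixed, CHART_DEPENDENCIES))
```

With the values as posted the report shows `authentik.secret_key` and `envFrom` unresolved for the authentik subchart and `envFrom`, `postgresql`, `redis` and `replicas` orphaned at the parent; after nesting everything under a single top-level `authentik:` key both resolve and nothing is orphaned. Once `envFrom` reaches the subchart, the `AUTHENTIK_SECRET_KEY` from the SealedSecret is the copy worth keeping: the plaintext `secret_key` in `values.yaml` is committed to the repository in clear.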