feat(authentik): wire SMTP (noreply@) for TripIt signup verification + recovery email (ADR-0020)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Authentik email was unconfigured (localhost), so the TripIt enrollment flow's email-verification stage couldn't send. Add AUTHENTIK_EMAIL__* to server.env + worker.env pointing at the in-cluster mailserver as noreply@viktorbarzin.me (587/STARTTLS), with the SASL password synced from Vault secret/authentik.smtp_password via a new authentik-email ExternalSecret (reloader-annotated). Image pin unchanged (2026.2.4 == live). Prereq for the tripit-enrollment flow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
8a2a3d9eca
commit
c3d0c121bb
2 changed files with 78 additions and 0 deletions
40
stacks/authentik/email-secret.tf
Normal file
40
stacks/authentik/email-secret.tf
Normal file
|
|
@ -0,0 +1,40 @@
|
||||||
|
# SMTP password for Authentik's signup-verification + recovery email (tripit
|
||||||
|
# ADR-0020). Synced from Vault secret/authentik.smtp_password into the authentik
|
||||||
|
# namespace as the `authentik-email` Secret, referenced by
|
||||||
|
# AUTHENTIK_EMAIL__PASSWORD in values.yaml (server.env + worker.env). The sender
|
||||||
|
# account is noreply@viktorbarzin.me (a mailserver SASL account); host/port/from
|
||||||
|
# are non-secret and live in values.yaml. The reloader annotation rolls the
|
||||||
|
# authentik pods if the password ever changes.
|
||||||
|
resource "kubernetes_manifest" "authentik_email_secret" {
|
||||||
|
manifest = {
|
||||||
|
apiVersion = "external-secrets.io/v1beta1"
|
||||||
|
kind = "ExternalSecret"
|
||||||
|
metadata = {
|
||||||
|
name = "authentik-email"
|
||||||
|
namespace = "authentik"
|
||||||
|
}
|
||||||
|
spec = {
|
||||||
|
refreshInterval = "1h"
|
||||||
|
secretStoreRef = {
|
||||||
|
name = "vault-kv"
|
||||||
|
kind = "ClusterSecretStore"
|
||||||
|
}
|
||||||
|
target = {
|
||||||
|
name = "authentik-email"
|
||||||
|
template = {
|
||||||
|
metadata = {
|
||||||
|
annotations = {
|
||||||
|
"reloader.stakater.com/match" = "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
data = [
|
||||||
|
{
|
||||||
|
secretKey = "AUTHENTIK_EMAIL__PASSWORD"
|
||||||
|
remoteRef = { key = "authentik", property = "smtp_password" }
|
||||||
|
},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -47,6 +47,26 @@ server:
|
||||||
value: "1800"
|
value: "1800"
|
||||||
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
||||||
value: "900"
|
value: "900"
|
||||||
|
# SMTP for signup verification + recovery email (tripit ADR-0020): send via
|
||||||
|
# the in-cluster mailserver as noreply@viktorbarzin.me (SASL, 587/STARTTLS);
|
||||||
|
# password from the authentik-email ExternalSecret (Vault
|
||||||
|
# secret/authentik.smtp_password). Set on server AND worker — the worker
|
||||||
|
# runs the email tasks, the server validates the Email stage config.
|
||||||
|
- name: AUTHENTIK_EMAIL__HOST
|
||||||
|
value: "mailserver.mailserver.svc.cluster.local"
|
||||||
|
- name: AUTHENTIK_EMAIL__PORT
|
||||||
|
value: "587"
|
||||||
|
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||||
|
value: "true"
|
||||||
|
- name: AUTHENTIK_EMAIL__USERNAME
|
||||||
|
value: "noreply@viktorbarzin.me"
|
||||||
|
- name: AUTHENTIK_EMAIL__FROM
|
||||||
|
value: "TripIt <noreply@viktorbarzin.me>"
|
||||||
|
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: authentik-email
|
||||||
|
key: AUTHENTIK_EMAIL__PASSWORD
|
||||||
# Do NOT set AUTHENTIK_POSTGRESQL__CONN_MAX_AGE here. With PgBouncer in
|
# Do NOT set AUTHENTIK_POSTGRESQL__CONN_MAX_AGE here. With PgBouncer in
|
||||||
# session mode every persistent Django connection pins a server connection
|
# session mode every persistent Django connection pins a server connection
|
||||||
# 1:1, so the 3x(20+5) pool saturated during the 2026-06-10 rolling
|
# 1:1, so the 3x(20+5) pool saturated during the 2026-06-10 rolling
|
||||||
|
|
@ -121,6 +141,24 @@ worker:
|
||||||
value: "1800"
|
value: "1800"
|
||||||
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
- name: AUTHENTIK_CACHE__TIMEOUT_POLICIES
|
||||||
value: "900"
|
value: "900"
|
||||||
|
# SMTP (same as server.env) — the worker runs Authentik's email tasks, so it
|
||||||
|
# needs the transport too (tripit ADR-0020). noreply@viktorbarzin.me via the
|
||||||
|
# in-cluster mailserver; password from the authentik-email ExternalSecret.
|
||||||
|
- name: AUTHENTIK_EMAIL__HOST
|
||||||
|
value: "mailserver.mailserver.svc.cluster.local"
|
||||||
|
- name: AUTHENTIK_EMAIL__PORT
|
||||||
|
value: "587"
|
||||||
|
- name: AUTHENTIK_EMAIL__USE_TLS
|
||||||
|
value: "true"
|
||||||
|
- name: AUTHENTIK_EMAIL__USERNAME
|
||||||
|
value: "noreply@viktorbarzin.me"
|
||||||
|
- name: AUTHENTIK_EMAIL__FROM
|
||||||
|
value: "TripIt <noreply@viktorbarzin.me>"
|
||||||
|
- name: AUTHENTIK_EMAIL__PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: authentik-email
|
||||||
|
key: AUTHENTIK_EMAIL__PASSWORD
|
||||||
strategy:
|
strategy:
|
||||||
type: RollingUpdate
|
type: RollingUpdate
|
||||||
rollingUpdate:
|
rollingUpdate:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue