
Automate authentik token rotation (adopt FuzeInfra rotate-sealed-secret) — kill the manual reseal from #104/#105 #106

Description

@izzywdev

Automate the authentik token rotation — kill the manual reseal step (ADLC)

Why: FuzeFront #104 (handed off from FuzeInfra#103) was root-caused + code-fixed in #105 (whitespace-scrubbing seal path + trim). But #105 still requires a human to manually reseal the live AUTHENTIK_BOOTSTRAP_TOKEN and redeploy — a manual runbook step, which our agentic SDLC does not accept. Secret rotation must be a hands-off automated primitive.

FuzeInfra just shipped the family-standard rotation workflow to close this gap:

It generates a fresh value, seals it offline against the cluster's published public cert (no cluster access, plaintext never logged) via seal-secret.sh, opens an auto-merging PR → Argo syncs the SealedSecret → controller decrypts. FuzeFront seals against the same cluster controller, so the same approach applies.

Tasks (@claude)

  1. Merge fix(authentik): scrub whitespace from sealed tokens — fix malformed outpost Authorization header #105 first (the hardened seal path must be in place before rotating).
  2. Replicate rotate-sealed-secret.yml into FuzeFront — mirror the FuzeInfra template, pointed at FuzeFront's deploy/scripts/seal-secret.sh and the fuzefront/fuzefront-secrets SealedSecret manifest (deploy/contabo/sealed/fuzefront-secrets.yaml). Keep the env-not-${{ }} input handling + validation.
  3. Wire automatic reload on authentik-server / authentik-worker so a Secret change restarts them with no human: a stakater/reloader annotation or a Helm checksum/secret pod annotation. (If reloader isn't installed cluster-side, prefer the checksum annotation, or use the workflow's reload_argocd_app input.)
  4. Run the rotation for AUTHENTIK_BOOTSTRAP_TOKEN (scope fuzefront/fuzefront-secrets) to clear 🚨 authentik outpost token malformed — config-fetch error loop (handed off from FuzeInfra #103) #104's loop, and confirm the outpost stops emitting invalid header field value for "Authorization".

Acceptance

  • rotate-sealed-secret.yml exists in FuzeFront and a rotation runs end-to-end (PR auto-merges → Argo syncs) with no manual seal-secret.sh.
  • authentik pods auto-restart on the Secret change.
  • The 3s outpost config-fetch error loop is gone.

STATE

@claude please implement tasks 1–4 above, open the PR(s), run the rotation, and report back here when triggered, merged, rotated, and the loop is confirmed cleared.
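Added example (not FuzeFront or FuzeInfra code): a Go pre-seal check for the token a rotation workflow generates. It assumes the outpost's HTTP client is Go's net/http (the `invalid header field value for "Authorization"` string quoted above is net/http's own error), uses an unpadded URL-safe base64 random value as a stand-in for AUTHENTIK_BOOTSTRAP_TOKEN (format assumed, not taken from authentik), and reproduces the #104 failure offline by sending a token with a trailing newline to a throwaway local server. `checkBeforeSeal` is a hypothetical gate that would run on the exact bytes about to be handed to seal-secret.sh.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"unicode"
)

// generateToken returns a fresh random token with nBytes of entropy, encoded
// as unpadded URL-safe base64 so it can never contain whitespace, '=', or
// any byte that is illegal in an HTTP header value. (Token format assumed.)
func generateToken(nBytes int) (string, error) {
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// scrubToken drops every whitespace rune (space, tab, CR, LF, ...) from a
// token that has passed through a file, a shell pipeline or an editor.
// A single trailing "\n" from `echo` is enough to break the outpost.
func scrubToken(raw string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsSpace(r) {
			return -1
		}
		return r
	}, raw)
}

// validHeaderValue applies the rule net/http enforces before sending a
// request: no control bytes (< 0x20 or 0x7F) except HTAB; plain space is
// allowed. A trailing space therefore passes this check yet still yields a
// wrong bearer token, which is why scrubToken removes it as well.
func validHeaderValue(v string) bool {
	for i := 0; i < len(v); i++ {
		b := v[i]
		if b == '\t' || b == ' ' {
			continue
		}
		if b < 0x20 || b == 0x7f {
			return false
		}
	}
	return true
}

// probeAuthorization sends `Authorization: Bearer <token>` to a throwaway
// local server and returns whatever error net/http raises. With an
// unscrubbed token this reproduces the outpost's
// `invalid header field value for "Authorization"` failure offline.
func probeAuthorization(token string) error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL+"/", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := srv.Client().Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// checkBeforeSeal is the (hypothetical) gate a rotation workflow runs on the
// exact bytes it is about to seal: it returns the scrubbed token, or an error
// if the result would still be rejected as a header value.
func checkBeforeSeal(raw string) (string, error) {
	tok := scrubToken(raw)
	if tok == "" {
		return "", fmt.Errorf("token is empty after scrubbing")
	}
	if !validHeaderValue("Bearer " + tok) {
		return "", fmt.Errorf("token still contains header-illegal bytes")
	}
	if err := probeAuthorization(tok); err != nil {
		return "", err
	}
	return tok, nil
}

func main() {
	tok, err := generateToken(32)
	if err != nil {
		panic(err)
	}
	// Constructed failure case: the token as it looks after `echo $TOKEN > file`.
	leaked := tok + "\n"
	fmt.Printf("unscrubbed: %v\n", probeAuthorization(leaked))
	clean, err := checkBeforeSeal(leaked)
	fmt.Printf("scrubbed:   ok=%v err=%v same=%v\n", err == nil, err, clean == tok)
}
```

Running it with `go run` prints the net/http error for the newline-terminated token and a clean result for the scrubbed one. The point for the workflow is that the gate runs on the bytes that go into the SealedSecret, so a stray newline fails the job instead of surfacing later as the outpost's config-fetch loop.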
