Automate the authentik token rotation — kill the manual reseal step (ADLC)

Why: FuzeFront #104 (handed off from FuzeInfra#103) was root-caused + code-fixed in #105 (whitespace-scrubbing seal path + trim). But #105 still requires a human to manually reseal the live AUTHENTIK_BOOTSTRAP_TOKEN and redeploy — a manual runbook step, which our agentic SDLC does not accept. Secret rotation must be a hands-off automated primitive.

FuzeInfra just shipped the family-standard rotation workflow to close this gap: it generates a fresh value, seals it offline against the cluster's published public cert (no cluster access, plaintext never logged) via seal-secret.sh, opens an auto-merging PR → Argo syncs the SealedSecret → controller decrypts. FuzeFront seals against the same cluster controller, so the same approach applies.

Tasks (@claude)

1. Replicate rotate-sealed-secret.yml into FuzeFront — mirror the FuzeInfra template, pointed at FuzeFront's deploy/scripts/seal-secret.sh and the fuzefront/fuzefront-secrets SealedSecret manifest (deploy/contabo/sealed/fuzefront-secrets.yaml). Keep the env-not-${{ }} input handling + validation.
2. Wire automatic reload on authentik-server / authentik-worker so a Secret change restarts them with no human: a stakater/reloader annotation or a Helm checksum/secret pod annotation. (If reloader isn't installed cluster-side, prefer the checksum annotation, or use the workflow's reload_argocd_app input.)
3. Rotate AUTHENTIK_BOOTSTRAP_TOKEN (scope fuzefront/fuzefront-secrets) to clear the loop in #104 (🚨 authentik outpost token malformed — config-fetch error loop, handed off from FuzeInfra #103), and confirm the outpost stops emitting invalid header field value for "Authorization".

Acceptance

rotate-sealed-secret.yml exists in FuzeFront and a rotation runs end-to-end (PR auto-merges → Argo syncs) with no manual seal-secret.sh.

STATE

rotate-sealed-secret.yml merged (feat(secrets): hands-off SealedSecret rotation workflow (family-standard), FuzeInfra#111).

@claude please implement tasks 1–4 above, open the PR(s), run the rotation, and report back here when triggered, merged, rotated, and the loop is confirmed cleared.
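The seal path the rotation workflow calls (generate a fresh value, trim it, validate it, seal it offline against the published cert), as an added example written for this issue and not FuzeFront's deploy/scripts/seal-secret.sh or the FuzeInfra template; the function names, PUB_CERT and the kubeseal raw-mode invocation are assumptions about how such a script would be wired.

```shell
#!/usr/bin/env sh
# Added example, not FuzeFront's deploy/scripts/seal-secret.sh: the offline
# seal path a rotation workflow calls. Inputs arrive as environment variables
# (set via `env:` in the workflow, never interpolated with ${{ }} into the
# script body) and are validated before anything reaches kubeseal.
set -eu

# Accept only DNS-1123 names, so a workflow input cannot carry whitespace,
# newlines or shell syntax into the kubeseal arguments.
validate_name() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# Strip leading/trailing whitespace, including the CR/LF that #105 found
# turning the token into an invalid Authorization header value.
trim() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Require a non-empty value with no remaining whitespace or control character.
validate_token() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[[:space:][:cntrl:]]*) return 1 ;;
  esac
}

# Fresh 256-bit token as hex (header-safe by construction); it still goes
# through the same trim/validate path as any caller-supplied value.
generate_token() {
  t=$(trim "$(openssl rand -hex 32)")
  validate_token "$t" || return 1
  printf '%s' "$t"
}

# Seal one key offline against the controller's published public cert
# (PUB_CERT, an assumed path). No cluster access is needed; the plaintext only
# travels over stdin to kubeseal and is never echoed or logged.
seal_value() {
  ns="$1"; name="$2"; value="$3"
  validate_name "$ns" || return 1
  validate_name "$name" || return 1
  validate_token "$value" || return 1
  printf '%s' "$value" | kubeseal --cert "$PUB_CERT" --raw \
    --from-file=/dev/stdin --namespace "$ns" --name "$name" --scope strict
}
```

Only the trim/validate helpers run without a cert; seal_value needs kubeseal and PUB_CERT on the runner, and its output is the value to drop into the SealedSecret manifest's encryptedData.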