Run authentik using ArgoCD finished wih error about missing provided secret key

[lukasz18dg]

Scenario:

1. Exist private repository where Argo will be read information about aplication. Argo intalled on Oracle VPS => Kubernetes. In my case I had one aplicaiton, which read other aplication in specific folder => apps Definition:

   project: default
   source:
   repoURL: 'git@github.com:<censored>'
   path: apps
   targetRevision: HEAD
   directory:
   recurse: true
   jsonnet: {}
   destination:
   server: 'https://kubernetes.default.svc'
   namespace: argocd
   syncPolicy:
   automated:
   prune: true
   selfHeal: true
   syncOptions:
   - CreateNamespace=true
   - Validate=true
   - PruneLast=true
   - RespectIgnoreDifferences=false
   - ApplyOutOfSyncOnly=false
   - ServerSideApply=true
   - Replace=false
   retry:
   limit: 3
   backoff:
     duration: 60s
     factor: 2
     maxDuration: 3m0s

2. In apss I had folder with: authentik That folder have several files like: Chart.yaml

   
   apiVersion: v2
   name: goauthentik
   description: An Umbrella Helm chart
   type: application
   version: 0.1.0
   appVersion: "1.0"

dependencies:

• name: authentik version: 2023.* repository: https://charts.goauthentik.io/

  aplication.yaml

  apiVersion: v1 kind: Namespace metadata: name: authentik

  apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: authentik finalizers:

  • resources-finalizer.argocd.argoproj.io spec: destination: name: '' namespace: authentik server: 'https://kubernetes.default.svc' source: path: apps/authentik repoURL: 'git@github.com:' targetRevision: HEAD helm: valueFiles:
    • values.yaml sources: [] project: default syncPolicy: automated: prune: true selfHeal: true syncOptions:
    • CreateNamespace=true
    • PrunePropagationPolicy=foreground

      values.yaml

      replicas: 1 priorityClassName: securityContext: {}

worker: replicas: 1 priorityClassName: securityContext: {}

image: repository: ghcr.io/goauthentik/server digest: "" pullPolicy: IfNotPresent pullSecrets: []

initContainers: {}

additionalContainers: {}

ingress: enabled: false ingressClassName: "traefik-ingress" annotations: { traefik.ingress.kubernetes.io/router.entrypoints: websecure } labels: {} hosts:

• host: paths:
  • path: "/" pathType: Prefix tls: []

annotations: {}

podAnnotations: {}

authentik: log_level: error secret_key: "" geoip: /geoip/GeoLite2-City.mmdb email: host: "" port: 587 username: "" password: "" use_tls: false use_ssl: false timeout: 30 from: "" outposts: container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s error_reporting: enabled: false environment: "k8s" send_pii: false redis: host: "{{ .Release.Name }}-redis-master" password: "" geoip: enabled: false

blueprints: []

secret to avoid add information about DB

envFrom:

• secretRef: name: authentik-secret

envValueFrom: {}

service: enabled: true type: ClusterIP port: 80 name: http protocol: TCP labels: {} annotations: {}

volumes: []

volumeMounts: []

affinity: {}

tolerations: []

nodeSelector: {}

resources: server: {} worker: {}

autoscaling: server: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 50 worker: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 80

livenessProbe: enabled: true httpGet: path: /-/health/live/ port: http initialDelaySeconds: 5 periodSeconds: 10

startupProbe: enabled: true httpGet: path: /-/health/live/ port: http failureThreshold: 60 periodSeconds: 5

readinessProbe: enabled: true httpGet: path: /-/health/ready/ port: http periodSeconds: 10

serviceAccount: create: true annotations: {} serviceAccountSecret: enabled: false

prometheus: serviceMonitor: create: false interval: 30s scrapeTimeout: 3s labels: {} rules: create: false labels: {}

postgresql: enabled: false

redis: enabled: true

sealed-psql-secret.yml

apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null name: authentik-secret namespace: authentik spec: encryptedData: AUTHENTIK_POSTGRESQLHOST: AUTHENTIK_POSTGRESQL__NAME: AUTHENTIK_POSTGRESQLPASSWORD: AUTHENTIK_POSTGRESQL__USER: AUTHENTIK_SECRET_KEY: template: metadata: creationTimestamp: null name: authentik-secret namespace: authentik type: stringData

3. Commit changes and look if argo correctly run authenik.

Reality: No, finished with error on pods:
authentik-server-<randomstring>
authentik-worker-<randomstring>

{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4328628, "file": "/authentik/lib/default.yml"}

{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4334147, "count": 28}

{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4335992}

{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336236}

{"event": "Secret key missing, check https://goauthentik.io/docs/installation/.", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.433638}

{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336486}

however like you see, I provided secret key in secret or in values?
Then why run aplication using ArgoCD finished with failed status and complains about missing secret key?

[MrUsefull]

I have the same issue without argo