Provision Authentik Database

Create a PostgreSQL database and user for Authentik on the existing CNPG cluster.

What Was Done

1. Added authentik managed role to blumeops-pg CNPG cluster (argocd/manifests/databases/blumeops-pg.yaml) — non-superuser with createdb and login
2. Created ExternalSecret blumeops-pg-authentik pulling password from 1Password item “Authentik (blumeops)” field postgresql-password
3. Synced CNPG cluster — role reconciled with password set
4. Created authentik database owned by authentik user
5. Verified cross-cluster connectivity: ringtail pod → pg.ops.eblu.me:5432 (Caddy L4)

Resolved Questions

• Hostname: pg.ops.eblu.me via Caddy L4 plugin (not MagicDNS)
• Permissions: Non-superuser with createdb — Authentik manages its own schema via migrations

Related

• deploy-authentik — Parent goal
• postgresql — CNPG cluster reference