
Run authentik using ArgoCD finished with error about missing provided secret key #206

Open
lukasz18dg opened this issue Oct 24, 2023 · 1 comment

Comments

@lukasz18dg

Scenario:

  1. There is a private repository from which Argo reads the information about the application. Argo is installed on an Oracle VPS => Kubernetes.
    In my case I had one application which reads the other applications from a specific folder => apps
    Definition:
project: default
source:
  repoURL: 'git@github.com:<censored>'
  path: apps
  targetRevision: HEAD
  directory:
    recurse: true
    jsonnet: {}
destination:
  server: 'https://kubernetes.default.svc'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - Validate=true
    - PruneLast=true
    - RespectIgnoreDifferences=false
    - ApplyOutOfSyncOnly=false
    - ServerSideApply=true
    - Replace=false
  retry:
    limit: 3
    backoff:
      duration: 60s
      factor: 2
      maxDuration: 3m0s
  2. In apps I had a folder: authentik
    That folder has several files, like:
    Chart.yaml
apiVersion: v2
name: goauthentik
description: An Umbrella Helm chart
type: application
version: 0.1.0
appVersion: "1.0"

# Umbrella chart: Helm hands the `authentik` dependency only the values
# that sit under an `authentik:` key in this chart's values.yaml (plus
# `global:`); other top-level keys of values.yaml stay with the umbrella.
dependencies:
- name: authentik
  version: 2023.*
  repository: https://charts.goauthentik.io/

application.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    name: ''
    namespace: authentik
    server: 'https://kubernetes.default.svc'
  source:
    path: apps/authentik
    repoURL: 'git@github.com:<censored>'
    targetRevision: HEAD
    helm:
      valueFiles:
      - values.yaml
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground

values.yaml

replicas: 1
priorityClassName:
securityContext: {}

worker:
  replicas: 1
  priorityClassName:
  securityContext: {}

image:
  repository: ghcr.io/goauthentik/server
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

initContainers: {}

additionalContainers: {}

ingress:
  enabled: false
  ingressClassName: "traefik-ingress"
  annotations: {
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  }
  labels: {}
  hosts:
    - host: <censored my domain>
      paths:
        - path: "/"
          pathType: Prefix
  tls: []

annotations: {}

podAnnotations: {}

# In an umbrella chart this `authentik:` mapping is what the dependency
# receives as its own top-level values.
authentik:
  log_level: error
  # This value is committed to the repository in clear text, so everyone
  # with read access to the repo can read it.
  secret_key: "<censored some value>"
  geoip: /geoip/GeoLite2-City.mmdb
  email:
    host: ""
    port: 587
    username: ""
    password: ""
    use_tls: false
    use_ssl: false
    timeout: 30
    from: ""
  outposts:
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    enabled: false
    environment: "k8s"
    send_pii: false
  redis:
    host: "{{ .Release.Name }}-redis-master"
    password: ""
  # Duplicate mapping key: `geoip` is already defined above as a file path;
  # strict YAML parsers reject duplicate keys, lenient ones keep one of the two.
  geoip:
    enabled: false

blueprints: []

# Secret, so the DB connection details are not written into values.yaml
envFrom:
  - secretRef:
      name: authentik-secret

envValueFrom: {}

service:
  enabled: true
  type: ClusterIP
  port: 80
  name: http
  protocol: TCP
  labels: {}
  annotations: {}

volumes: []

volumeMounts: []

affinity: {}

tolerations: []

nodeSelector: {}

resources:
  server: {}
  worker: {}

autoscaling:
  server:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
  worker:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80

livenessProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10

startupProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  failureThreshold: 60
  periodSeconds: 5

readinessProbe:
  enabled: true
  httpGet:
    path: /-/health/ready/
    port: http
  periodSeconds: 10

serviceAccount:
  create: true
  annotations: {}
  serviceAccountSecret:
    enabled: false

prometheus:
  serviceMonitor:
    create: false
    interval: 30s
    scrapeTimeout: 3s
    labels: {}
  rules:
    create: false
    labels: {}

postgresql:
  enabled: false

redis:
  enabled: true

sealed-psql-secret.yml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: authentik-secret
  namespace: authentik
spec:
  encryptedData:
    AUTHENTIK_POSTGRESQL__HOST: <censored>
    AUTHENTIK_POSTGRESQL__NAME: <censored>
    AUTHENTIK_POSTGRESQL__PASSWORD: <censored>
    AUTHENTIK_POSTGRESQL__USER: <censored>
    AUTHENTIK_SECRET_KEY: <censored>
  template:
    metadata:
      creationTimestamp: null
      name: authentik-secret
      namespace: authentik
    # `type` here is the Secret's type (normally Opaque); `stringData` is a
    # field of a Secret, not a Secret type.
    type: stringData
---

  3. Commit the changes and check whether Argo runs authentik correctly.

Reality: No, it finished with an error on the pods:
authentik-server-
authentik-worker-



{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4328628, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4334147, "count": 28}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4335992}
{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336236}
{"event": "Secret key missing, check https://goauthentik.io/docs/installation/.", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.433638}
{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336486}

However, as you can see, I provided the secret key in the secret as well as in the values.
So why does running the application with ArgoCD finish with a failed status and complain about a missing secret key?
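An added example, not code from the issue author or from the authentik project: a plain-Python model of how Helm scopes values for a dependency of an umbrella chart. Helm's documented rule is that a subchart only receives the mapping stored under its own name in the parent's values (plus `global:`); every other top-level key stays with the umbrella chart. Applied to the values.yaml layout posted above, the dependency named `authentik` in Chart.yaml receives `{log_level, secret_key, redis, ...}` as its own top-level values, so neither `authentik.secret_key` nor the top-level `envFrom` exists from the subchart's point of view. The dicts are a trimmed, constructed copy of the posted layout with a placeholder key; the `flatten_env` naming (`AUTHENTIK_REDIS__HOST`) follows the variable names visible in the SealedSecret and is an assumption about how the chart turns its `authentik:` values into pod environment variables.

```python
"""Helm umbrella-chart value scoping, modelled in plain Python.

Constructed example built around the values.yaml layout in the issue;
the secret value is a placeholder, not the real key.
"""
import copy


def subchart_values(umbrella_values: dict, subchart: str) -> dict:
    """Values a dependency named `subchart` receives when the umbrella chart
    renders (Helm's documented rule): the mapping stored under its own name,
    plus the shared `global` mapping, with the parent's globals winning.
    Other top-level keys of the umbrella values are NOT forwarded."""
    scoped = copy.deepcopy(umbrella_values.get(subchart) or {})
    parent_globals = umbrella_values.get("global") or {}
    if parent_globals:
        merged = dict(scoped.get("global") or {})
        merged.update(parent_globals)
        scoped["global"] = merged
    return scoped


def flatten_env(section: dict, prefix: str = "AUTHENTIK") -> dict:
    """Flatten a nested mapping into AUTHENTIK_* variable names, joining
    nested levels with a double underscore, the naming the issue's
    SealedSecret uses (AUTHENTIK_POSTGRESQL__HOST). Assumption: this is how
    the chart maps its `authentik:` values onto pod environment variables."""
    env = {}
    for key, value in section.items():
        name = f"{prefix}_{key.upper()}"
        if isinstance(value, dict):
            # nested mapping -> next level is joined with "__"
            env.update(flatten_env(value, prefix=name + "_"))
        else:
            env[name] = "" if value is None else str(value)
    return env


def secret_key_sources(chart_values: dict) -> list:
    """Where AUTHENTIK_SECRET_KEY can come from, given the values the
    authentik chart itself sees: its own `authentik.secret_key` value and
    any Secret referenced through `envFrom` (assumed to be passed through
    to the server and worker pods)."""
    sources = []
    own_env = flatten_env(chart_values.get("authentik") or {})
    if own_env.get("AUTHENTIK_SECRET_KEY"):
        sources.append("values:authentik.secret_key")
    for ref in chart_values.get("envFrom") or []:
        name = (ref.get("secretRef") or {}).get("name")
        if name:
            sources.append(f"envFrom:secretRef/{name}")
    return sources


# Constructed: the layout posted in the issue, trimmed. Every key sits at the
# top level of the umbrella chart's values.yaml.
ISSUE_VALUES = {
    "replicas": 1,
    "authentik": {
        "log_level": "error",
        "secret_key": "example-not-a-real-key",  # placeholder
        "redis": {"host": "{{ .Release.Name }}-redis-master", "password": ""},
    },
    "envFrom": [{"secretRef": {"name": "authentik-secret"}}],
    "postgresql": {"enabled": False},
    "redis": {"enabled": True},
}

# The same content nested under the dependency's name from Chart.yaml, which
# is what the umbrella chart needs for the subchart to see any of it.
FIXED_VALUES = {"authentik": copy.deepcopy(ISSUE_VALUES)}


def main():
    for label, values in (("as posted", ISSUE_VALUES), ("nested", FIXED_VALUES)):
        seen = subchart_values(values, "authentik")
        print(f"{label}: subchart sees top-level keys {sorted(seen)}")
        print("  secret key sources:", secret_key_sources(seen) or "none")
        print("  env from authentik.*:", sorted(flatten_env(seen.get("authentik") or {})))


if __name__ == "__main__":
    main()
```

With the posted layout the subchart sees no `authentik.secret_key` and no `envFrom` at all, which is consistent with the "Secret key missing" line in the log; with the whole block nested under `authentik:` both sources reappear. To confirm against the real chart rather than this model, run `helm dependency update` in the `apps/authentik` folder and then `helm template . -f values.yaml`, and look for `AUTHENTIK_SECRET_KEY` or the `envFrom` entry in the rendered server and worker Deployments. Once the scoping is fixed, keep the key only in the SealedSecret: a `secret_key` in values.yaml is stored in clear text in the repository.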

@MrUsefull

I have the same issue without Argo.
