From be8bc01370347ea28f3c6dc6eaed396808e2c11d Mon Sep 17 00:00:00 2001 From: Zoe Roux Date: Thu, 17 Jul 2025 13:57:20 +0200 Subject: [PATCH] Fix authentik cert ns --- apps/authentik.yaml | 9 +++++++-- apps/postgres/ca.yaml | 5 +++-- apps/postgres/certs.yaml | 4 ++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/apps/authentik.yaml b/apps/authentik.yaml index 483c3fb..0cbf611 100644 --- a/apps/authentik.yaml +++ b/apps/authentik.yaml @@ -29,13 +29,19 @@ spec: env: - name: AUTHENTIK_POSTGRESQL__SSLCERT value: /var/postgres-ssl/tls.crt + - name: AUTHENTIK_POSTGRESQL__SSLKEY + value: /var/postgres-ssl/tls.key volumeMounts: - name: postgres-cert mountPath: /var/postgres-ssl volumes: - name: postgres-cert secret: + defaultMode: 0640 secretName: postgres-authentik + securityContext: + fsGroup: 1001 + runAsUser: 1001 ingress: enabled: true @@ -64,7 +70,6 @@ spec: kind: Certificate metadata: name: postgres-authentik - namespace: postgres spec: secretName: postgres-authentik usages: @@ -73,5 +78,5 @@ spec: commonName: authentik issuerRef: name: postgres-ca - kind: Issuer + kind: ClusterIssuer group: cert-manager.io diff --git a/apps/postgres/ca.yaml b/apps/postgres/ca.yaml index 0cd8d9b..5233953 100644 --- a/apps/postgres/ca.yaml +++ b/apps/postgres/ca.yaml @@ -2,7 +2,8 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: postgres-ca - namespace: postgres + # cert needs to be on the cluster's default resource ns aka cert-manager by default + namespace: cert-manager spec: isCA: true commonName: postgres-ca @@ -16,7 +17,7 @@ spec: group: cert-manager.io --- apiVersion: cert-manager.io/v1 -kind: Issuer +kind: ClusterIssuer metadata: name: postgres-ca namespace: postgres diff --git a/apps/postgres/certs.yaml b/apps/postgres/certs.yaml index 0c5f057..11c170e 100644 --- a/apps/postgres/certs.yaml +++ b/apps/postgres/certs.yaml 
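Review bot: `defaultMode: 0640` in the first apps/authentik.yaml hunk only yields the intended permissions if the loader treats a leading zero as octal; a YAML 1.2 or JSON-based path would read it as decimal 640, which is not the intended mode for the volume that now carries `tls.key`. Writing the decimal form removes the ambiguity: `defaultMode: 416  # 0640, group-readable via fsGroup`. The added `runAsUser: 1001` and `fsGroup: 1001` do not say where 1001 comes from, so a short comment tying it to the UID the image runs as would help. If the chart passes this block through as a pod securityContext (not visible here), `runAsNonRoot: true` could be added. The enclosing `spec:` block starts and ends outside the hunk.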
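Review bot: Switching `issuerRef.kind` to `ClusterIssuer` (here at `@@ -73,5 +78,5 @@`, in apps/postgres/ca.yaml and in both apps/postgres/certs.yaml hunks) makes `postgres-ca` usable from every namespace, so any principal allowed to create `Certificate` resources anywhere in the cluster can obtain a client certificate with an arbitrary `commonName` signed by the database CA. If PostgreSQL maps the certificate CN to a role, as `commonName: authentik` and `commonName: streaming_replica` suggest, the CA alone no longer limits who can assert those identities. Consider restricting issuance, for example with cert-manager's approver-policy or tighter RBAC on `certificates.cert-manager.io`, and record the decision next to the issuer with a comment such as `# cluster-scoped so the authentik namespace can request client certs; issuance is restricted by policy`.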
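Review bot: The comment added above `namespace: cert-manager` in the first apps/postgres/ca.yaml hunk does not say which component imposes the requirement. A ClusterIssuer resolves its CA secret in cert-manager's cluster resource namespace, so `# ClusterIssuer reads its CA secret from cert-manager's --cluster-resource-namespace (default: cert-manager)` would be clearer. Moving the Certificate also places the CA private key secret in `cert-manager`, so secret read access in that namespace is worth reviewing, since it now amounts to control of the Postgres CA. The `secretName` of this Certificate is outside the hunk.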
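Review bot: After `kind: Issuer` becomes `kind: ClusterIssuer` at `@@ -16,7 +17,7 @@` in apps/postgres/ca.yaml, the context line `namespace: postgres` is still present under `metadata`. ClusterIssuer is a cluster-scoped resource, so the field has no effect and suggests a scoping that no longer exists. Dropping that line would keep the manifest from misleading a reader about where the CA can be used. The rest of the ClusterIssuer spec is outside the hunk.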
@@ -22,7 +22,7 @@ spec: - postgres-cluster-ro.postgres.svc issuerRef: name: postgres-ca - kind: Issuer + kind: ClusterIssuer group: cert-manager.io --- apiVersion: cert-manager.io/v1 @@ -36,5 +36,5 @@ spec: commonName: streaming_replica issuerRef: name: postgres-ca - kind: Issuer + kind: ClusterIssuer group: cert-manager.io