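# database-system/postgresql/authentik-database.yaml
---
# CloudNativePG Database resource: declares the "authentik" database on the
# "postgresql" cluster and names "authentik" as its owner role.
# NOTE(review): the owner role is only created by the Job below, so this
# resource presumably cannot reconcile until that role exists - confirm the
# ordering in your deployment tooling.
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
  name: authentik
  namespace: database-system
spec:
  cluster:
    name: postgresql
  name: authentik
  owner: authentik
---
# Grant permissions job
#
# One-shot Job that connects as the "postgres" superuser, creates the
# "authentik" login role with the password held in the "authentik-user"
# Secret, and grants it privileges on the public schema of the "authentik"
# database.
#
# NOTE(review): this Job holds superuser credentials and performs role
# management imperatively. CloudNativePG can also manage roles declaratively
# (Cluster `spec.managed.roles` with a `passwordSecret`), which would remove
# the need for a superuser-credentialed pod - consider migrating.
apiVersion: batch/v1
kind: Job
metadata:
  name: authentik-grant-permissions
  namespace: database-system
spec:
  template:
    spec:
      # OnFailure restarts the container in place, so the script must be safe
      # to re-run (see the idempotent role creation below).
      restartPolicy: OnFailure
      containers:
        - name: psql
          # NOTE(review): a tag is mutable; pin the image by digest once the
          # expected digest has been verified.
          image: ghcr.io/cloudnative-pg/postgresql:17.2
          # psql needs no extra privileges; drop what the runtime would
          # otherwise grant by default.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: PGHOST
              value: postgresql-rw
            - name: PGUSER
              value: postgres
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-superuser
                  key: password
          command:
            - /bin/sh
            - -c
            - |
              # Fail fast: without this the exit status of the script is only
              # that of the last psql call, hiding earlier failures.
              set -eu

              # The password is read by psql itself (backquote expansion in
              # \set) and inserted with :'var' / %L quoting. It therefore
              # never appears on a command line, and a password containing
              # a quote character cannot change the statement.
              # The role is created only when missing, so a retry after a
              # partial run does not fail on "role already exists".
              # Caveat: the generated CREATE USER statement still carries the
              # cleartext password to the server and may be recorded by
              # statement logging.
              psql -v ON_ERROR_STOP=1 <<'SQL'
              \set authentik_password `cat /secrets/authentik-password`
              SELECT format('CREATE USER authentik WITH PASSWORD %L', :'authentik_password')
              WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authentik') \gexec
              SQL

              # These grants only cover objects that exist when the Job runs.
              psql -v ON_ERROR_STOP=1 -d authentik <<'SQL'
              GRANT ALL PRIVILEGES ON SCHEMA public TO authentik;
              GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO authentik;
              GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO authentik;
              SQL
          volumeMounts:
            - name: authentik-password
              mountPath: /secrets
              readOnly: true
      volumes:
        # The Secret must live in the database-system namespace.
        # NOTE(review): the script reads /secrets/authentik-password, which
        # assumes the Secret has a key named "authentik-password" - confirm.
        - name: authentik-password
          secret:
            secretName: authentik-user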