diff --git a/authentik-application/Chart.yaml b/authentik-application/Chart.yaml
index 4820932..487396c 100644
--- a/authentik-application/Chart.yaml
+++ b/authentik-application/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: authentik-application
 description: "A Chart to deploy a secret for the authentik blueprint-sidecar."
 type: application
-version: "0.4.3"
+version: "0.4.4"
 maintainers:
 - name: WrenIX
 url: https://wrenix.eu
diff --git a/authentik-application/README.adoc b/authentik-application/README.adoc
deleted file mode 100644
index 71f4efc..0000000
--- a/authentik-application/README.adoc
+++ /dev/null
@@ -1,284 +0,0 @@ - - -= authentik-application - -image::https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square[Version: 0.4.3] -image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] -== Maintainers - -.Maintainers -|=== -| Name | Email | Url - -| WrenIX -| -| -|=== - -## Pre-Requirement -Usage of https://github.com/goauthentik/helm/pull/146 - -## or manual: -Install authentik with this `values.yaml`: -```yaml -serviceAccount: - create: true - -additionalContainers: - - name: sidecar-blueprints - image: "ghcr.io/kiwigrid/k8s-sidecar:1.25.1" - env: - - name: "FOLDER" - value: "/blueprints/sidecar" - - name: "LABEL" - value: "goauthentik_blueprint" - - name: "LABEL_VALUE" - value: "1" - # - name: "NAMESPACE" - # value: "ALL" - - name: "RESOURCE" - value: "both" - - name: "UNIQUE_FILENAMES" - value: "true" - volumeMounts: - - name: sidecar-blueprints - mountPath: /blueprints/sidecar - -volumeMounts: - - name: sidecar-blueprints - mountPath: /blueprints/sidecar - -volumes: - - name: sidecar-blueprints - emptyDir: {} -``` - -And create an Role and bind them on to the ServiceAccount to read secrets: -```yaml ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: authentik-blueprint-sidecar -rules: - - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: authentik-blueprint-sidecar -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: authentik-blueprint-sidecar -subjects: - - kind: ServiceAccount - name: authentik -``` - -== Usage - -Helm must be installed and setup to your kubernetes cluster to use the charts. -Refer to Helm's https://helm.sh/docs[documentation] to get started. 
-Once Helm has been set up correctly, fetch the charts as follows: - -[source,bash] ----- -helm pull oci://codeberg.org/wrenix/helm-charts/authentik-application ----- - -You can install a chart release using the following command: - -[source,bash] ----- -helm install authentik-application-release oci://codeberg.org/wrenix/helm-charts/authentik-application --values values.yaml ----- - -To uninstall a chart release use `helm`'s delete command: - -[source,bash] ----- -helm uninstall authentik-application-release ----- - -== Values - -.Values -|=== -| Key | Type | Default | Description - -| blueprint.application.bindPolicyID -| string -| `nil` -| uuid for bindPolicyID for group - if not set generated on secret for be stable (or groups: [] filled) - -| blueprint.application.description -| string -| `""` -| description of application - -| blueprint.application.group -| string -| `""` -| put this application in authentik in group - -| blueprint.application.icon -| string -| `""` -| icon of application (url) - -| blueprint.application.launchURL -| string -| `""` -| - -| blueprint.application.name -| string -| `""` -| application name in menu - -| blueprint.application.openInNewTab -| bool -| `false` -| open application in new tab - -| blueprint.application.policyEngineMode -| string -| `"any"` -| - -| blueprint.application.publisher -| string -| `""` -| publisher of application - -| blueprint.application.slug -| string -| `"app-name"` -| application slug - -| blueprint.authentik.domain -| string -| `"https://auth.wrenix.eu"` -| domain to authentik, used in generated url (like issuer) - -| blueprint.groups -| string -| `nil` -| authentik groups created / give access to this application disable any groups by set groups: [] (to a slice) example: - slug: "app: grafana-admin" parent: "app: infra" bindID: uuid - -| blueprint.labels -| object -| `{"goauthentik_blueprint":"1"}` -| label of generated secret with blueprint - -| blueprint.provider.authorizationFlow -| string -| 
`"default-provider-authorization-implicit-consent"` -| - -| blueprint.provider.enabled -| bool -| `true` -| creat an provider for authentification (otherwise just a like in menu is created) - -| blueprint.provider.name -| string -| `""` -| - -| blueprint.provider.oidc.clientID -| string -| `nil` -| client id - generated if secret enabled - -| blueprint.provider.oidc.clientSecret -| string -| `nil` -| client secret - generated if secret enabled - -| blueprint.provider.oidc.clientType -| string -| `"confidential"` -| - -| blueprint.provider.oidc.redirectURL -| string -| `""` -| - -| blueprint.provider.oidc.scopes -| string -| `nil` -| Scope - -| blueprint.provider.oidc.signingKey -| string -| `""` -| Need for non-curve / RSA - -| blueprint.provider.proxy.cookieDomain -| string -| `""` -| - -| blueprint.provider.proxy.externalHost -| string -| `nil` -| - -| blueprint.provider.proxy.ingress.annotations -| list -| `[]` -| annotations to ingress for outpost - -| blueprint.provider.proxy.ingress.backend -| string -| `"authentik"` -| service backend to authentik - -| blueprint.provider.proxy.ingress.domain -| string -| `nil` -| domain of application (where outpost should be deployed) - -| blueprint.provider.proxy.ingress.enabled -| bool -| `false` -| deploy ingress on application domain for e.g. logout (WIP) - -| blueprint.provider.proxy.ingress.tls -| list -| `[]` -| tls to ingress for outpost - -| blueprint.provider.proxy.skipPathRegex -| string -| `""` -| - -| blueprint.provider.saml -| string -| `nil` -| - -| blueprint.provider.type -| string -| `"oidc"` -| type of application connection, current support: oidc, saml and proxy - -| secret.labels -| object -| `{}` -| label of secret to store generated secret - -| secret.name -| string -| `""` -| name of secret to store generated secret (like clientI) -|=== - -Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs] - 
diff --git a/authentik-application/README.md b/authentik-application/README.md
index 83d2f8b..d030537 100644
--- a/authentik-application/README.md
+++ b/authentik-application/README.md
@@ -7,7 +7,7 @@ description: "A Chart to deploy a secret for the authentik blueprint-sidecar."
 # authentik-application
-![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 A Chart to deploy a secret for the authentik blueprint-sidecar.
diff --git a/authentik-application/files/provider/oidc.yaml.gotmpl b/authentik-application/files/provider/oidc.yaml.gotmpl
index 6468f57..9c7d82d 100644
--- a/authentik-application/files/provider/oidc.yaml.gotmpl
+++ b/authentik-application/files/provider/oidc.yaml.gotmpl
@@ -26,7 +26,8 @@
 client_type: {{ .clientType | quote }}
 client_id: {{ $clientID | quote }}
 client_secret: {{ $clientSecret | quote }}
- redirect_uris: {{ .redirectURL }}
+ redirect_uris:
+ - {{ .redirectURL | quote }}
 {{- with .tokenDuration }}
 access_token_validity: {{ . | quote }}
 {{- end }}
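Review bot: With the chart's documented default `blueprint.provider.oidc.redirectURL: ""` (values table of the README.adoc removed in this same commit, assuming values.yaml is unchanged) the new list form renders a provider whose only redirect URI is the empty string, whereas the old scalar form rendered `redirect_uris:` with no value; how authentik treats a literal `""` entry depends on its version and is unlikely to be what an operator wants for an OAuth2 client. I'd fail the render instead of emitting it, `- {{ .redirectURL | required "blueprint.provider.oidc.redirectURL must be set" | quote }}`, or wrap the key in `{{- with .redirectURL }}` … `{{- end }}` if an unset URI is meant to fall back to authentik's own behaviour. Quoting the value is the right fix for the unquoted interpolation on the removed line, but only one URI can be expressed because `.redirectURL` is a scalar, and a comment above the key should say so. That comment should also note that older authentik releases full-match each entry as a regular expression (an unescaped `.` in the host part widens the allowed redirect target) while newer ones expect a `matching_mode`/`url` object per entry — the targeted authentik version is not visible in this hunk, so confirm against the chart's pre-requisites before relying on strict matching. The enclosing provider mapping starts before and ends after this hunk.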