From 273dea0953d212ee3ee566097a1693fdf4d2dfa8 Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Sun, 3 Sep 2023 14:58:07 +0200
Subject: [PATCH] fix(authentik-application): init
---
authentik-application/.helmignore | 23 +++
authentik-application/Chart.yaml | 6 +
authentik-application/README.adoc | 51 +++++++
authentik-application/templates/_helpers.tpl | 62 ++++++++
authentik-application/templates/secrets.yaml | 147 +++++++++++++++++++
authentik-application/values.yaml | 35 +++++
6 files changed, 324 insertions(+)
create mode 100644 authentik-application/.helmignore
create mode 100644 authentik-application/Chart.yaml
create mode 100644 authentik-application/README.adoc
create mode 100644 authentik-application/templates/_helpers.tpl
create mode 100644 authentik-application/templates/secrets.yaml
create mode 100644 authentik-application/values.yaml
diff --git a/authentik-application/.helmignore b/authentik-application/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/authentik-application/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/authentik-application/Chart.yaml b/authentik-application/Chart.yaml
new file mode 100644
index 0000000..970d3f9
--- /dev/null
+++ b/authentik-application/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: authentik-application
+description: A Chart to deploy a secret for the authentik blueprint-sidecar
+type: application
+
+version: 0.1.0
\ No newline at end of file
diff --git a/authentik-application/README.adoc b/authentik-application/README.adoc
new file mode 100644
index 0000000..885d803
--- /dev/null
+++ b/authentik-application/README.adoc
@@ -0,0 +1,51 @@
+= Authentik Application
+
+setup configmap with blueprint for goauthentik and store values in secrets
+
+
+Usage with FluxCD:
+[source,yaml]
+----
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: app-oauth2
+spec:
+ interval: 5m
+ chart:
+ spec:
+ sourceRef:
+ kind: GitRepository
+ name: "wrenix-helm-charts"
+ namespace: "infra"
+ chart: './charts/authentik-application'
+ reconcileStrategy: 'Revision'
+ interval: 1m
+ install:
+ crds: CreateReplace
+ remediation:
+ retries: -1
+ disableWait: true
+ upgrade:
+ crds: CreateReplace
+ remediation:
+ retries: -1
+ disableWait: true
+ force: true
+ values:
+ secret:
+ name: "oidc-auth"
+ blueprint:
+ provider:
+ name: "GitOps"
+ redirectURL: "https://application.domain/oauth2/callback"
+ signingKey: "authentik Self-signed Certificate"
+ scopes:
+ - "email"
+ application:
+ name: "The Application"
+ slug: "app"
+ group: "Infrastructure"
+ launchURL: "https://application.domain/"
+ openInNewTab: True
+----
diff --git a/authentik-application/templates/_helpers.tpl b/authentik-application/templates/_helpers.tpl
new file mode 100644
index 0000000..3eb9b18
--- /dev/null
+++ b/authentik-application/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "authentik-application.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "authentik-application.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "authentik-application.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "authentik-application.labels" -}}
+helm.sh/chart: {{ include "authentik-application.chart" . }}
+{{ include "authentik-application.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "authentik-application.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "authentik-application.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "authentik-application.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "authentik-application.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/authentik-application/templates/secrets.yaml b/authentik-application/templates/secrets.yaml
new file mode 100644
index 0000000..3d9e322
--- /dev/null
+++ b/authentik-application/templates/secrets.yaml
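Review bot: `authentik-application.serviceAccountName` dereferences `.Values.serviceAccount.create`, but the values.yaml in this patch defines no `serviceAccount` section, so any template that included this helper would abort rendering with a nil-pointer error on that line; as far as the patch shows nothing includes it, so it is dead scaffolding from `helm create`. Either drop the definition or add `serviceAccount: {create: false, name: ""}` to values.yaml so the helper stays renderable. `nameOverride` and `fullnameOverride`, read by the `name`/`fullname` helpers, are likewise absent from values.yaml; those only resolve to nil (which `default` handles), so they need a values entry only for discoverability.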
@@ -0,0 +1,147 @@
+{{- $clientID := .Values.blueprint.provider.clientID }}
+{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
+{{- if .Values.secret.enabled }}
+---
+{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ labels:
+ {{- include "authentik-application.labels" . | nindent 4 }}
+ {{- with .Values.secret.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+stringData:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+
+ issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
+ {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
+ {{- $clientID = .Values.blueprint.provider.clientID | default ($clientIDCoded | b64dec) }}
+ clientID: {{ $clientID | quote }}
+ {{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
+ {{- $clientSecret = .Values.blueprint.provider.clientSecret | default ($clientSecretCoded | b64dec) }}
+ clientSecret: {{ $clientSecret | quote }}
+ redirectURL: {{ .Values.blueprint.provider.redirectURL }}
+ {{- with .Values.blueprint.provider.tokenDuration }}
+ tokenDuration: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.provider.scopes }}
+ customScopes: {{ . | join "," | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.provider.claimUsername }}
+ claimUsername: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.provider.claimGroups }}
+ claimGroups: {{ . | quote }}
+ {{- end }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "authentik-application.fullname" . }}-blueprint
+ labels:
+ {{- include "authentik-application.labels" . | nindent 4 }}
+ {{- with .Values.blueprint.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+stringData:
+ blueprint.yaml: |-
+ version: 1
+ metadata:
+ name: {{ include "authentik-application.fullname" . }}
+ entries:
+
+ - model: authentik_providers_oauth2.OAuth2Provider
+ id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+ identifiers:
+ name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+ state: present
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
+ client_type: {{ .Values.blueprint.provider.clientType | quote }}
+ client_id: {{ $clientID | quote }}
+ client_secret: {{ $clientSecret | quote }}
+ redirect_uris: {{ .Values.blueprint.provider.redirectURL }}
+ {{- with .Values.blueprint.provider.tokenDuration }}
+ access_token_validity: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.provider.signingKey }}
+ signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
+ {{- end }}
+ {{- with .Values.blueprint.provider.scopes }}
+ property_mappings:
+ {{- range . }}
+ - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
+ {{- end }}
+ {{- end }}
+
+ - model: authentik_core.Application
+ id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
+ identifiers:
+ slug: {{ .Values.blueprint.application.slug }}
+ state: present
+ attrs:
+ name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
+ slug: {{ .Values.blueprint.application.slug }}
+ provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+ policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
+ {{- with .Values.blueprint.application.group }}
+ group: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.application.launchURL }}
+ meta_launch_url: {{ . | quote }}
+ {{- end }}
+ open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
+ {{- with .Values.blueprint.application.icon }}
+ meta_icon: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.application.description }}
+ meta_description: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.blueprint.application.publisher }}
+ meta_publisher: {{ . | quote }}
+ {{- end }}
+
+ {{- if (eq (len .Values.blueprint.groups) 0) }}
+
+ - model: authentik_core.group
+ id: "app: {{ .Values.blueprint.application.slug }}"
+ identifiers:
+ name: "app: {{ .Values.blueprint.application.slug }}"
+ state: "present"
+ attrs:
+ name: "app: {{ .Values.blueprint.application.slug }}"
+
+ - model: authentik_policies.PolicyBinding
+ id: "app: {{ .Values.blueprint.application.slug }}"
+ identifiers:
+ group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
+ attrs:
+ group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
+ order: 10
+ target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
+ {{- end }}
+
+ {{- range $group := .Values.blueprint.groups }}
+
+ - model: authentik_core.group
+ id: {{ $group.slug | quote }}
+ identifiers:
+ name: {{ $group.slug | quote }}
+ state: {{ $group.state | default "present" | quote }}
+ attrs:
+ name: {{ $group.slug | quote }}
+
+ - model: authentik_policies.PolicyBinding
+ id: {{ $group.slug | quote }}
+ identifiers:
+ group: !KeyOf {{ $group.slug | quote }}
+ attrs:
+ group: !KeyOf {{ $group.slug | quote}}
+ order: 10
+ target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
+ {{- end }}
+
diff --git a/authentik-application/values.yaml b/authentik-application/values.yaml
new file mode 100644
index 0000000..87ce2bb
--- /dev/null
+++ b/authentik-application/values.yaml
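Review bot: With `secret.enabled: false` and no explicit `blueprint.provider.clientID`/`clientSecret`, `$clientID` and `$clientSecret` keep the nil they were initialised with at the top of the file, and the blueprint Secret renders `client_id: ""` and `client_secret: ""`, so authentik is handed an OAuth2 provider with empty credentials instead of the render failing; the generate-or-reuse logic only runs inside the `if .Values.secret.enabled` block. Guard the two blueprint lines with `required`, e.g. `client_secret: {{ required "set blueprint.provider.clientSecret when secret.enabled is false" $clientSecret | quote }}`, and the same for `client_id`. Several values are spliced into the blueprint YAML unquoted — `redirect_uris`, both `slug` lines, `policy_engine_mode`, and the `!Find` selectors for `authorizationFlow`, `signingKey` and each scope — so a value containing `: `, ` #`, `,` or `]` changes the structure of the rendered document rather than just the field; pipe them through `quote` like the neighbouring fields already do. A comment above the `lookup` call would also help operators, along the lines of `# lookup returns an empty map under helm template / client-side dry-run, so clientID and clientSecret are regenerated on every such render; only a server-side install/upgrade keeps them stable`.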
@@ -0,0 +1,35 @@
+secret:
+ enabled: true
+ name: ""
+ labels: {}
+
+blueprint:
+ authentik:
+ domain: "https://auth.wrenix.eu"
+ labels:
+ goauthentik_blueprint: "1"
+ provider:
+ name: ""
+ authorizationFlow: "default-provider-authorization-implicit-consent"
+ clientType: "confidential"
+ # -- client id - generated if secret enabled
+ clientID:
+ # -- client secret - generated if secret enabled
+ clientSecret:
+ redirectURL: ""
+ # -- Need for non-curve / RSA
+ signingKey: ""
+ # -- Scope
+ scopes:
+ application:
+ name: ""
+ slug: "app-name"
+ policyEngineMode: "any"
+ group: ""
+ launchURL: ""
+ openInNewTab: false
+ icon: ""
+ description: ""
+ publisher: ""
+ # - additional groups
+ groups: []
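Review bot: `blueprint.authentik.domain` defaults to `"https://auth.wrenix.eu"`, which looks like the author's own instance, so a consumer who forgets to override it gets an `issuerURL` in their Secret that points at a foreign identity provider instead of a render error; make the default `""` and have secrets.yaml fail on it with `required`. `provider.clientID`, `provider.clientSecret` and `provider.scopes` are bare keys that parse as null — this works with the `default`/`with` logic in secrets.yaml but reads as an accidental omission; `clientID: ""`, `clientSecret: ""` and `scopes: []` state the intent. The `# - additional groups` comment also breaks the `# --` helm-docs prefix used on the other annotated keys.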