fix(authentik-application): init

authentik-application/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

authentik-application/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: authentik-application
+description: A Chart to deploy a secret for the authentik blueprint-sidecar
+type: application
+
+version: 0.1.0

authentik-application/README.adoc

@@ -0,0 +1,51 @@
+= Authentik Application
+
+setup configmap with blueprint for goauthentik and store values in secrets
+
+
+Usage with FluxCD:
+[source,yaml]
+----
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: app-oauth2
+spec:
+  interval: 5m
+  chart:
+    spec:
+      sourceRef:
+        kind: GitRepository
+        name: "wrenix-helm-charts"
+        namespace: "infra"
+      chart: './charts/authentik-application'
+      reconcileStrategy: 'Revision'
+      interval: 1m
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: -1
+    disableWait: true
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: -1
+    disableWait: true
+    force: true
+  values:
+    secret:
+      name: "oidc-auth"
+    blueprint:
+      provider:
+        name: "GitOps"
+        redirectURL: "https://application.domain/oauth2/callback"
+        signingKey: "authentik Self-signed Certificate"
+        scopes:
+          - "email"
+      application:
+        name: "The Application"
+        slug: "app"
+        group: "Infrastructure"
+        launchURL: "https://application.domain/"
+        openInNewTab: True
+----

authentik-application/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "authentik-application.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "authentik-application.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "authentik-application.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "authentik-application.labels" -}}
+helm.sh/chart: {{ include "authentik-application.chart" . }}
+{{ include "authentik-application.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "authentik-application.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "authentik-application.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "authentik-application.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "authentik-application.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

authentik-application/templates/secrets.yaml

@@ -0,0 +1,147 @@
+{{- $clientID := .Values.blueprint.provider.clientID }}
+{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
+{{- if .Values.secret.enabled }}
+---
+{{- $secretName :=  .Values.secret.name | default (include "authentik-application.fullname" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "authentik-application.labels" . | nindent 4 }}
+    {{- with .Values.secret.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+stringData:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+
+  issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
+  {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
+  {{- $clientID = .Values.blueprint.provider.clientID | default ($clientIDCoded | b64dec) }}
+  clientID: {{ $clientID | quote }}
+  {{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
+  {{- $clientSecret = .Values.blueprint.provider.clientSecret | default ($clientSecretCoded | b64dec) }}
+  clientSecret: {{ $clientSecret | quote }}
+  redirectURL: {{ .Values.blueprint.provider.redirectURL }}
+  {{- with .Values.blueprint.provider.tokenDuration }}
+  tokenDuration: {{ . | quote }}
+  {{- end }} 
+  {{- with .Values.blueprint.provider.scopes }}
+  customScopes: {{ . | join "," | quote }}
+  {{- end }} 
+  {{- with .Values.blueprint.provider.claimUsername }}
+  claimUsername: {{ . | quote }}
+  {{- end }} 
+  {{- with .Values.blueprint.provider.claimGroups }}
+  claimGroups: {{ . | quote }}
+  {{- end }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "authentik-application.fullname" . }}-blueprint
+  labels:
+    {{- include "authentik-application.labels" . | nindent 4 }}
+    {{- with .Values.blueprint.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+stringData:
+  blueprint.yaml: |-
+    version: 1
+    metadata:
+      name: {{ include "authentik-application.fullname" . }}
+    entries:
+    
+      - model: authentik_providers_oauth2.OAuth2Provider
+        id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+        identifiers:
+          name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+        state: present
+        attrs:
+          authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
+          client_type: {{ .Values.blueprint.provider.clientType | quote }}
+          client_id: {{ $clientID | quote }}
+          client_secret: {{ $clientSecret | quote }}
+          redirect_uris: {{ .Values.blueprint.provider.redirectURL }}
+          {{- with .Values.blueprint.provider.tokenDuration }}
+          access_token_validity: {{ . | quote }}
+          {{- end }} 
+          {{- with .Values.blueprint.provider.signingKey }}
+          signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
+          {{- end }}
+          {{- with .Values.blueprint.provider.scopes }}
+          property_mappings:
+            {{- range . }}
+            - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
+            {{- end }}
+          {{- end }}
+    
+      - model: authentik_core.Application
+        id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
+        identifiers:
+          slug: {{ .Values.blueprint.application.slug }}
+        state: present
+        attrs:
+          name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
+          slug: {{ .Values.blueprint.application.slug }}
+          provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
+          policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
+          {{- with .Values.blueprint.application.group }}
+          group: {{ . | quote }}
+          {{- end }}
+          {{- with .Values.blueprint.application.launchURL }}
+          meta_launch_url: {{ . | quote }}
+          {{- end }}
+          open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
+          {{- with .Values.blueprint.application.icon }}
+          meta_icon: {{ . | quote }}
+          {{- end }}
+          {{- with .Values.blueprint.application.description }}
+          meta_description: {{ . | quote }}
+          {{- end }}
+          {{- with .Values.blueprint.application.publisher }}
+          meta_publisher: {{ . | quote }}
+          {{- end }}
+      
+      {{- if (eq (len .Values.blueprint.groups) 0) }}
+      
+      - model: authentik_core.group
+        id: "app: {{ .Values.blueprint.application.slug }}"
+        identifiers:
+          name: "app: {{ .Values.blueprint.application.slug }}"
+        state: "present"
+        attrs:
+          name: "app: {{ .Values.blueprint.application.slug }}"
+      
+      - model: authentik_policies.PolicyBinding
+        id: "app: {{ .Values.blueprint.application.slug }}"
+        identifiers:
+          group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
+        attrs:
+          group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
+          order: 10
+          target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
+      {{- end }}
+    
+      {{- range $group := .Values.blueprint.groups }}
+      
+      - model: authentik_core.group
+        id: {{ $group.slug | quote }}
+        identifiers:
+          name: {{ $group.slug | quote }}
+        state: {{ $group.state | default "present" | quote }}
+        attrs:
+          name: {{ $group.slug | quote }}
+      
+      - model: authentik_policies.PolicyBinding
+        id: {{ $group.slug | quote }}
+        identifiers:
+          group: !KeyOf {{ $group.slug | quote }}
+        attrs:
+          group: !KeyOf {{ $group.slug | quote}}
+          order: 10
+          target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
+      {{- end }}
+    

authentik-application/values.yaml

@@ -0,0 +1,35 @@
+secret:
+  enabled: true
+  name: ""
+  labels: {}
+
+blueprint:
+  authentik:
+    domain: "https://auth.wrenix.eu"
+  labels:
+    goauthentik_blueprint: "1"
+  provider:
+    name: ""
+    authorizationFlow: "default-provider-authorization-implicit-consent"
+    clientType: "confidential"
+    # -- client id - generated if secret enabled
+    clientID:
+    # -- client secret - generated if secret enabled
+    clientSecret:
+    redirectURL: ""
+    # -- Need for non-curve / RSA
+    signingKey: ""
+    # -- Scope
+    scopes:
+  application:
+    name: ""
+    slug: "app-name"
+    policyEngineMode: "any"
+    group: ""
+    launchURL: ""
+    openInNewTab: false 
+    icon: ""
+    description: ""
+    publisher: ""
+  # - additional groups
+  groups: []