wrenix/helm-charts
1
0
Fork 0
Code Issues 8 Pull requests 8 Projects Packages Activity

fix(authentik-application): support provider optional, group policy bidng (+ icon)

Browse source
This commit is contained in:
WrenIX 2023-09-06 00:40:34 +02:00
parent bc16cc73de
commit a193e591a1
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
3 changed files with 38 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
authentik-application/Chart.yaml
View file

@ -3,4 +3,4 @@ name: authentik-application
description: A Chart to deploy a secret for the authentik blueprint-sidecar
type: application
version: 0.1.1
version: 0.2.0

38
authentik-application/templates/secrets.yaml
View file

@ -1,6 +1,7 @@
{{- $clientID := .Values.blueprint.provider.clientID }}
{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
{{- if .Values.secret.enabled }}
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
---
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
apiVersion: v1
@ -16,26 +17,39 @@ stringData:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }}
{{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}
bindPolicyID: {{ $bindPolicyID | quote }}
{{- if .Values.blueprint.provider.enabled }}
issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
{{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
{{- $clientID = .Values.blueprint.provider.clientID | default ($clientIDCoded | b64dec) }}
{{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
clientID: {{ $clientID | quote }}
{{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
{{- $clientSecret = .Values.blueprint.provider.clientSecret | default ($clientSecretCoded | b64dec) }}
{{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
clientSecret: {{ $clientSecret | quote }}
redirectURL: {{ .Values.blueprint.provider.redirectURL }}
{{- with .Values.blueprint.provider.tokenDuration }}
tokenDuration: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.provider.scopes }}
customScopes: {{ . | join "," | quote }}
{{- end }}
{{- with .Values.blueprint.provider.claimUsername }}
claimUsername: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.provider.claimGroups }}
claimGroups: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}
---
apiVersion: v1
@ -53,7 +67,8 @@ stringData:
metadata:
name: {{ include "authentik-application.fullname" . }}
entries:
{{- if .Values.blueprint.provider.enabled }}
- model: authentik_providers_oauth2.OAuth2Provider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
@ -77,6 +92,7 @@ stringData:
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
{{- end }}
{{- end }}
{{- end }}
- model: authentik_core.Application
id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
@ -86,7 +102,9 @@ stringData:
attrs:
name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
slug: {{ .Values.blueprint.application.slug }}
{{- if .Values.blueprint.provider.enabled }}
provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
{{- end }}
policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
{{- with .Values.blueprint.application.group }}
group: {{ . | quote }}
@ -96,7 +114,7 @@ stringData:
{{- end }}
open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
{{- with .Values.blueprint.application.icon }}
meta_icon: {{ . | quote }}
icon: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.description }}
meta_description: {{ . | quote }}
@ -116,9 +134,9 @@ stringData:
name: "app: {{ .Values.blueprint.application.slug }}"
- model: authentik_policies.PolicyBinding
id: "app: {{ .Values.blueprint.application.slug }}"
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
identifiers:
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
pk: {{ $bindPolicyID | quote }}
attrs:
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
order: 10
@ -126,7 +144,7 @@ stringData:
{{- end }}
{{- range $group := .Values.blueprint.groups }}
- model: authentik_core.group
id: {{ $group.slug | quote }}
identifiers:
@ -141,9 +159,9 @@ stringData:
{{- end }}
- model: authentik_policies.PolicyBinding
id: {{ $group.slug | quote }}
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
identifiers:
group: !KeyOf {{ $group.slug | quote }}
pk: {{ $group.bindID | quote }}
attrs:
group: !KeyOf {{ $group.slug | quote}}
order: 10

11
authentik-application/values.yaml
View file

@ -1,5 +1,4 @@
secret:
enabled: true
name: ""
labels: {}
@ -9,6 +8,7 @@ blueprint:
labels:
goauthentik_blueprint: "1"
provider:
enabled: true
name: ""
authorizationFlow: "default-provider-authorization-implicit-consent"
clientType: "confidential"
@ -24,6 +24,8 @@ blueprint:
application:
name: ""
slug: "app-name"
# -- uuid for bindPolicyID for group - if not set generated on secret for be stable (or groups: [] filled)
bindPolicyID:
policyEngineMode: "any"
group: ""
launchURL: ""
@ -31,5 +33,10 @@ blueprint:
icon: ""
description: ""
publisher: ""
# - additional groups
# -- additional groups
# example:
# - slug: "app: grafana-admin"
# parent: "app: infra"
# bindID: uuid
#
groups: []