From a193e591a16abe14b54ddfd864bc10d88271e66c Mon Sep 17 00:00:00 2001 From: WrenIX Date: Wed, 6 Sep 2023 00:40:34 +0200 Subject: [PATCH] fix(authentik-application): support provider optional, group policy bidng (+ icon) --- authentik-application/Chart.yaml | 2 +- authentik-application/templates/secrets.yaml | 38 ++++++++++++++------ authentik-application/values.yaml | 11 ++++-- 3 files changed, 38 insertions(+), 13 deletions(-) diff --git a/authentik-application/Chart.yaml b/authentik-application/Chart.yaml index 5b9f633..87f5883 100644 --- a/authentik-application/Chart.yaml +++ b/authentik-application/Chart.yaml @@ -3,4 +3,4 @@ name: authentik-application description: A Chart to deploy a secret for the authentik blueprint-sidecar type: application -version: 0.1.1 \ No newline at end of file +version: 0.2.0 \ No newline at end of file diff --git a/authentik-application/templates/secrets.yaml b/authentik-application/templates/secrets.yaml index 2b91cb0..4472209 100644 --- a/authentik-application/templates/secrets.yaml +++ b/authentik-application/templates/secrets.yaml @@ -1,6 +1,7 @@ {{- $clientID := .Values.blueprint.provider.clientID }} {{- $clientSecret := .Values.blueprint.provider.clientSecret }} -{{- if .Values.secret.enabled }} +{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }} +{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }} --- {{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }} apiVersion: v1 
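Review bot: The new guard `{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) … }}` only enters the Secret block when both credentials are unset, so a release that sets `clientID` but leaves `clientSecret` empty never reaches the line that gives `$clientSecret` its generated fallback, and the variable stays an empty string for the later template parts that read it. Requiring either value to be missing, `(and .Values.blueprint.provider.enabled (or (not $clientID) (not $clientSecret)))`, keeps the generation path for that half-configured case. The second operand calls `len` on `.Values.blueprint.groups`, which the shipped values.yaml leaves commented out; `len` of an unset value is likely to abort the render, and `(not .Values.blueprint.groups)` makes the same test without that risk. The `{{- if` opened here is closed in the next hunk.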
@@ -16,26 +17,39 @@ stringData: {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }} {{- $secretData := (get $secretObj "data") | default dict }} + {{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }} + {{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }} + bindPolicyID: {{ $bindPolicyID | quote }} + + {{- if .Values.blueprint.provider.enabled }} issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }} + {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }} - {{- $clientID = .Values.blueprint.provider.clientID | default ($clientIDCoded | b64dec) }} + {{- $clientID = $clientID | default ($clientIDCoded | b64dec) }} clientID: {{ $clientID | quote }} + {{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }} - {{- $clientSecret = .Values.blueprint.provider.clientSecret | default ($clientSecretCoded | b64dec) }} + {{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }} clientSecret: {{ $clientSecret | quote }} + redirectURL: {{ .Values.blueprint.provider.redirectURL }} + {{- with .Values.blueprint.provider.tokenDuration }} tokenDuration: {{ . | quote }} {{- end }} + {{- with .Values.blueprint.provider.scopes }} customScopes: {{ . | join "," | quote }} {{- end }} + {{- with .Values.blueprint.provider.claimUsername }} claimUsername: {{ . | quote }} {{- end }} + {{- with .Values.blueprint.provider.claimGroups }} claimGroups: {{ . | quote }} {{- end }} + {{- end }} {{- end }} --- apiVersion: v1 @@ -53,7 +67,8 @@ stringData: metadata: name: {{ include "authentik-application.fullname" . }} entries: - + + {{- if .Values.blueprint.provider.enabled }} - model: authentik_providers_oauth2.OAuth2Provider id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }} identifiers: 
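Review bot: `{{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}` only runs inside the Secret block, so whenever that block is skipped — `blueprint.application.bindPolicyID` unset while `blueprint.groups` is non-empty, with the provider disabled or its credentials supplied — `$bindPolicyID` keeps its empty value and the application's PolicyBinding in the later `@@ -116,9 +134,9 @@` hunk renders `pk: ""`. Either the values.yaml comment should state that `bindPolicyID` becomes mandatory once groups are defined, or the template should fail early after the closing `{{- end }}` of the Secret block with `{{- $bindPolicyID = required "blueprint.application.bindPolicyID must be set when blueprint.groups is non-empty" $bindPolicyID }}`. Because the stable value comes from `lookup`, `helm template` and dry-runs, where `lookup` returns nothing, will render a fresh `uuidv4` each time; a one-line comment above the `$bindPolicyIDCoded` line saying the value is only stable for installed releases would help readers. The `stringData:` mapping that encloses these lines begins outside the hunk.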
@@ -77,6 +92,7 @@ stringData: - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]] {{- end }} {{- end }} + {{- end }} - model: authentik_core.Application id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }} @@ -86,7 +102,9 @@ stringData: attrs: name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }} slug: {{ .Values.blueprint.application.slug }} + {{- if .Values.blueprint.provider.enabled }} provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }} + {{- end }} policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }} {{- with .Values.blueprint.application.group }} group: {{ . | quote }} @@ -96,7 +114,7 @@ stringData: {{- end }} open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }} {{- with .Values.blueprint.application.icon }} - meta_icon: {{ . | quote }} + icon: {{ . | quote }} {{- end }} {{- with .Values.blueprint.application.description }} meta_description: {{ . | quote }} @@ -116,9 +134,9 @@ stringData: name: "app: {{ .Values.blueprint.application.slug }}" - model: authentik_policies.PolicyBinding - id: "app: {{ .Values.blueprint.application.slug }}" + id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }} identifiers: - group: !KeyOf "app: {{ .Values.blueprint.application.slug }}" + pk: {{ $bindPolicyID | quote }} attrs: group: !KeyOf "app: {{ .Values.blueprint.application.slug }}" order: 10 @@ -126,7 +144,7 @@ stringData: {{- end }} {{- range $group := .Values.blueprint.groups }} - + - model: authentik_core.group id: {{ $group.slug | quote }} identifiers: 
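Review bot: Changing the binding's `identifiers` from `group: !KeyOf "app: …"` to `pk: {{ $bindPolicyID | quote }}` in the `@@ -116,9 +134,9 @@` hunk changes which existing object authentik matches, so a release upgraded from 0.1.x will presumably stop matching the PolicyBinding it created under the old identifier and create a second one for the same group unless authentik rejects the duplicate. When `$bindPolicyID` is empty — it only receives a generated value inside the Secret block of an earlier hunk — the line renders `pk: ""`, which is not a usable primary key. A short upgrade note in the chart (set `blueprint.application.bindPolicyID` to the pk of the existing binding, or remove that binding before upgrading) covers the first case; the second belongs where `$bindPolicyID` is resolved rather than here. The `- model: authentik_policies.PolicyBinding` entry continues past the end of the hunk.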
@@ -141,9 +159,9 @@ stringData: {{- end }} - model: authentik_policies.PolicyBinding - id: {{ $group.slug | quote }} + id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }} identifiers: - group: !KeyOf {{ $group.slug | quote }} + pk: {{ $group.bindID | quote }} attrs: group: !KeyOf {{ $group.slug | quote}} order: 10 diff --git a/authentik-application/values.yaml b/authentik-application/values.yaml index 87ce2bb..81beabe 100644 --- a/authentik-application/values.yaml +++ b/authentik-application/values.yaml @@ -1,5 +1,4 @@ secret: - enabled: true name: "" labels: {} @@ -9,6 +8,7 @@ blueprint: labels: goauthentik_blueprint: "1" provider: + enabled: true name: "" authorizationFlow: "default-provider-authorization-implicit-consent" clientType: "confidential" @@ -24,6 +24,8 @@ blueprint: application: name: "" slug: "app-name" + # -- uuid for bindPolicyID for group - if not set generated on secret for be stable (or groups: [] filled) + bindPolicyID: policyEngineMode: "any" group: "" launchURL: "" @@ -31,5 +33,10 @@ blueprint: icon: "" description: "" publisher: "" - # - additional groups + # -- additional groups + # example: + # - slug: "app: grafana-admin" + # parent: "app: infra" + # bindID: uuid + # groups: []
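Review bot: `pk: {{ $group.bindID | quote }}` has no fallback, so a `blueprint.groups` entry that omits `bindID` renders `pk: ""`; unlike the application binding there is no generated value stored in the Secret for it. Failing the render is clearer than shipping an empty pk: `pk: {{ required "every blueprint.groups entry needs a bindID" $group.bindID | quote }}`. The switch from `group: !KeyOf …` to `pk:` as the identifier also means bindings created by 0.1.x are no longer matched on upgrade, the same concern as for the application binding in the `@@ -116,9 +134,9 @@` hunk. The `range $group` loop enclosing this entry starts in an earlier hunk and its end lies outside this one.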
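Review bot: Dropping `enabled: true` from `secret:` removes a switch that existing user values may still set; since templates/secrets.yaml no longer reads `.Values.secret.enabled` in this patch, a values file with `secret.enabled: false` is now silently ignored and may get a Secret anyway. The 0.2.0 bump signals a breaking change, but a line in the chart's README or upgrade notes saying that `secret.enabled` was removed and that creation is now decided by `blueprint.provider.enabled`, the credential values and `blueprint.application.bindPolicyID` would spare users the surprise.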
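Review bot: `bindPolicyID:` with no value parses as null rather than an empty string; `bindPolicyID: ""` states the intent and avoids the bare-value ambiguity yamllint flags. The accompanying comment is hard to follow (`for be stable`); something like `# -- UUID used as the pk of the application's group PolicyBinding; if empty, a value is generated and persisted in the Secret (see templates/secrets.yaml for when that happens)` spells out the rule the template applies.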