fix(authentik-application): support provider optional, group policy bidng (+ icon)
This commit is contained in:
parent
bc16cc73de
commit
a193e591a1
3 changed files with 38 additions and 13 deletions
|
@ -3,4 +3,4 @@ name: authentik-application
|
||||||
description: A Chart to deploy a secret for the authentik blueprint-sidecar
|
description: A Chart to deploy a secret for the authentik blueprint-sidecar
|
||||||
type: application
|
type: application
|
||||||
|
|
||||||
version: 0.1.1
|
version: 0.2.0
|
|
@ -1,6 +1,7 @@
|
||||||
{{- $clientID := .Values.blueprint.provider.clientID }}
|
{{- $clientID := .Values.blueprint.provider.clientID }}
|
||||||
{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
|
{{- $clientSecret := .Values.blueprint.provider.clientSecret }}
|
||||||
{{- if .Values.secret.enabled }}
|
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
|
||||||
|
{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
|
||||||
---
|
---
|
||||||
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
|
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -16,27 +17,40 @@ stringData:
|
||||||
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
|
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
|
||||||
{{- $secretData := (get $secretObj "data") | default dict }}
|
{{- $secretData := (get $secretObj "data") | default dict }}
|
||||||
|
|
||||||
|
{{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }}
|
||||||
|
{{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}
|
||||||
|
bindPolicyID: {{ $bindPolicyID | quote }}
|
||||||
|
|
||||||
|
{{- if .Values.blueprint.provider.enabled }}
|
||||||
issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
|
issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
|
||||||
|
|
||||||
{{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
|
{{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
|
||||||
{{- $clientID = .Values.blueprint.provider.clientID | default ($clientIDCoded | b64dec) }}
|
{{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
|
||||||
clientID: {{ $clientID | quote }}
|
clientID: {{ $clientID | quote }}
|
||||||
|
|
||||||
{{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
|
{{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
|
||||||
{{- $clientSecret = .Values.blueprint.provider.clientSecret | default ($clientSecretCoded | b64dec) }}
|
{{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
|
||||||
clientSecret: {{ $clientSecret | quote }}
|
clientSecret: {{ $clientSecret | quote }}
|
||||||
|
|
||||||
redirectURL: {{ .Values.blueprint.provider.redirectURL }}
|
redirectURL: {{ .Values.blueprint.provider.redirectURL }}
|
||||||
|
|
||||||
{{- with .Values.blueprint.provider.tokenDuration }}
|
{{- with .Values.blueprint.provider.tokenDuration }}
|
||||||
tokenDuration: {{ . | quote }}
|
tokenDuration: {{ . | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- with .Values.blueprint.provider.scopes }}
|
{{- with .Values.blueprint.provider.scopes }}
|
||||||
customScopes: {{ . | join "," | quote }}
|
customScopes: {{ . | join "," | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- with .Values.blueprint.provider.claimUsername }}
|
{{- with .Values.blueprint.provider.claimUsername }}
|
||||||
claimUsername: {{ . | quote }}
|
claimUsername: {{ . | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- with .Values.blueprint.provider.claimGroups }}
|
{{- with .Values.blueprint.provider.claimGroups }}
|
||||||
claimGroups: {{ . | quote }}
|
claimGroups: {{ . | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
|
@ -54,6 +68,7 @@ stringData:
|
||||||
name: {{ include "authentik-application.fullname" . }}
|
name: {{ include "authentik-application.fullname" . }}
|
||||||
entries:
|
entries:
|
||||||
|
|
||||||
|
{{- if .Values.blueprint.provider.enabled }}
|
||||||
- model: authentik_providers_oauth2.OAuth2Provider
|
- model: authentik_providers_oauth2.OAuth2Provider
|
||||||
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
|
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
|
||||||
identifiers:
|
identifiers:
|
||||||
|
@ -77,6 +92,7 @@ stringData:
|
||||||
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
|
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
- model: authentik_core.Application
|
- model: authentik_core.Application
|
||||||
id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
|
id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
|
||||||
|
@ -86,7 +102,9 @@ stringData:
|
||||||
attrs:
|
attrs:
|
||||||
name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
|
name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
|
||||||
slug: {{ .Values.blueprint.application.slug }}
|
slug: {{ .Values.blueprint.application.slug }}
|
||||||
|
{{- if .Values.blueprint.provider.enabled }}
|
||||||
provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
|
provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
|
||||||
|
{{- end }}
|
||||||
policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
|
policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
|
||||||
{{- with .Values.blueprint.application.group }}
|
{{- with .Values.blueprint.application.group }}
|
||||||
group: {{ . | quote }}
|
group: {{ . | quote }}
|
||||||
|
@ -96,7 +114,7 @@ stringData:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
|
open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
|
||||||
{{- with .Values.blueprint.application.icon }}
|
{{- with .Values.blueprint.application.icon }}
|
||||||
meta_icon: {{ . | quote }}
|
icon: {{ . | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.blueprint.application.description }}
|
{{- with .Values.blueprint.application.description }}
|
||||||
meta_description: {{ . | quote }}
|
meta_description: {{ . | quote }}
|
||||||
|
@ -116,9 +134,9 @@ stringData:
|
||||||
name: "app: {{ .Values.blueprint.application.slug }}"
|
name: "app: {{ .Values.blueprint.application.slug }}"
|
||||||
|
|
||||||
- model: authentik_policies.PolicyBinding
|
- model: authentik_policies.PolicyBinding
|
||||||
id: "app: {{ .Values.blueprint.application.slug }}"
|
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
|
||||||
identifiers:
|
identifiers:
|
||||||
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
|
pk: {{ $bindPolicyID | quote }}
|
||||||
attrs:
|
attrs:
|
||||||
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
|
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
|
||||||
order: 10
|
order: 10
|
||||||
|
@ -141,9 +159,9 @@ stringData:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
- model: authentik_policies.PolicyBinding
|
- model: authentik_policies.PolicyBinding
|
||||||
id: {{ $group.slug | quote }}
|
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
|
||||||
identifiers:
|
identifiers:
|
||||||
group: !KeyOf {{ $group.slug | quote }}
|
pk: {{ $group.bindID | quote }}
|
||||||
attrs:
|
attrs:
|
||||||
group: !KeyOf {{ $group.slug | quote}}
|
group: !KeyOf {{ $group.slug | quote}}
|
||||||
order: 10
|
order: 10
|
||||||
|
|
|
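Review bot: The new Secret condition (`{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) …`) skips the Secret whenever either clientID or clientSecret is given in values, so a user who sets only clientID renders the provider with an empty $clientSecret, because the `$clientSecret = $clientSecret | default (…)` fallback lives inside the skipped block; the inner `and` should be `(or (not $clientID) (not $clientSecret))`. In the per-group PolicyBinding hunk, `pk: {{ $group.bindID | quote }}` renders `pk: ""` when a groups entry omits bindID, so fail fast instead: `pk: {{ required "blueprint.groups[].bindID must be set" $group.bindID | quote }}`. The stable-bindPolicyID behaviour depends on `lookup`, which returns an empty dict under `helm template` and `--dry-run`, so a fresh uuidv4 is produced on every such render; a one-line comment next to `$bindPolicyIDCoded` saying the value is only stable against a live cluster would spare the next reader that surprise. Switching the application binding's identifiers from `group: !KeyOf …` to `pk:` presumably means a binding created by chart 0.1.x is no longer matched and a second one appears on upgrade, which deserves a mention in the values comment or chart notes.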
@ -1,5 +1,4 @@
|
||||||
secret:
|
secret:
|
||||||
enabled: true
|
|
||||||
name: ""
|
name: ""
|
||||||
labels: {}
|
labels: {}
|
||||||
|
|
||||||
|
@ -9,6 +8,7 @@ blueprint:
|
||||||
labels:
|
labels:
|
||||||
goauthentik_blueprint: "1"
|
goauthentik_blueprint: "1"
|
||||||
provider:
|
provider:
|
||||||
|
enabled: true
|
||||||
name: ""
|
name: ""
|
||||||
authorizationFlow: "default-provider-authorization-implicit-consent"
|
authorizationFlow: "default-provider-authorization-implicit-consent"
|
||||||
clientType: "confidential"
|
clientType: "confidential"
|
||||||
|
@ -24,6 +24,8 @@ blueprint:
|
||||||
application:
|
application:
|
||||||
name: ""
|
name: ""
|
||||||
slug: "app-name"
|
slug: "app-name"
|
||||||
|
# -- uuid for bindPolicyID for group - if not set generated on secret for be stable (or groups: [] filled)
|
||||||
|
bindPolicyID:
|
||||||
policyEngineMode: "any"
|
policyEngineMode: "any"
|
||||||
group: ""
|
group: ""
|
||||||
launchURL: ""
|
launchURL: ""
|
||||||
|
@ -31,5 +33,10 @@ blueprint:
|
||||||
icon: ""
|
icon: ""
|
||||||
description: ""
|
description: ""
|
||||||
publisher: ""
|
publisher: ""
|
||||||
# - additional groups
|
# -- additional groups
|
||||||
|
# example:
|
||||||
|
# - slug: "app: grafana-admin"
|
||||||
|
# parent: "app: infra"
|
||||||
|
# bindID: uuid
|
||||||
|
#
|
||||||
groups: []
|
groups: []
|
||||||
|
|
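Review bot: The comment above `bindPolicyID:` is hard to parse ("if not set generated on secret for be stable (or groups: [] filled)"); something like `# -- UUID used as the pk of the application's group PolicyBinding; leave empty to have one generated and persisted in the chart Secret (only while groups is empty)` matches what the template's Secret condition actually does. The `# bindID: uuid` line in the groups example reads as optional, but the template renders an empty pk when it is missing, so `# bindID: <uuid, required>` would be clearer. Removing `secret.enabled` is a silent change for existing users since Helm ignores unknown values keys; a short note that the Secret is now created automatically when credentials or bindPolicyID are left empty would document that.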