wrenix/helm-charts
1
0
Fork 0
Code Issues 8 Pull requests 8 Projects Packages Activity

fix(authentik-application): support provider for proxy

Browse source
This commit is contained in:
WrenIX 2023-09-06 22:02:27 +02:00
parent a193e591a1
commit b3931d2c66
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
4 changed files with 76 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
authentik-application/Chart.yaml
View file

@ -3,4 +3,4 @@ name: authentik-application
description: A Chart to deploy a secret for the authentik blueprint-sidecar description: A Chart to deploy a secret for the authentik blueprint-sidecar
type: application type: application
version: 0.2.0 version: 0.3.0

20
authentik-application/templates/ingress.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "proxy") .Values.blueprint.provider.proxy.ingress.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "authentik-application.fullname" . }}
labels:
{{- include "authentik-application.labels" . | nindent 4 }}
spec:
rules:
- host: {{ .Values.blueprint.provider.proxy.ingress.domain | quote }}
http:
paths:
- path: "/outpost.goauthentik.io/"
pathType: Prefix
backend:
name: {{ .Values.blueprint.provider.proxy.ingress.backend | quote }}
port:
name: http
{{- end }}

46
authentik-application/templates/secrets.yaml
View file

@ -1,7 +1,7 @@
{{- $clientID := .Values.blueprint.provider.clientID }} {{- $clientID := .Values.blueprint.provider.oidc.clientID }}
{{- $clientSecret := .Values.blueprint.provider.clientSecret }} {{- $clientSecret := .Values.blueprint.provider.oidc.clientSecret }}
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }} {{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
{{- if or (and .Values.blueprint.provider.enabled (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }} {{- if or (and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "oidc") (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
--- ---
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }} {{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
apiVersion: v1 apiVersion: v1
@ -24,6 +24,7 @@ stringData:
{{- if .Values.blueprint.provider.enabled }} {{- if .Values.blueprint.provider.enabled }}
issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }} issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
{{- with .Values.blueprint.provider.oidc }}
{{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }} {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
{{- $clientID = $clientID | default ($clientIDCoded | b64dec) }} {{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
clientID: {{ $clientID | quote }} clientID: {{ $clientID | quote }}
@ -32,24 +33,25 @@ stringData:
{{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }} {{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
clientSecret: {{ $clientSecret | quote }} clientSecret: {{ $clientSecret | quote }}
redirectURL: {{ .Values.blueprint.provider.redirectURL }} redirectURL: {{ .redirectURL }}
{{- with .Values.blueprint.provider.tokenDuration }} {{- with .tokenDuration }}
tokenDuration: {{ . | quote }} tokenDuration: {{ . | quote }}
{{- end }} {{- end }}
{{- with .Values.blueprint.provider.scopes }} {{- with .scopes }}
customScopes: {{ . | join "," | quote }} customScopes: {{ . | join "," | quote }}
{{- end }} {{- end }}
{{- with .Values.blueprint.provider.claimUsername }} {{- with .claimUsername }}
claimUsername: {{ . | quote }} claimUsername: {{ . | quote }}
{{- end }} {{- end }}
{{- with .Values.blueprint.provider.claimGroups }} {{- with .claimGroups }}
claimGroups: {{ . | quote }} claimGroups: {{ . | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}{{/* end when-oidc */}}
{{- end }} {{- end }}
--- ---
apiVersion: v1 apiVersion: v1
@ -69,6 +71,7 @@ stringData:
entries: entries:
{{- if .Values.blueprint.provider.enabled }} {{- if .Values.blueprint.provider.enabled }}
{{- if (eq .Values.blueprint.provider.type "oidc") }}
- model: authentik_providers_oauth2.OAuth2Provider - model: authentik_providers_oauth2.OAuth2Provider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }} id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers: identifiers:
@ -76,22 +79,39 @@ stringData:
state: present state: present
attrs: attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]] authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
client_type: {{ .Values.blueprint.provider.clientType | quote }} {{- with .Values.blueprint.provider.oidc }}
client_type: {{ .clientType | quote }}
client_id: {{ $clientID | quote }} client_id: {{ $clientID | quote }}
client_secret: {{ $clientSecret | quote }} client_secret: {{ $clientSecret | quote }}
redirect_uris: {{ .Values.blueprint.provider.redirectURL }} redirect_uris: {{ .redirectURL }}
{{- with .Values.blueprint.provider.tokenDuration }} {{- with .tokenDuration }}
access_token_validity: {{ . | quote }} access_token_validity: {{ . | quote }}
{{- end }} {{- end }}
{{- with .Values.blueprint.provider.signingKey }} {{- with .signingKey }}
signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]] signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
{{- end }} {{- end }}
{{- with .Values.blueprint.provider.scopes }} {{- with .scopes }}
property_mappings: property_mappings:
{{- range . }} {{- range . }}
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]] - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}{{/* with-oidc */}}
{{- end }}{{/* if-oidc */}}
{{- if (eq .Values.blueprint.provider.type "proxy") }}
- model: authentik_providers_proxy.ProxyProvider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
state: present
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
mode: "forward_single"
{{- with .Values.blueprint.provider.proxy }}
external_host: {{ .externalHost | quote }}
{{- end }}{{/* with-proxy */}}
{{- end }}{{/* if-proxy */}}
{{- end }} {{- end }}
- model: authentik_core.Application - model: authentik_core.Application

12
authentik-application/values.yaml
View file

@ -11,6 +11,9 @@ blueprint:
enabled: true enabled: true
name: "" name: ""
authorizationFlow: "default-provider-authorization-implicit-consent" authorizationFlow: "default-provider-authorization-implicit-consent"
type: "oidc" # or proxy
# used for oidc provider
oidc:
clientType: "confidential" clientType: "confidential"
# -- client id - generated if secret enabled # -- client id - generated if secret enabled
clientID: clientID:
@ -21,6 +24,15 @@ blueprint:
signingKey: "" signingKey: ""
# -- Scope # -- Scope
scopes: scopes:
# -- used for proxy provider
proxy:
externalHost:
# -- not yet supported
ingress:
enabled: false
domain:
# service backend
backend: authentik
application: application:
name: "" name: ""
slug: "app-name" slug: "app-name"