chore(authentik-application): refactory for easiert templating of blueprint

This commit is contained in:
WrenIX 2023-11-05 18:33:34 +01:00
parent 3b7a10478e
commit d1d4f8492f
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
8 changed files with 152 additions and 140 deletions


@ -121,7 +121,8 @@ helm uninstall authentik-application-release
| blueprint.provider.proxy.ingress.domain | string | `nil` | domain of application (where outpost should be deployed) | | blueprint.provider.proxy.ingress.domain | string | `nil` | domain of application (where outpost should be deployed) |
| blueprint.provider.proxy.ingress.enabled | bool | `false` | deploy ingress on application domain for e.g. logout (WIP) | | blueprint.provider.proxy.ingress.enabled | bool | `false` | deploy ingress on application domain for e.g. logout (WIP) |
| blueprint.provider.proxy.skipPathRegex | string | `""` | | | blueprint.provider.proxy.skipPathRegex | string | `""` | |
| blueprint.provider.type | string | `"oidc"` | type of application connection, current support: oidc and proxy | | blueprint.provider.saml | string | `nil` | |
| blueprint.provider.type | string | `"oidc"` | type of application connection, current support: oidc, saml and proxy |
| secret.labels | object | `{}` | label of secret to store generated secret | | secret.labels | object | `{}` | label of secret to store generated secret |
| secret.name | string | `""` | name of secret to store generated secret (like clientI) | | secret.name | string | `""` | name of secret to store generated secret (like clientI) |


@ -0,0 +1,30 @@
{{- with get . "root" }}
- model: authentik_core.Application
id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
identifiers:
slug: {{ .Values.blueprint.application.slug }}
state: present
attrs:
name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
slug: {{ .Values.blueprint.application.slug }}
{{- if .Values.blueprint.provider.enabled }}
provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
{{- end }}
policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
{{- with .Values.blueprint.application.group }}
group: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.launchURL }}
meta_launch_url: {{ . | quote }}
{{- end }}
open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
{{- with .Values.blueprint.application.icon }}
icon: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.description }}
meta_description: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.publisher }}
meta_publisher: {{ . | quote }}
{{- end }}
{{- end }}{{/* end with of get-root */}}
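Review bot: The `id:`, `slug:` and `name:` lines at the top of this entry interpolate values without `| quote`, while the optional fields further down (`group`, `meta_launch_url`, `icon`, …) all use it; a slug or name that looks like a number, boolean or null (`1e3`, `no`, `~`) or contains `: ` / ` #` is retyped or breaks the rendered blueprint. Apply the same treatment, e.g. `slug: {{ .Values.blueprint.application.slug | quote }}` and `name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) | quote }}`, and quote `policy_engine_mode` for the same reason. The `provider: !KeyOf` value must match the `id` computed in the provider templates from the same expression; a comment on that line, `{{/* must match the provider entry's id in files/provider/<type>.yaml.gotmpl */}}`, records the coupling for the next maintainer.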


@ -0,0 +1,47 @@
{{- $bindPolicyID := get . "bindPolicyID" }}
{{- with get . "root" }}
{{- if (not (kindIs "slice" .Values.blueprint.groups)) }}
- model: authentik_core.group
id: "app: {{ .Values.blueprint.application.slug }}"
identifiers:
name: "app: {{ .Values.blueprint.application.slug }}"
state: "present"
attrs:
name: "app: {{ .Values.blueprint.application.slug }}"
- model: authentik_policies.PolicyBinding
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
identifiers:
pk: {{ $bindPolicyID | quote }}
attrs:
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
order: 10
target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
{{- end }}
{{- range $group := .Values.blueprint.groups }}
- model: authentik_core.group
id: {{ $group.slug | quote }}
identifiers:
name: {{ $group.slug | quote }}
state: {{ $group.state | default "present" | quote }}
attrs:
name: {{ $group.slug | quote }}
{{- with $group.parent }}
parent: !Find [authentik_core.group, [name, {{ . | quote }}]]
{{- else}}
parent: null
{{- end }}
- model: authentik_policies.PolicyBinding
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
identifiers:
pk: {{ $group.bindID | quote }}
attrs:
group: !KeyOf {{ $group.slug | quote}}
order: 10
target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
{{- end }}
{{- end }}{{/* end with of get-root */}}
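Review bot: When `blueprint.groups` is an empty list, the `kindIs "slice"` branch is skipped and the `range` emits nothing, so the application ends up with no PolicyBinding at all; if authentik treats an application without bindings as accessible to every authenticated user (its policy engine's default when nothing is bound — confirm for the deployed version), an empty list silently opens the application rather than restricting it. Guard the default-group branch with `{{- if or (not (kindIs "slice" .Values.blueprint.groups)) (empty .Values.blueprint.groups) }}` so the `app: <slug>` group and its binding are still created, or `fail` on an empty list. Separately, `pk: {{ $group.bindID | quote }}` renders `pk: ""` when a group entry omits `bindID`; `{{ required "blueprint.groups[].bindID is required" $group.bindID | quote }}` turns that into an install-time error instead of a binding identifier that matches nothing.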


@ -0,0 +1,29 @@
{{- $clientID := get . "clientID" }}
{{- $clientSecret := get . "clientSecret" }}
{{- with get . "root" }}
- model: authentik_providers_oauth2.OAuth2Provider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
state: present
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
{{- with .Values.blueprint.provider.oidc }}
client_type: {{ .clientType | quote }}
client_id: {{ $clientID | quote }}
client_secret: {{ $clientSecret | quote }}
redirect_uris: {{ .redirectURL }}
{{- with .tokenDuration }}
access_token_validity: {{ . | quote }}
{{- end }}
{{- with .signingKey }}
signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
{{- end }}
{{- with .scopes }}
property_mappings:
{{- range . }}
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
{{- end }}
{{- end }}
{{- end }}
{{- end }}{{/* end with of get-root */}}
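Review bot: `redirect_uris: {{ .redirectURL }}` is the one attribute in this entry rendered without `| quote`; a URL containing ` #` is truncated to a comment and a value starting with `*` is read as a YAML alias, so write `redirect_uris: {{ .redirectURL | quote }}` like the surrounding fields. Because this field decides where authentik may send authorization codes, its semantics deserve a note: authentik versions current for this chart matched redirect URIs as regular expressions (verify against the target version), in which case an unanchored or unescaped value such as `https://app.example.com/.*` accepts more redirect targets than intended — a comment `{{/* redirect_uris: matched as regex by authentik; keep anchored and escape dots */}}` above the line makes that explicit. The `signing_key` and `ScopeMapping` lookups interpolate `{{ . }}` unquoted inside flow sequences, where a comma or space splits the `!Find` arguments; quote those too.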


@ -0,0 +1,15 @@
{{- with get . "root" }}
- model: authentik_providers_proxy.ProxyProvider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
state: present
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
mode: "forward_single"
{{- with .Values.blueprint.provider.proxy }}
external_host: {{ .externalHost | quote }}
skip_path_regex: {{ .skipPathRegex | quote }}
cookie_domain: {{ .cookieDomain | quote }}
{{- end }}
{{- end }}{{/* end with of get-root */}}
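Review bot: `skip_path_regex` is the field in this entry that, going by its name and the proxy provider's behaviour, exempts matching request paths from authentication at the outpost, and neither this template nor the README row for `blueprint.provider.proxy.skipPathRegex` (whose description is empty) says so. Add `{{/* skip_path_regex: requests whose path matches are served without authentication — keep it anchored, e.g. ^/healthz$ */}}` above the line and mirror the sentence in values.yaml. `cookie_domain` widens where the session cookie is sent (every host under that domain), so a one-line comment that it should be the narrowest domain covering the application is worth adding as well. `mode: "forward_single"` is hard-coded; a short comment stating that the other proxy modes are intentionally unsupported prevents a values key from being added later that silently does nothing.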


@ -60,3 +60,19 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
needs argument:
root: $.Values
name:
default:
overwrite:
*/}}
{{- define "authentik-application.staticValue" -}}
{{- $ := get . "root" }}
{{- $secretName := $.Values.secret.name | default (include "authentik-application.fullname" $) }}
{{- $secretObj := (lookup "v1" "Secret" $.Release.Namespace $secretName) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $valueCoded := (get $secretData .name) | default (.default | b64enc) }}
{{- .overwrite | default ($valueCoded | b64dec) }}
{{- end }}
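Review bot: The header comment for `authentik-application.staticValue` says `root: $.Values`, but the body reads `$.Values.secret.name` and `$.Release.Namespace` and passes `$` to `include`, so `root` must be the chart's top-level context `$` — which is what the caller in the blueprint template passes; change the comment to `root: $ (top-level chart context, not .Values)` and describe the other arguments: `name` — key in the Secret's `data`, `default` — plain-text value used when the key is absent, `overwrite` — non-empty value that takes precedence over both. A second comment should state that `lookup` returns nothing under `helm template`, `--dry-run` and client-side render pipelines (Argo CD's, for instance — confirm for yours), so each such render produces a fresh `randAlphaNum`/`uuidv4`; harmless for a diff, but a real credential rotation if that rendered output is what gets applied. It is also worth noting that an empty stored value falls through to `default` because `get … | default` treats `""` as unset, which is presumably intended but not obvious.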


@ -1,36 +1,24 @@
{{- $clientID := .Values.blueprint.provider.oidc.clientID }} {{- $clientID := include "authentik-application.staticValue" (dict "root" $ "name" "clientID" "default" (randAlphaNum 32) "overwrite" .Values.blueprint.provider.oidc.clientID) }}
{{- $clientSecret := .Values.blueprint.provider.oidc.clientSecret }} {{- $clientSecret := include "authentik-application.staticValue" (dict "root" $ "name" "clientSecret" "default" (randAlphaNum 32) "overwrite" .Values.blueprint.provider.oidc.clientSecret) }}
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }} {{- $bindPolicyID := include "authentik-application.staticValue" (dict "root" $ "name" "bindPolicyID" "default" (uuidv4) "overwrite" .Values.blueprint.application.bindPolicyID) }}
{{- if or (and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "oidc") (not $clientID) (not $clientSecret)) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
--- ---
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ $secretName }} name: {{ include "authentik-application.fullname" . }}
labels: labels:
{{- include "authentik-application.labels" . | nindent 4 }} {{- include "authentik-application.labels" . | nindent 4 }}
{{- with .Values.secret.labels }} {{- with .Values.secret.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
stringData: stringData:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }}
{{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}
bindPolicyID: {{ $bindPolicyID | quote }} bindPolicyID: {{ $bindPolicyID | quote }}
{{- if .Values.blueprint.provider.enabled }} {{- if .Values.blueprint.provider.enabled }}
issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }} issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
{{- with .Values.blueprint.provider.oidc }} {{- with .Values.blueprint.provider.oidc }}
{{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
{{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
clientID: {{ $clientID | quote }} clientID: {{ $clientID | quote }}
{{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
{{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
clientSecret: {{ $clientSecret | quote }} clientSecret: {{ $clientSecret | quote }}
redirectURL: {{ .redirectURL }} redirectURL: {{ .redirectURL }}
@ -50,9 +38,8 @@ stringData:
{{- with .claimGroups }} {{- with .claimGroups }}
claimGroups: {{ . | quote }} claimGroups: {{ . | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}{{/* end with oidc */}}
{{- end }}{{/* end when-oidc */}} {{- end }}{{/* end if provider */}}
{{- end }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -69,124 +56,10 @@ stringData:
metadata: metadata:
name: {{ include "authentik-application.fullname" . }} name: {{ include "authentik-application.fullname" . }}
entries: entries:
{{- $tplValues := (dict "root" $ "Template" .Template "bindPolicyID" $bindPolicyID "clientID" $clientID "clientSecret" $clientSecret) }}
{{- if .Values.blueprint.provider.enabled }} {{- if .Values.blueprint.provider.enabled }}
{{- if (eq .Values.blueprint.provider.type "oidc") }} {{- tpl (.Files.Get (printf "files/provider/%s.yaml.gotmpl" .Values.blueprint.provider.type)) $tplValues | nindent 6 }}
- model: authentik_providers_oauth2.OAuth2Provider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
state: present
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
{{- with .Values.blueprint.provider.oidc }}
client_type: {{ .clientType | quote }}
client_id: {{ $clientID | quote }}
client_secret: {{ $clientSecret | quote }}
redirect_uris: {{ .redirectURL }}
{{- with .tokenDuration }}
access_token_validity: {{ . | quote }}
{{- end }}
{{- with .signingKey }}
signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
{{- end }}
{{- with .scopes }}
property_mappings:
{{- range . }}
- !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
{{- end }}
{{- end }}
{{- end }}{{/* with-oidc */}}
{{- end }}{{/* if-oidc */}}
{{- if (eq .Values.blueprint.provider.type "proxy") }}
- model: authentik_providers_proxy.ProxyProvider
id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
identifiers:
name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
state: present
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
mode: "forward_single"
{{- with .Values.blueprint.provider.proxy }}
external_host: {{ .externalHost | quote }}
skip_path_regex: {{ .skipPathRegex | quote }}
cookie_domain: {{ .cookieDomain | quote }}
{{- end }}{{/* with-proxy */}}
{{- end }}{{/* if-proxy */}}
{{- end }}
- model: authentik_core.Application
id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
identifiers:
slug: {{ .Values.blueprint.application.slug }}
state: present
attrs:
name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
slug: {{ .Values.blueprint.application.slug }}
{{- if .Values.blueprint.provider.enabled }}
provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
{{- end }}
policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
{{- with .Values.blueprint.application.group }}
group: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.launchURL }}
meta_launch_url: {{ . | quote }}
{{- end }}
open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
{{- with .Values.blueprint.application.icon }}
icon: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.description }}
meta_description: {{ . | quote }}
{{- end }}
{{- with .Values.blueprint.application.publisher }}
meta_publisher: {{ . | quote }}
{{- end }}
{{- if (not (kindIs "slice" .Values.blueprint.groups)) }}
- model: authentik_core.group
id: "app: {{ .Values.blueprint.application.slug }}"
identifiers:
name: "app: {{ .Values.blueprint.application.slug }}"
state: "present"
attrs:
name: "app: {{ .Values.blueprint.application.slug }}"
- model: authentik_policies.PolicyBinding
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
identifiers:
pk: {{ $bindPolicyID | quote }}
attrs:
group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
order: 10
target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
{{- end }}
{{- range $group := .Values.blueprint.groups }}
- model: authentik_core.group
id: {{ $group.slug | quote }}
identifiers:
name: {{ $group.slug | quote }}
state: {{ $group.state | default "present" | quote }}
attrs:
name: {{ $group.slug | quote }}
{{- with $group.parent }}
parent: !Find [authentik_core.group, [name, {{ . | quote }}]]
{{- else}}
parent: null
{{- end }}
- model: authentik_policies.PolicyBinding
id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
identifiers:
pk: {{ $group.bindID | quote }}
attrs:
group: !KeyOf {{ $group.slug | quote}}
order: 10
target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
{{- end }} {{- end }}
{{- tpl (.Files.Get "files/application.yaml.gotmpl") $tplValues | nindent 6 }}
{{- tpl (.Files.Get "files/groups.yaml.gotmpl") $tplValues | nindent 6 }}
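Review bot: The Secret is now named `{{ include "authentik-application.fullname" . }}` (the `name:` line of the first document) while `staticValue` looks it up under `$.Values.secret.name | default fullname`; with `secret.name` set in values — still documented in the README — the lookup never finds the Secret the chart writes, so `clientID`, `clientSecret` and `bindPolicyID` are regenerated on every `helm upgrade`, rotating the OAuth2 client secret out from under the relying application. Either restore `name: {{ .Values.secret.name | default (include "authentik-application.fullname" .) }}` or remove `secret.name` from values and README so both sides agree. The provider include, `tpl (.Files.Get (printf "files/provider/%s.yaml.gotmpl" .Values.blueprint.provider.type)) $tplValues`, renders nothing when no such file exists because `.Files.Get` returns an empty string; `type: saml`, which this commit documents as supported although no saml template is among the eight changed files, therefore yields an application whose `provider: !KeyOf` points at a missing entry. Wrapping it as `{{- .Files.Get (printf "files/provider/%s.yaml.gotmpl" .Values.blueprint.provider.type) | required (printf "unsupported blueprint.provider.type %q" .Values.blueprint.provider.type) | tpl $tplValues | nindent 6 }}` fails at template time instead — check the argument order of `tpl` in your Helm version, which takes the template first.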


@ -16,8 +16,8 @@ blueprint:
enabled: true enabled: true
name: "" name: ""
authorizationFlow: "default-provider-authorization-implicit-consent" authorizationFlow: "default-provider-authorization-implicit-consent"
# -- type of application connection, current support: oidc and proxy # -- type of application connection, current support: oidc, saml and proxy
type: "oidc" # or proxy type: "oidc"
oidc: oidc:
clientType: "confidential" clientType: "confidential"
# -- client id - generated if secret enabled # -- client id - generated if secret enabled
@ -29,6 +29,7 @@ blueprint:
signingKey: "" signingKey: ""
# -- Scope # -- Scope
scopes: scopes:
saml:
proxy: proxy:
externalHost: externalHost:
skipPathRegex: "" skipPathRegex: ""
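Review bot: `saml:` is added as a bare key, which YAML reads as `null`, while the sibling `oidc:` and `proxy:` sections are mappings, and the README row `blueprint.provider.saml | string | nil` gives no hint of what belongs there. Write `saml: {}` with a helm-docs comment such as `# -- SAML provider settings (no provider template ships in this commit; confirm before setting type: "saml")`, or leave the key and the "saml" mention in the `type` comment out until the template exists. `scopes:` on the line above has the same bare-null shape; `scopes: []` states the intent and matches the `range` that consumes it.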