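{{- /*
Renders two Secrets for an authentik application:

  1. ".Values.secret.name" (default: the chart fullname) — runtime credentials:
     bindPolicyID and, for an enabled OIDC provider, clientID/clientSecret plus the
     issuer/redirect settings a relying party needs. It is only rendered when at least
     one of those values has to be generated; credentials given in values are used as-is.
  2. "<fullname>-blueprint" — the authentik blueprint that creates the provider, the
     application, the groups and the policy bindings. It embeds client_id/client_secret
     in clear text, so it must be protected like the credentials Secret.

Generated values are kept stable across upgrades by reading the existing Secret back
with "lookup". "lookup" returns an empty object under "helm template" and "--dry-run",
so those runs show freshly generated values rather than the ones stored in the cluster.
Values-supplied credentials always take precedence over stored ones.
*/}}
{{- $clientID := .Values.blueprint.provider.oidc.clientID }}
{{- $clientSecret := .Values.blueprint.provider.oidc.clientSecret }}
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
{{- /* An OIDC provider needs the credentials Secret whenever EITHER credential is missing.
       Requiring both to be missing (the previous condition) skipped the Secret when only
       clientID was given and rendered an empty client_secret into the blueprint. */}}
{{- $oidcNeedsSecret := and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "oidc") (or (not $clientID) (not $clientSecret)) }}
{{- /* The default "app: <slug>" binding below needs a stable pk when none was supplied.
       "not groups" is true for both an empty list and an absent key. */}}
{{- $bindingNeedsSecret := and (not $bindPolicyID) (not .Values.blueprint.groups) }}
{{- if or $oidcNeedsSecret $bindingNeedsSecret }}
---
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  labels:
    {{- include "authentik-application.labels" . | nindent 4 }}
    {{- with .Values.secret.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
stringData:
  {{- /* Reuse whatever is already stored (base64 in .data) so credentials survive upgrades. */}}
  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
  {{- $secretData := (get $secretObj "data") | default dict }}
  {{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }}
  {{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}
  bindPolicyID: {{ $bindPolicyID | quote }}
  {{- if .Values.blueprint.provider.enabled }}
  issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" | quote }}
  {{- with .Values.blueprint.provider.oidc }}
  {{- /* Precedence: values > stored Secret > freshly generated (32 alphanumeric chars). */}}
  {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
  {{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
  clientID: {{ $clientID | quote }}
  {{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
  {{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
  clientSecret: {{ $clientSecret | quote }}
  {{- /* Quoted: stringData values must be strings, and a multi-line redirect list would
         otherwise break the YAML. */}}
  redirectURL: {{ .redirectURL | quote }}
  {{- with .tokenDuration }}
  tokenDuration: {{ . | quote }}
  {{- end }}
  {{- with .scopes }}
  customScopes: {{ . | join "," | quote }}
  {{- end }}
  {{- with .claimUsername }}
  claimUsername: {{ . | quote }}
  {{- end }}
  {{- with .claimGroups }}
  claimGroups: {{ . | quote }}
  {{- end }}
  {{- end }}{{/* with-oidc */}}
  {{- end }}{{/* if-provider-enabled */}}
{{- end }}{{/* if-needs-credentials-secret */}}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "authentik-application.fullname" . }}-blueprint
  labels:
    {{- include "authentik-application.labels" . | nindent 4 }}
    {{- with .Values.blueprint.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
stringData:
  {{- /* Everything below the block-scalar key is the blueprint's content, so only template
         comments are used there: a "#" line would end up inside blueprint.yaml. Scalars
         taken from values are quoted so digit-only or boolean-looking slugs/names keep
         their string type when authentik parses the blueprint. */}}
  blueprint.yaml: |-
    version: 1
    metadata:
      name: {{ include "authentik-application.fullname" . }}
    entries:
    {{- if .Values.blueprint.provider.enabled }}
    {{- if (eq .Values.blueprint.provider.type "oidc") }}
      - model: authentik_providers_oauth2.OAuth2Provider
        id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) | quote }}
        identifiers:
          name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) | quote }}
        state: present
        attrs:
          authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow | quote }}]]
          {{- with .Values.blueprint.provider.oidc }}
          client_type: {{ .clientType | quote }}
          {{- /* Same values as the credentials Secret above (or the values-supplied ones). */}}
          client_id: {{ $clientID | quote }}
          client_secret: {{ $clientSecret | quote }}
          redirect_uris: {{ .redirectURL | quote }}
          {{- with .tokenDuration }}
          access_token_validity: {{ . | quote }}
          {{- end }}
          {{- with .signingKey }}
          signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . | quote }}]]
          {{- end }}
          {{- with .scopes }}
          property_mappings:
            {{- range . }}
            - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . | quote }}]]
            {{- end }}
          {{- end }}
          {{- end }}{{/* with-oidc */}}
    {{- end }}{{/* if-oidc */}}
    {{- if (eq .Values.blueprint.provider.type "proxy") }}
      - model: authentik_providers_proxy.ProxyProvider
        id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) | quote }}
        identifiers:
          name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) | quote }}
        state: present
        attrs:
          authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow | quote }}]]
          mode: "forward_single"
          {{- with .Values.blueprint.provider.proxy }}
          external_host: {{ .externalHost | quote }}
          skip_path_regex: {{ .skipPathRegex | quote }}
          cookie_domain: {{ .cookieDomain | quote }}
          {{- end }}{{/* with-proxy */}}
    {{- end }}{{/* if-proxy */}}
    {{- end }}{{/* if-provider-enabled */}}
      - model: authentik_core.Application
        id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) | quote }}
        identifiers:
          slug: {{ .Values.blueprint.application.slug | quote }}
        state: present
        attrs:
          name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) | quote }}
          slug: {{ .Values.blueprint.application.slug | quote }}
          {{- if .Values.blueprint.provider.enabled }}
          {{- /* Refers to the provider entry created above by its blueprint id. */}}
          provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) | quote }}
          {{- end }}
          policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode | quote }}
          {{- with .Values.blueprint.application.group }}
          group: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.launchURL }}
          meta_launch_url: {{ . | quote }}
          {{- end }}
          open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
          {{- with .Values.blueprint.application.icon }}
          icon: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.description }}
          meta_description: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.publisher }}
          meta_publisher: {{ . | quote }}
          {{- end }}
    {{- if not .Values.blueprint.groups }}
    {{- /* No explicit groups: create a default "app: <slug>" group and bind it to the
           application, so access is still gated by a policy binding. The binding's pk is
           the generated/stored bindPolicyID from the credentials Secret. */}}
      - model: authentik_core.group
        id: {{ print "app: " .Values.blueprint.application.slug | quote }}
        identifiers:
          name: {{ print "app: " .Values.blueprint.application.slug | quote }}
        state: "present"
        attrs:
          name: {{ print "app: " .Values.blueprint.application.slug | quote }}
      - model: authentik_policies.PolicyBinding
        id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
        identifiers:
          pk: {{ $bindPolicyID | quote }}
        attrs:
          group: !KeyOf {{ print "app: " .Values.blueprint.application.slug | quote }}
          order: 10
          target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug | quote }}]]
    {{- end }}
    {{- /* Explicit groups: one group plus one binding each. Inside "range" the root context
           is "$", hence "$.Values" / "include ... $" below. */}}
    {{- range $group := .Values.blueprint.groups }}
      - model: authentik_core.group
        id: {{ $group.slug | quote }}
        identifiers:
          name: {{ $group.slug | quote }}
        state: {{ $group.state | default "present" | quote }}
        attrs:
          name: {{ $group.slug | quote }}
          {{- with $group.parent }}
          parent: !Find [authentik_core.group, [name, {{ . | quote }}]]
          {{- else }}
          parent: null
          {{- end }}
      - model: authentik_policies.PolicyBinding
        id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
        identifiers:
          {{- /* bindID must be supplied per group; unlike the default binding there is no
                 lookup/generation fallback for it here. */}}
          pk: {{ $group.bindID | quote }}
        attrs:
          group: !KeyOf {{ $group.slug | quote }}
          order: 10
          target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug | quote }}]]
    {{- end }}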