ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI

Browse Source 
- Pin the helm-controller chart version (unset = silent latest upgrades) and
  move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list
  rejected every authorize request. Allow authorization_code + refresh_token
  for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the
  cert-manager HTTP-01 solver keeps working.
This commit is contained in:
Ronni Baslund
2026-06-10 07:53:49 +02:00
parent c814bfdf3b
commit d02eb5ec50
5 changed files with 58 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/production/fleet/authentik/blueprints/operator-application.yaml
+6
View File
@@ -44,6 +44,12 @@ entries:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]] - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id sub_mode: hashed_user_id
issuer_mode: per_provider issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: operator-application - id: operator-application
model: authentik_core.application model: authentik_core.application
infrastructure/production/fleet/authentik/blueprints/portal-application.yaml
+7 -1
View File
@@ -32,13 +32,19 @@ entries:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]] !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris: redirect_uris:
- matching_mode: strict - matching_mode: strict
url: https://app.dezky.eu/api/auth/callback url: https://app.dezky.eu/auth/oidc/callback
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]] - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]] - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]] - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id sub_mode: hashed_user_id
issuer_mode: per_provider issuer_mode: per_provider
# Authentik 2026.5+ enforces a per-provider grant_types allowlist; an empty
# list rejects every authorize request ("Invalid grant_type for provider").
# authorization_code = login; refresh_token = offline_access silent refresh.
grant_types:
- authorization_code
- refresh_token
- id: portal-application - id: portal-application
model: authentik_core.application model: authentik_core.application
infrastructure/production/fleet/authentik/helmchart.yaml
+14 -3
View File
@@ -1,6 +1,6 @@
# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml # Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
# (keep them in sync). Version intentionally unpinned for the first install — # (keep them in sync). valuesContent here is the LIVE source — values.yaml is
# PIN the resolved chart version here once it's up (see RUNBOOK.md). # just a human-readable mirror, not consumed by helm-controller.
# #
# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries # The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom). # AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
@@ -12,12 +12,18 @@ metadata:
spec: spec:
repo: https://charts.goauthentik.io repo: https://charts.goauthentik.io
chart: authentik chart: authentik
# Pinned: helm-controller reconciles on a loop and pulls the LATEST chart when
# version is unset — a successful reconcile would then silently upgrade
# authentik. Keep == the deployed version.
version: 2026.5.2
targetNamespace: dezky-auth targetNamespace: dezky-auth
createNamespace: true createNamespace: true
valuesContent: |- valuesContent: |-
global:
# Image moved under global.image in chart 2026.5.x; the old top-level
# `image:` key now hard-fails the chart's deprecation guard (deprectations.yaml).
image: image:
tag: "2026.5.2" tag: "2026.5.2"
global:
envFrom: envFrom:
- secretRef: - secretRef:
name: authentik-secret name: authentik-secret
@@ -45,6 +51,11 @@ spec:
ingressClassName: traefik ingressClassName: traefik
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
# Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer
# on port 80 at renewal; redirect-https bounces other traffic to HTTPS.
# (Middleware lives in authentik/redirect-middleware.yaml.)
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
hosts: hosts:
- auth.dezky.eu - auth.dezky.eu
paths: paths:
infrastructure/production/fleet/authentik/redirect-middleware.yaml
+21
View File
@@ -0,0 +1,21 @@
# HTTP→HTTPS redirect for the authentik ingress (auth.dezky.eu), in the
# dezky-auth namespace so it can be referenced by the Helm-rendered ingress.
#
# Replaces the former global Traefik entrypoint redirect, which broke ACME
# HTTP-01 (see ../traefik/helmchartconfig.yaml). Attached to the authentik
# router via values.yaml ingress.annotations so the cert-manager solver can
# still answer the challenge on :80 at renewal.
#
# Referenced from the Ingress as: dezky-auth-redirect-https@kubernetescrd
#
# NOTE: applied out-of-band (kubectl apply -f), not part of the authentik Helm
# release — the chart only renders the Deployment/Service/Ingress.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: dezky-auth
spec:
redirectScheme:
scheme: https
permanent: true
infrastructure/production/fleet/authentik/values.yaml
+9 -3
View File
@@ -8,10 +8,11 @@
# pulls latest). After it's up, pin the installed chart + image versions here + # pulls latest). After it's up, pin the installed chart + image versions here +
# in RUNBOOK.md for reproducibility. # in RUNBOOK.md for reproducibility.
image:
tag: "2026.5.2" # deployed version (latest chart as of 2026-06-08)
global: global:
# Image moved under global.image in chart 2026.5.x; the old top-level `image:`
# key now hard-fails the chart's deprecation guard.
image:
tag: "2026.5.2" # deployed version; pinned == spec.version in helmchart.yaml
# AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD, # AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
# AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN # AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
envFrom: envFrom:
@@ -45,6 +46,11 @@ server:
ingressClassName: traefik ingressClassName: traefik
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
# Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
# port 80 at renewal; redirect-https bounces other traffic to HTTPS.
# (Middleware lives in authentik/redirect-middleware.yaml.)
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
hosts: hosts:
- auth.dezky.eu - auth.dezky.eu
paths: paths: