feat(infra): Authentik blueprints (portal+operator OIDC, dezky brand)

Mirror the dev Authentik config in prod via blueprints, applied & successful on node1: - brand.yaml: dezky branding on the default brand (title + signal-green custom CSS) — login page now in dezky colors. - portal-application.yaml / operator-application.yaml: dezky-portal & dezky-operator OIDC apps/providers (prod redirect URLs) + the dezky-platform-admins group & operator access policy. Two 2026.5 gotchas handled + documented in README: - invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find). - ConfigMap mounts are symlinks (discovery can't read them) → worker uses an initContainer that copies them to an emptyDir as real files. (chart worker.volumes didn't apply on this version; patch reverts on helm upgrade — noted as a durability TODO.) Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret; the apps must reuse them.
2026-06-08 19:46:48 +02:00
parent 406e2ca78b
commit db1354a151
6 changed files with 215 additions and 10 deletions
@@ -0,0 +1,77 @@
+# Prod operator OIDC application + dezky-platform-admins access policy.
+# Mirrors infrastructure/docker-compose/configs/authentik/blueprints/
+# operator-application.yaml, with .local → .eu URLs. Applied by the
+# authentik-worker (mounts /blueprints/custom; reads OPERATOR_OIDC_* from env).
+#
+# Provider/app are state:created (never clobber a hand-made live provider);
+# group/policy/binding are state:present (reconcile + enforce on every env).
+version: 1
+metadata:
+  name: dezky-operator-application
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+
+entries:
+  - model: authentik_core.group
+    state: present
+    identifiers:
+      name: dezky-platform-admins
+    attrs:
+      name: dezky-platform-admins
+
+  - id: operator-oauth2-provider
+    model: authentik_providers_oauth2.oauth2provider
+    state: created
+    identifiers:
+      client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
+    attrs:
+      name: dezky-operator
+      client_type: confidential
+      client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
+      client_secret: !Env OPERATOR_OIDC_CLIENT_SECRET
+      authorization_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      signing_key:
+        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
+      redirect_uris:
+        - matching_mode: strict
+          url: https://operator.dezky.eu/auth/oidc/callback
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
+      sub_mode: hashed_user_id
+      issuer_mode: per_provider
+
+  - id: operator-application
+    model: authentik_core.application
+    state: created
+    identifiers:
+      slug: dezky-operator
+    attrs:
+      name: Dezky Operator
+      slug: dezky-operator
+      provider: !KeyOf operator-oauth2-provider
+      meta_launch_url: https://operator.dezky.eu
+      meta_description: Internal Dezky operator control plane. Platform admins only.
+
+  - id: operator-require-platform-admin
+    model: authentik_policies_expression.expressionpolicy
+    state: present
+    identifiers:
+      name: operator-require-platform-admin
+    attrs:
+      name: operator-require-platform-admin
+      expression: |
+        return ak_is_group_member(request.user, name="dezky-platform-admins")
+
+  - model: authentik_policies.policybinding
+    state: present
+    identifiers:
+      target: !KeyOf operator-application
+      policy: !KeyOf operator-require-platform-admin
+    attrs:
+      enabled: true
+      order: 0