ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
99cd86cd3a843293791ecfa0ad49660459705b08
dezky/infrastructure/production/fleet/authentik/blueprints/operator-application.yaml
T
Ronni Baslund db1354a151
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 6s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
feat(infra): Authentik blueprints (portal+operator OIDC, dezky brand) 
Mirror the dev Authentik config in prod via blueprints, applied & successful on
node1:
- brand.yaml: dezky branding on the default brand (title + signal-green custom
  CSS) — login page now in dezky colors.
- portal-application.yaml / operator-application.yaml: dezky-portal &
  dezky-operator OIDC apps/providers (prod redirect URLs) + the
  dezky-platform-admins group & operator access policy.

Two 2026.5 gotchas handled + documented in README:
- invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find).
- ConfigMap mounts are symlinks (discovery can't read them) → worker uses an
  initContainer that copies them to an emptyDir as real files. (chart
  worker.volumes didn't apply on this version; patch reverts on helm upgrade —
  noted as a durability TODO.)

Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret;
the apps must reuse them.
2026-06-08 19:46:48 +02:00

78 lines
2.9 KiB
YAML
Raw Blame History

# Prod operator OIDC application + dezky-platform-admins access policy.
# Mirrors infrastructure/docker-compose/configs/authentik/blueprints/
# operator-application.yaml, with .local → .eu URLs. Applied by the
# authentik-worker (mounts /blueprints/custom; reads OPERATOR_OIDC_* from env).
#
# Provider/app are state:created (never clobber a hand-made live provider);
# group/policy/binding are state:present (reconcile + enforce on every env).
version: 1
metadata:
name: dezky-operator-application
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- model: authentik_core.group
state: present
identifiers:
name: dezky-platform-admins
attrs:
name: dezky-platform-admins
- id: operator-oauth2-provider
model: authentik_providers_oauth2.oauth2provider
state: created
identifiers:
client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
attrs:
name: dezky-operator
client_type: confidential
client_id: !Env [OPERATOR_OIDC_CLIENT_ID, dezky-operator]
client_secret: !Env OPERATOR_OIDC_CLIENT_SECRET
authorization_flow:
!Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
signing_key:
!Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
redirect_uris:
- matching_mode: strict
url: https://operator.dezky.eu/auth/oidc/callback
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
- !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
sub_mode: hashed_user_id
issuer_mode: per_provider
- id: operator-application
model: authentik_core.application
state: created
identifiers:
slug: dezky-operator
attrs:
name: Dezky Operator
slug: dezky-operator
provider: !KeyOf operator-oauth2-provider
meta_launch_url: https://operator.dezky.eu
meta_description: Internal Dezky operator control plane. Platform admins only.
- id: operator-require-platform-admin
model: authentik_policies_expression.expressionpolicy
state: present
identifiers:
name: operator-require-platform-admin
attrs:
name: operator-require-platform-admin
expression: |
return ak_is_group_member(request.user, name="dezky-platform-admins")
- model: authentik_policies.policybinding
state: present
identifiers:
target: !KeyOf operator-application
policy: !KeyOf operator-require-platform-admin
attrs:
enabled: true
order: 0
Reference in New Issue View Git Blame Copy Permalink