db1354a151
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 6s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Mirror the dev Authentik config in prod via blueprints, applied & successful on node1:

- brand.yaml: dezky branding on the default brand (title + signal-green custom CSS) — login page now in dezky colors.
- portal-application.yaml / operator-application.yaml: dezky-portal & dezky-operator OIDC apps/providers (prod redirect URLs) + the dezky-platform-admins group & operator access policy.

Two 2026.5 gotchas handled + documented in README:

- invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find).
- ConfigMap mounts are symlinks (discovery can't read them) → worker uses an initContainer that copies them to an emptyDir as real files. (chart worker.volumes didn't apply on this version; patch reverts on helm upgrade — noted as a durability TODO.)

Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret; the apps must reuse them.
54 lines
2.3 KiB
YAML
```yaml
# Prod customer-portal OIDC application. In dev this provider was made by hand
# (docs/AUTHENTIK-SETUP.md §3.3); captured here as code for prod. Same shape as
# the operator provider (implicit-consent flow, self-signed signing key,
# openid/email/profile, hashed sub, per-provider issuer) but open to ALL users
# (no platform-admin policy) and with the portal's redirect URI.
#
# state:created so a hand-made live provider is never clobbered. The
# authentik-worker reads PORTAL_OIDC_CLIENT_SECRET from env; the SAME secret
# must be given to the portal app (portal-secrets.NUXT_OIDC_CLIENT_SECRET).
version: 1
metadata:
  name: dezky-portal-application
  labels:
    blueprints.goauthentik.io/instantiate: "true"

entries:
  - id: portal-oauth2-provider
    model: authentik_providers_oauth2.oauth2provider
    state: created
    identifiers:
      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
    attrs:
      name: dezky-portal
      client_type: confidential
      client_id: !Env [PORTAL_OIDC_CLIENT_ID, dezky-portal]
      client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
      authorization_flow:
        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      signing_key:
        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
      redirect_uris:
        - matching_mode: strict
          url: https://app.dezky.eu/api/auth/callback
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-openid"]]
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-email"]]
        - !Find [authentik_providers_oauth2.scopemapping, [managed, "goauthentik.io/providers/oauth2/scope-profile"]]
      sub_mode: hashed_user_id
      issuer_mode: per_provider

  - id: portal-application
    model: authentik_core.application
    state: created
    identifiers:
      slug: dezky-portal
    attrs:
      name: Dezky Portal
      slug: dezky-portal
      provider: !KeyOf portal-oauth2-provider
      meta_launch_url: https://app.dezky.eu
      meta_description: Your dezky workspace — mail, files, calendar and more.
```
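Added example, not part of this commit or the repository: a small stdlib-only lint that checks a blueprint file for the provider settings the commit message calls out (`invalidation_flow` present, secrets pulled via `!Env` rather than committed as literals, `client_type: confidential`, https-only redirect URIs with `matching_mode: strict`, `state: created`). It is line-based on purpose so it needs neither PyYAML nor the blueprint tag constructors; it assumes the one-key-per-line layout used above. The two blueprint snippets inside it are constructed test inputs, and `legacy-provider` is a made-up entry id.

```python
"""Lint authentik blueprint files for OAuth2 provider hygiene.

Stdlib only: the blueprint tags (!Env, !Find, !KeyOf) are not valid plain YAML,
so the checks work on lines instead of a parsed tree. Assumes one key per line
at the indentation style used in the repository's blueprint files.
"""
import re

PROVIDER_MODEL = "authentik_providers_oauth2.oauth2provider"
# Keys every OAuth2 provider entry must carry (invalidation_flow is required on 2026.5).
REQUIRED_PROVIDER_KEYS = ("authorization_flow", "invalidation_flow", "signing_key", "client_secret")


def split_entries(text):
    """Yield (model, chunk) for every '- id:' entry in a blueprint."""
    chunks, current = [], []
    for line in text.splitlines():
        if re.match(r"^\s*- id:", line):
            if current:
                chunks.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        chunks.append("\n".join(current))
    for chunk in chunks:
        m = re.search(r"^\s*model:\s*(\S+)", chunk, re.M)
        yield (m.group(1) if m else ""), chunk


def lint_provider(chunk):
    """Return a list of findings for one oauth2provider entry; [] means clean."""
    findings = []
    for key in REQUIRED_PROVIDER_KEYS:
        if not re.search(rf"^\s*{key}:", chunk, re.M):
            findings.append(f"missing {key}")
    if not re.search(r"^\s*client_type:\s*confidential\s*$", chunk, re.M):
        findings.append("client_type is not confidential")
    # The secret must be injected from the environment, never committed as a literal.
    m = re.search(r"^\s*client_secret:\s*(.*)$", chunk, re.M)
    if m and not m.group(1).strip().startswith("!Env"):
        findings.append("client_secret is a literal, not !Env")
    # Redirect URIs: https only, and each one strictly matched (no regex/wildcards).
    urls = re.findall(r"^\s*url:\s*(\S+)", chunk, re.M)
    modes = re.findall(r"^\s*-?\s*matching_mode:\s*(\S+)", chunk, re.M)
    for url in urls:
        if not url.startswith("https://"):
            findings.append(f"non-https redirect {url}")
    if urls and not modes:
        findings.append("redirect_uris without matching_mode")
    for mode in modes:
        if mode != "strict":
            findings.append(f"matching_mode {mode} is not strict")
    # state: created keeps a hand-edited live provider from being overwritten.
    if not re.search(r"^\s*state:\s*created\s*$", chunk, re.M):
        findings.append("state is not created")
    return findings


def lint_blueprint(text):
    """Map each OAuth2 provider entry id to its findings."""
    report = {}
    for model, chunk in split_entries(text):
        if model == PROVIDER_MODEL:
            entry_id = re.search(r"- id:\s*(\S+)", chunk).group(1)
            report[entry_id] = lint_provider(chunk)
    return report


# Constructed sample: the shape of the portal provider above, abbreviated.
GOOD_BLUEPRINT = """\
version: 1
entries:
  - id: portal-oauth2-provider
    model: authentik_providers_oauth2.oauth2provider
    state: created
    attrs:
      client_type: confidential
      client_secret: !Env PORTAL_OIDC_CLIENT_SECRET
      authorization_flow:
        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow:
        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      signing_key:
        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
      redirect_uris:
        - matching_mode: strict
          url: https://app.dezky.eu/api/auth/callback
  - id: portal-application
    model: authentik_core.application
    state: created
"""

# Constructed sample of what the lint should reject (hypothetical entry id).
BAD_BLUEPRINT = """\
entries:
  - id: legacy-provider
    model: authentik_providers_oauth2.oauth2provider
    state: present
    attrs:
      client_type: public
      client_secret: not-a-real-secret-literal
      authorization_flow:
        !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      signing_key:
        !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
      redirect_uris:
        - matching_mode: regex
          url: http://localhost:3000/.*
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_BLUEPRINT), ("bad", BAD_BLUEPRINT)):
        for entry_id, findings in lint_blueprint(text).items():
            print(name, entry_id, findings or "clean")
```

Run it over `blueprints/*.yaml` in CI (before `helm upgrade`) and fail the job on any non-empty finding list; the application entries (`authentik_core.application`) are skipped, since the checks only make sense for providers.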