redeploy authentic policies as code.

This commit is contained in:
2026-03-21 14:00:37 -05:00
parent 9ad585681f
commit c087f32355
26 changed files with 1408 additions and 240 deletions

View File

@@ -0,0 +1,45 @@
# ──────────────────────────────────────────────────────────────────────────────
# Blueprint: Proxmox VE — OIDC Provider + Application
# ──────────────────────────────────────────────────────────────────────────────
version: 1
metadata:
name: mk-labs-proxmox
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- model: authentik_providers_oauth2.oauth2provider
id: proxmox-provider
state: present
identifiers:
name: "Provider for Proxmox VE"
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential
client_id: !Env PROXMOX_OIDC_CLIENT_ID
client_secret: !Env PROXMOX_OIDC_CLIENT_SECRET
redirect_uris:
- url: "https://main-street-usa.local.mk-labs.cloud:8006"
matching_mode: strict
- url: "https://tomorrowland.local.mk-labs.cloud:8006"
matching_mode: strict
- url: "https://fantasyland.local.mk-labs.cloud:8006"
matching_mode: strict
sub_mode: hashed_user_id
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
- model: authentik_core.application
id: proxmox-application
state: present
identifiers:
slug: proxmox
attrs:
name: "Proxmox VE"
provider: !KeyOf proxmox-provider
group: "Infrastructure"
meta_launch_url: "https://main-street-usa.local.mk-labs.cloud:8006"
policy_engine_mode: any

View File

@@ -0,0 +1,40 @@
# ──────────────────────────────────────────────────────────────────────────────
# Blueprint: step-ca — OIDC Provider + Application
# ──────────────────────────────────────────────────────────────────────────────
version: 1
metadata:
name: mk-labs-step-ca
labels:
blueprints.goauthentik.io/instantiate: "true"
entries:
- model: authentik_providers_oauth2.oauth2provider
id: step-ca-provider
state: present
identifiers:
name: "Provider for step-ca"
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential
client_id: !Env STEPCA_OIDC_CLIENT_ID
client_secret: !Env STEPCA_OIDC_CLIENT_SECRET
redirect_uris:
- url: "http://127.0.0.1:10000"
matching_mode: strict
sub_mode: hashed_user_id
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
- model: authentik_core.application
id: step-ca-application
state: present
identifiers:
slug: step-ca
attrs:
name: "step-ca"
provider: !KeyOf step-ca-provider
group: "Infrastructure"
policy_engine_mode: any