feat(authentik): Migrate remaining internal

szinn · Mar 30, 2024 · b75fe4e · b75fe4e
1 parent cdf0b51
commit b75fe4e
Show file tree

Hide file tree

Showing 9 changed files with 79 additions and 78 deletions.
diff --git a/kubernetes/main/apps/monitoring/grafana/app/grafana-secrets.yaml b/kubernetes/main/apps/monitoring/grafana/app/grafana-secrets.yaml
@@ -22,7 +22,7 @@ spec:
         # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
 
         # Authentik
-        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ .AUTHENTIK_CLIENT_ID }}"
+        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "grafana"
         GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .AUTHENTIK_CLIENT_SECRET }}"
 
         # Database configuration

diff --git a/terraform/authentik/app-grafana.tf b/terraform/authentik/app-grafana.tf
@@ -5,19 +5,25 @@ module "onepassword_grafana" {
 }
 
 module "grafana" {
-  source                 = "./modules/oidc-application"
-  name                   = "grafana"
-  domain                 = "grafana.${local.cluster_domain}"
-  group                  = "Monitoring"
-  client_id              = module.onepassword_grafana.fields.AUTHENTIK_CLIENT_ID
-  client_secret          = module.onepassword_grafana.fields.AUTHENTIK_CLIENT_SECRET
+  source = "./modules/oidc-application"
+  name   = "grafana"
+  domain = "grafana.${local.cluster_domain}"
+  group  = "Monitoring"
+
+  client_id     = "grafana"
+  client_secret = module.onepassword_grafana.fields.AUTHENTIK_CLIENT_SECRET
+
   authentication_flow_id = authentik_flow.authentication.uuid
   authorization_flow_id  = data.authentik_flow.default-provider-authorization-implicit-consent.id
-  redirect_uris          = ["https://grafana.${local.cluster_domain}/login/generic_oauth"]
-  access_token_validity  = "hours=4"
-  authentik_domain       = "sso.${local.cluster_domain}"
-  meta_icon              = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/grafana.png"
-  meta_launch_url        = "https://grafana.${local.cluster_domain}/login/generic_oauth"
+
+  redirect_uris = ["https://grafana.${local.cluster_domain}/login/generic_oauth"]
+
+  access_token_validity = "hours=4"
+
+  authentik_domain = local.authentik_domain
+  meta_icon        = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/grafana.png"
+  meta_launch_url  = "https://grafana.${local.cluster_domain}/login/generic_oauth"
+
   property_mappings = [
     data.authentik_scope_mapping.scope-email.id,
     data.authentik_scope_mapping.scope-profile.id,

diff --git a/terraform/authentik/app-hades.tf b/terraform/authentik/app-hades.tf
@@ -4,45 +4,40 @@ module "onepassword_hades" {
   item   = "hades"
 }
 
-resource "authentik_provider_oauth2" "hades" {
-  name                   = "Synology - Hades"
-  access_token_validity  = "hours=4"
-  refresh_token_validity = "days=365"
-
-  client_id     = module.onepassword_hades.fields.AUTHENTIK_CLIENT_ID
+module "hades" {
+  source = "./modules/oidc-application"
+  name   = "Synology - Hades"
+  slug   = "hades"
+  domain = "hades.${local.cluster_domain}"
+  group  = "Infrastructure"
+
+  client_id     = "hades"
   client_secret = module.onepassword_hades.fields.AUTHENTIK_CLIENT_SECRET
 
-  authentication_flow = authentik_flow.authentication.uuid
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
-
-  signing_key = data.authentik_certificate_key_pair.generated.id
+  authentication_flow_id = authentik_flow.authentication.uuid
+  authorization_flow_id  = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [module.onepassword_hades.fields.AUTHENTIK_REDIRECT_URL]
 
+  access_token_validity = "hours=4"
+
+  authentik_domain = local.authentik_domain
+  meta_icon        = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/synology-drive-server.png"
+  meta_launch_url  = module.onepassword_hades.fields.AUTHENTIK_REDIRECT_URL
+
   property_mappings = [
     data.authentik_scope_mapping.scope-email.id,
     data.authentik_scope_mapping.scope-profile.id,
     data.authentik_scope_mapping.scope-openid.id,
   ]
 }
 
-resource "authentik_application" "hades" {
-  name              = "Synology - Hades"
-  slug              = "hades"
-  protocol_provider = authentik_provider_oauth2.hades.id
-  group             = authentik_group.infrastructure.name
-  open_in_new_tab   = true
-
-  meta_icon       = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/synology-drive-server.png"
-  meta_launch_url = module.onepassword_hades.fields.AUTHENTIK_REDIRECT_URL
-}
-
-resource "authentik_group" "hades_user" {
-  name = "Hades User"
+resource "authentik_group" "hades_users" {
+  name = "Hades Users"
 }
 
 resource "authentik_policy_binding" "hades-access-users" {
-  target = authentik_application.hades.uuid
-  group  = authentik_group.hades_user.id
+  target = module.hades.application_id
+  group  = authentik_group.hades_users.id
   order  = 0
 }
diff --git a/terraform/authentik/app-whoami.tf b/terraform/authentik/app-whoami.tf
@@ -8,12 +8,12 @@ module "whoami" {
   meta_icon               = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/libreoffice.png"
 }
 
-resource "authentik_group" "whoami_user" {
-  name = "WhoAmI User"
+resource "authentik_group" "whoami_users" {
+  name = "WhoAmI Users"
 }
 
 resource "authentik_policy_binding" "whoami-access-users" {
   target = module.whoami.application_id
-  group  = authentik_group.whoami_user.id
+  group  = authentik_group.whoami_users.id
   order  = 0
 }
diff --git a/terraform/authentik/app-wikijs.tf b/terraform/authentik/app-wikijs.tf
@@ -4,45 +4,39 @@ module "onepassword_wikijs" {
   item   = "wikijs"
 }
 
-resource "authentik_provider_oauth2" "wikijs" {
-  name                   = "Wiki"
-  access_token_validity  = "hours=4"
-  refresh_token_validity = "days=365"
+module "wikijs" {
+  source = "./modules/oidc-application"
+  name   = "wikijs"
+  domain = "grafana.${local.cluster_domain}"
+  group  = "Applications"
 
-  client_id     = module.onepassword_wikijs.fields.AUTHENTIK_CLIENT_ID
+  client_id     = "wikijs"
   client_secret = module.onepassword_wikijs.fields.AUTHENTIK_CLIENT_SECRET
 
-  authentication_flow = authentik_flow.authentication.uuid
-  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
-
-  signing_key = data.authentik_certificate_key_pair.generated.id
+  authentication_flow_id = authentik_flow.authentication.uuid
+  authorization_flow_id  = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
   redirect_uris = [module.onepassword_wikijs.fields.AUTHENTIK_CALLBACK_URL]
 
+  access_token_validity = "hours=4"
+
+  authentik_domain = local.authentik_domain
+  meta_icon        = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/wikijs.png"
+  meta_launch_url  = "https://wiki.${local.cluster_domain}/login"
+
   property_mappings = [
     data.authentik_scope_mapping.scope-email.id,
     data.authentik_scope_mapping.scope-profile.id,
     data.authentik_scope_mapping.scope-openid.id,
   ]
 }
 
-resource "authentik_application" "wikijs" {
-  name              = "Wiki"
-  slug              = "wikijs"
-  protocol_provider = authentik_provider_oauth2.wikijs.id
-  group             = authentik_group.applications.name
-  open_in_new_tab   = true
-
-  meta_icon       = "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/wikijs.png"
-  meta_launch_url = "https://wiki.${local.cluster_domain}/login"
-}
-
-resource "authentik_group" "wikijs_family" {
-  name = "Family"
+resource "authentik_group" "wikijs_users" {
+  name = "Wiki Users"
 }
 
 resource "authentik_policy_binding" "wikijs-access-users" {
-  target = authentik_application.wikijs.uuid
-  group  = authentik_group.wikijs_family.id
+  target = module.wikijs.application_id
+  group  = authentik_group.wikijs_users.id
   order  = 0
 }
diff --git a/terraform/authentik/directory.tf b/terraform/authentik/directory.tf
@@ -32,9 +32,9 @@ resource "authentik_user" "scotte" {
     data.authentik_group.admins.id,
     authentik_group.users.id,
     authentik_group.grafana_admins.id,
-    authentik_group.wikijs_family.id,
-    authentik_group.hades_user.id,
-    authentik_group.whoami_user.id,
+    authentik_group.wikijs_users.id,
+    authentik_group.hades_users.id,
+    authentik_group.whoami_users.id,
   ]
 }
 
@@ -51,6 +51,6 @@ resource "authentik_user" "sophie" {
   password = module.onepassword_sophie.fields.password
   groups = [
     authentik_group.users.id,
-    authentik_group.wikijs_family.id,
+    authentik_group.wikijs_users.id,
   ]
 }
diff --git a/terraform/authentik/locals.tf b/terraform/authentik/locals.tf
@@ -1,4 +1,5 @@
 
 locals {
-  cluster_domain = module.onepassword_authentik.fields.CLUSTER_DOMAIN
+  cluster_domain   = module.onepassword_authentik.fields.CLUSTER_DOMAIN
+  authentik_domain = "sso.${local.cluster_domain}"
 }
diff --git a/terraform/authentik/modules/oidc-application/main.tf b/terraform/authentik/modules/oidc-application/main.tf
@@ -67,8 +67,13 @@ variable "client_id" {
 }
 
 variable "client_secret" {
-  type        = string
-  sensitive   = true
+  type      = string
+  sensitive = true
+}
+
+variable "signing_key_id" {
+  type    = string
+  default = null
 }
 
 variable "client_type" {
@@ -87,6 +92,10 @@ variable "property_mappings" {
   default = null
 }
 
+data "authentik_certificate_key_pair" "generated" {
+  name = "authentik Self-signed Certificate"
+}
+
 resource "authentik_provider_oauth2" "main" {
   name                   = var.name
   client_id              = var.client_id
@@ -98,6 +107,7 @@ resource "authentik_provider_oauth2" "main" {
   access_token_validity  = var.access_token_validity
   refresh_token_validity = var.refresh_token_validity
   property_mappings      = var.property_mappings
+  signing_key            = coalesce(var.signing_key_id, data.authentik_certificate_key_pair.generated.id)
   lifecycle {
     ignore_changes = [
       signing_key
@@ -109,8 +119,9 @@ resource "authentik_application" "main" {
   name               = title(var.name)
   slug               = coalesce(var.slug, var.name)
   group              = var.group
+  open_in_new_tab    = true
   policy_engine_mode = var.policy_engine_mode
-  meta_launch_url    = var.meta_launch_url
+  meta_launch_url    = coalesce(var.meta_launch_url, "${var.domain}")
   meta_icon          = var.meta_icon
   meta_description   = var.meta_description
   protocol_provider  = authentik_provider_oauth2.main.id

diff --git a/terraform/authentik/system.tf b/terraform/authentik/system.tf
@@ -1,5 +1,3 @@
-# Create/manage a default brand
-
 resource "authentik_brand" "home" {
   domain           = module.onepassword_authentik.fields.CLUSTER_DOMAIN
   branding_title   = "WilZinn World"
@@ -10,7 +8,3 @@ resource "authentik_brand" "home" {
   flow_invalidation   = authentik_flow.invalidation.uuid
   flow_user_settings  = authentik_flow.user-settings.uuid
 }
-
-data "authentik_certificate_key_pair" "generated" {
-  name = "authentik Self-signed Certificate"
-}