feat: working infra with sso

This commit is contained in:
harkon
2025-12-04 12:49:43 +02:00
parent 67de982754
commit 7e54ee9099
13 changed files with 329 additions and 222 deletions


@@ -1,85 +0,0 @@
# Authentik Configuration - Grafana SSO Integration
# Generated: 2025-09-20 07:25:00
# This file contains the Authentik configuration for Grafana OAuth2/OIDC integration
# Apply this blueprint to automate the setup of Grafana SSO with Authentik
version: 1
metadata:
name: AI Tax Agent Grafana SSO Integration
labels:
blueprints.goauthentik.io/generated: "true"
entries:
# Grafana OAuth2 Provider
- attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
name: grafana
client_type: confidential
client_id: grafana
client_secret: ${AUTHENTIK_GRAFANA_CLIENT_SECRET:-changeme-grafana-secret}
redirect_uris:
- https://grafana.${DOMAIN:-local.lan}/login/generic_oauth
sub_mode: hashed_user_id
include_claims_in_id_token: true
issuer_mode: per_provider
signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
- !KeyOf grafana-groups-mapping
conditions: []
identifiers:
name: grafana
model: authentik_providers_oauth2.oauth2provider
permissions: []
state: present
# Custom Groups Mapping for Grafana
- attrs:
name: Grafana Groups Mapping
description: Maps Authentik groups to Grafana roles
scope_name: groups
expression: |
# Map Authentik groups to Grafana roles
groups = []
user_groups = [group.name for group in request.user.ak_groups.all()]
# Admin role mapping
if "authentik Admins" in user_groups or "Administrators" in user_groups:
groups.append("Admin")
# Editor role mapping
if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
groups.append("Editor")
# Viewer role mapping (default for all authenticated users)
groups.append("Viewer")
return {
"groups": groups,
"role": groups[0] if groups else "Viewer" # Primary role
}
conditions: []
identifiers:
name: Grafana Groups Mapping
model: authentik_providers_oauth2.scopemapping
permissions: []
state: present
# Grafana Application
- attrs:
name: Grafana
slug: grafana
provider: !KeyOf grafana
policy_engine_mode: any
meta_description: Grafana monitoring and observability platform
meta_publisher: Grafana Labs
conditions: []
identifiers:
slug: grafana
model: authentik_core.application
permissions: []
state: present


@@ -1,109 +0,0 @@
# Simple Authentik Bootstrap Configuration
# This file configures the basic Authentik setup for AI Tax Agent
version: 1
metadata:
name: AI Tax Agent Simple Bootstrap
entries:
# Create admin user
- model: authentik_core.user
identifiers:
username: admin
attrs:
name: "System Administrator"
email: admin@local.lan
is_active: true
is_staff: true
is_superuser: true
# Create user groups
- model: authentik_core.group
identifiers:
name: "Administrators"
attrs:
is_superuser: true
- model: authentik_core.group
identifiers:
name: "Tax Reviewers"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "Accountants"
attrs:
is_superuser: false
- model: authentik_core.group
identifiers:
name: "Clients"
attrs:
is_superuser: false
# Create OIDC Provider for API services
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "AI Tax Agent API"
attrs:
client_id: "ai-tax-agent-api"
client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
authorization_grant_type: "authorization-code"
client_type: "confidential"
redirect_uris: "https://api.local/auth/callback\nhttps://review.local/auth/callback"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
issuer_mode: "per_provider"
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
# Create OIDC Provider for Grafana
- model: authentik_providers_oauth2.oauth2provider
identifiers:
name: "Grafana"
attrs:
client_id: "grafana"
client_secret:
!Env [AUTHENTIK_GRAFANA_CLIENT_SECRET, "changeme-grafana-secret"]
authorization_grant_type: "authorization-code"
client_type: "confidential"
redirect_uris: "https://grafana.local/login/generic_oauth"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
issuer_mode: "per_provider"
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
# Create Applications
- model: authentik_core.application
identifiers:
name: "AI Tax Agent API"
slug: "ai-tax-agent-api"
attrs:
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "AI Tax Agent API"],
]
meta_launch_url: "https://api.local"
meta_description: "AI Tax Agent API Services"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
- model: authentik_core.application
identifiers:
name: "Grafana"
slug: "grafana"
attrs:
provider:
!Find [authentik_providers_oauth2.oauth2provider, [name, "Grafana"]]
meta_launch_url: "https://grafana.local"
meta_description: "Monitoring and Observability Dashboard"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"