harkon/ai-tax-agent
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: configure production authentik and re-enable auth middleware
Some checks failed
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
Details
CI/CD Pipeline / Policy Validation (push) Has been cancelled
Details
CI/CD Pipeline / Test Suite (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
Details
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
Details
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
Details
CI/CD Pipeline / Notifications (push) Has been cancelled
Details

Browse Source
This commit is contained in:
harkon
2025-12-01 21:35:48 +02:00
parent 18a4496719
commit 8f6562f4bd
3 changed files with 253 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

250
infra/base/authentik/bootstrap-prod.yaml Normal file
View File

@@ -0,0 +1,250 @@
# FILE: infra/base/authentik/bootstrap-prod.yaml
# Authentik Bootstrap for Production (app.harkon.co.uk)
version: 1
metadata:
name: AI Tax Agent — Production Bootstrap
entries:
# --- AI Tax Agent API (Production) -----------------------------------------
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
name: "AI Tax Agent API (Production)"
attrs:
client_id: "ai-tax-agent-api-prod"
client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
authorization_grant_type: "authorization-code"
client_type: "confidential"
issuer_mode: "per_provider"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- matching_mode: strict
url: "https://api.app.harkon.co.uk/auth/callback"
scope_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "openid"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "profile"],
]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "groups"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "offline_access"],
]
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
- model: authentik_core.application
state: present
identifiers:
slug: "ai-tax-agent-api-prod"
attrs:
name: "AI Tax Agent API (Production)"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "AI Tax Agent API (Production)"],
]
meta_launch_url: "https://api.app.harkon.co.uk"
meta_description: "AI Tax Agent API Services (Production)"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- MinIO (Production) ----------------------------------------------------
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
name: "MinIO (Production)"
attrs:
client_id: "minio-prod"
client_secret:
!Env [AUTHENTIK_MINIO_CLIENT_SECRET, "changeme-minio-secret"]
authorization_grant_type: "authorization-code"
client_type: "confidential"
issuer_mode: "per_provider"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- matching_mode: strict
url: "https://minio.app.harkon.co.uk/oauth_callback"
scope_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "openid"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "profile"],
]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "groups"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "offline_access"],
]
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
- model: authentik_core.application
state: present
identifiers:
slug: "minio-prod"
attrs:
name: "MinIO (Production)"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "MinIO (Production)"],
]
meta_launch_url: "https://minio.app.harkon.co.uk"
meta_description: "Object storage console (Production)"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Vault (Production) ----------------------------------------------------
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
name: "Vault (Production)"
attrs:
client_id: "vault-prod"
client_secret:
!Env [AUTHENTIK_VAULT_CLIENT_SECRET, "changeme-vault-secret"]
authorization_grant_type: "authorization-code"
client_type: "confidential"
issuer_mode: "per_provider"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
redirect_uris:
- matching_mode: strict
url: "https://vault.app.harkon.co.uk/ui/vault/auth/oidc/oidc/callback"
- matching_mode: strict
url: "https://vault.app.harkon.co.uk/oidc/callback"
scope_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "openid"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "profile"],
]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "groups"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "offline_access"],
]
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
- model: authentik_core.application
state: present
identifiers:
slug: "vault-prod"
attrs:
name: "Vault (Production)"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "Vault (Production)"],
]
meta_launch_url: "https://vault.app.harkon.co.uk"
meta_description: "Secrets management (Vault) (Production)"
meta_publisher: "AI Tax Agent"
policy_engine_mode: "any"
# --- Grafana (Production) --------------------------------------------------
- model: authentik_providers_oauth2.oauth2provider
state: present
identifiers:
name: "Grafana (Production)"
attrs:
client_id: "grafana-prod"
client_secret:
!Env [AUTHENTIK_GRAFANA_CLIENT_SECRET, "changeme-grafana-secret"]
client_type: "confidential"
redirect_uris: "https://grafana.app.harkon.co.uk/login/generic_oauth"
sub_mode: "hashed_user_id"
include_claims_in_id_token: true
issuer_mode: "per_provider"
signing_key:
!Find [
authentik_crypto.certificatekeypair,
[name, "authentik Self-signed Certificate"],
]
property_mappings:
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "openid"],
]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "profile"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[scope_name, "groups"],
]
- !Find [
authentik_providers_oauth2.scopemapping,
[name, "Grafana Role Mapping"],
]
authorization_flow:
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
invalidation_flow:
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
- model: authentik_core.application
state: present
identifiers:
slug: "grafana-prod"
attrs:
name: "Grafana (Production)"
provider:
!Find [
authentik_providers_oauth2.oauth2provider,
[name, "Grafana (Production)"],
]
meta_launch_url: "https://grafana.app.harkon.co.uk"
meta_description: "Grafana monitoring (Production)"
meta_publisher: "Grafana Labs"
policy_engine_mode: "any"

2
infra/base/infrastructure.yaml
View File

@@ -130,6 +130,8 @@ services:
depends_on:
- apa-authentik-db
- apa-authentik-redis
volumes:
- ./authentik:/templates
apa-authentik-outpost:
image: ghcr.io/goauthentik/proxy:2025.8.3

2
infra/base/services.yaml
View File

@@ -42,7 +42,7 @@ services:
- "traefik.http.routers.svc-ingestion.entrypoints=websecure"
- "traefik.http.routers.svc-ingestion.tls=true"
- "traefik.http.routers.svc-ingestion.tls.certresolver=godaddy"
- "traefik.http.routers.svc-ingestion.middlewares=rate-limit@file,strip-api-prefixes@file"
- "traefik.http.routers.svc-ingestion.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
- "traefik.http.services.svc-ingestion.loadbalancer.server.port=8000"
# Data Extraction Service