From 8f6562f4bd068962bf6389af93fff338855ab384 Mon Sep 17 00:00:00 2001
From: harkon
Date: Mon, 1 Dec 2025 21:35:48 +0200
Subject: [PATCH] feat: configure production authentik and re-enable auth middleware
---
 infra/base/authentik/bootstrap-prod.yaml | 250 +++++++++++++++++++++++
 infra/base/infrastructure.yaml | 2 +
 infra/base/services.yaml | 2 +-
 3 files changed, 253 insertions(+), 1 deletion(-)
 create mode 100644 infra/base/authentik/bootstrap-prod.yaml
diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
new file mode 100644
index 0000000..e99482b
--- /dev/null
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -0,0 +1,250 @@
+# FILE: infra/base/authentik/bootstrap-prod.yaml
+# Authentik Bootstrap for Production (app.harkon.co.uk)
+
+version: 1
+
+metadata:
+ name: AI Tax Agent — Production Bootstrap
+
+entries:
+ # --- AI Tax Agent API (Production) -----------------------------------------
+ - model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: "AI Tax Agent API (Production)"
+ attrs:
+ client_id: "ai-tax-agent-api-prod"
+ client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
+ authorization_grant_type: "authorization-code"
+ client_type: "confidential"
+ issuer_mode: "per_provider"
+ sub_mode: "hashed_user_id"
+ include_claims_in_id_token: true
+ signing_key:
+ !Find [
+ authentik_crypto.certificatekeypair,
+ [name, "authentik Self-signed Certificate"],
+ ]
+ redirect_uris:
+ - matching_mode: strict
+ url: "https://api.app.harkon.co.uk/auth/callback"
+ scope_mappings:
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "openid"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "profile"],
+ ]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "groups"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "offline_access"],
+ ]
+ authorization_flow:
+ !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
+ invalidation_flow:
+ !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
+
+ - model: authentik_core.application
+ state: present
+ identifiers:
+ slug: "ai-tax-agent-api-prod"
+ attrs:
+ name: "AI Tax Agent API (Production)"
+ provider:
+ !Find [
+ authentik_providers_oauth2.oauth2provider,
+ [name, "AI Tax Agent API (Production)"],
+ ]
+ meta_launch_url: "https://api.app.harkon.co.uk"
+ meta_description: "AI Tax Agent API Services (Production)"
+ meta_publisher: "AI Tax Agent"
+ policy_engine_mode: "any"
+
+ # --- MinIO (Production) ----------------------------------------------------
+ - model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: "MinIO (Production)"
+ attrs:
+ client_id: "minio-prod"
+ client_secret:
+ !Env [AUTHENTIK_MINIO_CLIENT_SECRET, "changeme-minio-secret"]
+ authorization_grant_type: "authorization-code"
+ client_type: "confidential"
+ issuer_mode: "per_provider"
+ sub_mode: "hashed_user_id"
+ include_claims_in_id_token: true
+ signing_key:
+ !Find [
+ authentik_crypto.certificatekeypair,
+ [name, "authentik Self-signed Certificate"],
+ ]
+ redirect_uris:
+ - matching_mode: strict
+ url: "https://minio.app.harkon.co.uk/oauth_callback"
+ scope_mappings:
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "openid"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "profile"],
+ ]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "groups"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "offline_access"],
+ ]
+ authorization_flow:
+ !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
+ invalidation_flow:
+ !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
+
+ - model: authentik_core.application
+ state: present
+ identifiers:
+ slug: "minio-prod"
+ attrs:
+ name: "MinIO (Production)"
+ provider:
+ !Find [
+ authentik_providers_oauth2.oauth2provider,
+ [name, "MinIO (Production)"],
+ ]
+ meta_launch_url: "https://minio.app.harkon.co.uk"
+ meta_description: "Object storage console (Production)"
+ meta_publisher: "AI Tax Agent"
+ policy_engine_mode: "any"
+
+ # --- Vault (Production) ----------------------------------------------------
+ - model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: "Vault (Production)"
+ attrs:
+ client_id: "vault-prod"
+ client_secret:
+ !Env [AUTHENTIK_VAULT_CLIENT_SECRET, "changeme-vault-secret"]
+ authorization_grant_type: "authorization-code"
+ client_type: "confidential"
+ issuer_mode: "per_provider"
+ sub_mode: "hashed_user_id"
+ include_claims_in_id_token: true
+ signing_key:
+ !Find [
+ authentik_crypto.certificatekeypair,
+ [name, "authentik Self-signed Certificate"],
+ ]
+ redirect_uris:
+ - matching_mode: strict
+ url: "https://vault.app.harkon.co.uk/ui/vault/auth/oidc/oidc/callback"
+ - matching_mode: strict
+ url: "https://vault.app.harkon.co.uk/oidc/callback"
+ scope_mappings:
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "openid"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "profile"],
+ ]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "groups"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "offline_access"],
+ ]
+ authorization_flow:
+ !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
+ invalidation_flow:
+ !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
+
+ - model: authentik_core.application
+ state: present
+ identifiers:
+ slug: "vault-prod"
+ attrs:
+ name: "Vault (Production)"
+ provider:
+ !Find [
+ authentik_providers_oauth2.oauth2provider,
+ [name, "Vault (Production)"],
+ ]
+ meta_launch_url: "https://vault.app.harkon.co.uk"
+ meta_description: "Secrets management (Vault) (Production)"
+ meta_publisher: "AI Tax Agent"
+ policy_engine_mode: "any"
+
+ # --- Grafana (Production) --------------------------------------------------
+ - model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: "Grafana (Production)"
+ attrs:
+ client_id: "grafana-prod"
+ client_secret:
+ !Env [AUTHENTIK_GRAFANA_CLIENT_SECRET, "changeme-grafana-secret"]
+ client_type: "confidential"
+ redirect_uris: "https://grafana.app.harkon.co.uk/login/generic_oauth"
+ sub_mode: "hashed_user_id"
+ include_claims_in_id_token: true
+ issuer_mode: "per_provider"
+ signing_key:
+ !Find [
+ authentik_crypto.certificatekeypair,
+ [name, "authentik Self-signed Certificate"],
+ ]
+ property_mappings:
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "openid"],
+ ]
+ - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "profile"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [scope_name, "groups"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scopemapping,
+ [name, "Grafana Role Mapping"],
+ ]
+ authorization_flow:
+ !Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
+ invalidation_flow:
+ !Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
+
+ - model: authentik_core.application
+ state: present
+ identifiers:
+ slug: "grafana-prod"
+ attrs:
+ name: "Grafana (Production)"
+ provider:
+ !Find [
+ authentik_providers_oauth2.oauth2provider,
+ [name, "Grafana (Production)"],
+ ]
+ meta_launch_url: "https://grafana.app.harkon.co.uk"
+ meta_description: "Grafana monitoring (Production)"
+ meta_publisher: "Grafana Labs"
+ policy_engine_mode: "any"
diff --git a/infra/base/infrastructure.yaml b/infra/base/infrastructure.yaml
index f00e9c5..5a4a790 100644
--- a/infra/base/infrastructure.yaml
+++ b/infra/base/infrastructure.yaml
@@ -130,6 +130,8 @@ services:
 depends_on:
 - apa-authentik-db
 - apa-authentik-redis
+ volumes:
+ - ./authentik:/templates
 apa-authentik-outpost:
 image: ghcr.io/goauthentik/proxy:2025.8.3
diff --git a/infra/base/services.yaml b/infra/base/services.yaml
index 974da98..2fddf43 100644
--- a/infra/base/services.yaml
+++ b/infra/base/services.yaml
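Review bot: Every `client_secret` in this file carries a placeholder fallback (`!Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]` and the MinIO, Vault and Grafana equivalents), so a production deploy where the variable is unset provisions a confidential OAuth2 client whose secret is the literal string committed in this repository; drop the second list element (`client_secret: !Env AUTHENTIK_API_CLIENT_SECRET`) and have the deploy fail when the variable is missing instead of falling back. The Grafana provider is also written differently from the other three: it uses `property_mappings` where the others use `scope_mappings`, and a scalar `redirect_uris` where the others use a list of `matching_mode`/`url` objects — only one spelling per pair can match the provider serializer of the authentik version deployed, so whichever is wrong will be rejected or silently dropped on apply; verify with a dry run of the blueprint. The `!Find` on `[name, "Grafana Role Mapping"]` resolves to null unless that mapping is created by another blueprint. None of the four applications binds a policy, and with `policy_engine_mode: "any"` that presumably leaves the Vault and MinIO consoles reachable by any authenticated user; a group policy binding per application would be the usual restriction.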
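Review bot: The new `volumes` entry mounts `./authentik` at `/templates` read-write, but authentik discovers blueprints under `/blueprints` (or the directory named by `AUTHENTIK_BLUEPRINTS_DIR`) and uses `/templates` for custom email templates, so unless something outside this diff applies `bootstrap-prod.yaml` explicitly the bootstrap presumably never runs; if auto-apply is the intent, mount into the blueprints tree, e.g. `- ./authentik:/blueprints/custom:ro`. Either way the mount should be read-only (`:ro`), since the container has no reason to write back into the repository checkout. The service stanza this `volumes` key belongs to starts above the hunk.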
@@ -42,7 +42,7 @@ services:
 - "traefik.http.routers.svc-ingestion.entrypoints=websecure"
 - "traefik.http.routers.svc-ingestion.tls=true"
 - "traefik.http.routers.svc-ingestion.tls.certresolver=godaddy"
- - "traefik.http.routers.svc-ingestion.middlewares=rate-limit@file,strip-api-prefixes@file"
+ - "traefik.http.routers.svc-ingestion.middlewares=authentik-forwardauth@file,rate-limit@file,strip-api-prefixes@file"
 - "traefik.http.services.svc-ingestion.loadbalancer.server.port=8000"
 # Data Extraction Service
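Review bot: The middleware chain now runs `authentik-forwardauth@file` before `rate-limit@file`, so every unauthenticated request is forwarded to the authentik outpost before any throttling applies; Traefik applies middlewares in listed order, so putting the cheap check first — `- "traefik.http.routers.svc-ingestion.middlewares=rate-limit@file,authentik-forwardauth@file,strip-api-prefixes@file"` — keeps the outpost behind the limiter. The middleware must exist under that exact name in the file provider's dynamic configuration, which is not part of this diff; Traefik disables a router that references an unknown middleware, so a typo there would make the ingestion service unreachable rather than unauthenticated. Only the svc-ingestion router is changed here, while the commit message says auth middleware is re-enabled, so confirm the other routers in this file carry the same entry. The svc-ingestion service stanza starts above the hunk.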