586f79e5d0
Some checks failed
CI/CD Pipeline / Notifications (push) Has been cancelled
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
CI/CD Pipeline / Policy Validation (push) Has been cancelled
CI/CD Pipeline / Test Suite (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
377 lines
12 KiB
YAML
377 lines
12 KiB
YAML
# FILE: infra/base/authentik/bootstrap-prod.yaml
|
|
# Authentik Bootstrap for Production (app.harkon.co.uk)
|
|
|
|
version: 1
|
|
|
|
metadata:
|
|
name: AI Tax Agent — Production Bootstrap
|
|
|
|
entries:
|
|
# --- Groups first (so the admin user can reference them) -------------------
|
|
- model: authentik_core.group
|
|
state: present
|
|
identifiers:
|
|
name: "Administrators"
|
|
attrs:
|
|
is_superuser: true
|
|
|
|
- model: authentik_core.group
|
|
state: present
|
|
identifiers:
|
|
name: "Tax Reviewers"
|
|
attrs:
|
|
is_superuser: false
|
|
|
|
- model: authentik_core.group
|
|
state: present
|
|
identifiers:
|
|
name: "Accountants"
|
|
attrs:
|
|
is_superuser: false
|
|
|
|
- model: authentik_core.group
|
|
state: present
|
|
identifiers:
|
|
name: "Clients"
|
|
attrs:
|
|
is_superuser: false
|
|
|
|
# --- Admin user ------------------------------------------------------------
|
|
- model: authentik_core.user
|
|
state: present
|
|
identifiers:
|
|
username: admin
|
|
attrs:
|
|
name: "System Administrator"
|
|
email: admin@app.harkon.co.uk
|
|
is_active: true
|
|
is_staff: true
|
|
is_superuser: true
|
|
groups:
|
|
- !Find [authentik_core.group, [name, "Administrators"]]
|
|
|
|
# --- Scope mappings (find existing ones and get stable IDs) -----------------
|
|
- id: scope_groups
|
|
model: authentik_providers_oauth2.scopemapping
|
|
identifiers:
|
|
scope_name: groups
|
|
attrs:
|
|
name: "groups"
|
|
expression: |
|
|
return {
|
|
"groups": [group.name for group in request.user.ak_groups.all()]
|
|
}
|
|
|
|
# --- AI Tax Agent API (Production) -----------------------------------------
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
state: present
|
|
identifiers:
|
|
name: "AI Tax Agent API (Production)"
|
|
attrs:
|
|
client_id: "ai-tax-agent-api-prod"
|
|
client_secret: !Env [AUTHENTIK_API_CLIENT_SECRET, "changeme-api-secret"]
|
|
authorization_grant_type: "authorization-code"
|
|
client_type: "confidential"
|
|
issuer_mode: "per_provider"
|
|
sub_mode: "hashed_user_id"
|
|
include_claims_in_id_token: true
|
|
signing_key:
|
|
!Find [
|
|
authentik_crypto.certificatekeypair,
|
|
[name, "authentik Self-signed Certificate"],
|
|
]
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: "https://api.app.harkon.co.uk/auth/callback"
|
|
scope_mappings:
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-openid"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-profile"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-email"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[scope_name, "groups"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
|
|
]
|
|
authorization_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
|
|
invalidation_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
|
|
|
|
- model: authentik_core.application
|
|
state: present
|
|
identifiers:
|
|
slug: "ai-tax-agent-api-prod"
|
|
attrs:
|
|
name: "AI Tax Agent API (Production)"
|
|
provider:
|
|
!Find [
|
|
authentik_providers_oauth2.oauth2provider,
|
|
[name, "AI Tax Agent API (Production)"],
|
|
]
|
|
meta_launch_url: "https://api.app.harkon.co.uk"
|
|
meta_description: "AI Tax Agent API Services (Production)"
|
|
meta_publisher: "AI Tax Agent"
|
|
policy_engine_mode: "any"
|
|
|
|
# --- MinIO (Production) ----------------------------------------------------
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
state: present
|
|
identifiers:
|
|
name: "MinIO (Production)"
|
|
attrs:
|
|
client_id: "minio-prod"
|
|
client_secret:
|
|
!Env [AUTHENTIK_MINIO_CLIENT_SECRET, "changeme-minio-secret"]
|
|
authorization_grant_type: "authorization-code"
|
|
client_type: "confidential"
|
|
issuer_mode: "per_provider"
|
|
sub_mode: "hashed_user_id"
|
|
include_claims_in_id_token: true
|
|
signing_key:
|
|
!Find [
|
|
authentik_crypto.certificatekeypair,
|
|
[name, "authentik Self-signed Certificate"],
|
|
]
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: "https://minio.app.harkon.co.uk/oauth_callback"
|
|
scope_mappings:
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-openid"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-profile"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-email"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[scope_name, "groups"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
|
|
]
|
|
authorization_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
|
|
invalidation_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
|
|
|
|
- model: authentik_core.application
|
|
state: present
|
|
identifiers:
|
|
slug: "minio-prod"
|
|
attrs:
|
|
name: "MinIO (Production)"
|
|
provider:
|
|
!Find [
|
|
authentik_providers_oauth2.oauth2provider,
|
|
[name, "MinIO (Production)"],
|
|
]
|
|
meta_launch_url: "https://minio.app.harkon.co.uk"
|
|
meta_description: "Object storage console (Production)"
|
|
meta_publisher: "AI Tax Agent"
|
|
policy_engine_mode: "any"
|
|
|
|
# --- Vault (Production) ----------------------------------------------------
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
state: present
|
|
identifiers:
|
|
name: "Vault (Production)"
|
|
attrs:
|
|
client_id: "vault-prod"
|
|
client_secret:
|
|
!Env [AUTHENTIK_VAULT_CLIENT_SECRET, "changeme-vault-secret"]
|
|
authorization_grant_type: "authorization-code"
|
|
client_type: "confidential"
|
|
issuer_mode: "per_provider"
|
|
sub_mode: "hashed_user_id"
|
|
include_claims_in_id_token: true
|
|
signing_key:
|
|
!Find [
|
|
authentik_crypto.certificatekeypair,
|
|
[name, "authentik Self-signed Certificate"],
|
|
]
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: "https://vault.app.harkon.co.uk/ui/vault/auth/oidc/oidc/callback"
|
|
- matching_mode: strict
|
|
url: "https://vault.app.harkon.co.uk/oidc/callback"
|
|
scope_mappings:
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-openid"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-profile"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-email"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[scope_name, "groups"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-offline_access"],
|
|
]
|
|
authorization_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
|
|
invalidation_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
|
|
|
|
- model: authentik_core.application
|
|
state: present
|
|
identifiers:
|
|
slug: "vault-prod"
|
|
attrs:
|
|
name: "Vault (Production)"
|
|
provider:
|
|
!Find [
|
|
authentik_providers_oauth2.oauth2provider,
|
|
[name, "Vault (Production)"],
|
|
]
|
|
meta_launch_url: "https://vault.app.harkon.co.uk"
|
|
meta_description: "Secrets management (Vault) (Production)"
|
|
meta_publisher: "AI Tax Agent"
|
|
policy_engine_mode: "any"
|
|
|
|
# --- Grafana (Production) --------------------------------------------------
|
|
- model: authentik_providers_oauth2.oauth2provider
|
|
state: present
|
|
identifiers:
|
|
name: "Grafana (Production)"
|
|
attrs:
|
|
client_id: "grafana-prod"
|
|
client_secret:
|
|
!Env [AUTHENTIK_GRAFANA_CLIENT_SECRET, "changeme-grafana-secret"]
|
|
client_type: "confidential"
|
|
redirect_uris:
|
|
- matching_mode: strict
|
|
url: "https://grafana.app.harkon.co.uk/login/generic_oauth"
|
|
sub_mode: "hashed_user_id"
|
|
include_claims_in_id_token: true
|
|
issuer_mode: "per_provider"
|
|
signing_key:
|
|
!Find [
|
|
authentik_crypto.certificatekeypair,
|
|
[name, "authentik Self-signed Certificate"],
|
|
]
|
|
property_mappings:
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-openid"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-email"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[managed, "goauthentik.io/providers/oauth2/scope-profile"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[scope_name, "groups"],
|
|
]
|
|
- !Find [
|
|
authentik_providers_oauth2.scopemapping,
|
|
[name, "Grafana Role Mapping"],
|
|
]
|
|
authorization_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-authentication-flow"]]
|
|
invalidation_flow:
|
|
!Find [authentik_flows.flow, [slug, "default-invalidation-flow"]]
|
|
|
|
- model: authentik_core.application
|
|
state: present
|
|
identifiers:
|
|
slug: "grafana-prod"
|
|
attrs:
|
|
name: "Grafana (Production)"
|
|
provider:
|
|
!Find [
|
|
authentik_providers_oauth2.oauth2provider,
|
|
[name, "Grafana (Production)"],
|
|
]
|
|
meta_launch_url: "https://grafana.app.harkon.co.uk"
|
|
meta_description: "Grafana monitoring (Production)"
|
|
meta_publisher: "Grafana Labs"
|
|
policy_engine_mode: "any"
|
|
|
|
# --- Policies --------------------------------------------------------------
|
|
- model: authentik_policies_expression.expressionpolicy
|
|
state: present
|
|
identifiers:
|
|
name: "Always Allow"
|
|
attrs:
|
|
expression: "return True"
|
|
|
|
- model: authentik_policies.policybinding
|
|
state: present
|
|
identifiers:
|
|
policy:
|
|
!Find [
|
|
authentik_policies_expression.expressionpolicy,
|
|
[name, "Always Allow"],
|
|
]
|
|
target:
|
|
!Find [authentik_core.application, [slug, "ai-tax-agent-api-prod"]]
|
|
attrs:
|
|
order: 0
|
|
|
|
- model: authentik_policies.policybinding
|
|
state: present
|
|
identifiers:
|
|
policy:
|
|
!Find [
|
|
authentik_policies_expression.expressionpolicy,
|
|
[name, "Always Allow"],
|
|
]
|
|
target: !Find [authentik_core.application, [slug, "minio-prod"]]
|
|
attrs:
|
|
order: 0
|
|
|
|
- model: authentik_policies.policybinding
|
|
state: present
|
|
identifiers:
|
|
policy:
|
|
!Find [
|
|
authentik_policies_expression.expressionpolicy,
|
|
[name, "Always Allow"],
|
|
]
|
|
target: !Find [authentik_core.application, [slug, "vault-prod"]]
|
|
attrs:
|
|
order: 0
|
|
|
|
- model: authentik_policies.policybinding
|
|
state: present
|
|
identifiers:
|
|
policy:
|
|
!Find [
|
|
authentik_policies_expression.expressionpolicy,
|
|
[name, "Always Allow"],
|
|
]
|
|
target: !Find [authentik_core.application, [slug, "grafana-prod"]]
|
|
attrs:
|
|
order: 0
|