authentik, minio: initial integration with blueprints for admin policy

2024-12-21 00:42:22 -08:00
parent 1be4868f09
commit dbdd2cfe11
5 changed files with 155 additions and 111 deletions
--- a/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
@@ -12,6 +12,13 @@ entries:
      "ui_group": "Services",
      "allowed_for_groups": ["admins"],
    },
+    "Minio": {
+      "redirect_uri": "https://minio."~ domain ~"/oauth_callback",
+      "icon": "https://minio."~ domain ~"/logo192.png",
+      "client_secret": auth_minio_client_secret,
+      "ui_group": "Services",
+      "allowed_for_groups": ["admins"],
+    },
    "Gitea": {
      "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
      "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
@@ -42,9 +49,15 @@ entries:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+        {% if app == "Minio" -%}
+        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
+        {%- endif %}
+
      redirect_uris:
        - matching_mode: strict
          url: {{ apps[app]["redirect_uri"] }}
+      # Necessary for JWKS to be generated correctly
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]

  - identifiers:
      slug: {{ app | lower }}
--- a/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
+++ b/roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2
@@ -8,6 +8,8 @@ entries:
      name: "admins"
    model: authentik_core.group
    id: "admins"
+    attrs:
+      is_superuser: true

  - identifiers:
      name: "users"
@@ -21,3 +23,18 @@ entries:
    attrs:
      arrstack_username: "arr"
      arrstack_password: "{{ arrstack_password }}"
+
+  - identifiers:
+      scope_name: "minio"
+    model: authentik_providers_oauth2.scopemapping
+    id: "scope-minio"
+    attrs:
+      name: "Minio Policy"
+      expression: |
+        policy = "default"
+        if ak_is_group_member(request.user, name="admins"):
+            policy = "consoleAdmin"
+
+        return {
+          "policy": policy,
+        }
--- a/roles/alpina/templates/services/minio/.env.minio.j2
+++ b/roles/alpina/templates/services/minio/.env.minio.j2
@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
 MINIO_SERVER_URL=https://s3.{{ domain }}
 MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}

-#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
-#MINIO_IDENTITY_OPENID_CLIENT_ID=
-#MINIO_IDENTITY_OPENID_CLIENT_SECRET=
-#MINIO_IDENTITY_OPENID_CLAIM_NAME=
-#MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
-#MINIO_IDENTITY_OPENID_SCOPES=
-#MINIO_IDENTITY_OPENID_REDIRECT_URI=
+# https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
+MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
+MINIO_IDENTITY_OPENID_CLIENT_ID=minio
+MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
+# defaults to "policy"
+#MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
+MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
+# no need to specify scopes,
+# as it defaults to the ones advertised at the discovery url
+#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
+#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
+#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
 #MINIO_IDENTITY_OPENID_COMMENT=