blumeops/argocd/manifests/authentik/configmap-blueprint.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-blueprints
  namespace: authentik
data:
  grafana.yaml: |
    version: 1
    metadata:
      name: BlumeOps Grafana SSO
      labels:
        blueprints.goauthentik.io/description: "Grafana OIDC provider and application"
    entries:
      # admins group — gates access to admin-only applications
      - model: authentik_core.group
        id: admins-group
        identifiers:
          name: admins
        attrs:
          name: admins

      # OAuth2 provider for Grafana
      - model: authentik_providers_oauth2.oauth2provider
        id: grafana-provider
        identifiers:
          name: Grafana
        attrs:
          name: Grafana
          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
          client_type: confidential
          client_id: grafana
          client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET
          redirect_uris:
            - matching_mode: strict
              url: https://grafana.ops.eblu.me/login/generic_oauth
            - matching_mode: strict
              url: https://grafana.tail8d86e.ts.net/login/generic_oauth
          signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
          property_mappings:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
          sub_mode: hashed_user_id
          include_claims_in_id_token: true

      # Grafana application — linked to the OAuth2 provider
      - model: authentik_core.application
        id: grafana-app
        identifiers:
          slug: grafana
        attrs:
          name: Grafana
          slug: grafana
          provider: !KeyOf grafana-provider
          meta_launch_url: https://grafana.ops.eblu.me
          policy_engine_mode: any

      # Policy binding — restrict Grafana to admins group
      - model: authentik_policies.policybinding
        identifiers:
          order: 0
          target: !KeyOf grafana-app
          group: !KeyOf admins-group
        attrs:
          target: !KeyOf grafana-app
          group: !KeyOf admins-group
          order: 0
          enabled: true
          negate: false
          timeout: 30
Deploy Authentik identity provider (C2 Mikado) (#227) ## Summary C2 Mikado chain for deploying Authentik as the SSO identity provider, replacing Dex. This PR will evolve over multiple sessions. Each iteration adds documentation (prerequisite cards) and eventually code as leaf nodes are resolved. ## Current Mikado State - Goal: `deploy-authentik` (active) - Leaf prerequisites: - `build-authentik-container` — Build Nix container image - `provision-authentik-database` — Create PostgreSQL database on CNPG cluster - `create-authentik-secrets` — Create 1Password item with credentials ## Process refinements - Updated agent-change-process with lessons from first attempt: reset code before committing cards, open PRs early ## Test plan - [ ] `mise run docs-mikado` shows correct dependency chain - [ ] Leaf nodes can be worked independently - [ ] Container builds on ringtail - [ ] Authentik starts and reaches healthy state - [ ] Forgejo OAuth2 connector works Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/227 2026-02-20 12:55:59 -08:00			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: authentik-blueprints`
			`namespace: authentik`
			`data:`
			`grafana.yaml: \|`
			`version: 1`
			`metadata:`
			`name: BlumeOps Grafana SSO`
			`labels:`
			`blueprints.goauthentik.io/description: "Grafana OIDC provider and application"`
			`entries:`
			`# admins group — gates access to admin-only applications`
			`- model: authentik_core.group`
			`id: admins-group`
			`identifiers:`
			`name: admins`
			`attrs:`
			`name: admins`

			`# OAuth2 provider for Grafana`
			`- model: authentik_providers_oauth2.oauth2provider`
			`id: grafana-provider`
			`identifiers:`
			`name: Grafana`
			`attrs:`
			`name: Grafana`
			`authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]`
			`invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]`
			`client_type: confidential`
			`client_id: grafana`
			`client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET`
			`redirect_uris:`
			`- matching_mode: strict`
			`url: https://grafana.ops.eblu.me/login/generic_oauth`
			`- matching_mode: strict`
			`url: https://grafana.tail8d86e.ts.net/login/generic_oauth`
			`signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]`
			`property_mappings:`
			`- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]`
			`- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]`
			`- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]`
			`sub_mode: hashed_user_id`
			`include_claims_in_id_token: true`

			`# Grafana application — linked to the OAuth2 provider`
			`- model: authentik_core.application`
			`id: grafana-app`
			`identifiers:`
			`slug: grafana`
			`attrs:`
			`name: Grafana`
			`slug: grafana`
			`provider: !KeyOf grafana-provider`
			`meta_launch_url: https://grafana.ops.eblu.me`
			`policy_engine_mode: any`

			`# Policy binding — restrict Grafana to admins group`
			`- model: authentik_policies.policybinding`
			`identifiers:`
			`order: 0`
			`target: !KeyOf grafana-app`
			`group: !KeyOf admins-group`
			`attrs:`
			`target: !KeyOf grafana-app`
			`group: !KeyOf admins-group`
			`order: 0`
			`enabled: true`
			`negate: false`
			`timeout: 30`