--- apiVersion: v1 kind: ConfigMap metadata: name: authentik-blueprints namespace: authentik data: common.yaml: | version: 1 metadata: name: BlumeOps Common Identity labels: blueprints.goauthentik.io/description: "Shared groups and identity resources" entries: # admins group — gates access to admin-only applications - model: authentik_core.group id: admins-group identifiers: name: admins attrs: name: admins mfa.yaml: | version: 1 metadata: name: BlumeOps MFA Enforcement labels: blueprints.goauthentik.io/description: "Require MFA on default authentication flow" entries: # Require MFA — force_setup prompts users without MFA to enroll. - model: authentik_stages_authenticator_validate.authenticatorvalidatestage identifiers: name: default-authentication-mfa-validation attrs: not_configured_action: configure device_classes: - totp - webauthn - static configuration_stages: - !Find [authentik_stages_authenticator_totp.authenticatortotpstage, [name, default-authenticator-totp-setup]] - !Find [authentik_stages_authenticator_static.authenticatorstaticstage, [name, default-authenticator-static-setup]] grafana.yaml: | version: 1 metadata: name: BlumeOps Grafana SSO labels: blueprints.goauthentik.io/description: "Grafana OIDC provider and application" entries: # OAuth2 provider for Grafana - model: authentik_providers_oauth2.oauth2provider id: grafana-provider identifiers: name: Grafana attrs: name: Grafana authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] client_type: confidential client_id: grafana client_secret: !Env AUTHENTIK_GRAFANA_CLIENT_SECRET redirect_uris: - matching_mode: strict url: https://grafana.ops.eblu.me/login/generic_oauth - matching_mode: strict url: https://grafana.tail8d86e.ts.net/login/generic_oauth signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] property_mappings: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] sub_mode: hashed_user_id include_claims_in_id_token: true # Grafana application — linked to the OAuth2 provider - model: authentik_core.application id: grafana-app identifiers: slug: grafana attrs: name: Grafana slug: grafana provider: !KeyOf grafana-provider meta_launch_url: https://grafana.ops.eblu.me policy_engine_mode: any # Policy binding — restrict Grafana to admins group - model: authentik_policies.policybinding identifiers: order: 0 target: !KeyOf grafana-app group: !Find [authentik_core.group, [name, admins]] attrs: target: !KeyOf grafana-app group: !Find [authentik_core.group, [name, admins]] order: 0 enabled: true negate: false timeout: 30 forgejo.yaml: | version: 1 metadata: name: BlumeOps Forgejo SSO labels: blueprints.goauthentik.io/description: "Forgejo OIDC provider and application" entries: # OAuth2 provider for Forgejo - model: authentik_providers_oauth2.oauth2provider id: forgejo-provider identifiers: name: Forgejo attrs: name: Forgejo authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] client_type: confidential client_id: forgejo client_secret: !Env AUTHENTIK_FORGEJO_CLIENT_SECRET redirect_uris: - matching_mode: strict url: https://forge.ops.eblu.me/user/oauth2/authentik/callback signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] property_mappings: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] sub_mode: hashed_user_id include_claims_in_id_token: true # Forgejo application — linked to the OAuth2 provider - model: authentik_core.application id: forgejo-app identifiers: slug: forgejo attrs: name: Forgejo slug: forgejo provider: !KeyOf forgejo-provider meta_launch_url: https://forge.ops.eblu.me policy_engine_mode: any # Policy binding — restrict Forgejo to admins group - model: authentik_policies.policybinding identifiers: order: 0 target: !KeyOf forgejo-app group: !Find [authentik_core.group, [name, admins]] attrs: target: !KeyOf forgejo-app group: !Find [authentik_core.group, [name, admins]] order: 0 enabled: true negate: false timeout: 30 zot.yaml: | version: 1 metadata: name: BlumeOps Zot SSO labels: blueprints.goauthentik.io/description: "Zot OIDC provider, application, and CI identity" entries: # artifact-workloads group (CI push identity) - model: authentik_core.group id: artifact-workloads-group identifiers: name: artifact-workloads attrs: name: artifact-workloads # Service account for CI push (admin sets password via UI after deploy) - model: authentik_core.user id: zot-ci-user identifiers: username: zot-ci attrs: username: zot-ci name: Zot CI Service Account type: service_account is_active: true groups: - !KeyOf artifact-workloads-group # OAuth2 provider for Zot - model: authentik_providers_oauth2.oauth2provider id: zot-provider identifiers: name: Zot attrs: name: Zot authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] client_type: confidential client_id: zot client_secret: !Env AUTHENTIK_ZOT_CLIENT_SECRET redirect_uris: - matching_mode: strict url: https://registry.ops.eblu.me/zot/auth/callback/oidc signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]] property_mappings: - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] sub_mode: hashed_user_id include_claims_in_id_token: true # Zot application — linked to the OAuth2 provider - model: authentik_core.application id: zot-app identifiers: slug: zot attrs: name: Zot Registry slug: zot provider: !KeyOf zot-provider meta_launch_url: https://registry.ops.eblu.me policy_engine_mode: any # Policy binding — allow admins group access to Zot - model: authentik_policies.policybinding identifiers: order: 0 target: !KeyOf zot-app group: !Find [authentik_core.group, [name, admins]] attrs: target: !KeyOf zot-app group: !Find [authentik_core.group, [name, admins]] order: 0 enabled: true negate: false timeout: 30 # Policy binding — allow artifact-workloads group access to Zot (CI push) - model: authentik_policies.policybinding identifiers: order: 1 target: !KeyOf zot-app group: !KeyOf artifact-workloads-group attrs: target: !KeyOf zot-app group: !KeyOf artifact-workloads-group order: 1 enabled: true negate: false timeout: 30