feat(crossplane/genmachine): Authentik OIDC SSO for crossview#1739
Open
ixxeL2097 wants to merge 2 commits into
Conversation
- Enable OIDC SSO via config.sso.oidc pointing to Authentik on genmachine
issuer: authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/
callbackURL: crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
- Reference OIDCClientSecret via secretKeyRef → crossview-oidc secret
- Add ExternalSecret crossview-oidc pulling CLIENT_SECRET from Vault at
crossview/oidc/genmachine (separate from credentials secret)
- clientId left empty: fill in after creating the Authentik OAuth2 provider
Steps before sync:
1. Create OAuth2/OIDC provider in Authentik (genmachine):
- Application slug: fullstack-crossview
- Redirect URI: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
2. Add to Vault at crossview/oidc/genmachine: CLIENT_SECRET=<client_secret>
3. Update clientId in this file with the generated client ID
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--- main/crossplane_gitops_manifests_crossplane_genmachine_manifest_main.yaml 2026-05-13 11:24:25.855353317 +0000
+++ pr/crossplane_gitops_manifests_crossplane_genmachine_manifest_pr.yaml 2026-05-13 11:24:24.768358884 +0000
@@ -113,27 +113,27 @@
DB_SSL_ROOT_CERT: ""
DB_SSL_CERT: ""
DB_SSL_KEY: ""
PORT: "3001"
AUTH_MODE: "session"
AUTH_TRUSTED_HEADER: "X-Auth-User"
AUTH_CREATE_USERS: "true"
AUTH_DEFAULT_ROLE: "viewer"
LOG_LEVEL: "info"
CORS_ORIGIN: "https://crossview.talos-genmachine.fredcorp.com"
- OIDC_ENABLED: "false"
- OIDC_ISSUER: "http://localhost:8080/realms/crossview"
+ OIDC_ENABLED: "true"
+ OIDC_ISSUER: "https://authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/"
OIDC_CLIENT_ID: "crossview-client"
OIDC_AUTHORIZATION_URL: ""
OIDC_TOKEN_URL: ""
OIDC_USERINFO_URL: ""
- OIDC_CALLBACK_URL: "http://localhost:3001/api/auth/oidc/callback"
+ OIDC_CALLBACK_URL: "https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback"
OIDC_SCOPE: "openid profile email"
OIDC_USERNAME_ATTRIBUTE: "preferred_username"
OIDC_EMAIL_ATTRIBUTE: "email"
OIDC_FIRSTNAME_ATTRIBUTE: "given_name"
OIDC_LASTNAME_ATTRIBUTE: "family_name"
SAML_ENABLED: "false"
SAML_ENTRY_POINT: "http://localhost:8080/realms/crossview/protocol/saml"
SAML_ISSUER: "crossview"
SAML_CALLBACK_URL: "http://localhost:3001/api/auth/saml/callback"
SAML_USERNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
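Review bot: OIDC_CLIENT_ID still renders as the placeholder "crossview-client" in this ConfigMap at the same time OIDC_ENABLED flips to "true"; the real value only wins because a second env entry with the same name is appended later in the container spec, so anyone reading the ConfigMap (or a future chart version that reorders env) sees a wrong client ID. Suggest rendering it empty here (`OIDC_CLIENT_ID: ""`) so the secret-backed entry is the single source. Also, OIDC_AUTHORIZATION_URL, OIDC_TOKEN_URL and OIDC_USERINFO_URL stay empty, which only works if crossview resolves them from the issuer's discovery document; a sentence in the PR body saying so would save the next reader a check.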
@@ -1437,20 +1437,26 @@
- name: OIDC_ISSUER
valueFrom:
configMapKeyRef:
name: crossplane-crossview-config
key: OIDC_ISSUER
- name: OIDC_CLIENT_ID
valueFrom:
configMapKeyRef:
name: crossplane-crossview-config
key: OIDC_CLIENT_ID
+ - name: OIDC_CLIENT_SECRET
+
+ valueFrom:
+ secretKeyRef:
+ name: "crossview-oidc"
+ key: "client-secret"
- name: OIDC_AUTHORIZATION_URL
valueFrom:
configMapKeyRef:
name: crossplane-crossview-config
key: OIDC_AUTHORIZATION_URL
- name: OIDC_TOKEN_URL
valueFrom:
configMapKeyRef:
name: crossplane-crossview-config
key: OIDC_TOKEN_URL
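Review bot: the new OIDC_CLIENT_SECRET entry has a stray blank `+` line between `- name: OIDC_CLIENT_SECRET` and `valueFrom:`; YAML tolerates it, but it is the only env entry rendered that way and it suggests a formatting glitch in the values file. While here, the quoted `name: "crossview-oidc"` / `key: "client-secret"` style differs from the unquoted secretKeyRef added further down; pick one.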
@@ -1546,20 +1552,25 @@
valueFrom:
secretKeyRef:
name: "crossview-credentials"
key: "admin-password"
- name: SESSION_SECRET
valueFrom:
secretKeyRef:
name: "crossview-credentials"
key: "session-secret"
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: client-id
+ name: crossview-oidc
livenessProbe:
failureThreshold: 3
httpGet:
path: /api/health
port: 3001
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
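Review bot: this appends a second env entry named OIDC_CLIENT_ID (secretKeyRef crossview-oidc/client-id) after the ConfigMap-backed one from the hunk above, relying on the kubelet taking the last definition of a duplicated name. That works today, but it is fragile: a chart change that emits extraEnv earlier silently reverts the client ID to the ConfigMap placeholder with no error. Prefer removing the ConfigMap-backed entry (render it empty in the chart) or teaching the chart to source clientId from a Secret. Minor: the key order here is `key:` before `name:`, the reverse of every other secretKeyRef in this file.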
@@ -1862,20 +1873,45 @@
property: ADMIN_PASSWORD
- secretKey: db-password
remoteRef:
key: crossview/credentials/genmachine
property: DB_PASSWORD
- secretKey: session-secret
remoteRef:
key: crossview/credentials/genmachine
property: SESSION_SECRET
---
+# Source: crossplane/templates/externalsecret.yaml
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: crossview-oidc
+ namespace: crossplane
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: admin
+ target:
+ name: crossview-oidc
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: crossview/oidc/genmachine
+ property: CLIENT_ID
+ - secretKey: client-secret
+ remoteRef:
+ key: crossview/oidc/genmachine
+ property: CLIENT_SECRET
+---
# Source: crossplane/charts/crossview/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
name: "crossplane-crossview-test-connection"
labels:
helm.sh/chart: crossview-4.3.0
app.kubernetes.io/name: crossview
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "v4.3.0"
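Review bot: the new ExternalSecret only materialises a Secret once Vault holds both CLIENT_ID and CLIENT_SECRET at crossview/oidc/genmachine, and the container's secretKeyRef entries are not marked `optional: true`, so syncing this before the Vault step in the PR body leaves the pod in CreateContainerConfigError rather than degrading gracefully. Also, both values reach the container as env vars read at start: with refreshInterval 1h, a rotated client secret in Vault updates the Secret but not the running pod until it is restarted (reloader annotation or manual rollout). Worth stating both in the PR body.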
…print
- Add Authentik blueprint 130-oidc-crossview.yaml: creates confidential OAuth2/OIDC provider genmachine-crossview, application slug fullstack-crossview, redirect URI crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
- Register blueprint in genmachine kustomization.yaml configMapGenerator
- Add client-id key to crossview-oidc ExternalSecret (crossview/oidc/genmachine)
- Inject OIDC_CLIENT_ID via app.extraEnv from crossview-oidc secret instead of plain ConfigMap value (chart routes clientId through ConfigMap only; extraEnv appended last in container spec overrides it at runtime)
- Remove clientId placeholder from config.sso.oidc (managed entirely from Vault)
After Authentik sync: retrieve client_id + client_secret from Authentik UI and provision Vault at crossview/oidc/genmachine: CLIENT_ID, CLIENT_SECRET
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
5248ff3 to 5c29049
ixxeL2097 added a commit that referenced this pull request on May 14, 2026
… cards (#1777)
All 4 services are accessible via external URL without Authentik proxy:
- Hubble (Networking Talos): Cilium network observability UI
- Renovate (Infrastructure Talos): automated dependency updates operator
- Crossview (Infrastructure Talos): Crossplane UI (OIDC via Authentik, PR #1739)
- Komoplane (Infrastructure Talos): Crossplane dashboard by Komodorio
No dedicated Homepage widgets exist for any of these — siteMonitor-only cards. Icons: renovate.png + cilium.png (walkxcode); mdi- fallback for crossview/komoplane.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Adds Authentik OIDC SSO to crossview on genmachine, with the Authentik provider created declaratively via blueprint.
Changes
- authentik/genmachine/blueprints/130-oidc-crossview.yaml (new): Authentik blueprint that creates the OAuth2/OIDC provider genmachine-crossview: callback /api/auth/oidc/callback, application slug fullstack-crossview (matches the configured issuer URL)
- kustomization.yaml: blueprint added to the authentik-blueprints ConfigMap
- crossplane/genmachine/templates/externalsecret.yaml: ExternalSecret crossview-oidc completed with client-id (in addition to client-secret), both pulled from Vault at crossview/oidc/genmachine
- crossplane/genmachine/genmachine-values.yaml:
  - config.sso.oidc: OIDC enabled, issuer/callbackURL/scope/attributes configured, without a hardcoded clientId
  - app.extraEnv: injects OIDC_CLIENT_ID from the crossview-oidc secret; the chart routes clientId only via ConfigMap, extraEnv is placed last in the container spec and overrides the value at runtime
  - secrets.OIDCClientSecret: still via secretKeyRef → crossview-oidc
Auth flow
Steps before syncing
1. Let ArgoCD sync the Authentik blueprint
The blueprint creates the provider automatically with a generated client_id and client_secret.
2. Retrieve the credentials in the Authentik UI
authentik.talos-genmachine.fredcorp.com → Applications → genmachine-crossview → copy client_id and client_secret.
3. Provision Vault
4. ArgoCD sync crossplane → ESO creates the crossview-oidc secret → crossview starts with OIDC enabled.
🤖 Generated with Claude Code
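The pre-sync steps above, and the extraEnv override that the second commit relies on, can be checked offline before ArgoCD touches the cluster. The script below is an added example written for this page; it is not code from the repository, the crossview chart, or External Secrets Operator. It resolves the container env list the way the kubelet does (a later entry with the same name replaces an earlier one), confirms every secretKeyRef is produced by an ExternalSecret target, and compares the issuer and callback URL with the redirect URI registered on the Authentik provider. The manifest fragments (CONFIGMAP, CONTAINER_ENV, EXTERNAL_SECRETS) and the AUTHENTIK_REDIRECT_URI constant are hand-constructed from the rendered diff and commit messages in this PR, not read from a cluster; the function names are this example's own.

```python
"""Offline pre-sync check for the crossview OIDC wiring in this PR.

Added example, not code from the repository or the crossview chart. The
manifest fragments below are constructed by hand from the rendered diff on
this page; swap in `kubectl get deploy/cm/externalsecret -o json` output to
check a live namespace.
"""
from urllib.parse import urlparse

# Constructed from the ConfigMap hunk of the rendered diff.
CONFIGMAP = {
    "OIDC_ENABLED": "true",
    "OIDC_ISSUER": "https://authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/",
    "OIDC_CLIENT_ID": "crossview-client",  # placeholder the chart still renders
    "OIDC_CALLBACK_URL": "https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback",
}

# Constructed container env list, in rendered order: chart-managed entries
# first, app.extraEnv appended last (the ordering the PR relies on).
CONTAINER_ENV = [
    {"name": "OIDC_ISSUER", "valueFrom": {"configMapKeyRef": {"name": "crossplane-crossview-config", "key": "OIDC_ISSUER"}}},
    {"name": "OIDC_CLIENT_ID", "valueFrom": {"configMapKeyRef": {"name": "crossplane-crossview-config", "key": "OIDC_CLIENT_ID"}}},
    {"name": "OIDC_CLIENT_SECRET", "valueFrom": {"secretKeyRef": {"name": "crossview-oidc", "key": "client-secret"}}},
    {"name": "OIDC_CALLBACK_URL", "valueFrom": {"configMapKeyRef": {"name": "crossplane-crossview-config", "key": "OIDC_CALLBACK_URL"}}},
    {"name": "SESSION_SECRET", "valueFrom": {"secretKeyRef": {"name": "crossview-credentials", "key": "session-secret"}}},
    {"name": "OIDC_CLIENT_ID", "valueFrom": {"secretKeyRef": {"name": "crossview-oidc", "key": "client-id"}}},
]

# Constructed from the ExternalSecret hunks: target Secret name -> keys it produces.
EXTERNAL_SECRETS = {
    "crossview-oidc": ["client-id", "client-secret"],
    "crossview-credentials": ["admin-password", "db-password", "session-secret"],
}

# Redirect URI registered on the Authentik provider (from the PR's blueprint commit).
AUTHENTIK_REDIRECT_URI = "https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback"


def effective_env(env_list):
    """Resolve duplicate names as the kubelet does: the list is walked in order
    and a later entry with the same name replaces the earlier one.
    Returns ({name: (kind, ref_name, key_or_value)}, [names that were shadowed])."""
    resolved, shadowed = {}, []
    for entry in env_list:
        name = entry["name"]
        if name in resolved:
            shadowed.append(name)
        value_from = entry.get("valueFrom", {})
        if "secretKeyRef" in value_from:
            ref = value_from["secretKeyRef"]
            resolved[name] = ("secret", ref["name"], ref["key"])
        elif "configMapKeyRef" in value_from:
            ref = value_from["configMapKeyRef"]
            resolved[name] = ("configmap", ref["name"], ref["key"])
        else:
            resolved[name] = ("literal", None, entry.get("value", ""))
    return resolved, shadowed


def unsatisfied_secret_refs(resolved, external_secrets):
    """secretKeyRefs not produced by any ExternalSecret target. Without
    `optional: true` the kubelet will not start the container until the
    Secret and key exist (CreateContainerConfigError)."""
    return sorted(
        (ref_name, key)
        for kind, ref_name, key in resolved.values()
        if kind == "secret" and key not in external_secrets.get(ref_name, [])
    )


def oidc_url_findings(configmap, redirect_uri):
    """Issuer and callback must be https, the issuer must use Authentik's
    per-application form ending in '/', and the callback must equal the
    redirect URI registered on the provider."""
    findings = []
    issuer = urlparse(configmap["OIDC_ISSUER"])
    if issuer.scheme != "https":
        findings.append("OIDC_ISSUER is not https")
    if not issuer.path.endswith("/"):
        findings.append("OIDC_ISSUER lacks the trailing slash of Authentik's .../application/o/<slug>/ issuer")
    callback = configmap["OIDC_CALLBACK_URL"]
    if urlparse(callback).scheme != "https":
        findings.append("OIDC_CALLBACK_URL is not https")
    if callback != redirect_uri:
        findings.append("OIDC_CALLBACK_URL does not match the redirect URI registered in Authentik")
    return findings


def run_checks(configmap=CONFIGMAP, env=CONTAINER_ENV,
               external_secrets=EXTERNAL_SECRETS, redirect_uri=AUTHENTIK_REDIRECT_URI):
    """Aggregate findings; an empty list means the wiring is consistent.
    A shadowed env name is reported because the override works only while
    the chart keeps extraEnv last in the container spec."""
    resolved, shadowed = effective_env(env)
    findings = oidc_url_findings(configmap, redirect_uri)
    for name in shadowed:
        kind, ref_name, key = resolved[name]
        findings.append(f"{name} is defined more than once; effective source is {kind} {ref_name}/{key}")
    for ref_name, key in unsatisfied_secret_refs(resolved, external_secrets):
        findings.append(f"secretKeyRef {ref_name}/{key} is not produced by any ExternalSecret")
    return findings


if __name__ == "__main__":
    for line in run_checks() or ["OK: no findings"]:
        print(line)
```

Run against the constructed input it reports exactly one finding, the duplicated OIDC_CLIENT_ID whose effective source is the crossview-oidc Secret, which is the behaviour the PR depends on and the thing most worth re-checking after any chart upgrade. Dropping the crossview-oidc entry from EXTERNAL_SECRETS reproduces the "synced before Vault was provisioned" state as two unsatisfied secretKeyRefs.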