From e81f01bfffe270cf35064fd29733f16553e6c066 Mon Sep 17 00:00:00 2001
From: ixxeL2097
Date: Wed, 13 May 2026 13:18:41 +0200
Subject: [PATCH 1/2] feat(crossplane/genmachine): add Authentik OIDC SSO to crossview
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Enable OIDC SSO via config.sso.oidc pointing to Authentik on genmachine issuer: authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/ callbackURL: crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
- Reference OIDCClientSecret via secretKeyRef → crossview-oidc secret
- Add ExternalSecret crossview-oidc pulling CLIENT_SECRET from Vault at crossview/oidc/genmachine (separate from credentials secret)
- clientId left empty: fill in after creating the Authentik OAuth2 provider
Steps before sync:
1. Create OAuth2/OIDC provider in Authentik (genmachine):
- Application slug: fullstack-crossview
- Redirect URI: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
2. Add to Vault at crossview/oidc/genmachine: CLIENT_SECRET=
3. Update clientId in this file with the generated client ID
Co-Authored-By: Claude Sonnet 4.6
---
 .../genmachine/genmachine-values.yaml | 15 ++++++++++++++
 .../genmachine/templates/externalsecret.yaml | 20 +++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/gitops/manifests/crossplane/genmachine/genmachine-values.yaml b/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
index 0168fc3a1..6e2b24b14 100644
--- a/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
@@ -39,6 +39,17 @@ crossview:
 server:
 cors:
 origin: https://crossview.talos-genmachine.fredcorp.com
+ sso:
+ oidc:
+ enabled: true
+ issuer: https://authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/
+ clientId: '' # fill in after creating the Authentik provider
+ callbackURL: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
+ scope: openid profile email
+ usernameAttribute: preferred_username
+ emailAttribute: email
+ firstNameAttribute: given_name
+ lastNameAttribute: family_name
 secrets:
 adminUsername:
@@ -57,6 +68,10 @@ crossview:
 secretKeyRef:
 name: crossview-credentials
 key: session-secret
+ OIDCClientSecret:
+ secretKeyRef:
+ name: crossview-oidc
+ key: client-secret
 ingress:
 enabled: true
diff --git a/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml b/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
index eead710bd..7afdc57d7 100644
--- a/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
+++ b/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
@@ -30,3 +30,23 @@ spec:
 remoteRef:
 key: crossview/credentials/genmachine
 property: SESSION_SECRET
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: crossview-oidc
+ namespace: crossplane
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: admin
+ target:
+ name: crossview-oidc
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ data:
+ - secretKey: client-secret
+ remoteRef:
+ key: crossview/oidc/genmachine
+ property: CLIENT_SECRET
From 5656af3aa4223320f43a4431d13ecd17d9a88036 Mon Sep 17 00:00:00 2001
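Review bot: The new `crossview-oidc` ExternalSecret in the `@@ -30,3 +30,23 @@` hunk pairs `creationPolicy: Owner` with `deletionPolicy: Retain`, so deleting the ExternalSecret leaves a Secret holding the live OIDC client secret in the `crossplane` namespace with nothing managing it; if that mirrors the existing crossview-credentials resource it is at least consistent, but decommissioning then needs an explicit cleanup step. Separately, `refreshInterval: 1h` only refreshes the Secret object: the value is consumed through a `secretKeyRef` env var in the `@@ -57,6 +68,10 @@` hunk, so a rotated `CLIENT_SECRET` in Vault reaches the crossview process only after its pods are restarted. A comment on the ExternalSecret such as `# CLIENT_SECRET is injected as an env var: rotating it in Vault needs a rollout restart of crossview` would make that visible to whoever performs the rotation.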
From: ixxeL2097
Date: Wed, 13 May 2026 13:23:44 +0200
Subject: [PATCH 2/2] feat(crossplane/genmachine): crossview OIDC SSO with Authentik + blueprint

- Add Authentik blueprint 130-oidc-crossview.yaml: creates confidential OAuth2/OIDC provider genmachine-crossview, application slug fullstack-crossview, redirect URI crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
- Register blueprint in genmachine kustomization.yaml configMapGenerator
- Add client-id key to crossview-oidc ExternalSecret (crossview/oidc/genmachine)
- Inject OIDC_CLIENT_ID via app.extraEnv from crossview-oidc secret instead of plain ConfigMap value (chart routes clientId through ConfigMap only; extraEnv appended last in container spec overrides it at runtime)
- Remove clientId placeholder from config.sso.oidc (managed entirely from Vault)
After Authentik sync: retrieve client_id + client_secret from Authentik UI and provision Vault at crossview/oidc/genmachine: CLIENT_ID, CLIENT_SECRET
Co-Authored-By: Claude Sonnet 4.6
---
 .../blueprints/130-oidc-crossview.yaml | 43 +++++++++++++++++++
 .../genmachine/blueprints/kustomization.yaml | 1 +
 .../genmachine/genmachine-values.yaml | 9 +++-
 .../genmachine/templates/externalsecret.yaml | 4 ++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 gitops/manifests/authentik/genmachine/blueprints/130-oidc-crossview.yaml

diff --git a/gitops/manifests/authentik/genmachine/blueprints/130-oidc-crossview.yaml b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-crossview.yaml
new file mode 100644
index 000000000..c419e0ec4
--- /dev/null
+++ b/gitops/manifests/authentik/genmachine/blueprints/130-oidc-crossview.yaml
@@ -0,0 +1,43 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+# yamllint disable
+---
+version: 1
+metadata:
+ name: genmachine-crossview
+entries:
+ - id: provider
+ model: authentik_providers_oauth2.oauth2provider
+ state: present
+ identifiers:
+ name: genmachine-crossview
+ attrs:
+ authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+ invalidation_flow: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+ signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+ client_type: confidential
+ redirect_uris:
+ - url: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
+ matching_mode: strict
+
+ access_code_validity: minutes=1
+ access_token_validity: hours=1
+ refresh_token_validity: hours=2
+
+ sub_mode: hashed_user_id
+ property_mappings:
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'openid'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'profile'"]]
+ - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'email'"]]
+
+ - id: application
+ model: authentik_core.application
+ state: present
+ identifiers:
+ name: genmachine-crossview
+ attrs:
+ name: genmachine-crossview
+ group: Infrastructure
+ meta_description: crossview
+ provider: !Find [authentik_providers_oauth2.oauth2provider, [name, genmachine-crossview]]
+ policy_engine_mode: any
+ slug: fullstack-crossview
diff --git a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
index 4a50196ff..ecbc4ee50 100644
--- a/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
+++ b/gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml
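Review bot: The `application` entry sets `policy_engine_mode: any` but binds no policy to the application, so every authenticated Authentik user on genmachine can complete the authorization flow and land on crossview's OIDC callback; the `group: Infrastructure` attr is only the launcher grouping and does not restrict access. If sign-in is meant for an operator group, add an `authentik_policies.policybinding` entry targeting the application and state the intended audience in a comment above the entry, so the open default reads as a decision rather than an omission. Independently, the blueprint sets neither `client_id` nor `client_secret`, so Authentik generates them on first apply and the manual Vault step from the commit message is a hard prerequisite for the `crossview-oidc` ExternalSecret to sync; a header comment such as `# client_id/client_secret are generated by Authentik on first sync; copy them to Vault at crossview/oidc/genmachine before crossview can log in` would keep that dependency next to the resource that creates it.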
@@ -21,3 +21,4 @@ configMapGenerator:
 - ./enrollment.yaml
 - ./010-users.yaml
 - ./110-embedded-outpost.yaml
+ - ./130-oidc-crossview.yaml
diff --git a/gitops/manifests/crossplane/genmachine/genmachine-values.yaml b/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
index 6e2b24b14..0749ef212 100644
--- a/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
+++ b/gitops/manifests/crossplane/genmachine/genmachine-values.yaml
@@ -43,7 +43,6 @@ crossview:
 oidc:
 enabled: true
 issuer: https://authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/
- clientId: '' # fill in after creating the Authentik provider
 callbackURL: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
 scope: openid profile email
 usernameAttribute: preferred_username
@@ -51,6 +50,14 @@ crossview:
 firstNameAttribute: given_name
 lastNameAttribute: family_name
+ app:
+ extraEnv:
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: crossview-oidc
+ key: client-id
+
 secrets:
 adminUsername:
 secretKeyRef:
diff --git a/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml b/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
index 7afdc57d7..bc32e501b 100644
--- a/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
+++ b/gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml
@@ -46,6 +46,10 @@ spec:
 creationPolicy: Owner
 deletionPolicy: Retain
 data:
+ - secretKey: client-id
+ remoteRef:
+ key: crossview/oidc/genmachine
+ property: CLIENT_ID
 - secretKey: client-secret
 remoteRef:
 key: crossview/oidc/genmachine
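Review bot: The `app.extraEnv` entry in the `@@ -51,6 +50,14 @@` hunk silently shadows the chart's own `OIDC_CLIENT_ID`, and nothing in the values file says so; the override only holds while the chart keeps rendering `extraEnv` after the ConfigMap-sourced variable, since Kubernetes accepts duplicate `env` names and the later entry is the effective one (an `env` entry would win over `envFrom` regardless of order, but the commit message suggests the chart emits a plain `env` value), so a chart upgrade that reorders the container spec would quietly put an empty client id back in place. A comment above the stanza such as `# Overrides the chart's ConfigMap-routed OIDC_CLIENT_ID: the chart has no secretKeyRef path for clientId, and extraEnv renders last in the container env` keeps the reason with the config, and inspecting the rendered container env order after chart bumps (e.g. via `helm template`) would catch a regression. The `clientId` removal in the `@@ -43,7 +43,6 @@` hunk depends on this override being in effect.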