feat(crossplane/genmachine): Authentik OIDC SSO for crossview

gitops/manifests/authentik/genmachine/blueprints/130-oidc-crossview.yaml

@@ -0,0 +1,43 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+# yamllint disable
+---
+version: 1
+metadata:
+  name: genmachine-crossview
+entries:
+  - id: provider
+    model: authentik_providers_oauth2.oauth2provider
+    state: present
+    identifiers:
+      name: genmachine-crossview
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+      client_type: confidential
+      redirect_uris:
+        - url: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
+          matching_mode: strict
+
+      access_code_validity: minutes=1
+      access_token_validity: hours=1
+      refresh_token_validity: hours=2
+
+      sub_mode: hashed_user_id
+      property_mappings:
+        - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'openid'"]]
+        - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'profile'"]]
+        - !Find [authentik_core.propertymapping, [name, "authentik default OAuth Mapping: OpenID 'email'"]]
+
+  - id: application
+    model: authentik_core.application
+    state: present
+    identifiers:
+      name: genmachine-crossview
+    attrs:
+      name: genmachine-crossview
+      group: Infrastructure
+      meta_description: crossview
+      provider: !Find [authentik_providers_oauth2.oauth2provider, [name, genmachine-crossview]]
+      policy_engine_mode: any
+      slug: fullstack-crossview

gitops/manifests/authentik/genmachine/blueprints/kustomization.yaml

@@ -21,3 +21,4 @@ configMapGenerator:
       - ./enrollment.yaml
       - ./010-users.yaml
       - ./110-embedded-outpost.yaml
+      - ./130-oidc-crossview.yaml

gitops/manifests/crossplane/genmachine/genmachine-values.yaml

@@ -39,6 +39,24 @@ crossview:
     server:
       cors:
         origin: https://crossview.talos-genmachine.fredcorp.com
+    sso:
+      oidc:
+        enabled: true
+        issuer: https://authentik.talos-genmachine.fredcorp.com/application/o/fullstack-crossview/
+        callbackURL: https://crossview.talos-genmachine.fredcorp.com/api/auth/oidc/callback
+        scope: openid profile email
+        usernameAttribute: preferred_username
+        emailAttribute: email
+        firstNameAttribute: given_name
+        lastNameAttribute: family_name
+
+  app:
+    extraEnv:
+      - name: OIDC_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            name: crossview-oidc
+            key: client-id
 
   secrets:
     adminUsername:
@@ -57,6 +75,10 @@ crossview:
       secretKeyRef:
         name: crossview-credentials
         key: session-secret
+    OIDCClientSecret:
+      secretKeyRef:
+        name: crossview-oidc
+        key: client-secret
 
   ingress:
     enabled: true

gitops/manifests/crossplane/genmachine/templates/externalsecret.yaml

@@ -30,3 +30,27 @@ spec:
       remoteRef:
         key: crossview/credentials/genmachine
         property: SESSION_SECRET
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crossview-oidc
+  namespace: crossplane
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: admin
+  target:
+    name: crossview-oidc
+    creationPolicy: Owner
+    deletionPolicy: Retain
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: crossview/oidc/genmachine
+        property: CLIENT_ID
+    - secretKey: client-secret
+      remoteRef:
+        key: crossview/oidc/genmachine
+        property: CLIENT_SECRET