put

2026-02-27 02:57:37 +00:00
commit f98b15fe73
16 changed files with 2385 additions and 0 deletions
--- a/elk-k8s-deployment/scripts/configure-authentik-oidc.sh
+++ b/elk-k8s-deployment/scripts/configure-authentik-oidc.sh
@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# =============================================================================
+# configure-authentik-oidc.sh
+# Configures Authentik with an OIDC Provider and Application for Kibana SSO
+# Run AFTER Authentik is fully started and accessible
+# =============================================================================
+set -euo pipefail
+
+AUTHENTIK_URL="${1:-http://localhost:9000}"
+BOOTSTRAP_TOKEN="${2:-bootstrap-token-elk-lab-2024}"
+KIBANA_URL="https://kibana.elk.local:30443"
+
+AUTH_HEADER="Authorization: Bearer ${BOOTSTRAP_TOKEN}"
+CT="Content-Type: application/json"
+
+echo "=== Configuring Authentik OIDC for Kibana ==="
+echo "Authentik URL: ${AUTHENTIK_URL}"
+
+# Wait for Authentik
+echo ">>> Waiting for Authentik API..."
+until curl -sf "${AUTHENTIK_URL}/-/health/ready/" > /dev/null 2>&1; do
+  echo "  Waiting..."
+  sleep 5
+done
+echo "  Authentik is ready!"
+
+# --- Step 1: Create a Certificate-Key Pair (optional, for signed JWTs) ---
+echo ">>> Creating certificate key pair..."
+CERT_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/crypto/certificatekeypairs/generate/" \
+  -H "${AUTH_HEADER}" -H "${CT}" \
+  -d '{
+    "common_name": "kibana-oidc-signing",
+    "subject_alt_name": "kibana.elk.local",
+    "validity_days": 365
+  }' 2>/dev/null || echo '{}')
+CERT_ID=$(echo "$CERT_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
+echo "  Certificate ID: ${CERT_ID:-skipped}"
+
+# --- Step 2: Create Scope Mappings (if not already present) ---
+echo ">>> Checking scope mappings..."
+SCOPES_RESP=$(curl -sf "${AUTHENTIK_URL}/api/v3/propertymappings/scope/?ordering=scope_name" \
+  -H "${AUTH_HEADER}" 2>/dev/null || echo '{"results":[]}')
+
+# --- Step 3: Create OIDC Provider ---
+echo ">>> Creating OIDC Provider for Kibana..."
+PROVIDER_BODY=$(cat <<PROVIDER_JSON
+{
+  "name": "Kibana OIDC Provider",
+  "authorization_flow": "default-provider-authorization-implicit-consent",
+  "client_type": "confidential",
+  "client_id": "kibana",
+  "client_secret": "kibana-client-secret-2024",
+  "redirect_uris": "${KIBANA_URL}/api/security/oidc/callback",
+  "signing_key": ${CERT_ID:+\"$CERT_ID\"}${CERT_ID:-null},
+  "sub_mode": "user_username",
+  "issuer_mode": "per_provider",
+  "access_code_validity": "minutes=1",
+  "access_token_validity": "minutes=5",
+  "refresh_token_validity": "days=30"
+}
+PROVIDER_JSON
+)
+
+PROVIDER_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/providers/oauth2/" \
+  -H "${AUTH_HEADER}" -H "${CT}" \
+  -d "${PROVIDER_BODY}" 2>/dev/null || echo '{}')
+PROVIDER_ID=$(echo "$PROVIDER_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('pk',''))" 2>/dev/null || echo "")
+
+if [ -z "$PROVIDER_ID" ]; then
+  echo "  Provider may already exist, looking it up..."
+  PROVIDER_ID=$(curl -sf "${AUTHENTIK_URL}/api/v3/providers/oauth2/?search=Kibana" \
+    -H "${AUTH_HEADER}" | python3 -c "import sys,json; r=json.load(sys.stdin)['results']; print(r[0]['pk'] if r else '')" 2>/dev/null || echo "")
+fi
+echo "  Provider ID: ${PROVIDER_ID}"
+
+# --- Step 4: Create Application ---
+echo ">>> Creating Kibana Application..."
+APP_RESP=$(curl -sf -X POST "${AUTHENTIK_URL}/api/v3/core/applications/" \
+  -H "${AUTH_HEADER}" -H "${CT}" \
+  -d "{
+    \"name\": \"Kibana\",
+    \"slug\": \"kibana\",
+    \"provider\": ${PROVIDER_ID},
+    \"meta_launch_url\": \"${KIBANA_URL}\",
+    \"meta_description\": \"ELK Stack - Kibana Dashboard\",
+    \"policy_engine_mode\": \"any\"
+  }" 2>/dev/null || echo '{}')
+APP_SLUG=$(echo "$APP_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('slug',''))" 2>/dev/null || echo "")
+
+if [ -z "$APP_SLUG" ]; then
+  echo "  Application may already exist."
+  APP_SLUG="kibana"
+fi
+echo "  Application slug: ${APP_SLUG}"
+
+echo ""
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║          Authentik OIDC Configuration Complete!             ║"
+echo "╠══════════════════════════════════════════════════════════════╣"
+echo "║                                                            ║"
+echo "║  OIDC Provider:  Kibana OIDC Provider                     ║"
+echo "║  Client ID:      kibana                                   ║"
+echo "║  Client Secret:  kibana-client-secret-2024                ║"
+echo "║  Application:    kibana                                   ║"
+echo "║                                                            ║"
+echo "║  Issuer URL:                                               ║"
+echo "║    ${AUTHENTIK_URL}/application/o/kibana/                  ║"
+echo "║                                                            ║"
+echo "║  Endpoints:                                                ║"
+echo "║    Authorization: .../application/o/authorize/             ║"
+echo "║    Token:         .../application/o/token/                 ║"
+echo "║    UserInfo:      .../application/o/userinfo/              ║"
+echo "║    JWKS:          .../application/o/kibana/jwks/           ║"
+echo "║                                                            ║"
+echo "╚══════════════════════════════════════════════════════════════╝"