root: migrate bootstrap to blueprints (#6433)

* remove old bootstrap

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add meta model to set user password

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* ensure KeyOf works with objects in the state of created that already exist

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* migrate

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add support for shorter form !If tag

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* allow !Context to resolve other yaml tags

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* don't require serializer to be valid for deleting an object

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix check if a model is being created

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove duplicate way to set password

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate token

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only change what is required with migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add description

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix admin status

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* expand tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* don't require bootstrap in events to fix ci?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

blueprints/default/events-default.yaml

@@ -2,6 +2,12 @@ version: 1
 metadata:
   name: Default - Events Transport & Rules
 entries:
+# Run bootstrap blueprint first to ensure we have the group created
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      path: system/bootstrap.yaml
+    required: false
 - model: authentik_events.notificationtransport
   id: default-email-transport
   attrs:
@@ -16,6 +22,7 @@ entries:
     name: default-local-transport
 - model: authentik_core.group
   id: group
+  state: created
   identifiers:
     name: authentik Admins
 

blueprints/migrations/migrate-prompt-name.yaml

@@ -1,8 +1,8 @@
 version: 1
 metadata:
+  name: Migration - Remove old prompt fields
   labels:
     blueprints.goauthentik.io/description: Migrate to 2023.2, remove unused prompt fields
-  name: Migration - Remove old prompt fields
 entries:
   - model: authentik_stages_prompt.prompt
     identifiers:

blueprints/system/bootstrap.yaml

@@ -0,0 +1,49 @@
+version: 1
+metadata:
+  name: authentik Bootstrap
+  labels:
+    blueprints.goauthentik.io/system-bootstrap: "true"
+    blueprints.goauthentik.io/system: "true"
+    blueprints.goauthentik.io/description: |
+      This blueprint configures the default admin user and group, and configures them for the [Automated install](https://goauthentik.io/docs/installation/automated-install).
+context:
+  username: akadmin
+  group_name: authentik Admins
+  email: !Env [AUTHENTIK_BOOTSTRAP_EMAIL, "root@example.com"]
+  password: !Env [AUTHENTIK_BOOTSTRAP_PASSWORD, null]
+  token: !Env [AUTHENTIK_BOOTSTRAP_TOKEN, null]
+entries:
+  - model: authentik_core.group
+    state: created
+    identifiers:
+      name: !Context group_name
+    attrs:
+      is_superuser: true
+    id: admin-group
+  - model: authentik_core.user
+    state: created
+    id: admin-user
+    identifiers:
+      username: !Context username
+    attrs:
+      name: authentik Default Admin
+      email: !Context email
+      groups:
+        - !KeyOf admin-group
+      password: !Context password
+  - model: authentik_core.token
+    state: created
+    conditions:
+      - !If [!Context token]
+    identifiers:
+      identifier: authentik-bootstrap-token
+      intent: api
+      expiring: false
+      key: !Context token
+      user: !KeyOf admin-user
+  - model: authentik_blueprints.blueprintinstance
+    identifiers:
+      metadata:
+        labels:
+          blueprints.goauthentik.io/system-bootstrap: "true"
+    state: absent