blueprints: OCI registry support (#3500)

* blueprints: add ability to load blueprints via OCI Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix inheritance check for meta models Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add oci tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-30 14:08:26 +02:00
parent b5ee81f4de
commit abca435337
13 changed files with 326 additions and 128 deletions
--- a/website/developer-docs/blueprints/index.md
+++ b/website/developer-docs/blueprints/index.md
@ -17,7 +17,7 @@ Blueprints are yaml files, whose format is described further in [File structure]

 Starting with authentik 2022.8, blueprints are used to manage authentik default flows and other system objects. These blueprints can be disabled/replaced with custom blueprints in certain circumstances.

-## Usage
+## Storage - Local

 The authentik container by default looks for blueprints in `/blueprints`. Underneath this directory, there are a couple default subdirectories:

@ -28,3 +28,19 @@ The authentik container by default looks for blueprints in `/blueprints`. Undern
 Any additional `.yaml` file in `/blueprints` will be discovered and automatically instantiated, depending on their labels.

 To disable existing blueprints, an empty file can be mounted over the existing blueprint.
+
+## Storage - OCI
+
+Blueprints can also be stored in remote [OCI](https://opencontainers.org/) compliant registries. This includes GitHub Container Registry, Docker hub and many other registries.
+
+To download a blueprint via OCI, set the path to `https://ghcr.io/<username>/<package-name>:<ref>`. This will fetch the blueprint from an OCI package hosted on GHCR.
+
+To fetch blueprints from a private registry with authentication, credentials can be embedded into the URL.
+
+Blueprints are re-fetched each execution, so when using changing tags, blueprints will automatically be updated.
+
+To push a blueprint to an OCI-compatible registry, [ORAS](https://oras.land/) can be used with this command
+
+```
+oras push ghcr.io/<username>/blueprint/<blueprint name>:latest <yaml file>:application/vnd.goauthentik.blueprint.v1+yaml
+```
--- a/website/developer-docs/blueprints/v1/meta.md
+++ b/website/developer-docs/blueprints/v1/meta.md
@ -0,0 +1,23 @@
+# Meta models
+
+Since blueprints have a pretty strict mapping of each entry mapping to an instance of a model in the database, _meta models_ have been added to trigger other actions within authentik that don't directly map to a model.
+
+### `authentik_blueprints.metaapplyblueprint`
+
+This meta model can be used to apply another blueprint instance within a blueprint instance. This allows for dependency management and ensuring related objects are created.
+
+#### Attributes
+
+-   `identifiers`: Key-value attributes used to match the blueprint instance
+
+    Example:
+
+    ```yaml
+    attrs:
+        identifiers:
+            name: Default - Password change flow
+    ```
+
+-   `required`: (Default: `true`) Configure if the blueprint instance must exist
+
+    If this is set to `true` and no blueprint instance matches the query above, an error will be thrown. Otherwise, execution will continue without applying anything extra.