feat: multi-instance Authentik credentials with test_user support

Add -a <instance> flag to all Authentik wrapper scripts, matching the existing multi-instance pattern used by Woodpecker and Cloudflare. credentials.json now supports per-instance Authentik config: authentik.<instance>.url — instance URL authentik.<instance>.token — API token (admin wrappers) authentik.<instance>.test_user — username/password (Playwright/agent tests) authentik.default — default instance name Legacy flat structure (authentik.url) still works as fallback. Token cache is now per-instance (~/.cache/mosaic/authentik-token-<name>). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 17:46:15 -06:00
parent 09786ee6e0
commit 21afb58b33
8 changed files with 152 additions and 70 deletions
--- a/tools/_lib/credentials.sh
+++ b/tools/_lib/credentials.sh
@@ -61,7 +61,8 @@ Usage: load_credentials <service>
 Services and exported variables:
  portainer         → PORTAINER_URL, PORTAINER_API_KEY
  coolify           → COOLIFY_URL, COOLIFY_TOKEN
-  authentik         → AUTHENTIK_URL, AUTHENTIK_TOKEN, AUTHENTIK_USERNAME, AUTHENTIK_PASSWORD
+  authentik         → AUTHENTIK_URL, AUTHENTIK_TOKEN, AUTHENTIK_TEST_USER, AUTHENTIK_TEST_PASSWORD (uses default instance)
+  authentik-<name>  → AUTHENTIK_URL, AUTHENTIK_TOKEN, AUTHENTIK_TEST_USER, AUTHENTIK_TEST_PASSWORD (specific instance, e.g. authentik-usc)
  glpi              → GLPI_URL, GLPI_APP_TOKEN, GLPI_USER_TOKEN
  github            → GITHUB_TOKEN
  gitea-mosaicstack → GITEA_URL, GITEA_TOKEN
@@ -91,13 +92,38 @@ EOF
      [[ -n "$COOLIFY_URL" ]] || { echo "Error: coolify.url not found" >&2; return 1; }
      [[ -n "$COOLIFY_TOKEN" ]] || { echo "Error: coolify.app_token not found" >&2; return 1; }
      ;;
-    authentik)
-      export AUTHENTIK_URL="${AUTHENTIK_URL:-$(_mosaic_read_cred '.authentik.url')}"
-      export AUTHENTIK_TOKEN="${AUTHENTIK_TOKEN:-$(_mosaic_read_cred '.authentik.token')}"
-      export AUTHENTIK_USERNAME="${AUTHENTIK_USERNAME:-$(_mosaic_read_cred '.authentik.username')}"
-      export AUTHENTIK_PASSWORD="${AUTHENTIK_PASSWORD:-$(_mosaic_read_cred '.authentik.password')}"
+    authentik-*)
+      local ak_instance="${service#authentik-}"
+      export AUTHENTIK_URL="$(_mosaic_read_cred ".authentik.${ak_instance}.url")"
+      export AUTHENTIK_TOKEN="$(_mosaic_read_cred ".authentik.${ak_instance}.token")"
+      export AUTHENTIK_TEST_USER="$(_mosaic_read_cred ".authentik.${ak_instance}.test_user.username")"
+      export AUTHENTIK_TEST_PASSWORD="$(_mosaic_read_cred ".authentik.${ak_instance}.test_user.password")"
+      export AUTHENTIK_INSTANCE="$ak_instance"
      AUTHENTIK_URL="${AUTHENTIK_URL%/}"
-      [[ -n "$AUTHENTIK_URL" ]] || { echo "Error: authentik.url not found" >&2; return 1; }
+      [[ -n "$AUTHENTIK_URL" ]] || { echo "Error: authentik.${ak_instance}.url not found" >&2; return 1; }
+      ;;
+    authentik)
+      local ak_default
+      ak_default="${AUTHENTIK_INSTANCE:-$(_mosaic_read_cred '.authentik.default')}"
+      if [[ -z "$ak_default" ]]; then
+        # Fallback: try legacy flat structure (.authentik.url)
+        local legacy_url
+        legacy_url="$(_mosaic_read_cred '.authentik.url')"
+        if [[ -n "$legacy_url" ]]; then
+          export AUTHENTIK_URL="${AUTHENTIK_URL:-$legacy_url}"
+          export AUTHENTIK_TOKEN="${AUTHENTIK_TOKEN:-$(_mosaic_read_cred '.authentik.token')}"
+          export AUTHENTIK_TEST_USER="${AUTHENTIK_TEST_USER:-$(_mosaic_read_cred '.authentik.test_user.username')}"
+          export AUTHENTIK_TEST_PASSWORD="${AUTHENTIK_TEST_PASSWORD:-$(_mosaic_read_cred '.authentik.test_user.password')}"
+          AUTHENTIK_URL="${AUTHENTIK_URL%/}"
+          [[ -n "$AUTHENTIK_URL" ]] || { echo "Error: authentik.url not found" >&2; return 1; }
+        else
+          echo "Error: authentik.default not set and no AUTHENTIK_INSTANCE env var" >&2
+          echo "Available instances: $(jq -r '.authentik | keys | join(", ")' "$MOSAIC_CREDENTIALS_FILE" 2>/dev/null)" >&2
+          return 1
+        fi
+      else
+        load_credentials "authentik-${ak_default}"
+      fi
      ;;
    glpi)
      export GLPI_URL="${GLPI_URL:-$(_mosaic_read_cred '.glpi.url')}"
@@ -177,7 +203,7 @@ EOF
      ;;
    *)
      echo "Error: Unknown service '$service'" >&2
-      echo "Supported: portainer, coolify, authentik, glpi, github, gitea-mosaicstack, gitea-usc, woodpecker[-<name>], cloudflare[-<name>]" >&2
+      echo "Supported: portainer, coolify, authentik[-<name>], glpi, github, gitea-mosaicstack, gitea-usc, woodpecker[-<name>], cloudflare[-<name>]" >&2
      return 1
      ;;
  esac