George Onoufriou · George Onoufriou · 5e6990ae · 5e6990ae · 5e6990ae · 5e6990ae
--- a/docs/source/crds/akbp.rst
+++ b/docs/source/crds/akbp.rst
@@ -17,6 +17,8 @@ AkBlueprint

 |ak-fig|

+Currently only file-based blueprints are supported, direct-to-database blueprints are broadly implemented but a lot of quality of life is still missing like custom YAML tag support.
+
 Spec
 ----

@@ -36,7 +38,7 @@ Spec
      namespace: auth
    spec:
      file: /blueprints/operator/blueprint-sample.yml
-      blueprint:
+      blueprint: |
        version: 1
        metadata:
          labels:

--- a/operator/config/samples/raw_blueprints/README.md
+++ b/operator/config/samples/raw_blueprints/README.md
+# Raw Blueprints
+
+This directory holds example authentik raw blueprints. To use these with AKM simply indent and append them to the following snippet:
+
+```yaml
+
+apiVersion: akm.goauthentik.io/v1alpha1
+kind: AkBlueprint
+metadata:
+  name: <YOUR UNIQUE BLUPRINT NAME>
+  namespace: <AUTHNTIK NAMESPACE>
+spec:
+  file: /blueprints/custom/<YOUR UNIQUE BLUPRINT NAME>.yaml
+  blueprint: |
+	<YOUR INDENTED BLUEPRINT HERE>
+```
+
+See more wrapped examples in operator/config/samples directory.
--- a/operator/config/samples/raw_blueprints/default-auth-flow.yaml
+++ b/operator/config/samples/raw_blueprints/default-auth-flow.yaml
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+  name: Default - Authentication flow
+entries:
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Password change flow
+    required: false
+- attrs:
+    designation: authentication
+    name: Welcome to authentik!
+    title: Welcome to authentik!
+    authentication: none
+  identifiers:
+    slug: default-authentication-flow
+  model: authentik_flows.flow
+  id: flow
+- attrs:
+    backends:
+    - authentik.core.auth.InbuiltBackend
+    - authentik.sources.ldap.auth.LDAPBackend
+    - authentik.core.auth.TokenBackend
+    configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
+  identifiers:
+    name: default-authentication-password
+  id: default-authentication-password
+  model: authentik_stages_password.passwordstage
+- identifiers:
+    name: default-authentication-mfa-validation
+  id: default-authentication-mfa-validation
+  model: authentik_stages_authenticator_validate.authenticatorvalidatestage
+- attrs:
+    user_fields:
+    - email
+    - username
+  identifiers:
+    name: default-authentication-identification
+  id: default-authentication-identification
+  model: authentik_stages_identification.identificationstage
+- identifiers:
+    name: default-authentication-login
+  id: default-authentication-login
+  model: authentik_stages_user_login.userloginstage
+- identifiers:
+    order: 10
+    stage: !KeyOf default-authentication-identification
+    target: !KeyOf flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 20
+    stage: !KeyOf default-authentication-password
+    target: !KeyOf flow
+  attrs:
+    re_evaluate_policies: true
+  id: default-authentication-flow-password-binding
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 30
+    stage: !KeyOf default-authentication-mfa-validation
+    target: !KeyOf flow
+  model: authentik_flows.flowstagebinding
+- identifiers:
+    order: 100
+    stage: !KeyOf default-authentication-login
+    target: !KeyOf flow
+  model: authentik_flows.flowstagebinding
+- model: authentik_policies_expression.expressionpolicy
+  id: default-authentication-flow-password-optional
+  identifiers:
+    name: default-authentication-flow-password-stage
+  attrs:
+    expression: |
+      flow_plan = request.context.get("flow_plan")
+      if not flow_plan:
+          return True
+      # If the user does not have a backend attached to it, they haven't
+      # been authenticated yet and we need the password stage
+      return not hasattr(flow_plan.context.get("pending_user"), "backend")
+- model: authentik_policies.policybinding
+  identifiers:
+    order: 10
+    target: !KeyOf default-authentication-flow-password-binding
+    policy: !KeyOf default-authentication-flow-password-optional
--- a/operator/config/samples/raw_blueprints/default-tenant.yaml
+++ b/operator/config/samples/raw_blueprints/default-tenant.yaml
+metadata:
+  name: Default - Tenant
+version: 1
+entries:
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Authentication flow
+    required: false
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - Invalidation flow
+    required: false
+- model: authentik_blueprints.metaapplyblueprint
+  attrs:
+    identifiers:
+      name: Default - User settings flow
+    required: false
+- attrs:
+    flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
+    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
+  identifiers:
+    domain: authentik-default
+    default: True
+  state: created
+  model: authentik_tenants.tenant