From 1d819f1d882d17bbf99c65b02ea7faf88588bbb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Huss?=
Date: Fri, 5 Apr 2024 17:51:26 +0200
Subject: [PATCH] fix

---
 share/authentik/datas.tf | 86 ++++++++++---
 share/authentik/index.yaml | 250 ++++++++++++++++++++++---------------
 share/authentik/secret.tf | 83 +++++++++++-
 3 files changed, 301 insertions(+), 118 deletions(-)

diff --git a/share/authentik/datas.tf b/share/authentik/datas.tf
index 868f2f9..c772644 100644
--- a/share/authentik/datas.tf
+++ b/share/authentik/datas.tf
@@ -46,7 +46,7 @@ data "kustomization_overlay" "data" {
 kind = "Deployment"
 name = "authentik-server"
 }
- patch = <<-EOF
+ patch = join("", concat([<<-EOF
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -55,23 +55,75 @@ data "kustomization_overlay" "data" {
 template:
 spec:
 containers:
- - name: authentik
- image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
- imagePullPolicy: "${var.images.app.pull_policy}"
- env:
- - name: "AUTHENTIK_POSTGRESQL__HOST"
- value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
- - name: AUTHENTIK_POSTGRESQL__PASSWORD
- valueFrom:
- secretKeyRef:
- name: "${var.instance}-${var.component}-pg-app"
- key: password
- envFrom:
- - secretRef:
- name: ${var.component}
- - configMapRef:
- name: ${var.component}
+ - name: authentik
+ image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
+ imagePullPolicy: "${var.images.app.pull_policy}"
+ env:
+ - name: "AUTHENTIK_POSTGRESQL__HOST"
+ value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "${var.instance}-${var.component}-pg-app"
+ key: password
+ envFrom:
+ - secretRef:
+ name: ${var.component}
+ - configMapRef:
+ name: ${var.component}
 EOF
+ ], var.customisation.configmap_name!="" && var.customisation.use_icon_left && var.customisation.use_custom_css?[<<-EOF
+ volumeMounts:
+ - name: custom-css
+ mountPath: /web/dist/custom.css
+ subPath: custom.css
+ - name: custom-left
+ mountPath: /web/dist/assets/icons/icon_left_brand.svg
+ subPath: icon_left_brand.svg
+ volumes:
+ - name: custom-css
+ configMap:
+ name: "${var.customisation.configmap_name}"
+ items:
+ - key: custom.css
+ path: custom.css
+ - name: custom-left
+ configMap:
+ name: "${var.customisation.configmap_name}"
+ items:
+ - key: icon_left_brand.svg
+ path: icon_left_brand.svg
+ EOF
+ ]
+ :var.customisation.configmap_name!="" && var.customisation.use_icon_left && !var.customisation.use_custom_css?[<<-EOF
+ volumeMounts:
+ - name: custom-left
+ mountPath: /web/dist/assets/icons/icon_left_brand.svg
+ subPath: icon_left_brand.svg
+ volumes:
+ - name: custom-left
+ configMap:
+ name: "${var.customisation.configmap_name}"
+ items:
+ - key: icon_left_brand.svg
+ path: icon_left_brand.svg
+ EOF
+ ]
+ :var.customisation.configmap_name!="" && !var.customisation.use_icon_left && var.customisation.use_custom_css?[<<-EOF
+ volumeMounts:
+ - name: custom-css
+ mountPath: /web/dist/custom.css
+ subPath: custom.css
+ volumes:
+ - name: custom-css
+ configMap:
+ name: "${var.customisation.configmap_name}"
+ items:
+ - key: custom.css
+ path: custom.css
+ EOF
+ ]
+ :[""] ))
 }
 patches {
 target {
diff --git a/share/authentik/index.yaml b/share/authentik/index.yaml
index 1eaa036..7f8ab83 100644
--- a/share/authentik/index.yaml
+++ b/share/authentik/index.yaml
@@ -6,82 +6,6 @@ metadata:
 name: authentik
 description: authentik is an open-source Identity Provider focused on flexibility and versatility
 options:
- loglevel:
- default: info
- examples:
- - info
- type: string
- domain_name:
- default: your_company.com
- examples:
- - your_company.com
- type: string
- redis:
- default:
- exporter:
- enabled: true
- examples:
- - exporter:
- enabled: true
- properties:
- exporter:
- default:
- enabled: true
- properties:
- enabled:
- default: true
- type: boolean
- type: object
- type: object
- geoip:
- default: /geoip/GeoLite2-City.mmdb
- examples:
- - /geoip/GeoLite2-City.mmdb
- type: string
- storage:
- default:
- postgres:
- size: 8Gi
- redis:
- size: 8Gi
- examples:
- - postgres:
- size: 8Gi
- redis:
- size: 8Gi
- properties:
- postgres:
- default:
- size: 8Gi
- properties:
- size:
- default: 8Gi
- type: string
- type: object
- redis:
- default:
- size: 8Gi
- properties:
- size:
- default: 8Gi
- type: string
- type: object
- type: object
- sub_domain:
- default: auth
- examples:
- - auth
- type: string
- postgres:
- default:
- replicas: 1
- examples:
- - replicas: 1
- properties:
- replicas:
- default: 1
- type: integer
- type: object
 admin:
 default:
 email: auth-admin
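Review bot: Every branch of the added ternary chain mounts `custom.css` and `icon_left_brand.svg` with `subPath`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so an edited ConfigMap only takes effect once the authentik-server pods are recreated; that belongs in a comment next to the chain, e.g. `# subPath mounts are not refreshed on ConfigMap change: roll the Deployment after editing custom.css / icon_left_brand.svg`. The three near-identical heredocs repeat the `var.customisation.configmap_name!=""` prefix and differ only in which mount/volume pair is present; hoisting `want_css = var.customisation.configmap_name != "" && var.customisation.use_custom_css` and `want_icon = var.customisation.configmap_name != "" && var.customisation.use_icon_left` into `locals` and concatenating independent `want_css ? [...] : []` / `want_icon ? [...] : []` fragments would remove the duplication. The trailing `:[""]` fallback feeds an empty string into `join`; `[]` is the clearer no-op. Whatever is placed in that ConfigMap is presumably served to every visitor of the login page, so write access to it deserves the same RBAC care as write access to the Deployment itself. The `data "kustomization_overlay" "data"` block this patch belongs to starts before the hunk.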
@@ -92,6 +16,26 @@ options:
 default: auth-admin
 type: string
 type: object
+ error_reporting:
+ default:
+ enabled: false
+ environment: k8s
+ send_pii: false
+ examples:
+ - enabled: false
+ environment: k8s
+ send_pii: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ environment:
+ default: k8s
+ type: string
+ send_pii:
+ default: false
+ type: boolean
+ type: object
 backups:
 default:
 enable: false
@@ -151,6 +95,16 @@ options:
 default: false
 type: boolean
 type: object
+ ingress_class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
+ sub_domain:
+ default: auth
+ examples:
+ - auth
+ type: string
 images:
 default:
 app:
@@ -159,6 +113,11 @@ options:
 registry: ghcr.io
 repository: goauthentik/server
 tag: 2023.10.7
+ kubectl:
+ pull_policy: IfNotPresent
+ registry: docker.io
+ repository: sebt3/basic-toolbox-image
+ tag: 1.29.3
 postgresql:
 registry: ghcr.io
 repository: cloudnative-pg/postgresql
@@ -180,6 +139,11 @@ options:
 registry: ghcr.io
 repository: goauthentik/server
 tag: 2023.10.7
+ kubectl:
+ pull_policy: IfNotPresent
+ registry: docker.io
+ repository: sebt3/basic-toolbox-image
+ tag: 1.29.3
 postgresql:
 registry: ghcr.io
 repository: cloudnative-pg/postgresql
@@ -223,6 +187,26 @@ options:
 default: 2023.10.7
 type: string
 type: object
+ kubectl:
+ default:
+ pull_policy: IfNotPresent
+ registry: docker.io
+ repository: sebt3/basic-toolbox-image
+ tag: 1.29.3
+ properties:
+ pull_policy:
+ default: IfNotPresent
+ type: string
+ registry:
+ default: docker.io
+ type: string
+ repository:
+ default: sebt3/basic-toolbox-image
+ type: string
+ tag:
+ default: 1.29.3
+ type: string
+ type: object
 postgresql:
 default:
 registry: ghcr.io
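Review bot: The new `images.kubectl` default in the `@@ -159` hunk points at `docker.io/sebt3/basic-toolbox-image` by the tag `1.29.3`, and this patch's secret.tf runs that image in a PreBackupPod under a ServiceAccount that can read every Secret in the namespace, so whoever controls that tag controls a container holding the backup's secret dump; the same values are repeated in the `@@ -180` examples hunk and the `@@ -223` properties hunk. A tag is mutable and `pull_policy: IfNotPresent` means each node keeps whatever it cached under that tag, so for a pod with this level of access the schema should either allow an immutable reference (a digest alongside `tag`) or at least carry a comment stating where this image comes from and who maintains it. `tag: 1.29.3` and `tag: 2023.10.7` survive as strings only because they contain two dots; a future single-dot tag such as `1.30` would parse as the float `1.3`, so quoting tags (`tag: "1.29.3"`) is cheaper than remembering that rule.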
@@ -288,41 +272,68 @@ options:
 type: string
 type: object
 type: object
- ingress_class:
- default: traefik
+ domain_name:
+ default: your_company.com
 examples:
- - traefik
+ - your_company.com
 type: string
- domain:
- default: your-company
- examples:
- - your-company
- type: string
- error_reporting:
+ redis:
 default:
- enabled: false
- environment: k8s
- send_pii: false
+ exporter:
+ enabled: true
 examples:
- - enabled: false
- environment: k8s
- send_pii: false
+ - exporter:
+ enabled: true
 properties:
- enabled:
- default: false
- type: boolean
- environment:
- default: k8s
- type: string
- send_pii:
- default: false
- type: boolean
+ exporter:
+ default:
+ enabled: true
+ properties:
+ enabled:
+ default: true
+ type: boolean
+ type: object
+ type: object
+ postgres:
+ default:
+ replicas: 1
+ examples:
+ - replicas: 1
+ properties:
+ replicas:
+ default: 1
+ type: integer
 type: object
 issuer:
 default: letsencrypt-prod
 examples:
 - letsencrypt-prod
 type: string
+ domain:
+ default: your-company
+ examples:
+ - your-company
+ type: string
+ customisation:
+ default:
+ configmap_name: ''
+ use_custom_css: false
+ use_icon_left: false
+ examples:
+ - configmap_name: ''
+ use_custom_css: false
+ use_icon_left: false
+ properties:
+ configmap_name:
+ default: ''
+ type: string
+ use_custom_css:
+ default: false
+ type: boolean
+ use_icon_left:
+ default: false
+ type: boolean
+ type: object
 email:
 default:
 port: 587
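Review bot: The new `customisation` options do not say that `use_custom_css` and `use_icon_left` are ignored while `configmap_name` is `''`, nor which keys the referenced ConfigMap must carry; datas.tf in this same patch mounts the keys `custom.css` and `icon_left_brand.svg`, so a note at the `customisation:` entry such as `# needs a ConfigMap in the release namespace with keys custom.css and/or icon_left_brand.svg; both booleans are no-ops while configmap_name is ''` would save a deployer from a silent no-op. No option in this file carries a description key, so a YAML comment is the only place to record that. The rest of this hunk only moves `domain_name`, `redis`, `postgres` and `domain` to new positions and leaves their content unchanged.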
@@ -348,6 +359,45 @@ options:
 default: false
 type: boolean
 type: object
+ loglevel:
+ default: info
+ examples:
+ - info
+ type: string
+ storage:
+ default:
+ postgres:
+ size: 8Gi
+ redis:
+ size: 8Gi
+ examples:
+ - postgres:
+ size: 8Gi
+ redis:
+ size: 8Gi
+ properties:
+ postgres:
+ default:
+ size: 8Gi
+ properties:
+ size:
+ default: 8Gi
+ type: string
+ type: object
+ redis:
+ default:
+ size: 8Gi
+ properties:
+ size:
+ default: 8Gi
+ type: string
+ type: object
+ type: object
+ geoip:
+ default: /geoip/GeoLite2-City.mmdb
+ examples:
+ - /geoip/GeoLite2-City.mmdb
+ type: string
 dependencies:
 - dist: null
 category: core
diff --git a/share/authentik/secret.tf b/share/authentik/secret.tf
index c030fbd..8715cc5 100644
--- a/share/authentik/secret.tf
+++ b/share/authentik/secret.tf
@@ -1,3 +1,11 @@
+locals {
+ secrets-labels = merge(local.common-labels, {
+ "app.kubernetes.io/component" = "backup-secret"
+ })
+ secret-labels = merge(local.secrets-labels, {
+ "k8up.io/backup" = "true"
+ })
+}
 resource "kubectl_manifest" "authentik_secret" {
 ignore_fields = ["metadata.annotations"]
@@ -7,7 +15,7 @@ resource "kubectl_manifest" "authentik_secret" {
 metadata:
 name: "${var.component}"
 namespace: "${var.namespace}"
- labels: ${jsonencode(local.common-labels)}
+ labels: ${jsonencode(local.secret-labels)}
 spec:
 forceRegenerate: false
 fields:
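Review bot: `secrets-labels` and `secret-labels` in the added `locals` block differ by a single letter while meaning different things (the component label set versus the set that additionally carries `k8up.io/backup`), which is easy to misread at the `labels:` line of the `@@ -7,7` hunk; names such as `backup_component_labels` and `backup_secret_labels` would make the distinction visible at the point of use. Because `merge` lets the right-hand map win, setting `app.kubernetes.io/component` to `backup-secret` replaces whatever component value `local.common-labels` may carry for this Secret; that is presumably intended but deserves a comment, e.g. `# overrides the component label from common-labels so the Secret is grouped with the backup objects`. The `"k8up.io/backup" = "true"` label is the selector the PreBackupPod's `kubectl get secrets -l` relies on later in this patch, so a one-line comment naming that consumer here would keep the two from drifting apart.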
@@ -21,3 +29,76 @@ resource "kubectl_manifest" "authentik_secret" {
 length: "32"
 EOF
 }
+resource "kubectl_manifest" "pre_backup_sa" {
+ count = var.backups.enable?1:0
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: backup-secret
+ namespace: "${var.namespace}"
+ EOF
+}
+resource "kubectl_manifest" "pre_backup_role" {
+ count = var.backups.enable?1:0
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: backup-secret
+ namespace: "${var.namespace}"
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ EOF
+}
+resource "kubectl_manifest" "pre_backup_rb" {
+ count = var.backups.enable?1:0
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: backup-secret
+ namespace: "${var.namespace}"
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: backup-secret
+ subjects:
+ - kind: ServiceAccount
+ name: backup-secret
+ namespace: "${var.namespace}"
+ EOF
+}
+resource "kubectl_manifest" "pre_backup_pod" {
+ count = var.backups.enable?1:0
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: k8up.io/v1
+ kind: PreBackupPod
+ metadata:
+ name: secret
+ namespace: "${var.namespace}"
+ spec:
+ backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
+ pod:
+ spec:
+ containers:
+ - command:
+ - cat
+ image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
+ imagePullPolicy: "${var.images.kubectl.pull_policy}"
+ name: secret
+ tty: true
+ serviceAccount: backup-secret
+ serviceAccountName: backup-secret
+ EOF
+}
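Review bot: `pre_backup_role` grants `get` and `list` on every Secret in the namespace although `backupCommand` only needs the ones labelled `k8up.io/backup=true`; RBAC cannot narrow by label, so this is already the minimum, but the Role should state it, e.g. `# RBAC has no label selector: this SA can read all Secrets in the namespace, not only the labelled ones`. `pre_backup_pod` sets both `serviceAccount` and `serviceAccountName`; `serviceAccount` is the deprecated spelling of the same PodSpec field and the line can be dropped. `command: [cat]` together with `tty: true` presumably only serves to keep the container alive until k8up executes `backupCommand`; a comment saying so would stop a later cleanup from removing `tty: true` and silently breaking the backup. The dump is the raw `kubectl get secrets -o yaml` output, so its protection at rest depends entirely on the backup repository's own encryption, and the resource should note that nothing here adds to it.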