2024-04-05 17:51:26 +02:00
parent 8e3e12a7ef
commit 1d819f1d88
3 changed files with 301 additions and 118 deletions


@@ -46,7 +46,7 @@ data "kustomization_overlay" "data" {
kind = "Deployment"
name = "authentik-server"
}
patch = <<-EOF
patch = join("", concat([<<-EOF
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -55,23 +55,75 @@ data "kustomization_overlay" "data" {
template:
spec:
containers:
- name: authentik
image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
imagePullPolicy: "${var.images.app.pull_policy}"
env:
- name: "AUTHENTIK_POSTGRESQL__HOST"
value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: "${var.instance}-${var.component}-pg-app"
key: password
envFrom:
- secretRef:
name: ${var.component}
- configMapRef:
name: ${var.component}
- name: authentik
image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
imagePullPolicy: "${var.images.app.pull_policy}"
env:
- name: "AUTHENTIK_POSTGRESQL__HOST"
value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: "${var.instance}-${var.component}-pg-app"
key: password
envFrom:
- secretRef:
name: ${var.component}
- configMapRef:
name: ${var.component}
EOF
], var.customisation.configmap_name!="" && var.customisation.use_icon_left && var.customisation.use_custom_css?[<<-EOF
volumeMounts:
- name: custom-css
mountPath: /web/dist/custom.css
subPath: custom.css
- name: custom-left
mountPath: /web/dist/assets/icons/icon_left_brand.svg
subPath: icon_left_brand.svg
volumes:
- name: custom-css
configMap:
name: "${var.customisation.configmap_name}"
items:
- key: custom.css
path: custom.css
- name: custom-left
configMap:
name: "${var.customisation.configmap_name}"
items:
- key: icon_left_brand.svg
path: icon_left_brand.svg
EOF
]
:var.customisation.configmap_name!="" && var.customisation.use_icon_left && !var.customisation.use_custom_css?[<<-EOF
volumeMounts:
- name: custom-left
mountPath: /web/dist/assets/icons/icon_left_brand.svg
subPath: icon_left_brand.svg
volumes:
- name: custom-left
configMap:
name: "${var.customisation.configmap_name}"
items:
- key: icon_left_brand.svg
path: icon_left_brand.svg
EOF
]
:var.customisation.configmap_name!="" && !var.customisation.use_icon_left && var.customisation.use_custom_css?[<<-EOF
volumeMounts:
- name: custom-css
mountPath: /web/dist/custom.css
subPath: custom.css
volumes:
- name: custom-css
configMap:
name: "${var.customisation.configmap_name}"
items:
- key: custom.css
path: custom.css
EOF
]
:[""] ))
}
patches {
target {
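Review bot: In the new container block the `envFrom` references are still written unquoted, `name: ${var.component}` for both `secretRef` and `configMapRef`, while every other templated value in the same patch is quoted; if the component value ever renders as something YAML retypes (an all-digit name, a `yes`/`no`-looking word) the reference silently breaks, so use `name: "${var.component}"` on both lines. The rendered page drops indentation, so I cannot confirm that the appended `volumeMounts:` fragments land under the `authentik` container and `volumes:` under the pod spec rather than at the same level as `containers:`; checking the rendered overlay before merge would settle it. Since both mounts use `subPath`, a comment above the ternary such as `# subPath mounts are not refreshed in place when the ConfigMap changes; pods must be restarted to pick up new custom.css / icon` would save the next maintainer a debugging session. The `patch = join(...)` expression begins in the previous hunk and the enclosing `data "kustomization_overlay"` block continues past this one.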


@@ -6,82 +6,6 @@ metadata:
name: authentik
description: authentik is an open-source Identity Provider focused on flexibility and versatility
options:
loglevel:
default: info
examples:
- info
type: string
domain_name:
default: your_company.com
examples:
- your_company.com
type: string
redis:
default:
exporter:
enabled: true
examples:
- exporter:
enabled: true
properties:
exporter:
default:
enabled: true
properties:
enabled:
default: true
type: boolean
type: object
type: object
geoip:
default: /geoip/GeoLite2-City.mmdb
examples:
- /geoip/GeoLite2-City.mmdb
type: string
storage:
default:
postgres:
size: 8Gi
redis:
size: 8Gi
examples:
- postgres:
size: 8Gi
redis:
size: 8Gi
properties:
postgres:
default:
size: 8Gi
properties:
size:
default: 8Gi
type: string
type: object
redis:
default:
size: 8Gi
properties:
size:
default: 8Gi
type: string
type: object
type: object
sub_domain:
default: auth
examples:
- auth
type: string
postgres:
default:
replicas: 1
examples:
- replicas: 1
properties:
replicas:
default: 1
type: integer
type: object
admin:
default:
email: auth-admin
@@ -92,6 +16,26 @@ options:
default: auth-admin
type: string
type: object
error_reporting:
default:
enabled: false
environment: k8s
send_pii: false
examples:
- enabled: false
environment: k8s
send_pii: false
properties:
enabled:
default: false
type: boolean
environment:
default: k8s
type: string
send_pii:
default: false
type: boolean
type: object
backups:
default:
enable: false
@@ -151,6 +95,16 @@ options:
default: false
type: boolean
type: object
ingress_class:
default: traefik
examples:
- traefik
type: string
sub_domain:
default: auth
examples:
- auth
type: string
images:
default:
app:
@@ -159,6 +113,11 @@ options:
registry: ghcr.io
repository: goauthentik/server
tag: 2023.10.7
kubectl:
pull_policy: IfNotPresent
registry: docker.io
repository: sebt3/basic-toolbox-image
tag: 1.29.3
postgresql:
registry: ghcr.io
repository: cloudnative-pg/postgresql
@@ -180,6 +139,11 @@ options:
registry: ghcr.io
repository: goauthentik/server
tag: 2023.10.7
kubectl:
pull_policy: IfNotPresent
registry: docker.io
repository: sebt3/basic-toolbox-image
tag: 1.29.3
postgresql:
registry: ghcr.io
repository: cloudnative-pg/postgresql
@@ -223,6 +187,26 @@ options:
default: 2023.10.7
type: string
type: object
kubectl:
default:
pull_policy: IfNotPresent
registry: docker.io
repository: sebt3/basic-toolbox-image
tag: 1.29.3
properties:
pull_policy:
default: IfNotPresent
type: string
registry:
default: docker.io
type: string
repository:
default: sebt3/basic-toolbox-image
type: string
tag:
default: 1.29.3
type: string
type: object
postgresql:
default:
registry: ghcr.io
@@ -288,41 +272,68 @@ options:
type: string
type: object
type: object
ingress_class:
default: traefik
domain_name:
default: your_company.com
examples:
- traefik
- your_company.com
type: string
domain:
default: your-company
examples:
- your-company
type: string
error_reporting:
redis:
default:
enabled: false
environment: k8s
send_pii: false
exporter:
enabled: true
examples:
- enabled: false
environment: k8s
send_pii: false
- exporter:
enabled: true
properties:
enabled:
default: false
type: boolean
environment:
default: k8s
type: string
send_pii:
default: false
type: boolean
exporter:
default:
enabled: true
properties:
enabled:
default: true
type: boolean
type: object
type: object
postgres:
default:
replicas: 1
examples:
- replicas: 1
properties:
replicas:
default: 1
type: integer
type: object
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
domain:
default: your-company
examples:
- your-company
type: string
customisation:
default:
configmap_name: ''
use_custom_css: false
use_icon_left: false
examples:
- configmap_name: ''
use_custom_css: false
use_icon_left: false
properties:
configmap_name:
default: ''
type: string
use_custom_css:
default: false
type: boolean
use_icon_left:
default: false
type: boolean
type: object
email:
default:
port: 587
@@ -348,6 +359,45 @@ options:
default: false
type: boolean
type: object
loglevel:
default: info
examples:
- info
type: string
storage:
default:
postgres:
size: 8Gi
redis:
size: 8Gi
examples:
- postgres:
size: 8Gi
redis:
size: 8Gi
properties:
postgres:
default:
size: 8Gi
properties:
size:
default: 8Gi
type: string
type: object
redis:
default:
size: 8Gi
properties:
size:
default: 8Gi
type: string
type: object
type: object
geoip:
default: /geoip/GeoLite2-City.mmdb
examples:
- /geoip/GeoLite2-City.mmdb
type: string
dependencies:
- dist: null
category: core
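Review bot: The new `kubectl` option defaults to `docker.io/sebt3/basic-toolbox-image` with the mutable tag `1.29.3`, and per the companion change in this commit that image runs as a backup pod allowed to list the namespace's Secrets; that is the one image in this schema where a digest pin, or at least a statement of where the build comes from, matters most. If the options schema supports a per-option description (the top-level metadata uses `description:`), something like "Toolbox image run by the k8up PreBackupPod; it can read namespace secrets, so point it at a trusted build" would make the trust boundary visible to whoever overrides the default. The rest of this section is a reordering of existing options plus the new `customisation` object, whose `configmap_name: ''` default correctly keeps the value typed as an empty string rather than null.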


@@ -1,3 +1,11 @@
locals {
secrets-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "backup-secret"
})
secret-labels = merge(local.secrets-labels, {
"k8up.io/backup" = "true"
})
}
resource "kubectl_manifest" "authentik_secret" {
ignore_fields = ["metadata.annotations"]
@@ -7,7 +15,7 @@ resource "kubectl_manifest" "authentik_secret" {
metadata:
name: "${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
labels: ${jsonencode(local.secret-labels)}
spec:
forceRegenerate: false
fields:
@@ -21,3 +29,76 @@ resource "kubectl_manifest" "authentik_secret" {
length: "32"
EOF
}
resource "kubectl_manifest" "pre_backup_sa" {
count = var.backups.enable?1:0
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: backup-secret
namespace: "${var.namespace}"
EOF
}
resource "kubectl_manifest" "pre_backup_role" {
count = var.backups.enable?1:0
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: backup-secret
namespace: "${var.namespace}"
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
EOF
}
resource "kubectl_manifest" "pre_backup_rb" {
count = var.backups.enable?1:0
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: backup-secret
namespace: "${var.namespace}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: backup-secret
subjects:
- kind: ServiceAccount
name: backup-secret
namespace: "${var.namespace}"
EOF
}
resource "kubectl_manifest" "pre_backup_pod" {
count = var.backups.enable?1:0
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: k8up.io/v1
kind: PreBackupPod
metadata:
name: secret
namespace: "${var.namespace}"
spec:
backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
pod:
spec:
containers:
- command:
- cat
image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
imagePullPolicy: "${var.images.kubectl.pull_policy}"
name: secret
tty: true
serviceAccount: backup-secret
serviceAccountName: backup-secret
EOF
}
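Review bot: The `pre_backup_role` Role grants both `get` and `list` on every Secret in the namespace, while the only consumer visible here is `backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true`, which is a `list` call; dropping `get` narrows the grant, and because `list` cannot be scoped with `resourceNames`, a comment such as `# list on all namespace secrets is unavoidable for a label-selected kubectl get; the k8up.io/backup label limits what is exported, not what is readable` would make the residual scope explicit. In the PreBackupPod spec `serviceAccount:` is the deprecated alias of `serviceAccountName:`, so keeping only `serviceAccountName: backup-secret` is enough. The new locals `secrets-labels` and `secret-labels` differ by one letter yet mean different things (component label vs. backup opt-in); renaming the second to something like `backup-secret-labels` would avoid the mix-up. The ServiceAccount, Role, RoleBinding and PreBackupPod names are fixed strings (`backup-secret`, `secret`) rather than derived from `${var.component}` like the secret itself, so two instances of this module in one namespace would, as far as I can tell, collide on these objects.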