fix

2023-11-28 12:47:50 +01:00
parent a9ec93f1f9
commit 5e0ff76cae
2 changed files with 103 additions and 247 deletions
--- a/apps/gitea/index.yaml
+++ b/apps/gitea/index.yaml
@@ -9,11 +9,31 @@ metadata:
    A painless self-hosted Git service.
    Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
 options:
-  domain-name:
-    default: your_company.com
+  timezone:
+    default: Europe/Paris
    examples:
-    - your_company.com
+    - Europe/Paris
    type: string
+  push-create:
+    default:
+      org: 'true'
+      private: 'false'
+      user: 'true'
+    examples:
+    - org: 'true'
+      private: 'false'
+      user: 'true'
+    properties:
+      org:
+        default: 'true'
+        type: string
+      private:
+        default: 'false'
+        type: string
+      user:
+        default: 'true'
+        type: string
+    type: object
  volume:
    default:
      accessMode: ReadWriteOnce
@@ -53,40 +73,25 @@ options:
        default: '14'
        type: string
    type: object
-  webhook:
-    default:
-      allowed-hosts: private
-      skip-tls-verify: false
-    examples:
-    - allowed-hosts: private
-      skip-tls-verify: false
-    properties:
-      allowed-hosts:
-        default: private
-        type: string
-      skip-tls-verify:
-        default: false
-        type: boolean
-    type: object
  theme:
    default: gitea-modern
    examples:
    - gitea-modern
    type: string
-  sub-domain:
-    default: git
-    examples:
-    - git
-    type: string
  disable-registration:
    default: true
    examples:
    - true
    type: boolean
-  domain:
-    default: your-company
+  domain-name:
+    default: your_company.com
    examples:
-    - your-company
+    - your_company.com
+    type: string
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
    type: string
  load-balancer:
    default:
@@ -98,34 +103,52 @@ options:
        default: ''
        type: string
    type: object
-  replicas:
-    default: 1
+  domain:
+    default: your-company
    examples:
-    - 1
-    type: integer
-  ssh-port:
-    default: 2222
+    - your-company
+    type: string
+  sub-domain:
+    default: git
    examples:
-    - 2222
-    type: integer
-  push-create:
+    - git
+    type: string
+  issuer:
+    default: letsencrypt-prod
+    examples:
+    - letsencrypt-prod
+    type: string
+  redis:
    default:
-      org: 'true'
-      private: 'false'
-      user: 'true'
+      exporter:
+        enabled: true
+        image: quay.io/opstree/redis-exporter:v1.44.0
+      image: quay.io/opstree/redis:v7.0.12
+      storage: 2Gi
    examples:
-    - org: 'true'
-      private: 'false'
-      user: 'true'
+    - exporter:
+        enabled: true
+        image: quay.io/opstree/redis-exporter:v1.44.0
+      image: quay.io/opstree/redis:v7.0.12
+      storage: 2Gi
    properties:
-      org:
-        default: 'true'
+      exporter:
+        default:
+          enabled: true
+          image: quay.io/opstree/redis-exporter:v1.44.0
+        properties:
+          enabled:
+            default: true
+            type: boolean
+          image:
+            default: quay.io/opstree/redis-exporter:v1.44.0
+            type: string
+        type: object
+      image:
+        default: quay.io/opstree/redis:v7.0.12
        type: string
-      private:
-        default: 'false'
-        type: string
-      user:
-        default: 'true'
+      storage:
+        default: 2Gi
        type: string
    type: object
  admin:
@@ -143,6 +166,11 @@ options:
        default: gitea_admin
        type: string
    type: object
+  ssh-port:
+    default: 2222
+    examples:
+    - 2222
+    type: integer
  images:
    default:
      gitea:
@@ -288,59 +316,11 @@ options:
        default: false
        type: boolean
    type: object
-  app-group:
-    default: dev
+  replicas:
+    default: 1
    examples:
-    - dev
-    type: string
-  issuer:
-    default: letsencrypt-prod
-    examples:
-    - letsencrypt-prod
-    type: string
-  redis:
-    default:
-      exporter:
-        enabled: true
-        image: quay.io/opstree/redis-exporter:v1.44.0
-      image: quay.io/opstree/redis:v7.0.12
-      storage: 2Gi
-    examples:
-    - exporter:
-        enabled: true
-        image: quay.io/opstree/redis-exporter:v1.44.0
-      image: quay.io/opstree/redis:v7.0.12
-      storage: 2Gi
-    properties:
-      exporter:
-        default:
-          enabled: true
-          image: quay.io/opstree/redis-exporter:v1.44.0
-        properties:
-          enabled:
-            default: true
-            type: boolean
-          image:
-            default: quay.io/opstree/redis-exporter:v1.44.0
-            type: string
-        type: object
-      image:
-        default: quay.io/opstree/redis:v7.0.12
-        type: string
-      storage:
-        default: 2Gi
-        type: string
-    type: object
-  timezone:
-    default: Europe/Paris
-    examples:
-    - Europe/Paris
-    type: string
-  default-branch:
-    default: main
-    examples:
-    - main
-    type: string
+    - 1
+    type: integer
  release:
    default: 8.3.0
    examples:
@@ -351,10 +331,30 @@ options:
    examples:
    - git
    type: string
-  ingress-class:
-    default: traefik
+  app-group:
+    default: dev
    examples:
-    - traefik
+    - dev
+    type: string
+  webhook:
+    default:
+      allowed-hosts: private
+      skip-tls-verify: false
+    examples:
+    - allowed-hosts: private
+      skip-tls-verify: false
+    properties:
+      allowed-hosts:
+        default: private
+        type: string
+      skip-tls-verify:
+        default: false
+        type: boolean
+    type: object
+  default-branch:
+    default: main
+    examples:
+    - main
    type: string
 dependencies:
 - dist: null
--- a/apps/gitea/ldap.tf
+++ b/apps/gitea/ldap.tf
@@ -1,139 +1,4 @@

-locals {
-#  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
-  main-group = format("app-%s", local.app-name)
-  base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name))))
-  base-group-dn = format("ou=groups,%s", local.base-dn)
-  base-user-dn = format("ou=users,%s", local.base-dn)
-  authentik-token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
-  # request_headers = {
-  #   "Content-Type"  = "application/json"
-  #   Authorization   = "Bearer ${local.authentik-token}"
-  # }
-  ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
-  ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
-}
-# resource "kubectl_manifest" "gitea_ldap" {
-#   ignore_fields = ["metadata.annotations"]
-#   yaml_body  = <<-EOF
-#     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-#     kind: "StringSecret"
-#     metadata:
-#       name: "${var.component}-ldap"
-#       namespace: "${var.namespace}"
-#       labels: ${jsonencode(local.common-labels)}
-#     spec:
-#       forceRegenerate: false
-#       data:
-#         bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
-#         user-search-base: "${local.base-user-dn}"
-#         user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
-#         admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
-#         endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
-#       fields:
-#       - fieldName: "bindPassword"
-#         length: "32"
-#   EOF
-# }
-# resource "authentik_user" "gitea_ldapsearch" {
-#   username = "${var.component}-ldapsearch"
-#   name     = "${var.component}-ldapsearch"
-# }
-
-# resource "authentik_group" "gitea_ldapsearch" {
-#   name         = "${var.component}-ldapsearch"
-#   users        = [authentik_user.gitea_ldapsearch.id]
-#   is_superuser = true
-# }
-
-
-data "http" "gitea_ldapsearch_password" {
-  url    = "http://authentik.${var.domain}-auth.svc/api/v3/core/users/${authentik_user.gitea_ldapsearch.id}/set_password/"
-  method = "POST"
-  request_headers = local.request_headers
-  request_body = jsonencode({password=data.kubernetes_secret_v1.gitea_ldap_password.data["bindPassword"]})
-  lifecycle {
-    postcondition {
-      condition     = contains([201, 204], self.status_code)
-      error_message = "Status code invalid"
-    }
-  }
-}
-
-data "authentik_flow" "ldap-authentication-flow" {
-  #depends_on = [authentik_user.gitea_ldapsearch] # fake dependency so it is not evaluated at plan stage
-  slug       = "ldap-authentication-flow"
-}
-
-# resource "authentik_provider_ldap" "gitea_provider_ldap" {
-#   name         = "gitea-ldap-provider"
-#   base_dn      = local.base-dn
-#   search_group = authentik_group.gitea_ldapsearch.id
-#   bind_flow    = data.authentik_flow.ldap-authentication-flow.id
-# }
-
-# resource "authentik_application" "gitea_application" {
-#   name              = "${var.instance}"
-#   slug              = "${var.component}-${var.instance}-ldap"
-#   group             = var.app-group
-#   protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
-#   meta_launch_url   = format("https://%s.%s", var.sub-domain, var.domain-name)
-#   meta_icon         = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
-# }
-
-# resource "authentik_group" "gitea_users" {
-#   name         = local.main-group
-#   attributes   = jsonencode({"${local.app-name}" = true})
-# }
-
-#data "authentik_group" "vynil-admin" {
-#  depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
-#  name = "vynil-ldap-admins"
-#}
-
-# resource "authentik_group" "gitea_admin" {
-#   name         = format("admin-%s", local.app-name)
-#   parent       = authentik_group.gitea_users.id
-#   attributes   = jsonencode({"${local.app-name}" = true})
-# }
-
-# resource "authentik_policy_expression" "policy" {
-#   name       = local.main-group
-#   expression = <<-EOF
-#     attr = request.user.group_attributes()
-#     return attr['${local.app-name}'] if '${local.app-name}' in attr else False
-#   EOF
-# }
-
-# resource "authentik_policy_binding" "gitea_access_users" {
-#   target = authentik_application.gitea_application.uuid
-#   policy = authentik_policy_expression.policy.id
-#   order  = 0
-# }
-# resource "authentik_policy_binding" "gitea_access_vynil" {
-#   target = authentik_application.gitea_application.uuid
-#   group  = data.authentik_group.vynil-admin.id
-#   order  = 1
-# }
-# resource "authentik_policy_binding" "gitea_access_ldap" {
-#   target = authentik_application.gitea_application.uuid
-#   group  = authentik_group.gitea_ldapsearch.id
-#   order  = 2
-# }
-
-data "http" "get_ldap_outpost" {
-  #depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
-  url    = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=ldap"
-  method = "GET"
-  request_headers = local.request_headers
-  lifecycle {
-    postcondition {
-      condition     = contains([200], self.status_code)
-      error_message = "Status code invalid"
-    }
-  }
-}
-
 provider "restapi" {
  uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
  headers = local.request_headers
@@ -143,12 +8,3 @@ provider "restapi" {
  write_returns_object = true
  id_attribute = "name"
 }
-
-# resource "restapi_object" "ldap_outpost_binding" {
-#   path = "/outposts/instances/${local.ldap-outpost-pk}/"
-#   data = jsonencode({
-#     name = "ldap"
-#     providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
-#   })
-# }
-