vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2023-11-28 12:39:01 +01:00
parent 1a023a18e5
commit 76db355a8b
22 changed files with 1074 additions and 563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
apps/gitea/apps_v1_Deployment_gitea.yaml
View File

@@ -27,7 +27,7 @@ spec:
metadata:
annotations:
checksum/config: ad2ce0a245d17a13676e98bfc6d1833351e36e913af45f98b89299cc83f3fc11
checksum/ldap_0: d9e7446d3ea8b10f29ff9cb1e1a885db73ccb22f3d1a9e054611607e1c168226
checksum/oauth_0: f0f765c091d516960342092cbf7ed9ed3ef8de0ca140d33f6eadbec60df69d3b
labels:
helm.sh/chart: gitea-9.5.0
app: gitea
@@ -127,16 +127,16 @@ spec:
value: /tmp/gitea
- name: HOME
value: /data/gitea/git
- name: GITEA_LDAP_BIND_DN_0
- name: GITEA_OAUTH_KEY_0
valueFrom:
secretKeyRef:
key: bindDn
name: gitea-ldap
- name: GITEA_LDAP_PASSWORD_0
key: key
name: gitea-oauth-secret
- name: GITEA_OAUTH_SECRET_0
valueFrom:
secretKeyRef:
key: bindPassword
name: gitea-ldap
key: secret
name: gitea-oauth-secret
- name: GITEA_ADMIN_USERNAME
valueFrom:
secretKeyRef:

12
apps/gitea/datas.tf
View File

@@ -64,6 +64,18 @@ data "kustomization_overlay" "data" {
image: "${var.images.gitea.registry}/${var.images.gitea.repository}:${var.images.gitea.tag}"
imagePullPolicy: IfNotPresent
env:
- name: VYNIL_OAUTH_DISCOVERY
value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration"
- name: GITEA_OAUTH_KEY_0
valueFrom:
secretKeyRef:
name: "${var.component}-${var.instance}-id"
key: client-id
- name: GITEA_OAUTH_SECRET_0
valueFrom:
secretKeyRef:
name: "${var.component}-${var.instance}-secret"
key: client-secret
- name: LDAP_USER_SEARCH_BASE
valueFrom:
secretKeyRef:

289
apps/gitea/index.yaml
View File

@@ -9,71 +9,16 @@ metadata:
A painless self-hosted Git service.
Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
options:
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
domain:
default: your-company
examples:
- your-company
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
sub-domain:
default: git
examples:
- git
type: string
load-balancer:
default:
ip: ''
examples:
- ip: ''
properties:
ip:
default: ''
type: string
type: object
release:
default: 8.3.0
examples:
- 8.3.0
type: string
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
disable-registration:
default: true
examples:
- true
type: boolean
push-create:
default:
org: 'true'
private: 'false'
user: 'true'
examples:
- org: 'true'
private: 'false'
user: 'true'
properties:
org:
default: 'true'
type: string
private:
default: 'false'
type: string
user:
default: 'true'
type: string
type: object
replicas:
default: 1
examples:
- 1
type: integer
backups:
default:
enable: false
@@ -180,21 +125,51 @@ options:
default: false
type: boolean
type: object
replicas:
default: 1
examples:
- 1
type: integer
admin:
default:
email: git-admin@git.your_company.com
name: gitea_admin
examples:
- email: git-admin@git.your_company.com
name: gitea_admin
properties:
email:
default: git-admin@git.your_company.com
type: string
name:
default: gitea_admin
type: string
type: object
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
sub-domain:
default: git
examples:
- git
type: string
disable-registration:
default: true
examples:
- true
type: boolean
default-branch:
default: main
examples:
- main
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
app-group:
default: dev
examples:
- dev
type: string
webhook:
default:
allowed-hosts: private
@@ -210,6 +185,21 @@ options:
default: false
type: boolean
type: object
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
theme:
default: gitea-modern
examples:
- gitea-modern
type: string
ssh-sub-domain:
default: git
examples:
- git
type: string
postgres:
default:
replicas: 1
@@ -230,21 +220,88 @@ options:
default: '14'
type: string
type: object
admin:
push-create:
default:
email: git-admin@git.your_company.com
name: gitea_admin
org: 'true'
private: 'false'
user: 'true'
examples:
- email: git-admin@git.your_company.com
name: gitea_admin
- org: 'true'
private: 'false'
user: 'true'
properties:
email:
default: git-admin@git.your_company.com
org:
default: 'true'
type: string
name:
default: gitea_admin
private:
default: 'false'
type: string
user:
default: 'true'
type: string
type: object
volume:
default:
accessMode: ReadWriteOnce
size: 10Gi
examples:
- accessMode: ReadWriteOnce
size: 10Gi
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
type: string
type: object
redis:
default:
exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
examples:
- exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
properties:
exporter:
default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.12
type: string
storage:
default: 2Gi
type: string
type: object
ssh-port:
default: 2222
examples:
- 2222
type: integer
app-group:
default: dev
examples:
- dev
type: string
images:
default:
gitea:
@@ -284,73 +341,21 @@ options:
type: string
type: object
type: object
redis:
default:
exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
release:
default: 8.3.0
examples:
- exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
- 8.3.0
type: string
load-balancer:
default:
ip: ''
examples:
- ip: ''
properties:
exporter:
default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.12
type: string
storage:
default: 2Gi
ip:
default: ''
type: string
type: object
ingress-class:
default: traefik
examples:
- traefik
type: string
theme:
default: gitea-modern
examples:
- gitea-modern
type: string
volume:
default:
accessMode: ReadWriteOnce
size: 10Gi
examples:
- accessMode: ReadWriteOnce
size: 10Gi
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
type: string
type: object
ssh-port:
default: 2222
examples:
- 2222
type: integer
dependencies:
- dist: null
category: share

75
apps/gitea/ingress.tf
View File

@@ -1,75 +0,0 @@
locals {
dns-names = ["${var.sub-domain}.${var.domain-name}"]
middlewares = ["${var.instance}-https"]
service = {
"name" = "gitea-http"
"port" = {
"number" = 3000
}
}
rules = [ for v in local.dns-names : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = local.service
}
"path" = "/"
"pathType" = "Prefix"
}]
}
}]
}
resource "kubectl_manifest" "prj_certificate" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
secretName: "${var.instance}-cert"
dnsNames: ${jsonencode(local.dns-names)}
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "prj_https_redirect" {
yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1"
kind: "Middleware"
metadata:
name: "${var.instance}-https"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
redirectScheme:
scheme: "https"
permanent: true
EOF
}
resource "kubectl_manifest" "prj_ingress" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(local.dns-names)}
secretName: "${var.instance}-cert"
EOF
}

5
apps/gitea/inline-config.tf
View File

@@ -20,7 +20,7 @@ CONN_STR=redis://:@${var.instance}-${var.component}-redis-headless.${var.namespa
TYPE=redis
EOF
session = <<-EOF
PROVIDER=db
PROVIDER=redis
PROVIDER_CONFIG=redis://:@${var.instance}-${var.component}-redis-headless.${var.namespace}.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
EOF
indexer = <<-EOF
@@ -49,8 +49,9 @@ HTTP_PORT=3000
PROTOCOL=http
ROOT_URL=https://${var.sub-domain}.${var.domain-name}
SSH_DOMAIN=${var.sub-domain}.${var.domain-name}
SSH_LISTEN_PORT=${var.ssh-port}
SSH_LISTEN_PORT=2222
SSH_PORT=${var.ssh-port}
SSH_DOMAIN=${var.ssh-sub-domain}.${var.domain-name}
START_SSH_SERVER=true
EOF
ui = <<-EOF

166
apps/gitea/ldap.tf
View File

@@ -13,28 +13,28 @@ locals {
ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
}
resource "kubectl_manifest" "gitea_ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-ldap"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
forceRegenerate: false
data:
bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
user-search-base: "${local.base-user-dn}"
user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
fields:
- fieldName: "bindPassword"
length: "32"
EOF
}
# resource "kubectl_manifest" "gitea_ldap" {
# ignore_fields = ["metadata.annotations"]
# yaml_body = <<-EOF
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
# kind: "StringSecret"
# metadata:
# name: "${var.component}-ldap"
# namespace: "${var.namespace}"
# labels: ${jsonencode(local.common-labels)}
# spec:
# forceRegenerate: false
# data:
# bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
# user-search-base: "${local.base-user-dn}"
# user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
# admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
# endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
# fields:
# - fieldName: "bindPassword"
# length: "32"
# EOF
# }
data "kubernetes_secret_v1" "gitea_ldap_password" {
depends_on = [kubectl_manifest.gitea_ldap]
metadata {
@@ -43,16 +43,16 @@ data "kubernetes_secret_v1" "gitea_ldap_password" {
}
}
resource "authentik_user" "gitea_ldapsearch" {
username = "${var.component}-ldapsearch"
name = "${var.component}-ldapsearch"
}
# resource "authentik_user" "gitea_ldapsearch" {
# username = "${var.component}-ldapsearch"
# name = "${var.component}-ldapsearch"
# }
resource "authentik_group" "gitea_ldapsearch" {
name = "${var.component}-ldapsearch"
users = [authentik_user.gitea_ldapsearch.id]
is_superuser = true
}
# resource "authentik_group" "gitea_ldapsearch" {
# name = "${var.component}-ldapsearch"
# users = [authentik_user.gitea_ldapsearch.id]
# is_superuser = true
# }
data "http" "gitea_ldapsearch_password" {
@@ -73,61 +73,61 @@ data "authentik_flow" "ldap-authentication-flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "gitea_provider_ldap" {
name = "gitea-ldap-provider"
base_dn = local.base-dn
search_group = authentik_group.gitea_ldapsearch.id
bind_flow = data.authentik_flow.ldap-authentication-flow.id
}
# resource "authentik_provider_ldap" "gitea_provider_ldap" {
# name = "gitea-ldap-provider"
# base_dn = local.base-dn
# search_group = authentik_group.gitea_ldapsearch.id
# bind_flow = data.authentik_flow.ldap-authentication-flow.id
# }
resource "authentik_application" "gitea_application" {
name = "${var.instance}"
slug = "${var.component}-${var.instance}-ldap"
group = var.app-group
protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
}
# resource "authentik_application" "gitea_application" {
# name = "${var.instance}"
# slug = "${var.component}-${var.instance}-ldap"
# group = var.app-group
# protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
# meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
# meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
# }
resource "authentik_group" "gitea_users" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
}
# resource "authentik_group" "gitea_users" {
# name = local.main-group
# attributes = jsonencode({"${local.app-name}" = true})
# }
data "authentik_group" "vynil-admin" {
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
name = "vynil-ldap-admins"
}
resource "authentik_group" "gitea_admin" {
name = format("admin-%s", local.app-name)
parent = authentik_group.gitea_users.id
attributes = jsonencode({"${local.app-name}" = true})
}
# resource "authentik_group" "gitea_admin" {
# name = format("admin-%s", local.app-name)
# parent = authentik_group.gitea_users.id
# attributes = jsonencode({"${local.app-name}" = true})
# }
resource "authentik_policy_expression" "policy" {
name = local.main-group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app-name}'] if '${local.app-name}' in attr else False
EOF
}
# resource "authentik_policy_expression" "policy" {
# name = local.main-group
# expression = <<-EOF
# attr = request.user.group_attributes()
# return attr['${local.app-name}'] if '${local.app-name}' in attr else False
# EOF
# }
resource "authentik_policy_binding" "gitea_access_users" {
target = authentik_application.gitea_application.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "gitea_access_vynil" {
target = authentik_application.gitea_application.uuid
group = data.authentik_group.vynil-admin.id
order = 1
}
resource "authentik_policy_binding" "gitea_access_ldap" {
target = authentik_application.gitea_application.uuid
group = authentik_group.gitea_ldapsearch.id
order = 2
}
# resource "authentik_policy_binding" "gitea_access_users" {
# target = authentik_application.gitea_application.uuid
# policy = authentik_policy_expression.policy.id
# order = 0
# }
# resource "authentik_policy_binding" "gitea_access_vynil" {
# target = authentik_application.gitea_application.uuid
# group = data.authentik_group.vynil-admin.id
# order = 1
# }
# resource "authentik_policy_binding" "gitea_access_ldap" {
# target = authentik_application.gitea_application.uuid
# group = authentik_group.gitea_ldapsearch.id
# order = 2
# }
data "http" "get_ldap_outpost" {
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
@@ -152,11 +152,11 @@ provider "restapi" {
id_attribute = "name"
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap-outpost-pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
})
}
# resource "restapi_object" "ldap_outpost_binding" {
# path = "/outposts/instances/${local.ldap-outpost-pk}/"
# data = jsonencode({
# name = "ldap"
# providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
# })
# }

73
apps/gitea/presentation.tf Normal file
View File

@@ -0,0 +1,73 @@
locals {
dns-name = "${var.sub-domain}.${var.domain-name}"
dns-names = [local.dns-name]
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
icon = "logo192.png"
request_headers = {
"Content-Type" = "application/json"
Authorization = "Bearer ${data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]}"
}
service = {
"name" = "gitea-http"
"port" = {
"number" = 3000
}
}
}
# module "service" {
# source = "/dist/modules/service"
# component = var.component
# instance = var.instance
# namespace = var.namespace
# labels = local.common-labels
# target = "http"
# port = local.service.port.number
# providers = {
# kubectl = kubectl
# }
# }
module "ingress" {
source = "/dist/modules/ingress"
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = []
service = local.service
providers = {
kubectl = kubectl
}
}
module "application" {
source = "/dist/modules/application"
component = var.component
instance = var.instance
app-group = var.app-group
dns-name = local.dns-name
icon = local.icon
protocol_provider = module.oauth2.provider-id
providers = {
authentik = authentik
}
}
module "oauth2" {
source = "/dist/modules/oauth2"
component = var.component
instance = var.instance
namespace = var.namespace
labels = local.common-labels
dns-name = local.dns-name
redirect-path = ""
providers = {
kubernetes = kubernetes
kubectl = kubectl
authentik = authentik
}
}

26
apps/gitea/v1_Secret_gitea-init.yaml
View File

@@ -63,24 +63,24 @@ stringData:
configure_admin_user
function configure_ldap() {
local LDAP_NAME='vynil'
local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name "${LDAP_NAME}". Installing it now..."
gitea admin auth add-ldap --admin-filter "${LDAP_ADMIN_FILTER}" --avatar-attribute 'jpegPhoto' --bind-dn "${GITEA_LDAP_BIND_DN_0}" --bind-password "${GITEA_LDAP_PASSWORD_0}" --email-attribute 'mail' --firstname-attribute 'givenname' --host "${LDAP_HOST}" --name 'vynil' --port 389 --security-protocol 'unencrypted' --surname-attribute 'name' --user-filter "${LDAP_USER_FILTER}" --user-search-base "${LDAP_USER_SEARCH_BASE}" --username-attribute 'cn'
echo '...installed.'
else
echo "Existing ldap configuration with name "${LDAP_NAME}": '${GITEA_AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" --admin-filter "${LDAP_ADMIN_FILTER}" --avatar-attribute 'jpegPhoto' --bind-dn "${GITEA_LDAP_BIND_DN_0}" --bind-password "${GITEA_LDAP_PASSWORD_0}" --email-attribute 'mail' --firstname-attribute 'givenname' --host "${LDAP_HOST}" --name 'vynil' --port 389 --security-protocol 'unencrypted' --surname-attribute 'name' --user-filter "${LDAP_USER_FILTER}" --user-search-base "${LDAP_USER_SEARCH_BASE}" --username-attribute 'cn'
echo '...sync settings done.'
fi
echo 'no ldap configuration... skipping.'
}
configure_ldap
function configure_oauth() {
echo 'no oauth configuration... skipping.'
local OAUTH_NAME='vynil'
local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${AUTH_ID}" ]]; then
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
gitea admin auth add-oauth --auto-discover-url "${VYNIL_OAUTH_DISCOVERY}" --key "${GITEA_OAUTH_KEY_0}" --name "vynil" --provider "openidConnect" --secret "${GITEA_OAUTH_SECRET_0}"
echo '...installed.'
else
echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-oauth --id "${AUTH_ID}" --auto-discover-url "${VYNIL_OAUTH_DISCOVERY}" --key "${GITEA_OAUTH_KEY_0}" --name "vynil" --provider "openidConnect" --secret "${GITEA_OAUTH_SECRET_0}"
echo '...sync settings done.'
fi
}
configure_oauth