vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2023-11-28 12:39:01 +01:00
parent 1a023a18e5
commit 76db355a8b
22 changed files with 1074 additions and 563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
apps/gitea/ldap.tf
View File

@@ -13,28 +13,28 @@ locals {
ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
}
resource "kubectl_manifest" "gitea_ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-ldap"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
forceRegenerate: false
data:
bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
user-search-base: "${local.base-user-dn}"
user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
fields:
- fieldName: "bindPassword"
length: "32"
EOF
}
# resource "kubectl_manifest" "gitea_ldap" {
# ignore_fields = ["metadata.annotations"]
# yaml_body = <<-EOF
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
# kind: "StringSecret"
# metadata:
# name: "${var.component}-ldap"
# namespace: "${var.namespace}"
# labels: ${jsonencode(local.common-labels)}
# spec:
# forceRegenerate: false
# data:
# bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
# user-search-base: "${local.base-user-dn}"
# user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
# admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
# endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
# fields:
# - fieldName: "bindPassword"
# length: "32"
# EOF
# }
data "kubernetes_secret_v1" "gitea_ldap_password" {
depends_on = [kubectl_manifest.gitea_ldap]
metadata {
@@ -43,16 +43,16 @@ data "kubernetes_secret_v1" "gitea_ldap_password" {
}
}
resource "authentik_user" "gitea_ldapsearch" {
username = "${var.component}-ldapsearch"
name = "${var.component}-ldapsearch"
}
# resource "authentik_user" "gitea_ldapsearch" {
# username = "${var.component}-ldapsearch"
# name = "${var.component}-ldapsearch"
# }
resource "authentik_group" "gitea_ldapsearch" {
name = "${var.component}-ldapsearch"
users = [authentik_user.gitea_ldapsearch.id]
is_superuser = true
}
# resource "authentik_group" "gitea_ldapsearch" {
# name = "${var.component}-ldapsearch"
# users = [authentik_user.gitea_ldapsearch.id]
# is_superuser = true
# }
data "http" "gitea_ldapsearch_password" {
@@ -73,61 +73,61 @@ data "authentik_flow" "ldap-authentication-flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "gitea_provider_ldap" {
name = "gitea-ldap-provider"
base_dn = local.base-dn
search_group = authentik_group.gitea_ldapsearch.id
bind_flow = data.authentik_flow.ldap-authentication-flow.id
}
# resource "authentik_provider_ldap" "gitea_provider_ldap" {
# name = "gitea-ldap-provider"
# base_dn = local.base-dn
# search_group = authentik_group.gitea_ldapsearch.id
# bind_flow = data.authentik_flow.ldap-authentication-flow.id
# }
resource "authentik_application" "gitea_application" {
name = "${var.instance}"
slug = "${var.component}-${var.instance}-ldap"
group = var.app-group
protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
}
# resource "authentik_application" "gitea_application" {
# name = "${var.instance}"
# slug = "${var.component}-${var.instance}-ldap"
# group = var.app-group
# protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
# meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
# meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
# }
resource "authentik_group" "gitea_users" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
}
# resource "authentik_group" "gitea_users" {
# name = local.main-group
# attributes = jsonencode({"${local.app-name}" = true})
# }
data "authentik_group" "vynil-admin" {
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
name = "vynil-ldap-admins"
}
resource "authentik_group" "gitea_admin" {
name = format("admin-%s", local.app-name)
parent = authentik_group.gitea_users.id
attributes = jsonencode({"${local.app-name}" = true})
}
# resource "authentik_group" "gitea_admin" {
# name = format("admin-%s", local.app-name)
# parent = authentik_group.gitea_users.id
# attributes = jsonencode({"${local.app-name}" = true})
# }
resource "authentik_policy_expression" "policy" {
name = local.main-group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app-name}'] if '${local.app-name}' in attr else False
EOF
}
# resource "authentik_policy_expression" "policy" {
# name = local.main-group
# expression = <<-EOF
# attr = request.user.group_attributes()
# return attr['${local.app-name}'] if '${local.app-name}' in attr else False
# EOF
# }
resource "authentik_policy_binding" "gitea_access_users" {
target = authentik_application.gitea_application.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "gitea_access_vynil" {
target = authentik_application.gitea_application.uuid
group = data.authentik_group.vynil-admin.id
order = 1
}
resource "authentik_policy_binding" "gitea_access_ldap" {
target = authentik_application.gitea_application.uuid
group = authentik_group.gitea_ldapsearch.id
order = 2
}
# resource "authentik_policy_binding" "gitea_access_users" {
# target = authentik_application.gitea_application.uuid
# policy = authentik_policy_expression.policy.id
# order = 0
# }
# resource "authentik_policy_binding" "gitea_access_vynil" {
# target = authentik_application.gitea_application.uuid
# group = data.authentik_group.vynil-admin.id
# order = 1
# }
# resource "authentik_policy_binding" "gitea_access_ldap" {
# target = authentik_application.gitea_application.uuid
# group = authentik_group.gitea_ldapsearch.id
# order = 2
# }
data "http" "get_ldap_outpost" {
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
@@ -152,11 +152,11 @@ provider "restapi" {
id_attribute = "name"
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap-outpost-pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
})
}
# resource "restapi_object" "ldap_outpost_binding" {
# path = "/outposts/instances/${local.ldap-outpost-pk}/"
# data = jsonencode({
# name = "ldap"
# providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
# })
# }