fix

modules/application/application.tf

@@ -0,0 +1,45 @@
+locals {
+  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main-group = format("app-%s", local.app-name)
+}
+data "authentik_group" "akadmin" {
+  name = "authentik Admins"
+}
+resource "authentik_group" "groups" {
+  name         = local.main-group
+  attributes   = jsonencode({"${local.app-name}" = true})
+}
+
+resource "authentik_group" "subgroup" {
+  count = length(var.sub-groups)
+  name         = format("%s-%s", local.app-name, var.sub-groups[count.index])
+  parent       = authentik_group.prj_users.id
+}
+
+resource "authentik_application" "prj_app" {
+  name              = "${var.instance}"
+  slug              = "${var.component}-${var.instance}"
+  group             = var.app-group
+  protocol_provider = var.protocol_provider
+  meta_launch_url   = format("https://%s.%s", var.sub-domain, var.domain-name)
+  meta_icon         = format("https://%s.%s/%s", var.sub-domain, var.domain-name, var.icon)
+}
+
+resource "authentik_policy_expression" "policy" {
+  name       = local.main-group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app-name}'] if '${local.app-name}' in attr else False
+  EOF
+}
+
+resource "authentik_policy_binding" "prj_access_users" {
+  target = authentik_application.prj_app.uuid
+  policy = authentik_policy_expression.policy.id
+  order  = 0
+}
+resource "authentik_policy_binding" "prj_access_vynil" {
+  target = authentik_application.prj_app.uuid
+  group  = data.authentik_group.akadmin.id
+  order  = 1
+}

modules/application/variables.tf

@@ -0,0 +1,25 @@
+variable "component" {
+  type        = string
+}
+variable "instance" {
+  type        = string
+}
+variable "icon" {
+  type        = string
+}
+variable "app-group" {
+  type        = string
+}
+variable "protocol_provider" {
+  type        = number
+}
+variable "sub-domain" {
+  type        = string
+}
+variable "domain-name" {
+  type        = string
+}
+variable "sub-groups" {
+  type        = list(string)
+  default     = []
+}

modules/forward/forward.tf

@@ -0,0 +1,125 @@
+locals {
+  request_headers = {
+    "Content-Type"  = "application/json"
+    Authorization   = "Bearer ${var.authentik-token}"
+  }
+  forward-outpost-providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
+  forward-outpost-pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
+  app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main-group = format("app-%s", local.app-name)
+  external-url = format("https://%s", var.dns-names[0])
+  rules-icons = [ for v in var.dns-names : {
+      "host" = "${v}"
+      "http" = {
+        "paths" = [{
+          "backend"  = {
+            "service" = local.service
+          }
+          "path"     = "/${var.icon}"
+          "pathType" = "Prefix"
+        }]
+      }
+    }]
+}
+
+resource "kubectl_manifest" "prj_ingress_icon" {
+  force_conflicts = true
+  yaml_body  = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${var.instance}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+      ingressClassName: "${var.ingress-class}"
+      rules: ${jsonencode(local.rules-icons)}
+      tls:
+      - hosts: ${jsonencode(var.dns-names)}
+        secretName: "${var.instance}-cert"
+  EOF
+}
+
+data "authentik_flow" "default-authorization-flow" {
+  depends_on = [authentik_group.prj_users]
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+resource "authentik_provider_proxy" "prj_forward" {
+  name               = local.app-name
+  external_host      = local.external-url
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  mode               = "forward_single"
+  access_token_validity = var.access-token-validity
+}
+
+
+
+resource "authentik_policy_binding" "prj_access_users" {
+  target = authentik_application.prj_application.uuid
+  policy = authentik_policy_expression.policy.id
+  order  = 0
+}
+resource "authentik_policy_binding" "prj_access_vynil" {
+  target = authentik_application.prj_application.uuid
+  group  = data.authentik_group.vynil-admin.id
+  order  = 1
+}
+
+data "http" "get_forward_outpost" {
+  depends_on = [authentik_provider_proxy.prj_forward]
+  url    = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+  method = "GET"
+  request_headers = local.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+provider "restapi" {
+  uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
+  headers = local.request_headers
+  create_method = "PATCH"
+  update_method = "PATCH"
+  destroy_method = "PATCH"
+  write_returns_object = true
+  id_attribute = "name"
+}
+
+resource "restapi_object" "forward_outpost_binding" {
+  path = "/outposts/instances/${local.forward-outpost-pk}/"
+  data = jsonencode({
+    name = "forward"
+    providers = contains(local.forward-outpost-providers, authentik_provider_proxy.prj_forward.id) ? local.forward-outpost-providers : concat(local.forward-outpost-providers, [authentik_provider_proxy.prj_forward.id])
+  })
+}
+
+resource "kubectl_manifest" "prj_middleware" {
+  yaml_body  = <<-EOF
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+        name: "forward-${local.app-name}"
+        namespace: "${var.namespace}"
+        labels: ${jsonencode(var.labels)}
+    spec:
+      forwardAuth:
+        address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+        #   - X-authentik-groups
+        #   - X-authentik-email
+        #   - X-authentik-name
+        #   - X-authentik-uid
+        #   - X-authentik-jwt
+        #   - X-authentik-meta-jwks
+        #   - X-authentik-meta-outpost
+        #   - X-authentik-meta-provider
+        #   - X-authentik-meta-app
+        #   - X-authentik-meta-version
+  EOF
+}

modules/forward/outputs.tf

@@ -0,0 +1,3 @@
+output "provider-id" {
+  value       = authentik_provider_proxy.prj_forward.id
+}

modules/forward/variables.tf

@@ -0,0 +1,33 @@
+variable "component" {
+  type        = string
+}
+variable "instance" {
+  type        = string
+}
+variable "domain" {
+  type        = string
+}
+variable "namespace" {
+  type        = string
+}
+variable "ingress-class" {
+  type        = string
+}
+
+
+variable "labels" {
+  type        = map(string)
+}
+
+variable "authentik-token" {
+  type        = string
+}
+variable "dns-names" {
+  type        = list(string)
+}
+variable "access-token-validity" {
+  type        = string
+  default     = "hours=10" // ;minutes=10
+}
+
+

modules/ingress/ingress.tf

@@ -0,0 +1,68 @@
+
+locals {
+    rules = [ for v in var.dns-names : {
+      "host" = "${v}"
+      "http" = {
+        "paths" = [{
+          "backend"  = {
+            "service" = var.service
+          }
+          "path"     = "/"
+          "pathType" = "Prefix"
+        }]
+      }
+    }]
+}
+
+resource "kubectl_manifest" "prj_certificate" {
+  yaml_body  = <<-EOF
+    apiVersion: "cert-manager.io/v1"
+    kind: "Certificate"
+    metadata:
+      name: "${var.instance}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+        secretName: "${var.instance}-cert"
+        dnsNames: ${jsonencode(var.dns-names)}
+        issuerRef:
+          name: "${var.issuer}"
+          kind: "ClusterIssuer"
+          group: "cert-manager.io"
+  EOF
+}
+
+resource "kubectl_manifest" "prj_https_redirect" {
+  yaml_body  = <<-EOF
+    apiVersion: "traefik.containo.us/v1alpha1"
+    kind: "Middleware"
+    metadata:
+      name: "${var.instance}-https"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+      redirectScheme:
+        scheme: "https"
+        permanent: true
+  EOF
+}
+
+resource "kubectl_manifest" "prj_ingress" {
+  force_conflicts = true
+  yaml_body  = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${var.instance}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+      annotations:
+        "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in var.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
+    spec:
+      ingressClassName: "${var.ingress-class}"
+      rules: ${jsonencode(local.rules)}
+      tls:
+      - hosts: ${jsonencode(var.dns-names)}
+        secretName: "${var.instance}-cert"
+  EOF
+}

modules/ingress/variables.tf

@@ -0,0 +1,35 @@
+variable "component" {
+  type        = string
+}
+variable "instance" {
+  type        = string
+}
+variable "namespace" {
+  type        = string
+}
+variable "issuer" {
+  type        = string
+}
+variable "ingress-class" {
+  type        = string
+}
+
+variable "labels" {
+  type        = map(string)
+}
+variable "dns-names" {
+  type        = list(string)
+}
+variable "middlewares" {
+  type        = list(string)
+  default     = ["${var.instance}-https"]
+}
+variable "service" {
+  default     = {
+      "name"  = "${var.component}-${var.instance}"
+      "port" = {
+        "number" = 80
+      }
+    }
+}
+

modules/oauth2/oauth2.tf

@@ -0,0 +1,66 @@
+resource "kubectl_manifest" "oauth2-secret" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${var.component}-${var.instance}-id"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "client-id"
+        length: "32"
+  EOF
+}
+data "kubernetes_secret_v1" "oauth2-client-id" {
+  depends_on = [kubectl_manifest.oauth2-secret]
+  metadata {
+    name = kubectl_manifest.oauth2-secret.name
+    namespace = var.namespace
+  }
+}
+
+data "authentik_certificate_key_pair" "ca" {
+  name = "authentik Self-signed Certificate"
+}
+
+data "authentik_scope_mapping" "oauth2" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
+}
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+data "authentik_flow" "default-authentication-flow" {
+  slug = "default-authentication-flow"
+}
+
+resource "authentik_provider_oauth2" "oauth2" {
+  name                = "${var.component}-${var.instance}"
+  client_id           = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
+  authentication_flow = data.authentik_flow.default-authentication-flow.id
+  authorization_flow  = data.authentik_flow.default-authorization-flow.id
+  client_type         = "confidential"
+  sub_mode            = "user_username"
+  signing_key         = data.authentik_certificate_key_pair.ca.id
+  property_mappings   = data.authentik_scope_mapping.oauth2.ids
+  redirect_uris       = [
+    "https://${var.dns-name}/"
+  ]
+}
+
+resource "kubernetes_secret_v1" "oauth2-client-secret" {
+  metadata {
+    name = "${var.component}-${var.instance}-secret"
+    namespace = var.namespace
+    labels = var.labels
+  }
+  data = {
+    client-secret = authentik_provider_oauth2.oauth2.client_secret
+  }
+}

modules/oauth2/outputs.tf

@@ -0,0 +1,3 @@
+output "provider-id" {
+  value       = authentik_provider_oauth2.oauth2.id
+}

modules/oauth2/variables.tf

@@ -0,0 +1,15 @@
+variable "component" {
+  type        = string
+}
+variable "instance" {
+  type        = string
+}
+variable "namespace" {
+  type        = string
+}
+variable "labels" {
+  type        = map(string)
+}
+variable "dns-name" {
+  type        = string
+}