vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2023-10-18 16:57:40 +02:00
parent 9b172c24ae
commit 8661e6bef9
15 changed files with 520 additions and 180 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
apps/dbgate/application.tf
View File

@@ -1,39 +1,46 @@
locals { locals {
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) dns-name = "${var.sub-domain}.${var.domain-name}"
main-group = format("app-%s", local.app-name) dns-names = [local.dns-name]
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
}
resource "authentik_group" "groups" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
} }
resource "authentik_application" "prj_app" { module "ingress" {
name = "${var.instance}" source = "../../modules/ingress"
slug = "${var.component}-${var.instance}" "component" = var.component
group = var.app-group "instance" = var.instance
protocol_provider = authentik_provider_oauth2.oauth2.id "namespace" = var.namespace
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name) "issuer" = var.issuer
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "logo192.png") "ingress-class" = var.ingress-class
"labels" = local.common-labels
"dns-names" = local.dns-names
} }
resource "authentik_policy_expression" "policy" { module "application" {
name = local.main-group source = "../../modules/application"
expression = <<-EOF "component" = var.component
attr = request.user.group_attributes() "instance" = var.instance
return attr['${local.app-name}'] if '${local.app-name}' in attr else False "app-group" = var.app-group
EOF "sub-domain" = var.sub-domain
"domain-name" = var.domain-name
"icon" = "logo192.png"
"protocol_provider" = var.use-oauth?module.oauth2.provider-id:module.forward.provider-id
} }
resource "authentik_policy_binding" "prj_access_users" { module "oauth2" {
target = authentik_application.prj_app.uuid count = var.use-oauth?1:0
policy = authentik_policy_expression.policy.id source = "../../modules/oauth2"
order = 0 "component" = var.component
"instance" = var.instance
} }
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_app.uuid module "forward" {
group = data.authentik_group.akadmin.id count = var.use-oauth?0:1
order = 1 source = "../../modules/forward"
"component" = var.component
"instance" = var.instance
"domain" = var.domain
"namespace" = var.namespace
"ingress-class" = var.ingress-class
"labels" = local.common-labels
"dns-names" = local.dns-names
"authentik-token" = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
} }

21
apps/dbgate/configs.tf
View File

@@ -51,27 +51,6 @@ locals {
connection_secrets = merge(local.pg_secrets,local.mongo_secrets) connection_secrets = merge(local.pg_secrets,local.mongo_secrets)
} }
resource "kubectl_manifest" "dbgate-init" {
yaml_body = <<-EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: "${var.component}-${var.instance}-init"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
data:
start.sh: |-
if [ -e /etc/local-ca/ca.crt ];then
cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
fi
exec /bin/su node -c /home/dbgate-docker/entrypoint.sh "$@"
EOF
}
resource "kubectl_manifest" "dbgate-config" { resource "kubectl_manifest" "dbgate-config" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: v1 apiVersion: v1

4
apps/dbgate/deploy.tf
View File

@@ -1,3 +1,7 @@
locals {
deploy-envs = merge({},
}
resource "kubectl_manifest" "deploy" { resource "kubectl_manifest" "deploy" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: apps/v1 apiVersion: apps/v1

229
apps/dbgate/index.yaml
View File

@@ -6,117 +6,12 @@ metadata:
name: dbgate name: dbgate
description: null description: null
options: options:
mongo:
default: []
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
issuer: issuer:
default: letsencrypt-prod default: letsencrypt-prod
examples: examples:
- letsencrypt-prod - letsencrypt-prod
type: string type: string
ingress-class: mongo:
default: traefik
examples:
- traefik
type: string
storage:
default:
accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
examples:
- accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 1Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
pg:
default: []
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
sub-domain:
default: dbgate
examples:
- dbgate
type: string
domain:
default: your-company
examples:
- your-company
type: string
maria:
default: [] default: []
examples: examples:
- [] - []
@@ -151,20 +46,20 @@ options:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
registry: docker.io registry: docker.io
repository: dbgate/dbgate repository: dbgate/dbgate
tag: 5.2.7 tag: 5.2.7-alpine
examples: examples:
- dbgate: - dbgate:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
registry: docker.io registry: docker.io
repository: dbgate/dbgate repository: dbgate/dbgate
tag: 5.2.7 tag: 5.2.7-alpine
properties: properties:
dbgate: dbgate:
default: default:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
registry: docker.io registry: docker.io
repository: dbgate/dbgate repository: dbgate/dbgate
tag: 5.2.7 tag: 5.2.7-alpine
properties: properties:
pullPolicy: pullPolicy:
default: IfNotPresent default: IfNotPresent
@@ -180,10 +75,120 @@ options:
default: dbgate/dbgate default: dbgate/dbgate
type: string type: string
tag: tag:
default: 5.2.7 default: 5.2.7-alpine
type: string type: string
type: object type: object
type: object type: object
sub-domain:
default: dbgate
examples:
- dbgate
type: string
use-oauth:
default: false
examples:
- false
type: boolean
domain:
default: your-company
examples:
- your-company
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
pg:
default: []
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
maria:
default: []
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
storage:
default:
accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
examples:
- accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 1Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
app-group: app-group:
default: dev default: dev
examples: examples:
@@ -201,7 +206,7 @@ providers:
authentik: true authentik: true
kubectl: true kubectl: true
postgresql: null postgresql: null
restapi: null restapi: true
http: null http: true
gitea: null gitea: null
tfaddtype: null tfaddtype: null

4
apps/dbgate/oauth2.tf
View File

@@ -1,4 +1,5 @@
resource "kubectl_manifest" "oauth2-secret" { resource "kubectl_manifest" "oauth2-secret" {
count = var.use-oauth?1:0
ignore_fields = ["metadata.annotations"] ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1" apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -15,6 +16,7 @@ resource "kubectl_manifest" "oauth2-secret" {
EOF EOF
} }
data "kubernetes_secret_v1" "oauth2-client-id" { data "kubernetes_secret_v1" "oauth2-client-id" {
count = var.use-oauth?1:0
depends_on = [kubectl_manifest.oauth2-secret] depends_on = [kubectl_manifest.oauth2-secret]
metadata { metadata {
name = kubectl_manifest.oauth2-secret.name name = kubectl_manifest.oauth2-secret.name
@@ -41,6 +43,7 @@ data "authentik_flow" "default-authentication-flow" {
} }
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
count = var.use-oauth?1:0
name = "${var.component}-${var.instance}" name = "${var.component}-${var.instance}"
client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}" client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default-authentication-flow.id
@@ -55,6 +58,7 @@ resource "authentik_provider_oauth2" "oauth2" {
} }
resource "kubernetes_secret_v1" "oauth2-client-secret" { resource "kubernetes_secret_v1" "oauth2-client-secret" {
count = var.use-oauth?1:0
metadata { metadata {
name = "${var.component}-${var.instance}-secret" name = "${var.component}-${var.instance}-secret"
namespace = var.namespace namespace = var.namespace

45
modules/application/application.tf Normal file
View File

@@ -0,0 +1,45 @@
locals {
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app-name)
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
}
resource "authentik_group" "groups" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
}
resource "authentik_group" "subgroup" {
count = length(var.sub-groups)
name = format("%s-%s", local.app-name, var.sub-groups[count.index])
parent = authentik_group.prj_users.id
}
resource "authentik_application" "prj_app" {
name = "${var.instance}"
slug = "${var.component}-${var.instance}"
group = var.app-group
protocol_provider = var.protocol_provider
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, var.icon)
}
resource "authentik_policy_expression" "policy" {
name = local.main-group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app-name}'] if '${local.app-name}' in attr else False
EOF
}
resource "authentik_policy_binding" "prj_access_users" {
target = authentik_application.prj_app.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_app.uuid
group = data.authentik_group.akadmin.id
order = 1
}

25
modules/application/variables.tf Normal file
View File

@@ -0,0 +1,25 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "icon" {
type = string
}
variable "app-group" {
type = string
}
variable "protocol_provider" {
type = number
}
variable "sub-domain" {
type = string
}
variable "domain-name" {
type = string
}
variable "sub-groups" {
type = list(string)
default = []
}

125
modules/forward/forward.tf Normal file
View File

@@ -0,0 +1,125 @@
locals {
request_headers = {
"Content-Type" = "application/json"
Authorization = "Bearer ${var.authentik-token}"
}
forward-outpost-providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward-outpost-pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app-name)
external-url = format("https://%s", var.dns-names[0])
rules-icons = [ for v in var.dns-names : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = local.service
}
"path" = "/${var.icon}"
"pathType" = "Prefix"
}]
}
}]
}
resource "kubectl_manifest" "prj_ingress_icon" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.rules-icons)}
tls:
- hosts: ${jsonencode(var.dns-names)}
secretName: "${var.instance}-cert"
EOF
}
data "authentik_flow" "default-authorization-flow" {
depends_on = [authentik_group.prj_users]
slug = "default-provider-authorization-implicit-consent"
}
resource "authentik_provider_proxy" "prj_forward" {
name = local.app-name
external_host = local.external-url
authorization_flow = data.authentik_flow.default-authorization-flow.id
mode = "forward_single"
access_token_validity = var.access-token-validity
}
resource "authentik_policy_binding" "prj_access_users" {
target = authentik_application.prj_application.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_application.uuid
group = data.authentik_group.vynil-admin.id
order = 1
}
data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.prj_forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET"
request_headers = local.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
provider "restapi" {
uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
headers = local.request_headers
create_method = "PATCH"
update_method = "PATCH"
destroy_method = "PATCH"
write_returns_object = true
id_attribute = "name"
}
resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward-outpost-pk}/"
data = jsonencode({
name = "forward"
providers = contains(local.forward-outpost-providers, authentik_provider_proxy.prj_forward.id) ? local.forward-outpost-providers : concat(local.forward-outpost-providers, [authentik_provider_proxy.prj_forward.id])
})
}
resource "kubectl_manifest" "prj_middleware" {
yaml_body = <<-EOF
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: "forward-${local.app-name}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forwardAuth:
address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
# - X-authentik-groups
# - X-authentik-email
# - X-authentik-name
# - X-authentik-uid
# - X-authentik-jwt
# - X-authentik-meta-jwks
# - X-authentik-meta-outpost
# - X-authentik-meta-provider
# - X-authentik-meta-app
# - X-authentik-meta-version
EOF
}

3
modules/forward/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "provider-id" {
value = authentik_provider_proxy.prj_forward.id
}

33
modules/forward/variables.tf Normal file
View File

@@ -0,0 +1,33 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "ingress-class" {
type = string
}
variable "labels" {
type = map(string)
}
variable "authentik-token" {
type = string
}
variable "dns-names" {
type = list(string)
}
variable "access-token-validity" {
type = string
default = "hours=10" // ;minutes=10
}

25
apps/dbgate/ingress.tf → modules/ingress/ingress.tf
View File

@@ -1,20 +1,11 @@
locals { locals {
dns-name = "${var.sub-domain}.${var.domain-name}" rules = [ for v in var.dns-names : {
dns-names = [local.dns-name]
middlewares = ["${var.instance}-https"]
service = {
"name" = "${var.component}-${var.instance}"
"port" = {
"number" = 80
}
}
rules = [ for v in local.dns-names : {
"host" = "${v}" "host" = "${v}"
"http" = { "http" = {
"paths" = [{ "paths" = [{
"backend" = { "backend" = {
"service" = local.service "service" = var.service
} }
"path" = "/" "path" = "/"
"pathType" = "Prefix" "pathType" = "Prefix"
@@ -30,10 +21,10 @@ resource "kubectl_manifest" "prj_certificate" {
metadata: metadata:
name: "${var.instance}" name: "${var.instance}"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)} labels: ${jsonencode(var.labels)}
spec: spec:
secretName: "${var.instance}-cert" secretName: "${var.instance}-cert"
dnsNames: ${jsonencode(local.dns-names)} dnsNames: ${jsonencode(var.dns-names)}
issuerRef: issuerRef:
name: "${var.issuer}" name: "${var.issuer}"
kind: "ClusterIssuer" kind: "ClusterIssuer"
@@ -48,7 +39,7 @@ resource "kubectl_manifest" "prj_https_redirect" {
metadata: metadata:
name: "${var.instance}-https" name: "${var.instance}-https"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)} labels: ${jsonencode(var.labels)}
spec: spec:
redirectScheme: redirectScheme:
scheme: "https" scheme: "https"
@@ -64,14 +55,14 @@ resource "kubectl_manifest" "prj_ingress" {
metadata: metadata:
name: "${var.instance}" name: "${var.instance}"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)} labels: ${jsonencode(var.labels)}
annotations: annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in var.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec: spec:
ingressClassName: "${var.ingress-class}" ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.rules)} rules: ${jsonencode(local.rules)}
tls: tls:
- hosts: ${jsonencode(local.dns-names)} - hosts: ${jsonencode(var.dns-names)}
secretName: "${var.instance}-cert" secretName: "${var.instance}-cert"
EOF EOF
} }

35
modules/ingress/variables.tf Normal file
View File

@@ -0,0 +1,35 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "issuer" {
type = string
}
variable "ingress-class" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns-names" {
type = list(string)
}
variable "middlewares" {
type = list(string)
default = ["${var.instance}-https"]
}
variable "service" {
default = {
"name" = "${var.component}-${var.instance}"
"port" = {
"number" = 80
}
}
}

66
modules/oauth2/oauth2.tf Normal file
View File

@@ -0,0 +1,66 @@
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-${var.instance}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
}
}
data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate"
}
data "authentik_scope_mapping" "oauth2" {
managed_list = [
"goauthentik.io/providers/oauth2/scope-email",
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
]
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}"
client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential"
sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${var.dns-name}/"
]
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
namespace = var.namespace
labels = var.labels
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}

3
modules/oauth2/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "provider-id" {
value = authentik_provider_oauth2.oauth2.id
}

15
modules/oauth2/variables.tf Normal file
View File

@@ -0,0 +1,15 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns-name" {
type = string
}