This commit is contained in:
2023-10-19 13:07:09 +02:00
parent fb3e9f56eb
commit a6ae543cfe
40 changed files with 963 additions and 1080 deletions


@@ -6,6 +6,61 @@ metadata:
name: code-server
description: null
options:
admin:
default:
cluster: false
namespace: false
examples:
- cluster: false
namespace: false
properties:
cluster:
default: false
type: boolean
namespace:
default: false
type: boolean
type: object
ingress-class:
default: traefik
examples:
- traefik
type: string
no-editor:
default: false
examples:
- false
type: boolean
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
app-group:
default: dev
examples:
- dev
type: string
sub-domain:
default: code
examples:
- code
type: string
domain:
default: your-company
examples:
- your-company
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
storage:
default:
accessMode: ReadWriteOnce
@@ -72,61 +127,6 @@ options:
type: number
type: object
type: object
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
no-editor:
default: false
examples:
- false
type: boolean
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
domain:
default: your-company
examples:
- your-company
type: string
app-group:
default: dev
examples:
- dev
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
sub-domain:
default: code
examples:
- code
type: string
admin:
default:
cluster: false
namespace: false
examples:
- cluster: false
namespace: false
properties:
cluster:
default: false
type: boolean
namespace:
default: false
type: boolean
type: object
dependencies:
- dist: null
category: share


@@ -30,14 +30,14 @@ module "service" {
module "ingress" {
source = "/dist/modules/ingress"
component = var.component
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = ["${var.instance}-https", "forward-${local.app-name}"]
middlewares = ["forward-${local.app-name}"]
service = local.service
providers = {
kubectl = kubectl
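Review bot: The `${var.instance}-https` redirectScheme middleware is dropped from the ingress module call on the line `middlewares = ["forward-${local.app-name}"]`, so unless the shared `/dist/modules/ingress` module now attaches the HTTP-to-HTTPS redirect itself, plain-HTTP requests to this host will stop being redirected; the module source is not on this page, so that needs confirming. The same removal appears in the dbgate module call (`middlewares = var.use-oauth?[]:["forward-${local.app-name}"]`) and in the new nextcloud file (`middlewares = ["${var.instance}-sslenforce", ...]`). `component = ""` also replaces `var.component` here and in dbgate; if the module derives Ingress or Certificate names from component and instance, the empty component changes those names and may leave the previously created objects orphaned unless the module handles the empty case. A one-line comment on the call would record the new contract, e.g. `# https redirect and resource naming are handled inside /dist/modules/ingress`.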


@@ -35,6 +35,40 @@ options:
type: string
type: object
type: array
use-oauth:
default: false
examples:
- false
type: boolean
pg:
default: []
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
images:
default:
dbgate:
@@ -74,50 +108,58 @@ options:
type: string
type: object
type: object
pg:
default: []
app-group:
default: dev
examples:
- []
items:
properties:
dbname:
default: ''
type: string
name:
default: ''
type: string
namespace:
default: ''
type: string
secret:
properties:
key:
default: ''
type: string
name:
default: ''
type: string
type: object
username:
default: ''
type: string
type: object
type: array
- dev
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
domain:
default: your-company
examples:
- your-company
type: string
sub-domain:
default: dbgate
examples:
- dbgate
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
storage:
default:
accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
examples:
- accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 1Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
maria:
default: []
examples:
@@ -147,52 +189,10 @@ options:
type: string
type: object
type: array
ingress-class:
default: traefik
domain-name:
default: your_company.com
examples:
- traefik
type: string
app-group:
default: dev
examples:
- dev
type: string
use-oauth:
default: false
examples:
- false
type: boolean
storage:
default:
accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
examples:
- accessMode: ReadWriteOnce
size: 1Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 1Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
domain:
default: your-company
examples:
- your-company
- your_company.com
type: string
dependencies:
- dist: null


@@ -30,14 +30,14 @@ module "service" {
module "ingress" {
source = "/dist/modules/ingress"
component = var.component
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = concat(["${var.instance}-https"], var.use-oauth?[]:["forward-${local.app-name}"])
middlewares = var.use-oauth?[]:["forward-${local.app-name}"]
service = local.service
providers = {
kubectl = kubectl
@@ -66,6 +66,7 @@ module "oauth2" {
namespace = var.namespace
labels = local.common-labels
dns-name = local.dns-name
redirect-path = ""
providers = {
kubernetes = kubernetes
kubectl = kubectl
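Review bot: `redirect-path = ""` on the oauth2 module call registers the OAuth2 redirect URI at the bare host, whereas the nextcloud call in this commit passes `redirect-path = "apps/user_oidc/code"`; the provider matches the callback the client actually sends against this registered value, so a root URI only works if dbgate serves its OIDC callback at `/`, and whether the module emits a trailing slash for an empty path cannot be seen on this page. A short comment next to the argument would make the expectation explicit, e.g. `redirect-path = "" # dbgate receives the OIDC callback at the site root; confirm against the module's URI format`. The `module "oauth2"` block starts outside this hunk.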


@@ -6,41 +6,62 @@ metadata:
name: dolibarr
description: null
options:
postgres:
default:
replicas: 1
storage: 5Gi
version: '14'
domain:
default: your-company
examples:
- replicas: 1
storage: 5Gi
version: '14'
properties:
replicas:
default: 1
type: integer
storage:
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
app-group:
default: ''
examples:
- ''
- your-company
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
sub-domain:
default: erp
redis:
default:
exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.5
storage: 2Gi
examples:
- erp
- exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.5
storage: 2Gi
properties:
exporter:
default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.5
type: string
storage:
default: 2Gi
type: string
type: object
ingress-class:
default: traefik
examples:
- traefik
type: string
modules:
default:
- societe
examples:
- - societe
items:
type: string
type: array
resources:
default:
limits:
@@ -82,42 +103,61 @@ options:
type: string
type: object
type: object
log-level:
default: 5
examples:
- 5
type: integer
redis:
postgres:
default:
exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.5
storage: 2Gi
replicas: 1
storage: 5Gi
version: '14'
examples:
- exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.5
storage: 2Gi
- replicas: 1
storage: 5Gi
version: '14'
properties:
exporter:
default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.5
type: string
replicas:
default: 1
type: integer
storage:
default: 2Gi
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
storage:
default:
accessMode: ReadWriteOnce
size: 10Gi
type: Filesystem
examples:
- accessMode: ReadWriteOnce
size: 10Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- block
type: string
type: object
parameters:
default:
MAIN_LANG_DEFAULT: auto
examples:
- MAIN_LANG_DEFAULT: auto
properties:
MAIN_LANG_DEFAULT:
default: auto
type: string
type: object
hpa:
@@ -246,29 +286,16 @@ options:
default: false
type: boolean
type: object
modules:
default:
- societe
log-level:
default: 5
examples:
- - societe
items:
type: string
type: array
user-groups:
default:
- admin: true
name: dolibarr-admin
- 5
type: integer
sub-domain:
default: erp
examples:
- - admin: true
name: dolibarr-admin
items:
properties:
admin:
type: boolean
name:
type: string
type: object
type: array
- erp
type: string
issuer:
default: letsencrypt-prod
examples:
@@ -339,53 +366,26 @@ options:
type: string
type: object
type: object
domain:
default: your-company
app-group:
default: ''
examples:
- your-company
- ''
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
storage:
user-groups:
default:
accessMode: ReadWriteOnce
size: 10Gi
type: Filesystem
- admin: true
name: dolibarr-admin
examples:
- accessMode: ReadWriteOnce
size: 10Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- block
type: string
type: object
parameters:
default:
MAIN_LANG_DEFAULT: auto
examples:
- MAIN_LANG_DEFAULT: auto
properties:
MAIN_LANG_DEFAULT:
default: auto
type: string
type: object
- - admin: true
name: dolibarr-admin
items:
properties:
admin:
type: boolean
name:
type: string
type: object
type: array
dependencies:
- dist: null
category: share
@@ -409,4 +409,5 @@ providers:
postgresql: null
restapi: true
http: true
gitea: null
tfaddtype: null
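Review bot: The `storage.properties.type` enum in this package lists `- block` (lowercase) in the hunk at `@@ -82,42 +103,61 @@`, while the dbgate schema on this page lists `- Block`; the commit moves these lines to the new position without fixing the case. If this value is forwarded to a PersistentVolumeClaim `volumeMode`, the lowercase form is not an accepted value and would be rejected at apply time, so the entry should read `- Block` to match the other packages. This is a pre-existing inconsistency carried over by the reorder rather than something the commit introduces.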


@@ -9,61 +9,6 @@ metadata:
A painless self-hosted Git service.
Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
options:
admin:
default:
email: git-admin@git.your_company.com
name: gitea_admin
examples:
- email: git-admin@git.your_company.com
name: gitea_admin
properties:
email:
default: git-admin@git.your_company.com
type: string
name:
default: gitea_admin
type: string
type: object
default-branch:
default: main
examples:
- main
type: string
sub-domain:
default: git
examples:
- git
type: string
release:
default: 8.3.0
examples:
- 8.3.0
type: string
domain:
default: your-company
examples:
- your-company
type: string
replicas:
default: 1
examples:
- 1
type: integer
ssh-port:
default: 2222
examples:
- 2222
type: integer
ingress-class:
default: traefik
examples:
- traefik
type: string
disable-registration:
default: true
examples:
- true
type: boolean
push-create:
default:
org: 'true'
@@ -84,104 +29,16 @@ options:
default: 'true'
type: string
type: object
images:
default:
gitea:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
memcached:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
theme:
default: gitea-modern
examples:
- gitea:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
memcached:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
properties:
gitea:
default:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: docker.io
type: string
repository:
default: gitea/gitea
type: string
tag:
default: 1.19.3
type: string
type: object
memcached:
default:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
properties:
registry:
default: docker.io
type: string
repository:
default: bitnami/memcached
type: string
tag:
default: 1.6.19-debian-11-r7
type: string
type: object
type: object
webhook:
default:
allowed-hosts: private
skip-tls-verify: false
examples:
- allowed-hosts: private
skip-tls-verify: false
properties:
allowed-hosts:
default: private
type: string
skip-tls-verify:
default: false
type: boolean
type: object
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
- gitea-modern
type: string
app-group:
default: dev
domain-name:
default: your_company.com
examples:
- dev
- your_company.com
type: string
load-balancer:
default:
ip: ''
examples:
- ip: ''
properties:
ip:
default: ''
type: string
type: object
backups:
default:
enable: false
@@ -288,6 +145,41 @@ options:
default: false
type: boolean
type: object
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
release:
default: 8.3.0
examples:
- 8.3.0
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
replicas:
default: 1
examples:
- 1
type: integer
webhook:
default:
allowed-hosts: private
skip-tls-verify: false
examples:
- allowed-hosts: private
skip-tls-verify: false
properties:
allowed-hosts:
default: private
type: string
skip-tls-verify:
default: false
type: boolean
type: object
postgres:
default:
replicas: 1
@@ -308,21 +200,6 @@ options:
default: '14'
type: string
type: object
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
theme:
default: gitea-modern
examples:
- gitea-modern
type: string
volume:
default:
size: 10Gi
@@ -333,6 +210,129 @@ options:
default: 10Gi
type: string
type: object
app-group:
default: dev
examples:
- dev
type: string
domain:
default: your-company
examples:
- your-company
type: string
default-branch:
default: main
examples:
- main
type: string
ssh-port:
default: 2222
examples:
- 2222
type: integer
load-balancer:
default:
ip: ''
examples:
- ip: ''
properties:
ip:
default: ''
type: string
type: object
sub-domain:
default: git
examples:
- git
type: string
disable-registration:
default: true
examples:
- true
type: boolean
ingress-class:
default: traefik
examples:
- traefik
type: string
images:
default:
gitea:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
memcached:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
examples:
- gitea:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
memcached:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
properties:
gitea:
default:
pullPolicy: IfNotPresent
registry: docker.io
repository: gitea/gitea
tag: 1.19.3
properties:
pullPolicy:
default: IfNotPresent
enum:
- Always
- Never
- IfNotPresent
type: string
registry:
default: docker.io
type: string
repository:
default: gitea/gitea
type: string
tag:
default: 1.19.3
type: string
type: object
memcached:
default:
registry: docker.io
repository: bitnami/memcached
tag: 1.6.19-debian-11-r7
properties:
registry:
default: docker.io
type: string
repository:
default: bitnami/memcached
type: string
tag:
default: 1.6.19-debian-11-r7
type: string
type: object
type: object
admin:
default:
email: git-admin@git.your_company.com
name: gitea_admin
examples:
- email: git-admin@git.your_company.com
name: gitea_admin
properties:
email:
default: git-admin@git.your_company.com
type: string
name:
default: gitea_admin
type: string
type: object
dependencies:
- dist: null
category: share
@@ -350,4 +350,5 @@ providers:
postgresql: null
restapi: true
http: true
gitea: null
tfaddtype: null


@@ -6,31 +6,31 @@ metadata:
name: k8s-api
description: Access to the kubernetes api
options:
sub-domain:
default: api
ingress-class:
default: traefik
examples:
- api
- traefik
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
issuer:
default: letsencrypt-prod
sub-domain:
default: api
examples:
- letsencrypt-prod
type: string
ingress-class:
default: traefik
examples:
- traefik
- api
type: string
domain:
default: your-company
examples:
- your-company
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
dependencies:
- dist: null
category: share
@@ -42,3 +42,5 @@ providers:
postgresql: null
restapi: true
http: true
gitea: null
tfaddtype: null


@@ -1,39 +0,0 @@
locals {
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app-name)
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
}
resource "authentik_group" "groups" {
name = local.main-group
attributes = jsonencode({"${local.app-name}" = true})
}
resource "authentik_application" "prj_app" {
name = "${var.instance}"
slug = "${var.component}-${var.instance}"
group = var.app-group
protocol_provider = authentik_provider_oauth2.oauth2.id
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "apps/theming/favicon")
}
resource "authentik_policy_expression" "policy" {
name = local.main-group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app-name}'] if '${local.app-name}' in attr else False
EOF
}
resource "authentik_policy_binding" "prj_access_users" {
target = authentik_application.prj_app.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_app.uuid
group = data.authentik_group.akadmin.id
order = 1
}


@@ -5,7 +5,7 @@ metadata:
name: nextcloud-metrics
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics


@@ -5,7 +5,7 @@ metadata:
name: nextcloud
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: app
@@ -31,7 +31,7 @@ spec:
spec:
containers:
- name: nextcloud
image: nextcloud:27.0.2-apache
image: nextcloud:27.1.2-apache
imagePullPolicy: IfNotPresent
env:
- name: POSTGRES_HOST


@@ -5,7 +5,7 @@ metadata:
name: nextcloud
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: app


@@ -1,27 +1,7 @@
locals {
collabora-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "collabora"
})
dns-collabora = "collabora.${local.dns-name}"
collabora-middlewares = ["${var.instance}-https"]
collabora-service = {
"name" = "${var.instance}-collabora"
"port" = {
"number" = 80
}
}
collabora-rules = [ for v in [local.dns-collabora] : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = local.collabora-service
}
"path" = "/"
"pathType" = "Prefix"
}]
}
}]
collabora-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "collabora"
})
}
resource "kubectl_manifest" "collabora_deploy" {
@@ -96,63 +76,3 @@ resource "kubectl_manifest" "collabora_deploy" {
- SYS_ADMIN
EOF
}
resource "kubectl_manifest" "collabora_svc" {
count = var.apps.collabora ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: "${var.instance}-collabora"
namespace: "${var.namespace}"
labels: ${jsonencode(local.collabora-labels)}
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 9980
protocol: TCP
name: http
selector: ${jsonencode(local.collabora-labels)}
EOF
}
resource "kubectl_manifest" "collabora_certificate" {
count = var.apps.collabora ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}-collabora"
namespace: "${var.namespace}"
labels: ${jsonencode(local.collabora-labels)}
spec:
secretName: "${var.instance}-collabora-cert"
dnsNames: [${jsonencode(local.dns-collabora)}]
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "collabora_ing" {
count = var.apps.collabora ? 1 : 0
yaml_body = <<-EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "${var.instance}-collabora"
namespace: "${var.namespace}"
labels: ${jsonencode(local.collabora-labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.collabora-middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.collabora-rules)}
tls:
- hosts: [${local.dns-collabora}]
secretName: "${var.instance}-collabora-cert"
EOF
}


@@ -6,111 +6,6 @@ metadata:
name: nextcloud
description: null
options:
apps:
default:
audioplayer: false
bookmarks: false
bpm: false
calendar: false
collabora: false
contacts: false
deck: false
groupfolders: true
mindmap: false
music: false
notes: false
onlyoffice: false
passman: false
spreed: false
tables: false
tasks: false
texteditor: true
examples:
- audioplayer: false
bookmarks: false
bpm: false
calendar: false
collabora: false
contacts: false
deck: false
groupfolders: true
mindmap: false
music: false
notes: false
onlyoffice: false
passman: false
spreed: false
tables: false
tasks: false
texteditor: true
properties:
audioplayer:
default: false
type: boolean
bookmarks:
default: false
type: boolean
bpm:
default: false
type: boolean
calendar:
default: false
type: boolean
collabora:
default: false
type: boolean
contacts:
default: false
type: boolean
deck:
default: false
type: boolean
groupfolders:
default: true
type: boolean
mindmap:
default: false
type: boolean
music:
default: false
type: boolean
notes:
default: false
type: boolean
onlyoffice:
default: false
type: boolean
passman:
default: false
type: boolean
spreed:
default: false
type: boolean
tables:
default: false
type: boolean
tasks:
default: false
type: boolean
texteditor:
default: true
type: boolean
type: object
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
domain:
default: your-company
examples:
- your-company
type: string
sub-domain:
default: files
examples:
- files
type: string
images:
default:
collabora:
@@ -274,23 +169,39 @@ options:
type: string
type: object
type: object
storage:
default:
accessMode: ReadWriteOnce
size: 10Gi
ingress-class:
default: traefik
examples:
- accessMode: ReadWriteOnce
size: 10Gi
- traefik
type: string
hpa:
default:
avg-cpu: 50
max-replicas: 5
min-replicas: 1
examples:
- avg-cpu: 50
max-replicas: 5
min-replicas: 1
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
avg-cpu:
default: 50
type: integer
max-replicas:
default: 5
type: integer
min-replicas:
default: 1
type: integer
type: object
admin:
default:
name: nextcloud_admin
examples:
- name: nextcloud_admin
properties:
name:
default: nextcloud_admin
type: string
type: object
app-group:
@@ -298,6 +209,31 @@ options:
examples:
- ''
type: string
postgres:
default:
replicas: 1
storage: 5Gi
version: '14'
examples:
- replicas: 1
storage: 5Gi
version: '14'
properties:
replicas:
default: 1
type: integer
storage:
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
domain:
default: your-company
examples:
- your-company
type: string
backups:
default:
enable: false
@@ -404,11 +340,125 @@ options:
default: false
type: boolean
type: object
storage:
default:
accessMode: ReadWriteOnce
size: 10Gi
examples:
- accessMode: ReadWriteOnce
size: 10Gi
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
size:
default: 10Gi
type: string
type: object
sub-domain:
default: files
examples:
- files
type: string
openid-name:
default: vynil
examples:
- vynil
type: string
apps:
default:
audioplayer: false
bookmarks: false
bpm: false
calendar: false
collabora: false
contacts: false
deck: false
groupfolders: true
mindmap: false
music: false
notes: false
onlyoffice: false
passman: false
spreed: false
tables: false
tasks: false
texteditor: true
examples:
- audioplayer: false
bookmarks: false
bpm: false
calendar: false
collabora: false
contacts: false
deck: false
groupfolders: true
mindmap: false
music: false
notes: false
onlyoffice: false
passman: false
spreed: false
tables: false
tasks: false
texteditor: true
properties:
audioplayer:
default: false
type: boolean
bookmarks:
default: false
type: boolean
bpm:
default: false
type: boolean
calendar:
default: false
type: boolean
collabora:
default: false
type: boolean
contacts:
default: false
type: boolean
deck:
default: false
type: boolean
groupfolders:
default: true
type: boolean
mindmap:
default: false
type: boolean
music:
default: false
type: boolean
notes:
default: false
type: boolean
onlyoffice:
default: false
type: boolean
passman:
default: false
type: boolean
spreed:
default: false
type: boolean
tables:
default: false
type: boolean
tasks:
default: false
type: boolean
texteditor:
default: true
type: boolean
type: object
redis:
default:
exporter:
@@ -442,66 +492,16 @@ options:
default: 2Gi
type: string
type: object
ingress-class:
default: traefik
examples:
- traefik
type: string
hpa:
default:
avg-cpu: 50
max-replicas: 5
min-replicas: 1
examples:
- avg-cpu: 50
max-replicas: 5
min-replicas: 1
properties:
avg-cpu:
default: 50
type: integer
max-replicas:
default: 5
type: integer
min-replicas:
default: 1
type: integer
type: object
admin:
default:
name: nextcloud_admin
examples:
- name: nextcloud_admin
properties:
name:
default: nextcloud_admin
type: string
type: object
postgres:
default:
replicas: 1
storage: 5Gi
version: '14'
examples:
- replicas: 1
storage: 5Gi
version: '14'
properties:
replicas:
default: 1
type: integer
storage:
default: 5Gi
type: string
version:
default: '14'
type: string
type: object
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
dependencies:
- dist: null
category: share
@@ -519,4 +519,5 @@ providers:
postgresql: null
restapi: null
http: null
gitea: null
tfaddtype: null


@@ -1,75 +0,0 @@
locals {
dns-names = [local.dns-name]
middlewares = ["${var.instance}-https","${var.instance}-sslenforce","${var.instance}-redirectdav","${var.instance}-redirectindex"]
service = {
"name" = "${var.component}"
"port" = {
"number" = 80
}
}
rules = [ for v in local.dns-names : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = local.service
}
"path" = "/"
"pathType" = "Prefix"
}]
}
}]
}
resource "kubectl_manifest" "prj_certificate" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
secretName: "${var.instance}-cert"
dnsNames: ${jsonencode(local.dns-names)}
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "prj_https_redirect" {
yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1"
kind: "Middleware"
metadata:
name: "${var.instance}-https"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
redirectScheme:
scheme: "https"
permanent: true
EOF
}
resource "kubectl_manifest" "prj_ingress" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(local.dns-names)}
secretName: "${var.instance}-cert"
EOF
}


@@ -13,6 +13,7 @@ spec:
replacement: "https://$${1}/remote.php/dav/"
EOF
}
resource "kubectl_manifest" "redirectindex" {
yaml_body = <<-EOF
apiVersion: traefik.containo.us/v1alpha1


@@ -6,7 +6,7 @@ metadata:
namespace: "vynil-cloud"
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics


@@ -1,65 +0,0 @@
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-${var.instance}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(local.common-labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
}
}
data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate"
}
data "authentik_scope_mapping" "oauth2" {
managed_list = [
"goauthentik.io/providers/oauth2/scope-email",
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
]
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}"
client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential"
sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${local.dns-name}/apps/user_oidc/code"
]
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
namespace = var.namespace
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}


@@ -1,27 +1,7 @@
locals {
onlyoffice-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "onlyoffice"
})
dns-onlyoffice = "onlyoffice.${local.dns-name}"
onlyoffice-middlewares = ["${var.instance}-https"]
onlyoffice-service = {
"name" = "${var.instance}-onlyoffice"
"port" = {
"number" = 80
}
}
onlyoffice-rules = [ for v in [local.dns-onlyoffice] : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = local.onlyoffice-service
}
"path" = "/"
"pathType" = "Prefix"
}]
}
}]
onlyoffice-labels = merge(local.common-labels, {
"app.kubernetes.io/component" = "onlyoffice"
})
}
resource "kubectl_manifest" "onlyoffice_deploy" {
@@ -81,63 +61,3 @@ resource "kubectl_manifest" "onlyoffice_deploy" {
protocol: TCP
EOF
}
resource "kubectl_manifest" "onlyoffice_svc" {
count = var.apps.onlyoffice ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: "${var.instance}-onlyoffice"
namespace: "${var.namespace}"
labels: ${jsonencode(local.onlyoffice-labels)}
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector: ${jsonencode(local.onlyoffice-labels)}
EOF
}
resource "kubectl_manifest" "onlyoffice_certificate" {
count = var.apps.onlyoffice ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}-onlyoffice"
namespace: "${var.namespace}"
labels: ${jsonencode(local.onlyoffice-labels)}
spec:
secretName: "${var.instance}-onlyoffice-cert"
dnsNames: [${jsonencode(local.dns-onlyoffice)}]
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "onlyoffice_ing" {
count = var.apps.onlyoffice ? 1 : 0
yaml_body = <<-EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "${var.instance}-onlyoffice"
namespace: "${var.namespace}"
labels: ${jsonencode(local.onlyoffice-labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.onlyoffice-middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.onlyoffice-rules)}
tls:
- hosts: [${local.dns-onlyoffice}]
secretName: "${var.instance}-onlyoffice-cert"
EOF
}


@@ -0,0 +1,134 @@
locals {
dns-name = "${var.sub-domain}.${var.domain-name}"
dns-collabora = "collabora.${local.dns-name}"
dns-onlyoffice = "onlyoffice.${local.dns-name}"
dns-names = [local.dns-name]
app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
icon = "apps/theming/favicon"
service = {
"name" = "${var.component}"
"port" = {
"number" = 80
}
}
collabora-service = {
"name" = "${var.instance}-collabora"
"port" = {
"number" = 80
}
}
onlyoffice-service = {
"name" = "${var.instance}-onlyoffice"
"port" = {
"number" = 80
}
}
}
module "ingress" {
source = "/dist/modules/ingress"
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = ["${var.instance}-sslenforce", "${var.instance}-redirectdav", "${var.instance}-redirectindex"]
service = local.service
providers = {
kubectl = kubectl
}
}
module "application" {
source = "/dist/modules/application"
component = var.component
instance = var.instance
app-group = var.app-group
sub-domain = var.sub-domain
domain-name = var.domain-name
icon = local.icon
protocol_provider = module.oauth2.provider-id
providers = {
authentik = authentik
}
}
module "oauth2" {
source = "/dist/modules/oauth2"
component = var.component
instance = var.instance
namespace = var.namespace
labels = local.common-labels
dns-name = local.dns-name
redirect-path = "apps/user_oidc/code"
providers = {
kubernetes = kubernetes
kubectl = kubectl
authentik = authentik
}
}
module "collabora-service" {
count = var.apps.collabora ? 1 : 0
source = "/dist/modules/service"
component = "collabora"
instance = var.instance
namespace = var.namespace
labels = local.collabora-labels
target = "http"
port = local.collabora-service.port.number
providers = {
kubectl = kubectl
}
}
module "collabora-ingress" {
count = var.apps.collabora ? 1 : 0
source = "/dist/modules/ingress"
component = "collabora"
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.collabora-labels
dns-names = [local.dns-collabora]
middlewares = []
service = local.service
providers = {
kubectl = kubectl
}
}
module "onlyoffice-service" {
count = var.apps.onlyoffice ? 1 : 0
source = "/dist/modules/service"
component = "onlyoffice"
instance = var.instance
namespace = var.namespace
labels = local.onlyoffice-labels
target = "http"
port = local.onlyoffice-service.port.number
providers = {
kubectl = kubectl
}
}
module "onlyoffice-ingress" {
count = var.apps.onlyoffice ? 1 : 0
source = "/dist/modules/ingress"
component = "onlyoffice"
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.onlyoffice-labels
dns-names = [local.dns-onlyoffice]
middlewares = []
service = local.service
providers = {
kubectl = kubectl
}
}
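Review bot: Both `module "collabora-ingress"` and `module "onlyoffice-ingress"` pass `service = local.service`, i.e. the main Nextcloud backend, so `collabora.<host>` and `onlyoffice.<host>` would be routed to the Nextcloud Service instead of the `${var.instance}-collabora` / `${var.instance}-onlyoffice` Services created by the module calls just above them; the `local.collabora-service` and `local.onlyoffice-service` locals are defined but never referenced. The removed `onlyoffice_ing` manifest built its rules from `local.onlyoffice-service`, so this is a regression: the two lines should read `service = local.collabora-service` and `service = local.onlyoffice-service`. The old onlyoffice Ingress also applied `local.onlyoffice-middlewares`, which the new call replaces with `middlewares = []` (only the module's HTTPS redirect remains); if those middlewares carried any access restriction it should be carried over. The `locals` block defining `common-labels`, `collabora-labels` and `onlyoffice-labels` is not in this file.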


@@ -5,7 +5,7 @@ metadata:
name: nextcloud-config
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
data:


@@ -5,7 +5,7 @@ metadata:
name: nextcloud-nginxconfig
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
data:


@@ -5,7 +5,7 @@ metadata:
name: nextcloud-nextcloud
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: app


@@ -5,7 +5,7 @@ metadata:
name: nextcloud-metrics
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics


@@ -5,7 +5,7 @@ metadata:
name: nextcloud
labels:
app.kubernetes.io/name: nextcloud
helm.sh/chart: nextcloud-4.3.1
helm.sh/chart: nextcloud-4.3.5
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: app


@@ -6,16 +6,6 @@ metadata:
name: okd
description: null
options:
sub-domain:
default: okd
examples:
- okd
type: string
app-group:
default: infra
examples:
- infra
type: string
images:
default:
okd:
@@ -64,31 +54,41 @@ options:
examples:
- your_company.com
type: string
sub-domain:
default: okd
examples:
- okd
type: string
cluster-admin:
default: false
examples:
- false
type: boolean
namespaces:
default: []
items:
type: string
type: array
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
namespaces:
default: []
items:
type: string
type: array
domain:
default: your-company
examples:
- your-company
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
app-group:
default: infra
examples:
- infra
type: string
dependencies:
- dist: null
category: share


@@ -30,14 +30,14 @@ module "service" {
module "ingress" {
source = "/dist/modules/ingress"
component = var.component
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = ["${var.instance}-https", "forward-${local.app-name}"]
middlewares = ["forward-${local.app-name}"]
service = local.service
providers = {
kubectl = kubectl


@@ -6,36 +6,36 @@ metadata:
name: traefik-ui
description: Access to the Traefik UI
options:
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
app-group:
default: infra
examples:
- infra
type: string
domain:
default: your-company
examples:
- your-company
type: string
sub-domain:
default: traefik
examples:
- traefik
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
app-group:
default: infra
examples:
- infra
type: string
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
domain:
default: your-company
examples:
- your-company
type: string
dependencies:
- dist: null
category: share


@@ -17,14 +17,14 @@ locals {
module "ingress" {
source = "/dist/modules/ingress"
component = var.component
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = ["${var.instance}-https", "forward-${local.app-name}"]
middlewares = ["forward-${local.app-name}"]
service = local.service
providers = {
kubectl = kubectl


@@ -139,6 +139,8 @@ data "kustomization_overlay" "data" {
image: "${var.images.server.registry}/${var.images.server.repository}:${var.images.server.tag}"
imagePullPolicy: "${var.images.server.pullPolicy}"
env:
- name: WOODPECKER_HOST
value: "https://${var.sub-domain}.${var.domain-name}"
- name: WOODPECKER_HOST
value: "https://${var.sub-domain}.${var.domain-name}"
envFrom:


@@ -26,11 +26,6 @@ options:
default: 'false'
type: string
type: object
ingress-class:
default: traefik
examples:
- traefik
type: string
timeouts:
default:
default: '60'
@@ -51,21 +46,16 @@ options:
examples:
- your-company
type: string
domain-name:
default: your_company.com
issuer:
default: letsencrypt-prod
examples:
- your_company.com
- letsencrypt-prod
type: string
sub-domain:
default: ci
examples:
- ci
type: string
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
storage-server:
default:
accessMode: ReadWriteOnce
@@ -85,6 +75,16 @@ options:
default: 10Gi
type: string
type: object
domain-name:
default: your_company.com
examples:
- your_company.com
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string
images:
default:
agent:
@@ -182,12 +182,19 @@ options:
type: string
type: object
type: object
dependencies: []
dependencies:
- dist: null
category: apps
component: gitea
- dist: null
category: core
component: secret-generator
providers:
kubernetes: true
authentik: true
kubectl: null
authentik: null
kubectl: true
postgresql: null
restapi: null
http: null
gitea: true
tfaddtype: null


@@ -0,0 +1,26 @@
locals {
dns-name = "${var.sub-domain}.${var.domain-name}"
dns-names = [local.dns-name]
service = {
"name" = "${var.component}-server"
"port" = {
"number" = 80
}
}
}
module "ingress" {
source = "/dist/modules/ingress"
component = ""
instance = var.instance
namespace = var.namespace
issuer = var.issuer
ingress-class = var.ingress-class
labels = local.common-labels
dns-names = local.dns-names
middlewares = []
service = local.service
providers = {
kubectl = kubectl
}
}


@@ -1,49 +0,0 @@
terraform {
required_providers {
gitea = {
source = "Lerentis/gitea"
version = "~> 0.16.0"
}
kustomization = {
source = "kbst/kustomization"
version = "~> 0.9.2"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
}
}
provider "gitea" {
base_url = "http://gitea-http.${var.domain}-ci.svc:3000/"
username = data.kubernetes_secret_v1.gitea.data["username"]
password = data.kubernetes_secret_v1.gitea.data["password"]
}
provider "kustomization" {
kubeconfig_incluster = true
}
provider "kubernetes" {
host = "https://kubernetes.default.svc"
token = "${file("/run/secrets/kubernetes.io/serviceaccount/token")}"
cluster_ca_certificate = "${file("/run/secrets/kubernetes.io/serviceaccount/ca.crt")}"
}
provider "kubectl" {
host = "https://kubernetes.default.svc"
token = "${file("/run/secrets/kubernetes.io/serviceaccount/token")}"
cluster_ca_certificate = "${file("/run/secrets/kubernetes.io/serviceaccount/ca.crt")}"
load_config_file = false
}
provider "authentik" {
url = "http://authentik.${var.domain}-auth.svc"
token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
}


@@ -19,11 +19,11 @@ resource "kubectl_manifest" "prj_certificate" {
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}"
name: "${var.instance}${var.component==""?:"":"-"}${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
secretName: "${var.instance}-cert"
secretName: "${var.instance}${var.component==""?:"":"-"}${var.component}-cert"
dnsNames: ${jsonencode(var.dns-names)}
issuerRef:
name: "${var.issuer}"
@@ -33,6 +33,7 @@ resource "kubectl_manifest" "prj_certificate" {
}
resource "kubectl_manifest" "prj_https_redirect" {
count = var.component==""?1:0
yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1"
kind: "Middleware"
@@ -53,16 +54,16 @@ resource "kubectl_manifest" "prj_ingress" {
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}"
name: "${var.instance}${var.component==""?:"":"-"}${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in var.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in concat(["${var.instance}-https"],var.middlewares) : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress-class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(var.dns-names)}
secretName: "${var.instance}-cert"
secretName: "${var.instance}${var.component==""?:"":"-"}${var.component}-cert"
EOF
}
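Review bot: The four name/secretName interpolations (`name: "${var.instance}${var.component==""?:"":"-"}${var.component}"` and the matching `-cert` secret names) use `?:`, which is not an HCL conditional; if the file really contains this text as printed, `terraform validate` will reject it, and the intended form is `${var.component == "" ? "" : "-"}`. Since the same expression appears four times it would be cleaner as one local, e.g. `ingress-name = var.component == "" ? var.instance : "${var.instance}-${var.component}"`, referenced from the Certificate name, its `secretName` and the Ingress. Separately, `prj_https_redirect` is now created only when `var.component == ""`, while the annotation unconditionally prepends `${var.instance}-https` to the middleware list; a component ingress instantiated in a namespace without the root-component ingress then references a Middleware that does not exist, which Traefik treats as a router error and does not serve, so that dependency should be documented on the `middlewares` variable or the redirect created unconditionally under a component-qualified name. The `locals` block defining `local.rules` and the start of `prj_https_redirect` are outside this hunk.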


@@ -22,7 +22,7 @@ variable "dns-names" {
}
variable "middlewares" {
type = list(string)
default = []
}
variable "service" {
}


@@ -50,7 +50,7 @@ resource "authentik_provider_oauth2" "oauth2" {
signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${var.dns-name}/"
"https://${var.dns-name}/${var.redirect-path}"
]
}


@@ -13,3 +13,7 @@ variable "labels" {
variable "dns-name" {
type = string
}
variable "redirect-path" {
type = string
default = ""
}
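Review bot: `redirect-path` is interpolated unvalidated into the provider's `redirect_uris` (`https://${var.dns-name}/${var.redirect-path}` in oauth2.tf), and that list is the security boundary for where authorization codes may be sent; a value with a leading `/` yields `//`, which no longer matches the real callback and breaks login, while a value containing `?`, `#` or whitespace produces a redirect URI that is not a plain path. A `validation` block restricting the variable to an unrooted path makes both mistakes fail at plan time with a clear message. A `description` stating that the path is relative to `https://<dns-name>/` (so `apps/user_oidc/code`, not `/apps/user_oidc/code`) would also help callers.
```hcl
variable "redirect-path" {
  type        = string
  default     = ""
  description = "Callback path appended to https://<dns-name>/ (no leading slash, e.g. apps/user_oidc/code)."
  validation {
    condition     = can(regex("^(|[A-Za-z0-9_.~-][A-Za-z0-9_.~/-]*)$", var.redirect-path))
    error_message = "redirect-path must be a plain URL path without a leading slash, query, fragment or whitespace."
  }
}
```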

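--- a/modules/saml/outputs.tf
+++ b/modules/saml/outputs.tf
@@ -0,0 +1,3 @@
+output "provider-id" {
+value = authentik_provider_saml.prj.id
+}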

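--- a/modules/saml/providers.tf
+++ b/modules/saml/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+required_providers {
+kubectl = {
+source = "gavinbunney/kubectl"
+version = "~> 1.14.0"
+}
+authentik = {
+source = "goauthentik/authentik"
+version = "~> 2023.5.0"
+}
+}
+}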

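--- a/modules/saml/saml.tf
+++ b/modules/saml/saml.tf
@@ -0,0 +1,56 @@
+data "authentik_flow" "default-authorization-flow" {
+slug = "default-provider-authorization-implicit-consent"
+}
+data "authentik_flow" "default-authentication-flow" {
+slug = "default-authentication-flow"
+}
+data "authentik_property_mapping_saml" "saml_maps" {
+managed_list = [
+"goauthentik.io/providers/saml/email",
+"goauthentik.io/providers/saml/groups",
+"goauthentik.io/providers/saml/name",
+"goauthentik.io/providers/saml/upn",
+"goauthentik.io/providers/saml/uid",
+"goauthentik.io/providers/saml/username",
+"goauthentik.io/providers/saml/ms-windowsaccountname",
+]
+}
+data "authentik_property_mapping_saml" "saml_name" {
+managed = "goauthentik.io/providers/saml/username"
+}
+data "authentik_certificate_key_pair" "generated" {
+name = "authentik Self-signed Certificate"
+}
+resource "kubectl_manifest" "saml_certificate" {
+yaml_body = <<-EOF
+apiVersion: "cert-manager.io/v1"
+kind: "Certificate"
+metadata:
+name: "${var.instance}-${var.component}-saml"
+namespace: "${var.namespace}"
+labels: ${jsonencode(var.labels)}
+spec:
+secretName: "${var.instance}-${var.component}-saml"
+dnsNames: ${jsonencode(var.dns-names)}
+issuerRef:
+name: "self-sign"
+kind: "ClusterIssuer"
+group: "cert-manager.io"
+EOF
+}
+resource "authentik_provider_saml" "prj" {
+name = "${var.component}-${var.instance}-saml"
+authentication_flow = data.authentik_flow.default-authentication-flow.id
+authorization_flow = data.authentik_flow.default-authorization-flow.id
+acs_url = "https://${var.dns-names[0]}/${var.acs-path}"
+property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
+name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
+signing_kp = data.authentik_certificate_key_pair.generated.id
+sp_binding = var.binding
+}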
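Review bot: `kubectl_manifest.saml_certificate` issues a cert-manager Certificate into the `${var.instance}-${var.component}-saml` secret, but nothing in this file consumes that secret and `authentik_provider_saml.prj` sets no `verification_kp`, so authentik will not verify signatures on incoming AuthnRequests for this provider and the SP-side key pair is never registered with it; unless the secret is consumed by the application outside the module, either the wiring is missing or the resource is dead weight. If the certificate is meant to be the SP signing key it should be imported as an `authentik_certificate_key_pair` and referenced as `verification_kp`; otherwise drop the resource. The issuer is also hard-coded to the `self-sign` ClusterIssuer and the IdP signs with the `"authentik Self-signed Certificate"` key pair while the sibling ingress module takes `var.issuer`; a header comment such as `# IdP assertions are signed with authentik's default self-signed key pair; the SP metadata must trust exactly that certificate.` would save operators a debugging round. `acs_url` indexes `var.dns-names[0]` and fails with an index error on an empty list, which a `validation { condition = length(var.dns-names) > 0 ... }` on the variable would report more clearly.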

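--- a/modules/saml/variables.tf
+++ b/modules/saml/variables.tf
@@ -0,0 +1,19 @@
+variable "component" {
+type = string
+}
+variable "instance" {
+type = string
+}
+variable "dns-names" {
+type = list(string)
+}
+variable "acs-path" {
+type = string
+}
+variable "binding" {
+type = string
+default = "post"
+}
+variable "labels" {
+type = map(string)
+}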
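Review bot: This file is shown in full (19 lines) and declares no `namespace` variable, yet `modules/saml/saml.tf` in the same commit interpolates `var.namespace` into the `saml_certificate` manifest, so `terraform validate` will fail with a reference to an undeclared input variable as soon as the module is used. Add `variable "namespace" {` / `type = string` / `}` next to `instance`. None of the variables carry a `description`; at minimum `acs-path` should state that it is appended to `https://<dns-names[0]>/` without a leading slash, and `binding` that authentik accepts `post` or `redirect`.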