diff --git a/apps/code-server/index.yaml b/apps/code-server/index.yaml index feae84e..a0fd50d 100644 --- a/apps/code-server/index.yaml +++ b/apps/code-server/index.yaml @@ -6,6 +6,61 @@ metadata: name: code-server description: null options: + admin: + default: + cluster: false + namespace: false + examples: + - cluster: false + namespace: false + properties: + cluster: + default: false + type: boolean + namespace: + default: false + type: boolean + type: object + ingress-class: + default: traefik + examples: + - traefik + type: string + no-editor: + default: false + examples: + - false + type: boolean + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + timezone: + default: Europe/Paris + examples: + - Europe/Paris + type: string + app-group: + default: dev + examples: + - dev + type: string + sub-domain: + default: code + examples: + - code + type: string + domain: + default: your-company + examples: + - your-company + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string storage: default: accessMode: ReadWriteOnce 
@@ -72,61 +127,6 @@ options: type: number type: object type: object - timezone: - default: Europe/Paris - examples: - - Europe/Paris - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - no-editor: - default: false - examples: - - false - type: boolean - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - domain: - default: your-company - examples: - - your-company - type: string - app-group: - default: dev - examples: - - dev - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - sub-domain: - default: code - examples: - - code - type: string - admin: - default: - cluster: false - namespace: false - examples: - - cluster: false - namespace: false - properties: - cluster: - default: false - type: boolean - namespace: - default: false - type: boolean - type: object dependencies: - dist: null category: share diff --git a/apps/code-server/presentation.tf b/apps/code-server/presentation.tf index 26a476c..b7d035e 100644 --- a/apps/code-server/presentation.tf +++ b/apps/code-server/presentation.tf @@ -30,14 +30,14 @@ module "service" { module "ingress" { source = "/dist/modules/ingress" - component = var.component + component = "" instance = var.instance namespace = var.namespace issuer = var.issuer ingress-class = var.ingress-class labels = local.common-labels dns-names = local.dns-names - middlewares = ["${var.instance}-https", "forward-${local.app-name}"] + middlewares = ["forward-${local.app-name}"] service = local.service providers = { kubectl = kubectl diff --git a/apps/dbgate/index.yaml b/apps/dbgate/index.yaml index beb7274..7aca075 100644 --- a/apps/dbgate/index.yaml +++ b/apps/dbgate/index.yaml 
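Review bot: Dropping `${var.instance}-https` from `middlewares` in apps/code-server/presentation.tf removes the HTTP-to-HTTPS redirect that apps/nextcloud/ingress.tf (deleted in this same commit) shows was a Traefik `redirectScheme` Middleware, so unless `/dist/modules/ingress` now attaches an equivalent redirect itself, plain-HTTP requests to this ingress are no longer redirected. The module source is outside this diff, so this is inferred; if the module owns the redirect now, a comment on that line, e.g. `# https redirect is attached by the ingress module`, would stop the next reader from re-adding it. The same removal is made in apps/dbgate/presentation.tf. `component = ""` replaces `var.component` with an empty string, and if the module derives resource names from it, confirm it tolerates the empty value rather than emitting a name with a leading hyphen. The enclosing `module "ingress"` block ends outside the hunk.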
@@ -35,6 +35,40 @@ options: type: string type: object type: array + use-oauth: + default: false + examples: + - false + type: boolean + pg: + default: [] + examples: + - [] + items: + properties: + dbname: + default: '' + type: string + name: + default: '' + type: string + namespace: + default: '' + type: string + secret: + properties: + key: + default: '' + type: string + name: + default: '' + type: string + type: object + username: + default: '' + type: string + type: object + type: array images: default: dbgate: @@ -74,50 +108,58 @@ options: type: string type: object type: object - pg: - default: [] + app-group: + default: dev examples: - - [] - items: - properties: - dbname: - default: '' - type: string - name: - default: '' - type: string - namespace: - default: '' - type: string - secret: - properties: - key: - default: '' - type: string - name: - default: '' - type: string - type: object - username: - default: '' - type: string - type: object - type: array + - dev + type: string + ingress-class: + default: traefik + examples: + - traefik + type: string + domain: + default: your-company + examples: + - your-company + type: string sub-domain: default: dbgate examples: - dbgate type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string + storage: + default: + accessMode: ReadWriteOnce + size: 1Gi + type: Filesystem + examples: + - accessMode: ReadWriteOnce + size: 1Gi + type: Filesystem + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 1Gi + type: string + type: + default: Filesystem + enum: + - Filesystem + - Block + type: string + type: object maria: default: [] examples: 
@@ -147,52 +189,10 @@ options: type: string type: object type: array - ingress-class: - default: traefik + domain-name: + default: your_company.com examples: - - traefik - type: string - app-group: - default: dev - examples: - - dev - type: string - use-oauth: - default: false - examples: - - false - type: boolean - storage: - default: - accessMode: ReadWriteOnce - size: 1Gi - type: Filesystem - examples: - - accessMode: ReadWriteOnce - size: 1Gi - type: Filesystem - properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 1Gi - type: string - type: - default: Filesystem - enum: - - Filesystem - - Block - type: string - type: object - domain: - default: your-company - examples: - - your-company + - your_company.com type: string dependencies: - dist: null diff --git a/apps/dbgate/presentation.tf b/apps/dbgate/presentation.tf index d6dd716..568065a 100644 --- a/apps/dbgate/presentation.tf +++ b/apps/dbgate/presentation.tf @@ -30,14 +30,14 @@ module "service" { module "ingress" { source = "/dist/modules/ingress" - component = var.component + component = "" instance = var.instance namespace = var.namespace issuer = var.issuer ingress-class = var.ingress-class labels = local.common-labels dns-names = local.dns-names - middlewares = concat(["${var.instance}-https"], var.use-oauth?[]:["forward-${local.app-name}"]) + middlewares = var.use-oauth?[]:["forward-${local.app-name}"] service = local.service providers = { kubectl = kubectl @@ -66,6 +66,7 @@ module "oauth2" { namespace = var.namespace labels = local.common-labels dns-name = local.dns-name + redirect-path = "" providers = { kubernetes = kubernetes kubectl = kubectl diff --git a/apps/dolibarr/index.yaml b/apps/dolibarr/index.yaml index ac8a179..3744fd8 100644 --- a/apps/dolibarr/index.yaml +++ b/apps/dolibarr/index.yaml 
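Review bot: The ternary `var.use-oauth?[]:["forward-${local.app-name}"]` on the new `middlewares` line in apps/dbgate/presentation.tf is not `terraform fmt` output; the canonical form is `middlewares = var.use-oauth ? [] : ["forward-${local.app-name}"]`. The new `redirect-path = ""` argument to `module "oauth2"` passes an empty string with nothing saying what the module does with it; if it feeds the OAuth2 callback URI, a one-line comment naming the resulting path would help, since the module source is outside this diff. The `${var.instance}-https` removal in this file is the same change as in apps/code-server/presentation.tf. Both module blocks end outside their hunks.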
@@ -6,41 +6,62 @@ metadata: name: dolibarr description: null options: - postgres: - default: - replicas: 1 - storage: 5Gi - version: '14' + domain: + default: your-company examples: - - replicas: 1 - storage: 5Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi - type: string - version: - default: '14' - type: string - type: object - app-group: - default: '' - examples: - - '' + - your-company type: string domain-name: default: your_company.com examples: - your_company.com type: string - sub-domain: - default: erp + redis: + default: + exporter: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + image: quay.io/opstree/redis:v7.0.5 + storage: 2Gi examples: - - erp + - exporter: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + image: quay.io/opstree/redis:v7.0.5 + storage: 2Gi + properties: + exporter: + default: + enabled: true + image: quay.io/opstree/redis-exporter:v1.44.0 + properties: + enabled: + default: true + type: boolean + image: + default: quay.io/opstree/redis-exporter:v1.44.0 + type: string + type: object + image: + default: quay.io/opstree/redis:v7.0.5 + type: string + storage: + default: 2Gi + type: string + type: object + ingress-class: + default: traefik + examples: + - traefik type: string + modules: + default: + - societe + examples: + - - societe + items: + type: string + type: array resources: default: limits: 
@@ -82,42 +103,61 @@ options: type: string type: object type: object - log-level: - default: 5 - examples: - - 5 - type: integer - redis: + postgres: default: - exporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.44.0 - image: quay.io/opstree/redis:v7.0.5 - storage: 2Gi + replicas: 1 + storage: 5Gi + version: '14' examples: - - exporter: - enabled: true - image: quay.io/opstree/redis-exporter:v1.44.0 - image: quay.io/opstree/redis:v7.0.5 - storage: 2Gi + - replicas: 1 + storage: 5Gi + version: '14' properties: - exporter: - default: - enabled: true - image: quay.io/opstree/redis-exporter:v1.44.0 - properties: - enabled: - default: true - type: boolean - image: - default: quay.io/opstree/redis-exporter:v1.44.0 - type: string - type: object - image: - default: quay.io/opstree/redis:v7.0.5 - type: string + replicas: + default: 1 + type: integer storage: - default: 2Gi + default: 5Gi + type: string + version: + default: '14' + type: string + type: object + storage: + default: + accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem + examples: + - accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi + type: string + type: + default: Filesystem + enum: + - Filesystem + - block + type: string + type: object + parameters: + default: + MAIN_LANG_DEFAULT: auto + examples: + - MAIN_LANG_DEFAULT: auto + properties: + MAIN_LANG_DEFAULT: + default: auto type: string type: object hpa: 
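Review bot: The `storage.properties.type.enum` added in this hunk lists `block` in lowercase, while the same option added to apps/dbgate/index.yaml in this commit lists `Block`; if this value is passed through to a PersistentVolumeClaim `volumeMode`, Kubernetes accepts only `Filesystem` and `Block`, so the lowercase entry lets a value through the schema that the API server would reject. Suggested change under `storage.properties.type.enum`: `- Block` in place of `- block`. The `storage.default.type` and the example are `Filesystem`, so defaults are unaffected. The option is moved rather than introduced here, but the reorder is the natural place to align it with dbgate.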
@@ -246,29 +286,16 @@ options: default: false type: boolean type: object - modules: - default: - - societe + log-level: + default: 5 examples: - - - societe - items: - type: string - type: array - user-groups: - default: - - admin: true - name: dolibarr-admin + - 5 + type: integer + sub-domain: + default: erp examples: - - - admin: true - name: dolibarr-admin - items: - properties: - admin: - type: boolean - name: - type: string - type: object - type: array + - erp + type: string issuer: default: letsencrypt-prod examples: @@ -339,53 +366,26 @@ options: type: string type: object type: object - domain: - default: your-company + app-group: + default: '' examples: - - your-company + - '' type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - storage: + user-groups: default: - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem + - admin: true + name: dolibarr-admin examples: - - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem - properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string - type: - default: Filesystem - enum: - - Filesystem - - block - type: string - type: object - parameters: - default: - MAIN_LANG_DEFAULT: auto - examples: - - MAIN_LANG_DEFAULT: auto - properties: - MAIN_LANG_DEFAULT: - default: auto - type: string - type: object + - - admin: true + name: dolibarr-admin + items: + properties: + admin: + type: boolean + name: + type: string + type: object + type: array dependencies: - dist: null category: share @@ -409,4 +409,5 @@ providers: postgresql: null restapi: true http: true + gitea: null tfaddtype: null diff --git a/apps/gitea/index.yaml b/apps/gitea/index.yaml index 0a362a8..dda7ca0 100644 --- a/apps/gitea/index.yaml +++ b/apps/gitea/index.yaml 
@@ -9,61 +9,6 @@ metadata: A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. options: - admin: - default: - email: git-admin@git.your_company.com - name: gitea_admin - examples: - - email: git-admin@git.your_company.com - name: gitea_admin - properties: - email: - default: git-admin@git.your_company.com - type: string - name: - default: gitea_admin - type: string - type: object - default-branch: - default: main - examples: - - main - type: string - sub-domain: - default: git - examples: - - git - type: string - release: - default: 8.3.0 - examples: - - 8.3.0 - type: string - domain: - default: your-company - examples: - - your-company - type: string - replicas: - default: 1 - examples: - - 1 - type: integer - ssh-port: - default: 2222 - examples: - - 2222 - type: integer - ingress-class: - default: traefik - examples: - - traefik - type: string - disable-registration: - default: true - examples: - - true - type: boolean push-create: default: org: 'true' 
@@ -84,104 +29,16 @@ options: default: 'true' type: string type: object - images: - default: - gitea: - pullPolicy: IfNotPresent - registry: docker.io - repository: gitea/gitea - tag: 1.19.3 - memcached: - registry: docker.io - repository: bitnami/memcached - tag: 1.6.19-debian-11-r7 + theme: + default: gitea-modern examples: - - gitea: - pullPolicy: IfNotPresent - registry: docker.io - repository: gitea/gitea - tag: 1.19.3 - memcached: - registry: docker.io - repository: bitnami/memcached - tag: 1.6.19-debian-11-r7 - properties: - gitea: - default: - pullPolicy: IfNotPresent - registry: docker.io - repository: gitea/gitea - tag: 1.19.3 - properties: - pullPolicy: - default: IfNotPresent - enum: - - Always - - Never - - IfNotPresent - type: string - registry: - default: docker.io - type: string - repository: - default: gitea/gitea - type: string - tag: - default: 1.19.3 - type: string - type: object - memcached: - default: - registry: docker.io - repository: bitnami/memcached - tag: 1.6.19-debian-11-r7 - properties: - registry: - default: docker.io - type: string - repository: - default: bitnami/memcached - type: string - tag: - default: 1.6.19-debian-11-r7 - type: string - type: object - type: object - webhook: - default: - allowed-hosts: private - skip-tls-verify: false - examples: - - allowed-hosts: private - skip-tls-verify: false - properties: - allowed-hosts: - default: private - type: string - skip-tls-verify: - default: false - type: boolean - type: object - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod + - gitea-modern type: string - app-group: - default: dev + domain-name: + default: your_company.com examples: - - dev + - your_company.com type: string - load-balancer: - default: - ip: '' - examples: - - ip: '' - properties: - ip: - default: '' - type: string - type: object backups: default: enable: false 
@@ -288,6 +145,41 @@ options: default: false type: boolean type: object + timezone: + default: Europe/Paris + examples: + - Europe/Paris + type: string + release: + default: 8.3.0 + examples: + - 8.3.0 + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + replicas: + default: 1 + examples: + - 1 + type: integer + webhook: + default: + allowed-hosts: private + skip-tls-verify: false + examples: + - allowed-hosts: private + skip-tls-verify: false + properties: + allowed-hosts: + default: private + type: string + skip-tls-verify: + default: false + type: boolean + type: object postgres: default: replicas: 1 @@ -308,21 +200,6 @@ options: default: '14' type: string type: object - timezone: - default: Europe/Paris - examples: - - Europe/Paris - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - theme: - default: gitea-modern - examples: - - gitea-modern - type: string volume: default: size: 10Gi 
@@ -333,6 +210,129 @@ options: default: 10Gi type: string type: object + app-group: + default: dev + examples: + - dev + type: string + domain: + default: your-company + examples: + - your-company + type: string + default-branch: + default: main + examples: + - main + type: string + ssh-port: + default: 2222 + examples: + - 2222 + type: integer + load-balancer: + default: + ip: '' + examples: + - ip: '' + properties: + ip: + default: '' + type: string + type: object + sub-domain: + default: git + examples: + - git + type: string + disable-registration: + default: true + examples: + - true + type: boolean + ingress-class: + default: traefik + examples: + - traefik + type: string + images: + default: + gitea: + pullPolicy: IfNotPresent + registry: docker.io + repository: gitea/gitea + tag: 1.19.3 + memcached: + registry: docker.io + repository: bitnami/memcached + tag: 1.6.19-debian-11-r7 + examples: + - gitea: + pullPolicy: IfNotPresent + registry: docker.io + repository: gitea/gitea + tag: 1.19.3 + memcached: + registry: docker.io + repository: bitnami/memcached + tag: 1.6.19-debian-11-r7 + properties: + gitea: + default: + pullPolicy: IfNotPresent + registry: docker.io + repository: gitea/gitea + tag: 1.19.3 + properties: + pullPolicy: + default: IfNotPresent + enum: + - Always + - Never + - IfNotPresent + type: string + registry: + default: docker.io + type: string + repository: + default: gitea/gitea + type: string + tag: + default: 1.19.3 + type: string + type: object + memcached: + default: + registry: docker.io + repository: bitnami/memcached + tag: 1.6.19-debian-11-r7 + properties: + registry: + default: docker.io + type: string + repository: + default: bitnami/memcached + type: string + tag: + default: 1.6.19-debian-11-r7 + type: string + type: object + type: object + admin: + default: + email: git-admin@git.your_company.com + name: gitea_admin + examples: + - email: git-admin@git.your_company.com + name: gitea_admin + properties: + email: + default: 
git-admin@git.your_company.com + type: string + name: + default: gitea_admin + type: string + type: object dependencies: - dist: null category: share @@ -350,4 +350,5 @@ providers: postgresql: null restapi: true http: true + gitea: null tfaddtype: null diff --git a/apps/k8s-api/index.yaml b/apps/k8s-api/index.yaml index 4a0e46b..26f4a0f 100644 --- a/apps/k8s-api/index.yaml +++ b/apps/k8s-api/index.yaml @@ -6,31 +6,31 @@ metadata: name: k8s-api description: Access to the kubernetes api options: - sub-domain: - default: api + ingress-class: + default: traefik examples: - - api + - traefik type: string domain-name: default: your_company.com examples: - your_company.com type: string - issuer: - default: letsencrypt-prod + sub-domain: + default: api examples: - - letsencrypt-prod - type: string - ingress-class: - default: traefik - examples: - - traefik + - api type: string domain: default: your-company examples: - your-company type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string dependencies: - dist: null category: share @@ -42,3 +42,5 @@ providers: postgresql: null restapi: true http: true + gitea: null +tfaddtype: null diff --git a/apps/nextcloud/application.tf b/apps/nextcloud/application.tf deleted file mode 100644 index 1d837dd..0000000 --- a/apps/nextcloud/application.tf +++ /dev/null 
@@ -1,39 +0,0 @@
-locals {
- app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
- main-group = format("app-%s", local.app-name)
-}
-data "authentik_group" "akadmin" {
- name = "authentik Admins"
-}
-resource "authentik_group" "groups" {
- name = local.main-group
- attributes = jsonencode({"${local.app-name}" = true})
-}
-
-resource "authentik_application" "prj_app" {
- name = "${var.instance}"
- slug = "${var.component}-${var.instance}"
- group = var.app-group
- protocol_provider = authentik_provider_oauth2.oauth2.id
- meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
- meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "apps/theming/favicon")
-}
-
-resource "authentik_policy_expression" "policy" {
- name = local.main-group
- expression = <<-EOF
- attr = request.user.group_attributes()
- return attr['${local.app-name}'] if '${local.app-name}' in attr else False
- EOF
-}
-
-resource "authentik_policy_binding" "prj_access_users" {
- target = authentik_application.prj_app.uuid
- policy = authentik_policy_expression.policy.id
- order = 0
-}
-resource "authentik_policy_binding" "prj_access_vynil" {
- target = authentik_application.prj_app.uuid
- group = data.authentik_group.akadmin.id
- order = 1
-}
diff --git a/apps/nextcloud/apps_v1_Deployment_nextcloud-metrics.yaml b/apps/nextcloud/apps_v1_Deployment_nextcloud-metrics.yaml
index 8216466..7e81ed2 100644
--- a/apps/nextcloud/apps_v1_Deployment_nextcloud-metrics.yaml
+++ b/apps/nextcloud/apps_v1_Deployment_nextcloud-metrics.yaml
@@ -5,7 +5,7 @@ metadata:
 name: nextcloud-metrics
 labels:
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.3.1
+ helm.sh/chart: nextcloud-4.3.5
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/component: metrics
diff --git a/apps/nextcloud/apps_v1_Deployment_nextcloud.yaml b/apps/nextcloud/apps_v1_Deployment_nextcloud.yaml
index b6e1944..b268913 100644
--- a/apps/nextcloud/apps_v1_Deployment_nextcloud.yaml
+++ b/apps/nextcloud/apps_v1_Deployment_nextcloud.yaml
@@ -5,7 +5,7 @@ metadata:
 name: nextcloud
 labels:
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.3.1
+ helm.sh/chart: nextcloud-4.3.5
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/component: app
@@ -31,7 +31,7 @@ spec:
 spec:
 containers:
 - name: nextcloud
- image: nextcloud:27.0.2-apache
+ image: nextcloud:27.1.2-apache
 imagePullPolicy: IfNotPresent
 env:
 - name: POSTGRES_HOST
diff --git a/apps/nextcloud/autoscaling_v1_HorizontalPodAutoscaler_nextcloud.yaml b/apps/nextcloud/autoscaling_v1_HorizontalPodAutoscaler_nextcloud.yaml
index 0e6c660..08d6228 100644
--- a/apps/nextcloud/autoscaling_v1_HorizontalPodAutoscaler_nextcloud.yaml
+++ b/apps/nextcloud/autoscaling_v1_HorizontalPodAutoscaler_nextcloud.yaml
@@ -5,7 +5,7 @@ metadata:
 name: nextcloud
 labels:
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.3.1
+ helm.sh/chart: nextcloud-4.3.5
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/component: app
diff --git a/apps/nextcloud/collabora.tf b/apps/nextcloud/collabora.tf
index dc2d68f..7142fd1 100644
--- a/apps/nextcloud/collabora.tf
+++ b/apps/nextcloud/collabora.tf
@@ -1,27 +1,7 @@ locals { - collabora-labels = merge(local.common-labels, { - "app.kubernetes.io/component" = "collabora" - }) - dns-collabora = "collabora.${local.dns-name}" - collabora-middlewares = ["${var.instance}-https"] - collabora-service = { - "name" = "${var.instance}-collabora" - "port" = { - "number" = 80 - } - } - collabora-rules = [ for v in [local.dns-collabora] : { - "host" = "${v}" - "http" = { - "paths" = [{ - "backend" = { - "service" = local.collabora-service - } - "path" = "/" - "pathType" = "Prefix" - }] - } - }] + collabora-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "collabora" + }) } resource "kubectl_manifest" "collabora_deploy" { 
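Review bot: After this hunk the `collabora_deploy` resource is the only Collabora object left in apps/nextcloud/collabora.tf: the `dns-collabora`, `collabora-middlewares`, `collabora-service` and `collabora-rules` locals go here and the `collabora_svc`, `collabora_certificate` and `collabora_ing` resources go in the next hunk, while nothing in this diff creates a replacement Service, Certificate or Ingress for `collabora.${local.dns-name}`. If these are now produced by a module outside the diff (as the code-server and dbgate presentation.tf changes suggest for their own ingresses), a comment above the surviving `collabora-labels` local, e.g. `# collabora Service/Ingress/Certificate are created by <MODULE PATH>`, would record where they went; otherwise the deployment is left without a route or a certificate. The `collabora_deploy` resource starts here and ends outside the hunk.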
@@ -96,63 +76,3 @@ resource "kubectl_manifest" "collabora_deploy" { - SYS_ADMIN EOF } - -resource "kubectl_manifest" "collabora_svc" { - count = var.apps.collabora ? 1 : 0 - yaml_body = <<-EOF - apiVersion: v1 - kind: Service - metadata: - name: "${var.instance}-collabora" - namespace: "${var.namespace}" - labels: ${jsonencode(local.collabora-labels)} - spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9980 - protocol: TCP - name: http - selector: ${jsonencode(local.collabora-labels)} - EOF -} - -resource "kubectl_manifest" "collabora_certificate" { - count = var.apps.collabora ? 1 : 0 - yaml_body = <<-EOF - apiVersion: "cert-manager.io/v1" - kind: "Certificate" - metadata: - name: "${var.instance}-collabora" - namespace: "${var.namespace}" - labels: ${jsonencode(local.collabora-labels)} - spec: - secretName: "${var.instance}-collabora-cert" - dnsNames: [${jsonencode(local.dns-collabora)}] - issuerRef: - name: "${var.issuer}" - kind: "ClusterIssuer" - group: "cert-manager.io" - EOF -} - -resource "kubectl_manifest" "collabora_ing" { - count = var.apps.collabora ? 1 : 0 - yaml_body = <<-EOF - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: "${var.instance}-collabora" - namespace: "${var.namespace}" - labels: ${jsonencode(local.collabora-labels)} - annotations: - "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.collabora-middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" - spec: - ingressClassName: "${var.ingress-class}" - rules: ${jsonencode(local.collabora-rules)} - tls: - - hosts: [${local.dns-collabora}] - secretName: "${var.instance}-collabora-cert" - EOF -} - diff --git a/apps/nextcloud/index.yaml b/apps/nextcloud/index.yaml index a381f19..14822a8 100644 --- a/apps/nextcloud/index.yaml +++ b/apps/nextcloud/index.yaml 
@@ -6,111 +6,6 @@ metadata: name: nextcloud description: null options: - apps: - default: - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - examples: - - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - properties: - audioplayer: - default: false - type: boolean - bookmarks: - default: false - type: boolean - bpm: - default: false - type: boolean - calendar: - default: false - type: boolean - collabora: - default: false - type: boolean - contacts: - default: false - type: boolean - deck: - default: false - type: boolean - groupfolders: - default: true - type: boolean - mindmap: - default: false - type: boolean - music: - default: false - type: boolean - notes: - default: false - type: boolean - onlyoffice: - default: false - type: boolean - passman: - default: false - type: boolean - spreed: - default: false - type: boolean - tables: - default: false - type: boolean - tasks: - default: false - type: boolean - texteditor: - default: true - type: boolean - type: object - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - domain: - default: your-company - examples: - - your-company - type: string - sub-domain: - default: files - examples: - - files - type: string images: default: collabora: 
@@ -274,23 +169,39 @@ options: type: string type: object type: object - storage: - default: - accessMode: ReadWriteOnce - size: 10Gi + ingress-class: + default: traefik examples: - - accessMode: ReadWriteOnce - size: 10Gi + - traefik + type: string + hpa: + default: + avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 + examples: + - avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi + avg-cpu: + default: 50 + type: integer + max-replicas: + default: 5 + type: integer + min-replicas: + default: 1 + type: integer + type: object + admin: + default: + name: nextcloud_admin + examples: + - name: nextcloud_admin + properties: + name: + default: nextcloud_admin type: string type: object app-group: @@ -298,6 +209,31 @@ options: examples: - '' type: string + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object + domain: + default: your-company + examples: + - your-company + type: string backups: default: enable: false 
@@ -404,11 +340,125 @@ options: default: false type: boolean type: object + storage: + default: + accessMode: ReadWriteOnce + size: 10Gi + examples: + - accessMode: ReadWriteOnce + size: 10Gi + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi + type: string + type: object + sub-domain: + default: files + examples: + - files + type: string openid-name: default: vynil examples: - vynil type: string + apps: + default: + audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true + examples: + - audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true + properties: + audioplayer: + default: false + type: boolean + bookmarks: + default: false + type: boolean + bpm: + default: false + type: boolean + calendar: + default: false + type: boolean + collabora: + default: false + type: boolean + contacts: + default: false + type: boolean + deck: + default: false + type: boolean + groupfolders: + default: true + type: boolean + mindmap: + default: false + type: boolean + music: + default: false + type: boolean + notes: + default: false + type: boolean + onlyoffice: + default: false + type: boolean + passman: + default: false + type: boolean + spreed: + default: false + type: boolean + tables: + default: false + type: boolean + tasks: + default: false + type: boolean + texteditor: + default: true + type: boolean + type: object redis: default: exporter: 
@@ -442,66 +492,16 @@ options: default: 2Gi type: string type: object - ingress-class: - default: traefik - examples: - - traefik - type: string - hpa: - default: - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - examples: - - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - properties: - avg-cpu: - default: 50 - type: integer - max-replicas: - default: 5 - type: integer - min-replicas: - default: 1 - type: integer - type: object - admin: - default: - name: nextcloud_admin - examples: - - name: nextcloud_admin - properties: - name: - default: nextcloud_admin - type: string - type: object - postgres: - default: - replicas: 1 - storage: 5Gi - version: '14' - examples: - - replicas: 1 - storage: 5Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi - type: string - version: - default: '14' - type: string - type: object issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string + domain-name: + default: your_company.com + examples: + - your_company.com + type: string dependencies: - dist: null category: share @@ -519,4 +519,5 @@ providers: postgresql: null restapi: null http: null + gitea: null tfaddtype: null diff --git a/apps/nextcloud/ingress.tf b/apps/nextcloud/ingress.tf deleted file mode 100644 index 09b5a32..0000000 --- a/apps/nextcloud/ingress.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -locals { - dns-names = [local.dns-name] - middlewares = ["${var.instance}-https","${var.instance}-sslenforce","${var.instance}-redirectdav","${var.instance}-redirectindex"] - service = { - "name" = "${var.component}" - "port" = { - "number" = 80 - } - } - rules = [ for v in local.dns-names : { - "host" = "${v}" - "http" = { - "paths" = [{ - "backend" = { - "service" = local.service - } - "path" = "/" - "pathType" = "Prefix" - }] - } - }] -} - -resource "kubectl_manifest" "prj_certificate" { - yaml_body = <<-EOF - apiVersion: "cert-manager.io/v1" - kind: "Certificate" - metadata: - name: "${var.instance}" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - spec: - secretName: "${var.instance}-cert" - dnsNames: ${jsonencode(local.dns-names)} - issuerRef: - name: "${var.issuer}" - kind: "ClusterIssuer" - group: "cert-manager.io" - EOF -} - -resource "kubectl_manifest" "prj_https_redirect" { - yaml_body = <<-EOF - apiVersion: "traefik.containo.us/v1alpha1" - kind: "Middleware" - metadata: - name: "${var.instance}-https" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - spec: - redirectScheme: - scheme: "https" - permanent: true - EOF -} - -resource "kubectl_manifest" "prj_ingress" { - force_conflicts = true - yaml_body = <<-EOF - apiVersion: "networking.k8s.io/v1" - kind: "Ingress" - metadata: - name: "${var.instance}" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - annotations: - "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" - spec: - ingressClassName: "${var.ingress-class}" - rules: ${jsonencode(local.rules)} - tls: - - hosts: ${jsonencode(local.dns-names)} - secretName: "${var.instance}-cert" - EOF -} diff --git a/apps/nextcloud/middlewares.tf b/apps/nextcloud/middlewares.tf index 500d2e2..73081df 100644 --- a/apps/nextcloud/middlewares.tf 
+++ b/apps/nextcloud/middlewares.tf
@@ -13,6 +13,7 @@ spec:
 replacement: "https://$${1}/remote.php/dav/"
 EOF
 }
+
 resource "kubectl_manifest" "redirectindex" {
 yaml_body = <<-EOF
 apiVersion: traefik.containo.us/v1alpha1
diff --git a/apps/nextcloud/monitoring.coreos.com_v1_ServiceMonitor_nextcloud.yaml b/apps/nextcloud/monitoring.coreos.com_v1_ServiceMonitor_nextcloud.yaml
index a5ed6a6..f0b51a4 100644
--- a/apps/nextcloud/monitoring.coreos.com_v1_ServiceMonitor_nextcloud.yaml
+++ b/apps/nextcloud/monitoring.coreos.com_v1_ServiceMonitor_nextcloud.yaml
@@ -6,7 +6,7 @@ metadata:
 namespace: "vynil-cloud"
 labels:
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.3.1
+ helm.sh/chart: nextcloud-4.3.5
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/component: metrics
diff --git a/apps/nextcloud/oauth2.tf b/apps/nextcloud/oauth2.tf
deleted file mode 100644
index d107ed2..0000000
--- a/apps/nextcloud/oauth2.tf
+++ /dev/null
@@ -1,65 +0,0 @@ -resource "kubectl_manifest" "oauth2-secret" { - ignore_fields = ["metadata.annotations"] - yaml_body = <<-EOF - apiVersion: "secretgenerator.mittwald.de/v1alpha1" - kind: "StringSecret" - metadata: - name: "${var.component}-${var.instance}-id" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - spec: - forceRegenerate: false - fields: - - fieldName: "client-id" - length: "32" - EOF -} -data "kubernetes_secret_v1" "oauth2-client-id" { - depends_on = [kubectl_manifest.oauth2-secret] - metadata { - name = kubectl_manifest.oauth2-secret.name - namespace = var.namespace - } -} - -data "authentik_certificate_key_pair" "ca" { - name = "authentik Self-signed Certificate" -} - -data "authentik_scope_mapping" "oauth2" { - managed_list = [ - "goauthentik.io/providers/oauth2/scope-email", - "goauthentik.io/providers/oauth2/scope-openid", - "goauthentik.io/providers/oauth2/scope-profile" - ] -} -data "authentik_flow" "default-authorization-flow" { - slug = "default-provider-authorization-implicit-consent" -} -data "authentik_flow" "default-authentication-flow" { - slug = "default-authentication-flow" -} - -resource "authentik_provider_oauth2" "oauth2" { - name = "${var.component}-${var.instance}" - client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}" - authentication_flow = data.authentik_flow.default-authentication-flow.id - authorization_flow = data.authentik_flow.default-authorization-flow.id - client_type = "confidential" - sub_mode = "user_username" - signing_key = data.authentik_certificate_key_pair.ca.id - property_mappings = data.authentik_scope_mapping.oauth2.ids - redirect_uris = [ - "https://${local.dns-name}/apps/user_oidc/code" - ] -} - -resource "kubernetes_secret_v1" "oauth2-client-secret" { - metadata { - name = "${var.component}-${var.instance}-secret" - namespace = var.namespace - } - data = { - client-secret = authentik_provider_oauth2.oauth2.client_secret - } -} 
diff --git a/apps/nextcloud/onlyoffice.tf b/apps/nextcloud/onlyoffice.tf index e5254b7..ccfc92a 100644 --- a/apps/nextcloud/onlyoffice.tf +++ b/apps/nextcloud/onlyoffice.tf @@ -1,27 +1,7 @@ locals { - onlyoffice-labels = merge(local.common-labels, { - "app.kubernetes.io/component" = "onlyoffice" - }) - dns-onlyoffice = "onlyoffice.${local.dns-name}" - onlyoffice-middlewares = ["${var.instance}-https"] - onlyoffice-service = { - "name" = "${var.instance}-onlyoffice" - "port" = { - "number" = 80 - } - } - onlyoffice-rules = [ for v in [local.dns-onlyoffice] : { - "host" = "${v}" - "http" = { - "paths" = [{ - "backend" = { - "service" = local.onlyoffice-service - } - "path" = "/" - "pathType" = "Prefix" - }] - } - }] + onlyoffice-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "onlyoffice" + }) } resource "kubectl_manifest" "onlyoffice_deploy" { 
@@ -81,63 +61,3 @@ resource "kubectl_manifest" "onlyoffice_deploy" { protocol: TCP EOF } - -resource "kubectl_manifest" "onlyoffice_svc" { - count = var.apps.onlyoffice ? 1 : 0 - yaml_body = <<-EOF - apiVersion: v1 - kind: Service - metadata: - name: "${var.instance}-onlyoffice" - namespace: "${var.namespace}" - labels: ${jsonencode(local.onlyoffice-labels)} - spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: ${jsonencode(local.onlyoffice-labels)} - EOF -} - -resource "kubectl_manifest" "onlyoffice_certificate" { - count = var.apps.onlyoffice ? 1 : 0 - yaml_body = <<-EOF - apiVersion: "cert-manager.io/v1" - kind: "Certificate" - metadata: - name: "${var.instance}-onlyoffice" - namespace: "${var.namespace}" - labels: ${jsonencode(local.onlyoffice-labels)} - spec: - secretName: "${var.instance}-onlyoffice-cert" - dnsNames: [${jsonencode(local.dns-onlyoffice)}] - issuerRef: - name: "${var.issuer}" - kind: "ClusterIssuer" - group: "cert-manager.io" - EOF -} - -resource "kubectl_manifest" "onlyoffice_ing" { - count = var.apps.onlyoffice ? 1 : 0 - yaml_body = <<-EOF - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: "${var.instance}-onlyoffice" - namespace: "${var.namespace}" - labels: ${jsonencode(local.onlyoffice-labels)} - annotations: - "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in local.onlyoffice-middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" - spec: - ingressClassName: "${var.ingress-class}" - rules: ${jsonencode(local.onlyoffice-rules)} - tls: - - hosts: [${local.dns-onlyoffice}] - secretName: "${var.instance}-onlyoffice-cert" - EOF -} - diff --git a/apps/nextcloud/presentation.tf b/apps/nextcloud/presentation.tf new file mode 100644 index 0000000..5039668 --- /dev/null +++ b/apps/nextcloud/presentation.tf 
@@ -0,0 +1,134 @@
+locals {
+ dns-name = "${var.sub-domain}.${var.domain-name}"
+ dns-collabora = "collabora.${local.dns-name}"
+ dns-onlyoffice = "onlyoffice.${local.dns-name}"
+ dns-names = [local.dns-name]
+ app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+ icon = "apps/theming/favicon"
+ service = {
+ "name" = "${var.component}"
+ "port" = {
+ "number" = 80
+ }
+ }
+ collabora-service = {
+ "name" = "${var.instance}-collabora"
+ "port" = {
+ "number" = 80
+ }
+ }
+ onlyoffice-service = {
+ "name" = "${var.instance}-onlyoffice"
+ "port" = {
+ "number" = 80
+ }
+ }
+}
+
+module "ingress" {
+ source = "/dist/modules/ingress"
+ component = ""
+ instance = var.instance
+ namespace = var.namespace
+ issuer = var.issuer
+ ingress-class = var.ingress-class
+ labels = local.common-labels
+ dns-names = local.dns-names
+ middlewares = ["${var.instance}-sslenforce", "${var.instance}-redirectdav", "${var.instance}-redirectindex"]
+ service = local.service
+ providers = {
+ kubectl = kubectl
+ }
+}
+
+module "application" {
+ source = "/dist/modules/application"
+ component = var.component
+ instance = var.instance
+ app-group = var.app-group
+ sub-domain = var.sub-domain
+ domain-name = var.domain-name
+ icon = local.icon
+ protocol_provider = module.oauth2.provider-id
+ providers = {
+ authentik = authentik
+ }
+}
+
+module "oauth2" {
+ source = "/dist/modules/oauth2"
+ component = var.component
+ instance = var.instance
+ namespace = var.namespace
+ labels = local.common-labels
+ dns-name = local.dns-name
+ redirect-path = "apps/user_oidc/code"
+ providers = {
+ kubernetes = kubernetes
+ kubectl = kubectl
+ authentik = authentik
+ }
+}
+
+module "collabora-service" {
+ count = var.apps.collabora ? 1 : 0
+ source = "/dist/modules/service"
+ component = "collabora"
+ instance = var.instance
+ namespace = var.namespace
+ labels = local.collabora-labels
+ target = "http"
+ port = local.collabora-service.port.number
+ providers = {
+ kubectl = kubectl
+ }
+}
+
+module "collabora-ingress" {
+ count = var.apps.collabora ? 1 : 0
+ source = "/dist/modules/ingress"
+ component = "collabora"
+ instance = var.instance
+ namespace = var.namespace
+ issuer = var.issuer
+ ingress-class = var.ingress-class
+ labels = local.collabora-labels
+ dns-names = [local.dns-collabora]
+ middlewares = []
+ service = local.service
+ providers = {
+ kubectl = kubectl
+ }
+}
+
+module "onlyoffice-service" {
+ count = var.apps.onlyoffice ? 1 : 0
+ source = "/dist/modules/service"
+ component = "onlyoffice"
+ instance = var.instance
+ namespace = var.namespace
+ labels = local.onlyoffice-labels
+ target = "http"
+ port = local.onlyoffice-service.port.number
+ providers = {
+ kubectl = kubectl
+ }
+}
+
+module "onlyoffice-ingress" {
+ count = var.apps.onlyoffice ? 1 : 0
+ source = "/dist/modules/ingress"
+ component = "onlyoffice"
+ instance = var.instance
+ namespace = var.namespace
+ issuer = var.issuer
+ ingress-class = var.ingress-class
+ labels = local.onlyoffice-labels
+ dns-names = [local.dns-onlyoffice]
+ middlewares = []
+ service = local.service
+ providers = {
+ kubectl = kubectl
+ }
+}
+
diff --git a/apps/nextcloud/v1_ConfigMap_nextcloud-config.yaml b/apps/nextcloud/v1_ConfigMap_nextcloud-config.yaml
index 65c283b..ca0ea82 100644
--- a/apps/nextcloud/v1_ConfigMap_nextcloud-config.yaml
+++ b/apps/nextcloud/v1_ConfigMap_nextcloud-config.yaml
@@ -5,7 +5,7 @@ metadata:
 name: nextcloud-config
 labels:
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.3.1
+ helm.sh/chart: nextcloud-4.3.5
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 data:
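Review bot: `module "collabora-ingress"` and `module "onlyoffice-ingress"` pass `service = local.service`, which is the main Nextcloud backend, so the `collabora.…` and `onlyoffice.…` hostnames (each with its own certificate) would route to Nextcloud instead of to the per-component services that `collabora-service`/`onlyoffice-service` create; `local.collabora-service` and `local.onlyoffice-service` are otherwise only read for their port. Change the collabora module to `service = local.collabora-service` and the onlyoffice module to `service = local.onlyoffice-service`. With `component = ""` on the main ingress the certificate and ingress names fall back to the bare instance name, which is presumably intended to keep the existing resource names. `local.common-labels` and `local.collabora-labels` are referenced but not defined in this file; they presumably come from a sibling file not in this diff, worth confirming for `collabora-labels` since only `onlyoffice-labels` is visibly defined.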
diff --git a/apps/nextcloud/v1_ConfigMap_nextcloud-nginxconfig.yaml b/apps/nextcloud/v1_ConfigMap_nextcloud-nginxconfig.yaml index f48f77b..df16dd4 100644 --- a/apps/nextcloud/v1_ConfigMap_nextcloud-nginxconfig.yaml +++ b/apps/nextcloud/v1_ConfigMap_nextcloud-nginxconfig.yaml @@ -5,7 +5,7 @@ metadata: name: nextcloud-nginxconfig labels: app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.3.1 + helm.sh/chart: nextcloud-4.3.5 app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm data: diff --git a/apps/nextcloud/v1_PersistentVolumeClaim_nextcloud-nextcloud.yaml b/apps/nextcloud/v1_PersistentVolumeClaim_nextcloud-nextcloud.yaml index 4a86645..a68775b 100644 --- a/apps/nextcloud/v1_PersistentVolumeClaim_nextcloud-nextcloud.yaml +++ b/apps/nextcloud/v1_PersistentVolumeClaim_nextcloud-nextcloud.yaml @@ -5,7 +5,7 @@ metadata: name: nextcloud-nextcloud labels: app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.3.1 + helm.sh/chart: nextcloud-4.3.5 app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: app diff --git a/apps/nextcloud/v1_Service_nextcloud-metrics.yaml b/apps/nextcloud/v1_Service_nextcloud-metrics.yaml index 590bb6b..cddff8b 100644 --- a/apps/nextcloud/v1_Service_nextcloud-metrics.yaml +++ b/apps/nextcloud/v1_Service_nextcloud-metrics.yaml @@ -5,7 +5,7 @@ metadata: name: nextcloud-metrics labels: app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.3.1 + helm.sh/chart: nextcloud-4.3.5 app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: metrics diff --git a/apps/nextcloud/v1_Service_nextcloud.yaml b/apps/nextcloud/v1_Service_nextcloud.yaml index 5ed037b..4e78856 100644 --- a/apps/nextcloud/v1_Service_nextcloud.yaml +++ b/apps/nextcloud/v1_Service_nextcloud.yaml 
@@ -5,7 +5,7 @@ metadata: name: nextcloud labels: app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.3.1 + helm.sh/chart: nextcloud-4.3.5 app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: app diff --git a/apps/okd/index.yaml b/apps/okd/index.yaml index 0220347..6380565 100644 --- a/apps/okd/index.yaml +++ b/apps/okd/index.yaml @@ -6,16 +6,6 @@ metadata: name: okd description: null options: - sub-domain: - default: okd - examples: - - okd - type: string - app-group: - default: infra - examples: - - infra - type: string images: default: okd: @@ -64,31 +54,41 @@ options: examples: - your_company.com type: string + sub-domain: + default: okd + examples: + - okd + type: string cluster-admin: default: false examples: - false type: boolean - namespaces: - default: [] - items: - type: string - type: array - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string ingress-class: default: traefik examples: - traefik type: string + namespaces: + default: [] + items: + type: string + type: array domain: default: your-company examples: - your-company type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + app-group: + default: infra + examples: + - infra + type: string dependencies: - dist: null category: share diff --git a/apps/okd/presentation.tf b/apps/okd/presentation.tf index b504fd7..e1772a8 100644 --- a/apps/okd/presentation.tf +++ b/apps/okd/presentation.tf @@ -30,14 +30,14 @@ module "service" { module "ingress" { source = "/dist/modules/ingress" - component = var.component + component = "" instance = var.instance namespace = var.namespace issuer = var.issuer ingress-class = var.ingress-class labels = local.common-labels dns-names = local.dns-names - middlewares = ["${var.instance}-https", "forward-${local.app-name}"] + middlewares = ["forward-${local.app-name}"] service = local.service providers = { kubectl = kubectl 
diff --git a/apps/traefik-ui/index.yaml b/apps/traefik-ui/index.yaml index 9cc8cfe..364356a 100644 --- a/apps/traefik-ui/index.yaml +++ b/apps/traefik-ui/index.yaml @@ -6,36 +6,36 @@ metadata: name: traefik-ui description: Access to the Traefik UI options: - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - app-group: - default: infra - examples: - - infra - type: string - domain: - default: your-company - examples: - - your-company - type: string sub-domain: default: traefik examples: - traefik type: string - ingress-class: - default: traefik - examples: - - traefik - type: string issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string + ingress-class: + default: traefik + examples: + - traefik + type: string + app-group: + default: infra + examples: + - infra + type: string + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + domain: + default: your-company + examples: + - your-company + type: string dependencies: - dist: null category: share diff --git a/apps/traefik-ui/presentation.tf b/apps/traefik-ui/presentation.tf index fb30b46..a61baf8 100644 --- a/apps/traefik-ui/presentation.tf +++ b/apps/traefik-ui/presentation.tf @@ -17,14 +17,14 @@ locals { module "ingress" { source = "/dist/modules/ingress" - component = var.component + component = "" instance = var.instance namespace = var.namespace issuer = var.issuer ingress-class = var.ingress-class labels = local.common-labels dns-names = local.dns-names - middlewares = ["${var.instance}-https", "forward-${local.app-name}"] + middlewares = ["forward-${local.app-name}"] service = local.service providers = { kubectl = kubectl diff --git a/apps/woodpecker/datas.tf b/apps/woodpecker/datas.tf index 6027aee..5be4f20 100644 --- a/apps/woodpecker/datas.tf +++ b/apps/woodpecker/datas.tf 
@@ -139,6 +139,8 @@ data "kustomization_overlay" "data" {
 image: "${var.images.server.registry}/${var.images.server.repository}:${var.images.server.tag}"
 imagePullPolicy: "${var.images.server.pullPolicy}"
 env:
+ - name: WOODPECKER_HOST
+ value: "https://${var.sub-domain}.${var.domain-name}"
 - name: WOODPECKER_HOST
 value: "https://${var.sub-domain}.${var.domain-name}"
 envFrom:
diff --git a/apps/woodpecker/index.yaml b/apps/woodpecker/index.yaml
index 6ca29fc..067b179 100644
--- a/apps/woodpecker/index.yaml
+++ b/apps/woodpecker/index.yaml
@@ -26,11 +26,6 @@ options:
 default: 'false'
 type: string
 type: object
- ingress-class:
- default: traefik
- examples:
- - traefik
- type: string
 timeouts:
 default:
 default: '60'
@@ -51,21 +46,16 @@ options:
 examples:
 - your-company
 type: string
- domain-name:
- default: your_company.com
+ issuer:
+ default: letsencrypt-prod
 examples:
- - your_company.com
+ - letsencrypt-prod
 type: string
 sub-domain:
 default: ci
 examples:
 - ci
 type: string
- issuer:
- default: letsencrypt-prod
- examples:
- - letsencrypt-prod
- type: string
 storage-server:
 default:
 accessMode: ReadWriteOnce
@@ -85,6 +75,16 @@ options:
 default: 10Gi
 type: string
 type: object
+ domain-name:
+ default: your_company.com
+ examples:
+ - your_company.com
+ type: string
+ ingress-class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
 images:
 default:
 agent:
@@ -182,12 +182,19 @@ options:
 type: string
 type: object
 type: object
-dependencies: []
+dependencies:
+- dist: null
+ category: apps
+ component: gitea
+- dist: null
+ category: core
+ component: secret-generator
 providers:
 kubernetes: true
- authentik: true
- kubectl: null
+ authentik: null
+ kubectl: true
 postgresql: null
 restapi: null
 http: null
+ gitea: true
 tfaddtype: null
diff --git a/apps/woodpecker/presentation.tf b/apps/woodpecker/presentation.tf
new file mode 100644
index 0000000..1c42688
--- /dev/null
+++ b/apps/woodpecker/presentation.tf
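Review bot: The added `WOODPECKER_HOST` entry duplicates the one that already follows it in the context lines, so the server container now lists the same env name twice with the same value; Kubernetes takes the last occurrence, so nothing breaks today, but it is a trap for the next edit (two places to keep in sync) and stricter validators and linters reject duplicate env names. Drop the two added lines and keep the existing entry. The `data "kustomization_overlay" "data"` block both starts and continues outside this hunk.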
@@ -0,0 +1,26 @@
+locals {
+ dns-name = "${var.sub-domain}.${var.domain-name}"
+ dns-names = [local.dns-name]
+ service = {
+ "name" = "${var.component}-server"
+ "port" = {
+ "number" = 80
+ }
+ }
+}
+
+module "ingress" {
+ source = "/dist/modules/ingress"
+ component = ""
+ instance = var.instance
+ namespace = var.namespace
+ issuer = var.issuer
+ ingress-class = var.ingress-class
+ labels = local.common-labels
+ dns-names = local.dns-names
+ middlewares = []
+ service = local.service
+ providers = {
+ kubectl = kubectl
+ }
+}
diff --git a/apps/woodpecker/providers.tf b/apps/woodpecker/providers.tf
deleted file mode 100644
index 5f8f20b..0000000
--- a/apps/woodpecker/providers.tf
+++ /dev/null
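Review bot: This ingress publishes `${var.component}-server` with `middlewares = []`, i.e. only the https redirect the ingress module prepends, whereas the okd and traefik-ui ingresses in this same commit front their UI with a `forward-<app>` auth middleware. With `authentik` dropped from woodpecker's providers it looks like login is being delegated to the Gitea forge instead; if that is the intent, record it next to the empty list, e.g. `# no forward-auth middleware: Woodpecker authenticates users through its Gitea OAuth login`, so the missing middleware is not mistaken for an oversight. `local.common-labels` is referenced but not defined in this file; presumably a sibling file provides it. The datas.tf in this commit builds the same `https://${var.sub-domain}.${var.domain-name}` string for `WOODPECKER_HOST`; reusing `local.dns-name` there would keep the two from drifting.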
@@ -1,49 +0,0 @@ - -terraform { - required_providers { - gitea = { - source = "Lerentis/gitea" - version = "~> 0.16.0" - } - kustomization = { - source = "kbst/kustomization" - version = "~> 0.9.2" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.20.0" - } - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14.0" - } - authentik = { - source = "goauthentik/authentik" - version = "~> 2023.5.0" - } - } -} - -provider "gitea" { - base_url = "http://gitea-http.${var.domain}-ci.svc:3000/" - username = data.kubernetes_secret_v1.gitea.data["username"] - password = data.kubernetes_secret_v1.gitea.data["password"] -} -provider "kustomization" { - kubeconfig_incluster = true -} -provider "kubernetes" { - host = "https://kubernetes.default.svc" - token = "${file("/run/secrets/kubernetes.io/serviceaccount/token")}" - cluster_ca_certificate = "${file("/run/secrets/kubernetes.io/serviceaccount/ca.crt")}" -} -provider "kubectl" { - host = "https://kubernetes.default.svc" - token = "${file("/run/secrets/kubernetes.io/serviceaccount/token")}" - cluster_ca_certificate = "${file("/run/secrets/kubernetes.io/serviceaccount/ca.crt")}" - load_config_file = false -} -provider "authentik" { - url = "http://authentik.${var.domain}-auth.svc" - token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"] -} diff --git a/modules/ingress/ingress.tf b/modules/ingress/ingress.tf index 20e847f..98efd32 100644 --- a/modules/ingress/ingress.tf +++ b/modules/ingress/ingress.tf 
@@ -19,11 +19,11 @@ resource "kubectl_manifest" "prj_certificate" { apiVersion: "cert-manager.io/v1" kind: "Certificate" metadata: - name: "${var.instance}" + name: "${var.instance}${var.component==""?:"":"-"}${var.component}" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} spec: - secretName: "${var.instance}-cert" + secretName: "${var.instance}${var.component==""?:"":"-"}${var.component}-cert" dnsNames: ${jsonencode(var.dns-names)} issuerRef: name: "${var.issuer}" @@ -33,6 +33,7 @@ resource "kubectl_manifest" "prj_certificate" { } resource "kubectl_manifest" "prj_https_redirect" { + count = var.component==""?1:0 yaml_body = <<-EOF apiVersion: "traefik.containo.us/v1alpha1" kind: "Middleware" @@ -53,16 +54,16 @@ resource "kubectl_manifest" "prj_ingress" { apiVersion: "networking.k8s.io/v1" kind: "Ingress" metadata: - name: "${var.instance}" + name: "${var.instance}${var.component==""?:"":"-"}${var.component}" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} annotations: - "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in var.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" + "traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in concat(["${var.instance}-https"],var.middlewares) : format("%s-%s@kubernetescrd", var.namespace, m)])}" spec: ingressClassName: "${var.ingress-class}" rules: ${jsonencode(local.rules)} tls: - hosts: ${jsonencode(var.dns-names)} - secretName: "${var.instance}-cert" + secretName: "${var.instance}${var.component==""?:"":"-"}${var.component}-cert" EOF } diff --git a/modules/ingress/variables.tf b/modules/ingress/variables.tf index 4091211..1ae73fb 100644 --- a/modules/ingress/variables.tf +++ b/modules/ingress/variables.tf @@ -22,7 +22,7 @@ variable "dns-names" { } variable "middlewares" { type = list(string) + default = [] } variable "service" { } - diff --git a/modules/oauth2/oauth2.tf b/modules/oauth2/oauth2.tf index 70a71e0..bb63495 100644 
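Review bot: `${var.component==""?:"":"-"}` in the certificate `name`/`secretName` and again in the ingress `name`/`secretName` does not look like valid HCL — the conditional is `cond ? a : b`, and `?:` with nothing between the two tokens should fail to parse; since the same expression is repeated four times, compute it once, e.g. `name = var.component == "" ? var.instance : "${var.instance}-${var.component}"` in `locals` and interpolate `${local.name}` and `${local.name}-cert`. Separately, the annotation now always prepends `${var.instance}-https`, but `prj_https_redirect` is only created when `component == ""`, so a secondary instantiation (collabora, onlyoffice) references a middleware it expects the primary one in the same namespace and instance to have created, and a Traefik router whose middleware is missing is put in error state rather than served without it; a comment at the `count` line, e.g. `# created once per instance by the primary (component == "") ingress; secondary ingresses reference it by name`, would make that coupling explicit. Using the empty string as the "primary ingress" sentinel is also easy to misread from the call sites; a boolean `primary` variable would be clearer. The `prj_certificate` and `prj_ingress` resources start and end outside their hunks.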
--- a/modules/oauth2/oauth2.tf
+++ b/modules/oauth2/oauth2.tf
@@ -50,7 +50,7 @@ resource "authentik_provider_oauth2" "oauth2" {
 signing_key = data.authentik_certificate_key_pair.ca.id
 property_mappings = data.authentik_scope_mapping.oauth2.ids
 redirect_uris = [
- "https://${var.dns-name}/"
+ "https://${var.dns-name}/${var.redirect-path}"
 ]
 }
diff --git a/modules/oauth2/variables.tf b/modules/oauth2/variables.tf
index e0ccbf0..4b3b303 100644
--- a/modules/oauth2/variables.tf
+++ b/modules/oauth2/variables.tf
@@ -13,3 +13,7 @@ variable "labels" {
 variable "dns-name" {
 type = string
 }
+variable "redirect-path" {
+ type = string
+ default = ""
+}
diff --git a/modules/saml/outputs.tf b/modules/saml/outputs.tf
new file mode 100644
index 0000000..851a91b
--- /dev/null
+++ b/modules/saml/outputs.tf
@@ -0,0 +1,3 @@
+output "provider-id" {
+ value = authentik_provider_saml.prj.id
+}
\ No newline at end of file
diff --git a/modules/saml/providers.tf b/modules/saml/providers.tf
new file mode 100644
index 0000000..2e19c92
--- /dev/null
+++ b/modules/saml/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "~> 1.14.0"
+ }
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "~> 2023.5.0"
+ }
+ }
+}
diff --git a/modules/saml/saml.tf b/modules/saml/saml.tf
new file mode 100644
index 0000000..7c87579
--- /dev/null
+++ b/modules/saml/saml.tf
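Review bot: `"https://${var.dns-name}/${var.redirect-path}"` does not normalise `redirect-path`, so a caller passing a leading slash produces `https://host//path`, which will not match the callback the client actually sends; `"https://${var.dns-name}/${trimprefix(var.redirect-path, "/")}"` avoids that, and a `validation` block on the variable could reject it outright. Also, authentik labels this provider field "Redirect URIs/Origins (RegEx)" and matches entries as regular expressions; if that holds for the provider version pinned in this commit (`~> 2023.5.0`), the unescaped dots in `var.dns-name` match any character, and escaping the host (`replace(var.dns-name, ".", "\\.")`) tightens the match to the intended callback. The empty default for `redirect-path` keeps the previous `https://host/` value for callers that do not set it. The `authentik_provider_oauth2` resource starts outside the hunk.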
@@ -0,0 +1,56 @@
+data "authentik_flow" "default-authorization-flow" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+data "authentik_flow" "default-authentication-flow" {
+ slug = "default-authentication-flow"
+}
+
+data "authentik_property_mapping_saml" "saml_maps" {
+ managed_list = [
+ "goauthentik.io/providers/saml/email",
+ "goauthentik.io/providers/saml/groups",
+ "goauthentik.io/providers/saml/name",
+ "goauthentik.io/providers/saml/upn",
+ "goauthentik.io/providers/saml/uid",
+ "goauthentik.io/providers/saml/username",
+ "goauthentik.io/providers/saml/ms-windowsaccountname",
+ ]
+}
+
+data "authentik_property_mapping_saml" "saml_name" {
+ managed = "goauthentik.io/providers/saml/username"
+}
+
+data "authentik_certificate_key_pair" "generated" {
+ name = "authentik Self-signed Certificate"
+}
+
+resource "kubectl_manifest" "saml_certificate" {
+ yaml_body = <<-EOF
+ apiVersion: "cert-manager.io/v1"
+ kind: "Certificate"
+ metadata:
+ name: "${var.instance}-${var.component}-saml"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(var.labels)}
+ spec:
+ secretName: "${var.instance}-${var.component}-saml"
+ dnsNames: ${jsonencode(var.dns-names)}
+ issuerRef:
+ name: "self-sign"
+ kind: "ClusterIssuer"
+ group: "cert-manager.io"
+ EOF
+}
+
+resource "authentik_provider_saml" "prj" {
+ name = "${var.component}-${var.instance}-saml"
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ acs_url = "https://${var.dns-names[0]}/${var.acs-path}"
+ property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
+ name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
+ signing_kp = data.authentik_certificate_key_pair.generated.id
+ sp_binding = var.binding
+}
+
diff --git a/modules/saml/variables.tf b/modules/saml/variables.tf
new file mode 100644
index 0000000..fce1570
--- /dev/null
+++ b/modules/saml/variables.tf
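Review bot: `kubectl_manifest.saml_certificate` asks cert-manager's `self-sign` ClusterIssuer for a certificate, but nothing in the module consumes the resulting secret — the provider signs with `data.authentik_certificate_key_pair.generated`, authentik's default self-signed key pair that every provider on the instance shares — so either the resource is dead or the intent was to give this SP its own key and the wiring is missing. If it is the latter, the secret has to be imported into authentik (an `authentik_certificate_key_pair` resource) and referenced from `signing_kp` (and `verification_kp` if SP-signed requests are expected); if the former, drop the resource together with the module's kubectl provider requirement. Either way, document the choice at `signing_kp`, e.g. `# assertions are signed with authentik's default self-signed key pair, shared by every provider on this instance`. `acs_url` also indexes `var.dns-names[0]` without a guard, so an empty list fails at plan time with an index error rather than a clear message; a `validation` block on `dns-names` requiring at least one entry would help.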
@@ -0,0 +1,19 @@
+variable "component" {
+ type = string
+}
+variable "instance" {
+ type = string
+}
+variable "dns-names" {
+ type = list(string)
+}
+variable "acs-path" {
+ type = string
+}
+variable "binding" {
+ type = string
+ default = "post"
+}
+variable "labels" {
+ type = map(string)
+}
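Review bot: `var.namespace` is read by saml.tf in this same commit (the certificate's `metadata.namespace`), but no `namespace` variable is declared here and none of the module's other new files declares one, so Terraform should reject the module with an undeclared-input-variable error. Add `variable "namespace" { type = string }` alongside the others. A `description` on `acs-path` (path relative to the first entry of `dns-names`, no leading slash) and on `binding` (the values authentik's `sp_binding` accepts) would also save the next caller a trip into saml.tf.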