fix

2023-08-08 17:51:34 +02:00
parent 52e91f301b
commit 000830a718
2 changed files with 123 additions and 274 deletions
--- a/share/authentik/index.yaml
+++ b/share/authentik/index.yaml
@@ -6,114 +6,51 @@ metadata:
  name: authentik
  description: authentik is an open-source Identity Provider focused on flexibility and versatility
 options:
-  loglevel:
-    default: info
-    examples:
-    - info
-    type: string
-  admin:
-    default:
-      email: auth-admin
-    examples:
-    - email: auth-admin
-    properties:
-      email:
-        default: auth-admin
-        type: string
-    type: object
-  email:
-    default:
-      port: 587
-      timeout: 30
-      use_ssl: false
-      use_tls: false
-    examples:
-    - port: 587
-      timeout: 30
-      use_ssl: false
-      use_tls: false
-    properties:
-      port:
-        default: 587
-        type: integer
-      timeout:
-        default: 30
-        type: integer
-      use_ssl:
-        default: false
-        type: boolean
-      use_tls:
-        default: false
-        type: boolean
-    type: object
  domain-name:
    default: your_company.com
    examples:
    - your_company.com
    type: string
-  error_reporting:
+  image:
    default:
-      enabled: false
-      environment: k8s
-      send_pii: false
+      project: goauthentik
+      pullPolicy: IfNotPresent
+      registry: ghcr.io
+      repository: goauthentik/server
+      tag: 2023.5.4
    examples:
-    - enabled: false
-      environment: k8s
-      send_pii: false
+    - project: goauthentik
+      pullPolicy: IfNotPresent
+      registry: ghcr.io
+      repository: goauthentik/server
+      tag: 2023.5.4
    properties:
-      enabled:
-        default: false
-        type: boolean
-      environment:
-        default: k8s
+      project:
+        default: goauthentik
+        type: string
+      pullPolicy:
+        default: IfNotPresent
+        type: string
+      registry:
+        default: ghcr.io
+        type: string
+      repository:
+        default: goauthentik/server
+        type: string
+      tag:
+        default: 2023.5.4
        type: string
-      send_pii:
-        default: false
-        type: boolean
    type: object
-  ingress-class:
-    default: traefik
+  sub-domain:
+    default: auth
    examples:
-    - traefik
+    - auth
    type: string
  issuer:
    default: letsencrypt-prod
    examples:
    - letsencrypt-prod
    type: string
-  redis:
-    default:
-      exporter:
-        enabled: true
-        image: quay.io/opstree/redis-exporter:v1.44.0
-      image: quay.io/opstree/redis:v7.0.5
-      storage: 8Gi
-    examples:
-    - exporter:
-        enabled: true
-        image: quay.io/opstree/redis-exporter:v1.44.0
-      image: quay.io/opstree/redis:v7.0.5
-      storage: 8Gi
-    properties:
-      exporter:
-        default:
-          enabled: true
-          image: quay.io/opstree/redis-exporter:v1.44.0
-        properties:
-          enabled:
-            default: true
-            type: boolean
-          image:
-            default: quay.io/opstree/redis-exporter:v1.44.0
-            type: string
-        type: object
-      image:
-        default: quay.io/opstree/redis:v7.0.5
-        type: string
-      storage:
-        default: 8Gi
-        type: string
-    type: object
  postgres:
    default:
      cleanlogs:
@@ -152,51 +89,114 @@ options:
        default: '14'
        type: string
    type: object
-  image:
+  redis:
    default:
-      project: goauthentik
-      pullPolicy: IfNotPresent
-      registry: ghcr.io
-      repository: goauthentik/server
-      tag: 2023.5.4
+      exporter:
+        enabled: true
+        image: quay.io/opstree/redis-exporter:v1.44.0
+      image: quay.io/opstree/redis:v7.0.5
+      storage: 8Gi
    examples:
-    - project: goauthentik
-      pullPolicy: IfNotPresent
-      registry: ghcr.io
-      repository: goauthentik/server
-      tag: 2023.5.4
+    - exporter:
+        enabled: true
+        image: quay.io/opstree/redis-exporter:v1.44.0
+      image: quay.io/opstree/redis:v7.0.5
+      storage: 8Gi
    properties:
-      project:
-        default: goauthentik
+      exporter:
+        default:
+          enabled: true
+          image: quay.io/opstree/redis-exporter:v1.44.0
+        properties:
+          enabled:
+            default: true
+            type: boolean
+          image:
+            default: quay.io/opstree/redis-exporter:v1.44.0
+            type: string
+        type: object
+      image:
+        default: quay.io/opstree/redis:v7.0.5
        type: string
-      pullPolicy:
-        default: IfNotPresent
-        type: string
-      registry:
-        default: ghcr.io
-        type: string
-      repository:
-        default: goauthentik/server
-        type: string
-      tag:
-        default: 2023.5.4
+      storage:
+        default: 8Gi
        type: string
    type: object
-  geoip:
-    default: /geoip/GeoLite2-City.mmdb
-    examples:
-    - /geoip/GeoLite2-City.mmdb
-    type: string
  domain:
    default: your-company
    examples:
    - your-company
    type: string
-  sub-domain:
-    default: auth
+  loglevel:
+    default: info
    examples:
-    - auth
+    - info
    type: string
+  email:
+    default:
+      port: 587
+      timeout: 30
+      use_ssl: false
+      use_tls: false
+    examples:
+    - port: 587
+      timeout: 30
+      use_ssl: false
+      use_tls: false
+    properties:
+      port:
+        default: 587
+        type: integer
+      timeout:
+        default: 30
+        type: integer
+      use_ssl:
+        default: false
+        type: boolean
+      use_tls:
+        default: false
+        type: boolean
+    type: object
+  admin:
+    default:
+      email: auth-admin
+    examples:
+    - email: auth-admin
+    properties:
+      email:
+        default: auth-admin
+        type: string
+    type: object
+  ingress-class:
+    default: traefik
+    examples:
+    - traefik
+    type: string
+  geoip:
+    default: /geoip/GeoLite2-City.mmdb
+    examples:
+    - /geoip/GeoLite2-City.mmdb
+    type: string
+  error_reporting:
+    default:
+      enabled: false
+      environment: k8s
+      send_pii: false
+    examples:
+    - enabled: false
+      environment: k8s
+      send_pii: false
+    properties:
+      enabled:
+        default: false
+        type: boolean
+      environment:
+        default: k8s
+        type: string
+      send_pii:
+        default: false
+        type: boolean
+    type: object
 dependencies:
 - dist: null
  category: core
--- a/share/authentik/postgresql.tf
+++ b/share/authentik/postgresql.tf
@@ -5,137 +5,6 @@ locals {
  pool-labels = merge(local.common-labels, {
    "app.kubernetes.io/component" = "pg-pool"
  })
-  postgres-labels = merge(local.common-labels, {
-    "app.kubernetes.io/component" = "postgresql"
-  })
-}
-resource "kubectl_manifest" "authentik_postgresql" {
-  yaml_body  = <<-EOF
-    apiVersion: "acid.zalan.do/v1"
-    kind: "postgresql"
-    metadata:
-      name: "${var.instance}-${var.component}"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.postgres-labels)}
-    spec:
-      databases:
-        ${var.component}: "${var.component}"
-      numberOfInstances: ${var.postgres.replicas}
-      podAnnotations:
-        "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
-        "k8up.io/file-extension": ".sql"
-      postgresql:
-        version: "${var.postgres.version}"
-      teamId: "${var.instance}"
-      users:
-        ${var.component}:
-          - "superuser"
-          - "createdb"
-      volume:
-        size: "${var.postgres.storage}"
-  EOF
-}
-
-// Since each authentik worker create a new connection to the DB
-// lots of logs are created mesuring in GBs of junk
-// So a dayly cleanup make sense
-resource "kubectl_manifest" "authentik_cleanup_logs_script" {
-  yaml_body  = <<-EOF
-    apiVersion: v1
-    kind: ConfigMap
-    metadata:
-      name: "${var.instance}-${var.component}-cleanlogs"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.common-labels)}
-    data:
-      "clean.sh": |-
-        #!/bin/ash
-        grep log /pgdata/pgroot/data/postgresql.conf|grep conn
-        echo "$(date '+%T') - Enforcing configuration"
-        sed -i "s/^log_connections.*/log_connections = 'off'/;s/^log_disconnections.*/log_disconnections = 'off'/" /pgdata/pgroot/data/postgresql.conf
-        grep log /pgdata/pgroot/data/postgresql.conf|grep conn
-        for i in /pgdata/pgroot/pg_log/*csv;do echo "$(date '+%T') - Cleaning $i";sed -i '/connection/d' "$i";done
-        df -h /pgdata/pgroot
-  EOF
-}
-resource "kubectl_manifest" "authentik_cleanup_logs_job" {
-  yaml_body  = <<-EOF
-    apiVersion: batch/v1
-    kind: CronJob
-    metadata:
-      name: "${var.instance}-${var.component}-cleanlogs"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.common-labels)}
-    spec:
-      concurrencyPolicy: Forbid
-      failedJobsHistoryLimit: 1
-      jobTemplate:
-        spec:
-          template:
-            spec:
-              restartPolicy: OnFailure
-              containers:
-              - image: "${var.postgres.cleanlogs.image}"
-                imagePullPolicy: IfNotPresent
-                name: cleanlogs
-                command: ["/bin/ash"]
-                args: ["/script/clean.sh"]
-                volumeMounts:
-                - mountPath: /pgdata
-                  name: pgdata
-                - mountPath: /script
-                  name: script
-              securityContext:
-                fsGroup: 100
-                runAsGroup: 100
-                runAsUser: 101
-              volumes:
-              - name: script
-                configMap:
-                  name: ${kubectl_manifest.authentik_cleanup_logs_script.name}
-              - name: pgdata
-                persistentVolumeClaim:
-                  claimName: pgdata-${var.instance}-${var.component}-0
-      schedule: "${var.postgres.cleanlogs.schedule}"
-      successfulJobsHistoryLimit: 3
-  EOF
-}
-
-resource "kubectl_manifest" "prj_pre_migrate_pg" {
-  yaml_body  = <<-EOF
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "${var.instance}-remove-zalando-extensions"
-  namespace: "${var.namespace}"
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      containers:
-      - name: clean
-        image: docker.io/postgres:15.3-bookworm
-        imagePullPolicy: IfNotPresent
-        env:
-        - name: USERNAME
-          valueFrom:
-            secretKeyRef:
-              key:  username
-              name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do
-        - name: PASSWORD
-          valueFrom:
-            secretKeyRef:
-              key:  password
-              name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do
-        - name: DBURL
-          value: "${var.instance}-${var.component}"
-        - name: DBNAME
-          value: "${var.component}"
-        command:
-        - /bin/bash
-        - "-c"
-        - "echo -ne 'drop view if exists metric_helpers.pg_stat_statements;\ndrop function if exists metric_helpers.pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_kcache;\nDROP EXTENSION IF EXISTS set_user;\n'| PGPASSWORD=\"$PASSWORD\" psql -U $USERNAME -d $DBNAME -h $DBURL"
-  EOF
 }

 resource "kubectl_manifest" "prj_pg" {
@@ -151,26 +20,6 @@ resource "kubectl_manifest" "prj_pg" {
      instances: ${var.postgres.replicas}
      storage:
        size: "${var.postgres.storage}"
-      bootstrap:
-        initdb:
-          database: ${var.component}
-          owner: ${var.component}
-          import:
-            type: microservice
-            databases:
-            - ${var.component}
-            source:
-              externalCluster: "${var.instance}-${var.component}"
-      externalClusters:
-        - name: "${var.instance}-${var.component}"
-          connectionParameters:
-            host: "${var.instance}-${var.component}"
-            user: postgres
-            dbname: postgres
-            sslmode: require
-          password:
-            name: "postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do"
-            key: password
  EOF
 }