first commit

apps/gitea/ldap.tf

@@ -0,0 +1,149 @@
+
+locals {
+  base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name))))
+  base-group-dn = format("ou=groups,%s", local.base-dn)
+  base-user-dn = format("ou=users,%s", local.base-dn)
+  authentik-token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
+  request_headers = {
+    "Content-Type"  = "application/json"
+    Authorization   = "Bearer ${local.authentik-token}"
+  }
+  ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
+  ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
+}
+resource "kubectl_manifest" "gitea_ldap" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${var.component}-ldap"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.common-labels)}
+    spec:
+      forceRegenerate: false
+      data:
+        bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
+        user-search-base: "${local.base-user-dn}"
+        user-filter: "(&(|(memberof=cn=gitea_admin,${local.base-group-dn})(memberof=cn=gitea_users,${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
+        admin-filter: "(memberof=cn=gitea_admin,${local.base-group-dn})"
+        endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
+      fields:
+      - fieldName: "bindPassword"
+        length: "32"
+  EOF
+}
+data "kubernetes_secret_v1" "gitea_ldap_password" {
+  depends_on = [kubectl_manifest.gitea_ldap]
+  metadata {
+    name = kubectl_manifest.gitea_ldap.name
+    namespace = var.namespace
+  }
+}
+
+resource "authentik_user" "gitea_ldapsearch" {
+  username = "${var.component}-ldapsearch"
+  name     = "${var.component}-ldapsearch"
+}
+
+resource "authentik_group" "gitea_ldapsearch" {
+  name         = "${var.component}-ldapsearch"
+  users        = [authentik_user.gitea_ldapsearch.id]
+  is_superuser = true
+}
+
+
+data "http" "gitea_ldapsearch_password" {
+  url    = "http://authentik.${var.domain}-auth.svc/api/v3/core/users/${authentik_user.gitea_ldapsearch.id}/set_password/"
+  method = "POST"
+  request_headers = local.request_headers
+  request_body = jsonencode({password=data.kubernetes_secret_v1.gitea_ldap_password.data["bindPassword"]})
+  lifecycle {
+    postcondition {
+      condition     = contains([201, 204], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+data "authentik_flow" "ldap-authentication-flow" {
+  depends_on = [authentik_user.gitea_ldapsearch] # fake dependency so it is not evaluated at plan stage
+  slug       = "ldap-authentication-flow"
+}
+
+resource "authentik_provider_ldap" "gitea_provider_ldap" {
+  name         = "gitea-ldap-provider"
+  base_dn      = local.base-dn
+  search_group = authentik_group.gitea_ldapsearch.id
+  bind_flow    = data.authentik_flow.ldap-authentication-flow.id
+}
+
+resource "authentik_application" "gitea_application" {
+  name              = "gitea"
+  slug              = "gitea"
+  protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
+  meta_launch_url   = format("https://%s.%s", var.sub-domain, var.domain-name)
+  meta_icon         = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
+}
+
+resource "authentik_group" "gitea_users" {
+  name         = "gitea_users"
+}
+
+data "authentik_group" "vynil-admin" {
+  depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
+  name = "vynil-ldap-admins"
+}
+
+resource "authentik_group" "gitea_admin" {
+  name         = "gitea_admin"
+  parent       = authentik_group.gitea_users.id
+}
+
+resource "authentik_policy_binding" "gitea_access_users" {
+  target = authentik_application.gitea_application.uuid
+  group  = authentik_group.gitea_users.id
+  order  = 0
+}
+resource "authentik_policy_binding" "gitea_access_vynil" {
+  target = authentik_application.gitea_application.uuid
+  group  = data.authentik_group.vynil-admin.id
+  order  = 1
+}
+resource "authentik_policy_binding" "gitea_access_ldap" {
+  target = authentik_application.gitea_application.uuid
+  group  = authentik_group.gitea_ldapsearch.id
+  order  = 2
+}
+
+data "http" "get_ldap_outpost" {
+  depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
+  url    = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=ldap"
+  method = "GET"
+  request_headers = local.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+provider "restapi" {
+  uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
+  headers = local.request_headers
+  create_method = "PATCH"
+  update_method = "PATCH"
+  destroy_method = "PATCH"
+  write_returns_object = true
+  id_attribute = "name"
+}
+
+resource "restapi_object" "ldap_outpost_binding" {
+  path = "/outposts/instances/${local.ldap-outpost-pk}/"
+  data = jsonencode({
+    name = "ldap"
+    providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
+  })
+}
+