vynil/domain
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2024-05-29 17:16:33 +02:00
parent 3dfe5b4a69
commit 2c671da3f8
11 changed files with 113 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
apps/dbgate/configs.tf
View File

@@ -1,5 +1,6 @@
locals {
pg_vars = merge([for pg in var.pg: {
pg = concat(var.pg, var.detected.pgs)
pg_vars = merge([for pg in local.pg: {
join("_",["LABEL_pg", pg.namespace, pg.name, pg.dbname]) = join(" | ",[pg.namespace, pg.name, pg.dbname])
join("_",["ENGINE_pg", pg.namespace, pg.name, pg.dbname]) = "postgres@dbgate-plugin-postgres"
join("_",["SERVER_pg", pg.namespace, pg.name, pg.dbname]) = join(".",["${pg.name}-rw", pg.namespace, "svc"])
@@ -7,45 +8,48 @@ locals {
join("_",["DATABASE_pg", pg.namespace, pg.name, pg.dbname]) = pg.dbname
join("_",["USER_pg", pg.namespace, pg.name, pg.dbname]) = pg.username
}]...)
pg_secrets = merge([for index, pg in var.pg: {
pg_secrets = merge([for index, pg in local.pg: {
join("_",["PASSWORD_pg", pg.namespace, pg.name, pg.dbname]) = lookup(coalesce(data.kubernetes_secret_v1.pgs[index].data,{}),lookup(pg.secret,"key", "password"), "not-found")
}]...)
pg_conns = [for pg in var.pg: join("_",["pg", pg.namespace, pg.name, pg.dbname])]
pg_conns = [for pg in local.pg: join("_",["pg", pg.namespace, pg.name, pg.dbname])]
maria_vars = merge([for m in var.maria: {
join("_",["LABEL_maria", m.namespace, m.name]) = join(" | ",[m.namespace, m.name])
join("_",["ENGINE_maria", m.namespace, m.name]) = "mysql@dbgate-plugin-mysql"
join("_",["SERVER_maria", m.namespace, m.name]) = join(".",["${m.name}-svc", m.namespace, "svc"])
join("_",["PORT_maria", m.namespace, m.name]) = "3306"
join("_",["DATABASE_maria", m.namespace, m.name]) = m.dbname
join("_",["USER_maria", m.namespace, m.name]) = m.username
ndb = concat(var.ndb, var.detected.ndbs)
ndb_vars = merge([for m in local.ndb: {
join("_",["LABEL_ndb", m.namespace, m.name]) = join(" | ",[m.namespace, m.name])
join("_",["ENGINE_ndb", m.namespace, m.name]) = "mysql@dbgate-plugin-mysql"
join("_",["SERVER_ndb", m.namespace, m.name]) = join(".",["${m.name}-svc", m.namespace, "svc"])
join("_",["PORT_ndb", m.namespace, m.name]) = "3306"
join("_",["DATABASE_ndb", m.namespace, m.name]) = m.dbname
join("_",["USER_ndb", m.namespace, m.name]) = m.username
}]...)
maria_secrets = merge([for index, m in var.maria: {
join("_",["PASSWORD_maria", m.namespace, m.name]) = "unimplemented"
ndb_secrets = merge([for index, m in local.ndb: {
join("_",["PASSWORD_ndb", m.namespace, m.name]) = lookup(coalesce(data.kubernetes_secret_v1.ndbs[index].data,{}),lookup(m.secret,"key", "password"), "not-found")
}]...)
maria_conns = [for m in var.maria: join("_",["maria", m.namespace, m.name])]
ndb_conns = [for m in local.ndb: join("_",["ndb", m.namespace, m.name])]
redis_vars = merge([for m in var.redis: {
redis = concat(var.redis, var.detected.rediss)
redis_vars = merge([for m in local.redis: {
join("_",["LABEL_redis", m.namespace, m.name]) = join(" | ",[m.namespace, m.name])
join("_",["ENGINE_redis", m.namespace, m.name]) = "redis@dbgate-plugin-redis"
join("_",["SERVER_redis", m.namespace, m.name]) = join(".",[m.name, m.namespace, "svc"])
join("_",["PORT_redis", m.namespace, m.name]) = "6379"
}]...)
redis-privs = [for m in var.redis: merge({secret = lookup(m,"secret",{})},m) if contains(keys(m),"secret")]
redis-privs = [for m in local.redis: merge({secret = lookup(m,"secret",{})},m) if contains(keys(m),"secret")]
redis_secrets = merge([for index, m in local.redis-privs: {
join("_",["PASSWORD_redis", m.namespace, m.name]) = data.kubernetes_secret_v1.redis[index].data[lookup(m.secret,"key", "password")]
}]...)
redis_conns = [for m in var.redis: join("_",["redis", m.namespace, m.name])]
redis_conns = [for m in local.redis: join("_",["redis", m.namespace, m.name])]
mongo_vars = merge([for m in var.mongo: {
mongo = concat(var.mongo, var.detected.mongos)
mongo_vars = merge([for m in local.mongo: {
join("_",["LABEL_mongo", m.namespace, m.name]) = join(" | ",[m.namespace, m.name])
join("_",["ENGINE_mongo", m.namespace, m.name]) = "mongo@dbgate-plugin-mongo"
join("_",["DATABASE_mongo", m.namespace, m.name]) = m.dbname
}]...)
mongo_secrets = merge([for index, m in var.mongo: {
mongo_secrets = merge([for index, m in local.mongo: {
join("_",["URL_mongo", m.namespace, m.name]) = "mongodb://${m.username}:${urlencode(data.kubernetes_secret_v1.mongos[index].data[m.secret.key])}@${join(".",["${m.name}-svc", m.namespace, "svc"])}:27017/${m.dbname}"
}]...)
mongo_conns = [for m in var.mongo: join("_",["mongo", m.namespace, m.name])]
mongo_conns = [for m in local.mongo: join("_",["mongo", m.namespace, m.name])]
oauth_config = {
"OAUTH_AUTH" = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
"OAUTH_TOKEN" = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
@@ -54,8 +58,8 @@ locals {
"OAUTH_SCOPE" = "email"
"NODE_EXTRA_CA_CERTS" = "/etc/local-ca/ca.crt"
}
connections = join(",", concat(local.pg_conns, local.maria_conns, local.mongo_conns, local.redis_conns))
connection_vars = merge(local.pg_vars, local.maria_vars, local.mongo_vars, local.redis_vars)
connections = join(",", concat(local.pg_conns, local.ndb_conns, local.mongo_conns, local.redis_conns))
connection_vars = merge(local.pg_vars, local.ndb_vars, local.mongo_vars, local.redis_vars)
connection_secrets = merge(local.pg_secrets, local.mongo_secrets, local.redis_secrets)
}
@@ -81,18 +85,26 @@ resource "kubernetes_secret_v1" "dbgate-config-secret" {
data "kubernetes_secret_v1" "pgs" {
count = length(var.pg)
count = length(local.pg)
metadata {
name = "${var.pg[count.index].secret.name}"
namespace = "${var.pg[count.index].namespace}"
name = "${local.pg[count.index].secret.name}"
namespace = "${local.pg[count.index].namespace}"
}
}
data "kubernetes_secret_v1" "ndbs" {
count = length(local.ndb)
metadata {
name = "${local.ndb[count.index].secret.name}"
namespace = "${local.ndb[count.index].namespace}"
}
}
data "kubernetes_secret_v1" "mongos" {
count = length(var.mongo)
count = length(local.mongo)
metadata {
name = "${var.mongo[count.index].secret.name}"
namespace = "${var.mongo[count.index].namespace}"
name = "${local.mongo[count.index].secret.name}"
namespace = "${local.mongo[count.index].namespace}"
}
}
data "kubernetes_secret_v1" "redis" {

10
apps/dbgate/index.yaml
View File

@@ -12,9 +12,9 @@ options:
- dev
type: string
domain:
default: media
default: your-company
examples:
- media
- your-company
type: string
domain_name:
default: your_company.com
@@ -70,7 +70,7 @@ options:
examples:
- letsencrypt-prod
type: string
maria:
mongo:
default: []
examples:
- []
@@ -99,7 +99,7 @@ options:
type: string
type: object
type: array
mongo:
ndb:
default: []
examples:
- []
@@ -238,4 +238,4 @@ providers:
restapi: null
http: null
gitea: null
tfaddtype: null
tfaddtype: true

51
apps/dbgate/template.rhai
View File

@@ -1,16 +1,16 @@
const DEST=dest;
const DOMAIN = config.domain;
fn post_template() {
let nss = list_namespace().items.filter(|ns| ns.metadata.name.starts_with(global::DOMAIN)).map(|ns| ns.metadata.name);
let nss = list_namespace().items.filter(|ns| ns.metadata.name.starts_with(`${global::DOMAIN}-`)).map(|ns| ns.metadata.name);
let pgs = [];
let rediss = [];
let mongos = [];
let marias = [];
let ndbs = [];
for ns in nss {
let svcs = list_service(ns).items;
let secrets = list_secret(ns).items;
for svc in svcs {
if svc.metadata.name.ends_with("-pg-rw") {
if svc.metadata.name.ends_with("-pg-rw") && svc.spec.ports.some(|p| p.port==5432) {
let basename = svc.metadata.name-"-pg-rw";
let pg_secrets = secrets.filter(|s| s.metadata.name == `${basename}-pg-app`);
if pg_secrets.len>0 && basename.split("-").len>1 {
@@ -29,7 +29,7 @@ fn post_template() {
};
}
}
if svc.metadata.name.ends_with("-mongo-svc") {
if svc.metadata.name.ends_with("-mongo-svc") && svc.spec.ports.some(|p| p.port == 27017) {
let basename = svc.metadata.name-"-mongo-svc";
let mongo_secrets = secrets.filter(|s| s.metadata.name == `${basename}-mongo`);
if mongo_secrets.len>0 && basename.split("-").len>1 {
@@ -48,12 +48,53 @@ fn post_template() {
};
}
}
if svc.metadata.name.ends_with("-mysqld") && svc.spec.ports.some(|p| p.port == 3306) {
let basename = svc.metadata.name-"-mysqld";
let ndb_secrets = secrets.filter(|s| s.metadata.name == `${basename}-mysql-app`);
if ndb_secrets.len>0 && basename.split("-").len>1 {
let tmp = (basename-"-dataset").split("-");
let comp = tmp[tmp.len-1];
log_info(`Found a Mysql(NDB) database ${svc.metadata.namespace} ${basename}`);
ndbs += #{
name: svc.metadata.name,
dbname: comp,
username: comp,
namespace: svc.metadata.namespace,
secret: #{
name: `${basename}-mysql-app`,
key: "password"
}
};
}
}
if svc.metadata.name.ends_with("-redis") && svc.spec.ports.some(|p| p.port == 6379) {
let basename = svc.metadata.name-"-redis";
let ndb_secrets = secrets.filter(|s| s.metadata.name == `${basename}-mysql-app`);
let tmp = (basename-"-dataset").split("-");
let comp = tmp[tmp.len-1];
log_info(`Found a Redis database ${svc.metadata.namespace} ${basename}`);
if comp == "authentik" {
rediss += #{
name: svc.metadata.name,
namespace: svc.metadata.namespace,
secret: #{
name: comp,
key: "AUTHENTIK_REDIS__PASSWORD"
}
};
} else {
rediss += #{
name: svc.metadata.name,
namespace: svc.metadata.namespace
};
}
}
}
}
save_to_tf(`${global::DEST}/detected.tf`, "detected", #{
pgs: pgs,
mongos: mongos,
rediss: rediss,
marias: marias
ndbs: ndbs
});
}

2
apps/gramo/index.yaml
View File

@@ -103,4 +103,4 @@ providers:
restapi: true
http: true
gitea: null
tfaddtype: null
tfaddtype: true

2
apps/gramo/rbac.tf
View File

@@ -1,5 +1,5 @@
locals {
sorted-namespaces = reverse(distinct(sort(var.namespaces)))
sorted-namespaces = reverse(distinct(sort(concat(var.namespaces,var.detected.namespaces))))
}
resource "kubectl_manifest" "gramo_sa" {
yaml_body = <<-EOF

7
apps/gramo/template.rhai Normal file
View File

@@ -0,0 +1,7 @@
const DEST=dest;
const DOMAIN = config.domain;
fn post_template() {
save_to_tf(`${global::DEST}/detected.tf`, "detected", #{
namespaces: list_namespace().items.filter(|ns| ns.metadata.name.starts_with(`${global::DOMAIN}-`)).map(|ns| ns.metadata.name)+[global::DOMAIN]
});
}

2
apps/okd/index.yaml
View File

@@ -103,4 +103,4 @@ providers:
restapi: true
http: true
gitea: null
tfaddtype: null
tfaddtype: true

2
apps/okd/rbac.tf
View File

@@ -1,5 +1,5 @@
locals {
sorted-namespaces = reverse(distinct(sort(var.namespaces)))
sorted-namespaces = reverse(distinct(sort(concat(var.namespaces,var.detected.namespaces))))
}
resource "kubectl_manifest" "okd_sa" {
yaml_body = <<-EOF

7
apps/okd/template.rhai Normal file
View File

@@ -0,0 +1,7 @@
const DEST=dest;
const DOMAIN = config.domain;
fn post_template() {
save_to_tf(`${global::DEST}/detected.tf`, "detected", #{
namespaces: list_namespace().items.filter(|ns| ns.metadata.name.starts_with(`${global::DOMAIN}-`)).map(|ns| ns.metadata.name)+[global::DOMAIN]
});
}

134
meta/domain-devspaces/apps.tf
View File

@@ -49,147 +49,19 @@ locals {
"domain_name" = "devtools.${var.domain_name}"
"app_group" = "dev"
})
okd = merge(local.global-apps,{
"namespaces" = concat([
for station in local.sorted-station-names: "${var.domain}-devspaces-${station}"
],flatten([
for org in local.sorted-organisations:[
for stage in reverse(distinct(sort([for s in lookup(org, "stages", []): s.name]))): "${var.domain}-org-${org.name}-${stage}"
]
])
)
}, { for k, v in var.apps.okd : k => v if !contains(["enable","storage","backups"],k) },{
okd = merge(local.global-apps, { for k, v in var.apps.okd : k => v if !contains(["enable","storage","backups"],k) },{
backups = merge(local.global-backups, lookup(var.apps.okd, "backups", {}))
storage = merge({ for k, v in lookup(var.apps.okd, "storage", {}) : k => v if !contains(["volume"],k) }, {
volume = merge(local.global-volume, lookup(lookup(var.apps.okd, "storage", {}), "volume", {}))
})
})
gramo = merge(local.global-apps, {
"namespaces" = concat([
for station in local.sorted-station-names: "${var.domain}-devspaces-${station}"
],flatten([
for org in local.sorted-organisations:[
for stage in reverse(distinct(sort([for s in lookup(org, "stages", []): s.name]))): "${var.domain}-org-${org.name}-${stage}"
]
])
)
}, { for k, v in var.apps.gramo : k => v if !contains(["enable","storage","backups"],k) },{
gramo = merge(local.global-apps, { for k, v in var.apps.gramo : k => v if !contains(["enable","storage","backups"],k) },{
backups = merge(local.global-backups, lookup(var.apps.gramo, "backups", {}))
storage = merge({ for k, v in lookup(var.apps.gramo, "storage", {}) : k => v if !contains(["volume"],k) }, {
volume = merge(local.global-volume, lookup(lookup(var.apps.gramo, "storage", {}), "volume", {}))
})
})
dbgate = merge(local.global-apps, {
"namespaces" = concat([
for station in local.sorted-station-names: "${var.domain}-devspaces-${station}"
],flatten([
for org in local.sorted-organisations:[
for stage in reverse(distinct(sort([for s in lookup(org, "stages", []): s.name]))): "${var.domain}-org-${org.name}-${stage}"
]
])
)
}, {
"pg" = concat(
flatten([for ds in local.sorted-datasets: [for db in lookup(ds, "databases", []): {
"name" = "${ds.name}-dataset-pg"
"namespace" = ds.namespace
"dbname" = db.name
"username" = db.name
"secret" = {
"name" = "${ds.name}-dataset-pg-${db.name}"
"key" = "POSGRESQL_PASSWORD"
}
}] if ds.engine=="pg"]),
flatten([for ds in local.sorted-datasets: {
"name" = "${ds.name}-dataset-pg"
"namespace" = ds.namespace
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-pg-app"
"key" = "password"
}
} if ds.engine=="pg"]),
flatten([for org in local.sorted-organisations: flatten([for stage in lookup(org, "stages", []): flatten([for ds in org.datasets: [for db in lookup(ds, "databases", []):{
"name" = "${ds.name}-dataset-pg"
"namespace" = "${var.domain}-org-${org.name}-${stage.name}"
"dbname" = db.name
"username" = db.name
"secret" = {
"name" = "${ds.name}-dataset-pg-${db.name}"
"key" = "POSGRESQL_PASSWORD"
}
}] if ds.engine=="pg"])])]),
flatten([for org in local.sorted-organisations: flatten([for stage in lookup(org, "stages", []): flatten([for ds in org.datasets: {
"name" = "${ds.name}-dataset-pg"
"namespace" = "${var.domain}-org-${org.name}-${stage.name}"
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-pg-app"
"key" = "password"
}
} if ds.engine=="pg"])])]),
var.external-pgs
)
"maria" = concat(
flatten([for ds in local.sorted-datasets: {
"name" = "${ds.name}-dataset-maria"
"namespace" = ds.namespace
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-maria"
"key" = "password"
}
} if ds.engine=="maria"]),
flatten([for org in local.sorted-organisations: flatten([for stage in lookup(org, "stages", []): [for ds in org.datasets: {
"name" = "${ds.name}-dataset-maria"
"namespace" = "${var.domain}-org-${org.name}-${stage.name}"
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-maria"
"key" = "password"
}
} if ds.engine=="maria"]])]),
var.external-marias
)
"mongo" = concat(
flatten([for ds in local.sorted-datasets: {
"name" = "${ds.name}-dataset-mongo"
"namespace" = ds.namespace
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-mongo"
"key" = "password"
}
} if ds.engine=="mongo"]),
flatten([for org in local.sorted-organisations: flatten([for stage in lookup(org, "stages", []): [for ds in org.datasets: {
"name" = "${ds.name}-dataset-mongo"
"namespace" = "${var.domain}-org-${org.name}-${stage.name}"
"dbname" = ds.name
"username" = ds.name
"secret" = {
"name" = "${ds.name}-dataset-mongo"
"key" = "password"
}
} if ds.engine=="mongo"]])]),
var.external-mongos
)
"redis" = concat(
flatten([for ds in local.sorted-datasets: {
"name" = "${ds.name}-dataset-redis"
"namespace" = ds.namespace
} if ds.engine=="mongo"]),
flatten([for org in local.sorted-organisations: flatten([for stage in lookup(org, "stages", []): [for ds in org.datasets: {
"name" = "${ds.name}-dataset-redis"
"namespace" = "${var.domain}-org-${org.name}-${stage.name}"
} if ds.engine=="mongo"]])]),
var.external-redis
)
}, { for k, v in var.apps.dbgate : k => v if !contains(["enable","storage","backups"],k) },{
dbgate = merge(local.global-apps, { for k, v in var.apps.dbgate : k => v if !contains(["enable","storage","backups"],k) },{
backups = merge(local.global-backups, lookup(var.apps.dbgate, "backups", {}))
storage = merge({ for k, v in lookup(var.apps.dbgate, "storage", {}) : k => v if !contains(["volume"],k) }, {
volume = merge(local.global-volume, lookup(lookup(var.apps.dbgate, "storage", {}), "volume", {}))

71
meta/domain/installs.tf
View File

@@ -71,7 +71,7 @@ locals {
})
# Force install authentik and it's modules when any are needed
use-ldap = (var.ci.enable && var.ci.gitea.enable) || (var.erp.enable && var.erp.dolibarr.enable)
use-ldap = var.erp.enable && var.erp.dolibarr.enable
use-forward = var.infra.enable && var.infra.traefik.enable
use-other-auth = false
added-auth-ldap = local.use-ldap?{
@@ -100,73 +100,6 @@ locals {
"divisions" = []
}
}
devspaces-custom = {
external-pgs = concat(var.erp.enable&&var.erp.dolibarr.enable?[{
"name" = "dolibarr-dolibarr-pg"
"dbname" = "dolibarr"
"username" = "dolibarr"
"namespace" = "${var.namespace}-erp"
"secret" = {
"name" = "dolibarr-dolibarr-pg-app"
"key" = "password"
}
}]:[], var.apps.enable&&var.apps.nextcloud.enable?[{
"name" = "nextcloud-nextcloud-pg"
"dbname" = "nextcloud"
"username" = "nextcloud"
"namespace" = "${var.namespace}-files"
"secret" = {
"name" = "nextcloud-nextcloud-pg-app"
"key" = "password"
}
}]:[], var.auth.enable&&lookup(lookup(merge(var.auth,local.added-auth), "authentik",{}),"enable",false)?[{
"name" = "authentik-authentik-pg"
"dbname" = "authentik"
"username" = "authentik"
"namespace" = "${var.namespace}-auth"
"secret" = {
"name" = "authentik-authentik-pg-app"
"key" = "password"
}
}]:[], var.ci.enable&&var.ci.gitea.enable?[{
"name" = "gitea-gitea-pg"
"dbname" = "gitea"
"username" = "gitea"
"namespace" = "${var.namespace}-ci"
"secret" = {
"name" = "gitea-gitea-pg-app"
"key" = "password"
}
}]:[], lookup(var.devspaces, "external-pgs", []))
external-mongos = concat(var.mail.enable&&var.mail.wildduck.enable?[{
"name" = "wildduck-wildduck-mongo"
"dbname" = "wildduck"
"username" = "wildduck"
"namespace" = "${var.namespace}-mail"
"secret" = {
"name" = "wildduck-wildduck-mongo"
"key" = "password"
}
}]:[], lookup(var.devspaces, "external-mongos", []))
external-redis = concat(var.mail.enable&&var.mail.wildduck.enable?[{
"name" = "wildduck-wildduck-redis"
"namespace" = "${var.namespace}-mail"
}]:[], var.auth.enable&&lookup(lookup(merge(var.auth,local.added-auth), "authentik",{}),"enable",false)?[{
"name" = "authentik-authentik-redis"
"namespace" = "${var.namespace}-auth"
"secret" = {
"name" = "authentik"
"key" = "AUTHENTIK_REDIS__PASSWORD"
}
}]:[], var.erp.enable&&var.erp.dolibarr.enable?[{
"name" = "dolibarr-dolibarr-redis"
"namespace" = "${var.namespace}-erp"
}]:[], var.apps.enable&&var.apps.nextcloud.enable?[{
"name" = "nextcloud-nextcloud-redis"
"namespace" = "${var.namespace}-files"
}]:[], lookup(var.devspaces, "external-redis", []))
"haveGitea" = var.ci.enable && var.ci.gitea.enable
}
}
resource "kubectl_manifest" "auth" {
@@ -294,6 +227,6 @@ resource "kubectl_manifest" "devspaces" {
distrib: "${var.distributions.domain}"
category: "meta"
component: "domain-devspaces"
options: ${jsonencode(merge(local.devspaces, local.devspaces-custom))}
options: ${jsonencode(local.devspaces)}
EOF
}