diff --git a/share/organisation/gitea-user.tf b/share/organisation/gitea-user.tf
new file mode 100644
index 0000000..8383fad
--- /dev/null
+++ b/share/organisation/gitea-user.tf
@@ -0,0 +1,118 @@
+locals {
+ needUser = length(local.sorted-stages)>0 && var.haveGitea
+}
+
+data "kubernetes_secret_v1" "gitea" {
+ metadata {
+ name = "gitea-admin-user"
+ namespace = "${var.domain}-ci"
+ }
+}
+
+data "kubernetes_ingress_v1" "gitea" {
+ metadata {
+ name = "gitea"
+ namespace = "${var.domain}-ci"
+ }
+}
+
+data "kubernetes_service" "gitea-ssh" {
+ metadata {
+ name = "gitea-ssh"
+ namespace = "${var.domain}-ci"
+ }
+}
+
+resource "null_resource" "get_known" {
+ count = local.needUser?1:0
+ triggers = { always_run = "${timestamp()}" }
+ provisioner "local-exec" {
+ command = "ssh-keyscan -p ${data.kubernetes_service.gitea-ssh.spec.0.port.0.port} ${data.kubernetes_ingress_v1.gitea.spec[0].rule[0].host} > ${path.module}/known_host.txt"
+ }
+}
+
+data "local_file" "known_host" {
+ count = local.needUser?1:0
+ filename = "${path.module}/known_host.txt"
+ depends_on = ["null_resource.get_known"]
+}
+
+resource "kubectl_manifest" "ssh-creds" {
+ depends_on = [kubernetes_namespace_v1.ns]
+ count = local.needUser?length(local.sorted-stages):0
+ yaml_body = <<-EOF
+ apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+ kind: "SSHKeyPair"
+ metadata:
+ name: "ssh-credentials"
+ namespace: "${local.sorted-stages[count.index].namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ spec:
+ length: "40"
+ forceRegenerate: false
+ data:
+ known_hosts: "${data.local_file.known_host[0].content}"
+ EOF
+}
+
+data "kubernetes_secret_v1" "ssh-creds-read" {
+ depends_on = [kubectl_manifest.ssh-creds]
+ count = local.needUser?length(local.sorted-stages):0
+ metadata {
+ name = "ssh-credentials"
+ namespace = "${local.sorted-stages[count.index].namespace}"
+ }
+}
+
+resource "random_password" "password" {
+ length = 16
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "gitea_user" "user-ci" {
+ count = local.needUser?1:0
+ username = "${var.instance}-ci"
+ login_name = "${var.instance}-ci"
+ password = random_password.password.result
+ email = "${var.instance}-ci@${var.domain-name}"
+ must_change_password = true
+}
+
+resource "gitea_public_key" "user-ci-keys" {
+ count = local.needUser?length(local.sorted-stages):0
+ title = "Stage ${local.sorted-stages[count.index].name} for organisation ${var.instance}"
+ username = gitea_user.user-ci[0].username
+ key = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-publickey"]
+}
+
+resource "gitea_org" "orga" {
+ count = var.haveGitea?1:0
+ name = "${var.instance}"
+}
+
+resource "gitea_repository" "deploy" {
+ count = local.needUser?1:0
+ username = gitea_org.orga[0].name
+ name = "deploy"
+ private = true
+}
+
+resource "gitea_team" "ci-team" {
+ count = local.needUser?1:0
+ name = "Automation"
+ organisation = gitea_org.orga[0].name
+ description = "Automation"
+ permission = "write"
+ members = [gitea_user.user-ci[0].username]
+ include_all_repositories = false
+ repositories = [gitea_repository.deploy[0].name]
+}
+
+resource "gitea_team" "dev-team" {
+ count = var.haveGitea?1:0
+ name = "Devs"
+ organisation = gitea_org.orga[0].name
+ description = "Dev Team"
+ permission = "write"
+}
diff --git a/share/organisation/index.yaml b/share/organisation/index.yaml
index e4c3827..3b2370d 100644
--- a/share/organisation/index.yaml
+++ b/share/organisation/index.yaml
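Review bot: The `known_hosts` value in the ssh-creds manifest is interpolated raw into a double-quoted YAML scalar, but `ssh-keyscan` typically emits one line per key type and YAML folds the line breaks of a double-quoted scalar into spaces, so everything after the first key degrades into a trailing comment of the first entry; encoding it the way `labels` already is keeps the newlines intact: `known_hosts: ${jsonencode(data.local_file.known_host[0].content)}`. The keyscan command also writes the file even when no key came back, which then becomes an empty pinned host list rather than an apply failure, so make the provisioner fail on empty output: `command = "ssh-keyscan -p … > ${path.module}/known_host.txt && test -s ${path.module}/known_host.txt"`. Since the `always_run` trigger re-scans on every apply, the host key is trusted on first contact each time and the scan result becomes the pinned trust anchor for every stage, which deserves a comment on `get_known` recording that trust decision (and that `random_password.password.result` lands in state, so state must be treated as secret). Finally, `depends_on = ["null_resource.get_known"]` uses the legacy quoted form while `ssh-creds` uses a bare reference; `depends_on = [null_resource.get_known]` keeps the two consistent.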
@@ -6,36 +6,11 @@ metadata:
 name: organisation
 description: null
 options:
- distributions:
- default:
- core: core
- domain: domain
- examples:
- - core: core
- domain: domain
- properties:
- core:
- default: core
- type: string
- domain:
- default: domain
- type: string
- type: object
- issuer:
- default: letsencrypt-prod
- examples:
- - letsencrypt-prod
- type: string
 haveGitea:
 default: false
 examples:
 - false
 type: boolean
- domain:
- default: your-company
- examples:
- - your-company
- type: string
 datasets:
 default: []
 items:
@@ -48,11 +23,40 @@ options:
 type: string
 type: object
 type: array
+ domain-name:
+ default: your_company.com
+ examples:
+ - your_company.com
+ type: string
+ stages:
+ default: []
+ items:
+ properties:
+ name:
+ default: prod
+ type: string
+ type: object
+ type: array
 app-group:
 default: dev
 examples:
 - dev
 type: string
+ domain:
+ default: your-company
+ examples:
+ - your-company
+ type: string
+ issuer:
+ default: letsencrypt-prod
+ examples:
+ - letsencrypt-prod
+ type: string
+ ingress-class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
 backups:
 default:
 enable: false
@@ -83,25 +87,21 @@ options:
 default: backup-settings
 type: string
 type: object
- stages:
- default: []
- items:
- properties:
- name:
- default: prod
- type: string
- type: object
- type: array
- ingress-class:
- default: traefik
+ distributions:
+ default:
+ core: core
+ domain: domain
 examples:
- - traefik
- type: string
- domain-name:
- default: your_company.com
- examples:
- - your_company.com
- type: string
+ - core: core
+ domain: domain
+ properties:
+ core:
+ default: core
+ type: string
+ domain:
+ default: domain
+ type: string
+ type: object
 dependencies: []
 providers:
 kubernetes: true
@@ -110,5 +110,5 @@ providers:
 postgresql: null
 restapi: null
 http: null
- gitea: null
+ gitea: true
 tfaddtype: null
diff --git a/share/organisation/stages.tf b/share/organisation/stages.tf
index 455d210..99f4885 100644
--- a/share/organisation/stages.tf
+++ b/share/organisation/stages.tf
@@ -33,6 +33,7 @@ locals {
 ])
 ])
 }
+
 resource "kubernetes_namespace_v1" "ns" {
 count = length(local.sorted-stages)
 metadata {