vynil/domain
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2023-11-28 12:47:50 +01:00
parent a9ec93f1f9
commit 5e0ff76cae
2 changed files with 103 additions and 247 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
apps/gitea/index.yaml
View File

@@ -9,11 +9,31 @@ metadata:
A painless self-hosted Git service. A painless self-hosted Git service.
Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license.
options: options:
domain-name: timezone:
default: your_company.com default: Europe/Paris
examples: examples:
- your_company.com - Europe/Paris
type: string type: string
push-create:
default:
org: 'true'
private: 'false'
user: 'true'
examples:
- org: 'true'
private: 'false'
user: 'true'
properties:
org:
default: 'true'
type: string
private:
default: 'false'
type: string
user:
default: 'true'
type: string
type: object
volume: volume:
default: default:
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
@@ -53,40 +73,25 @@ options:
default: '14' default: '14'
type: string type: string
type: object type: object
webhook:
default:
allowed-hosts: private
skip-tls-verify: false
examples:
- allowed-hosts: private
skip-tls-verify: false
properties:
allowed-hosts:
default: private
type: string
skip-tls-verify:
default: false
type: boolean
type: object
theme: theme:
default: gitea-modern default: gitea-modern
examples: examples:
- gitea-modern - gitea-modern
type: string type: string
sub-domain:
default: git
examples:
- git
type: string
disable-registration: disable-registration:
default: true default: true
examples: examples:
- true - true
type: boolean type: boolean
domain: domain-name:
default: your-company default: your_company.com
examples: examples:
- your-company - your_company.com
type: string
ingress-class:
default: traefik
examples:
- traefik
type: string type: string
load-balancer: load-balancer:
default: default:
@@ -98,34 +103,52 @@ options:
default: '' default: ''
type: string type: string
type: object type: object
replicas: domain:
default: 1 default: your-company
examples: examples:
- 1 - your-company
type: integer type: string
ssh-port: sub-domain:
default: 2222 default: git
examples: examples:
- 2222 - git
type: integer type: string
push-create: issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
redis:
default: default:
org: 'true' exporter:
private: 'false' enabled: true
user: 'true' image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
examples: examples:
- org: 'true' - exporter:
private: 'false' enabled: true
user: 'true' image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
properties: properties:
org: exporter:
default: 'true' default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.12
type: string type: string
private: storage:
default: 'false' default: 2Gi
type: string
user:
default: 'true'
type: string type: string
type: object type: object
admin: admin:
@@ -143,6 +166,11 @@ options:
default: gitea_admin default: gitea_admin
type: string type: string
type: object type: object
ssh-port:
default: 2222
examples:
- 2222
type: integer
images: images:
default: default:
gitea: gitea:
@@ -288,59 +316,11 @@ options:
default: false default: false
type: boolean type: boolean
type: object type: object
app-group: replicas:
default: dev default: 1
examples: examples:
- dev - 1
type: string type: integer
issuer:
default: letsencrypt-prod
examples:
- letsencrypt-prod
type: string
redis:
default:
exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
examples:
- exporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
image: quay.io/opstree/redis:v7.0.12
storage: 2Gi
properties:
exporter:
default:
enabled: true
image: quay.io/opstree/redis-exporter:v1.44.0
properties:
enabled:
default: true
type: boolean
image:
default: quay.io/opstree/redis-exporter:v1.44.0
type: string
type: object
image:
default: quay.io/opstree/redis:v7.0.12
type: string
storage:
default: 2Gi
type: string
type: object
timezone:
default: Europe/Paris
examples:
- Europe/Paris
type: string
default-branch:
default: main
examples:
- main
type: string
release: release:
default: 8.3.0 default: 8.3.0
examples: examples:
@@ -351,10 +331,30 @@ options:
examples: examples:
- git - git
type: string type: string
ingress-class: app-group:
default: traefik default: dev
examples: examples:
- traefik - dev
type: string
webhook:
default:
allowed-hosts: private
skip-tls-verify: false
examples:
- allowed-hosts: private
skip-tls-verify: false
properties:
allowed-hosts:
default: private
type: string
skip-tls-verify:
default: false
type: boolean
type: object
default-branch:
default: main
examples:
- main
type: string type: string
dependencies: dependencies:
- dist: null - dist: null

144
apps/gitea/ldap.tf
View File

@@ -1,139 +1,4 @@
locals {
# app-name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main-group = format("app-%s", local.app-name)
base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name))))
base-group-dn = format("ou=groups,%s", local.base-dn)
base-user-dn = format("ou=users,%s", local.base-dn)
authentik-token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
# request_headers = {
# "Content-Type" = "application/json"
# Authorization = "Bearer ${local.authentik-token}"
# }
ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
}
# resource "kubectl_manifest" "gitea_ldap" {
# ignore_fields = ["metadata.annotations"]
# yaml_body = <<-EOF
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
# kind: "StringSecret"
# metadata:
# name: "${var.component}-ldap"
# namespace: "${var.namespace}"
# labels: ${jsonencode(local.common-labels)}
# spec:
# forceRegenerate: false
# data:
# bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
# user-search-base: "${local.base-user-dn}"
# user-filter: "(&(|(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})(memberof=cn=${local.main-group},${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
# admin-filter: "(memberof=cn=${format("admin-%s", local.app-name)},${local.base-group-dn})"
# endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
# fields:
# - fieldName: "bindPassword"
# length: "32"
# EOF
# }
# resource "authentik_user" "gitea_ldapsearch" {
# username = "${var.component}-ldapsearch"
# name = "${var.component}-ldapsearch"
# }
# resource "authentik_group" "gitea_ldapsearch" {
# name = "${var.component}-ldapsearch"
# users = [authentik_user.gitea_ldapsearch.id]
# is_superuser = true
# }
data "http" "gitea_ldapsearch_password" {
url = "http://authentik.${var.domain}-auth.svc/api/v3/core/users/${authentik_user.gitea_ldapsearch.id}/set_password/"
method = "POST"
request_headers = local.request_headers
request_body = jsonencode({password=data.kubernetes_secret_v1.gitea_ldap_password.data["bindPassword"]})
lifecycle {
postcondition {
condition = contains([201, 204], self.status_code)
error_message = "Status code invalid"
}
}
}
data "authentik_flow" "ldap-authentication-flow" {
#depends_on = [authentik_user.gitea_ldapsearch] # fake dependency so it is not evaluated at plan stage
slug = "ldap-authentication-flow"
}
# resource "authentik_provider_ldap" "gitea_provider_ldap" {
# name = "gitea-ldap-provider"
# base_dn = local.base-dn
# search_group = authentik_group.gitea_ldapsearch.id
# bind_flow = data.authentik_flow.ldap-authentication-flow.id
# }
# resource "authentik_application" "gitea_application" {
# name = "${var.instance}"
# slug = "${var.component}-${var.instance}-ldap"
# group = var.app-group
# protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
# meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
# meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
# }
# resource "authentik_group" "gitea_users" {
# name = local.main-group
# attributes = jsonencode({"${local.app-name}" = true})
# }
#data "authentik_group" "vynil-admin" {
# depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
# name = "vynil-ldap-admins"
#}
# resource "authentik_group" "gitea_admin" {
# name = format("admin-%s", local.app-name)
# parent = authentik_group.gitea_users.id
# attributes = jsonencode({"${local.app-name}" = true})
# }
# resource "authentik_policy_expression" "policy" {
# name = local.main-group
# expression = <<-EOF
# attr = request.user.group_attributes()
# return attr['${local.app-name}'] if '${local.app-name}' in attr else False
# EOF
# }
# resource "authentik_policy_binding" "gitea_access_users" {
# target = authentik_application.gitea_application.uuid
# policy = authentik_policy_expression.policy.id
# order = 0
# }
# resource "authentik_policy_binding" "gitea_access_vynil" {
# target = authentik_application.gitea_application.uuid
# group = data.authentik_group.vynil-admin.id
# order = 1
# }
# resource "authentik_policy_binding" "gitea_access_ldap" {
# target = authentik_application.gitea_application.uuid
# group = authentik_group.gitea_ldapsearch.id
# order = 2
# }
data "http" "get_ldap_outpost" {
#depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=ldap"
method = "GET"
request_headers = local.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
provider "restapi" { provider "restapi" {
uri = "http://authentik.${var.domain}-auth.svc/api/v3/" uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
headers = local.request_headers headers = local.request_headers
@@ -143,12 +8,3 @@ provider "restapi" {
write_returns_object = true write_returns_object = true
id_attribute = "name" id_attribute = "name"
} }
# resource "restapi_object" "ldap_outpost_binding" {
# path = "/outposts/instances/${local.ldap-outpost-pk}/"
# data = jsonencode({
# name = "ldap"
# providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
# })
# }