diff --git a/apps/dolibarr/configmap.tf b/apps/dolibarr/configmap.tf index c17f688..5ce606c 100644 --- a/apps/dolibarr/configmap.tf +++ b/apps/dolibarr/configmap.tf @@ -159,7 +159,7 @@ resource "kubectl_manifest" "config" { namespace: "${var.namespace}" labels: ${jsonencode(local.common-labels)} data: - DOLI_DB_HOST: "${var.instance}-${var.component}.${var.namespace}.svc" + DOLI_DB_HOST: "${var.instance}-${var.component}-pg-rw.${var.namespace}.svc" DOLI_DB_USER: "${var.component}" DOLI_DB_NAME: "${var.component}" DOLI_DB_PORT: "5432" diff --git a/apps/dolibarr/deploy.tf b/apps/dolibarr/deploy.tf index 1469c97..b6e70b6 100644 --- a/apps/dolibarr/deploy.tf +++ b/apps/dolibarr/deploy.tf @@ -95,7 +95,7 @@ spec: valueFrom: secretKeyRef: key: password - name: "${var.component}.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do" + name: "${var.instance}-${var.component}-pg-app" envFrom: - configMapRef: name: "${kubectl_manifest.config.name}" diff --git a/apps/dolibarr/index.yaml b/apps/dolibarr/index.yaml index 9d9bde0..ee88979 100644 --- a/apps/dolibarr/index.yaml +++ b/apps/dolibarr/index.yaml @@ -6,11 +6,6 @@ metadata: name: dolibarr description: null options: - domain-name: - default: your_company.com - examples: - - your_company.com - type: string redis: default: exporter: 
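Review bot: In the deploy.tf hunk the container now reads `${var.instance}-${var.component}-pg-app`, a Secret that only exists once the CNPG Cluster `prj_pg` has bootstrapped, yet nothing visible here makes the Deployment depend on `kubectl_manifest.prj_pg`; on a fresh apply the pods sit in CreateContainerConfigError until the secret appears (kubelet retries, so it self-heals, but `depends_on = [kubectl_manifest.prj_pg]` on the deployment resource would make the ordering explicit). The resource header is outside the hunk, so it may already carry such a dependency. The configmap.tf change to `-pg-rw` is consistent with the `-pg` cluster name used in postgresql.tf.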
@@ -44,86 +39,6 @@ options: default: 2Gi type: string type: object - domain: - default: your-company - examples: - - your-company - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - parameters: - default: - MAIN_LANG_DEFAULT: auto - examples: - - MAIN_LANG_DEFAULT: auto - properties: - MAIN_LANG_DEFAULT: - default: auto - type: string - type: object - storage: - default: - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem - examples: - - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem - properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string - type: - default: Filesystem - enum: - - Filesystem - - block - type: string - type: object - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - modules: - default: - - societe - examples: - - - societe - items: - type: string - type: array - sub-domain: - default: erp - examples: - - erp - type: string - user-groups: - default: - - admin: true - name: dolibarr-admin - examples: - - - admin: true - name: dolibarr-admin - items: - properties: - admin: - type: boolean - name: - type: string - type: object - type: array hpa: default: avg-cpu: 50 
@@ -144,6 +59,125 @@ options: default: 1 type: integer type: object + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object + resources: + default: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 100Mi + examples: + - limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 100Mi + properties: + limits: + default: + cpu: 200m + memory: 256Mi + properties: + cpu: + default: 200m + type: string + memory: + default: 256Mi + type: string + type: object + requests: + default: + cpu: 50m + memory: 100Mi + properties: + cpu: + default: 50m + type: string + memory: + default: 100Mi + type: string + type: object + type: object + sub-domain: + default: erp + examples: + - erp + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + log-level: + default: 5 + examples: + - 5 + type: integer + ingress-class: + default: traefik + examples: + - traefik + type: string + modules: + default: + - societe + examples: + - - societe + items: + type: string + type: array + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + user-groups: + default: + - admin: true + name: dolibarr-admin + examples: + - - admin: true + name: dolibarr-admin + items: + properties: + admin: + type: boolean + name: + type: string + type: object + type: array + parameters: + default: + MAIN_LANG_DEFAULT: auto + examples: + - MAIN_LANG_DEFAULT: auto + properties: + MAIN_LANG_DEFAULT: + default: auto + type: string + type: object images: default: dolibarr: 
@@ -209,71 +243,37 @@ options: type: string type: object type: object - log-level: - default: 5 + domain: + default: your-company examples: - - 5 - type: integer - postgres: + - your-company + type: string + storage: default: - replicas: 1 - storage: 5Gi - version: '14' + accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem examples: - - replicas: 1 - storage: 5Gi - version: '14' + - accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany type: string - version: - default: '14' + size: + default: 10Gi + type: string + type: + default: Filesystem + enum: + - Filesystem + - block type: string - type: object - resources: - default: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 100Mi - examples: - - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 100Mi - properties: - limits: - default: - cpu: 200m - memory: 256Mi - properties: - cpu: - default: 200m - type: string - memory: - default: 256Mi - type: string - type: object - requests: - default: - cpu: 50m - memory: 100Mi - properties: - cpu: - default: 50m - type: string - memory: - default: 100Mi - type: string - type: object type: object dependencies: - dist: null @@ -287,7 +287,7 @@ dependencies: component: cert-manager-self-sign - dist: null category: dbo - component: postgresql + component: pg - dist: null category: dbo component: redis @@ -298,3 +298,4 @@ providers: postgresql: null restapi: true http: true +tfaddtype: null diff --git a/apps/dolibarr/postgresql.tf b/apps/dolibarr/postgresql.tf index eb9c3a2..9b8aa4d 100644 --- a/apps/dolibarr/postgresql.tf +++ b/apps/dolibarr/postgresql.tf 
@@ -1,5 +1,8 @@ locals { pg-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "pg" + }) + postgres-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "postgresql" }) } @@ -10,7 +13,7 @@ resource "kubectl_manifest" "dolibarr_postgresql" { metadata: name: "${var.instance}-${var.component}" namespace: "${var.namespace}" - labels: ${jsonencode(local.pg-labels)} + labels: ${jsonencode(local.postgres-labels)} spec: databases: ${var.component}: "${var.component}" 
@@ -29,3 +32,76 @@ resource "kubectl_manifest" "dolibarr_postgresql" { size: "${var.postgres.storage}" EOF } + +resource "kubectl_manifest" "prj_pre_migrate_pg" { + yaml_body = <<-EOF +apiVersion: batch/v1 +kind: Job +metadata: + name: "${var.instance}-remove-zalando-extensions" + namespace: "${var.namespace}" +spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: clean + image: docker.io/postgres:15.3-bookworm + imagePullPolicy: IfNotPresent + env: + - name: USERNAME + valueFrom: + secretKeyRef: + key: username + name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do + - name: PASSWORD + valueFrom: + secretKeyRef: + key: password + name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do + - name: DBURL + value: "${var.instance}-${var.component}" + - name: DBNAME + value: "${var.component}" + command: + - /bin/bash + - "-c" + - "echo -ne 'drop view if exists metric_helpers.pg_stat_statements;\ndrop function if exists metric_helpers.pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_kcache;\nDROP EXTENSION IF EXISTS set_user;\n'| PGPASSWORD=\"$PASSWORD\" psql -U $USERNAME -d $DBNAME -h $DBURL" + EOF +} + +resource "kubectl_manifest" "prj_pg" { + depends_on = [kubectl_manifest.prj_pre_migrate_pg] + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: Cluster + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + instances: ${var.postgres.replicas} + storage: + size: "${var.postgres.storage}" + bootstrap: + initdb: + database: ${var.component} + owner: ${var.component} + import: + type: microservice + databases: + - ${var.component} + source: + externalCluster: "${var.instance}-${var.component}" + externalClusters: + - name: "${var.instance}-${var.component}" + connectionParameters: + host: "${var.instance}-${var.component}" + user: postgres + 
dbname: postgres + sslmode: require + password: + name: "postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do" + key: password + EOF +} diff --git a/apps/gitea/index.yaml b/apps/gitea/index.yaml index cce2449..b32e50a 100644 --- a/apps/gitea/index.yaml +++ b/apps/gitea/index.yaml 
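Review bot: `depends_on = [kubectl_manifest.prj_pre_migrate_pg]` on `prj_pg` only orders creation of the Job object, not its completion, so the CNPG `import` can pg_dump the source before the extension drops have run and presumably fail restoring `pg_stat_kcache`/`set_user` on the new cluster, which is the very problem the Job exists to avoid. Gate the Cluster on the Job actually finishing, for example with the provider's `wait_for` block on the Job's `Complete` condition if the installed kubectl provider version supports it. The Job is named `${var.instance}-remove-zalando-extensions` without `${var.component}`, so two components of one instance in the same namespace would collide (share/authentik/postgresql.tf further down in this diff uses the identical name). `var.postgres.version` is no longer consumed by the new Cluster (no `imageName`), so the `version: '14'` option kept in index.yaml becomes a no-op for the CNPG side; either wire it into `imageName` or drop it from the schema. `sslmode: require` on the external-cluster connection encrypts the import but does not verify the source's certificate; `verify-ca` against the Zalando cluster's CA would be stricter, though the exposure is limited to the import window (same in the authentik copy of this resource).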
@@ -9,40 +9,125 @@ metadata: A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. options: - timezone: - default: Europe/Paris + release: + default: 8.3.0 examples: - - Europe/Paris + - 8.3.0 type: string - sub-domain: - default: git + disable-registration: + default: true examples: - - git + - true + type: boolean + admin: + default: + email: git-admin@git.your_company.com + name: gitea_admin + examples: + - email: git-admin@git.your_company.com + name: gitea_admin + properties: + email: + default: git-admin@git.your_company.com + type: string + name: + default: gitea_admin + type: string + type: object + ingress-class: + default: traefik + examples: + - traefik type: string ssh-port: default: 2222 examples: - 2222 type: integer - webhook: + theme: + default: gitea-modern + examples: + - gitea-modern + type: string + volume: default: - allowed-hosts: private - skip-tls-verify: false + size: 10Gi examples: - - allowed-hosts: private - skip-tls-verify: false + - size: 10Gi properties: - allowed-hosts: - default: private + size: + default: 10Gi type: string - skip-tls-verify: - default: false - type: boolean type: object - release: - default: 8.3.0 + domain: + default: your-company examples: - - 8.3.0 + - your-company + type: string + postgres: + default: + replicas: 1 + storage: 10Gi + version: '14' + examples: + - replicas: 1 + storage: 10Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 10Gi + type: string + version: + default: '14' + type: string + type: object + timezone: + default: Europe/Paris + examples: + - Europe/Paris + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + push-create: + default: + org: 'true' + private: 'false' + user: 'true' + examples: + - org: 'true' + private: 'false' + user: 'true' + properties: + org: + default: 'true' + type: string + 
private: + default: 'false' + type: string + user: + default: 'true' + type: string + type: object + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + replicas: + default: 1 + examples: + - 1 + type: integer + default-branch: + default: main + examples: + - main type: string images: default: @@ -107,35 +192,25 @@ options: type: string type: object type: object - ingress-class: - default: traefik + sub-domain: + default: git examples: - - traefik + - git type: string - replicas: - default: 1 - examples: - - 1 - type: integer - domain: - default: your-company - examples: - - your-company - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - volume: + webhook: default: - size: 10Gi + allowed-hosts: private + skip-tls-verify: false examples: - - size: 10Gi + - allowed-hosts: private + skip-tls-verify: false properties: - size: - default: 10Gi + allowed-hosts: + default: private type: string + skip-tls-verify: + default: false + type: boolean type: object load-balancer: default: 
@@ -147,81 +222,6 @@ options: default: '' type: string type: object - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - theme: - default: gitea-modern - examples: - - gitea-modern - type: string - default-branch: - default: main - examples: - - main - type: string - disable-registration: - default: true - examples: - - true - type: boolean - push-create: - default: - org: 'true' - private: 'false' - user: 'true' - examples: - - org: 'true' - private: 'false' - user: 'true' - properties: - org: - default: 'true' - type: string - private: - default: 'false' - type: string - user: - default: 'true' - type: string - type: object - admin: - default: - email: git-admin@git.your_company.com - name: gitea_admin - examples: - - email: git-admin@git.your_company.com - name: gitea_admin - properties: - email: - default: git-admin@git.your_company.com - type: string - name: - default: gitea_admin - type: string - type: object - postgres: - default: - replicas: 1 - storage: 10Gi - version: '14' - examples: - - replicas: 1 - storage: 10Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 10Gi - type: string - version: - default: '14' - type: string - type: object dependencies: - dist: null category: share diff --git a/apps/gitea/postgresql.tf b/apps/gitea/postgresql.tf index c8e39d5..0fc0c0d 100644 --- a/apps/gitea/postgresql.tf +++ b/apps/gitea/postgresql.tf @@ -78,6 +78,7 @@ resource "kubectl_manifest" "prj_pg" { metadata: name: "${var.instance}-${var.component}-pg" namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} spec: instances: ${var.postgres.replicas} storage: diff --git a/apps/nextcloud/index.yaml b/apps/nextcloud/index.yaml index a511683..15b10fc 100644 --- a/apps/nextcloud/index.yaml +++ b/apps/nextcloud/index.yaml 
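Review bot: The new `labels: ${jsonencode(local.pg-labels)}` line in apps/gitea/postgresql.tf references `local.pg-labels`, but no `locals` block defining it appears in this diff for gitea (the authentik file gets one in this same commit, and apps/nextcloud/postgresql.tf in the next hunk has the same reference). If gitea's and nextcloud's postgresql.tf do not already define `pg-labels`, the plan fails with an undeclared local; worth confirming before merge.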
@@ -6,51 +6,25 @@ metadata: name: nextcloud description: null options: - admin: + storage: default: - name: nextcloud_admin + accessMode: ReadWriteOnce + size: 10Gi examples: - - name: nextcloud_admin + - accessMode: ReadWriteOnce + size: 10Gi properties: - name: - default: nextcloud_admin + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi type: string type: object - domain: - default: your-company - examples: - - your-company - type: string - hpa: - default: - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - examples: - - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - properties: - avg-cpu: - default: 50 - type: integer - max-replicas: - default: 5 - type: integer - min-replicas: - default: 1 - type: integer - type: object - ingress-class: - default: traefik - examples: - - traefik - type: string - openid-name: - default: vynil - examples: - - vynil - type: string postgres: default: replicas: 1 
@@ -71,34 +45,140 @@ options: default: '14' type: string type: object - storage: + apps: default: - accessMode: ReadWriteOnce - size: 10Gi + audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true examples: - - accessMode: ReadWriteOnce - size: 10Gi + - audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string + audioplayer: + default: false + type: boolean + bookmarks: + default: false + type: boolean + bpm: + default: false + type: boolean + calendar: + default: false + type: boolean + collabora: + default: false + type: boolean + contacts: + default: false + type: boolean + deck: + default: false + type: boolean + groupfolders: + default: true + type: boolean + mindmap: + default: false + type: boolean + music: + default: false + type: boolean + notes: + default: false + type: boolean + onlyoffice: + default: false + type: boolean + passman: + default: false + type: boolean + spreed: + default: false + type: boolean + tables: + default: false + type: boolean + tasks: + default: false + type: boolean + texteditor: + default: true + type: boolean type: object + hpa: + default: + avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 + examples: + - avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 + properties: + avg-cpu: + default: 50 + type: integer + max-replicas: + default: 5 + type: integer + min-replicas: + default: 1 + type: integer + type: 
object + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + sub-domain: + default: files + examples: + - files + type: string + openid-name: + default: vynil + examples: + - vynil + type: string domain-name: default: your_company.com examples: - your_company.com type: string - issuer: - default: letsencrypt-prod + domain: + default: your-company examples: - - letsencrypt-prod + - your-company type: string images: default: 
@@ -263,101 +343,6 @@ options: type: string type: object type: object - apps: - default: - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - examples: - - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - properties: - audioplayer: - default: false - type: boolean - bookmarks: - default: false - type: boolean - bpm: - default: false - type: boolean - calendar: - default: false - type: boolean - collabora: - default: false - type: boolean - contacts: - default: false - type: boolean - deck: - default: false - type: boolean - groupfolders: - default: true - type: boolean - mindmap: - default: false - type: boolean - music: - default: false - type: boolean - notes: - default: false - type: boolean - onlyoffice: - default: false - type: boolean - passman: - default: false - type: boolean - spreed: - default: false - type: boolean - tables: - default: false - type: boolean - tasks: - default: false - type: boolean - texteditor: - default: true - type: boolean - type: object - sub-domain: - default: files - examples: - - files - type: string redis: default: exporter: @@ -391,6 +376,21 @@ options: default: 2Gi type: string type: object + ingress-class: + default: traefik + examples: + - traefik + type: string + admin: + default: + name: nextcloud_admin + examples: + - name: nextcloud_admin + properties: + name: + default: nextcloud_admin + type: string + type: object dependencies: - dist: null category: share 
diff --git a/apps/nextcloud/postgresql.tf b/apps/nextcloud/postgresql.tf index 201ce51..d2aca09 100644 --- a/apps/nextcloud/postgresql.tf +++ b/apps/nextcloud/postgresql.tf @@ -78,6 +78,7 @@ resource "kubectl_manifest" "prj_pg" { metadata: name: "${var.instance}-${var.component}-pg" namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} spec: instances: ${var.postgres.replicas} storage: diff --git a/share/authentik/datas.tf b/share/authentik/datas.tf index d2e2df1..803b104 100644 --- a/share/authentik/datas.tf +++ b/share/authentik/datas.tf @@ -40,7 +40,6 @@ data "kustomization_overlay" "data" { "AUTHENTIK_GEOIP=${var.geoip}", "AUTHENTIK_LOG_LEVEL=${var.loglevel}", "AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=${var.image.registry}/${var.image.project}/%(type)s:%(version)s", - "AUTHENTIK_POSTGRESQL__HOST=${var.instance}-${var.component}.${var.namespace}.svc", "AUTHENTIK_POSTGRESQL__NAME=${var.component}", "AUTHENTIK_POSTGRESQL__PORT=5432", "AUTHENTIK_POSTGRESQL__USER=${var.component}", @@ -66,10 +65,12 @@ data "kustomization_overlay" "data" { image: "${var.image.registry}/${var.image.repository}:${var.image.tag}" imagePullPolicy: "${var.image.pullPolicy}" env: + - name: "AUTHENTIK_POSTGRESQL__HOST" + value: "${var.instance}-${var.component}-pg-rw.${var.namespace}.svc" - name: AUTHENTIK_POSTGRESQL__PASSWORD valueFrom: secretKeyRef: - name: ${var.component}.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do + name: "${var.instance}-${var.component}-pg-app" key: password envFrom: - secretRef: 
@@ -96,10 +97,12 @@ data "kustomization_overlay" "data" { image: "${var.image.registry}/${var.image.repository}:${var.image.tag}" imagePullPolicy: "${var.image.pullPolicy}" env: + - name: "AUTHENTIK_POSTGRESQL__HOST" + value: "${var.instance}-${var.component}-pg-rw.${var.namespace}.svc" - name: AUTHENTIK_POSTGRESQL__PASSWORD valueFrom: secretKeyRef: - name: ${var.component}.${var.name}-${var.component}.credentials.postgresql.acid.zalan.do + name: "${var.instance}-${var.component}-pg-app" key: password envFrom: - secretRef: diff --git a/share/authentik/index.yaml b/share/authentik/index.yaml index 2e1536a..fecca23 100644 --- a/share/authentik/index.yaml +++ b/share/authentik/index.yaml @@ -6,46 +6,16 @@ metadata: name: authentik description: authentik is an open-source Identity Provider focused on flexibility and versatility options: - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - error_reporting: + admin: default: - enabled: false - environment: k8s - send_pii: false + email: auth-admin examples: - - enabled: false - environment: k8s - send_pii: false + - email: auth-admin properties: - enabled: - default: false - type: boolean - environment: - default: k8s + email: + default: auth-admin type: string - send_pii: - default: false - type: boolean type: object - loglevel: - default: info - examples: - - info - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string email: default: port: 587 @@ -71,26 +41,6 @@ options: default: false type: boolean type: object - geoip: - default: /geoip/GeoLite2-City.mmdb - examples: - - /geoip/GeoLite2-City.mmdb - type: string - sub-domain: - default: auth - examples: - - auth - type: string - admin: - default: - email: auth-admin - examples: - - email: auth-admin - properties: - email: - default: auth-admin - type: string - type: object postgres: default: cleanlogs: 
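Review bot: The `AUTHENTIK_POSTGRESQL__HOST` value `${var.instance}-${var.component}-pg-rw.${var.namespace}.svc` is now spelled out twice (previous hunk and this one) where it previously lived once in the shared env list, so the two containers can drift apart again; the `${var.name}`/`${var.instance}` mismatch this commit fixes in the old secretKeyRef shows that already happened once. A single `local.pg_host` referenced from both env blocks would keep them aligned. The enclosing `kustomization_overlay` data block starts and ends outside the hunk.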
@@ -129,11 +79,61 @@ options: default: '14' type: string type: object + image: + default: + project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 + examples: + - project: goauthentik + pullPolicy: IfNotPresent + registry: ghcr.io + repository: goauthentik/server + tag: 2023.5.4 + properties: + project: + default: goauthentik + type: string + pullPolicy: + default: IfNotPresent + type: string + registry: + default: ghcr.io + type: string + repository: + default: goauthentik/server + type: string + tag: + default: 2023.5.4 + type: string + type: object domain: default: your-company examples: - your-company type: string + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + sub-domain: + default: auth + examples: + - auth + type: string + loglevel: + default: info + examples: + - info + type: string redis: default: exporter: 
@@ -167,36 +167,36 @@ options: default: 8Gi type: string type: object - image: + error_reporting: default: - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 + enabled: false + environment: k8s + send_pii: false examples: - - project: goauthentik - pullPolicy: IfNotPresent - registry: ghcr.io - repository: goauthentik/server - tag: 2023.5.4 + - enabled: false + environment: k8s + send_pii: false properties: - project: - default: goauthentik - type: string - pullPolicy: - default: IfNotPresent - type: string - registry: - default: ghcr.io - type: string - repository: - default: goauthentik/server - type: string - tag: - default: 2023.5.4 + enabled: + default: false + type: boolean + environment: + default: k8s type: string + send_pii: + default: false + type: boolean type: object + ingress-class: + default: traefik + examples: + - traefik + type: string + geoip: + default: /geoip/GeoLite2-City.mmdb + examples: + - /geoip/GeoLite2-City.mmdb + type: string dependencies: - dist: null category: core @@ -212,7 +212,7 @@ dependencies: component: traefik - dist: null category: dbo - component: postgresql + component: pg - dist: null category: dbo component: redis @@ -223,3 +223,4 @@ providers: postgresql: null restapi: null http: null +tfaddtype: null diff --git a/share/authentik/postgresql.tf b/share/authentik/postgresql.tf index 20d2175..d0e51df 100644 --- a/share/authentik/postgresql.tf +++ b/share/authentik/postgresql.tf @@ -1,3 +1,14 @@ +locals { + pg-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "pg" + }) + pool-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "pg-pool" + }) + postgres-labels = merge(local.common-labels, { + "app.kubernetes.io/component" = "postgresql" + }) +} resource "kubectl_manifest" "authentik_postgresql" { yaml_body = <<-EOF apiVersion: "acid.zalan.do/v1" 
@@ -5,7 +16,7 @@ resource "kubectl_manifest" "authentik_postgresql" { metadata: name: "${var.instance}-${var.component}" namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} + labels: ${jsonencode(local.postgres-labels)} spec: databases: ${var.component}: "${var.component}" 
@@ -89,3 +100,99 @@ resource "kubectl_manifest" "authentik_cleanup_logs_job" { successfulJobsHistoryLimit: 3 EOF } + +resource "kubectl_manifest" "prj_pre_migrate_pg" { + yaml_body = <<-EOF +apiVersion: batch/v1 +kind: Job +metadata: + name: "${var.instance}-remove-zalando-extensions" + namespace: "${var.namespace}" +spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: clean + image: docker.io/postgres:15.3-bookworm + imagePullPolicy: IfNotPresent + env: + - name: USERNAME + valueFrom: + secretKeyRef: + key: username + name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do + - name: PASSWORD + valueFrom: + secretKeyRef: + key: password + name: postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do + - name: DBURL + value: "${var.instance}-${var.component}" + - name: DBNAME + value: "${var.component}" + command: + - /bin/bash + - "-c" + - "echo -ne 'drop view if exists metric_helpers.pg_stat_statements;\ndrop function if exists metric_helpers.pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_statements;\nDROP EXTENSION IF EXISTS pg_stat_kcache;\nDROP EXTENSION IF EXISTS set_user;\n'| PGPASSWORD=\"$PASSWORD\" psql -U $USERNAME -d $DBNAME -h $DBURL" + EOF +} + +resource "kubectl_manifest" "prj_pg" { + depends_on = [kubectl_manifest.prj_pre_migrate_pg] + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: Cluster + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + instances: ${var.postgres.replicas} + storage: + size: "${var.postgres.storage}" + bootstrap: + initdb: + database: ${var.component} + owner: ${var.component} + import: + type: microservice + databases: + - ${var.component} + source: + externalCluster: "${var.instance}-${var.component}" + externalClusters: + - name: "${var.instance}-${var.component}" + connectionParameters: + host: "${var.instance}-${var.component}" + user: 
postgres + dbname: postgres + sslmode: require + password: + name: "postgres.${var.instance}-${var.component}.credentials.postgresql.acid.zalan.do" + key: password + EOF +} + + +resource "kubectl_manifest" "prj_pg_pool" { + depends_on = [kubectl_manifest.prj_pg] + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: Pooler + metadata: + name: "${var.instance}-${var.component}-pool" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pool-labels)} + spec: + cluster: + name: "${var.instance}-${var.component}-pg" + instances: 1 + type: rw + pgbouncer: + poolMode: session + parameters: + max_client_conn: "1000" + default_pool_size: "10" + EOF +} diff --git a/share/authentik/v1_ServiceAccount_authentik.yaml b/share/authentik/v1_ServiceAccount_authentik.yaml index 941cac7..ea23891 100644 --- a/share/authentik/v1_ServiceAccount_authentik.yaml +++ b/share/authentik/v1_ServiceAccount_authentik.yaml @@ -1,3 +1,4 @@ +--- # Source: authentik/charts/serviceAccount/templates/service-account.yaml apiVersion: v1 kind: ServiceAccount
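Review bot: The Pooler `prj_pg_pool` (service `${var.instance}-${var.component}-pool`) is created but nothing in this commit connects to it: share/authentik/datas.tf points both containers at `-pg-rw`, bypassing pgbouncer, so the session-mode pool with `max_client_conn: "1000"` sits idle. Either point `AUTHENTIK_POSTGRESQL__HOST` at `${var.instance}-${var.component}-pool.${var.namespace}.svc` or leave the Pooler out until it is used. `instances: 1` also makes the pooler a single point of failure for anything later routed through it; presumably acceptable for a first cut, but a comment saying so would help.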