From ec20837c0751cf5048758fcdc330f1a79cb1269c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Wed, 18 Oct 2023 17:06:25 +0200 Subject: [PATCH] fix --- apps/dbgate/application.tf | 51 +++++------ apps/dbgate/deploy.tf | 35 +++++--- apps/dbgate/index.yaml | 172 ++++++++++++++++++------------------- apps/dbgate/oauth2.tf | 69 --------------- 4 files changed, 134 insertions(+), 193 deletions(-) delete mode 100644 apps/dbgate/oauth2.tf diff --git a/apps/dbgate/application.tf b/apps/dbgate/application.tf index 51ae441..6dd2270 100644 --- a/apps/dbgate/application.tf +++ b/apps/dbgate/application.tf 
@@ -5,42 +5,45 @@ locals { module "ingress" { source = "../../modules/ingress" - "component" = var.component - "instance" = var.instance - "namespace" = var.namespace - "issuer" = var.issuer - "ingress-class" = var.ingress-class - "labels" = local.common-labels - "dns-names" = local.dns-names + component = var.component + instance = var.instance + namespace = var.namespace + issuer = var.issuer + ingress-class = var.ingress-class + labels = local.common-labels + dns-names = local.dns-names } module "application" { source = "../../modules/application" - "component" = var.component - "instance" = var.instance - "app-group" = var.app-group - "sub-domain" = var.sub-domain - "domain-name" = var.domain-name - "icon" = "logo192.png" - "protocol_provider" = var.use-oauth?module.oauth2.provider-id:module.forward.provider-id + component = var.component + instance = var.instance + app-group = var.app-group + sub-domain = var.sub-domain + domain-name = var.domain-name + icon = "logo192.png" + protocol_provider = var.use-oauth?module.oauth2.provider-id:module.forward.provider-id } module "oauth2" { count = var.use-oauth?1:0 source = "../../modules/oauth2" - "component" = var.component - "instance" = var.instance + component = var.component + instance = var.instance + namespace = var.namespace + labels = local.common-labels + dns-name = local.dns-name } module "forward" { count = var.use-oauth?0:1 source = "../../modules/forward" - "component" = var.component - "instance" = var.instance - "domain" = var.domain - "namespace" = var.namespace - "ingress-class" = var.ingress-class - "labels" = local.common-labels - "dns-names" = local.dns-names - "authentik-token" = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"] + component = var.component + instance = var.instance + domain = var.domain + namespace = var.namespace + ingress-class = var.ingress-class + labels = local.common-labels + dns-names = local.dns-names + authentik-token = 
data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"] } diff --git a/apps/dbgate/deploy.tf b/apps/dbgate/deploy.tf index c1fa4cb..4ce68f7 100644 --- a/apps/dbgate/deploy.tf +++ b/apps/dbgate/deploy.tf @@ -1,5 +1,24 @@ locals { - deploy-envs = merge({}, + deploy-envs = concat([{ + "name" = "CONNECTIONS" + "value" = local.connections + }],var.use-oauth?[{ + "name" = "OAUTH_CLIENT_ID" + "valueFrom" = { + "secretKeyRef" = { + "name" = "${var.component}-${var.instance}-id" + "key" = "client-id" + } + } + },{ + "name" = "OAUTH_CLIENT_SECRET" + "valueFrom" = { + "secretKeyRef" = { + "name" = "${var.component}-${var.instance}-secret" + "key" = "client-secret" + } + } + }]:[] } resource "kubectl_manifest" "deploy" { @@ -34,19 +53,7 @@ resource "kubectl_manifest" "deploy" { name: "${var.component}-${var.instance}" - configMapRef: name: "${var.component}-${var.instance}" - env: - - name: CONNECTIONS - value: ${local.connections} - - name: OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: "${var.component}-${var.instance}-id" - key: client-id - - name: OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: "${var.component}-${var.instance}-secret" - key: client-secret + env: ${jsonencode(local.deploy-envs)} command: - "/bin/bash" - "/start.sh" diff --git a/apps/dbgate/index.yaml b/apps/dbgate/index.yaml index 961b7c4..8dcaa40 100644 --- a/apps/dbgate/index.yaml +++ b/apps/dbgate/index.yaml @@ -6,40 +6,6 @@ metadata: name: dbgate description: null options: - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - mongo: - default: [] - examples: - - [] - items: - properties: - dbname: - default: '' - type: string - name: - default: '' - type: string - namespace: - default: '' - type: string - secret: - properties: - key: - default: '' - type: string - name: - default: '' - type: string - type: object - username: - default: '' - type: string - type: object - type: array images: default: dbgate: 
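Review bot: `protocol_provider = var.use-oauth?module.oauth2.provider-id:module.forward.provider-id` in module "application" still references both counted modules without an instance key; since `module.oauth2` and `module.forward` each carry a `count`, those references are lists of module objects and `.provider-id` cannot be read from them directly. A form that also tolerates the module whose count is 0 is `protocol_provider = var.use-oauth ? one(module.oauth2[*].provider-id) : one(module.forward[*].provider-id)`, provided the Terraform version in use supports `one()` and module splat (the diff does not show a version constraint). Separately, `authentik-token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]` feeds the bootstrap token into the forward module; unless that module declares the variable `sensitive = true` its value is printed in plan output, and a purpose-specific API token instead of the bootstrap token would narrow what a leak of this state exposes.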
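Review bot: The two `secretKeyRef` names in the new `deploy-envs` local, `"${var.component}-${var.instance}-id"` and `"${var.component}-${var.instance}-secret"`, are bare string conventions for Secrets that this commit stops creating in apps/dbgate/oauth2.tf; they presumably now come from module "oauth2", but nothing in this file ties the two together, so a rename on either side only surfaces at pod start as a missing Secret. If the module exposes the Secret names as outputs, reading them (`"name" = one(module.oauth2[*].<secret-name-output>)`, output name is a placeholder) would move that failure to plan time. At minimum a comment above the conditional branch such as `# Secret names must match those created by module "oauth2"` would record the coupling.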
@@ -79,55 +45,6 @@ options: type: string type: object type: object - sub-domain: - default: dbgate - examples: - - dbgate - type: string - use-oauth: - default: false - examples: - - false - type: boolean - domain: - default: your-company - examples: - - your-company - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - pg: - default: [] - examples: - - [] - items: - properties: - dbname: - default: '' - type: string - name: - default: '' - type: string - namespace: - default: '' - type: string - secret: - properties: - key: - default: '' - type: string - name: - default: '' - type: string - type: object - username: - default: '' - type: string - type: object - type: array maria: default: [] examples: 
@@ -184,15 +101,98 @@ options: - Block type: string type: object + app-group: + default: dev + examples: + - dev + type: string domain-name: default: your_company.com examples: - your_company.com type: string - app-group: - default: dev + sub-domain: + default: dbgate examples: - - dev + - dbgate + type: string + mongo: + default: [] + examples: + - [] + items: + properties: + dbname: + default: '' + type: string + name: + default: '' + type: string + namespace: + default: '' + type: string + secret: + properties: + key: + default: '' + type: string + name: + default: '' + type: string + type: object + username: + default: '' + type: string + type: object + type: array + domain: + default: your-company + examples: + - your-company + type: string + pg: + default: [] + examples: + - [] + items: + properties: + dbname: + default: '' + type: string + name: + default: '' + type: string + namespace: + default: '' + type: string + secret: + properties: + key: + default: '' + type: string + name: + default: '' + type: string + type: object + username: + default: '' + type: string + type: object + type: array + use-oauth: + default: false + examples: + - false + type: boolean + ingress-class: + default: traefik + examples: + - traefik + type: string + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod type: string dependencies: - dist: null diff --git a/apps/dbgate/oauth2.tf b/apps/dbgate/oauth2.tf deleted file mode 100644 index c22857c..0000000 --- a/apps/dbgate/oauth2.tf +++ /dev/null 
@@ -1,69 +0,0 @@ -resource "kubectl_manifest" "oauth2-secret" { - count = var.use-oauth?1:0 - ignore_fields = ["metadata.annotations"] - yaml_body = <<-EOF - apiVersion: "secretgenerator.mittwald.de/v1alpha1" - kind: "StringSecret" - metadata: - name: "${var.component}-${var.instance}-id" - namespace: "${var.namespace}" - labels: ${jsonencode(local.common-labels)} - spec: - forceRegenerate: false - fields: - - fieldName: "client-id" - length: "32" - EOF -} -data "kubernetes_secret_v1" "oauth2-client-id" { - count = var.use-oauth?1:0 - depends_on = [kubectl_manifest.oauth2-secret] - metadata { - name = kubectl_manifest.oauth2-secret.name - namespace = var.namespace - } -} - -data "authentik_certificate_key_pair" "ca" { - name = "authentik Self-signed Certificate" -} - -data "authentik_scope_mapping" "oauth2" { - managed_list = [ - "goauthentik.io/providers/oauth2/scope-email", - "goauthentik.io/providers/oauth2/scope-openid", - "goauthentik.io/providers/oauth2/scope-profile" - ] -} -data "authentik_flow" "default-authorization-flow" { - slug = "default-provider-authorization-implicit-consent" -} -data "authentik_flow" "default-authentication-flow" { - slug = "default-authentication-flow" -} - -resource "authentik_provider_oauth2" "oauth2" { - count = var.use-oauth?1:0 - name = "${var.component}-${var.instance}" - client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}" - authentication_flow = data.authentik_flow.default-authentication-flow.id - authorization_flow = data.authentik_flow.default-authorization-flow.id - client_type = "confidential" - sub_mode = "user_username" - signing_key = data.authentik_certificate_key_pair.ca.id - property_mappings = data.authentik_scope_mapping.oauth2.ids - redirect_uris = [ - "https://${local.dns-name}/" - ] -} - -resource "kubernetes_secret_v1" "oauth2-client-secret" { - count = var.use-oauth?1:0 - metadata { - name = "${var.component}-${var.instance}-secret" - namespace = var.namespace - } - data = { - 
client-secret = authentik_provider_oauth2.oauth2.client_secret - } -}