resource "kubectl_manifest" "oauth2-secret" { ignore_fields = ["metadata.annotations"] yaml_body = <<-EOF apiVersion: "secretgenerator.mittwald.de/v1alpha1" kind: "StringSecret" metadata: name: "${var.component}-${var.instance}-id" namespace: "${var.namespace}" labels: ${jsonencode(var.labels)} spec: forceRegenerate: false fields: - fieldName: "client-id" length: "32" EOF } data "kubernetes_secret_v1" "oauth2-client-id" { depends_on = [kubectl_manifest.oauth2-secret] metadata { name = kubectl_manifest.oauth2-secret.name namespace = var.namespace } } data "authentik_certificate_key_pair" "ca" { name = "authentik Self-signed Certificate" } data "authentik_scope_mapping" "oauth2" { managed_list = [ "goauthentik.io/providers/oauth2/scope-email", "goauthentik.io/providers/oauth2/scope-openid", "goauthentik.io/providers/oauth2/scope-profile" ] } data "authentik_flow" "default-authorization-flow" { slug = "default-provider-authorization-implicit-consent" } data "authentik_flow" "default-authentication-flow" { slug = "default-authentication-flow" } resource "authentik_provider_oauth2" "oauth2" { name = "${var.component}-${var.instance}" client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}" authentication_flow = data.authentik_flow.default-authentication-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id client_type = "confidential" sub_mode = "user_username" signing_key = data.authentik_certificate_key_pair.ca.id property_mappings = data.authentik_scope_mapping.oauth2.ids redirect_uris = [ "https://${var.dns_name}/${var.redirect_path}" ] } resource "kubernetes_secret_v1" "oauth2-client-secret" { metadata { name = "${var.component}-${var.instance}-secret" namespace = var.namespace labels = var.labels } data = { client-secret = authentik_provider_oauth2.oauth2.client_secret } }