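locals {
  # Labels shared by every object on the secret-backup path
  # (ServiceAccount, Role, RoleBinding, PreBackupPod).
  secrets-labels = merge(local.common_labels, { "app.kubernetes.io/component" = "backup-secret" })

  # Labels on the generated StringSecret itself. "k8up.io/backup=true" is the
  # selector the PreBackupPod below uses to decide which secrets get exported.
  secret-labels = merge(local.secrets-labels, { "k8up.io/backup" = "true" })
}

# Randomly generated credentials for authentik, produced by the mittwald
# secret-generator operator. forceRegenerate=false keeps the values stable on
# later applies, so losing this Secret means losing the signing key and the
# bootstrap/redis credentials -- hence the backup label.
resource "kubectl_manifest" "authentik_secret" {
  # The operator adds its own annotations; ignoring them avoids a perpetual diff.
  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secret-labels)}
    spec:
      forceRegenerate: false
      fields:
        # Django/authentik signing key; rotating it invalidates existing sessions.
        - fieldName: "AUTHENTIK_SECRET_KEY"
          length: "128"
        - fieldName: "AUTHENTIK_BOOTSTRAP_PASSWORD"
          length: "32"
        - fieldName: "AUTHENTIK_BOOTSTRAP_TOKEN"
          length: "64"
        - fieldName: "AUTHENTIK_REDIS__PASSWORD"
          length: "32"
  EOF
}

# Non-secret authentik configuration, exposed as environment variables.
# Credentials (secret key, bootstrap password/token, redis and postgres
# passwords) are NOT here; they come from the StringSecret above and from
# wherever the postgres password is wired in (outside this file).
resource "kubectl_manifest" "cm" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common_labels)}
    data:
      AUTHENTIK_EMAIL__PORT: "${var.email.port}"
      AUTHENTIK_EMAIL__TIMEOUT: "${var.email.timeout}"
      # Fix: the original line was missing the ":" after the key, which made
      # the whole ConfigMap invalid YAML.
      AUTHENTIK_EMAIL__USE_TLS: "${var.email.use_tls}"
      AUTHENTIK_EMAIL__USE_SSL: "${var.email.use_ssl}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "${var.error_reporting.enabled}"
      AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: "${var.error_reporting.environment}"
      # When true, error reports sent to the upstream (Sentry) endpoint may
      # contain user data; keep this false unless that disclosure is intended.
      AUTHENTIK_ERROR_REPORTING__SEND_PII: "${var.error_reporting.send_pii}"
      AUTHENTIK_GEOIP: "${var.geoip}"
      AUTHENTIK_LOG_LEVEL: "${var.loglevel}"
      # %(type)s / %(version)s are placeholders expanded by authentik itself,
      # not by Terraform.
      AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: "${var.images.app.registry}/${var.images.app.project}/%(type)s:%(version)s"
      # Quoted for consistency with the other values (the value is a plain
      # string either way).
      AUTHENTIK_POSTGRESQL__HOST: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
      AUTHENTIK_POSTGRESQL__NAME: "${var.component}"
      AUTHENTIK_POSTGRESQL__PORT: "5432"
      AUTHENTIK_POSTGRESQL__USER: "${var.component}"
      AUTHENTIK_REDIS__HOST: "${var.name}-${var.component}-redis"
      AUTHENTIK_BOOTSTRAP_EMAIL: "${var.admin.email}@${var.domain_name}"
      GUNICORN_CMD_ARGS: "--timeout=90"
  EOF
}

# Identity used by the k8up PreBackupPod. Everything below is only created
# when backups are enabled.
resource "kubectl_manifest" "pre_backup_sa" {
  count = var.backups.enable ? 1 : 0

  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
  EOF
}

# Read access for the secret export. NOTE: the backup command below filters by
# label, but RBAC cannot scope the "list" verb by resourceNames, so this
# ServiceAccount can read every Secret in the namespace; the label selector is
# a convenience, not a security boundary. Only "list" is granted: a selector
# query ("kubectl get secrets -l ...") is a LIST request, so "get" (single
# named object) is not needed and has been dropped for least privilege.
resource "kubectl_manifest" "pre_backup_role" {
  count = var.backups.enable ? 1 : 0

  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - list
  EOF
}

# Binds the namespaced Role above to the backup ServiceAccount.
resource "kubectl_manifest" "pre_backup_rb" {
  count = var.backups.enable ? 1 : 0

  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: backup-secret
    subjects:
      - kind: ServiceAccount
        name: backup-secret
        namespace: "${var.namespace}"
  EOF
}

# k8up PreBackupPod: k8up starts this pod before each backup and runs
# backupCommand in it, capturing stdout into the backup. The labelled Secrets
# are therefore written out as plaintext YAML on stdout -- the backup
# repository (k8up/restic) is expected to encrypt at rest; confirm that for
# the configured backend, and treat backup credentials as equivalent to the
# secrets themselves.
resource "kubectl_manifest" "pre_backup_pod" {
  count = var.backups.enable ? 1 : 0

  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: k8up.io/v1
    kind: PreBackupPod
    metadata:
      name: secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    spec:
      backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
      pod:
        spec:
          # The deprecated "serviceAccount" alias was dropped; serviceAccountName
          # is the field the API uses.
          serviceAccountName: backup-secret
          containers:
            - name: secret
              image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
              imagePullPolicy: "${var.images.kubectl.pull_policy}"
              # "cat" only keeps the container alive until k8up execs the
              # backup command; without a tty it would hit EOF on stdin and exit.
              command:
                - cat
              tty: true
              # kubectl needs no capabilities; keep the idle container from
              # gaining any if the image or runtime is compromised.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
  EOF
}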