# Vynil "auth" component: builds a kustomize overlay over the authentik base
# manifests shipped with this module (*.yaml, minus index.yaml), adding
# per-instance labels, the configured image, non-secret settings and
# namespace-scoped RBAC names so that several instances can coexist.

locals {
  # In-cluster service DNS name of the authentik server. Plain HTTP: nothing
  # here encrypts this hop, so it relies on the cluster network being trusted.
  authentik_url = "http://authentik.${var.domain}-auth.svc"

  # Bootstrap token read from the "authentik" Secret declared below. Like any
  # data-source result it is persisted in Terraform state, so the state backend
  # effectively holds this credential. How the token is consumed is not visible
  # in this file.
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]

  # Labels stamped on every generated resource (see common_labels below).
  common-labels = {
    "vynil.solidite.fr/owner-name"      = var.instance
    "vynil.solidite.fr/owner-namespace" = var.namespace
    "vynil.solidite.fr/owner-category"  = var.category
    "vynil.solidite.fr/owner-component" = var.component
    "app.kubernetes.io/managed-by"      = "vynil"
    "app.kubernetes.io/name"            = var.component
    "app.kubernetes.io/instance"        = var.instance
  }
}

# The Secret carrying the bootstrap token. It is read, not created, here, so it
# must already exist in var.namespace when this module is planned.
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = var.namespace
  }
}

# Kustomize overlay. Patches are applied in the order listed; note that the
# ClusterRoleBinding receives a strategic-merge patch first (which keeps its
# name) and the rename JSON patch second, so the second target still matches
# the original name.
data "kustomization_overlay" "data" {
  namespace     = var.namespace
  common_labels = local.common-labels

  # Every manifest in the module except index.yaml.
  resources = [for file in fileset(path.module, "*.yaml") : file if file != "index.yaml"]

  # Rewrites references to the upstream image to the configured registry and
  # tag. The Deployment patches below additionally set the image field
  # explicitly for the authentik containers.
  images {
    name     = "ghcr.io/goauthentik/server"
    new_name = "${var.images.app.registry}/${var.images.app.repository}"
    new_tag  = "${var.images.app.tag}"
  }

  # Non-secret authentik settings. Credentials are deliberately absent: the
  # database password is injected via secretKeyRef in the Deployment patches,
  # and the remaining secret-valued settings come from the Secret named
  # var.component through envFrom.
  config_map_generator {
    name     = var.component
    behavior = "create"
    literals = [
      "AUTHENTIK_EMAIL__PORT=${var.email.port}",
      "AUTHENTIK_EMAIL__TIMEOUT=${var.email.timeout}",
      "AUTHENTIK_EMAIL__USE_TLS=${var.email.use_tls}",
      "AUTHENTIK_EMAIL__USE_SSL=${var.email.use_ssl}",
      "AUTHENTIK_ERROR_REPORTING__ENABLED=${var.error_reporting.enabled}",
      "AUTHENTIK_ERROR_REPORTING__ENVIRONMENT=${var.error_reporting.environment}",
      # NOTE(review): this presumably controls whether personal data is sent
      # to the error-reporting backend; the default lives in the variable
      # definition, not here — confirm it is off unless explicitly wanted.
      "AUTHENTIK_ERROR_REPORTING__SEND_PII=${var.error_reporting.send_pii}",
      "AUTHENTIK_GEOIP=${var.geoip}",
      "AUTHENTIK_LOG_LEVEL=${var.loglevel}",
      # Outpost images are pulled from var.images.app.project, not
      # var.images.app.repository used for the server image above.
      "AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=${var.images.app.registry}/${var.images.app.project}/%(type)s:%(version)s",
      "AUTHENTIK_POSTGRESQL__NAME=${var.component}",
      # NOTE(review): port is fixed at 5432 while host/user/name are variables.
      "AUTHENTIK_POSTGRESQL__PORT=5432",
      "AUTHENTIK_POSTGRESQL__USER=${var.component}",
      # NOTE(review): uses var.name as the prefix, whereas the PostgreSQL host
      # and Secret names in the patches below use var.instance — confirm both
      # resolve to the same value.
      "AUTHENTIK_REDIS__HOST=${var.name}-${var.component}-redis",
      "AUTHENTIK_BOOTSTRAP_EMAIL=${var.admin.email}@${var.domain_name}",
    ]
  }

  # Strategic-merge patch for the server Deployment: pins image and pull
  # policy, points at the in-cluster PostgreSQL pool service, takes the DB
  # password from the "<instance>-<component>-pg-app" Secret (never from the
  # ConfigMap), and wires the component Secret + ConfigMap through envFrom.
  patches {
    target {
      kind = "Deployment"
      name = "authentik-server"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: authentik-server
      spec:
        template:
          spec:
            containers:
            - name: authentik
              image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
              imagePullPolicy: "${var.images.app.pullPolicy}"
              env:
              - name: "AUTHENTIK_POSTGRESQL__HOST"
                value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
              - name: AUTHENTIK_POSTGRESQL__PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: "${var.instance}-${var.component}-pg-app"
                    key: password
              envFrom:
              - secretRef:
                  name: ${var.component}
              - configMapRef:
                  name: ${var.component}
    EOF
  }

  # Same patch for the worker Deployment (identical env wiring to the server).
  patches {
    target {
      kind = "Deployment"
      name = "authentik-worker"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: authentik-worker
      spec:
        template:
          spec:
            containers:
            - name: authentik
              image: "${var.images.app.registry}/${var.images.app.repository}:${var.images.app.tag}"
              imagePullPolicy: "${var.images.app.pullPolicy}"
              env:
              - name: "AUTHENTIK_POSTGRESQL__HOST"
                value: "${var.instance}-${var.component}-pool.${var.namespace}.svc"
              - name: AUTHENTIK_POSTGRESQL__PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: "${var.instance}-${var.component}-pg-app"
                    key: password
              envFrom:
              - secretRef:
                  name: ${var.component}
              - configMapRef:
                  name: ${var.component}
    EOF
  }

  # JSON patch: the ClusterRole is cluster-scoped, so it is renamed per
  # namespace to keep instances from overwriting each other's role. Its rules
  # come from the base manifest, which is not in this file — that is where the
  # cluster-wide permissions granted to authentik should be reviewed.
  patches {
    target {
      kind = "ClusterRole"
      name = "authentik-vynil-auth"
    }
    patch = <<-EOF
      - op: replace
        path: /metadata/name
        value: authentik-${var.namespace}
    EOF
  }

  # Strategic-merge patch: bind the renamed ClusterRole to the "authentik"
  # ServiceAccount of this namespace only. The metadata.name is left unchanged
  # here on purpose; the rename follows in the next patch.
  patches {
    target {
      kind = "ClusterRoleBinding"
      name = "authentik-vynil-auth"
    }
    patch = <<-EOF
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: authentik-vynil-auth
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: authentik-${var.namespace}
      subjects:
      - kind: ServiceAccount
        name: authentik
        namespace: ${var.namespace}
    EOF
  }

  # JSON patch: per-namespace name for the ClusterRoleBinding, mirroring the
  # ClusterRole rename above.
  patches {
    target {
      kind = "ClusterRoleBinding"
      name = "authentik-vynil-auth"
    }
    patch = <<-EOF
      - op: replace
        path: /metadata/name
        value: authentik-${var.namespace}
    EOF
  }
}