locals {
  # Labels shared by every object of the secret-backup machinery
  # (ServiceAccount, Role, RoleBinding, PreBackupPod): the module-wide
  # common labels plus the component marker.
  secrets-labels = merge(
    local.common_labels,
    { "app.kubernetes.io/component" = "backup-secret" },
  )

  # Labels for the generated StringSecret itself: the same set as above plus
  # the k8up selector label. The PreBackupPod's backup command filters on
  # "k8up.io/backup=true", so this label is what opts the secret into backups.
  # NOTE: "secrets-labels" and "secret-labels" differ by a single letter; both
  # names are referenced by the resources below, so they are kept unchanged.
  secret-labels = merge(
    local.common_labels,
    {
      "app.kubernetes.io/component" = "backup-secret"
      "k8up.io/backup"              = "true"
    },
  )
}
# Generated credentials for the authentik instance.
#
# The manifest is a mittwald StringSecret: it lists field names and lengths
# only and contains no secret values. The values are produced in-cluster by
# whatever controller handles StringSecret objects, so no key material is
# present in this file or in the rendered yaml_body.
#
# The object carries local.secret-labels, which includes
# "k8up.io/backup" = "true" -- the label the PreBackupPod further down selects
# on when it dumps secrets for backup. Keep that in mind when changing labels:
# removing the label silently drops the secret from backups.
#
# forceRegenerate is false, so -- going by the field name -- existing values
# are expected to survive re-applies; confirm the exact rotation semantics
# against the secret-generator's documentation before relying on it.
resource "kubectl_manifest" "authentik_secret" {
  # Annotations are ignored on diff; presumably the controller writes its own
  # annotations at runtime and they would otherwise show up as drift.
  ignore_fields = ["metadata.annotations"]
  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secret-labels)}
    spec:
      forceRegenerate: false
      fields:
        - fieldName: "AUTHENTIK_SECRET_KEY"
          length: "128"
        - fieldName: "AUTHENTIK_BOOTSTRAP_PASSWORD"
          length: "32"
        - fieldName: "AUTHENTIK_BOOTSTRAP_TOKEN"
          length: "64"
        - fieldName: "AUTHENTIK_REDIS__PASSWORD"
          length: "32"
  EOF
}
# Non-secret runtime configuration for authentik, delivered as a ConfigMap.
# Credentials (secret key, bootstrap password/token, Redis password) are
# deliberately absent here; they live in the StringSecret above.
#
# Notes on individual keys:
#   * AUTHENTIK_ERROR_REPORTING__SEND_PII decides whether personal data is
#     attached to error reports; treat it as a privacy decision rather than a
#     debugging convenience.
#   * AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE keeps the literal
#     "%(type)s:%(version)s" suffix -- these are not Terraform interpolation
#     and are presumably placeholders authentik expands itself.
#   * AUTHENTIK_POSTGRESQL__HOST is the only unquoted value. The
#     "<instance>-<component>-pool.<namespace>.svc" shape is a safe plain
#     scalar, but quoting it like its siblings would be more uniform.
#   * AUTHENTIK_REDIS__HOST is derived from var.name whereas the other derived
#     names use var.instance -- NOTE(review): confirm this is intentional.
#   * AUTHENTIK_BOOTSTRAP_EMAIL joins var.admin.email (the local part) with
#     var.domain_name.
resource "kubectl_manifest" "cm" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common_labels)}
    data:
      AUTHENTIK_EMAIL__PORT: "${var.email.port}"
      AUTHENTIK_EMAIL__TIMEOUT: "${var.email.timeout}"
      AUTHENTIK_EMAIL__USE_TLS: "${var.email.use_tls}"
      AUTHENTIK_EMAIL__USE_SSL: "${var.email.use_ssl}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "${var.error_reporting.enabled}"
      AUTHENTIK_ERROR_REPORTING__ENVIRONMENT: "${var.error_reporting.environment}"
      AUTHENTIK_ERROR_REPORTING__SEND_PII: "${var.error_reporting.send_pii}"
      AUTHENTIK_GEOIP: "${var.geoip}"
      AUTHENTIK_LOG_LEVEL: "${var.loglevel}"
      AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE: "${var.images.app.registry}/${var.images.app.project}/%(type)s:%(version)s"
      AUTHENTIK_POSTGRESQL__HOST: ${var.instance}-${var.component}-pool.${var.namespace}.svc
      AUTHENTIK_POSTGRESQL__NAME: "${var.component}"
      AUTHENTIK_POSTGRESQL__PORT: "5432"
      AUTHENTIK_POSTGRESQL__USER: "${var.component}"
      AUTHENTIK_REDIS__HOST: "${var.name}-${var.component}-redis"
      AUTHENTIK_BOOTSTRAP_EMAIL: "${var.admin.email}@${var.domain_name}"
      GUNICORN_CMD_ARGS: "--timeout=90"
  EOF
}
# ServiceAccount the PreBackupPod runs as.
#
# Its only purpose is to be the subject of the "backup-secret" RoleBinding;
# the same name is referenced by the RoleBinding subject and by the
# PreBackupPod's serviceAccountName, so rename all three together.
resource "kubectl_manifest" "pre_backup_sa" {
  # Present only when backups are enabled; the Role, RoleBinding and
  # PreBackupPod resources carry the same count so they appear and disappear
  # as a set.
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
  EOF
}
# Role granting the backup ServiceAccount read access to Secrets.
#
# Least-privilege caveat: Kubernetes RBAC cannot be scoped by label, so
# list/get on "secrets" lets anything running as backup-secret read every
# Secret in var.namespace, not only those labelled k8up.io/backup=true. The
# label selector in the backup command narrows the output, not the permission;
# keep this namespace free of unrelated secrets if that matters.
#
# NOTE(review): the backup command ("kubectl get secrets -l ...") issues a
# list request, so the "get" verb looks unused and could be dropped if nothing
# else depends on it.
resource "kubectl_manifest" "pre_backup_role" {
  # Created together with the SA/RoleBinding/PreBackupPod when backups are on.
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - get
          - list
  EOF
}
# RoleBinding attaching the "backup-secret" Role to the "backup-secret"
# ServiceAccount, both in var.namespace.
#
# Being a RoleBinding (not a ClusterRoleBinding) the grant stays confined to
# this namespace; the subject is the single ServiceAccount defined above, so
# no other identity inherits the secret-read permission through this binding.
resource "kubectl_manifest" "pre_backup_rb" {
  # Same enable switch as the other backup resources.
  count = var.backups.enable?1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: backup-secret
    subjects:
      - kind: ServiceAccount
        name: backup-secret
        namespace: "${var.namespace}"
  EOF
}
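# k8up PreBackupPod that dumps the labelled secrets ahead of a backup.
#
# backupCommand is a plain "kubectl get secrets -o yaml" filtered on the
# k8up.io/backup=true label that local.secret-labels puts on the StringSecret
# above; per the PreBackupPod contract k8up is expected to run this command in
# the pod and capture its output (confirm against the k8up version in use).
# That output is the secrets' YAML with base64-encoded, not encrypted, data,
# so the confidentiality of the dump rests entirely on how the backup
# repository is protected.
#
# The command carries no "-n"; it relies on the in-cluster default namespace
# (the pod's own), which is also the scope of the Role bound to this account.
#
# Hardening applied to the container (kubectl and cat need none of what is
# removed): privilege escalation disabled, all capabilities dropped and the
# runtime-default seccomp profile. runAsNonRoot is not set because it depends
# on the UID baked into var.images.kubectl; enable it once that is confirmed.
# The deprecated PodSpec alias "serviceAccount" is omitted; serviceAccountName
# is the canonical field and carries the same value.
resource "kubectl_manifest" "pre_backup_pod" {
  # Created only when backups are enabled, together with the SA/Role/RoleBinding
  # that carry the same count.
  count = var.backups.enable ? 1 : 0
  ignore_fields = ["metadata.annotations"]
  yaml_body = <<-EOF
    apiVersion: k8up.io/v1
    kind: PreBackupPod
    metadata:
      name: secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    spec:
      backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
      pod:
        spec:
          containers:
            - command:
                - cat
              image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
              imagePullPolicy: "${var.images.kubectl.pull_policy}"
              name: secret
              tty: true
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
          serviceAccountName: backup-secret
  EOF
}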