150 lines
5.1 KiB
HCL
150 lines
5.1 KiB
HCL
|
|
locals {
|
|
base-dn = format("dc=%s", join(",dc=", split(".", format("%s.%s", var.sub-domain, var.domain-name))))
|
|
base-group-dn = format("ou=groups,%s", local.base-dn)
|
|
base-user-dn = format("ou=users,%s", local.base-dn)
|
|
authentik-token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
|
|
request_headers = {
|
|
"Content-Type" = "application/json"
|
|
Authorization = "Bearer ${local.authentik-token}"
|
|
}
|
|
ldap-outpost-prividers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
|
|
ldap-outpost-pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
|
|
}
|
|
resource "kubectl_manifest" "gitea_ldap" {
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
|
|
kind: "StringSecret"
|
|
metadata:
|
|
name: "${var.component}-ldap"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.common-labels)}
|
|
spec:
|
|
forceRegenerate: false
|
|
data:
|
|
bindDn: "cn=${var.component}-ldapsearch,${local.base-user-dn}"
|
|
user-search-base: "${local.base-user-dn}"
|
|
user-filter: "(&(|(memberof=cn=gitea_admin,${local.base-group-dn})(memberof=cn=gitea_users,${local.base-group-dn}))(|(cn=%[1]s)(mail=%[1]s)))"
|
|
admin-filter: "(memberof=cn=gitea_admin,${local.base-group-dn})"
|
|
endpoint: "ak-outpost-ldap.${var.domain}-auth.svc"
|
|
fields:
|
|
- fieldName: "bindPassword"
|
|
length: "32"
|
|
EOF
|
|
}
|
|
data "kubernetes_secret_v1" "gitea_ldap_password" {
|
|
depends_on = [kubectl_manifest.gitea_ldap]
|
|
metadata {
|
|
name = kubectl_manifest.gitea_ldap.name
|
|
namespace = var.namespace
|
|
}
|
|
}
|
|
|
|
resource "authentik_user" "gitea_ldapsearch" {
|
|
username = "${var.component}-ldapsearch"
|
|
name = "${var.component}-ldapsearch"
|
|
}
|
|
|
|
resource "authentik_group" "gitea_ldapsearch" {
|
|
name = "${var.component}-ldapsearch"
|
|
users = [authentik_user.gitea_ldapsearch.id]
|
|
is_superuser = true
|
|
}
|
|
|
|
|
|
data "http" "gitea_ldapsearch_password" {
|
|
url = "http://authentik.${var.domain}-auth.svc/api/v3/core/users/${authentik_user.gitea_ldapsearch.id}/set_password/"
|
|
method = "POST"
|
|
request_headers = local.request_headers
|
|
request_body = jsonencode({password=data.kubernetes_secret_v1.gitea_ldap_password.data["bindPassword"]})
|
|
lifecycle {
|
|
postcondition {
|
|
condition = contains([201, 204], self.status_code)
|
|
error_message = "Status code invalid"
|
|
}
|
|
}
|
|
}
|
|
|
|
data "authentik_flow" "ldap-authentication-flow" {
|
|
depends_on = [authentik_user.gitea_ldapsearch] # fake dependency so it is not evaluated at plan stage
|
|
slug = "ldap-authentication-flow"
|
|
}
|
|
|
|
resource "authentik_provider_ldap" "gitea_provider_ldap" {
|
|
name = "gitea-ldap-provider"
|
|
base_dn = local.base-dn
|
|
search_group = authentik_group.gitea_ldapsearch.id
|
|
bind_flow = data.authentik_flow.ldap-authentication-flow.id
|
|
}
|
|
|
|
resource "authentik_application" "gitea_application" {
|
|
name = "gitea"
|
|
slug = "gitea"
|
|
protocol_provider = authentik_provider_ldap.gitea_provider_ldap.id
|
|
meta_launch_url = format("https://%s.%s", var.sub-domain, var.domain-name)
|
|
meta_icon = format("https://%s.%s/%s", var.sub-domain, var.domain-name, "assets/img/logo.svg")
|
|
}
|
|
|
|
resource "authentik_group" "gitea_users" {
|
|
name = "gitea_users"
|
|
}
|
|
|
|
data "authentik_group" "vynil-admin" {
|
|
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
|
|
name = "vynil-ldap-admins"
|
|
}
|
|
|
|
resource "authentik_group" "gitea_admin" {
|
|
name = "gitea_admin"
|
|
parent = authentik_group.gitea_users.id
|
|
}
|
|
|
|
resource "authentik_policy_binding" "gitea_access_users" {
|
|
target = authentik_application.gitea_application.uuid
|
|
group = authentik_group.gitea_users.id
|
|
order = 0
|
|
}
|
|
resource "authentik_policy_binding" "gitea_access_vynil" {
|
|
target = authentik_application.gitea_application.uuid
|
|
group = data.authentik_group.vynil-admin.id
|
|
order = 1
|
|
}
|
|
resource "authentik_policy_binding" "gitea_access_ldap" {
|
|
target = authentik_application.gitea_application.uuid
|
|
group = authentik_group.gitea_ldapsearch.id
|
|
order = 2
|
|
}
|
|
|
|
data "http" "get_ldap_outpost" {
|
|
depends_on = [authentik_group.gitea_users] # fake dependency so it is not evaluated at plan stage
|
|
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=ldap"
|
|
method = "GET"
|
|
request_headers = local.request_headers
|
|
lifecycle {
|
|
postcondition {
|
|
condition = contains([200], self.status_code)
|
|
error_message = "Status code invalid"
|
|
}
|
|
}
|
|
}
|
|
|
|
provider "restapi" {
|
|
uri = "http://authentik.${var.domain}-auth.svc/api/v3/"
|
|
headers = local.request_headers
|
|
create_method = "PATCH"
|
|
update_method = "PATCH"
|
|
destroy_method = "PATCH"
|
|
write_returns_object = true
|
|
id_attribute = "name"
|
|
}
|
|
|
|
resource "restapi_object" "ldap_outpost_binding" {
|
|
path = "/outposts/instances/${local.ldap-outpost-pk}/"
|
|
data = jsonencode({
|
|
name = "ldap"
|
|
providers = contains(local.ldap-outpost-prividers, authentik_provider_ldap.gitea_provider_ldap.id) ? local.ldap-outpost-prividers : concat(local.ldap-outpost-prividers, [authentik_provider_ldap.gitea_provider_ldap.id])
|
|
})
|
|
}
|
|
|