vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refacto Oauht2

Browse Source
This commit is contained in:
Xavier Mortelette
2024-10-29 16:01:41 +01:00
parent f4ac0c5ac3
commit 03698c2dc2
12 changed files with 209 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.terraform*

5
ak-gatekeeper/ak_provider.tf
View File

@@ -2,6 +2,10 @@ data "authentik_flow" "proxy_authorization_flow" {
depends_on = [data.kubernetes_secret_v1.authentik] depends_on = [data.kubernetes_secret_v1.authentik]
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default_invalidation_flow" {
depends_on = [data.kubernetes_secret_v1.authentik]
slug = "default-provider-invalidation-flow"
}
resource "authentik_provider_proxy" "app_proxy_provider" { resource "authentik_provider_proxy" "app_proxy_provider" {
name = "${local.app_slug}-provider" name = "${local.app_slug}-provider"
@@ -9,4 +13,5 @@ resource "authentik_provider_proxy" "app_proxy_provider" {
authorization_flow = data.authentik_flow.proxy_authorization_flow.id authorization_flow = data.authentik_flow.proxy_authorization_flow.id
mode = "forward_single" mode = "forward_single"
access_token_validity = var.access_token_validity access_token_validity = var.access_token_validity
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
} }

4
ak-gatekeeper/providers.tf
View File

@@ -10,8 +10,8 @@ terraform {
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2024.10.0"
} }
http = { http = {
source = "hashicorp/http" source = "hashicorp/http"

5
application/providers.tf
View File

@@ -1,12 +1,13 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2024.10.0"
} }
} }
} }

115
oauth2/oauth2.tf
View File

@@ -3,22 +3,38 @@ locals {
oauth2_labels = merge(var.labels, { oauth2_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-oauth2" "app.kubernetes.io/component" = "authentik-oauth2"
}) })
cert_signing = var.cert_sign_secret_name != ""
signing_id = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
} }
resource "random_password" "client_id" { resource "kubectl_manifest" "secret_gen" {
length = 32 yaml_body = <<-EOF
special = false apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-oauth2"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
ownerReferences: ${jsonencode(var.owner_references)}
spec:
forceRegenerate: false
fields:
- fieldName: "client_id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "secret_gen" {
metadata {
name = kubectl_manifest.secret_gen.name
namespace = var.namespace
}
} }
data "authentik_certificate_key_pair" "ca" { data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate" name = "authentik Self-signed Certificate"
} }
data "authentik_property_mapping_provider_scope" "oauth2" {
data "authentik_scope_mapping" "oauth2" {
managed_list = [ managed_list = [
"goauthentik.io/providers/oauth2/scope-email", for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
] ]
} }
data "authentik_flow" "default_authorization_flow" { data "authentik_flow" "default_authorization_flow" {
@@ -27,16 +43,50 @@ data "authentik_flow" "default_authorization_flow" {
data "authentik_flow" "default_authentication_flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
data "authentik_flow" "default_invalidation_flow" {
slug = "default-provider-invalidation-flow"
}
resource "authentik_group" "app_group" {
name = local.app_slug
attributes = jsonencode({ "app_slug" = local.app_slug })
}
resource "authentik_group" "groups" {
for_each = var.group_mapping
name = each.key
parent = authentik_group.app_group.id
attributes = jsonencode({
"app_slug" = local.app_slug
"gen_group_name" = each.value
})
}
data "kubernetes_secret_v1" "signing_cert" {
count = var.cert_sign_secret_name != "" ? 1 : 0
metadata {
name = var.cert_sign_secret_name
namespace = var.namespace
}
}
resource "authentik_certificate_key_pair" "name" {
count = local.cert_signing ? 1 : 0
name = "${local.app_slug} Signing"
certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
key_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
}
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
name = local.app_slug name = local.app_slug
client_id = random_password.client_id.result client_id = data.kubernetes_secret_v1.secret_gen.data.client_id
authentication_flow = data.authentik_flow.default_authentication_flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default_authorization_flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
client_type = "confidential" invalidation_flow = data.authentik_flow.default_invalidation_flow.id
client_type = var.client_type
sub_mode = "user_username" sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id signing_key = local.signing_id
property_mappings = data.authentik_scope_mapping.oauth2.ids property_mappings = data.authentik_property_mapping_provider_scope.oauth2.ids
redirect_uris = [ redirect_uris = [
"https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}" "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
] ]
@@ -49,15 +99,32 @@ data "kubernetes_ingress_v1" "authentik" {
} }
} }
resource "kubernetes_secret" "oauth2_client_secret" { resource "kubectl_manifest" "oauth2_client_secret" {
metadata { force_new = true
name = "${local.app_slug}-oauth2" yaml_body = <<-EOF
namespace = var.namespace apiVersion: v1
labels = local.oauth2_labels kind: Secret
} metadata:
data = { name: "${local.app_slug}-oauth2"
oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/" namespace: "${var.namespace}"
client_id = random_password.client_id.result labels: ${jsonencode(local.oauth2_labels)}
client_secret = authentik_provider_oauth2.oauth2.client_secret ownerReferences: ${jsonencode(var.owner_references)}
} data:
oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
client_id: "${base64encode(data.kubernetes_secret_v1.secret_gen.data.client_id)}"
client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
EOF
} }
# resource "kubernetes_secret" "oauth2_client_secret" {
# metadata {
# name = "${local.app_slug}-oauth2"
# namespace = var.namespace
# labels = local.oauth2_labels
# }
# data = {
# oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
# client_id = data.kubernetes_secret_v1.secret_gen.data["client_id"]
# client_secret = authentik_provider_oauth2.oauth2.client_secret
# }
# }

4
oauth2/outputs.tf
View File

@@ -23,7 +23,7 @@ output "sso_token_url" {
} }
output "client_id" { output "client_id" {
value = random_password.client_id.result value = data.kubernetes_secret_v1.secret_gen.data.client_id
} }
output "client_secret" { output "client_secret" {
@@ -31,6 +31,6 @@ output "client_secret" {
} }
output "oauth2_secret_name" { output "oauth2_secret_name" {
value = kubernetes_secret.oauth2_client_secret.metadata[0].name value = kubectl_manifest.oauth2_client_secret.name
} }

5
oauth2/providers.tf
View File

@@ -1,5 +1,6 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = { kubernetes = {
source = "hashicorp/kubernetes" source = "hashicorp/kubernetes"
@@ -10,8 +11,8 @@ terraform {
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2024.10.0"
} }
} }
} }

33
oauth2/variables.tf
View File

@@ -20,3 +20,36 @@ variable "redirect_path" {
type = string type = string
default = "" default = ""
} }
variable "group_mapping" {
type = map(string)
default = {}
description = "Group mapping where key application group and value the generic group name"
}
variable "owner_references" {
type = list(object({}))
description = "Adding owner references"
default = []
}
variable "scopes" {
type = list(string)
description = "List of default scope allowed"
default = [
"scope-email",
"scope-openid",
"scope-profile",
]
}
variable "client_type" {
type = string
description = "OAuth client type confidential / public(PKCE)"
default = "confidential"
validation {
condition = contains(["confidential", "public"], var.client_type)
error_message = "Only empty confidential or public is allowed"
}
}
variable "cert_sign_secret_name" {
type = string
description = "The name of the secret for signing JWT (if empty use authentik default)"
default = ""
}

11
pvc/providers.tf
View File

@@ -1,8 +1,13 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = { kubernetes = {
source = "gavinbunney/kubectl" source = "hashicorp/kubernetes"
version = "~> 1.14.0" version = "~> 2.20.0"
} }
# kubectl = {
# source = "gavinbunney/kubectl"
# version = "~> 1.14.0"
# }
} }
} }

80
pvc/pvc.tf
View File

@@ -3,30 +3,60 @@ locals {
pvc_labels = merge(var.labels, { pvc_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pvc" "app.kubernetes.io/component" = "pvc"
}) })
pvc_spec = merge({ pvc_annotations = {
"accessModes" = [var.storage.access_mode] "k8up.io/backup" = var.backup
"volumeMode" = var.storage.type "resize.kubesphere.io/storage_limit" = var.storage.max_size
"resources" = { }
"requests" = { # pvc_spec = merge({
"storage" = var.storage.size # "accessModes" = [var.storage.access_mode]
# "volumeMode" = var.storage.type
# "resources" = {
# "requests" = {
# "storage" = var.storage.size
# }
# }
# }, var.storage.class != "" ? {
# "storageClassName" = var.storage.class
# } : {})
}
# resource "kubectl_manifest" "pvc" {
# ignore_fields = [
# "spec.resources.requests.storage",
# "spec.storageClassName",
# ]
# yaml_body = <<-EOF
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: ${local.app_slug}
# namespace: "${var.namespace}"
# annotations:
# k8up.io/backup: "${var.backup}"
# resize.kubesphere.io/storage_limit: "${var.storage.max_size}"
# labels: ${jsonencode(local.pvc_labels)}
# spec: ${jsonencode(local.pvc_spec)}
# EOF
# }
resource "kubernetes_persistent_volume_claim_v1" "pvc" {
metadata {
name = local.app_slug
namespace = var.namespace
annotations = local.pvc_annotations
labels = local.pvc_labels
}
spec {
access_modes = [var.storage.access_mode]
resources {
requests = {
storage = var.storage.size
} }
} }
}, var.storage.class != "" ? { storage_class_name = var.storage.class
"storageClassName" = var.storage.class }
} : {}) lifecycle {
} ignore_changes = [
resource "kubectl_manifest" "pvc" { spec[0].resources[0].requests[0],
ignore_fields = ["spec.resources.requests.storage"] spec[0].storage_class_name,
yaml_body = <<-EOF ]
apiVersion: v1 }
kind: PersistentVolumeClaim }
metadata:
name: ${local.app_slug}
namespace: "${var.namespace}"
annotations:
k8up.io/backup: "${var.backup}"
resize.kubesphere.io/storage_limit: "${var.storage.max_size}
labels: ${jsonencode(local.pvc_labels)}
spec: ${jsonencode(local.pvc_spec)}
EOF
}

17
pvc/variables.tf
View File

@@ -12,19 +12,12 @@ variable "labels" {
} }
variable "storage" { variable "storage" {
type = object({ type = object({
access_mode = optional(string), access_mode = optional(string, "ReadWriteOnce"),
class = optional(string), class = optional(string, ""),
size = optional(string), size = optional(string, "2Gi"),
max_size = optional(string), max_size = optional(string, "10Gi"),
type = optional(string) type = optional(string, "Filesystem")
}) })
default = {
"access_mode" = "ReadWriteOnce"
"class" = ""
"size" = "2Gi"
"max_size" = "10Gi"
"type" = "Filesystem"
}
} }
variable "backup" { variable "backup" {

2
redis/outputs.tf
View File

@@ -1,5 +1,5 @@
output "conn_string" { output "conn_string" {
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379" value = "tcp://${local.app_slug}-redis.${var.namespace}.svc:6379"
} }
output "service" { output "service" {