No more sercretString dans oauth2

2024-05-17 16:10:54 +02:00
parent 1c42b356c1
commit 159b576b24
2 changed files with 19 additions and 27 deletions
--- a/oauth2/oauth2.tf
+++ b/oauth2/oauth2.tf
@@ -4,29 +4,9 @@ locals {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })
 }
-resource "kubectl_manifest" "oauth2-secret" {
-  ignore_fields = ["metadata.annotations"]
-  yaml_body     = <<-EOF
-    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-    kind: "StringSecret"
-    metadata:
-      name: "${local.app_slug}-id"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.oauth2_labels)}
-    spec:
-      forceRegenerate: false
-      fields:
-      - fieldName: "client-id"
-        length: "32"
-  EOF
-}
-data "kubernetes_secret_v1" "oauth2-client-id" {
-  depends_on = [kubectl_manifest.oauth2-secret]
-  metadata {
-    name      = kubectl_manifest.oauth2-secret.name
-    namespace = var.namespace
-    labels = local.oauth2_labels
-  }
+resource "random_password" "client_id" {
+  length           = 32
+  special          = false
 }

 data "authentik_certificate_key_pair" "ca" {
@@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" {

 resource "authentik_provider_oauth2" "oauth2" {
  name                = "${local.app_slug}"
-  client_id           = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+  client_id           = random_password.client_id.result
  authentication_flow = data.authentik_flow.default-authentication-flow.id
  authorization_flow  = data.authentik_flow.default-authorization-flow.id
  client_type         = "confidential"
@@ -61,6 +41,17 @@ resource "authentik_provider_oauth2" "oauth2" {
  ]
 }

+resource "kubernetes_secret_v1" "oauth2-client-id" {
+  metadata {
+    name      = "${local.app_slug}-id"
+    namespace = var.namespace
+    labels    = local.oauth2_labels
+  }
+  data = {
+    client-id = random_password.client_id.result
+  }
+}
+
 resource "kubernetes_secret_v1" "oauth2-client-secret" {
  metadata {
    name      = "${local.app_slug}-secret"
@@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
    labels    = local.oauth2_labels
  }
  data = {
+    client-id = random_password.client_id.result
    client-secret = authentik_provider_oauth2.oauth2.client_secret
  }
 }
--- a/oauth2/outputs.tf
+++ b/oauth2/outputs.tf
@@ -18,14 +18,14 @@ output "sso_token_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
 }
 output "client_id" {
-  value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
+  value = random_password.client_id.result
 }
 output "client_secret" {
-  value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
+  value = authentik_provider_oauth2.oauth2.client_secret
 }

 output "secret_client_id_name" {
-  value = kubectl_manifest.oauth2-secret.name
+  value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
 }
 output "secret_client_secret_name" {
  value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name