vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refacto and add modules

Browse Source
This commit is contained in:
Xavier Mortelette
2024-02-06 11:03:20 +01:00
parent 140321f714
commit 1e1cedcaeb
47 changed files with 685 additions and 360 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
application/application.tf
View File

@@ -1,6 +1,8 @@
locals {
app_name = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
app_name = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
main_group = format("app-%s", local.app_slug)
url_icon = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", var.dns_name, var.icon)
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
@@ -16,31 +18,31 @@ resource "authentik_group" "subgroup" {
parent = authentik_group.groups.id
}
resource "authentik_application" "prj_app" {
name = var.instance
slug = "${var.component}-${var.instance}"
resource "authentik_application" "app" {
name = var.app_name
slug = local.app_slug
group = var.app_group
protocol_provider = var.protocol_provider
backchannel_providers = var.backchannel_providers
meta_launch_url = format("https://%s", var.dns_name)
meta_icon = format("https://%s/%s", var.dns_name, var.icon)
meta_icon = local.url_icon
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
name = "${local.app_slug}-${local.main_group}"
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "prj_access_users" {
target = authentik_application.prj_app.uuid
resource "authentik_policy_binding" "access_users" {
target = authentik_application.app.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_app.uuid
resource "authentik_policy_binding" "access_vynil" {
target = authentik_application.app.uuid
group = data.authentik_group.akadmin.id
order = 1
}

6
application/outputs.tf
View File

@@ -1,8 +1,8 @@
output "application-id" {
value = authentik_application.prj_app.uuid
output "application_id" {
value = authentik_application.app.uuid
}
output "policy-id" {
output "policy_id" {
value = authentik_policy_expression.policy.id
}
output "main_group" {

4
application/variables.tf
View File

@@ -17,6 +17,10 @@ variable "protocol_provider" {
variable "dns_name" {
type = string
}
variable "app_name" {
type = string
default = ""
}
variable "sub_groups" {
type = list(string)
default = []

19
backup/backup.tf
View File

@@ -1,16 +1,15 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
}
resource "kubectl_manifest" "backup_schedule" {
count = var.backups.enable ? 1 : 0
yaml_body = <<-EOF
apiVersion: k8up.io/v1
kind: Schedule
metadata:
name: "${var.app_slug}-backup"
name: "${local.app_slug}-backup"
namespace: "${var.namespace}"
labels: ${jsonencode(local.labels)}
labels: ${jsonencode(var.labels)}
spec:
backend:
repoPasswordSecretRef:
@@ -20,11 +19,11 @@ resource "kubectl_manifest" "backup_schedule" {
accessKeyIDSecretRef:
key: "${var.backups.key_id_key}"
name: "${var.backups.secret_name}"
bucket: "${var.app_slug}-${var.namespace}"
bucket: "${local.app_slug}-${var.namespace}"
endpoint: "${var.backups.endpoint}/restic"
secretAccessKeySecretRef:
key: "${var.backups.secret_key}"
name: "${var.backups.secret-name}"
name: "${var.backups.secret_name}"
backup:
schedule: "${var.backups.schedule.backup}"
failedJobsHistoryLimit: 2
@@ -33,10 +32,10 @@ resource "kubectl_manifest" "backup_schedule" {
schedule: "${var.backups.schedule.check}"
prune:
retention:
keepDaily: ${var.backups.retention.keepDaily}
keepMonthly: ${var.backups.retention.keepMonthly}
keepWeekly: ${var.backups.retention.keepWeekly}
keepYearly: ${var.backups.retention.keepYearly}
keepDaily: ${var.backups.retention.keep_daily}
keepMonthly: ${var.backups.retention.keep_monthly}
keepWeekly: ${var.backups.retention.keep_weekly}
keepYearly: ${var.backups.retention.keep_yearly}
schedule: "${var.backups.schedule.prune}"
EOF
}

16
backup/variables.tf
View File

@@ -17,10 +17,10 @@ variable "backups" {
"key_id_key" = "s3-id"
"restic_key" = "bck-password"
"retention" = {
"keepDaily" = 14
"keepMonthly" = 12
"keepWeekly" = 6
"keepYearly" = 12
"keep_daily" = 14
"keep_monthly" = 12
"keep_weekly" = 6
"keep_yearly" = 12
}
"schedule" = {
"backup" = "30 3 * * *"
@@ -38,10 +38,10 @@ variable "backups" {
key_id_key = optional(string),
restic_key = optional(string),
retention = optional(object({
keepDaily = optional(number),
keepMonthly = optional(number),
keepWeekly = optional(number),
keepYearly = optional(number)
keep_daily = optional(number),
keep_monthly = optional(number),
keep_weekly = optional(number),
keep_yearly = optional(number)
})),
schedule = optional(object({
backup = optional(string),

20
forward/forward.tf
View File

@@ -1,7 +1,5 @@
locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
forward_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-forward"
})
@@ -19,9 +17,11 @@ locals {
}]
}
}]
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
}
resource "kubectl_manifest" "prj_ingress_icon" {
resource "kubectl_manifest" "ingress_icon" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
@@ -39,20 +39,20 @@ resource "kubectl_manifest" "prj_ingress_icon" {
EOF
}
data "authentik_flow" "default-authorization-flow" {
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent"
}
resource "authentik_provider_proxy" "prj_forward" {
resource "authentik_provider_proxy" "forward" {
name = local.app_slug
external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id
authorization_flow = data.authentik_flow.default_authorization_flow.id
mode = "forward_single"
access_token_validity = var.access_token_validity
}
data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.prj_forward]
depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET"
request_headers = var.request_headers
@@ -68,11 +68,11 @@ resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({
name = "forward"
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id])
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
})
}
resource "kubectl_manifest" "prj_middleware" {
resource "kubectl_manifest" "middleware" {
yaml_body = <<-EOF
apiVersion: traefik.io/v1alpha1
kind: Middleware

4
forward/outputs.tf
View File

@@ -1,5 +1,5 @@
output "provider-id" {
value = authentik_provider_proxy.prj_forward.id
output "provider_id" {
value = authentik_provider_proxy.forward.id
}
output "sso_logout" {

18
forward/variables.tf
View File

@@ -6,10 +6,6 @@ variable "instance" {
type = string
}
variable "icon" {
type = string
}
variable "domain" {
type = string
}
@@ -18,12 +14,16 @@ variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "ingress_class" {
type = string
}
variable "labels" {
type = map(string)
variable "icon" {
type = string
}
variable "dns_names" {
@@ -41,6 +41,12 @@ variable "app_name" {
}
variable "service" {
type = object({
name = string
port = object({
number = number
})
})
}
variable "request_headers" {

25
ingress/ingress.tf
View File

@@ -1,24 +1,25 @@
locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pres_labels = merge(var.labels, {
"app.kubernetes.io/component" = "presentation"
})
rules = [for v in var.dns_names : {
"host" = "${v}"
"http" = {
"paths" = [for idx, svc in var.services : {
"path" = "/${var.sub_paths[idx]}"
"paths" = [for mapper in var.services_mapping : {
"path" = "/${mapper.path}"
"pathType" = "Prefix"
"backend" = {
"service" = svc
"service" = mapper.service
}
}]
}
}]
tls = var.enforce_tls ? [
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
{
secretName = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
secretName = local.secret_name
hosts = var.dns_names
}
] : []
@@ -36,8 +37,8 @@ locals {
)
}
resource "kubectl_manifest" "prj_certificate" {
count = var.create_cert ? 1 : 0
resource "kubectl_manifest" "certificate" {
count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
@@ -46,7 +47,7 @@ resource "kubectl_manifest" "prj_certificate" {
namespace: "${var.namespace}"
labels: ${jsonencode(local.pres_labels)}
spec:
secretName: "${local.app_slug}-cert"
secretName: "${local.secret_name}"
dnsNames: ${jsonencode(var.dns_names)}
issuerRef:
kind: "ClusterIssuer"
@@ -55,8 +56,8 @@ resource "kubectl_manifest" "prj_certificate" {
EOF
}
resource "kubectl_manifest" "prj_https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0
resource "kubectl_manifest" "https_redirect" {
count = var.create_redirect ? 1 : 0
yaml_body = <<-EOF
apiVersion: "traefik.io/v1alpha1"
kind: "Middleware"
@@ -71,7 +72,7 @@ resource "kubectl_manifest" "prj_https_redirect" {
EOF
}
resource "kubectl_manifest" "prj_ingress" {
resource "kubectl_manifest" "ingress" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"

2
ingress/outputs.tf
View File

@@ -1,3 +1,3 @@
output "secret_name" {
value = var.create_cert ? "${local.app_slug}-cert":""
value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
}

46
ingress/variables.tf
View File

@@ -24,35 +24,37 @@ variable "middlewares" {
type = list(string)
default = []
}
variable "services" {
type = list(any)
variable "services_mapping" {
type = list(object({
path = optional(string)
service = object({
name= string
port = object({
number = number
})
})
}))
}
variable "create_redirect" {
type = bool
default = true
}
variable "create_cert" {
type = bool
default = true
}
variable "enforce_tls" {
type = bool
default = true
}
variable "sub_paths" {
type = list(string)
default = [""]
}
variable "cert_name" {
type = string
default = ""
}
variable "entrypoint" {
type = string
default = ""
description = "Define ingres support, if empty or define to websecure, tls will be activate"
validation {
condition = contains(["", "web", "websecure"], var.entrypoint)
error_message = "Only empty \"\", web or websecure is allowed"
}
}
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
}
variable "create_redirect" {
type = bool
default = true
description = "Enfore https redirection"
}

157
ldap/ldap.tf Normal file
View File

@@ -0,0 +1,157 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
ldap_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-ldap"
})
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
base_group_dn = format("ou=groups,%s", local.base_dn)
base_user_dn = format("ou=users,%s", local.base_dn)
authentik_base_url = "http://authentik.${var.domain}-auth.svc"
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
sorted_group_names = reverse(distinct(sort([
for grp in var.user_groups : grp.name
])))
sorted_groups = flatten([
for name in local.sorted_group_names : [
for grp in var.user_groups :
grp if grp.name == name
]
])
}
data "authentik_group" "vynil_admin" {
name = "vynil-ldap-admins"
}
resource "authentik_group" "groups" {
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
attributes = jsonencode({ "${local.app_name}" = true })
}
data "authentik_group" "readed_groups" {
depends_on = [authentik_group.groups]
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
}
resource "authentik_application" "application_ldap" {
name = local.app_slug
slug = "${local.app_slug}-ldap"
protocol_provider = authentik_provider_ldap.provider_ldap.id
meta_launch_url = "blank://blank"
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "ldap_access_users" {
target = authentik_application.application_ldap.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "ldap_access_ldap" {
target = authentik_application.application_ldap.uuid
group = authentik_group.ldapsearch.id
order = 1
}
resource "authentik_policy_binding" "ldap_access_vynil" {
target = authentik_application.application_ldap.uuid
group = data.authentik_group.vynil_admin.id
order = 2
}
resource "kubectl_manifest" "ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-ldapsearch"
namespace: "${var.namespace}"
labels: ${jsonencode(local.ldap_labels)}
data:
LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
spec:
forceRegenerate: false
fields:
- fieldName: "LDAP_ADMIN_PASS"
length: "32"
EOF
}
data "kubernetes_secret_v1" "ldap_password" {
depends_on = [kubectl_manifest.ldap]
metadata {
name = kubectl_manifest.ldap.name
namespace = var.namespace
}
}
resource "authentik_user" "ldapsearch" {
username = "${local.app_slug}-ldapsearch"
name = "${local.app_slug}-ldapsearch"
}
resource "authentik_group" "ldapsearch" {
name = "${local.app_slug}-ldapsearch"
users = [authentik_user.ldapsearch.id]
}
data "http" "ldapsearch_password" {
url = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
method = "POST"
request_headers = var.request_headers
request_body = jsonencode({
password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
})
lifecycle {
postcondition {
condition = contains([201, 204], self.status_code)
error_message = "Status code invalid"
}
}
}
data "authentik_flow" "ldap_authentication_flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "provider_ldap" {
name = "${local.app_slug}-ldap"
base_dn = local.base_dn
search_group = authentik_group.ldapsearch.id
bind_flow = data.authentik_flow.ldap_authentication_flow.id
}
data "http" "get_ldap_outpost" {
depends_on = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
url = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
method = "GET"
request_headers = var.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap_outpost_pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
})
}

23
ldap/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "provider_id" {
value = authentik_provider_ldap.provider_ldap.id
}
output "ldap_address" {
value = "ak-outpost-ldap.${var.domain}-auth.svc"
}
output "ldap_search_account" {
value = "${local.app_slug}-ldapsearch"
}
output "base_dn" {
value = local.base_dn
}
output "base_group_dn" {
value = local.base_group_dn
}
output "base_user_dn" {
value = local.base_user_dn
}

24
ldap/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

25
ldap/variables.tf Normal file
View File

@@ -0,0 +1,25 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "request_headers" {
type = map(string)
}
variable "user_groups" {
type = map(string)
default = {}
}

46
mongo/mongo.tf
View File

@@ -1,13 +1,13 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"]
username = var.username==""?var.component==""?var.instance:var.component:var.username
db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
mongo-labels = merge(var.labels, {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mongo_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mongo"
})
db_name = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
username = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
}
resource "kubectl_manifest" "prj_mongo_secret" {
resource "kubectl_manifest" "mongo_secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -15,7 +15,7 @@ resource "kubectl_manifest" "prj_mongo_secret" {
metadata:
name: "${local.app_slug}-mongo"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)}
labels: ${jsonencode(local.mongo_labels)}
spec:
forceRegenerate: false
fields:
@@ -23,21 +23,21 @@ resource "kubectl_manifest" "prj_mongo_secret" {
length: "16"
EOF
}
data "kubernetes_secret_v1" "prj_mongo_secret" {
depends_on = [ kubectl_manifest.prj_mongo_secret ]
data "kubernetes_secret_v1" "mongo_secret" {
depends_on = [kubectl_manifest.mongo_secret]
metadata {
name = "${local.app_slug}-mongo"
namespace = var.namespace
}
}
resource "kubectl_manifest" "prj_mongo" {
resource "kubectl_manifest" "mongo" {
yaml_body = <<-EOF
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: "${local.app_slug}-mongo"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)}
labels: ${jsonencode(local.mongo_labels)}
spec:
members: 1
type: ${var.mongo_type}
@@ -52,7 +52,7 @@ resource "kubectl_manifest" "prj_mongo" {
spec:
containers:
- name: mongod
imagePullPolicy: "${var.pullPolicy}"
imagePullPolicy: "${var.pull_policy}"
resources: ${jsonencode(var.resources)}
env:
- name: MONGODB_NAME
@@ -80,24 +80,24 @@ resource "kubectl_manifest" "prj_mongo" {
scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
EOF
}
resource "kubectl_manifest" "prj_mongo_sa" {
resource "kubectl_manifest" "mongo_sa" {
yaml_body = <<-EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: "mongodb-database"
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)}
labels: ${jsonencode(local.mongo_labels)}
EOF
}
resource "kubectl_manifest" "prj_mongo_role" {
resource "kubectl_manifest" "mongo_role" {
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "mongodb-database"
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)}
labels: ${jsonencode(local.mongo_labels)}
rules:
- apiGroups: [""]
resources: ["secrets"]
@@ -107,20 +107,20 @@ resource "kubectl_manifest" "prj_mongo_role" {
verbs: ["patch", "delete", "get"]
EOF
}
resource "kubectl_manifest" "prj_mongo_rb" {
resource "kubectl_manifest" "mongo_rb" {
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "mongodb-database"
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)}
labels: ${jsonencode(local.mongo_labels)}
subjects:
- kind: ServiceAccount
name: mongodb-database
name: ${local.app_slug}-mongodb-database
roleRef:
kind: Role
name: mongodb-database
name: ${local.app_slug}-mongodb-database
apiGroup: rbac.authorization.k8s.io
EOF
}

4
mongo/outputs.tf
View File

@@ -1,11 +1,11 @@
output "url" {
value = "mongodb://${local.username}:${local.mongo-password}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
}
output "service" {
value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
}
output "password" {
value = local.mongo-password
value = local.mongo_password
}
output "username" {
value = local.username

2
mongo/variables.tf
View File

@@ -26,7 +26,7 @@ variable "mongo_type" {
type = string
default = "ReplicaSet"
}
variable "pullPolicy" {
variable "pull_policy" {
type = string
default = "IfNotPresent"
}

2
mysql/mysql.tf
View File

@@ -1,8 +1,8 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mysql"
})
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]

17
mysql/outpost.tf
View File

@@ -1,12 +1,15 @@
output "dns_names" {
value = [
"${local.app_slug}-mysql",
"${local.app_slug}-mysql-instances"
]
output "conn_string" {
value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
}
output "mysql_host" {
value =" ${local.app_slug}-mysql"
output "service" {
value = "${local.app_slug}-mysql.${var.namespace}.svc"
}
output "host" {
value = "${local.app_slug}-mysql"
}
output "secret_name" {
value = "${local.app_slug}-db"
}

30
oauth2/oauth2.tf
View File

@@ -1,10 +1,10 @@
locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
oauth2_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-oauth2"
})
}
resource "kubectl_manifest" "oauth2-secret" {
resource "kubectl_manifest" "oauth2_secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -20,10 +20,10 @@ resource "kubectl_manifest" "oauth2-secret" {
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
data "kubernetes_secret_v1" "oauth2_client_id" {
depends_on = [kubectl_manifest.oauth2_secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
name = kubectl_manifest.oauth2_secret.name
namespace = var.namespace
labels = local.oauth2_labels
}
@@ -40,18 +40,18 @@ data "authentik_scope_mapping" "oauth2" {
"goauthentik.io/providers/oauth2/scope-profile"
]
}
data "authentik_flow" "default-authorization-flow" {
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${local.app_slug}"
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
name = local.app_slug
client_id = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default_authorization_flow.id
client_type = "confidential"
sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id
@@ -61,7 +61,7 @@ resource "authentik_provider_oauth2" "oauth2" {
]
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
resource "kubernetes_secret_v1" "oauth2_client_secret" {
metadata {
name = "${local.app_slug}-secret"
namespace = var.namespace
@@ -72,10 +72,10 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
}
}
data "kubernetes_secret_v1" "oauth2-client-secret" {
depends_on = [kubernetes_secret_v1.oauth2-client-secret]
data "kubernetes_secret_v1" "oauth2_client_secret" {
depends_on = [kubernetes_secret_v1.oauth2_client_secret]
metadata {
name = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
name = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
namespace = var.namespace
}
}

10
oauth2/outputs.tf
View File

@@ -1,4 +1,4 @@
output "provider-id" {
output "provider_id" {
value = authentik_provider_oauth2.oauth2.id
}
@@ -18,17 +18,17 @@ output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
}
output "client_id" {
value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
value = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
}
output "client_secret" {
value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
value = data.kubernetes_secret_v1.oauth2_client_secret.data["client-secret"]
}
output "secret_client_id_name" {
value = kubectl_manifest.oauth2-secret.name
value = kubectl_manifest.oauth2_secret.name
}
output "secret_client_secret_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
value = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
}
output "secret_client_id_key" {
value = "client-id"

24
postgresql/outputs.tf
View File

@@ -1,3 +1,23 @@
output "host" {
value = "${var.app_slug}-redis.${var.namespace}.svc"
output "conn_string" {
value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
}
output "service" {
value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-pg-rw"
}
output "db_name" {
value = var.component
}
output "db_port" {
value = "5432"
}
output "secret_name" {
value = "${local.app_slug}-pg-app"
}

30
postgresql/postgresql.tf
View File

@@ -1,21 +1,21 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
pg-labels = merge(local.labels, {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pg_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg"
})
pool-labels = merge(local.labels, {
pool_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg-pool"
})
}
resource "kubectl_manifest" "prj_pg" {
resource "kubectl_manifest" "pg" {
yaml_body = join("", concat([<<-EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: "${local.app_slug}-pg"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)}
labels: ${jsonencode(local.pg_labels)}
annotations:
"k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
"k8up.io/file-extension": ".sql"
@@ -34,7 +34,7 @@ resource "kubectl_manifest" "prj_pg" {
], var.backups.enable&&var.backups.use_barman?[<<-EOF
backup:
barmanObjectStore:
destinationPath: "s3://${var.app_slug}-${var.namespace}/"
destinationPath: "s3://${local.app_slug}-${var.namespace}/"
endpointURL: "${var.backups.endpoint}/barman"
s3Credentials:
accessKeyId:
@@ -47,7 +47,7 @@ resource "kubectl_manifest" "prj_pg" {
]:[""]))
}
resource "kubectl_manifest" "prj_pg_backup" {
resource "kubectl_manifest" "pg_backup" {
count = var.backups.enable ? 1:0
yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1
@@ -55,7 +55,7 @@ resource "kubectl_manifest" "prj_pg_backup" {
metadata:
name: "${local.app_slug}-pg"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)}
labels: ${jsonencode(local.pg_labels)}
spec:
schedule: "${var.backups.schedule.db}"
backupOwnerReference: self
@@ -64,15 +64,15 @@ resource "kubectl_manifest" "prj_pg_backup" {
EOF
}
resource "kubectl_manifest" "prj_pg_pool" {
depends_on = [kubectl_manifest.prj_pg]
resource "kubectl_manifest" "pg_pool" {
depends_on = [kubectl_manifest.pg]
yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: "${local.app_slug}-pool"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pool-labels)}
labels: ${jsonencode(local.pool_labels)}
spec:
cluster:
name: "${local.app_slug}-pg"
@@ -85,3 +85,11 @@ resource "kubectl_manifest" "prj_pg_pool" {
default_pool_size: "10"
EOF
}
data "kubernetes_secret_v1" "credentials" {
depends_on = [ kubectl_manifest.pg ]
metadata {
name = "${local.app_slug}-pg-app"
namespace = var.namespace
}
}

2
postgresql/variables.tf
View File

@@ -39,7 +39,7 @@ variable "backups" {
}
variable "images" {
type = object({
postgresql = optional(object({registry = optional(string), repository = optional(string), tag = optional(number)})),
postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
})
default = {
"postgresql" = {

15
pvc/pvc.tf
View File

@@ -1,16 +1,19 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pvc_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pvc"
})
pvc_spec = merge({
"accessModes" = [var.storage.accessMode]
"accessModes" = [var.storage.access_mode]
"volumeMode" = var.storage.type
"resources" = {
"requests" = {
"storage" = "${var.storage.size}"
}
}
}, var.storage.volume.class != "" ?{
}, var.storage.class != "" ? {
"storageClassName" = var.storage.class
}:{})
} : {})
}
resource "kubectl_manifest" "pvc" {
yaml_body = <<-EOF
@@ -20,8 +23,8 @@ resource "kubectl_manifest" "pvc" {
name: ${local.app_slug}
namespace: "${var.namespace}"
annotations:
k8up.io/backup: "true"
labels: ${jsonencode(local.labels)}
k8up.io/backup: "${var.backup}"
labels: ${jsonencode(local.pvc_labels)}
spec: ${jsonencode(local.pvc_spec)}
EOF
}

9
pvc/variables.tf
View File

@@ -12,15 +12,20 @@ variable "labels" {
}
variable "storage" {
type = object({
accessMode = optional(string),
access_mode = optional(string),
class = optional(string),
size = optional(string),
type = optional(string)
})
default = {
"accessMode" = "ReadWriteOnce"
"access_mode" = "ReadWriteOnce"
"class" = ""
"size" = "10Gi"
"type" = "Filesystem"
}
}
variable "backup" {
type = bool
default = true
}

17
redis/outputs.tf
View File

@@ -1,6 +1,15 @@
output "host" {
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "url" {
output "conn_string" {
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
}
output "service" {
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-redis"
}
output "secret_name" {
value = lookup(var.password, "name", "")
}

12
redis/redis.tf
View File

@@ -1,17 +1,17 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
redis-labels = merge(var.labels, {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
redis_labels = merge(var.labels, {
"app.kubernetes.io/component" = "redis"
})
cfg = merge({
"image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
"imagePullPolicy" = "${var.images.redis.pullPolicy}"
},lookup(var.password, "enabled", false)?{
"imagePullPolicy" = "${var.images.redis.pull_policy}"
}, lookup(var.password, "enabled", false) ? {
redisSecret = {
name = lookup(var.password, "name", var.component)
key = lookup(var.password, "key", "redis-password")
}
}:{})
} : {})
}
resource "kubectl_manifest" "redis" {
@@ -21,7 +21,7 @@ resource "kubectl_manifest" "redis" {
metadata:
name: "${local.app_slug}-redis"
namespace: "${var.namespace}"
labels: ${jsonencode(local.redis-labels)}
labels: ${jsonencode(local.redis_labels)}
spec:
kubernetesConfig: ${jsonencode(local.cfg)}
storage:

8
redis/variables.tf
View File

@@ -17,18 +17,18 @@ variable "annotations" {
variable "images" {
type = object({
redis = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})),
redis_exporter = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)}))
redis = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
})
default = {
"redis" = {
"pullPolicy" = "IfNotPresent"
"pull_policy" = "IfNotPresent"
"registry" = "quay.io"
"repository" = "opstree/redis"
"tag" = "v7.0.12"
}
"redis_exporter" = {
"pullPolicy" = "IfNotPresent"
"pull_policy" = "IfNotPresent"
"registry" = "quay.io"
"repository" = "opstree/redis-exporter"
"tag" = "v1.44.0"

12
saml/saml.tf
View File

@@ -1,13 +1,13 @@
locals{
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml"
})
}
data "authentik_flow" "default-authorization-flow" {
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow"
}
@@ -51,8 +51,8 @@ resource "kubectl_manifest" "saml_certificate" {
resource "authentik_provider_saml" "prj" {
name = "${local.app_slug}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default_authorization_flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id

2
service/outputs.tf
View File

@@ -1,5 +1,5 @@
output "name" {
value = "${local.app_slug}"
value = local.app_slug
}
output "default_definition" {
value = {

35
service/svc.tf
View File

@@ -1,5 +1,5 @@
locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
"name" = target
"port" = var.ports[idx]
@@ -12,9 +12,10 @@ locals {
"protocol" = var.protocols[idx]
"targetPort" = var.ports[idx]
}] : []
lb_ports = var.svc_type == "LoadBalancer" ? [for idx, port in var.lb_ports : {
"port" = port
"targetPort" = var.ports[idx]
lb_ports = var.svc_type == "LoadBalancer" ? [for port in var.lb_ports : {
"port" = port.port.number
"name" = port.name
"targetPort" = port.port.number
}] : []
node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
"port" = port
@@ -23,12 +24,12 @@ locals {
}] : []
metadata = merge(
{
"name"= "${local.app_slug}"
"namespace"= var.namespace
"labels"= var.labels
"name" = local.app_slug
"namespace" = var.namespace
"labels" = var.labels
},
length(var.annotations) > 0 ? {
"annotations"= var.annotations
"annotations" = var.annotations
} : {}
)
spec = {
@@ -36,6 +37,7 @@ locals {
type = "ClusterIP"
ports = local.cluster_ports
selector = var.labels
ipFamilyPolicy = var.ip_family
},
"ExternalName" = {
type = "ExternalName"
@@ -46,12 +48,14 @@ locals {
type = "NodePort"
selector = var.labels
ports = local.node_ports
ipFamilyPolicy = var.ip_family
},
"LoadBalancer" = {
type = "LoadBalancer"
selector = var.labels
ports = local.lb_ports
externalTrafficPolicy = var.lb_policy
ipFamilyPolicy = var.ip_family
}
}
}
@@ -63,3 +67,18 @@ resource "kubectl_manifest" "service" {
spec: ${jsonencode(local.spec[var.svc_type])}
EOF
}
resource "kubectl_manifest" "endpoint" {
count = var.svc_type == "ExternalName" ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Endpoints
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
subsets:
- addresses:
- ip: ${var.target_host}
ports: ${jsonencode([for port in var.ports : { "port" = port }])}
EOF
}

19
service/variables.tf
View File

@@ -22,6 +22,16 @@ variable "svc_type" {
error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
}
}
variable "ip_family" {
type = string
default = "PreferDualStack"
validation {
condition = contains(["SingleStack", "PreferDualStack"], var.ip_family)
error_message = "Only SingleStack or PreferDualStack is allowed"
}
}
variable "ports" {
type = list(number)
default = [80]
@@ -51,8 +61,13 @@ variable "node_ports" {
}
}
variable "lb_ports" {
type = list(number)
default = [8080]
type = list(object({
name = string
port = object({
number = number
})
}))
default = []
}
variable "lb_policy" {
type = string