diff --git a/forward/forward.tf b/forward/forward.tf index b3e134d..de288c4 100644 --- a/forward/forward.tf +++ b/forward/forward.tf @@ -3,9 +3,10 @@ locals { forward_labels = merge(var.labels, { "app.kubernetes.io/component" = "authentik-forward" }) - external_url = format("https://%s", var.dns_name) - forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers - forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk + external_url = format("https://%s", var.dns_name) + forward_outpost_results = jsondecode(data.http.get_forward_outpost.response_body).results + forward_outpost_providers = local.forward_outpost_results[0].providers + forward_outpost_pk = local.forward_outpost_results[0].pk } data "authentik_flow" "default_authorization_flow" { @@ -33,6 +34,66 @@ data "http" "get_forward_outpost" { } } +data "kubernetes_ingress_v1" "authentik" { + metadata { + name = "authentik" + namespace = "${var.domain}-auth" + } +} + +## Begin modification +data "kubernetes_secret_v1" "authentik" { + metadata { + name = "authentik" + namespace = "${var.domain}-auth" + } +} + +resource "authentik_service_connection_kubernetes" "local" { + # count = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0 + depends_on = [data.kubernetes_secret_v1.authentik] + name = "${var.domain}-local-forward" + local = true +} + +# data "authentik_flow" "default_authorization_flow" { +# count = length(local.forward_outpost_results) == 0 ? 1 : 0 +# depends_on = [authentik_service_connection_kubernetes.local] +# slug = "default-provider-authorization-implicit-consent" +# } + +resource "authentik_provider_proxy" "provider_forward" { + # count = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0 + name = "authentik-${var.domain}-forward-provider" + internal_host = "http://authentik-authentik" + external_host = "http://authentik-authentik" + authorization_flow = data.authentik_flow.default_authorization_flow.id +} + +resource "authentik_outpost" "output_forward" { + # count = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0 + name = "forward" + type = "proxy" + service_connection = authentik_service_connection_kubernetes.local.id + config = jsonencode({ + "log_level" : "info", + "authentik_host" : "http://authentik", + "docker_map_ports" : true, + "kubernetes_replicas" : 1, + "kubernetes_namespace" : var.namespace, + "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}", + "object_naming_template" : "ak-outpost-%(name)s", + "authentik_host_insecure" : false, + "kubernetes_service_type" : "ClusterIP", + "kubernetes_image_pull_secrets" : [], + "kubernetes_disabled_components" : [], + "kubernetes_ingress_annotations" : {}, + "kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name + }) + protocol_providers = local.forward_outpost_providers +} +## End modification + resource "restapi_object" "forward_outpost_binding" { path = "/outposts/instances/${local.forward_outpost_pk}/" data = jsonencode({ @@ -67,10 +128,3 @@ resource "kubectl_manifest" "middleware" { - X-authentik-meta-version EOF } - -data "kubernetes_ingress_v1" "authentik" { - metadata { - name = "authentik" - namespace = "${var.domain}-auth" - } -} diff --git a/forward/providers.tf b/forward/providers.tf index a5079b4..f3da28e 100644 --- a/forward/providers.tf +++ b/forward/providers.tf @@ -1,5 +1,10 @@ terraform { + required_version = ">= 1.0" required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.20.0" + } kubectl = { source = "gavinbunney/kubectl" version = "~> 1.14.0" diff --git a/forward/variables.tf b/forward/variables.tf index d06cbaf..ccae5a0 100644 --- a/forward/variables.tf +++ b/forward/variables.tf @@ -30,3 +30,7 @@ variable "access_token_validity" { variable "request_headers" { type = map(string) } + +variable "ingress_certificat_secret_name" { + type = string +} \ No newline at end of file