first commit

forward/forward.tf

@@ -0,0 +1,104 @@
+locals {
+  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
+  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
+  app_name                  = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main_group                = format("app-%s", local.app_name)
+  external_url              = format("https://%s", var.dns_names[0])
+  rules_icons = [for v in var.dns_names : {
+    "host" = "${v}"
+    "http" = {
+      "paths" = [{
+        "backend" = {
+          "service" = var.service
+        }
+        "path"     = "/${var.icon}"
+        "pathType" = "Prefix"
+      }]
+    }
+  }]
+}
+
+resource "kubectl_manifest" "prj_ingress_icon" {
+  force_conflicts = true
+  yaml_body       = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${var.instance}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+      ingressClassName: "${var.ingress_class}"
+      rules: ${jsonencode(local.rules_icons)}
+      tls:
+      - hosts: ${jsonencode(var.dns_names)}
+        secretName: "${var.instance}-cert"
+  EOF
+}
+
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+resource "authentik_provider_proxy" "prj_forward" {
+  name                  = local.app_name
+  external_host         = local.external_url
+  authorization_flow    = data.authentik_flow.default-authorization-flow.id
+  mode                  = "forward_single"
+  access_token_validity = var.access_token_validity
+}
+
+data "http" "get_forward_outpost" {
+  depends_on      = [authentik_provider_proxy.prj_forward]
+  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+  method          = "GET"
+  request_headers = var.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+resource "restapi_object" "forward_outpost_binding" {
+  path = "/outposts/instances/${local.forward_outpost_pk}/"
+  data = jsonencode({
+    name      = "forward"
+    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id])
+  })
+}
+
+resource "kubectl_manifest" "prj_middleware" {
+  yaml_body = <<-EOF
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+        name: "forward-${local.app_name}"
+        namespace: "${var.namespace}"
+        labels: ${jsonencode(var.labels)}
+    spec:
+      forwardAuth:
+        address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+        - X-authentik-username
+        - X-authentik-email
+        - X-authentik-groups
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version
+  EOF
+}
+
+data "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}