vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Sébastien Huss
2024-01-10 13:23:08 +01:00
commit e0baae6132
25 changed files with 765 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
application/application.tf Normal file
View File

@@ -0,0 +1,46 @@
locals {
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
}
data "authentik_group" "akadmin" {
name = "authentik Admins"
}
resource "authentik_group" "groups" {
name = local.main_group
attributes = jsonencode({ "${local.app_name}" = true })
}
resource "authentik_group" "subgroup" {
count = length(var.sub_groups)
name = format("%s-%s", local.app_name, var.sub_groups[count.index])
parent = authentik_group.groups.id
}
resource "authentik_application" "prj_app" {
name = var.instance
slug = "${var.component}-${var.instance}"
group = var.app_group
protocol_provider = var.protocol_provider
backchannel_providers = var.backchannel_providers
meta_launch_url = format("https://%s", var.dns_name)
meta_icon = format("https://%s/%s", var.dns_name, var.icon)
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "prj_access_users" {
target = authentik_application.prj_app.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "prj_access_vynil" {
target = authentik_application.prj_app.uuid
group = data.authentik_group.akadmin.id
order = 1
}

7
application/outputs.tf Normal file
View File

@@ -0,0 +1,7 @@
output "application-id" {
value = authentik_application.prj_app.uuid
}
output "policy-id" {
value = authentik_policy_expression.policy.id
}

8
application/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
}
}

28
application/variables.tf Normal file
View File

@@ -0,0 +1,28 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "icon" {
type = string
}
variable "app_group" {
type = string
}
variable "protocol_provider" {
type = number
default = null
}
variable "dns_name" {
type = string
}
variable "sub_groups" {
type = list(string)
default = []
}
variable "backchannel_providers" {
type = list(number)
default = null
}

104
forward/forward.tf Normal file
View File

@@ -0,0 +1,104 @@
locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
external_url = format("https://%s", var.dns_names[0])
rules_icons = [for v in var.dns_names : {
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = var.service
}
"path" = "/${var.icon}"
"pathType" = "Prefix"
}]
}
}]
}
resource "kubectl_manifest" "prj_ingress_icon" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
tls:
- hosts: ${jsonencode(var.dns_names)}
secretName: "${var.instance}-cert"
EOF
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
resource "authentik_provider_proxy" "prj_forward" {
name = local.app_name
external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id
mode = "forward_single"
access_token_validity = var.access_token_validity
}
data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.prj_forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET"
request_headers = var.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({
name = "forward"
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id])
})
}
resource "kubectl_manifest" "prj_middleware" {
yaml_body = <<-EOF
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: "forward-${local.app_name}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forwardAuth:
address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-email
- X-authentik-groups
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
EOF
}
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

7
forward/outputs.tf Normal file
View File

@@ -0,0 +1,7 @@
output "provider-id" {
value = authentik_provider_proxy.prj_forward.id
}
output "sso_logout" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${var.component}-${var.instance}/end-session/"
}

20
forward/providers.tf Normal file
View File

@@ -0,0 +1,20 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

33
forward/variables.tf Normal file
View File

@@ -0,0 +1,33 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "icon" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "ingress_class" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_names" {
type = list(string)
}
variable "access_token_validity" {
type = string
default = "hours=10" // ;minutes=10
}
variable "service" {
}
variable "request_headers" {
type = map(string)
}

70
ingress/ingress.tf Normal file
View File

@@ -0,0 +1,70 @@
locals {
rules = [for v in var.dns_names : {
"host" = "${v}"
"http" = {
"paths" = [for idx, svc in var.services : {
"backend" = {
"service" = svc
}
"path" = "/${var.sub_paths[idx]}"
"pathType" = "Prefix"
}]
}
}]
}
resource "kubectl_manifest" "prj_certificate" {
count = var.create_cert ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
secretName: "${var.instance}${var.component == "" ? "" : "-"}${var.component}-cert"
dnsNames: ${jsonencode(var.dns_names)}
issuerRef:
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "prj_https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0
yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1"
kind: "Middleware"
metadata:
name: "${var.instance}-https"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
redirectScheme:
scheme: "https"
permanent: true
EOF
}
resource "kubectl_manifest" "prj_ingress" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}${var.component == "" ? "" : "-${var.component}"}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": "${join(",", [for m in concat(["${var.instance}-https"], var.middlewares) : format("%s-%s@kubernetescrd", var.namespace, m)])}"
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules)}
tls:
- hosts: ${jsonencode(var.dns_names)}
secretName: "${var.instance}${var.secret_component != "" ? "-${var.secret_component}" : var.component == "" ? "" : "-${var.component}"}-cert"
EOF
}

9
ingress/providers.tf Normal file
View File

@@ -0,0 +1,9 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

46
ingress/variables.tf Normal file
View File

@@ -0,0 +1,46 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "issuer" {
type = string
}
variable "ingress_class" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_names" {
type = list(string)
}
variable "middlewares" {
type = list(string)
default = []
}
variable "services" {
type = list(any)
}
variable "create_redirect" {
type = bool
default = false
}
variable "create_cert" {
type = bool
default = true
}
variable "sub_paths" {
type = list(string)
default = [""]
}
variable "secret_component" {
type = string
default = ""
}

94
mysql/mysql.tf Normal file
View File

@@ -0,0 +1,94 @@
locals {
mysql_host = "${var.instance}-${var.component}-db.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.prj_mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.prj_mysql_secret.data["rootPassword"]
}
resource "kubectl_manifest" "prj_mysql_secret" {
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.instance}-${var.component}-db"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forceRegenerate: false
data:
rootUser: "root-${var.instance}"
rootHost: "%"
username: "${var.instance}"
userHost: "%"
fields:
- fieldName: "rootPassword"
length: "32"
- fieldName: "password"
length: "32"
EOF
}
resource "kubectl_manifest" "prj_mysql" {
depends_on = [kubectl_manifest.prj_mysql_secret]
yaml_body = <<-EOF
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
name: "${var.instance}-${var.component}-db"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
secretName: ${kubectl_manifest.prj_mysql_secret.name}
tlsUseSelfSigned: true
# tlsSecretName: "${var.instance}-db-cert"
instances: 1
router:
instances: 1
edition: community
imagePullPolicy: IfNotPresent
datadirVolumeClaimTemplate:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "${var.storage}"
EOF
}
resource "time_sleep" "wait_mysql_ready" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql]
create_duration = "45s"
}
data "kubernetes_secret_v1" "prj_mysql_secret" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
metadata {
name = "${var.instance}-${var.component}-db"
namespace = var.namespace
}
}
resource "mysql_database" "app" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
name = var.database
}
resource "mysql_user" "app_user" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
host = data.kubernetes_secret_v1.prj_mysql_secret.data["userHost"]
user = data.kubernetes_secret_v1.prj_mysql_secret.data["username"]
plaintext_password = data.kubernetes_secret_v1.prj_mysql_secret.data["password"]
}
resource "mysql_grant" "app_user_grant" {
depends_on = [
kubectl_manifest.prj_mysql_secret,
kubectl_manifest.prj_mysql,
time_sleep.wait_mysql_ready,
mysql_database.app,
mysql_user.app_user
]
user = mysql_user.app_user.user
host = mysql_user.app_user.host
database = mysql_database.app.name
privileges = ["ALL PRIVILEGES"]
}

12
mysql/providers.tf Normal file
View File

@@ -0,0 +1,12 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
mysql = {
source = "TakatoHano/mysql"
version = "1.2.1"
}
}
}

18
mysql/variables.tf Normal file
View File

@@ -0,0 +1,18 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "storage" {
type = string
}
variable "database" {
type = string
}

73
oauth2/oauth2.tf Normal file
View File

@@ -0,0 +1,73 @@
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-${var.instance}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
}
}
data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate"
}
data "authentik_scope_mapping" "oauth2" {
managed_list = [
"goauthentik.io/providers/oauth2/scope-email",
"goauthentik.io/providers/oauth2/scope-openid",
"goauthentik.io/providers/oauth2/scope-profile"
]
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}"
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential"
sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${var.dns_name}/${var.redirect_path}"
]
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
namespace = var.namespace
labels = var.labels
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

7
oauth2/outputs.tf Normal file
View File

@@ -0,0 +1,7 @@
output "provider-id" {
value = authentik_provider_oauth2.oauth2.id
}
output "sso_configuration_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}"
}

17
oauth2/providers.tf Normal file
View File

@@ -0,0 +1,17 @@
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
}
}

22
oauth2/variables.tf Normal file
View File

@@ -0,0 +1,22 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "domain" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "redirect_path" {
type = string
default = ""
}

3
saml/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "provider-id" {
value = authentik_provider_saml.prj.id
}

12
saml/providers.tf Normal file
View File

@@ -0,0 +1,12 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
}
}

56
saml/saml.tf Normal file
View File

@@ -0,0 +1,56 @@
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
slug = "default-authentication-flow"
}
data "authentik_property_mapping_saml" "saml_maps" {
managed_list = [
"goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/groups",
"goauthentik.io/providers/saml/name",
"goauthentik.io/providers/saml/upn",
"goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname",
]
}
data "authentik_property_mapping_saml" "saml_name" {
managed = "goauthentik.io/providers/saml/username"
}
data "authentik_certificate_key_pair" "generated" {
name = "authentik Self-signed Certificate"
}
resource "kubectl_manifest" "saml_certificate" {
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}-${var.component}-saml"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
secretName: "${var.instance}-${var.component}-saml"
dnsNames: ${jsonencode(var.dns_names)}
issuerRef:
name: "self-sign"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "authentik_provider_saml" "prj" {
name = "${var.component}-${var.instance}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
signing_kp = data.authentik_certificate_key_pair.generated.id
sp_binding = var.binding
}

19
saml/variables.tf Normal file
View File

@@ -0,0 +1,19 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "dns_names" {
type = list(string)
}
variable "acs_path" {
type = string
}
variable "binding" {
type = string
default = "post"
}
variable "labels" {
type = map(string)
}

8
service/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

22
service/svc.tf Normal file
View File

@@ -0,0 +1,22 @@
locals {
ports = [ for idx, target in var.targets : {
"name" = target
"port"= var.ports[idx]
"protocol"= var.protocols[idx]
"targetPort" = target
}]
}
resource "kubectl_manifest" "service" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: "${var.instance}-${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
type: ClusterIP
ports: ${jsonencode(local.ports)}
selector: ${jsonencode(var.labels)}
EOF
}

24
service/variables.tf Normal file
View File

@@ -0,0 +1,24 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "ports" {
type = list
default = [80]
}
variable "targets" {
type = list
default = ["http"]
}
variable "protocols" {
type = list
default = ["TCP"]
}