vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reafacto OAuth2

Browse Source 
Add roles mappings
Remove legacy groups
This commit is contained in:
Xavier Mortelette
2024-12-27 16:38:12 +01:00
parent fa2a69c61e
commit e8d1c4e86a
6 changed files with 87 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
oauth2/oauth2.tf
View File

@@ -1,5 +1,6 @@
locals { locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
main_group = format("kydah-%s", local.app_slug)
oauth2_labels = merge(var.labels, { oauth2_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-oauth2" "app.kubernetes.io/component" = "authentik-oauth2"
}) })
@@ -7,35 +8,44 @@ locals {
signing_id = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id signing_id = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
} }
resource "kubectl_manifest" "secret_gen" { resource "random_uuid" "client_id" {
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-oauth2"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
ownerReferences: ${jsonencode(var.owner_references)}
spec:
forceRegenerate: false
fields:
- fieldName: "client_id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "secret_gen" {
metadata {
name = kubectl_manifest.secret_gen.name
namespace = var.namespace
}
} }
# resource "kubectl_manifest" "secret_gen" {
# yaml_body = <<-EOF
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
# kind: "StringSecret"
# metadata:
# name: "${local.app_slug}-oauth2"
# namespace: "${var.namespace}"
# labels: ${jsonencode(local.oauth2_labels)}
# ownerReferences: ${jsonencode(var.owner_references)}
# spec:
# forceRegenerate: false
# fields:
# - fieldName: "client_id"
# length: "32"
# EOF
# }
# data "kubernetes_secret_v1" "secret_gen" {
# metadata {
# name = kubectl_manifest.secret_gen.name
# namespace = var.namespace
# }
# }
data "authentik_certificate_key_pair" "ca" { data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate" name = "authentik Self-signed Certificate"
} }
resource "authentik_property_mapping_provider_scope" "app_scope" {
count = var.scope_attributes != "" ? 1 : 0
name = local.app_slug
scope_name = local.app_slug
expression = var.scope_attributes
}
data "authentik_property_mapping_provider_scope" "oauth2" { data "authentik_property_mapping_provider_scope" "oauth2" {
managed_list = [ managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"
]
} }
data "authentik_flow" "default_authorization_flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
@@ -48,17 +58,25 @@ data "authentik_flow" "default_invalidation_flow" {
} }
resource "authentik_group" "app_group" { resource "authentik_group" "app_group" {
name = local.app_slug name = local.main_group
attributes = jsonencode({ "app_slug" = local.app_slug }) attributes = jsonencode({
"${local.app_slug}" = {
"kydah_instance" = var.instance
"kydah_component" = var.component
}
})
} }
resource "authentik_group" "groups" { resource "authentik_group" "sub_groups" {
for_each = var.group_mapping for_each = var.group_mapping
name = each.key name = format("%s-%s", local.main_group, each.key)
parent = authentik_group.app_group.id parent = authentik_group.app_group.id
attributes = jsonencode({ attributes = jsonencode({
"app_slug" = local.app_slug "${local.app_slug}" = {
"gen_group_name" = each.value "kydah_instance" = var.instance
"kydah_component" = var.component
"kydah_app_group" = each.value
}
}) })
} }
@@ -78,15 +96,19 @@ resource "authentik_certificate_key_pair" "name" {
} }
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
depends_on = [authentik_property_mapping_provider_scope.app_scope]
name = local.app_slug name = local.app_slug
client_id = data.kubernetes_secret_v1.secret_gen.data.client_id client_id = random_uuid.client_id.result
authentication_flow = data.authentik_flow.default_authentication_flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default_authorization_flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
invalidation_flow = data.authentik_flow.default_invalidation_flow.id invalidation_flow = data.authentik_flow.default_invalidation_flow.id
client_type = var.client_type client_type = var.client_type
sub_mode = "user_username" sub_mode = "user_username"
signing_key = local.signing_id signing_key = local.signing_id
property_mappings = data.authentik_property_mapping_provider_scope.oauth2.ids property_mappings = concat(
data.authentik_property_mapping_provider_scope.oauth2.ids,
var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
)
redirect_uris = [ redirect_uris = [
"https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}" "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
] ]
@@ -100,7 +122,7 @@ data "kubernetes_ingress_v1" "authentik" {
} }
resource "kubectl_manifest" "oauth2_client_secret" { resource "kubectl_manifest" "oauth2_client_secret" {
force_new = true # force_new = true
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@@ -111,7 +133,7 @@ resource "kubectl_manifest" "oauth2_client_secret" {
ownerReferences: ${jsonencode(var.owner_references)} ownerReferences: ${jsonencode(var.owner_references)}
data: data:
oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}" oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
client_id: "${base64encode(data.kubernetes_secret_v1.secret_gen.data.client_id)}" client_id: "${base64encode(random_uuid.client_id.result)}"
client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}" client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
EOF EOF
} }

2
oauth2/outputs.tf
View File

@@ -23,7 +23,7 @@ output "sso_token_url" {
} }
output "client_id" { output "client_id" {
value = data.kubernetes_secret_v1.secret_gen.data.client_id value = random_uuid.client_id.result
} }
output "client_secret" { output "client_secret" {

4
oauth2/providers.tf
View File

@@ -14,5 +14,9 @@ terraform {
source = "registry.terraform.io/goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "2024.10.0" version = "2024.10.0"
} }
random = {
source = "hashicorp/random"
version = "3.6.3"
}
} }
} }

7
oauth2/variables.tf
View File

@@ -23,7 +23,7 @@ variable "redirect_path" {
variable "group_mapping" { variable "group_mapping" {
type = map(string) type = map(string)
default = {} default = {}
description = "Group mapping where key application group and value the generic group name" description = "Group mapping where key is authentik suffix group name and value is the application group name"
} }
variable "owner_references" { variable "owner_references" {
type = list(object({})) type = list(object({}))
@@ -39,6 +39,11 @@ variable "scopes" {
"scope-profile", "scope-profile",
] ]
} }
variable "scope_attributes" {
type = string
description = "Authentik expression for scope mapping"
default = ""
}
variable "client_type" { variable "client_type" {
type = string type = string
description = "OAuth client type confidential / public(PKCE)" description = "OAuth client type confidential / public(PKCE)"

5
postgresql/providers.tf
View File

@@ -1,5 +1,10 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"

24
postgresql/variables.tf
View File

@@ -25,21 +25,25 @@ variable "backups" {
"use_barman" = false "use_barman" = false
} }
type = object({ type = object({
enable = optional(bool), enable = optional(bool, false),
endpoint = optional(string), endpoint = optional(string, ""),
key_id_key = optional(string), key_id_key = optional(string, "s3-id"),
restic_key = optional(string), restic_key = optional(string, "bck-password"),
schedule = optional(object({ schedule = optional(object({
db = optional(string), db = string,
})), }), { db = "30 3 * * *" }),
secret_key = optional(string), secret_key = optional(string, "s3-secret"),
secret_name = optional(string), secret_name = optional(string, "backup-settings"),
use_barman = optional(bool) use_barman = optional(bool, false)
}) })
} }
variable "images" { variable "images" {
type = object({ type = object({
postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })), postgresql = optional(object({
registry = optional(string),
repository = optional(string),
tag = optional(number)
})),
}) })
default = { default = {
"postgresql" = { "postgresql" = {