Fix service Name
This commit is contained in:
@@ -1,7 +1,7 @@
|
||||
data "kubernetes_secret_v1" "authentik" {
|
||||
metadata {
|
||||
name = "authentik"
|
||||
namespace = var.namespace
|
||||
namespace = "${var.domain}-auth"
|
||||
}
|
||||
}
|
||||
locals {
|
||||
@@ -9,7 +9,7 @@ locals {
|
||||
ak_gatekeeper_labels = merge(var.labels, {
|
||||
"app.kubernetes.io/component" = "ak-gatekeeper"
|
||||
})
|
||||
authentik_url = "http://authentik.${var.domain}-auth.svc"
|
||||
authentik_url = "http://authentik-authentik.${var.domain}-auth.svc"
|
||||
authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
|
||||
external_url = format("https://%s", var.dns_name)
|
||||
}
|
||||
|
||||
@@ -1,51 +0,0 @@
|
||||
# locals {
|
||||
# app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
|
||||
# forward_labels = merge(var.labels, {
|
||||
# "app.kubernetes.io/component" = "ak-gatekeeper"
|
||||
# })
|
||||
# external_url = format("https://%s", var.dns_name)
|
||||
# forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
|
||||
# forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
|
||||
# }
|
||||
|
||||
# data "authentik_flow" "default_authorization_flow" {
|
||||
# slug = "default-provider-authorization-implicit-consent"
|
||||
# }
|
||||
|
||||
# resource "authentik_provider_proxy" "forward" {
|
||||
# name = local.app_slug
|
||||
# external_host = local.external_url
|
||||
# authorization_flow = data.authentik_flow.default_authorization_flow.id
|
||||
# mode = "forward_single"
|
||||
# access_token_validity = var.access_token_validity
|
||||
# }
|
||||
|
||||
# data "http" "get_forward_outpost" {
|
||||
# depends_on = [authentik_provider_proxy.forward]
|
||||
# url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
|
||||
# method = "GET"
|
||||
# request_headers = var.request_headers
|
||||
# lifecycle {
|
||||
# postcondition {
|
||||
# condition = contains([200], self.status_code)
|
||||
# error_message = "Status code invalid"
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
|
||||
# resource "restapi_object" "forward_outpost_binding" {
|
||||
# path = "/outposts/instances/${local.forward_outpost_pk}/"
|
||||
# data = jsonencode({
|
||||
# name = "forward"
|
||||
# providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
|
||||
# })
|
||||
# }
|
||||
|
||||
|
||||
|
||||
# data "kubernetes_ingress_v1" "authentik" {
|
||||
# metadata {
|
||||
# name = "authentik"
|
||||
# namespace = "${var.domain}-auth"
|
||||
# }
|
||||
# }
|
||||
@@ -8,19 +8,8 @@ resource "kubectl_manifest" "middleware" {
|
||||
labels: ${jsonencode(local.ak_gatekeeper_labels)}
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://authentik.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
|
||||
address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
- X-authentik-email
|
||||
- X-authentik-groups
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
- X-authentik-jwt
|
||||
- X-authentik-meta-jwks
|
||||
- X-authentik-meta-outpost
|
||||
- X-authentik-meta-provider
|
||||
- X-authentik-meta-app
|
||||
- X-authentik-meta-version
|
||||
authResponseHeaders: ${jsonencode(var.response_headers)}
|
||||
EOF
|
||||
}
|
||||
@@ -11,64 +11,22 @@ locals {
|
||||
|
||||
data "http" "get_proxy_outpost" {
|
||||
depends_on = [data.kubernetes_secret_v1.authentik]
|
||||
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
|
||||
url = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
|
||||
method = "GET"
|
||||
request_headers = var.request_headers
|
||||
request_headers = local.request_headers
|
||||
lifecycle {
|
||||
postcondition {
|
||||
condition = contains([200], self.status_code)
|
||||
error_message = "Status code invalid"
|
||||
error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# resource "restapi_object" "proxy_outpost_binding" {
|
||||
# path = "/outposts/instances/${local.outpost_pk}/"
|
||||
# data = jsonencode({
|
||||
# name = "${var.domain}-proxy-outpost"
|
||||
# providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
|
||||
# })
|
||||
# }
|
||||
|
||||
# data "http" "get_local_sck" {
|
||||
# depends_on = [data.kubernetes_secret_v1.authentik]
|
||||
# url = "http://authentik-authentik.${var.namespace}.svc/api/v3/outposts/service_connections/kubernetes/?local=true"
|
||||
# method = "GET"
|
||||
# request_headers = local.request_headers
|
||||
# lifecycle {
|
||||
# postcondition {
|
||||
# condition = contains([200], self.status_code)
|
||||
# error_message = "Status code invalid"
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
|
||||
# data "kubernetes_ingress_v1" "authentik" {
|
||||
# metadata {
|
||||
# name = "authentik"
|
||||
# namespace = var.namespace
|
||||
# }
|
||||
# }
|
||||
|
||||
# resource "authentik_outpost" "proxy_outpost" {
|
||||
# depends_on = [data.http.get_local_sck, data.kubernetes_ingress_v1.authentik]
|
||||
# name = "${var.domain}-proxy-outpost"
|
||||
# type = "proxy"
|
||||
# service_connection = local.local_sck[0].pk
|
||||
# config = jsonencode({
|
||||
# "log_level" : "info",
|
||||
# "authentik_host" : "http://authentik.${var.namespace}.svc",
|
||||
# "docker_map_ports" : true,
|
||||
# "kubernetes_replicas" : 1,
|
||||
# "kubernetes_namespace" : var.namespace,
|
||||
# "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
|
||||
# "object_naming_template" : "ak-%(name)s",
|
||||
# "authentik_host_insecure" : false,
|
||||
# "kubernetes_service_type" : "ClusterIP",
|
||||
# "kubernetes_image_pull_secrets" : [],
|
||||
# "kubernetes_disabled_components" : [],
|
||||
# "kubernetes_ingress_annotations" : {},
|
||||
# })
|
||||
# protocol_providers = [authentik_provider_proxy.domain_proxy_provider.id]
|
||||
# }
|
||||
resource "restapi_object" "proxy_outpost_binding" {
|
||||
path = "/outposts/instances/${local.outpost_pk}/"
|
||||
data = jsonencode({
|
||||
name = "${var.domain}-proxy-outpost"
|
||||
providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
|
||||
})
|
||||
}
|
||||
|
||||
@@ -27,6 +27,38 @@ variable "access_token_validity" {
|
||||
default = "hours=10" // ;minutes=10
|
||||
}
|
||||
|
||||
variable "request_headers" {
|
||||
type = map(string)
|
||||
variable "response_headers" {
|
||||
type = list(string)
|
||||
description = "List of sended headers from authentik to web application"
|
||||
default = [
|
||||
"X-authentik-username",
|
||||
"X-authentik-email",
|
||||
"X-authentik-groups",
|
||||
"X-authentik-name",
|
||||
"X-authentik-uid",
|
||||
"X-authentik-jwt",
|
||||
"X-authentik-meta-jwks",
|
||||
"X-authentik-meta-outpost",
|
||||
"X-authentik-meta-provider",
|
||||
"X-authentik-meta-app",
|
||||
"X-authentik-meta-version",
|
||||
]
|
||||
validation {
|
||||
condition = alltrue(
|
||||
[for header in var.response_headers : contains([
|
||||
"X-authentik-username",
|
||||
"X-authentik-email",
|
||||
"X-authentik-groups",
|
||||
"X-authentik-name",
|
||||
"X-authentik-uid",
|
||||
"X-authentik-jwt",
|
||||
"X-authentik-meta-jwks",
|
||||
"X-authentik-meta-outpost",
|
||||
"X-authentik-meta-provider",
|
||||
"X-authentik-meta-app",
|
||||
"X-authentik-meta-version",
|
||||
], header)]
|
||||
)
|
||||
error_message = "Only som headers are allowed by authentik"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ resource "authentik_provider_proxy" "forward" {
|
||||
|
||||
data "http" "get_forward_outpost" {
|
||||
depends_on = [authentik_provider_proxy.forward]
|
||||
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
|
||||
url = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
|
||||
method = "GET"
|
||||
request_headers = var.request_headers
|
||||
lifecycle {
|
||||
|
||||
@@ -6,7 +6,7 @@ locals {
|
||||
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
|
||||
base_group_dn = format("ou=groups,%s", local.base_dn)
|
||||
base_user_dn = format("ou=users,%s", local.base_dn)
|
||||
authentik_base_url = "http://authentik.${var.domain}-auth.svc"
|
||||
authentik_base_url = "http://authentik-authentik.${var.domain}-auth.svc"
|
||||
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
|
||||
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
|
||||
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
terraform {
|
||||
required_version = ">= 1.0"
|
||||
required_providers {
|
||||
kubectl = {
|
||||
source = "gavinbunney/kubectl"
|
||||
|
||||
@@ -66,6 +66,7 @@ resource "kubectl_manifest" "endpoint" {
|
||||
name: "${local.app_slug}"
|
||||
namespace: "${var.namespace}"
|
||||
labels: ${jsonencode(var.labels)}
|
||||
ownerReferences: ${jsonencode(var.owner_references)}
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: ${var.target_host}
|
||||
|
||||
@@ -79,3 +79,9 @@ variable "lb_policy" {
|
||||
error_message = "Only Cluster or Local is allowed"
|
||||
}
|
||||
}
|
||||
|
||||
variable "owner_references" {
|
||||
type = list(object({}))
|
||||
description = "Adding owner references"
|
||||
default = []
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user