From f4ac0c5ac305bf360d98940d698d059ed2d61962 Mon Sep 17 00:00:00 2001
From: Xavier Mortelette
Date: Fri, 11 Oct 2024 22:55:30 +0200
Subject: [PATCH] Fix service Name
---
 ak-gatekeeper/common.tf | 4 +--
 ak-gatekeeper/forward.tf | 51 ------------------------------
 ak-gatekeeper/middleware.tf | 15 ++-------
 ak-gatekeeper/outpost.tf | 62 ++++++------------------------------
 ak-gatekeeper/variables.tf | 36 +++++++++++++++++++--
 forward/forward.tf | 2 +-
 ldap/ldap.tf | 2 +-
 service/providers.tf | 1 +
 service/svc.tf | 1 +
 service/variables.tf | 6 ++++
 10 files changed, 58 insertions(+), 122 deletions(-)
 delete mode 100644 ak-gatekeeper/forward.tf
diff --git a/ak-gatekeeper/common.tf b/ak-gatekeeper/common.tf
index ddb87f7..321d28e 100644
--- a/ak-gatekeeper/common.tf
+++ b/ak-gatekeeper/common.tf
@@ -1,7 +1,7 @@
 data "kubernetes_secret_v1" "authentik" {
 metadata {
 name = "authentik"
- namespace = var.namespace
+ namespace = "${var.domain}-auth"
 }
 }
 locals {
@@ -9,7 +9,7 @@ locals {
 ak_gatekeeper_labels = merge(var.labels, {
 "app.kubernetes.io/component" = "ak-gatekeeper"
 })
- authentik_url = "http://authentik.${var.domain}-auth.svc"
+ authentik_url = "http://authentik-authentik.${var.domain}-auth.svc"
 authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
 external_url = format("https://%s", var.dns_name)
 }
diff --git a/ak-gatekeeper/forward.tf b/ak-gatekeeper/forward.tf
deleted file mode 100644
index 9130e9d..0000000
--- a/ak-gatekeeper/forward.tf
+++ /dev/null
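Review bot: The `authentik_url` fix in the second hunk spells the Authentik service host `authentik-authentik.${var.domain}-auth.svc` by hand, and the same literal is repeated again in this commit in forward/forward.tf (`get_forward_outpost`) and ldap/ldap.tf (`authentik_base_url`), so the next service rename will drift in three places exactly as this commit had to repair. The first hunk likewise hardcodes the `${var.domain}-auth` namespace for the secret lookup two lines above a URL that derives the same namespace a second time. One `authentik_namespace = "${var.domain}-auth"` local feeding both the `kubernetes_secret_v1` data source and `authentik_url`, with the host passed to the sibling modules as an input instead of rebuilt, would keep them in step. If `var.namespace` is still declared in this module after the change, it no longer controls where the bootstrap token is read from, which its description should now say.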
@@ -1,51 +0,0 @@
-# locals {
-# app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-# forward_labels = merge(var.labels, {
-# "app.kubernetes.io/component" = "ak-gatekeeper"
-# })
-# external_url = format("https://%s", var.dns_name)
-# forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
-# forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
-# }
-
-# data "authentik_flow" "default_authorization_flow" {
-# slug = "default-provider-authorization-implicit-consent"
-# }
-
-# resource "authentik_provider_proxy" "forward" {
-# name = local.app_slug
-# external_host = local.external_url
-# authorization_flow = data.authentik_flow.default_authorization_flow.id
-# mode = "forward_single"
-# access_token_validity = var.access_token_validity
-# }
-
-# data "http" "get_forward_outpost" {
-# depends_on = [authentik_provider_proxy.forward]
-# url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
-# method = "GET"
-# request_headers = var.request_headers
-# lifecycle {
-# postcondition {
-# condition = contains([200], self.status_code)
-# error_message = "Status code invalid"
-# }
-# }
-# }
-
-# resource "restapi_object" "forward_outpost_binding" {
-# path = "/outposts/instances/${local.forward_outpost_pk}/"
-# data = jsonencode({
-# name = "forward"
-# providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
-# })
-# }
-
-
-
-# data "kubernetes_ingress_v1" "authentik" {
-# metadata {
-# name = "authentik"
-# namespace = "${var.domain}-auth"
-# }
-# }
diff --git a/ak-gatekeeper/middleware.tf b/ak-gatekeeper/middleware.tf
index 4df753f..e52d786 100644
--- a/ak-gatekeeper/middleware.tf
+++ b/ak-gatekeeper/middleware.tf
@@ -8,19 +8,8 @@ resource "kubectl_manifest" "middleware" {
 labels: ${jsonencode(local.ak_gatekeeper_labels)}
 spec:
 forwardAuth:
- address: http://authentik.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
+ address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
 trustForwardHeader: true
- authResponseHeaders:
- - X-authentik-username
- - X-authentik-email
- - X-authentik-groups
- - X-authentik-name
- - X-authentik-uid
- - X-authentik-jwt
- - X-authentik-meta-jwks
- - X-authentik-meta-outpost
- - X-authentik-meta-provider
- - X-authentik-meta-app
- - X-authentik-meta-version
+ authResponseHeaders: ${jsonencode(var.response_headers)}
 EOF
 }
\ No newline at end of file
diff --git a/ak-gatekeeper/outpost.tf b/ak-gatekeeper/outpost.tf
index bd0fe15..98feb13 100644
--- a/ak-gatekeeper/outpost.tf
+++ b/ak-gatekeeper/outpost.tf
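Review bot: The forwardAuth `address` now hand-assembles the outpost service host as `ak-${var.domain}-proxy-outpost`, which couples this middleware both to the outpost name queried in outpost.tf (`name__iexact=${var.domain}-proxy-outpost`) and to the `ak-` prefix that the `"object_naming_template" : "ak-%(name)s"` in the removed comments presumably applies; if either changes, every protected route presumably fails closed behind a Traefik 5xx with no hint why. A single `outpost_name = "${var.domain}-proxy-outpost"` local in common.tf, used by the outpost.tf query and here as `address: http://ak-${local.outpost_name}.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik`, keeps the two in step. Rendering `authResponseHeaders` through `jsonencode` is valid since a JSON array is YAML flow syntax, but the deleted literal list was the only in-file record of what the upstream application receives, so a comment on that line such as `# headers copied from the outpost auth response into the upstream request; allowed set is validated on var.response_headers` would help the next reader. The enclosing `kubectl_manifest.middleware` resource starts before the hunk.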
@@ -11,64 +11,22 @@ locals {
 data "http" "get_proxy_outpost" {
 depends_on = [data.kubernetes_secret_v1.authentik]
- url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
+ url = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
 method = "GET"
- request_headers = var.request_headers
+ request_headers = local.request_headers
 lifecycle {
 postcondition {
 condition = contains([200], self.status_code)
- error_message = "Status code invalid"
+ error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
 }
 }
 }
-# resource "restapi_object" "proxy_outpost_binding" {
-# path = "/outposts/instances/${local.outpost_pk}/"
-# data = jsonencode({
-# name = "${var.domain}-proxy-outpost"
-# providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
-# })
-# }
-
-# data "http" "get_local_sck" {
-# depends_on = [data.kubernetes_secret_v1.authentik]
-# url = "http://authentik-authentik.${var.namespace}.svc/api/v3/outposts/service_connections/kubernetes/?local=true"
-# method = "GET"
-# request_headers = local.request_headers
-# lifecycle {
-# postcondition {
-# condition = contains([200], self.status_code)
-# error_message = "Status code invalid"
-# }
-# }
-# }
-
-# data "kubernetes_ingress_v1" "authentik" {
-# metadata {
-# name = "authentik"
-# namespace = var.namespace
-# }
-# }
-
-# resource "authentik_outpost" "proxy_outpost" {
-# depends_on = [data.http.get_local_sck, data.kubernetes_ingress_v1.authentik]
-# name = "${var.domain}-proxy-outpost"
-# type = "proxy"
-# service_connection = local.local_sck[0].pk
-# config = jsonencode({
-# "log_level" : "info",
-# "authentik_host" : "http://authentik.${var.namespace}.svc",
-# "docker_map_ports" : true,
-# "kubernetes_replicas" : 1,
-# "kubernetes_namespace" : var.namespace,
-# "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
-# "object_naming_template" : "ak-%(name)s",
-# "authentik_host_insecure" : false,
-# "kubernetes_service_type" : "ClusterIP",
-# "kubernetes_image_pull_secrets" : [],
-# "kubernetes_disabled_components" : [],
-# "kubernetes_ingress_annotations" : {},
-# })
-# protocol_providers = [authentik_provider_proxy.domain_proxy_provider.id]
-# }
+resource "restapi_object" "proxy_outpost_binding" {
+ path = "/outposts/instances/${local.outpost_pk}/"
+ data = jsonencode({
+ name = "${var.domain}-proxy-outpost"
+ providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
+ })
+}
diff --git a/ak-gatekeeper/variables.tf b/ak-gatekeeper/variables.tf
index d06cbaf..374ba31 100644
--- a/ak-gatekeeper/variables.tf
+++ b/ak-gatekeeper/variables.tf
@@ -27,6 +27,38 @@ variable "access_token_validity" {
 default = "hours=10" // ;minutes=10
 }
-variable "request_headers" {
- type = map(string)
+variable "response_headers" {
+ type = list(string)
+ description = "List of sended headers from authentik to web application"
+ default = [
+ "X-authentik-username",
+ "X-authentik-email",
+ "X-authentik-groups",
+ "X-authentik-name",
+ "X-authentik-uid",
+ "X-authentik-jwt",
+ "X-authentik-meta-jwks",
+ "X-authentik-meta-outpost",
+ "X-authentik-meta-provider",
+ "X-authentik-meta-app",
+ "X-authentik-meta-version",
+ ]
+ validation {
+ condition = alltrue(
+ [for header in var.response_headers : contains([
+ "X-authentik-username",
+ "X-authentik-email",
+ "X-authentik-groups",
+ "X-authentik-name",
+ "X-authentik-uid",
+ "X-authentik-jwt",
+ "X-authentik-meta-jwks",
+ "X-authentik-meta-outpost",
+ "X-authentik-meta-provider",
+ "X-authentik-meta-app",
+ "X-authentik-meta-version",
+ ], header)]
+ )
+ error_message = "Only som headers are allowed by authentik"
+ }
 }
diff --git a/forward/forward.tf b/forward/forward.tf
index b3e134d..b039e2a 100644
--- a/forward/forward.tf
+++ b/forward/forward.tf
@@ -22,7 +22,7 @@ resource "authentik_provider_proxy" "forward" {
 data "http" "get_forward_outpost" {
 depends_on = [authentik_provider_proxy.forward]
- url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+ url = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
 method = "GET"
 request_headers = var.request_headers
 lifecycle {
diff --git a/ldap/ldap.tf b/ldap/ldap.tf
index 390fb18..8ae4b4e 100644
--- a/ldap/ldap.tf
+++ b/ldap/ldap.tf
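Review bot: The new `response_headers` description and validation message carry typos that will show up in module documentation and in plan errors; use `description = "Headers forwarded from the Authentik outpost to the web application"` and `error_message = "Only some headers are allowed by authentik"`. The allowed set is written out twice, once as the default and once inside `contains([...])`, so the two lists can drift; unless the module requires Terraform 1.9 or newer a validation condition can only reference its own variable, so at minimum put a comment above the `validation` block stating that the list must match the default, and mention that `contains` is case-sensitive so a lower-case `x-authentik-username` is rejected. Dropping `variable "request_headers"` is a breaking change for any caller still passing it (Terraform reports an unsupported argument), and its replacement `local.request_headers` used in outpost.tf is defined outside this diff as far as I can tell; neither is mentioned by the commit message.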
@@ -6,7 +6,7 @@ locals {
 base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
 base_group_dn = format("ou=groups,%s", local.base_dn)
 base_user_dn = format("ou=users,%s", local.base_dn)
- authentik_base_url = "http://authentik.${var.domain}-auth.svc"
+ authentik_base_url = "http://authentik-authentik.${var.domain}-auth.svc"
 ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
 ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
diff --git a/service/providers.tf b/service/providers.tf
index 852127e..d215cd2 100644
--- a/service/providers.tf
+++ b/service/providers.tf
@@ -1,4 +1,5 @@
 terraform {
+ required_version = ">= 1.0"
 required_providers {
 kubectl = {
 source = "gavinbunney/kubectl"
diff --git a/service/svc.tf b/service/svc.tf
index 06cafc4..691a6e0 100644
--- a/service/svc.tf
+++ b/service/svc.tf
@@ -66,6 +66,7 @@ resource "kubectl_manifest" "endpoint" {
 name: "${local.app_slug}"
 namespace: "${var.namespace}"
 labels: ${jsonencode(var.labels)}
+ ownerReferences: ${jsonencode(var.owner_references)}
 subsets:
 - addresses:
 - ip: ${var.target_host}
diff --git a/service/variables.tf b/service/variables.tf
index bbf444a..2d90601 100644
--- a/service/variables.tf
+++ b/service/variables.tf
@@ -79,3 +79,9 @@ variable "lb_policy" {
 error_message = "Only Cluster or Local is allowed"
 }
 }
+
+variable "owner_references" {
+ type = list(object({}))
+ description = "Adding owner references"
+ default = []
+}
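Review bot: `ownerReferences: ${jsonencode(var.owner_references)}` in service/svc.tf is fed by a variable typed `list(object({}))` in service/variables.tf, and I believe Terraform's object conversion keeps only the attributes named in the constraint, so every element a caller passes would arrive as `{}` and the rendered Endpoints manifest would carry `ownerReferences: [{}]`, which the API server rejects because apiVersion, kind, name and uid are required. Declaring the real shape fixes that and documents the contract; `optional()` needs Terraform 1.3, so the `required_version = ">= 1.0"` added in service/providers.tf should become `">= 1.3"`. Because the garbage collector deletes dependents whose owner cannot be found, the description should also say the owner must be a live object in the same namespace and that the `uid` must be the current one. The enclosing `kubectl_manifest.endpoint` resource starts before the hunk.
```hcl
variable "owner_references" {
  # Kubernetes ownerReferences placed on the generated Endpoints object so it
  # is garbage-collected together with its owner. The owner must exist in the
  # same namespace; a stale uid causes the GC to delete this object.
  type = list(object({
    apiVersion         = string
    kind               = string
    name               = string
    uid                = string
    controller         = optional(bool)
    blockOwnerDeletion = optional(bool)
  }))
  description = "Owner references to attach to the generated Endpoints object"
  default     = []
}
```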