vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix service Name

Browse Source
This commit is contained in:
Xavier Mortelette
2024-10-11 22:55:30 +02:00
parent 5dbc3bdea2
commit f4ac0c5ac3
10 changed files with 58 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ak-gatekeeper/common.tf
View File

@@ -1,7 +1,7 @@
data "kubernetes_secret_v1" "authentik" { data "kubernetes_secret_v1" "authentik" {
metadata { metadata {
name = "authentik" name = "authentik"
namespace = var.namespace namespace = "${var.domain}-auth"
} }
} }
locals { locals {
@@ -9,7 +9,7 @@ locals {
ak_gatekeeper_labels = merge(var.labels, { ak_gatekeeper_labels = merge(var.labels, {
"app.kubernetes.io/component" = "ak-gatekeeper" "app.kubernetes.io/component" = "ak-gatekeeper"
}) })
authentik_url = "http://authentik.${var.domain}-auth.svc" authentik_url = "http://authentik-authentik.${var.domain}-auth.svc"
authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token") authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
external_url = format("https://%s", var.dns_name) external_url = format("https://%s", var.dns_name)
} }

51
ak-gatekeeper/forward.tf
View File

@@ -1,51 +0,0 @@
# locals {
# app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
# forward_labels = merge(var.labels, {
# "app.kubernetes.io/component" = "ak-gatekeeper"
# })
# external_url = format("https://%s", var.dns_name)
# forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
# forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
# }
# data "authentik_flow" "default_authorization_flow" {
# slug = "default-provider-authorization-implicit-consent"
# }
# resource "authentik_provider_proxy" "forward" {
# name = local.app_slug
# external_host = local.external_url
# authorization_flow = data.authentik_flow.default_authorization_flow.id
# mode = "forward_single"
# access_token_validity = var.access_token_validity
# }
# data "http" "get_forward_outpost" {
# depends_on = [authentik_provider_proxy.forward]
# url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
# method = "GET"
# request_headers = var.request_headers
# lifecycle {
# postcondition {
# condition = contains([200], self.status_code)
# error_message = "Status code invalid"
# }
# }
# }
# resource "restapi_object" "forward_outpost_binding" {
# path = "/outposts/instances/${local.forward_outpost_pk}/"
# data = jsonencode({
# name = "forward"
# providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
# })
# }
# data "kubernetes_ingress_v1" "authentik" {
# metadata {
# name = "authentik"
# namespace = "${var.domain}-auth"
# }
# }

15
ak-gatekeeper/middleware.tf
View File

@@ -8,19 +8,8 @@ resource "kubectl_manifest" "middleware" {
labels: ${jsonencode(local.ak_gatekeeper_labels)} labels: ${jsonencode(local.ak_gatekeeper_labels)}
spec: spec:
forwardAuth: forwardAuth:
address: http://authentik.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders: ${jsonencode(var.response_headers)}
- X-authentik-username
- X-authentik-email
- X-authentik-groups
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
EOF EOF
} }

62
ak-gatekeeper/outpost.tf
View File

@@ -11,64 +11,22 @@ locals {
data "http" "get_proxy_outpost" { data "http" "get_proxy_outpost" {
depends_on = [data.kubernetes_secret_v1.authentik] depends_on = [data.kubernetes_secret_v1.authentik]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost" url = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = local.request_headers
lifecycle { lifecycle {
postcondition { postcondition {
condition = contains([200], self.status_code) condition = contains([200], self.status_code)
error_message = "Status code invalid" error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
} }
} }
} }
# resource "restapi_object" "proxy_outpost_binding" { resource "restapi_object" "proxy_outpost_binding" {
# path = "/outposts/instances/${local.outpost_pk}/" path = "/outposts/instances/${local.outpost_pk}/"
# data = jsonencode({ data = jsonencode({
# name = "${var.domain}-proxy-outpost" name = "${var.domain}-proxy-outpost"
# providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id]) providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
# }) })
# } }
# data "http" "get_local_sck" {
# depends_on = [data.kubernetes_secret_v1.authentik]
# url = "http://authentik-authentik.${var.namespace}.svc/api/v3/outposts/service_connections/kubernetes/?local=true"
# method = "GET"
# request_headers = local.request_headers
# lifecycle {
# postcondition {
# condition = contains([200], self.status_code)
# error_message = "Status code invalid"
# }
# }
# }
# data "kubernetes_ingress_v1" "authentik" {
# metadata {
# name = "authentik"
# namespace = var.namespace
# }
# }
# resource "authentik_outpost" "proxy_outpost" {
# depends_on = [data.http.get_local_sck, data.kubernetes_ingress_v1.authentik]
# name = "${var.domain}-proxy-outpost"
# type = "proxy"
# service_connection = local.local_sck[0].pk
# config = jsonencode({
# "log_level" : "info",
# "authentik_host" : "http://authentik.${var.namespace}.svc",
# "docker_map_ports" : true,
# "kubernetes_replicas" : 1,
# "kubernetes_namespace" : var.namespace,
# "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
# "object_naming_template" : "ak-%(name)s",
# "authentik_host_insecure" : false,
# "kubernetes_service_type" : "ClusterIP",
# "kubernetes_image_pull_secrets" : [],
# "kubernetes_disabled_components" : [],
# "kubernetes_ingress_annotations" : {},
# })
# protocol_providers = [authentik_provider_proxy.domain_proxy_provider.id]
# }

36
ak-gatekeeper/variables.tf
View File

@@ -27,6 +27,38 @@ variable "access_token_validity" {
default = "hours=10" // ;minutes=10 default = "hours=10" // ;minutes=10
} }
variable "request_headers" { variable "response_headers" {
type = map(string) type = list(string)
description = "List of sended headers from authentik to web application"
default = [
"X-authentik-username",
"X-authentik-email",
"X-authentik-groups",
"X-authentik-name",
"X-authentik-uid",
"X-authentik-jwt",
"X-authentik-meta-jwks",
"X-authentik-meta-outpost",
"X-authentik-meta-provider",
"X-authentik-meta-app",
"X-authentik-meta-version",
]
validation {
condition = alltrue(
[for header in var.response_headers : contains([
"X-authentik-username",
"X-authentik-email",
"X-authentik-groups",
"X-authentik-name",
"X-authentik-uid",
"X-authentik-jwt",
"X-authentik-meta-jwks",
"X-authentik-meta-outpost",
"X-authentik-meta-provider",
"X-authentik-meta-app",
"X-authentik-meta-version",
], header)]
)
error_message = "Only som headers are allowed by authentik"
}
} }

2
forward/forward.tf
View File

@@ -22,7 +22,7 @@ resource "authentik_provider_proxy" "forward" {
data "http" "get_forward_outpost" { data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.forward] depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" url = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = var.request_headers
lifecycle { lifecycle {

2
ldap/ldap.tf
View File

@@ -6,7 +6,7 @@ locals {
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name))) base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
base_group_dn = format("ou=groups,%s", local.base_dn) base_group_dn = format("ou=groups,%s", local.base_dn)
base_user_dn = format("ou=users,%s", local.base_dn) base_user_dn = format("ou=users,%s", local.base_dn)
authentik_base_url = "http://authentik.${var.domain}-auth.svc" authentik_base_url = "http://authentik-authentik.${var.domain}-auth.svc"
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk

1
service/providers.tf
View File

@@ -1,4 +1,5 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"

1
service/svc.tf
View File

@@ -66,6 +66,7 @@ resource "kubectl_manifest" "endpoint" {
name: "${local.app_slug}" name: "${local.app_slug}"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(var.labels)}
ownerReferences: ${jsonencode(var.owner_references)}
subsets: subsets:
- addresses: - addresses:
- ip: ${var.target_host} - ip: ${var.target_host}

6
service/variables.tf
View File

@@ -79,3 +79,9 @@ variable "lb_policy" {
error_message = "Only Cluster or Local is allowed" error_message = "Only Cluster or Local is allowed"
} }
} }
variable "owner_references" {
type = list(object({}))
description = "Adding owner references"
default = []
}