vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: vynil:96714b7186af23b693879ca593c837dce4a789cf
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
compare: vynil:main
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

10 Commits
96714b7186 ... main

Author SHA1 Message Date
Sébastien Huss
8e883d012e No more sercretString dans oauth2 2024-05-24 14:28:12 +02:00
Sébastien Huss
1c42b356c1 Add selector(optional) to service 2024-05-17 16:05:20 +02:00
Sébastien Huss
6ea3cfc0bf fix redirect url 2024-05-17 12:11:06 +02:00
Sébastien Huss
140321f714 Migrate the middleware to the new CRD 2024-02-15 14:36:39 +01:00
Sébastien Huss
a77bf1ec51 improve oauth2 ouput 2024-01-29 09:48:07 +01:00
Sébastien Huss
4f306cdacf adding ingress output for secret_name 2024-01-29 09:33:11 +01:00
Sébastien Huss
0a9700ab94 fix 2024-01-28 11:48:34 +01:00
Sébastien Huss
0a92ad09d5 fix 2024-01-28 10:13:10 +01:00
Sébastien Huss
c1aac2424b fix 2024-01-28 10:11:54 +01:00
Sébastien Huss
ccfac82ad4 fix 2024-01-28 10:09:48 +01:00
17 changed files with 126 additions and 50 deletions
Expand all files Collapse all files

5
application/application.tf
View File

@@ -7,13 +7,14 @@ data "authentik_group" "akadmin" {
}
resource "authentik_group" "groups" {
name = local.main_group
attributes = jsonencode({ "${local.app_name}" = true })
attributes = jsonencode({ "${local.app_name}" = var.attributes })
}
resource "authentik_group" "subgroup" {
count = length(var.sub_groups)
name = format("%s-%s", local.main_group, var.sub_groups[count.index])
parent = authentik_group.groups.id
attributes = length(var.sub_groups_attributes)>count.index?jsonencode({ "${local.app_name}" = var.sub_groups_attributes[count.index] }):jsonencode({ "${local.app_name}" = var.attributes })
}
resource "authentik_application" "prj_app" {
@@ -30,7 +31,7 @@ resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
return True if '${local.app_name}' in attr else False
EOF
}

6
application/variables.tf
View File

@@ -26,3 +26,9 @@ variable "backchannel_providers" {
type = list(number)
default = null
}
variable "attributes" {
default = {enable = true}
}
variable "sub_groups_attributes" {
default = []
}

2
forward/forward.tf
View File

@@ -74,7 +74,7 @@ resource "restapi_object" "forward_outpost_binding" {
resource "kubectl_manifest" "prj_middleware" {
yaml_body = <<-EOF
apiVersion: traefik.containo.us/v1alpha1
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: "${local.app_slug}-forward"

2
ingress/ingress.tf
View File

@@ -58,7 +58,7 @@ resource "kubectl_manifest" "prj_certificate" {
resource "kubectl_manifest" "prj_https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0
yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1"
apiVersion: "traefik.io/v1alpha1"
kind: "Middleware"
metadata:
name: "${local.app_slug}-https"

3
ingress/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "secret_name" {
value = var.create_cert ? "${local.app_slug}-cert":""
}

6
mongo/mongo.tf
View File

@@ -3,7 +3,7 @@ locals {
mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"]
username = var.username==""?var.component==""?var.instance:var.component:var.username
db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
mongo-labels = merge(local.labels, {
mongo-labels = merge(var.labels, {
"app.kubernetes.io/component" = "mongo"
})
}
@@ -40,8 +40,8 @@ resource "kubectl_manifest" "prj_mongo" {
labels: ${jsonencode(local.mongo-labels)}
spec:
members: 1
type: ReplicaSet
version: "7.0.2"
type: ${var.mongo_type}
version: "${var.mongo_version}"
statefulSet:
spec:
template:

6
mongo/variables.tf
View File

@@ -18,11 +18,11 @@ variable "username" {
type = string
default = ""
}
variable "version" {
variable "mongo_version" {
type = string
default = "6.3.2"
default = "6.0.13"
}
variable "type" {
variable "mongo_type" {
type = string
default = "ReplicaSet"
}

42
oauth2/oauth2.tf
View File

@@ -4,29 +4,9 @@ locals {
"app.kubernetes.io/component" = "authentik-oauth2"
})
}
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
labels = local.oauth2_labels
}
resource "random_password" "client_id" {
length = 32
special = false
}
data "authentik_certificate_key_pair" "ca" {
@@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" {
resource "authentik_provider_oauth2" "oauth2" {
name = "${local.app_slug}"
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
client_id = random_password.client_id.result
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential"
@@ -57,10 +37,21 @@ resource "authentik_provider_oauth2" "oauth2" {
signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [
"https://${var.dns_name}/${var.redirect_path}"
"https://${var.redirect_path!=""?"${var.dns_name}/${var.redirect_path}":"${var.dns_name}"}"
]
}
resource "kubernetes_secret_v1" "oauth2-client-id" {
metadata {
name = "${local.app_slug}-id"
namespace = var.namespace
labels = local.oauth2_labels
}
data = {
client-id = random_password.client_id.result
}
}
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${local.app_slug}-secret"
@@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
labels = local.oauth2_labels
}
data = {
client-id = random_password.client_id.result
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}

17
oauth2/outputs.tf
View File

@@ -18,8 +18,21 @@ output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
}
output "client_id" {
value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
value = random_password.client_id.result
}
output "client_secret" {
value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
value = authentik_provider_oauth2.oauth2.client_secret
}
output "secret_client_id_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
}
output "secret_client_secret_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
}
output "secret_client_id_key" {
value = "client-id"
}
output "secret_client_secret_key" {
value = "client-secret"
}

4
redis/outputs.tf
View File

@@ -1,6 +1,6 @@
output "host" {
value = "${var.app_slug}-redis.${var.namespace}.svc"
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "url" {
value = "redis://${var.app_slug}-redis.${var.namespace}.svc:6379"
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
}

4
redis/redis.tf
View File

@@ -1,6 +1,6 @@
locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
redis-labels = merge(local.labels, {
redis-labels = merge(var.labels, {
"app.kubernetes.io/component" = "redis"
})
cfg = merge({
@@ -23,7 +23,7 @@ resource "kubectl_manifest" "redis" {
namespace: "${var.namespace}"
labels: ${jsonencode(local.redis-labels)}
spec:
kubernetesConfig: ${jsonencode(cfg)}
kubernetesConfig: ${jsonencode(local.cfg)}
storage:
volumeClaimTemplate:
spec:

26
saml/outputs.tf
View File

@@ -1,3 +1,27 @@
output "app_id" {
value = "${local.app_slug}-saml"
}
output "provider-id" {
value = authentik_provider_saml.prj.id
}
}
output "issuer" {
value = authentik_provider_saml.prj.issuer
}
output "url_slo_post" {
value = authentik_provider_saml.prj.url_slo_post
}
output "url_slo_redirect" {
value = authentik_provider_saml.prj.url_slo_redirect
}
output "url_sso_init" {
value = authentik_provider_saml.prj.url_sso_init
}
output "url_sso_post" {
value = authentik_provider_saml.prj.url_sso_post
}
output "url_sso_redirect" {
value = authentik_provider_saml.prj.url_sso_redirect
}
output "certificate_data" {
value = data.authentik_certificate_key_pair.generated.certificate_data
}

23
saml/saml.tf
View File

@@ -1,6 +1,6 @@
locals{
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
saml_labels = merge(var.labels, {
saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml"
})
}
@@ -12,7 +12,7 @@ data "authentik_flow" "default-authentication-flow" {
}
data "authentik_property_mapping_saml" "saml_maps" {
managed_list = [
managed_list = var.group_mapping==null?[
"goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/groups",
"goauthentik.io/providers/saml/name",
@@ -20,9 +20,24 @@ data "authentik_property_mapping_saml" "saml_maps" {
"goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname",
]:[
"goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/name",
"goauthentik.io/providers/saml/upn",
"goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname",
]
}
resource "authentik_property_mapping_saml" "mapping" {
count = var.group_mapping==null?0:1
friendly_name = "groups"
name = "${local.app_slug} Group mapping"
saml_name = "http://schemas.xmlsoap.org/claims/Group"
expression = var.group_mapping
}
data "authentik_property_mapping_saml" "saml_name" {
managed = "goauthentik.io/providers/saml/username"
}
@@ -54,9 +69,11 @@ resource "authentik_provider_saml" "prj" {
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
property_mappings = var.group_mapping==null?data.authentik_property_mapping_saml.saml_maps.ids:concat(data.authentik_property_mapping_saml.saml_maps.ids,[authentik_property_mapping_saml.mapping[0].id])
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
signing_kp = data.authentik_certificate_key_pair.generated.id
sp_binding = var.binding
audience = var.audience
issuer = var.saml_issuer
}

15
saml/variables.tf
View File

@@ -17,6 +17,21 @@ variable "binding" {
type = string
default = "post"
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "group_mapping" {
type = string
default = null
}
variable "audience" {
type = string
default = null
}
variable "saml_issuer" {
type = string
default = null
}

4
service/outputs.tf
View File

@@ -1,9 +1,9 @@
output "name" {
value = "${var.app_slug}"
value = "${local.app_slug}"
}
output "default_definition" {
value = {
"name" = "${var.app_slug}"
"name" = "${local.app_slug}"
"port" = {
"number" = var.ports[0]
}

7
service/svc.tf
View File

@@ -1,4 +1,5 @@
locals {
selector = var.selector==null?var.labels:var.selector
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
"name" = target
@@ -35,7 +36,7 @@ locals {
"ClusterIP" = {
type = "ClusterIP"
ports = local.cluster_ports
selector = var.labels
selector = local.selector
},
"ExternalName" = {
type = "ExternalName"
@@ -44,12 +45,12 @@ locals {
},
"NodePort" = {
type = "NodePort"
selector = var.labels
selector = local.selector
ports = local.node_ports
},
"LoadBalancer" = {
type = "LoadBalancer"
selector = var.labels
selector = local.selector
ports = local.lb_ports
externalTrafficPolicy = var.lb_policy
}

4
service/variables.tf
View File

@@ -10,6 +10,10 @@ variable "namespace" {
variable "labels" {
type = map(string)
}
variable "selector" {
type = map(string)
default = null
}
variable "annotations" {
type = map(string)
default = {}