Refacto and add modules

.ci-img.yml

@@ -1,5 +0,0 @@
----
-lint:
-  image: ghcr.io/terraform-linters/tflint
-opentofu:
-  image: ghcr.io/opentofu/opentofu:latest

.gitignore

@@ -1 +0,0 @@
-.terraform*

ak-gatekeeper/ak_provider.tf

@@ -1,17 +0,0 @@
-data "authentik_flow" "proxy_authorization_flow" {
-  depends_on = [data.kubernetes_secret_v1.authentik]
-  slug       = "default-provider-authorization-implicit-consent"
-}
-data "authentik_flow" "default_invalidation_flow" {
-  depends_on = [data.kubernetes_secret_v1.authentik]
-  slug       = "default-provider-invalidation-flow"
-}
-
-resource "authentik_provider_proxy" "app_proxy_provider" {
-  name                  = "${local.app_slug}-provider"
-  external_host         = local.external_url
-  authorization_flow    = data.authentik_flow.proxy_authorization_flow.id
-  mode                  = "forward_single"
-  access_token_validity = var.access_token_validity
-  invalidation_flow     = data.authentik_flow.default_invalidation_flow.id
-}

ak-gatekeeper/common.tf

@@ -1,15 +0,0 @@
-data "kubernetes_secret_v1" "authentik" {
-  metadata {
-    name      = "authentik"
-    namespace = "${var.domain}-auth"
-  }
-}
-locals {
-  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-  ak_gatekeeper_labels = merge(var.labels, {
-    "app.kubernetes.io/component" = "ak-gatekeeper"
-  })
-  authentik_url   = "http://authentik-authentik.${var.domain}-auth.svc"
-  authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
-  external_url    = format("https://%s", var.dns_name)
-}

ak-gatekeeper/middleware.tf

@@ -1,15 +0,0 @@
-resource "kubectl_manifest" "middleware" {
-  yaml_body = <<-EOF
-    apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-        name: "${local.app_slug}-gatekeeper"
-        namespace: "${var.namespace}"
-        labels: ${jsonencode(local.ak_gatekeeper_labels)}
-    spec:
-      forwardAuth:
-        address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeaders: ${jsonencode(var.response_headers)}
-  EOF
-}

ak-gatekeeper/outpost.tf

@@ -1,32 +0,0 @@
-locals {
-  request_headers = {
-    "Content-Type" = "application/json"
-    Authorization  = "Bearer ${local.authentik_token}"
-  }
-  outposts = jsondecode(data.http.get_proxy_outpost.response_body).results
-  outpost_providers = local.outposts[0].providers
-  outpost_pk = local.outposts[0].pk
-}
-
-
-data "http" "get_proxy_outpost" {
-  depends_on      = [data.kubernetes_secret_v1.authentik]
-  url             = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
-  method          = "GET"
-  request_headers = local.request_headers
-  lifecycle {
-    postcondition {
-      condition     = contains([200], self.status_code)
-      error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
-    }
-  }
-}
-
-
-resource "restapi_object" "proxy_outpost_binding" {
-  path = "/outposts/instances/${local.outpost_pk}/"
-  data = jsonencode({
-    name      = "${var.domain}-proxy-outpost"
-    providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
-  })
-}

ak-gatekeeper/outpost_read.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-set -e
-
-CURL_OPTIONS="-sL"
-if [ ! -z ${INSECURE_CURL+x} ]; then
- CURL_OPTIONS="${CURL_OPTIONS} -k"
-fi
-OUTPUT_FILE=$(mktemp)
-HTTP_CODE=$(curl $CURL_OPTIONS \
-  --output $OUTPUT_FILE \
-  --write-out "%{http_code}" \
-  -H "Accept: application/json" \
-  -H "Authorization: Bearer ${AK_TOKEN}" \
-  "${AK_BASEURL}/api/v3/outposts/instances/${AK_OUTPOST_ID}/")
-if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]] ; then
-  >&2 cat $OUTPUT_FILE
-  rm $OUTPUT_FILE
-  exit 2
-fi
-cat | jq -r ".results"
-rm $OUTPUT_FILE

ak-gatekeeper/outputs.tf

@@ -1,6 +0,0 @@
-output "provider_id" {
-  value = authentik_provider_proxy.app_proxy_provider.id
-}
-output "middleware" {
-  value = kubectl_manifest.middleware.name
-}

ak-gatekeeper/providers.tf

@@ -1,25 +0,0 @@
-terraform {
-  required_version = ">= 1.0"
-  required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> 2.20.0"
-    }
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = "~> 1.14.0"
-    }
-    authentik = {
-      source  = "registry.terraform.io/goauthentik/authentik"
-      version = "2024.10.0"
-    }
-    http = {
-      source  = "hashicorp/http"
-      version = "~> 3.3.0"
-    }
-    restapi = {
-      source  = "Mastercard/restapi"
-      version = "~> 1.18.0"
-    }
-  }
-}

ak-gatekeeper/variables.tf

@@ -1,64 +0,0 @@
-variable "component" {
-  type = string
-}
-
-variable "instance" {
-  type = string
-}
-
-variable "domain" {
-  type = string
-}
-
-variable "namespace" {
-  type = string
-}
-
-variable "labels" {
-  type = map(string)
-}
-
-variable "dns_name" {
-  type = string
-}
-
-variable "access_token_validity" {
-  type    = string
-  default = "hours=10" // ;minutes=10
-}
-
-variable "response_headers" {
-  type = list(string)
-  description = "List of sended headers from authentik to web application"
-  default = [
-    "X-authentik-username",
-    "X-authentik-email",
-    "X-authentik-groups",
-    "X-authentik-name",
-    "X-authentik-uid",
-    "X-authentik-jwt",
-    "X-authentik-meta-jwks",
-    "X-authentik-meta-outpost",
-    "X-authentik-meta-provider",
-    "X-authentik-meta-app",
-    "X-authentik-meta-version",
-  ]
-  validation {
-    condition = alltrue(
-      [for header in var.response_headers : contains([
-        "X-authentik-username",
-        "X-authentik-email",
-        "X-authentik-groups",
-        "X-authentik-name",
-        "X-authentik-uid",
-        "X-authentik-jwt",
-        "X-authentik-meta-jwks",
-        "X-authentik-meta-outpost",
-        "X-authentik-meta-provider",
-        "X-authentik-meta-app",
-        "X-authentik-meta-version",
-      ], header)]
-    )
-    error_message = "Only som headers are allowed by authentik"
-  }
-}

application/application.tf

@@ -1,45 +1,9 @@
 locals {
-  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-  application_labels = merge(var.labels, {
-    "app.kubernetes.io/component" = "authentik-application"
-  })
-  app_name    = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
-  main_group  = format("app-%s", local.app_slug)
-  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
-  dns_name    = var.dns_name != "" ? var.dns_name : var.rule_mapper.host
-  url_icon    = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", local.dns_name, var.icon)
-  backend     = var.rule_mapper.paths[0].backend
-  rules_icons = [{
-    "host" = local.dns_name
-    "http" = {
-      "paths" = [{
-        "path"     = "/${var.icon}"
-        "pathType" = "Prefix"
-        "backend"  = local.backend
-      }]
-    }
-  }]
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_name   = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
+  main_group = format("app-%s", local.app_slug)
+  url_icon   = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", var.dns_name, var.icon)
 }
-
-resource "kubectl_manifest" "ingress_icon" {
-  count           = startswith(var.icon, "fa-") ? 0 : 1
-  force_conflicts = true
-  yaml_body       = <<-EOF
-    apiVersion: "networking.k8s.io/v1"
-    kind: "Ingress"
-    metadata:
-      name: "${local.app_slug}-icons"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.application_labels)}
-    spec:
-      ingressClassName: "${var.ingress_class}"
-      rules: ${jsonencode(local.rules_icons)}
-      tls:
-      - secretName: "${local.secret_name}"
-        hosts: ${jsonencode([local.dns_name])}
-  EOF
-}
-
 data "authentik_group" "akadmin" {
   name = "authentik Admins"
 }
@@ -60,7 +24,7 @@ resource "authentik_application" "app" {
   group                 = var.app_group
   protocol_provider     = var.protocol_provider
   backchannel_providers = var.backchannel_providers
-  meta_launch_url       = format("https://%s", local.dns_name)
+  meta_launch_url       = format("https://%s", var.dns_name)
   meta_icon             = local.url_icon
 }
 

application/outputs.tf

@@ -5,11 +5,6 @@ output "application_id" {
 output "policy_id" {
   value = authentik_policy_expression.policy.id
 }
-
 output "main_group" {
   value = local.main_group
 }
-
-output "main_group_id" {
-  value = authentik_group.groups.id
-}

application/providers.tf

@@ -1,13 +1,8 @@
 terraform {
-  required_version = ">= 1.0"
   required_providers {
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = "~> 1.14.0"
-    }
     authentik = {
-      source  = "registry.terraform.io/goauthentik/authentik"
-      version = "2024.10.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
     }
   }
 }

application/variables.tf

@@ -15,9 +15,7 @@ variable "protocol_provider" {
   default = null
 }
 variable "dns_name" {
-  type        = string
-  description = "Deprecated, use rule_mapper"
-  default = ""
+  type = string
 }
 variable "app_name" {
   type    = string
@@ -32,46 +30,3 @@ variable "backchannel_providers" {
   type    = list(number)
   default = null
 }
-
-variable "ingress_class" {
-  type    = string
-  default = "traefik"
-}
-
-variable "rule_mapper" {
-  type = object({
-    host = string
-    paths = list(object({
-      path = optional(string)
-      type = optional(string)
-      backend = object({
-        service = object({
-          name = string
-          port = object({
-            name = string
-          })
-        })
-      })
-    }))
-  })
-  default = {
-    host  = "not.defined"
-    paths = []
-  }
-}
-
-variable "cert_name" {
-  type        = string
-  default     = ""
-  description = "Give a secret name for tls, if empty will use the ingress cert_name"
-}
-
-variable "namespace" {
-  type    = string
-  default = ""
-}
-
-variable "labels" {
-  type    = map(string)
-  default = {}
-}

forward/forward.tf

@@ -3,11 +3,42 @@ locals {
   forward_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "authentik-forward"
   })
-  external_url = format("https://%s", var.dns_name)
+  main_group   = format("app-%s", var.app_name)
+  external_url = format("https://%s", var.dns_names[0])
+  rules_icons = [for v in var.dns_names : {
+    "host" = "${v}"
+    "http" = {
+      "paths" = [{
+        "backend" = {
+          "service" = var.service
+        }
+        "path"     = "/${var.icon}"
+        "pathType" = "Prefix"
+      }]
+    }
+  }]
   forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
   forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
 }
 
+resource "kubectl_manifest" "ingress_icon" {
+  force_conflicts = true
+  yaml_body       = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${local.app_slug}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.forward_labels)}
+    spec:
+      ingressClassName: "${var.ingress_class}"
+      rules: ${jsonencode(local.rules_icons)}
+      tls:
+      - hosts: ${jsonencode(var.dns_names)}
+        secretName: "${var.instance}-cert"
+  EOF
+}
+
 data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
@@ -22,7 +53,7 @@ resource "authentik_provider_proxy" "forward" {
 
 data "http" "get_forward_outpost" {
   depends_on      = [authentik_provider_proxy.forward]
-  url             = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
   method          = "GET"
   request_headers = var.request_headers
   lifecycle {

forward/variables.tf

@@ -18,15 +18,37 @@ variable "labels" {
   type = map(string)
 }
 
-variable "dns_name" {
+variable "ingress_class" {
   type = string
 }
 
+variable "icon" {
+  type = string
+}
+
+variable "dns_names" {
+  type = list(string)
+}
+
 variable "access_token_validity" {
   type    = string
   default = "hours=10" // ;minutes=10
 }
 
+variable "app_name" {
+  type    = string
+  default = ""
+}
+
+variable "service" {
+  type = object({
+    name = string
+    port = object({
+      number = number
+    })
+  })
+}
+
 variable "request_headers" {
   type = map(string)
 }

ingress/ingress.tf

@@ -4,22 +4,23 @@ locals {
   pres_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "presentation"
   })
-  rules = [for rule in var.rules_mapper : {
-    "host" = rule.host
+  rules = [for v in var.dns_names : {
+    "host" = "${v}"
     "http" = {
-      "paths" = [for mapper in rule.paths : {
+      "paths" = [for mapper in var.services_mapping : {
         "path"     = "/${mapper.path}"
-        "pathType" = mapper.type != null && mapper.type != "" ? mapper.type : "Prefix"
-        "backend"  = mapper.backend
+        "pathType" = "Prefix"
+        "backend" = {
+          "service" = mapper.service
+        }
       }]
     }
   }]
-  dns_names   = [for rule in var.rules_mapper : rule.host]
   secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
   tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
     {
       secretName = local.secret_name
-      hosts      = local.dns_names
+      hosts      = var.dns_names
     }
   ] : []
   middlewares = concat(
@@ -31,7 +32,7 @@ locals {
       "traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint
     } : {},
     length(local.middlewares) > 0 ? {
-      "traefik.ingress.kubernetes.io/router.middlewares" : join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])
+      "traefik.ingress.kubernetes.io/router.middlewares" : "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
     } : {},
   )
 }
@@ -47,7 +48,7 @@ resource "kubectl_manifest" "certificate" {
       labels: ${jsonencode(local.pres_labels)}
     spec:
         secretName: "${local.secret_name}"
-        dnsNames: ${jsonencode(local.dns_names)}
+        dnsNames: ${jsonencode(var.dns_names)}
         issuerRef:
           kind: "ClusterIssuer"
           name: "${var.issuer}"

ingress/variables.tf

@@ -17,28 +17,24 @@ variable "ingress_class" {
 variable "labels" {
   type = map(string)
 }
+variable "dns_names" {
+  type = list(string)
+}
 variable "middlewares" {
   type    = list(string)
   default = []
 }
 
-variable "rules_mapper" {
+variable "services_mapping" {
   type = list(object({
-    host = string
-    paths = list(object({
-      path = optional(string)
-      type = optional(string)
-      backend = object({
-        service = object({
-          name = string
-          port = object({
-            name = string
-          })
-        })
+    path = optional(string)
+    service = object({
+      name= string
+      port = object({
+        number = number
       })
-    }))
+    })
   }))
-  description = "Simplified rules mapper for ingress"
 }
 
 variable "entrypoint" {

ldap/ldap.tf

@@ -6,7 +6,7 @@ locals {
   base_dn                = format("dc=%s", join(",dc=", split(".", var.dns_name)))
   base_group_dn          = format("ou=groups,%s", local.base_dn)
   base_user_dn           = format("ou=users,%s", local.base_dn)
-  authentik_base_url     = "http://authentik-authentik.${var.domain}-auth.svc"
+  authentik_base_url     = "http://authentik.${var.domain}-auth.svc"
   ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
   ldap_outpost_pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
 
@@ -30,7 +30,7 @@ data "authentik_group" "vynil_admin" {
 resource "authentik_group" "groups" {
   count      = length(local.sorted_groups)
   name       = local.sorted_groups[count.index].name
-  attributes = jsonencode({ local.app_name = true })
+  attributes = jsonencode({ "${local.app_name}" = true })
 }
 
 data "authentik_group" "readed_groups" {

oauth2/oauth2.tf

@@ -1,51 +1,44 @@
 locals {
-  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-  main_group = format("kydah-%s", local.app_slug)
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
   oauth2_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "authentik-oauth2"
   })
-  cert_signing = var.cert_sign_secret_name != ""
-  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
+}
+resource "kubectl_manifest" "oauth2_secret" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body     = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${local.app_slug}-id"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.oauth2_labels)}
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "client-id"
+        length: "32"
+  EOF
+}
+data "kubernetes_secret_v1" "oauth2_client_id" {
+  depends_on = [kubectl_manifest.oauth2_secret]
+  metadata {
+    name      = kubectl_manifest.oauth2_secret.name
+    namespace = var.namespace
+    labels    = local.oauth2_labels
+  }
 }
 
-resource "random_uuid" "client_id" {
-}
-
-# resource "kubectl_manifest" "secret_gen" {
-#   yaml_body = <<-EOF
-#     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-#     kind: "StringSecret"
-#     metadata:
-#       name: "${local.app_slug}-oauth2"
-#       namespace: "${var.namespace}"
-#       labels: ${jsonencode(local.oauth2_labels)}
-#       ownerReferences: ${jsonencode(var.owner_references)}
-#     spec:
-#       forceRegenerate: false
-#       fields:
-#       - fieldName: "client_id"
-#         length: "32"
-#   EOF
-# }
-# data "kubernetes_secret_v1" "secret_gen" {
-#   metadata {
-#     name      = kubectl_manifest.secret_gen.name
-#     namespace = var.namespace
-#   }
-# }
 data "authentik_certificate_key_pair" "ca" {
   name = "authentik Self-signed Certificate"
 }
 
-resource "authentik_property_mapping_provider_scope" "app_scope" {
-  count      = var.scope_attributes != "" ? 1 : 0
-  name       = local.app_slug
-  scope_name = local.app_slug
-  expression = var.scope_attributes
-}
-
-data "authentik_property_mapping_provider_scope" "oauth2" {
-  managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
+data "authentik_scope_mapping" "oauth2" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-profile"
+  ]
 }
 data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
@@ -53,65 +46,38 @@ data "authentik_flow" "default_authorization_flow" {
 data "authentik_flow" "default_authentication_flow" {
   slug = "default-authentication-flow"
 }
-data "authentik_flow" "default_invalidation_flow" {
-  slug = "default-provider-invalidation-flow"
+
+resource "authentik_provider_oauth2" "oauth2" {
+  name                = local.app_slug
+  client_id           = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
+  authentication_flow = data.authentik_flow.default_authentication_flow.id
+  authorization_flow  = data.authentik_flow.default_authorization_flow.id
+  client_type         = "confidential"
+  sub_mode            = "user_username"
+  signing_key         = data.authentik_certificate_key_pair.ca.id
+  property_mappings   = data.authentik_scope_mapping.oauth2.ids
+  redirect_uris = [
+    "https://${var.dns_name}/${var.redirect_path}"
+  ]
 }
 
-resource "authentik_group" "app_group" {
-  name       = local.main_group
-  attributes = jsonencode({
-    "${local.app_slug}" = {
-      "kydah_instance"  = var.instance
-      "kydah_component" = var.component
-    }
-  })
-}
-
-resource "authentik_group" "sub_groups" {
-  for_each = var.group_mapping
-  name     = format("%s-%s", local.main_group, each.key)
-  parent   = authentik_group.app_group.id
-  attributes = jsonencode({
-    "${local.app_slug}" = {
-      "kydah_instance"  = var.instance
-      "kydah_component" = var.component
-      "kydah_app_group" = each.value
-    }
-  })
-}
-
-data "kubernetes_secret_v1" "signing_cert" {
-  count = var.cert_sign_secret_name != "" ? 1 : 0
+resource "kubernetes_secret_v1" "oauth2_client_secret" {
   metadata {
-    name      = var.cert_sign_secret_name
+    name      = "${local.app_slug}-secret"
     namespace = var.namespace
+    labels    = local.oauth2_labels
+  }
+  data = {
+    client-secret = authentik_provider_oauth2.oauth2.client_secret
   }
 }
 
-resource "authentik_certificate_key_pair" "name" {
-  count            = local.cert_signing ? 1 : 0
-  name             = "${local.app_slug} Signing"
-  certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
-  key_data         = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
-}
-
-resource "authentik_provider_oauth2" "oauth2" {
-  depends_on          = [authentik_property_mapping_provider_scope.app_scope]
-  name                = local.app_slug
-  client_id           = random_uuid.client_id.result
-  authentication_flow = data.authentik_flow.default_authentication_flow.id
-  authorization_flow  = data.authentik_flow.default_authorization_flow.id
-  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id
-  client_type         = var.client_type
-  sub_mode            = "user_username"
-  signing_key         = local.signing_id
-  property_mappings = concat(
-    data.authentik_property_mapping_provider_scope.oauth2.ids,
-    var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
-  )
-  redirect_uris = [
-    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
-  ]
+data "kubernetes_secret_v1" "oauth2_client_secret" {
+  depends_on = [kubernetes_secret_v1.oauth2_client_secret]
+  metadata {
+    name      = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
+    namespace = var.namespace
+  }
 }
 
 data "kubernetes_ingress_v1" "authentik" {
@@ -120,33 +86,3 @@ data "kubernetes_ingress_v1" "authentik" {
     namespace = "${var.domain}-auth"
   }
 }
-
-resource "kubectl_manifest" "oauth2_client_secret" {
-  # force_new = true
-  yaml_body = <<-EOF
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: "${local.app_slug}-oauth2"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.oauth2_labels)}
-      ownerReferences: ${jsonencode(var.owner_references)}
-    data:
-      oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
-      client_id: "${base64encode(random_uuid.client_id.result)}"
-      client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
-  EOF
-}
-
-# resource "kubernetes_secret" "oauth2_client_secret" {
-#   metadata {
-#     name      = "${local.app_slug}-oauth2"
-#     namespace = var.namespace
-#     labels    = local.oauth2_labels
-#   }
-#   data = {
-#     oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
-#     client_id     = data.kubernetes_secret_v1.secret_gen.data["client_id"]
-#     client_secret = authentik_provider_oauth2.oauth2.client_secret
-#   }
-# }

oauth2/outputs.tf

@@ -5,32 +5,34 @@ output "provider_id" {
 output "sso_signout_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/"
 }
-
 output "sso_configuration_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
 }
-
 output "sso_userinfo_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/"
 }
-
 output "sso_authorize_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
 }
-
 output "sso_token_url" {
   value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
 }
-
 output "client_id" {
-  value = random_uuid.client_id.result
+  value = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
 }
-
 output "client_secret" {
-  value = authentik_provider_oauth2.oauth2.client_secret
+  value = data.kubernetes_secret_v1.oauth2_client_secret.data["client-secret"]
 }
 
-output "oauth2_secret_name" {
-  value = kubectl_manifest.oauth2_client_secret.name
+output "secret_client_id_name" {
+  value = kubectl_manifest.oauth2_secret.name
+}
+output "secret_client_secret_name" {
+  value = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
+}
+output "secret_client_id_key" {
+  value = "client-id"
+}
+output "secret_client_secret_key" {
+  value = "client-secret"
 }
-

oauth2/providers.tf

@@ -1,6 +1,5 @@
 
 terraform {
-  required_version = ">= 1.0"
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"
@@ -11,12 +10,8 @@ terraform {
       version = "~> 1.14.0"
     }
     authentik = {
-      source  = "registry.terraform.io/goauthentik/authentik"
-      version = "2024.10.0"
-    }
-    random = {
-      source = "hashicorp/random"
-      version = "3.6.3"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
     }
   }
 }

oauth2/variables.tf

@@ -20,41 +20,3 @@ variable "redirect_path" {
   type    = string
   default = ""
 }
-variable "group_mapping" {
-  type = map(string)
-  default = {}
-  description = "Group mapping where key is authentik suffix group name and value is the application group name"
-}
-variable "owner_references" {
-  type = list(object({}))
-  description = "Adding owner references"
-  default = []
-}
-variable "scopes" {
-  type = list(string)
-  description = "List of default scope allowed"
-  default = [
-    "scope-email",
-    "scope-openid",
-    "scope-profile",
-  ]
-}
-variable "scope_attributes" {
-  type = string
-  description = "Authentik expression for scope mapping"
-  default = ""
-}
-variable "client_type" {
-  type = string
-  description = "OAuth client type confidential / public(PKCE)"
-  default = "confidential"
-  validation {
-    condition     = contains(["confidential", "public"], var.client_type)
-    error_message = "Only empty confidential or public is allowed"
-  }
-}
-variable "cert_sign_secret_name" {
-  type = string
-  description = "The name of the secret for signing JWT (if empty use authentik default)"
-  default = ""
-}

postgresql/providers.tf

@@ -1,10 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
   required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> 2.20.0"
-    }
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.14.0"

postgresql/variables.tf

@@ -25,25 +25,21 @@ variable "backups" {
     "use_barman"  = false
   }
   type = object({
-    enable     = optional(bool, false),
-    endpoint   = optional(string, ""),
-    key_id_key = optional(string, "s3-id"),
-    restic_key = optional(string, "bck-password"),
+    enable     = optional(bool),
+    endpoint   = optional(string),
+    key_id_key = optional(string),
+    restic_key = optional(string),
     schedule = optional(object({
-      db = string,
-    }), { db = "30 3 * * *" }),
-    secret_key  = optional(string, "s3-secret"),
-    secret_name = optional(string, "backup-settings"),
-    use_barman  = optional(bool, false)
+      db = optional(string),
+    })),
+    secret_key  = optional(string),
+    secret_name = optional(string),
+    use_barman  = optional(bool)
   })
 }
 variable "images" {
   type = object({
-    postgresql = optional(object({
-      registry = optional(string),
-      repository = optional(string),
-      tag = optional(number)
-    })),
+    postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
   })
   default = {
     "postgresql" = {

pvc/providers.tf

@@ -1,13 +1,8 @@
 terraform {
-  required_version = ">= 1.0"
   required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> 2.20.0"
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
-    # kubectl = {
-    #   source  = "gavinbunney/kubectl"
-    #   version = "~> 1.14.0"
-    # }
   }
 }

pvc/pvc.tf

@@ -3,60 +3,28 @@ locals {
   pvc_labels = merge(var.labels, {
     "app.kubernetes.io/component" = "pvc"
   })
-  pvc_annotations = {
-    "k8up.io/backup" = var.backup
-    "resize.kubesphere.io/storage_limit" = var.storage.max_size
-  }
-  # pvc_spec = merge({
-  #   "accessModes" = [var.storage.access_mode]
-  #   "volumeMode"  = var.storage.type
-  #   "resources" = {
-  #     "requests" = {
-  #       "storage" = var.storage.size
-  #     }
-  #   }
-  #   }, var.storage.class != "" ? {
-  #   "storageClassName" = var.storage.class
-  # } : {})
-}
-# resource "kubectl_manifest" "pvc" {
-#   ignore_fields = [
-#     "spec.resources.requests.storage",
-#     "spec.storageClassName",
-#   ]
-#   yaml_body = <<-EOF
-#     apiVersion: v1
-#     kind: PersistentVolumeClaim
-#     metadata:
-#       name: ${local.app_slug}
-#       namespace: "${var.namespace}"
-#       annotations:
-#         k8up.io/backup: "${var.backup}"
-#         resize.kubesphere.io/storage_limit: "${var.storage.max_size}"
-#       labels: ${jsonencode(local.pvc_labels)}
-#     spec: ${jsonencode(local.pvc_spec)}
-#   EOF
-# }
-resource "kubernetes_persistent_volume_claim_v1" "pvc" {
-  metadata {
-    name = local.app_slug
-    namespace = var.namespace
-    annotations = local.pvc_annotations
-    labels = local.pvc_labels
-  }
-  spec {
-    access_modes = [var.storage.access_mode]
-    resources {
-      requests = {
-        storage = var.storage.size
+  pvc_spec = merge({
+    "accessModes" = [var.storage.access_mode]
+    "volumeMode"  = var.storage.type
+    "resources" = {
+      "requests" = {
+        "storage" = "${var.storage.size}"
       }
     }
-    storage_class_name = var.storage.class
-  }
-  lifecycle {
-    ignore_changes = [
-      spec[0].resources[0].requests[0],
-      spec[0].storage_class_name,
-     ]
-  }
-}
+    }, var.storage.class != "" ? {
+    "storageClassName" = var.storage.class
+  } : {})
+}
+resource "kubectl_manifest" "pvc" {
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: ${local.app_slug}
+      namespace: "${var.namespace}"
+      annotations:
+        k8up.io/backup: "${var.backup}"
+      labels: ${jsonencode(local.pvc_labels)}
+    spec: ${jsonencode(local.pvc_spec)}
+  EOF
+}

pvc/variables.tf

@@ -12,15 +12,20 @@ variable "labels" {
 }
 variable "storage" {
   type = object({
-    access_mode = optional(string, "ReadWriteOnce"),
-    class       = optional(string, ""),
-    size        = optional(string, "2Gi"),
-    max_size    = optional(string, "10Gi"),
-    type        = optional(string, "Filesystem")
+    access_mode = optional(string),
+    class      = optional(string),
+    size       = optional(string),
+    type       = optional(string)
   })
+  default = {
+    "access_mode" = "ReadWriteOnce"
+    "class"      = ""
+    "size"       = "10Gi"
+    "type"       = "Filesystem"
+  }
 }
 
 variable "backup" {
-  type    = bool
+  type = bool
   default = true
 }

rabbitmq/outputs.tf

@@ -1,23 +0,0 @@
-output "conn_string" {
-  value = "mqtt://${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["password"])}@${local.app_slug}-mq.${var.namespace}.svc:1883"
-}
-
-output "service" {
-  value = "${local.app_slug}-mq.${var.namespace}.svc"
-}
-
-output "db_host" {
-  value = "${local.app_slug}-mq"
-}
-
-output "db_port" {
-  value = "1883"
-}
-
-output "cert_secret_name" {
-  value = local.secret_name
-}
-
-output "user_secret_name" {
-  value = "${local.app_slug}-user"
-}

rabbitmq/providers.tf

@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = "~> 1.14.0"
-    }
-  }
-}

rabbitmq/rabbitmq.tf

@@ -1,101 +0,0 @@
-locals {
-  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-  rabbit_labels = merge(var.labels, {
-    "app.kubernetes.io/component" = "rabbitmq"
-  })
-  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
-  pvc_spec = merge({
-    "storage" = var.storage.size
-    }, var.storage.class != "" ? {
-    "storageClassName" = var.storage.class
-  } : {})
-}
-
-resource "kubectl_manifest" "certificate" {
-  count     = var.cert_name == "" ? 1 : 0
-  yaml_body = <<-EOF
-    apiVersion: "cert-manager.io/v1"
-    kind: "Certificate"
-    metadata:
-      name: "${local.app_slug}"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.rabbit_labels)}
-    spec:
-        secretName: "${local.secret_name}"
-        dnsNames:
-        - "${local.app_slug}-mq.${var.namespace}.svc"
-        - "*.${local.app_slug}-mq-nodes.${var.namespace}.svc"
-        issuerRef:
-          kind: "ClusterIssuer"
-          name: "${var.issuer}"
-          group: "cert-manager.io"
-  EOF
-}
-
-resource "kubectl_manifest" "rabbit_secret" {
-  yaml_body = <<-EOF
-    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-    kind: "StringSecret"
-    metadata:
-      name: "${local.app_slug}-user"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.rabbit_labels)}
-    spec:
-      forceRegenerate: false
-      data:
-        username: "${var.instance}"
-        port: "5672"
-        host: "${local.app_slug}-mq.${var.namespace}.svc"
-      fields:
-      - fieldName: "password"
-        length: "32"
-  EOF
-}
-
-data "kubernetes_secret_v1" "rabbit_secret" {
-  depends_on = [kubectl_manifest.rabbit_secret]
-  metadata {
-    name      = "${local.app_slug}-user"
-    namespace = var.namespace
-    labels    = local.rabbit_labels
-  }
-}
-
-# based on https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples
-
-resource "kubectl_manifest" "rabbitmq" {
-  depends_on = [
-    kubectl_manifest.certificate,
-    kubectl_manifest.rabbit_secret,
-    data.kubernetes_secret_v1.rabbit_secret,
-  ]
-  yaml_body = <<-EOF
-    apiVersion: rabbitmq.com/v1beta1
-    kind: RabbitmqCluster
-    metadata:
-      name: "${local.app_slug}-mq"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.rabbit_labels)}
-    spec:
-      replicas: ${var.replicas}
-      image: "${var.image.registry}/${var.image.repository}:${var.image.tag}"
-      imagePullPolicy: "${var.image.pull_policy}"
-      persistence: ${jsonencode(local.pvc_spec)}
-      resources: ${jsonencode(var.resources)}
-      tls:
-        secretName: ${local.secret_name}
-      rabbitmq:
-        erlangInetConfig: |
-          {inet6, true}.
-        envConfig: |
-            SERVER_ADDITIONAL_ERL_ARGS="-kernel inetrc '/etc/rabbitmq/erl_inetrc'  -proto_dist inet6_tcp"
-            RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
-        additionalConfig: |
-          cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
-          default_user=${data.kubernetes_secret_v1.rabbit_secret.data["username"]}
-          default_pass=${data.kubernetes_secret_v1.rabbit_secret.data["password"]}
-        additionalPlugins: ${jsonencode(var.plugins)}
-      service:
-        ipFamilyPolicy: "PreferDualStack"
-  EOF
-}

rabbitmq/variables.tf

@@ -1,78 +0,0 @@
-variable "component" {
-  type = string
-}
-variable "instance" {
-  type = string
-}
-variable "namespace" {
-  type = string
-}
-variable "labels" {
-  type = map(string)
-}
-variable "issuer" {
-  type = string
-}
-variable "replicas" {
-  type    = number
-  default = 1
-}
-variable "image" {
-  type = object({
-    registry    = optional(string),
-    repository  = optional(string),
-    tag         = optional(string),
-    pull_policy = optional(string)
-  })
-  description = "Image parameters"
-  default = {
-    "registry"    = "docker.io"
-    "repository"  = "rabbitmq"
-    "tag"         = "3.11.28-management-alpine"
-    "pull_policy" = "IfNotPresent"
-  }
-}
-variable "storage" {
-  description = "Storage parameters"
-  type = object({
-    class = optional(string),
-    size  = optional(string),
-  })
-  default = {
-    class = ""
-    size  = "1Gi"
-  }
-}
-variable "resources" {
-  description = "Resources parameters"
-  type = object({
-    requests = optional(object({
-      cpu    = optional(string),
-      memory = optional(string)
-    })),
-    limits = optional(object({
-      cpu    = optional(string),
-      memory = optional(string)
-    }))
-  })
-  default = {
-    requests = {
-      cpu    = "1000m",
-      memory = "2Gi"
-    },
-    limits = {
-      cpu    = "1000m",
-      memory = "2Gi"
-    }
-  }
-}
-variable "cert_name" {
-  type        = string
-  default     = ""
-  description = "Give a secret name for tls, if empty a new one will be created"
-}
-variable "plugins" {
-  description = "RabitMQ plugins"
-  type        = list(string)
-  default     = ["rabbitmq_mqtt", "rabbitmq_web_mqtt"]
-}

redis/outputs.tf

@@ -1,15 +1,11 @@
 output "conn_string" {
-  value = "tcp://${local.app_slug}-redis.${var.namespace}.svc:6379"
+  value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
 }
 
 output "service" {
   value = "${local.app_slug}-redis.${var.namespace}.svc"
 }
 
-output "port" {
-  value = 6379
-}
-
 output "db_host" {
   value = "${local.app_slug}-redis"
 }

redis/redis.tf

@@ -5,7 +5,7 @@ locals {
   })
   cfg = merge({
     "image"           = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
-    "imagePullPolicy" = var.images.redis.pull_policy
+    "imagePullPolicy" = "${var.images.redis.pull_policy}"
     }, lookup(var.password, "enabled", false) ? {
     redisSecret = {
       name = lookup(var.password, "name", var.component)

redis/variables.tf

@@ -10,6 +10,10 @@ variable "namespace" {
 variable "labels" {
   type = map(string)
 }
+variable "annotations" {
+  type    = map(string)
+  default = {}
+}
 
 variable "images" {
   type = object({

saml/outputs.tf

@@ -1,11 +1,3 @@
-output "provider_id" {
+output "provider-id" {
   value = authentik_provider_saml.prj.id
 }
-
-output "metadata_url" {
-  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/api/v3/providers/saml/${authentik_provider_saml.prj.id}/metadata/?download"
-}
-
-output "saml_certificate_secret_name" {
-  value = "${local.app_slug}-saml"
-}

saml/providers.tf

@@ -1,10 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
   required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> 2.20.0"
-    }
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.14.0"

saml/saml.tf

@@ -60,9 +60,3 @@ resource "authentik_provider_saml" "prj" {
   sp_binding          = var.binding
 }
 
-data "kubernetes_ingress_v1" "authentik" {
-  metadata {
-    name      = "authentik"
-    namespace = "${var.domain}-auth"
-  }
-}

saml/variables.tf

@@ -4,12 +4,6 @@ variable "component" {
 variable "instance" {
   type = string
 }
-variable "namespace" {
-  type = string
-}
-variable "domain" {
-  type = string
-}
 variable "issuer" {
   type = string
 }

service/outputs.tf

@@ -1,15 +1,11 @@
 output "name" {
   value = local.app_slug
 }
-output "ingress_backend_exposure" {
-  value = [for port_map in var.port_mapper :
-    {
-      "service" = {
-        "name" = local.app_slug
-        "port" = {
-          "name" = port_map.name
-        }
-      }
+output "default_definition" {
+  value = {
+    "name" = "${local.app_slug}"
+    "port" = {
+      "number" = var.ports[0]
     }
-  ]
+  }
 }

service/providers.tf

@@ -1,5 +1,4 @@
 terraform {
-  required_version = ">= 1.0"
   required_providers {
     kubectl = {
       source  = "gavinbunney/kubectl"

service/svc.tf

@@ -1,16 +1,26 @@
 locals {
   app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
-  selector = length(var.selector) > 0 ? var.selector : var.labels
-  default_ports = var.svc_type != "NodePort" ? [for port_map in var.port_mapper : {
-    "name"       = lower(port_map.name != null && port_map.name != "" ? port_map.name : "${port_map.port}-${port_map.protocol}")
-    "port"       = port_map.port
-    "protocol"   = port_map.protocol
-    "targetPort" = port_map.target
+  cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
+    "name"       = target
+    "port"       = var.ports[idx]
+    "protocol"   = var.protocols[idx]
+    "targetPort" = target
   }] : []
-  node_ports = var.svc_type == "NodePort" ? [for port_map in var.port_mapper : {
-    "port"       = port_map.port
-    "targetPort" = port_map.target
-    "nodePort"   = port_map.port
+  ext_ports = var.svc_type == "ExternalName" ? [for idx, target in var.targets : {
+    "name"       = target
+    "port"       = var.ports[idx]
+    "protocol"   = var.protocols[idx]
+    "targetPort" = var.ports[idx]
+  }] : []
+  lb_ports = var.svc_type == "LoadBalancer" ? [for port in var.lb_ports : {
+    "port"       = port.port.number
+    "name"       = port.name
+    "targetPort" = port.port.number
+  }] : []
+  node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
+    "port"       = port
+    "targetPort" = port
+    "nodePort"   = var.node_ports[idx]
   }] : []
   metadata = merge(
     {
@@ -25,25 +35,25 @@ locals {
   spec = {
     "ClusterIP" = {
       type           = "ClusterIP"
-      ports          = local.default_ports
-      selector       = local.selector
+      ports          = local.cluster_ports
+      selector       = var.labels
       ipFamilyPolicy = var.ip_family
     },
     "ExternalName" = {
-      type         = "ExternalName"
-      externalName = var.target_host
-      ports        = local.default_ports
+      type           = "ExternalName"
+      externalName   = var.target_host
+      ports          = local.ext_ports
     },
     "NodePort" = {
       type           = "NodePort"
-      selector       = local.selector
+      selector       = var.labels
       ports          = local.node_ports
       ipFamilyPolicy = var.ip_family
     },
     "LoadBalancer" = {
       type                  = "LoadBalancer"
-      selector              = local.selector
-      ports                 = local.default_ports
+      selector              = var.labels
+      ports                 = local.lb_ports
       externalTrafficPolicy = var.lb_policy
       ipFamilyPolicy        = var.ip_family
     }
@@ -66,10 +76,9 @@ resource "kubectl_manifest" "endpoint" {
       name: "${local.app_slug}"
       namespace: "${var.namespace}"
       labels: ${jsonencode(var.labels)}
-      ownerReferences: ${jsonencode(var.owner_references)}
     subsets:
       - addresses:
           - ip: ${var.target_host}
-        ports:  ${jsonencode([for port_map in var.port_mapper : { "port" = port_map.port }])}
+        ports:  ${jsonencode([for port in var.ports : { "port" = port }])}
   EOF
 }

service/variables.tf

@@ -8,13 +8,7 @@ variable "namespace" {
   type = string
 }
 variable "labels" {
-  type        = map(string)
-  description = "Service labels"
-}
-variable "selector" {
-  type        = map(string)
-  description = "Service selector labels (default same as labels)"
-  default     = {}
+  type = map(string)
 }
 variable "annotations" {
   type    = map(string)
@@ -38,39 +32,43 @@ variable "ip_family" {
   }
 }
 
-variable "port_mapper" {
-  description = "List information for port mapping in the service"
-  type = list(object({
-    name     = optional(string)
-    port     = number
-    protocol = string
-    target   = string
-  }))
-  default = [{
-    "name"     = "80-TCP",
-    "port"     = 80,
-    "protocol" = "TCP"
-    "target"   = "80-TCP"
-  }]
-  validation {
-    condition = alltrue(
-      [for port_map in var.port_mapper : contains(["TCP", "UDP"], port_map.protocol)]
-    )
-    error_message = "Only numeric on containerPort and TCP or UDP on protocol is allowed"
-  }
-  # validation {
-  #   condition = (var.svc_type == "NodePort") == alltrue(
-  #     [for port_map in var.port_mapper : port_map.port >= 30000 && port_map.port <= 32767]
-  #   )
-  #   error_message = "The range of valid ports is 30000-32767 for a NodePort type"
-  # }
+variable "ports" {
+  type    = list(number)
+  default = [80]
+}
+variable "targets" {
+  type    = list(string)
+  default = ["http"]
+}
+variable "protocols" {
+  type    = list(any)
+  default = ["TCP"]
+  validation {
+    condition     = alltrue([for proto in var.protocols : contains(["TCP", "UDP"], proto)])
+    error_message = "Only TCP or UDP is allowed"
+  }
 }
-
 variable "target_host" {
   type    = string
   default = ""
 }
-
+variable "node_ports" {
+  type    = list(number)
+  default = [30080]
+  validation {
+    condition     = alltrue([for port in var.node_ports : port >= 30000 && port <= 32767])
+    error_message = "The range of valid ports is 30000-32767"
+  }
+}
+variable "lb_ports" {
+  type = list(object({
+    name = string
+    port = object({
+      number = number
+    })
+  }))
+  default = []
+}
 variable "lb_policy" {
   type    = string
   default = "Cluster"
@@ -79,9 +77,3 @@ variable "lb_policy" {
     error_message = "Only Cluster or Local is allowed"
   }
 }
-
-variable "owner_references" {
-  type = list(object({}))
-  description = "Adding owner references"
-  default = []
-}