WIP

Refacto forward
2024-10-05 16:12:13 +02:00 · 2024-09-29 23:42:40 +02:00
27 changed files with 158 additions and 469 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
 .terraform*
--- a/ak-gatekeeper/ak_provider.tf
+++ b/ak-gatekeeper/ak_provider.tf
@@ -1,17 +0,0 @@
 data "authentik_flow" "proxy_authorization_flow" {
  depends_on = [data.kubernetes_secret_v1.authentik]
  slug       = "default-provider-authorization-implicit-consent"
 }
 data "authentik_flow" "default_invalidation_flow" {
  depends_on = [data.kubernetes_secret_v1.authentik]
  slug       = "default-provider-invalidation-flow"
 }
 resource "authentik_provider_proxy" "app_proxy_provider" {
  name                  = "${local.app_slug}-provider"
  external_host         = local.external_url
  authorization_flow    = data.authentik_flow.proxy_authorization_flow.id
  mode                  = "forward_single"
  access_token_validity = var.access_token_validity
  invalidation_flow     = data.authentik_flow.default_invalidation_flow.id
 }
--- a/ak-gatekeeper/common.tf
+++ b/ak-gatekeeper/common.tf
@@ -1,15 +0,0 @@
 data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
 }
 locals {
  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  ak_gatekeeper_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "ak-gatekeeper"
  })
  authentik_url   = "http://authentik-authentik.${var.domain}-auth.svc"
  authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
  external_url    = format("https://%s", var.dns_name)
 }
--- a/ak-gatekeeper/middleware.tf
+++ b/ak-gatekeeper/middleware.tf
@@ -1,15 +0,0 @@
 resource "kubectl_manifest" "middleware" {
  yaml_body = <<-EOF
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
        name: "${local.app_slug}-gatekeeper"
        namespace: "${var.namespace}"
        labels: ${jsonencode(local.ak_gatekeeper_labels)}
    spec:
      forwardAuth:
        address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders: ${jsonencode(var.response_headers)}
  EOF
 }
--- a/ak-gatekeeper/outpost.tf
+++ b/ak-gatekeeper/outpost.tf
@@ -1,32 +0,0 @@
 locals {
  request_headers = {
    "Content-Type" = "application/json"
    Authorization  = "Bearer ${local.authentik_token}"
  }
  outposts = jsondecode(data.http.get_proxy_outpost.response_body).results
  outpost_providers = local.outposts[0].providers
  outpost_pk = local.outposts[0].pk
 }
 data "http" "get_proxy_outpost" {
  depends_on      = [data.kubernetes_secret_v1.authentik]
  url             = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
  method          = "GET"
  request_headers = local.request_headers
  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
    }
  }
 }
 resource "restapi_object" "proxy_outpost_binding" {
  path = "/outposts/instances/${local.outpost_pk}/"
  data = jsonencode({
    name      = "${var.domain}-proxy-outpost"
    providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
  })
 }
--- a/ak-gatekeeper/outpost_read.sh
+++ b/ak-gatekeeper/outpost_read.sh
@@ -1,21 +0,0 @@
 #!/bin/bash
 set -e
 CURL_OPTIONS="-sL"
 if [ ! -z ${INSECURE_CURL+x} ]; then
 CURL_OPTIONS="${CURL_OPTIONS} -k"
 fi
 OUTPUT_FILE=$(mktemp)
 HTTP_CODE=$(curl $CURL_OPTIONS \
  --output $OUTPUT_FILE \
  --write-out "%{http_code}" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer ${AK_TOKEN}" \
  "${AK_BASEURL}/api/v3/outposts/instances/${AK_OUTPOST_ID}/")
 if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]] ; then
  >&2 cat $OUTPUT_FILE
  rm $OUTPUT_FILE
  exit 2
 fi
 cat | jq -r ".results"
 rm $OUTPUT_FILE
--- a/ak-gatekeeper/outputs.tf
+++ b/ak-gatekeeper/outputs.tf
@@ -1,6 +0,0 @@
 output "provider_id" {
  value = authentik_provider_proxy.app_proxy_provider.id
 }
 output "middleware" {
  value = kubectl_manifest.middleware.name
 }
--- a/ak-gatekeeper/providers.tf
+++ b/ak-gatekeeper/providers.tf
@@ -1,25 +0,0 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.20.0"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14.0"
    }
    authentik = {
      source  = "registry.terraform.io/goauthentik/authentik"
      version = "2024.10.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.3.0"
    }
    restapi = {
      source  = "Mastercard/restapi"
      version = "~> 1.18.0"
    }
  }
 }
--- a/ak-gatekeeper/variables.tf
+++ b/ak-gatekeeper/variables.tf
@@ -1,64 +0,0 @@
 variable "component" {
  type = string
 }
 variable "instance" {
  type = string
 }
 variable "domain" {
  type = string
 }
 variable "namespace" {
  type = string
 }
 variable "labels" {
  type = map(string)
 }
 variable "dns_name" {
  type = string
 }
 variable "access_token_validity" {
  type    = string
  default = "hours=10" // ;minutes=10
 }
 variable "response_headers" {
  type = list(string)
  description = "List of sended headers from authentik to web application"
  default = [
    "X-authentik-username",
    "X-authentik-email",
    "X-authentik-groups",
    "X-authentik-name",
    "X-authentik-uid",
    "X-authentik-jwt",
    "X-authentik-meta-jwks",
    "X-authentik-meta-outpost",
    "X-authentik-meta-provider",
    "X-authentik-meta-app",
    "X-authentik-meta-version",
  ]
  validation {
    condition = alltrue(
      [for header in var.response_headers : contains([
        "X-authentik-username",
        "X-authentik-email",
        "X-authentik-groups",
        "X-authentik-name",
        "X-authentik-uid",
        "X-authentik-jwt",
        "X-authentik-meta-jwks",
        "X-authentik-meta-outpost",
        "X-authentik-meta-provider",
        "X-authentik-meta-app",
        "X-authentik-meta-version",
      ], header)]
    )
    error_message = "Only som headers are allowed by authentik"
  }
 }
--- a/application/providers.tf
+++ b/application/providers.tf
@@ -1,13 +1,12 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14.0"
    }
    authentik = {
-      source  = "registry.terraform.io/goauthentik/authentik"
+      source  = "goauthentik/authentik"
-      version = "2024.10.0"
+      version = "~> 2023.5.0"
    }
  }
 }
--- a/forward/forward.tf
+++ b/forward/forward.tf
@@ -3,9 +3,10 @@ locals {
  forward_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-forward"
  })
-  external_url = format("https://%s", var.dns_name)
+  external_url              = format("https://%s", var.dns_name)
-  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
+  forward_outpost_results   = jsondecode(data.http.proxy_outpost.response_body).results
-  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
+  forward_outpost_providers = local.forward_outpost_results[0].providers
  forward_outpost_pk        = local.forward_outpost_results[0].pk
 }
 data "authentik_flow" "default_authorization_flow" {
@@ -20,9 +21,9 @@ resource "authentik_provider_proxy" "forward" {
  access_token_validity = var.access_token_validity
 }
-data "http" "get_forward_outpost" {
+data "http" "proxy_outpost" {
  depends_on      = [authentik_provider_proxy.forward]
-  url             = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
  method          = "GET"
  request_headers = var.request_headers
  lifecycle {
@@ -33,6 +34,66 @@ data "http" "get_forward_outpost" {
  }
 }
 data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
 }
 ## Begin modification
 data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
 }
 resource "authentik_service_connection_kubernetes" "local" {
  # count      = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
  depends_on = [data.kubernetes_secret_v1.authentik]
  name       = "${var.domain}-local-forward"
  local      = true
 }
 # data "authentik_flow" "default_authorization_flow" {
 #   count      = length(local.forward_outpost_results) == 0 ? 1 : 0
 #   depends_on = [authentik_service_connection_kubernetes.local]
 #   slug       = "default-provider-authorization-implicit-consent"
 # }
 resource "authentik_provider_proxy" "provider_forward" {
  # count              = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
  name               = "authentik-${var.domain}-forward-provider"
  internal_host      = "http://authentik-authentik"
  external_host      = "http://authentik-authentik"
  authorization_flow = data.authentik_flow.default_authorization_flow.id
 }
 resource "authentik_outpost" "output_forward" {
  # count              = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
  name               = "forward"
  type               = "proxy"
  service_connection = authentik_service_connection_kubernetes.local.id
  config = jsonencode({
    "log_level" : "info",
    "authentik_host" : "http://authentik",
    "docker_map_ports" : true,
    "kubernetes_replicas" : 1,
    "kubernetes_namespace" : var.namespace,
    "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
    "object_naming_template" : "ak-outpost-%(name)s",
    "authentik_host_insecure" : false,
    "kubernetes_service_type" : "ClusterIP",
    "kubernetes_image_pull_secrets" : [],
    "kubernetes_disabled_components" : [],
    "kubernetes_ingress_annotations" : {},
    "kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
  })
  protocol_providers = local.forward_outpost_providers
 }
 ## End modification
 resource "restapi_object" "forward_outpost_binding" {
  path = "/outposts/instances/${local.forward_outpost_pk}/"
  data = jsonencode({
@@ -67,10 +128,3 @@ resource "kubectl_manifest" "middleware" {
        - X-authentik-meta-version
  EOF
 }
 data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
 }
--- a/forward/providers.tf
+++ b/forward/providers.tf
@@ -1,5 +1,10 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.20.0"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14.0"
--- a/forward/variables.tf
+++ b/forward/variables.tf
@@ -30,3 +30,7 @@ variable "access_token_validity" {
 variable "request_headers" {
  type = map(string)
 }
 variable "ingress_certificat_secret_name" {
  type = string
 }
--- a/ldap/ldap.tf
+++ b/ldap/ldap.tf
@@ -6,7 +6,7 @@ locals {
  base_dn                = format("dc=%s", join(",dc=", split(".", var.dns_name)))
  base_group_dn          = format("ou=groups,%s", local.base_dn)
  base_user_dn           = format("ou=users,%s", local.base_dn)
-  authentik_base_url     = "http://authentik-authentik.${var.domain}-auth.svc"
+  authentik_base_url     = "http://authentik.${var.domain}-auth.svc"
  ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
  ldap_outpost_pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
--- a/oauth2/oauth2.tf
+++ b/oauth2/oauth2.tf
@@ -1,51 +1,25 @@
 locals {
-  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  main_group = format("kydah-%s", local.app_slug)
  oauth2_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })
  cert_signing = var.cert_sign_secret_name != ""
  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
 }
-resource "random_uuid" "client_id" {
+resource "random_password" "client_id" {
  length  = 32
  special = false
 }
 # resource "kubectl_manifest" "secret_gen" {
 #   yaml_body = <<-EOF
 #     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
 #     kind: "StringSecret"
 #     metadata:
 #       name: "${local.app_slug}-oauth2"
 #       namespace: "${var.namespace}"
 #       labels: ${jsonencode(local.oauth2_labels)}
 #       ownerReferences: ${jsonencode(var.owner_references)}
 #     spec:
 #       forceRegenerate: false
 #       fields:
 #       - fieldName: "client_id"
 #         length: "32"
 #   EOF
 # }
 # data "kubernetes_secret_v1" "secret_gen" {
 #   metadata {
 #     name      = kubectl_manifest.secret_gen.name
 #     namespace = var.namespace
 #   }
 # }
 data "authentik_certificate_key_pair" "ca" {
  name = "authentik Self-signed Certificate"
 }
-resource "authentik_property_mapping_provider_scope" "app_scope" {
+data "authentik_scope_mapping" "oauth2" {
-  count      = var.scope_attributes != "" ? 1 : 0
+  managed_list = [
-  name       = local.app_slug
+    "goauthentik.io/providers/oauth2/scope-email",
-  scope_name = local.app_slug
+    "goauthentik.io/providers/oauth2/scope-openid",
-  expression = var.scope_attributes
+    "goauthentik.io/providers/oauth2/scope-profile"
-}
+  ]
 data "authentik_property_mapping_provider_scope" "oauth2" {
  managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
 }
 data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
@@ -53,62 +27,16 @@ data "authentik_flow" "default_authorization_flow" {
 data "authentik_flow" "default_authentication_flow" {
  slug = "default-authentication-flow"
 }
 data "authentik_flow" "default_invalidation_flow" {
  slug = "default-provider-invalidation-flow"
 }
 resource "authentik_group" "app_group" {
  name       = local.main_group
  attributes = jsonencode({
    "${local.app_slug}" = {
      "kydah_instance"  = var.instance
      "kydah_component" = var.component
    }
  })
 }
 resource "authentik_group" "sub_groups" {
  for_each = var.group_mapping
  name     = format("%s-%s", local.main_group, each.key)
  parent   = authentik_group.app_group.id
  attributes = jsonencode({
    "${local.app_slug}" = {
      "kydah_instance"  = var.instance
      "kydah_component" = var.component
      "kydah_app_group" = each.value
    }
  })
 }
 data "kubernetes_secret_v1" "signing_cert" {
  count = var.cert_sign_secret_name != "" ? 1 : 0
  metadata {
    name      = var.cert_sign_secret_name
    namespace = var.namespace
  }
 }
 resource "authentik_certificate_key_pair" "name" {
  count            = local.cert_signing ? 1 : 0
  name             = "${local.app_slug} Signing"
  certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
  key_data         = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
 }
 resource "authentik_provider_oauth2" "oauth2" {
  depends_on          = [authentik_property_mapping_provider_scope.app_scope]
  name                = local.app_slug
-  client_id           = random_uuid.client_id.result
+  client_id           = random_password.client_id.result
  authentication_flow = data.authentik_flow.default_authentication_flow.id
  authorization_flow  = data.authentik_flow.default_authorization_flow.id
-  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id
+  client_type         = "confidential"
  client_type         = var.client_type
  sub_mode            = "user_username"
-  signing_key         = local.signing_id
+  signing_key         = data.authentik_certificate_key_pair.ca.id
-  property_mappings = concat(
+  property_mappings   = data.authentik_scope_mapping.oauth2.ids
    data.authentik_property_mapping_provider_scope.oauth2.ids,
    var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
  )
  redirect_uris = [
    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
  ]
@@ -121,32 +49,15 @@ data "kubernetes_ingress_v1" "authentik" {
  }
 }
-resource "kubectl_manifest" "oauth2_client_secret" {
+resource "kubernetes_secret" "oauth2_client_secret" {
-  # force_new = true
+  metadata {
-  yaml_body = <<-EOF
+    name      = "${local.app_slug}-oauth2"
-    apiVersion: v1
+    namespace = var.namespace
-    kind: Secret
+    labels    = local.oauth2_labels
-    metadata:
+  }
-      name: "${local.app_slug}-oauth2"
+  data = {
-      namespace: "${var.namespace}"
+    oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
-      labels: ${jsonencode(local.oauth2_labels)}
+    client_id     = random_password.client_id.result
-      ownerReferences: ${jsonencode(var.owner_references)}
+    client_secret = authentik_provider_oauth2.oauth2.client_secret
-    data:
+  }
      oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
      client_id: "${base64encode(random_uuid.client_id.result)}"
      client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
  EOF
 }
 # resource "kubernetes_secret" "oauth2_client_secret" {
 #   metadata {
 #     name      = "${local.app_slug}-oauth2"
 #     namespace = var.namespace
 #     labels    = local.oauth2_labels
 #   }
 #   data = {
 #     oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
 #     client_id     = data.kubernetes_secret_v1.secret_gen.data["client_id"]
 #     client_secret = authentik_provider_oauth2.oauth2.client_secret
 #   }
 # }
--- a/oauth2/outputs.tf
+++ b/oauth2/outputs.tf
@@ -23,7 +23,7 @@ output "sso_token_url" {
 }
 output "client_id" {
-  value = random_uuid.client_id.result
+  value = random_password.client_id.result
 }
 output "client_secret" {
@@ -31,6 +31,6 @@ output "client_secret" {
 }
 output "oauth2_secret_name" {
-  value = kubectl_manifest.oauth2_client_secret.name
+  value = kubernetes_secret.oauth2_client_secret.metadata[0].name
 }
--- a/oauth2/providers.tf
+++ b/oauth2/providers.tf
@@ -1,6 +1,5 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
@@ -11,12 +10,8 @@ terraform {
      version = "~> 1.14.0"
    }
    authentik = {
-      source  = "registry.terraform.io/goauthentik/authentik"
+      source  = "goauthentik/authentik"
-      version = "2024.10.0"
+      version = "~> 2023.5.0"
    }
    random = {
      source = "hashicorp/random"
      version = "3.6.3"
    }
  }
 }
--- a/oauth2/variables.tf
+++ b/oauth2/variables.tf
@@ -20,41 +20,3 @@ variable "redirect_path" {
  type    = string
  default = ""
 }
 variable "group_mapping" {
  type = map(string)
  default = {}
  description = "Group mapping where key is authentik suffix group name and value is the application group name"
 }
 variable "owner_references" {
  type = list(object({}))
  description = "Adding owner references"
  default = []
 }
 variable "scopes" {
  type = list(string)
  description = "List of default scope allowed"
  default = [
    "scope-email",
    "scope-openid",
    "scope-profile",
  ]
 }
 variable "scope_attributes" {
  type = string
  description = "Authentik expression for scope mapping"
  default = ""
 }
 variable "client_type" {
  type = string
  description = "OAuth client type confidential / public(PKCE)"
  default = "confidential"
  validation {
    condition     = contains(["confidential", "public"], var.client_type)
    error_message = "Only empty confidential or public is allowed"
  }
 }
 variable "cert_sign_secret_name" {
  type = string
  description = "The name of the secret for signing JWT (if empty use authentik default)"
  default = ""
 }
--- a/postgresql/providers.tf
+++ b/postgresql/providers.tf
@@ -1,10 +1,5 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.20.0"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "~> 1.14.0"
--- a/postgresql/variables.tf
+++ b/postgresql/variables.tf
@@ -25,25 +25,21 @@ variable "backups" {
    "use_barman"  = false
  }
  type = object({
-    enable     = optional(bool, false),
+    enable     = optional(bool),
-    endpoint   = optional(string, ""),
+    endpoint   = optional(string),
-    key_id_key = optional(string, "s3-id"),
+    key_id_key = optional(string),
-    restic_key = optional(string, "bck-password"),
+    restic_key = optional(string),
    schedule = optional(object({
-      db = string,
+      db = optional(string),
-    }), { db = "30 3 * * *" }),
+    })),
-    secret_key  = optional(string, "s3-secret"),
+    secret_key  = optional(string),
-    secret_name = optional(string, "backup-settings"),
+    secret_name = optional(string),
-    use_barman  = optional(bool, false)
+    use_barman  = optional(bool)
  })
 }
 variable "images" {
  type = object({
-    postgresql = optional(object({
+    postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
      registry = optional(string),
      repository = optional(string),
      tag = optional(number)
    })),
  })
  default = {
    "postgresql" = {
--- a/pvc/providers.tf
+++ b/pvc/providers.tf
@@ -1,13 +1,8 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
-    kubernetes = {
+    kubectl = {
-      source  = "hashicorp/kubernetes"
+      source  = "gavinbunney/kubectl"
-      version = "~> 2.20.0"
+      version = "~> 1.14.0"
    }
    # kubectl = {
    #   source  = "gavinbunney/kubectl"
    #   version = "~> 1.14.0"
    # }
  }
 }
--- a/pvc/pvc.tf
+++ b/pvc/pvc.tf
@@ -3,60 +3,30 @@ locals {
  pvc_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "pvc"
  })
-  pvc_annotations = {
+  pvc_spec = merge({
-    "k8up.io/backup" = var.backup
+    "accessModes" = [var.storage.access_mode]
-    "resize.kubesphere.io/storage_limit" = var.storage.max_size
+    "volumeMode"  = var.storage.type
-  }
+    "resources" = {
-  # pvc_spec = merge({
+      "requests" = {
-  #   "accessModes" = [var.storage.access_mode]
+        "storage" = var.storage.size
  #   "volumeMode"  = var.storage.type
  #   "resources" = {
  #     "requests" = {
  #       "storage" = var.storage.size
  #     }
  #   }
  #   }, var.storage.class != "" ? {
  #   "storageClassName" = var.storage.class
  # } : {})
 }
 # resource "kubectl_manifest" "pvc" {
 #   ignore_fields = [
 #     "spec.resources.requests.storage",
 #     "spec.storageClassName",
 #   ]
 #   yaml_body = <<-EOF
 #     apiVersion: v1
 #     kind: PersistentVolumeClaim
 #     metadata:
 #       name: ${local.app_slug}
 #       namespace: "${var.namespace}"
 #       annotations:
 #         k8up.io/backup: "${var.backup}"
 #         resize.kubesphere.io/storage_limit: "${var.storage.max_size}"
 #       labels: ${jsonencode(local.pvc_labels)}
 #     spec: ${jsonencode(local.pvc_spec)}
 #   EOF
 # }
 resource "kubernetes_persistent_volume_claim_v1" "pvc" {
  metadata {
    name = local.app_slug
    namespace = var.namespace
    annotations = local.pvc_annotations
    labels = local.pvc_labels
  }
  spec {
    access_modes = [var.storage.access_mode]
    resources {
      requests = {
        storage = var.storage.size
      }
    }
-    storage_class_name = var.storage.class
+    }, var.storage.class != "" ? {
-  }
+    "storageClassName" = var.storage.class
-  lifecycle {
+  } : {})
-    ignore_changes = [
+}
-      spec[0].resources[0].requests[0],
+resource "kubectl_manifest" "pvc" {
-      spec[0].storage_class_name,
+  ignore_fields = ["spec.resources.requests.storage"]
-     ]
+  yaml_body = <<-EOF
-  }
+    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: ${local.app_slug}
      namespace: "${var.namespace}"
      annotations:
        k8up.io/backup: "${var.backup}"
        resize.kubesphere.io/storage_limit: "${var.storage.max_size}
      labels: ${jsonencode(local.pvc_labels)}
    spec: ${jsonencode(local.pvc_spec)}
  EOF
 }
--- a/pvc/variables.tf
+++ b/pvc/variables.tf
@@ -12,12 +12,19 @@ variable "labels" {
 }
 variable "storage" {
  type = object({
-    access_mode = optional(string, "ReadWriteOnce"),
+    access_mode = optional(string),
-    class       = optional(string, ""),
+    class       = optional(string),
-    size        = optional(string, "2Gi"),
+    size        = optional(string),
-    max_size    = optional(string, "10Gi"),
+    max_size    = optional(string),
-    type        = optional(string, "Filesystem")
+    type        = optional(string)
  })
  default = {
    "access_mode" = "ReadWriteOnce"
    "class"       = ""
    "size"        = "2Gi"
    "max_size"    = "10Gi"
    "type"        = "Filesystem"
  }
 }
 variable "backup" {
--- a/redis/outputs.tf
+++ b/redis/outputs.tf
@@ -1,5 +1,5 @@
 output "conn_string" {
-  value = "tcp://${local.app_slug}-redis.${var.namespace}.svc:6379"
+  value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
 }
 output "service" {
--- a/service/providers.tf
+++ b/service/providers.tf
@@ -1,5 +1,4 @@
 terraform {
  required_version = ">= 1.0"
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
--- a/service/svc.tf
+++ b/service/svc.tf
@@ -66,7 +66,6 @@ resource "kubectl_manifest" "endpoint" {
      name: "${local.app_slug}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(var.labels)}
      ownerReferences: ${jsonencode(var.owner_references)}
    subsets:
      - addresses:
          - ip: ${var.target_host}
--- a/service/variables.tf
+++ b/service/variables.tf
@@ -79,9 +79,3 @@ variable "lb_policy" {
    error_message = "Only Cluster or Local is allowed"
  }
 }
 variable "owner_references" {
  type = list(object({}))
  description = "Adding owner references"
  default = []
 }
Author	SHA1	Message	Date
Xavier Mortelette	1df9904e1c	WIP	2024-10-05 16:12:13 +02:00
Xavier Mortelette	2eafb09fa6	Refacto forward	2024-09-29 23:42:40 +02:00