vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:feature/improve_ingress
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:feature/forward
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

37 Commits
feature/im ... feature/fo

Author SHA1 Message Date
Xavier Mortelette
1df9904e1c WIP 2024-10-05 16:12:13 +02:00
Xavier Mortelette
2eafb09fa6 Refacto forward 2024-09-29 23:42:40 +02:00
Xavier Mortelette
47776ea7bf Refacto Saml 2024-09-22 21:29:45 +02:00
Xavier Mortelette
5299267f47 Fix linter, improve rabbit 2024-08-26 21:13:24 +02:00
Xavier Mortelette
9f12af60bc Refacto OAuth2 2024-05-21 09:42:56 +02:00
Xavier Mortelette
82a179dad3 Optimize service port definition 2024-05-21 09:30:23 +02:00
Xavier Mortelette
bcdf666cc0 Refacto and add modules 2024-05-21 09:29:51 +02:00
Sébastien Huss
159b576b24 No more sercretString dans oauth2 2024-05-17 16:10:54 +02:00
Sébastien Huss
1c42b356c1 Add selector(optional) to service 2024-05-17 16:05:20 +02:00
Sébastien Huss
6ea3cfc0bf fix redirect url 2024-05-17 12:11:06 +02:00
Sébastien Huss
140321f714 Migrate the middleware to the new CRD 2024-02-15 14:36:39 +01:00
Sébastien Huss
a77bf1ec51 improve oauth2 ouput 2024-01-29 09:48:07 +01:00
Sébastien Huss
4f306cdacf adding ingress output for secret_name 2024-01-29 09:33:11 +01:00
Sébastien Huss
0a9700ab94 fix 2024-01-28 11:48:34 +01:00
Sébastien Huss
0a92ad09d5 fix 2024-01-28 10:13:10 +01:00
Sébastien Huss
c1aac2424b fix 2024-01-28 10:11:54 +01:00
Sébastien Huss
ccfac82ad4 fix 2024-01-28 10:09:48 +01:00
Sébastien Huss
96714b7186 fix 2024-01-28 10:07:40 +01:00
Sébastien Huss
dd03003ebc Adding service definition output 2024-01-28 09:56:20 +01:00
Sébastien Huss
68d609a022 Adding service name output 2024-01-28 09:52:33 +01:00
Sébastien Huss
bc5f7ff32b Adding redis url output 2024-01-28 09:44:02 +01:00
Sébastien Huss
71b5da2e14 adding MongoDB 2024-01-28 09:26:08 +01:00
Sébastien Huss
2c066b9049 Adding storage modules 2024-01-27 00:03:20 +01:00
Sébastien Huss
c39cc31bc6 Actualiser application/variables.tf 2024-01-26 12:02:00 +01:00
Sébastien Huss
e645aa0060 Merge pull request 'Refacto modules' (#2) from feature/svc_lb into main 
Reviewed-on: #2
 2024-01-26 09:56:02 +01:00
Xavier Mortelette
384fdd7b69 Refacto and add lb 2024-01-26 09:56:02 +01:00
Sébastien Huss
15c5e64ea5 fixes 2024-01-24 16:58:23 +01:00
Sébastien Huss
1c106733e4 fixes 2024-01-24 16:22:26 +01:00
Sébastien Huss
e29893226d fixes 2024-01-24 16:12:35 +01:00
Sébastien Huss
fe67299dfd fixes 2024-01-24 16:10:40 +01:00
Sébastien Huss
c26cd0b7e7 fixes 2024-01-24 15:47:25 +01:00
Sébastien Huss
c13085ba7c fixes 2024-01-24 15:17:07 +01:00
Sébastien Huss
5d41cce866 fixes 2024-01-24 15:16:23 +01:00
Sébastien Huss
5619140b79 fixes 2024-01-24 15:12:02 +01:00
Sébastien Huss
e70e06c929 adding user configuration path as output for oauth2 modules 2024-01-24 15:04:44 +01:00
Sébastien Huss
eb9596d527 adding secrets values as output for oauth2 modules 2024-01-24 14:49:36 +01:00
Sébastien Huss
7c343269d6 Merge pull request 'Improve modules' (#1) from feature/improve_ingress into main 
Reviewed-on: #1
 2024-01-15 10:44:49 +01:00
55 changed files with 1765 additions and 309 deletions
Expand all files Collapse all files

5
.ci-img.yml Normal file
View File

@@ -0,0 +1,5 @@
---
lint:
image: ghcr.io/terraform-linters/tflint
opentofu:
image: ghcr.io/opentofu/opentofu:latest

64
application/application.tf
View File

@@ -1,7 +1,45 @@
locals { locals {
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
main_group = format("app-%s", local.app_name) application_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-application"
})
app_name = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
main_group = format("app-%s", local.app_slug)
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
dns_name = var.dns_name != "" ? var.dns_name : var.rule_mapper.host
url_icon = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", local.dns_name, var.icon)
backend = var.rule_mapper.paths[0].backend
rules_icons = [{
"host" = local.dns_name
"http" = {
"paths" = [{
"path" = "/${var.icon}"
"pathType" = "Prefix"
"backend" = local.backend
}]
}
}]
} }
resource "kubectl_manifest" "ingress_icon" {
count = startswith(var.icon, "fa-") ? 0 : 1
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${local.app_slug}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(local.application_labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
tls:
- secretName: "${local.secret_name}"
hosts: ${jsonencode([local.dns_name])}
EOF
}
data "authentik_group" "akadmin" { data "authentik_group" "akadmin" {
name = "authentik Admins" name = "authentik Admins"
} }
@@ -12,35 +50,35 @@ resource "authentik_group" "groups" {
resource "authentik_group" "subgroup" { resource "authentik_group" "subgroup" {
count = length(var.sub_groups) count = length(var.sub_groups)
name = format("%s-%s", local.app_name, var.sub_groups[count.index]) name = format("%s-%s", local.main_group, var.sub_groups[count.index])
parent = authentik_group.groups.id parent = authentik_group.groups.id
} }
resource "authentik_application" "prj_app" { resource "authentik_application" "app" {
name = var.instance name = var.app_name
slug = "${var.component}-${var.instance}" slug = local.app_slug
group = var.app_group group = var.app_group
protocol_provider = var.protocol_provider protocol_provider = var.protocol_provider
backchannel_providers = var.backchannel_providers backchannel_providers = var.backchannel_providers
meta_launch_url = format("https://%s", var.dns_name) meta_launch_url = format("https://%s", local.dns_name)
meta_icon = format("https://%s/%s", var.dns_name, var.icon) meta_icon = local.url_icon
} }
resource "authentik_policy_expression" "policy" { resource "authentik_policy_expression" "policy" {
name = local.main_group name = "${local.app_slug}-${local.main_group}"
expression = <<-EOF expression = <<-EOF
attr = request.user.group_attributes() attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF EOF
} }
resource "authentik_policy_binding" "prj_access_users" { resource "authentik_policy_binding" "access_users" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
policy = authentik_policy_expression.policy.id policy = authentik_policy_expression.policy.id
order = 0 order = 0
} }
resource "authentik_policy_binding" "prj_access_vynil" { resource "authentik_policy_binding" "access_vynil" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
group = data.authentik_group.akadmin.id group = data.authentik_group.akadmin.id
order = 1 order = 1
} }

14
application/outputs.tf
View File

@@ -1,7 +1,15 @@
output "application-id" { output "application_id" {
value = authentik_application.prj_app.uuid value = authentik_application.app.uuid
} }
output "policy-id" { output "policy_id" {
value = authentik_policy_expression.policy.id value = authentik_policy_expression.policy.id
} }
output "main_group" {
value = local.main_group
}
output "main_group_id" {
value = authentik_group.groups.id
}

4
application/providers.tf
View File

@@ -1,5 +1,9 @@
terraform { terraform {
required_providers { required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = { authentik = {
source = "goauthentik/authentik" source = "goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2023.5.0"

51
application/variables.tf
View File

@@ -15,7 +15,13 @@ variable "protocol_provider" {
default = null default = null
} }
variable "dns_name" { variable "dns_name" {
type = string type = string
description = "Deprecated, use rule_mapper"
default = ""
}
variable "app_name" {
type = string
default = ""
} }
variable "sub_groups" { variable "sub_groups" {
type = list(string) type = list(string)
@@ -26,3 +32,46 @@ variable "backchannel_providers" {
type = list(number) type = list(number)
default = null default = null
} }
variable "ingress_class" {
type = string
default = "traefik"
}
variable "rule_mapper" {
type = object({
host = string
paths = list(object({
path = optional(string)
type = optional(string)
backend = object({
service = object({
name = string
port = object({
name = string
})
})
})
}))
})
default = {
host = "not.defined"
paths = []
}
}
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty will use the ingress cert_name"
}
variable "namespace" {
type = string
default = ""
}
variable "labels" {
type = map(string)
default = {}
}

41
backup/backup.tf Normal file
View File

@@ -0,0 +1,41 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
}
resource "kubectl_manifest" "backup_schedule" {
yaml_body = <<-EOF
apiVersion: k8up.io/v1
kind: Schedule
metadata:
name: "${local.app_slug}-backup"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
backend:
repoPasswordSecretRef:
key: "${var.backups.restic_key}"
name: "${var.backups.secret_name}"
s3:
accessKeyIDSecretRef:
key: "${var.backups.key_id_key}"
name: "${var.backups.secret_name}"
bucket: "${local.app_slug}-${var.namespace}"
endpoint: "${var.backups.endpoint}/restic"
secretAccessKeySecretRef:
key: "${var.backups.secret_key}"
name: "${var.backups.secret_name}"
backup:
schedule: "${var.backups.schedule.backup}"
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 2
check:
schedule: "${var.backups.schedule.check}"
prune:
retention:
keepDaily: ${var.backups.retention.keep_daily}
keepMonthly: ${var.backups.retention.keep_monthly}
keepWeekly: ${var.backups.retention.keep_weekly}
keepYearly: ${var.backups.retention.keep_yearly}
schedule: "${var.backups.schedule.prune}"
EOF
}

3
backup/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "schedule_name" {
value = kubectl_manifest.backup_schedule.name
}

8
backup/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

55
backup/variables.tf Normal file
View File

@@ -0,0 +1,55 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "backups" {
default = {
"enable" = false
"endpoint" = ""
"key_id_key" = "s3-id"
"restic_key" = "bck-password"
"retention" = {
"keep_daily" = 14
"keep_monthly" = 12
"keep_weekly" = 6
"keep_yearly" = 12
}
"schedule" = {
"backup" = "30 3 * * *"
"check" = "30 5 * * 1"
"db" = "30 3 * * *"
"prune" = "30 1 * * 0"
}
"secret_key" = "s3-secret"
"secret_name" = "backup-settings"
"use_barman" = false
}
type = object({
enable = optional(bool),
endpoint = optional(string),
key_id_key = optional(string),
restic_key = optional(string),
retention = optional(object({
keep_daily = optional(number),
keep_monthly = optional(number),
keep_weekly = optional(number),
keep_yearly = optional(number)
})),
schedule = optional(object({
backup = optional(string),
check = optional(string),
prune = optional(string)
})),
secret_key = optional(string),
secret_name = optional(string),
use_barman = optional(bool)
})
}

134
forward/forward.tf
View File

@@ -1,56 +1,29 @@
locals { locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk forward_labels = merge(var.labels, {
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance) "app.kubernetes.io/component" = "authentik-forward"
main_group = format("app-%s", local.app_name) })
external_url = format("https://%s", var.dns_names[0]) external_url = format("https://%s", var.dns_name)
rules_icons = [for v in var.dns_names : { forward_outpost_results = jsondecode(data.http.proxy_outpost.response_body).results
"host" = "${v}" forward_outpost_providers = local.forward_outpost_results[0].providers
"http" = { forward_outpost_pk = local.forward_outpost_results[0].pk
"paths" = [{
"backend" = {
"service" = var.service
}
"path" = "/${var.icon}"
"pathType" = "Prefix"
}]
}
}]
} }
resource "kubectl_manifest" "prj_ingress_icon" { data "authentik_flow" "default_authorization_flow" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
tls:
- hosts: ${jsonencode(var.dns_names)}
secretName: "${var.instance}-cert"
EOF
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
resource "authentik_provider_proxy" "prj_forward" { resource "authentik_provider_proxy" "forward" {
name = local.app_name name = local.app_slug
external_host = local.external_url external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
mode = "forward_single" mode = "forward_single"
access_token_validity = var.access_token_validity access_token_validity = var.access_token_validity
} }
data "http" "get_forward_outpost" { data "http" "proxy_outpost" {
depends_on = [authentik_provider_proxy.prj_forward] depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = var.request_headers
lifecycle { lifecycle {
@@ -61,22 +34,82 @@ data "http" "get_forward_outpost" {
} }
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
## Begin modification
data "kubernetes_secret_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
resource "authentik_service_connection_kubernetes" "local" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
depends_on = [data.kubernetes_secret_v1.authentik]
name = "${var.domain}-local-forward"
local = true
}
# data "authentik_flow" "default_authorization_flow" {
# count = length(local.forward_outpost_results) == 0 ? 1 : 0
# depends_on = [authentik_service_connection_kubernetes.local]
# slug = "default-provider-authorization-implicit-consent"
# }
resource "authentik_provider_proxy" "provider_forward" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
name = "authentik-${var.domain}-forward-provider"
internal_host = "http://authentik-authentik"
external_host = "http://authentik-authentik"
authorization_flow = data.authentik_flow.default_authorization_flow.id
}
resource "authentik_outpost" "output_forward" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
name = "forward"
type = "proxy"
service_connection = authentik_service_connection_kubernetes.local.id
config = jsonencode({
"log_level" : "info",
"authentik_host" : "http://authentik",
"docker_map_ports" : true,
"kubernetes_replicas" : 1,
"kubernetes_namespace" : var.namespace,
"authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
"object_naming_template" : "ak-outpost-%(name)s",
"authentik_host_insecure" : false,
"kubernetes_service_type" : "ClusterIP",
"kubernetes_image_pull_secrets" : [],
"kubernetes_disabled_components" : [],
"kubernetes_ingress_annotations" : {},
"kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
})
protocol_providers = local.forward_outpost_providers
}
## End modification
resource "restapi_object" "forward_outpost_binding" { resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/" path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({ data = jsonencode({
name = "forward" name = "forward"
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id]) providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
}) })
} }
resource "kubectl_manifest" "prj_middleware" { resource "kubectl_manifest" "middleware" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
metadata: metadata:
name: "forward-${local.app_name}" name: "${local.app_slug}-forward"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.forward_labels)}
spec: spec:
forwardAuth: forwardAuth:
address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
@@ -95,10 +128,3 @@ resource "kubectl_manifest" "prj_middleware" {
- X-authentik-meta-version - X-authentik-meta-version
EOF EOF
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

10
forward/outputs.tf
View File

@@ -1,7 +1,11 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_proxy.prj_forward.id value = authentik_provider_proxy.forward.id
} }
output "sso_logout" { output "sso_logout" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${var.component}-${var.instance}/end-session/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${local.app_slug}/end-session/"
}
output "middleware" {
value = "${local.app_slug}-forward"
} }

21
forward/providers.tf
View File

@@ -1,20 +1,25 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2023.5.0"
} }
http = { http = {
source = "hashicorp/http" source = "hashicorp/http"
version = "~> 3.3.0" version = "~> 3.3.0"
} }
restapi = { restapi = {
source = "Mastercard/restapi" source = "Mastercard/restapi"
version = "~> 1.18.0" version = "~> 1.18.0"
} }
} }
} }

23
forward/variables.tf
View File

@@ -1,33 +1,36 @@
variable "component" { variable "component" {
type = string type = string
} }
variable "instance" { variable "instance" {
type = string type = string
} }
variable "icon" {
type = string
}
variable "domain" { variable "domain" {
type = string type = string
} }
variable "namespace" { variable "namespace" {
type = string type = string
} }
variable "ingress_class" {
type = string
}
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "dns_names" {
type = list(string) variable "dns_name" {
type = string
} }
variable "access_token_validity" { variable "access_token_validity" {
type = string type = string
default = "hours=10" // ;minutes=10 default = "hours=10" // ;minutes=10
} }
variable "service" {
}
variable "request_headers" { variable "request_headers" {
type = map(string) type = map(string)
} }
variable "ingress_certificat_secret_name" {
type = string
}

59
ingress/ingress.tf
View File

@@ -1,26 +1,29 @@
locals { locals {
name = "${var.instance}${var.component == "" ? "" : "-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
rules = [for v in var.dns_names : { pres_labels = merge(var.labels, {
"host" = "${v}" "app.kubernetes.io/component" = "presentation"
})
rules = [for rule in var.rules_mapper : {
"host" = rule.host
"http" = { "http" = {
"paths" = [for idx, svc in var.services : { "paths" = [for mapper in rule.paths : {
"path" = "/${var.sub_paths[idx]}" "path" = "/${mapper.path}"
"pathType" = "Prefix" "pathType" = mapper.type != null && mapper.type != "" ? mapper.type : "Prefix"
"backend" = { "backend" = mapper.backend
"service" = svc
}
}] }]
} }
}] }]
tls = var.enforce_tls ? [ dns_names = [for rule in var.rules_mapper : rule.host]
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
{ {
secretName = var.cert_name != "" ? var.cert_name : "${local.name}-cert" secretName = local.secret_name
hosts = var.dns_names hosts = local.dns_names
} }
] : [] ] : []
middlewares = concat( middlewares = concat(
var.create_redirect ? ["${local.name}-https"] : [], var.create_redirect ? ["${local.app_slug}-https"] : [],
var.middlewares var.middlewares
) )
annotations = merge( annotations = merge(
@@ -28,23 +31,23 @@ locals {
"traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint "traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint
} : {}, } : {},
length(local.middlewares) > 0 ? { length(local.middlewares) > 0 ? {
"traefik.ingress.kubernetes.io/router.middlewares" : "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" "traefik.ingress.kubernetes.io/router.middlewares" : join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])
} : {}, } : {},
) )
} }
resource "kubectl_manifest" "prj_certificate" { resource "kubectl_manifest" "certificate" {
count = var.create_cert ? 1 : 0 count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1" apiVersion: "cert-manager.io/v1"
kind: "Certificate" kind: "Certificate"
metadata: metadata:
name: "${local.name}" name: "${local.app_slug}"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.pres_labels)}
spec: spec:
secretName: "${local.name}-cert" secretName: "${local.secret_name}"
dnsNames: ${jsonencode(var.dns_names)} dnsNames: ${jsonencode(local.dns_names)}
issuerRef: issuerRef:
kind: "ClusterIssuer" kind: "ClusterIssuer"
name: "${var.issuer}" name: "${var.issuer}"
@@ -52,15 +55,15 @@ resource "kubectl_manifest" "prj_certificate" {
EOF EOF
} }
resource "kubectl_manifest" "prj_https_redirect" { resource "kubectl_manifest" "https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0 count = var.create_redirect ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "traefik.containo.us/v1alpha1" apiVersion: "traefik.io/v1alpha1"
kind: "Middleware" kind: "Middleware"
metadata: metadata:
name: "${local.name}-https" name: "${local.app_slug}-https"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.pres_labels)}
spec: spec:
redirectScheme: redirectScheme:
scheme: "https" scheme: "https"
@@ -68,15 +71,15 @@ resource "kubectl_manifest" "prj_https_redirect" {
EOF EOF
} }
resource "kubectl_manifest" "prj_ingress" { resource "kubectl_manifest" "ingress" {
force_conflicts = true force_conflicts = true
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1" apiVersion: "networking.k8s.io/v1"
kind: "Ingress" kind: "Ingress"
metadata: metadata:
name: "${local.name}" name: "${local.app_slug}"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.pres_labels)}
annotations: ${jsonencode(local.annotations)} annotations: ${jsonencode(local.annotations)}
spec: spec:
ingressClassName: "${var.ingress_class}" ingressClassName: "${var.ingress_class}"

3
ingress/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "secret_name" {
value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
}

4
ingress/providers.tf
View File

@@ -2,8 +2,8 @@
terraform { terraform {
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
} }
} }

60
ingress/variables.tf
View File

@@ -17,42 +17,48 @@ variable "ingress_class" {
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "dns_names" {
type = list(string)
}
variable "middlewares" { variable "middlewares" {
type = list(string) type = list(string)
default = [] default = []
} }
variable "services" {
type = list(any) variable "rules_mapper" {
type = list(object({
host = string
paths = list(object({
path = optional(string)
type = optional(string)
backend = object({
service = object({
name = string
port = object({
name = string
})
})
})
}))
}))
description = "Simplified rules mapper for ingress"
} }
variable "create_redirect" {
type = bool
default = true
}
variable "create_cert" {
type = bool
default = true
}
variable "enforce_tls" {
type = bool
default = true
}
variable "sub_paths" {
type = list(string)
default = [""]
}
variable "cert_name" {
type = string
default = ""
}
variable "entrypoint" { variable "entrypoint" {
type = string type = string
default = "" default = ""
description = "Define ingres support, if empty or define to websecure, tls will be activate"
validation { validation {
condition = contains(["", "web", "websecure"], var.entrypoint) condition = contains(["", "web", "websecure"], var.entrypoint)
error_message = "Only empty \"\", web or websecure is allowed" error_message = "Only empty \"\", web or websecure is allowed"
} }
} }
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
}
variable "create_redirect" {
type = bool
default = true
description = "Enfore https redirection"
}

157
ldap/ldap.tf Normal file
View File

@@ -0,0 +1,157 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
ldap_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-ldap"
})
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
base_group_dn = format("ou=groups,%s", local.base_dn)
base_user_dn = format("ou=users,%s", local.base_dn)
authentik_base_url = "http://authentik.${var.domain}-auth.svc"
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
sorted_group_names = reverse(distinct(sort([
for grp in var.user_groups : grp.name
])))
sorted_groups = flatten([
for name in local.sorted_group_names : [
for grp in var.user_groups :
grp if grp.name == name
]
])
}
data "authentik_group" "vynil_admin" {
name = "vynil-ldap-admins"
}
resource "authentik_group" "groups" {
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
attributes = jsonencode({ local.app_name = true })
}
data "authentik_group" "readed_groups" {
depends_on = [authentik_group.groups]
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
}
resource "authentik_application" "application_ldap" {
name = local.app_slug
slug = "${local.app_slug}-ldap"
protocol_provider = authentik_provider_ldap.provider_ldap.id
meta_launch_url = "blank://blank"
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "ldap_access_users" {
target = authentik_application.application_ldap.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "ldap_access_ldap" {
target = authentik_application.application_ldap.uuid
group = authentik_group.ldapsearch.id
order = 1
}
resource "authentik_policy_binding" "ldap_access_vynil" {
target = authentik_application.application_ldap.uuid
group = data.authentik_group.vynil_admin.id
order = 2
}
resource "kubectl_manifest" "ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-ldapsearch"
namespace: "${var.namespace}"
labels: ${jsonencode(local.ldap_labels)}
data:
LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
spec:
forceRegenerate: false
fields:
- fieldName: "LDAP_ADMIN_PASS"
length: "32"
EOF
}
data "kubernetes_secret_v1" "ldap_password" {
depends_on = [kubectl_manifest.ldap]
metadata {
name = kubectl_manifest.ldap.name
namespace = var.namespace
}
}
resource "authentik_user" "ldapsearch" {
username = "${local.app_slug}-ldapsearch"
name = "${local.app_slug}-ldapsearch"
}
resource "authentik_group" "ldapsearch" {
name = "${local.app_slug}-ldapsearch"
users = [authentik_user.ldapsearch.id]
}
data "http" "ldapsearch_password" {
url = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
method = "POST"
request_headers = var.request_headers
request_body = jsonencode({
password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
})
lifecycle {
postcondition {
condition = contains([201, 204], self.status_code)
error_message = "Status code invalid"
}
}
}
data "authentik_flow" "ldap_authentication_flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "provider_ldap" {
name = "${local.app_slug}-ldap"
base_dn = local.base_dn
search_group = authentik_group.ldapsearch.id
bind_flow = data.authentik_flow.ldap_authentication_flow.id
}
data "http" "get_ldap_outpost" {
depends_on = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
url = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
method = "GET"
request_headers = var.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap_outpost_pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
})
}

23
ldap/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "provider_id" {
value = authentik_provider_ldap.provider_ldap.id
}
output "ldap_address" {
value = "ak-outpost-ldap.${var.domain}-auth.svc"
}
output "ldap_search_account" {
value = "${local.app_slug}-ldapsearch"
}
output "base_dn" {
value = local.base_dn
}
output "base_group_dn" {
value = local.base_group_dn
}
output "base_user_dn" {
value = local.base_user_dn
}

24
ldap/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

25
ldap/variables.tf Normal file
View File

@@ -0,0 +1,25 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "request_headers" {
type = map(string)
}
variable "user_groups" {
type = map(string)
default = {}
}

126
mongo/mongo.tf Normal file
View File

@@ -0,0 +1,126 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mongo_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mongo"
})
db_name = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
username = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
}
resource "kubectl_manifest" "mongo_secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-mongo"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo_labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "password"
length: "16"
EOF
}
data "kubernetes_secret_v1" "mongo_secret" {
depends_on = [kubectl_manifest.mongo_secret]
metadata {
name = "${local.app_slug}-mongo"
namespace = var.namespace
}
}
resource "kubectl_manifest" "mongo" {
yaml_body = <<-EOF
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: "${local.app_slug}-mongo"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo_labels)}
spec:
members: 1
type: ${var.mongo_type}
version: "${var.mongo_version}"
statefulSet:
spec:
template:
metadata:
annotations:
"k8up.io/backupcommand": "sh -c 'mongodump --username=$MONGODB_USER --password=$MONGODB_PASSWORD mongodb://localhost/$MONGODB_NAME --archive'"
"k8up.io/file-extension": ".archive"
spec:
containers:
- name: mongod
imagePullPolicy: "${var.pull_policy}"
resources: ${jsonencode(var.resources)}
env:
- name: MONGODB_NAME
value: ${local.db_name}
- name: MONGODB_USER
value: ${local.username}
- name: MONGODB_PASSWORD
valueFrom:
secretKeyRef:
name: "${local.app_slug}-mongo"
key: password
security:
authentication:
modes: ["SCRAM"]
additionalMongodConfig:
storage.wiredTiger.engineConfig.cacheSizeGB: 1
users:
- name: ${local.username}
db: ${local.db_name}
passwordSecretRef:
name: "${local.app_slug}-mongo"
roles:
- db: ${local.db_name}
name: readWrite
scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
EOF
}
resource "kubectl_manifest" "mongo_sa" {
yaml_body = <<-EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo_labels)}
EOF
}
resource "kubectl_manifest" "mongo_role" {
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo_labels)}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["patch", "delete", "get"]
EOF
}
resource "kubectl_manifest" "mongo_rb" {
yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo_labels)}
subjects:
- kind: ServiceAccount
name: ${local.app_slug}-mongodb-database
roleRef:
kind: Role
name: ${local.app_slug}-mongodb-database
apiGroup: rbac.authorization.k8s.io
EOF
}

21
mongo/outputs.tf Normal file
View File

@@ -0,0 +1,21 @@
output "url" {
value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
}
output "service" {
value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
}
output "password" {
value = local.mongo_password
}
output "username" {
value = local.username
}
output "db_name" {
value = local.db_name
}
output "secret" {
value = {
name = "${local.app_slug}-mongo"
key = "password"
}
}

8
mongo/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

55
mongo/variables.tf Normal file
View File

@@ -0,0 +1,55 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "db_name" {
type = string
default = ""
}
variable "username" {
type = string
default = ""
}
variable "mongo_version" {
type = string
default = "6.0.13"
}
variable "mongo_type" {
type = string
default = "ReplicaSet"
}
variable "pull_policy" {
type = string
default = "IfNotPresent"
}
variable "resources" {
type = object({
limits = optional(object({
cpu = string
memory = string
}))
requests = optional(object({
cpu = string
memory = string
}))
})
default = {
limits = {
cpu = "1"
memory = "1100M"
}
requests = {
cpu = "0.3"
memory = "400M"
}
}
}

72
mysql/mysql.tf
View File

@@ -1,17 +1,21 @@
locals { locals {
mysql_host = "${var.instance}-${var.component}-db.${var.namespace}.svc" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_username = data.kubernetes_secret_v1.prj_mysql_secret.data["rootUser"] mysql_labels = merge(var.labels, {
mysql_password = data.kubernetes_secret_v1.prj_mysql_secret.data["rootPassword"] "app.kubernetes.io/component" = "mysql"
})
mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]
} }
resource "kubectl_manifest" "prj_mysql_secret" { resource "kubectl_manifest" "mysql_secret" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1" apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret" kind: "StringSecret"
metadata: metadata:
name: "${var.instance}-${var.component}-db" name: "${local.app_slug}-mysql"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.mysql_labels)}
spec: spec:
forceRegenerate: false forceRegenerate: false
data: data:
@@ -27,19 +31,26 @@ resource "kubectl_manifest" "prj_mysql_secret" {
EOF EOF
} }
resource "kubectl_manifest" "prj_mysql" { data "kubernetes_secret_v1" "mysql_secret" {
depends_on = [kubectl_manifest.prj_mysql_secret] depends_on = [kubectl_manifest.mysql_secret]
yaml_body = <<-EOF metadata {
name = "${local.app_slug}-mysql"
namespace = var.namespace
labels = local.mysql_labels
}
}
resource "kubectl_manifest" "mysql" {
yaml_body = <<-EOF
apiVersion: mysql.oracle.com/v2 apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster kind: InnoDBCluster
metadata: metadata:
name: "${var.instance}-${var.component}-db" name: "${local.app_slug}-mysql"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.mysql_labels)}
spec: spec:
secretName: ${kubectl_manifest.prj_mysql_secret.name} secretName: ${data.kubernetes_secret_v1.mysql_secret.metadata[0].name}
tlsUseSelfSigned: true tlsUseSelfSigned: true
# tlsSecretName: "${var.instance}-db-cert"
instances: 1 instances: 1
router: router:
instances: 1 instances: 1
@@ -55,38 +66,29 @@ resource "kubectl_manifest" "prj_mysql" {
} }
resource "time_sleep" "wait_mysql_ready" { resource "time_sleep" "wait_mysql_ready" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql] depends_on = [kubectl_manifest.mysql]
create_duration = "45s" create_duration = "45s"
} }
data "kubernetes_secret_v1" "prj_mysql_secret" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
metadata {
name = "${var.instance}-${var.component}-db"
namespace = var.namespace
}
}
resource "mysql_database" "app" { resource "mysql_database" "app" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready] depends_on = [
name = var.database kubectl_manifest.mysql,
time_sleep.wait_mysql_ready
]
name = var.database
} }
resource "mysql_user" "app_user" { resource "mysql_user" "app_user" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready] depends_on = [
host = data.kubernetes_secret_v1.prj_mysql_secret.data["userHost"] time_sleep.wait_mysql_ready,
user = data.kubernetes_secret_v1.prj_mysql_secret.data["username"] mysql_database.app,
plaintext_password = data.kubernetes_secret_v1.prj_mysql_secret.data["password"] ]
host = data.kubernetes_secret_v1.mysql_secret.data["userHost"]
user = data.kubernetes_secret_v1.mysql_secret.data["username"]
plaintext_password = data.kubernetes_secret_v1.mysql_secret.data["password"]
} }
resource "mysql_grant" "app_user_grant" { resource "mysql_grant" "app_user_grant" {
depends_on = [
kubectl_manifest.prj_mysql_secret,
kubectl_manifest.prj_mysql,
time_sleep.wait_mysql_ready,
mysql_database.app,
mysql_user.app_user
]
user = mysql_user.app_user.user user = mysql_user.app_user.user
host = mysql_user.app_user.host host = mysql_user.app_user.host
database = mysql_database.app.name database = mysql_database.app.name

15
mysql/outpost.tf Normal file
View File

@@ -0,0 +1,15 @@
output "conn_string" {
value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
}
output "service" {
value = "${local.app_slug}-mysql.${var.namespace}.svc"
}
output "host" {
value = "${local.app_slug}-mysql"
}
output "secret_name" {
value = "${local.app_slug}-db"
}

8
mysql/providers.tf
View File

@@ -1,12 +1,12 @@
terraform { terraform {
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
mysql = { mysql = {
source = "TakatoHano/mysql" source = "TakatoHano/mysql"
version = "1.2.1" version = "1.2.1"
} }
} }
} }

68
oauth2/oauth2.tf
View File

@@ -1,25 +1,13 @@
resource "kubectl_manifest" "oauth2-secret" { locals {
ignore_fields = ["metadata.annotations"] app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
yaml_body = <<-EOF oauth2_labels = merge(var.labels, {
apiVersion: "secretgenerator.mittwald.de/v1alpha1" "app.kubernetes.io/component" = "authentik-oauth2"
kind: "StringSecret" })
metadata:
name: "${var.component}-${var.instance}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
} }
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret] resource "random_password" "client_id" {
metadata { length = 32
name = kubectl_manifest.oauth2-secret.name special = false
namespace = var.namespace
}
} }
data "authentik_certificate_key_pair" "ca" { data "authentik_certificate_key_pair" "ca" {
@@ -33,41 +21,43 @@ data "authentik_scope_mapping" "oauth2" {
"goauthentik.io/providers/oauth2/scope-profile" "goauthentik.io/providers/oauth2/scope-profile"
] ]
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}" name = local.app_slug
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] client_id = random_password.client_id.result
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
client_type = "confidential" client_type = "confidential"
sub_mode = "user_username" sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [ redirect_uris = [
"https://${var.dns_name}/${var.redirect_path}" "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
] ]
} }
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
namespace = var.namespace
labels = var.labels
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}
data "kubernetes_ingress_v1" "authentik" { data "kubernetes_ingress_v1" "authentik" {
metadata { metadata {
name = "authentik" name = "authentik"
namespace = "${var.domain}-auth" namespace = "${var.domain}-auth"
} }
} }
resource "kubernetes_secret" "oauth2_client_secret" {
metadata {
name = "${local.app_slug}-oauth2"
namespace = var.namespace
labels = local.oauth2_labels
}
data = {
oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
client_id = random_password.client_id.result
client_secret = authentik_provider_oauth2.oauth2.client_secret
}
}

35
oauth2/outputs.tf
View File

@@ -1,7 +1,36 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_oauth2.oauth2.id value = authentik_provider_oauth2.oauth2.id
} }
output "sso_configuration_url" { output "sso_signout_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/"
} }
output "sso_configuration_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
}
output "sso_userinfo_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/"
}
output "sso_authorize_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
}
output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
}
output "client_id" {
value = random_password.client_id.result
}
output "client_secret" {
value = authentik_provider_oauth2.oauth2.client_secret
}
output "oauth2_secret_name" {
value = kubernetes_secret.oauth2_client_secret.metadata[0].name
}

12
oauth2/providers.tf
View File

@@ -2,16 +2,16 @@
terraform { terraform {
required_providers { required_providers {
kubernetes = { kubernetes = {
source = "hashicorp/kubernetes" source = "hashicorp/kubernetes"
version = "~> 2.20.0" version = "~> 2.20.0"
} }
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2023.5.0"
} }
} }
} }

23
postgresql/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "conn_string" {
value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
}
output "service" {
value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-pg-rw"
}
output "db_name" {
value = var.component
}
output "db_port" {
value = "5432"
}
output "secret_name" {
value = "${local.app_slug}-pg-app"
}

95
postgresql/postgresql.tf Normal file
View File

@@ -0,0 +1,95 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pg_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg"
})
pool_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg-pool"
})
}
resource "kubectl_manifest" "pg" {
yaml_body = join("", concat([<<-EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: "${local.app_slug}-pg"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pg_labels)}
annotations:
"k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
"k8up.io/file-extension": ".sql"
spec:
instances: ${var.replicas}
imageName: "${var.images.postgresql.registry}/${var.images.postgresql.repository}:${var.images.postgresql.tag}"
storage:
size: "${var.storage.size}"
bootstrap:
initdb:
database: "${var.component}"
owner: "${var.component}"
monitoring:
enablePodMonitor: true
EOF
], var.backups.enable&&var.backups.use_barman?[<<-EOF
backup:
barmanObjectStore:
destinationPath: "s3://${local.app_slug}-${var.namespace}/"
endpointURL: "${var.backups.endpoint}/barman"
s3Credentials:
accessKeyId:
name: "${var.backups.secret_name}"
key: "${var.backups.key_id_key}"
secretAccessKey:
name: "${var.backups.secret_name}"
key: "${var.backups.secret_key}"
EOF
]:[""]))
}
resource "kubectl_manifest" "pg_backup" {
count = var.backups.enable ? 1:0
yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: "${local.app_slug}-pg"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pg_labels)}
spec:
schedule: "${var.backups.schedule.db}"
backupOwnerReference: self
cluster:
name: "${local.app_slug}-pg"
EOF
}
resource "kubectl_manifest" "pg_pool" {
depends_on = [kubectl_manifest.pg]
yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: "${local.app_slug}-pool"
namespace: "${var.namespace}"
labels: ${jsonencode(local.pool_labels)}
spec:
cluster:
name: "${local.app_slug}-pg"
instances: 1
type: rw
pgbouncer:
poolMode: session
parameters:
max_client_conn: "1000"
default_pool_size: "10"
EOF
}
data "kubernetes_secret_v1" "credentials" {
depends_on = [ kubectl_manifest.pg ]
metadata {
name = "${local.app_slug}-pg-app"
namespace = var.namespace
}
}

8
postgresql/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

63
postgresql/variables.tf Normal file
View File

@@ -0,0 +1,63 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "backups" {
default = {
"enable" = false
"endpoint" = ""
"key_id_key" = "s3-id"
"restic_key" = "bck-password"
"schedule" = {
"db" = "30 3 * * *"
}
"secret_key" = "s3-secret"
"secret_name" = "backup-settings"
"use_barman" = false
}
type = object({
enable = optional(bool),
endpoint = optional(string),
key_id_key = optional(string),
restic_key = optional(string),
schedule = optional(object({
db = optional(string),
})),
secret_key = optional(string),
secret_name = optional(string),
use_barman = optional(bool)
})
}
variable "images" {
type = object({
postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
})
default = {
"postgresql" = {
"registry" = "ghcr.io"
"repository" = "cloudnative-pg/postgresql"
"tag" = 15.3
}
}
}
variable "replicas" {
type = number
default = 1
}
variable "storage" {
type = object({
size = optional(string)
})
default = {
"size" = "5Gi"
}
}

3
pvc/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "name" {
value = local.app_slug
}

8
pvc/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

32
pvc/pvc.tf Normal file
View File

@@ -0,0 +1,32 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pvc_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pvc"
})
pvc_spec = merge({
"accessModes" = [var.storage.access_mode]
"volumeMode" = var.storage.type
"resources" = {
"requests" = {
"storage" = var.storage.size
}
}
}, var.storage.class != "" ? {
"storageClassName" = var.storage.class
} : {})
}
resource "kubectl_manifest" "pvc" {
ignore_fields = ["spec.resources.requests.storage"]
yaml_body = <<-EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ${local.app_slug}
namespace: "${var.namespace}"
annotations:
k8up.io/backup: "${var.backup}"
resize.kubesphere.io/storage_limit: "${var.storage.max_size}
labels: ${jsonencode(local.pvc_labels)}
spec: ${jsonencode(local.pvc_spec)}
EOF
}

33
pvc/variables.tf Normal file
View File

@@ -0,0 +1,33 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "storage" {
type = object({
access_mode = optional(string),
class = optional(string),
size = optional(string),
max_size = optional(string),
type = optional(string)
})
default = {
"access_mode" = "ReadWriteOnce"
"class" = ""
"size" = "2Gi"
"max_size" = "10Gi"
"type" = "Filesystem"
}
}
variable "backup" {
type = bool
default = true
}

23
rabbitmq/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "conn_string" {
value = "mqtt://${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["password"])}@${local.app_slug}-mq.${var.namespace}.svc:1883"
}
output "service" {
value = "${local.app_slug}-mq.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-mq"
}
output "db_port" {
value = "1883"
}
output "cert_secret_name" {
value = local.secret_name
}
output "user_secret_name" {
value = "${local.app_slug}-user"
}

8
rabbitmq/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

101
rabbitmq/rabbitmq.tf Normal file
View File

@@ -0,0 +1,101 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
rabbit_labels = merge(var.labels, {
"app.kubernetes.io/component" = "rabbitmq"
})
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
pvc_spec = merge({
"storage" = var.storage.size
}, var.storage.class != "" ? {
"storageClassName" = var.storage.class
} : {})
}
resource "kubectl_manifest" "certificate" {
count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
secretName: "${local.secret_name}"
dnsNames:
- "${local.app_slug}-mq.${var.namespace}.svc"
- "*.${local.app_slug}-mq-nodes.${var.namespace}.svc"
issuerRef:
kind: "ClusterIssuer"
name: "${var.issuer}"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "rabbit_secret" {
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-user"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
forceRegenerate: false
data:
username: "${var.instance}"
port: "5672"
host: "${local.app_slug}-mq.${var.namespace}.svc"
fields:
- fieldName: "password"
length: "32"
EOF
}
data "kubernetes_secret_v1" "rabbit_secret" {
depends_on = [kubectl_manifest.rabbit_secret]
metadata {
name = "${local.app_slug}-user"
namespace = var.namespace
labels = local.rabbit_labels
}
}
# based on https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples
resource "kubectl_manifest" "rabbitmq" {
depends_on = [
kubectl_manifest.certificate,
kubectl_manifest.rabbit_secret,
data.kubernetes_secret_v1.rabbit_secret,
]
yaml_body = <<-EOF
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
name: "${local.app_slug}-mq"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
replicas: ${var.replicas}
image: "${var.image.registry}/${var.image.repository}:${var.image.tag}"
imagePullPolicy: "${var.image.pull_policy}"
persistence: ${jsonencode(local.pvc_spec)}
resources: ${jsonencode(var.resources)}
tls:
secretName: ${local.secret_name}
rabbitmq:
erlangInetConfig: |
{inet6, true}.
envConfig: |
SERVER_ADDITIONAL_ERL_ARGS="-kernel inetrc '/etc/rabbitmq/erl_inetrc' -proto_dist inet6_tcp"
RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
additionalConfig: |
cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
default_user=${data.kubernetes_secret_v1.rabbit_secret.data["username"]}
default_pass=${data.kubernetes_secret_v1.rabbit_secret.data["password"]}
additionalPlugins: ${jsonencode(var.plugins)}
service:
ipFamilyPolicy: "PreferDualStack"
EOF
}

78
rabbitmq/variables.tf Normal file
View File

@@ -0,0 +1,78 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "issuer" {
type = string
}
variable "replicas" {
type = number
default = 1
}
variable "image" {
type = object({
registry = optional(string),
repository = optional(string),
tag = optional(string),
pull_policy = optional(string)
})
description = "Image parameters"
default = {
"registry" = "docker.io"
"repository" = "rabbitmq"
"tag" = "3.11.28-management-alpine"
"pull_policy" = "IfNotPresent"
}
}
variable "storage" {
description = "Storage parameters"
type = object({
class = optional(string),
size = optional(string),
})
default = {
class = ""
size = "1Gi"
}
}
variable "resources" {
description = "Resources parameters"
type = object({
requests = optional(object({
cpu = optional(string),
memory = optional(string)
})),
limits = optional(object({
cpu = optional(string),
memory = optional(string)
}))
})
default = {
requests = {
cpu = "1000m",
memory = "2Gi"
},
limits = {
cpu = "1000m",
memory = "2Gi"
}
}
}
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty a new one will be created"
}
variable "plugins" {
description = "RabitMQ plugins"
type = list(string)
default = ["rabbitmq_mqtt", "rabbitmq_web_mqtt"]
}

19
redis/outputs.tf Normal file
View File

@@ -0,0 +1,19 @@
output "conn_string" {
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
}
output "service" {
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "port" {
value = 6379
}
output "db_host" {
value = "${local.app_slug}-redis"
}
output "secret_name" {
value = lookup(var.password, "name", "")
}

8
redis/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

41
redis/redis.tf Normal file
View File

@@ -0,0 +1,41 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
redis_labels = merge(var.labels, {
"app.kubernetes.io/component" = "redis"
})
cfg = merge({
"image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
"imagePullPolicy" = var.images.redis.pull_policy
}, lookup(var.password, "enabled", false) ? {
redisSecret = {
name = lookup(var.password, "name", var.component)
key = lookup(var.password, "key", "redis-password")
}
} : {})
}
resource "kubectl_manifest" "redis" {
yaml_body = <<-EOF
apiVersion: "redis.redis.opstreelabs.in/v1beta1"
kind: "Redis"
metadata:
name: "${local.app_slug}-redis"
namespace: "${var.namespace}"
labels: ${jsonencode(local.redis_labels)}
spec:
kubernetesConfig: ${jsonencode(local.cfg)}
storage:
volumeClaimTemplate:
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: "${var.storage.size}"
redisExporter:
enabled: ${var.exporter.enabled}
image: "${var.images.redis_exporter.registry}/${var.images.redis_exporter.repository}:${var.images.redis_exporter.tag}"
securityContext:
runAsUser: 1000
fsGroup: 1000
EOF
}

61
redis/variables.tf Normal file
View File

@@ -0,0 +1,61 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "images" {
type = object({
redis = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
})
default = {
"redis" = {
"pull_policy" = "IfNotPresent"
"registry" = "quay.io"
"repository" = "opstree/redis"
"tag" = "v7.0.12"
}
"redis_exporter" = {
"pull_policy" = "IfNotPresent"
"registry" = "quay.io"
"repository" = "opstree/redis-exporter"
"tag" = "v1.44.0"
}
}
}
variable "exporter" {
type = object({
enabled = optional(bool)
})
default = {
"enabled" = true
}
}
variable "password" {
type = object({
enabled = optional(bool),
name = optional(string),
key = optional(string)
})
default = {
"enabled" = false
"name" = ""
"key" = ""
}
}
variable "storage" {
type = object({
size = optional(string)
})
default = {
"size" = "2Gi"
}
}

14
saml/outputs.tf
View File

@@ -1,3 +1,11 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_saml.prj.id value = authentik_provider_saml.prj.id
} }
output "metadata_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/api/v3/providers/saml/${authentik_provider_saml.prj.id}/metadata/?download"
}
output "saml_certificate_secret_name" {
value = "${local.app_slug}-saml"
}

13
saml/providers.tf
View File

@@ -1,12 +1,17 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "goauthentik/authentik"
version = "~> 2023.5.0" version = "~> 2023.5.0"
} }
} }
} }

46
saml/saml.tf
View File

@@ -1,19 +1,25 @@
data "authentik_flow" "default-authorization-flow" { locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml"
})
}
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
data "authentik_property_mapping_saml" "saml_maps" { data "authentik_property_mapping_saml" "saml_maps" {
managed_list = [ managed_list = [
"goauthentik.io/providers/saml/email", "goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/groups", "goauthentik.io/providers/saml/groups",
"goauthentik.io/providers/saml/name", "goauthentik.io/providers/saml/name",
"goauthentik.io/providers/saml/upn", "goauthentik.io/providers/saml/upn",
"goauthentik.io/providers/saml/uid", "goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username", "goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname", "goauthentik.io/providers/saml/ms-windowsaccountname",
] ]
} }
@@ -26,27 +32,27 @@ data "authentik_certificate_key_pair" "generated" {
} }
resource "kubectl_manifest" "saml_certificate" { resource "kubectl_manifest" "saml_certificate" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1" apiVersion: "cert-manager.io/v1"
kind: "Certificate" kind: "Certificate"
metadata: metadata:
name: "${var.instance}-${var.component}-saml" name: "${local.app_slug}-saml"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)} labels: ${jsonencode(local.saml_labels)}
spec: spec:
secretName: "${var.instance}-${var.component}-saml" secretName: "${local.app_slug}-saml"
dnsNames: ${jsonencode(var.dns_names)} dnsNames: ${jsonencode(var.dns_names)}
issuerRef: issuerRef:
name: "self-sign" name: "${var.issuer}"
kind: "ClusterIssuer" kind: "ClusterIssuer"
group: "cert-manager.io" group: "cert-manager.io"
EOF EOF
} }
resource "authentik_provider_saml" "prj" { resource "authentik_provider_saml" "prj" {
name = "${var.component}-${var.instance}-saml" name = "${local.app_slug}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}" acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
@@ -54,3 +60,9 @@ resource "authentik_provider_saml" "prj" {
sp_binding = var.binding sp_binding = var.binding
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

23
saml/variables.tf
View File

@@ -1,19 +1,28 @@
variable "component" { variable "component" {
type = string type = string
} }
variable "instance" { variable "instance" {
type = string type = string
}
variable "namespace" {
type = string
}
variable "domain" {
type = string
}
variable "issuer" {
type = string
} }
variable "dns_names" { variable "dns_names" {
type = list(string) type = list(string)
} }
variable "acs_path" { variable "acs_path" {
type = string type = string
} }
variable "binding" { variable "binding" {
type = string type = string
default = "post" default = "post"
} }
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }

15
service/outputs.tf Normal file
View File

@@ -0,0 +1,15 @@
output "name" {
value = local.app_slug
}
output "ingress_backend_exposure" {
value = [for port_map in var.port_mapper :
{
"service" = {
"name" = local.app_slug
"port" = {
"name" = port_map.name
}
}
}
]
}

4
service/providers.tf
View File

@@ -1,8 +1,8 @@
terraform { terraform {
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"
} }
} }
} }

72
service/svc.tf
View File

@@ -1,29 +1,51 @@
locals { locals {
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : { app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
"name" = target selector = length(var.selector) > 0 ? var.selector : var.labels
"port" = var.ports[idx] default_ports = var.svc_type != "NodePort" ? [for port_map in var.port_mapper : {
"protocol" = var.protocols[idx] "name" = lower(port_map.name != null && port_map.name != "" ? port_map.name : "${port_map.port}-${port_map.protocol}")
"targetPort" = target "port" = port_map.port
"protocol" = port_map.protocol
"targetPort" = port_map.target
}] : [] }] : []
node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : { node_ports = var.svc_type == "NodePort" ? [for port_map in var.port_mapper : {
"port" = port "port" = port_map.port
"targetPort" = port "targetPort" = port_map.target
"nodePort" = var.node_ports[idx] "nodePort" = port_map.port
}] : [] }] : []
metadata = merge(
{
"name" = local.app_slug
"namespace" = var.namespace
"labels" = var.labels
},
length(var.annotations) > 0 ? {
"annotations" = var.annotations
} : {}
)
spec = { spec = {
"ClusterIP" = { "ClusterIP" = {
type = "ClusterIP" type = "ClusterIP"
ports = local.cluster_ports ports = local.default_ports
selector = var.labels selector = local.selector
ipFamilyPolicy = var.ip_family
}, },
"ExternalName" = { "ExternalName" = {
type = "ExternalName" type = "ExternalName"
externalName = var.target_host externalName = var.target_host
ports = local.default_ports
}, },
"NodePort" = { "NodePort" = {
type = "NodePort" type = "NodePort"
selector = var.labels selector = local.selector
ports = local.node_ports ports = local.node_ports
ipFamilyPolicy = var.ip_family
},
"LoadBalancer" = {
type = "LoadBalancer"
selector = local.selector
ports = local.default_ports
externalTrafficPolicy = var.lb_policy
ipFamilyPolicy = var.ip_family
} }
} }
} }
@@ -31,10 +53,22 @@ resource "kubectl_manifest" "service" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata: ${jsonencode(local.metadata)}
name: "${var.instance}-${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
spec: ${jsonencode(local.spec[var.svc_type])} spec: ${jsonencode(local.spec[var.svc_type])}
EOF EOF
} }
resource "kubectl_manifest" "endpoint" {
count = var.svc_type == "ExternalName" ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Endpoints
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
subsets:
- addresses:
- ip: ${var.target_host}
ports: ${jsonencode([for port_map in var.port_mapper : { "port" = port_map.port }])}
EOF
}

75
service/variables.tf
View File

@@ -8,41 +8,74 @@ variable "namespace" {
type = string type = string
} }
variable "labels" { variable "labels" {
type = map(string) type = map(string)
description = "Service labels"
}
variable "selector" {
type = map(string)
description = "Service selector labels (default same as labels)"
default = {}
}
variable "annotations" {
type = map(string)
default = {}
} }
variable "svc_type" { variable "svc_type" {
type = string type = string
default = "ClusterIP" default = "ClusterIP"
validation { validation {
condition = contains(["ClusterIP", "ExternalName", "NodePort"], var.svc_type) condition = contains(["ClusterIP", "ExternalName", "NodePort", "LoadBalancer"], var.svc_type)
error_message = "Only ClusterIP or ExternalName is allowed" error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
} }
} }
variable "ports" {
type = list(number) variable "ip_family" {
default = [80] type = string
} default = "PreferDualStack"
variable "targets" {
type = list(string)
default = ["http"]
}
variable "protocols" {
type = list(any)
default = ["TCP"]
validation { validation {
condition = alltrue([for proto in var.protocols : contains(["TCP", "UDP"], proto)]) condition = contains(["SingleStack", "PreferDualStack"], var.ip_family)
error_message = "Only TCP or UDP is allowed" error_message = "Only SingleStack or PreferDualStack is allowed"
} }
} }
variable "port_mapper" {
description = "List information for port mapping in the service"
type = list(object({
name = optional(string)
port = number
protocol = string
target = string
}))
default = [{
"name" = "80-TCP",
"port" = 80,
"protocol" = "TCP"
"target" = "80-TCP"
}]
validation {
condition = alltrue(
[for port_map in var.port_mapper : contains(["TCP", "UDP"], port_map.protocol)]
)
error_message = "Only numeric on containerPort and TCP or UDP on protocol is allowed"
}
# validation {
# condition = (var.svc_type == "NodePort") == alltrue(
# [for port_map in var.port_mapper : port_map.port >= 30000 && port_map.port <= 32767]
# )
# error_message = "The range of valid ports is 30000-32767 for a NodePort type"
# }
}
variable "target_host" { variable "target_host" {
type = string type = string
default = "" default = ""
} }
variable "node_ports" {
type = list(number) variable "lb_policy" {
default = [30080] type = string
default = "Cluster"
validation { validation {
condition = alltrue([for port in var.node_ports : port >= 30000 && port <= 32767]) condition = contains(["Cluster", "Local"], var.lb_policy)
error_message = "The range of valid ports is 30000-32767" error_message = "Only Cluster or Local is allowed"
} }
} }