Refacto and add modules

Reviewed-on: #2

application/application.tf

@@ -1,6 +1,8 @@
 locals {
-  app_name   = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
-  main_group = format("app-%s", local.app_name)
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_name   = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
+  main_group = format("app-%s", local.app_slug)
+  url_icon   = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", var.dns_name, var.icon)
 }
 data "authentik_group" "akadmin" {
   name = "authentik Admins"
@@ -12,35 +14,35 @@ resource "authentik_group" "groups" {
 
 resource "authentik_group" "subgroup" {
   count  = length(var.sub_groups)
-  name   = format("%s-%s", local.app_name, var.sub_groups[count.index])
+  name   = format("%s-%s", local.main_group, var.sub_groups[count.index])
   parent = authentik_group.groups.id
 }
 
-resource "authentik_application" "prj_app" {
-  name                  = var.instance
-  slug                  = "${var.component}-${var.instance}"
+resource "authentik_application" "app" {
+  name                  = var.app_name
+  slug                  = local.app_slug
   group                 = var.app_group
   protocol_provider     = var.protocol_provider
   backchannel_providers = var.backchannel_providers
   meta_launch_url       = format("https://%s", var.dns_name)
-  meta_icon             = format("https://%s/%s", var.dns_name, var.icon)
+  meta_icon             = local.url_icon
 }
 
 resource "authentik_policy_expression" "policy" {
-  name       = local.main_group
+  name       = "${local.app_slug}-${local.main_group}"
   expression = <<-EOF
     attr = request.user.group_attributes()
     return attr['${local.app_name}'] if '${local.app_name}' in attr else False
   EOF
 }
 
-resource "authentik_policy_binding" "prj_access_users" {
-  target = authentik_application.prj_app.uuid
+resource "authentik_policy_binding" "access_users" {
+  target = authentik_application.app.uuid
   policy = authentik_policy_expression.policy.id
   order  = 0
 }
-resource "authentik_policy_binding" "prj_access_vynil" {
-  target = authentik_application.prj_app.uuid
+resource "authentik_policy_binding" "access_vynil" {
+  target = authentik_application.app.uuid
   group  = data.authentik_group.akadmin.id
   order  = 1
 }

application/outputs.tf

@@ -1,7 +1,10 @@
-output "application-id" {
-  value = authentik_application.prj_app.uuid
+output "application_id" {
+  value = authentik_application.app.uuid
 }
 
-output "policy-id" {
+output "policy_id" {
   value = authentik_policy_expression.policy.id
 }
+output "main_group" {
+  value = local.main_group
+}

application/variables.tf

@@ -17,6 +17,10 @@ variable "protocol_provider" {
 variable "dns_name" {
   type = string
 }
+variable "app_name" {
+  type    = string
+  default = ""
+}
 variable "sub_groups" {
   type    = list(string)
   default = []

backup/backup.tf

@@ -0,0 +1,41 @@
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+}
+
+resource "kubectl_manifest" "backup_schedule" {
+  yaml_body = <<-EOF
+    apiVersion: k8up.io/v1
+    kind: Schedule
+    metadata:
+      name: "${local.app_slug}-backup"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    spec:
+      backend:
+        repoPasswordSecretRef:
+          key: "${var.backups.restic_key}"
+          name: "${var.backups.secret_name}"
+        s3:
+          accessKeyIDSecretRef:
+            key: "${var.backups.key_id_key}"
+            name: "${var.backups.secret_name}"
+          bucket: "${local.app_slug}-${var.namespace}"
+          endpoint: "${var.backups.endpoint}/restic"
+          secretAccessKeySecretRef:
+            key: "${var.backups.secret_key}"
+            name: "${var.backups.secret_name}"
+      backup:
+        schedule: "${var.backups.schedule.backup}"
+        failedJobsHistoryLimit: 2
+        successfulJobsHistoryLimit: 2
+      check:
+        schedule: "${var.backups.schedule.check}"
+      prune:
+        retention:
+          keepDaily: ${var.backups.retention.keep_daily}
+          keepMonthly: ${var.backups.retention.keep_monthly}
+          keepWeekly: ${var.backups.retention.keep_weekly}
+          keepYearly: ${var.backups.retention.keep_yearly}
+        schedule: "${var.backups.schedule.prune}"
+  EOF
+}

backup/outputs.tf

@@ -0,0 +1,3 @@
+output "schedule_name" {
+  value = kubectl_manifest.backup_schedule.name
+}

backup/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}

backup/variables.tf

@@ -0,0 +1,55 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "backups" {
+  default = {
+    "enable"     = false
+    "endpoint"   = ""
+    "key_id_key" = "s3-id"
+    "restic_key" = "bck-password"
+    "retention" = {
+      "keep_daily"   = 14
+      "keep_monthly" = 12
+      "keep_weekly"  = 6
+      "keep_yearly"  = 12
+    }
+    "schedule" = {
+      "backup" = "30 3 * * *"
+      "check"  = "30 5 * * 1"
+      "db"     = "30 3 * * *"
+      "prune"  = "30 1 * * 0"
+    }
+    "secret_key"  = "s3-secret"
+    "secret_name" = "backup-settings"
+    "use_barman"  = false
+  }
+  type = object({
+    enable     = optional(bool),
+    endpoint   = optional(string),
+    key_id_key = optional(string),
+    restic_key = optional(string),
+    retention = optional(object({
+      keep_daily   = optional(number),
+      keep_monthly = optional(number),
+      keep_weekly  = optional(number),
+      keep_yearly  = optional(number)
+    })),
+    schedule = optional(object({
+      backup = optional(string),
+      check  = optional(string),
+      prune  = optional(string)
+    })),
+    secret_key  = optional(string),
+    secret_name = optional(string),
+    use_barman  = optional(bool)
+  })
+}

forward/forward.tf

@@ -1,9 +1,10 @@
 locals {
-  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
-  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
-  app_name                  = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
-  main_group                = format("app-%s", local.app_name)
-  external_url              = format("https://%s", var.dns_names[0])
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  forward_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-forward"
+  })
+  main_group   = format("app-%s", var.app_name)
+  external_url = format("https://%s", var.dns_names[0])
   rules_icons = [for v in var.dns_names : {
     "host" = "${v}"
     "http" = {
@@ -16,17 +17,19 @@ locals {
       }]
     }
   }]
+  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
+  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
 }
 
-resource "kubectl_manifest" "prj_ingress_icon" {
+resource "kubectl_manifest" "ingress_icon" {
   force_conflicts = true
   yaml_body       = <<-EOF
     apiVersion: "networking.k8s.io/v1"
     kind: "Ingress"
     metadata:
-      name: "${var.instance}-icons"
+      name: "${local.app_slug}-icons"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.forward_labels)}
     spec:
       ingressClassName: "${var.ingress_class}"
       rules: ${jsonencode(local.rules_icons)}
@@ -36,20 +39,20 @@ resource "kubectl_manifest" "prj_ingress_icon" {
   EOF
 }
 
-data "authentik_flow" "default-authorization-flow" {
+data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
 
-resource "authentik_provider_proxy" "prj_forward" {
-  name                  = local.app_name
+resource "authentik_provider_proxy" "forward" {
+  name                  = local.app_slug
   external_host         = local.external_url
-  authorization_flow    = data.authentik_flow.default-authorization-flow.id
+  authorization_flow    = data.authentik_flow.default_authorization_flow.id
   mode                  = "forward_single"
   access_token_validity = var.access_token_validity
 }
 
 data "http" "get_forward_outpost" {
-  depends_on      = [authentik_provider_proxy.prj_forward]
+  depends_on      = [authentik_provider_proxy.forward]
   url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
   method          = "GET"
   request_headers = var.request_headers
@@ -65,18 +68,18 @@ resource "restapi_object" "forward_outpost_binding" {
   path = "/outposts/instances/${local.forward_outpost_pk}/"
   data = jsonencode({
     name      = "forward"
-    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id])
+    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
   })
 }
 
-resource "kubectl_manifest" "prj_middleware" {
+resource "kubectl_manifest" "middleware" {
   yaml_body = <<-EOF
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
     kind: Middleware
     metadata:
-        name: "forward-${local.app_name}"
+        name: "${local.app_slug}-forward"
         namespace: "${var.namespace}"
-        labels: ${jsonencode(var.labels)}
+        labels: ${jsonencode(local.forward_labels)}
     spec:
       forwardAuth:
         address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik

forward/outputs.tf

@@ -1,7 +1,11 @@
-output "provider-id" {
-  value       = authentik_provider_proxy.prj_forward.id
+output "provider_id" {
+  value = authentik_provider_proxy.forward.id
 }
 
 output "sso_logout" {
-  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${var.component}-${var.instance}/end-session/"
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${local.app_slug}/end-session/"
+}
+
+output "middleware" {
+  value = "${local.app_slug}-forward"
 }

forward/providers.tf

@@ -1,20 +1,20 @@
 terraform {
   required_providers {
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
     authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
     }
     http = {
-       source = "hashicorp/http"
-       version = "~> 3.3.0"
+      source  = "hashicorp/http"
+      version = "~> 3.3.0"
     }
     restapi = {
-       source = "Mastercard/restapi"
-       version = "~> 1.18.0"
+      source  = "Mastercard/restapi"
+      version = "~> 1.18.0"
     }
   }
 }

forward/variables.tf

@@ -1,33 +1,54 @@
 variable "component" {
   type = string
 }
+
 variable "instance" {
   type = string
 }
-variable "icon" {
-  type = string
-}
+
 variable "domain" {
   type = string
 }
+
 variable "namespace" {
   type = string
 }
-variable "ingress_class" {
-  type = string
-}
+
 variable "labels" {
   type = map(string)
 }
+
+variable "ingress_class" {
+  type = string
+}
+
+variable "icon" {
+  type = string
+}
+
 variable "dns_names" {
   type = list(string)
 }
+
 variable "access_token_validity" {
   type    = string
   default = "hours=10" // ;minutes=10
 }
-variable "service" {
+
+variable "app_name" {
+  type    = string
+  default = ""
 }
+
+variable "service" {
+  type = object({
+    name = string
+    port = object({
+      number = number
+    })
+  })
+}
+
 variable "request_headers" {
   type = map(string)
 }

ingress/ingress.tf

@@ -1,26 +1,30 @@
 
 locals {
-  name = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  pres_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "presentation"
+  })
   rules = [for v in var.dns_names : {
     "host" = "${v}"
     "http" = {
-      "paths" = [for idx, svc in var.services : {
-        "path"     = "/${var.sub_paths[idx]}"
+      "paths" = [for mapper in var.services_mapping : {
+        "path"     = "/${mapper.path}"
         "pathType" = "Prefix"
         "backend" = {
-          "service" = svc
+          "service" = mapper.service
         }
       }]
     }
   }]
-  tls = var.enforce_tls ? [
+  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
+  tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
     {
-      secretName = var.cert_name != "" ? var.cert_name : "${local.name}-cert"
+      secretName = local.secret_name
       hosts      = var.dns_names
     }
   ] : []
   middlewares = concat(
-    var.create_redirect ? ["${local.name}-https"] : [],
+    var.create_redirect ? ["${local.app_slug}-https"] : [],
     var.middlewares
   )
   annotations = merge(
@@ -33,17 +37,17 @@ locals {
   )
 }
 
-resource "kubectl_manifest" "prj_certificate" {
-  count     = var.create_cert ? 1 : 0
+resource "kubectl_manifest" "certificate" {
+  count     = var.cert_name == "" ? 1 : 0
   yaml_body = <<-EOF
     apiVersion: "cert-manager.io/v1"
     kind: "Certificate"
     metadata:
-      name: "${local.name}"
+      name: "${local.app_slug}"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.pres_labels)}
     spec:
-        secretName: "${local.name}-cert"
+        secretName: "${local.secret_name}"
         dnsNames: ${jsonencode(var.dns_names)}
         issuerRef:
           kind: "ClusterIssuer"
@@ -52,15 +56,15 @@ resource "kubectl_manifest" "prj_certificate" {
   EOF
 }
 
-resource "kubectl_manifest" "prj_https_redirect" {
-  count     = var.create_redirect || var.component == "" ? 1 : 0
+resource "kubectl_manifest" "https_redirect" {
+  count     = var.create_redirect ? 1 : 0
   yaml_body = <<-EOF
-    apiVersion: "traefik.containo.us/v1alpha1"
+    apiVersion: "traefik.io/v1alpha1"
     kind: "Middleware"
     metadata:
-      name: "${local.name}-https"
+      name: "${local.app_slug}-https"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.pres_labels)}
     spec:
       redirectScheme:
         scheme: "https"
@@ -68,15 +72,15 @@ resource "kubectl_manifest" "prj_https_redirect" {
   EOF
 }
 
-resource "kubectl_manifest" "prj_ingress" {
+resource "kubectl_manifest" "ingress" {
   force_conflicts = true
   yaml_body       = <<-EOF
     apiVersion: "networking.k8s.io/v1"
     kind: "Ingress"
     metadata:
-      name: "${local.name}"
+      name: "${local.app_slug}"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.pres_labels)}
       annotations: ${jsonencode(local.annotations)}
     spec:
       ingressClassName: "${var.ingress_class}"

ingress/outputs.tf

@@ -0,0 +1,3 @@
+output "secret_name" {
+  value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
+}

ingress/providers.tf

@@ -2,8 +2,8 @@
 terraform {
   required_providers {
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
   }
 }

ingress/variables.tf

@@ -24,35 +24,37 @@ variable "middlewares" {
   type    = list(string)
   default = []
 }
-variable "services" {
-  type = list(any)
+
+variable "services_mapping" {
+  type = list(object({
+    path = optional(string)
+    service = object({
+      name= string
+      port = object({
+        number = number
+      })
+    })
+  }))
 }
 
-variable "create_redirect" {
-  type    = bool
-  default = true
-}
-variable "create_cert" {
-  type    = bool
-  default = true
-}
-variable "enforce_tls" {
-  type    = bool
-  default = true
-}
-variable "sub_paths" {
-  type    = list(string)
-  default = [""]
-}
-variable "cert_name" {
-  type    = string
-  default = ""
-}
 variable "entrypoint" {
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
+  description = "Define ingres support, if empty or define to websecure, tls will be activate"
   validation {
     condition     = contains(["", "web", "websecure"], var.entrypoint)
     error_message = "Only empty \"\", web or websecure is allowed"
   }
 }
+
+variable "cert_name" {
+  type        = string
+  default     = ""
+  description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
+}
+
+variable "create_redirect" {
+  type        = bool
+  default     = true
+  description = "Enfore https redirection"
+}

ldap/ldap.tf

@@ -0,0 +1,157 @@
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  ldap_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-ldap"
+  })
+  base_dn                = format("dc=%s", join(",dc=", split(".", var.dns_name)))
+  base_group_dn          = format("ou=groups,%s", local.base_dn)
+  base_user_dn           = format("ou=users,%s", local.base_dn)
+  authentik_base_url     = "http://authentik.${var.domain}-auth.svc"
+  ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
+  ldap_outpost_pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
+
+  app_name   = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main_group = format("app-%s", local.app_name)
+  sorted_group_names = reverse(distinct(sort([
+    for grp in var.user_groups : grp.name
+  ])))
+  sorted_groups = flatten([
+    for name in local.sorted_group_names : [
+      for grp in var.user_groups :
+      grp if grp.name == name
+    ]
+  ])
+}
+
+data "authentik_group" "vynil_admin" {
+  name = "vynil-ldap-admins"
+}
+
+resource "authentik_group" "groups" {
+  count      = length(local.sorted_groups)
+  name       = local.sorted_groups[count.index].name
+  attributes = jsonencode({ "${local.app_name}" = true })
+}
+
+data "authentik_group" "readed_groups" {
+  depends_on = [authentik_group.groups]
+  count      = length(local.sorted_groups)
+  name       = local.sorted_groups[count.index].name
+}
+
+resource "authentik_application" "application_ldap" {
+  name              = local.app_slug
+  slug              = "${local.app_slug}-ldap"
+  protocol_provider = authentik_provider_ldap.provider_ldap.id
+  meta_launch_url   = "blank://blank"
+}
+
+resource "authentik_policy_expression" "policy" {
+  name       = local.main_group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
+  EOF
+}
+
+resource "authentik_policy_binding" "ldap_access_users" {
+  target = authentik_application.application_ldap.uuid
+  policy = authentik_policy_expression.policy.id
+  order  = 0
+}
+resource "authentik_policy_binding" "ldap_access_ldap" {
+  target = authentik_application.application_ldap.uuid
+  group  = authentik_group.ldapsearch.id
+  order  = 1
+}
+resource "authentik_policy_binding" "ldap_access_vynil" {
+  target = authentik_application.application_ldap.uuid
+  group  = data.authentik_group.vynil_admin.id
+  order  = 2
+}
+
+
+resource "kubectl_manifest" "ldap" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body     = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${local.app_slug}-ldapsearch"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.ldap_labels)}
+    data:
+        LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "LDAP_ADMIN_PASS"
+        length: "32"
+  EOF
+}
+
+data "kubernetes_secret_v1" "ldap_password" {
+  depends_on = [kubectl_manifest.ldap]
+  metadata {
+    name      = kubectl_manifest.ldap.name
+    namespace = var.namespace
+  }
+}
+
+resource "authentik_user" "ldapsearch" {
+  username = "${local.app_slug}-ldapsearch"
+  name     = "${local.app_slug}-ldapsearch"
+}
+
+resource "authentik_group" "ldapsearch" {
+  name  = "${local.app_slug}-ldapsearch"
+  users = [authentik_user.ldapsearch.id]
+}
+
+
+data "http" "ldapsearch_password" {
+  url             = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
+  method          = "POST"
+  request_headers = var.request_headers
+  request_body = jsonencode({
+    password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
+  })
+  lifecycle {
+    postcondition {
+      condition     = contains([201, 204], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+data "authentik_flow" "ldap_authentication_flow" {
+  slug = "ldap-authentication-flow"
+}
+
+resource "authentik_provider_ldap" "provider_ldap" {
+  name         = "${local.app_slug}-ldap"
+  base_dn      = local.base_dn
+  search_group = authentik_group.ldapsearch.id
+  bind_flow    = data.authentik_flow.ldap_authentication_flow.id
+}
+
+data "http" "get_ldap_outpost" {
+  depends_on      = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
+  url             = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
+  method          = "GET"
+  request_headers = var.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+resource "restapi_object" "ldap_outpost_binding" {
+  path = "/outposts/instances/${local.ldap_outpost_pk}/"
+  data = jsonencode({
+    name      = "ldap"
+    providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
+  })
+}

ldap/outputs.tf

@@ -0,0 +1,23 @@
+output "provider_id" {
+  value = authentik_provider_ldap.provider_ldap.id
+}
+
+output "ldap_address" {
+  value = "ak-outpost-ldap.${var.domain}-auth.svc"
+}
+
+output "ldap_search_account" {
+  value = "${local.app_slug}-ldapsearch"
+}
+
+output "base_dn" {
+  value = local.base_dn
+}
+
+output "base_group_dn" {
+  value = local.base_group_dn
+}
+
+output "base_user_dn" {
+  value = local.base_user_dn
+}

ldap/providers.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.3.0"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "~> 1.18.0"
+    }
+  }
+}

ldap/variables.tf

@@ -0,0 +1,25 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "domain" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "dns_name" {
+  type = string
+}
+variable "request_headers" {
+  type = map(string)
+}
+variable "user_groups" {
+  type    = map(string)
+  default = {}
+}

mongo/mongo.tf

@@ -0,0 +1,126 @@
+locals {
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  mongo_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "mongo"
+  })
+  db_name        = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
+  username       = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
+  mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
+}
+resource "kubectl_manifest" "mongo_secret" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body     = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${local.app_slug}-mongo"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.mongo_labels)}
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "password"
+        length: "16"
+  EOF
+}
+data "kubernetes_secret_v1" "mongo_secret" {
+  depends_on = [kubectl_manifest.mongo_secret]
+  metadata {
+    name      = "${local.app_slug}-mongo"
+    namespace = var.namespace
+  }
+}
+resource "kubectl_manifest" "mongo" {
+  yaml_body = <<-EOF
+    apiVersion: mongodbcommunity.mongodb.com/v1
+    kind: MongoDBCommunity
+    metadata:
+      name: "${local.app_slug}-mongo"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.mongo_labels)}
+    spec:
+      members: 1
+      type: ${var.mongo_type}
+      version: "${var.mongo_version}"
+      statefulSet:
+        spec:
+          template:
+            metadata:
+              annotations:
+                "k8up.io/backupcommand": "sh -c 'mongodump --username=$MONGODB_USER --password=$MONGODB_PASSWORD mongodb://localhost/$MONGODB_NAME --archive'"
+                "k8up.io/file-extension": ".archive"
+            spec:
+              containers:
+              - name: mongod
+                imagePullPolicy: "${var.pull_policy}"
+                resources: ${jsonencode(var.resources)}
+                env:
+                - name: MONGODB_NAME
+                  value: ${local.db_name}
+                - name: MONGODB_USER
+                  value: ${local.username}
+                - name: MONGODB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: "${local.app_slug}-mongo"
+                      key: password
+      security:
+        authentication:
+          modes: ["SCRAM"]
+      additionalMongodConfig:
+        storage.wiredTiger.engineConfig.cacheSizeGB: 1
+      users:
+      - name: ${local.username}
+        db: ${local.db_name}
+        passwordSecretRef:
+          name: "${local.app_slug}-mongo"
+        roles:
+        - db: ${local.db_name}
+          name: readWrite
+        scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
+  EOF
+}
+resource "kubectl_manifest" "mongo_sa" {
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: "${local.app_slug}-mongodb-database"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.mongo_labels)}
+  EOF
+}
+resource "kubectl_manifest" "mongo_role" {
+  yaml_body = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: "${local.app_slug}-mongodb-database"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.mongo_labels)}
+    rules:
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["get"]
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["patch", "delete", "get"]
+  EOF
+}
+resource "kubectl_manifest" "mongo_rb" {
+  yaml_body = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: "${local.app_slug}-mongodb-database"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.mongo_labels)}
+    subjects:
+    - kind: ServiceAccount
+      name: ${local.app_slug}-mongodb-database
+    roleRef:
+      kind: Role
+      name: ${local.app_slug}-mongodb-database
+      apiGroup: rbac.authorization.k8s.io
+  EOF
+}

mongo/outputs.tf

@@ -0,0 +1,21 @@
+output "url" {
+  value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
+}
+output "service" {
+  value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
+}
+output "password" {
+  value = local.mongo_password
+}
+output "username" {
+  value = local.username
+}
+output "db_name" {
+  value = local.db_name
+}
+output "secret" {
+  value = {
+    name = "${local.app_slug}-mongo"
+    key  = "password"
+  }
+}

mongo/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}

mongo/variables.tf

@@ -0,0 +1,55 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "db_name" {
+  type    = string
+  default = ""
+}
+variable "username" {
+  type    = string
+  default = ""
+}
+variable "mongo_version" {
+  type    = string
+  default = "6.0.13"
+}
+variable "mongo_type" {
+  type    = string
+  default = "ReplicaSet"
+}
+variable "pull_policy" {
+  type    = string
+  default = "IfNotPresent"
+}
+variable "resources" {
+  type = object({
+    limits = optional(object({
+      cpu    = string
+      memory = string
+    }))
+    requests = optional(object({
+      cpu    = string
+      memory = string
+    }))
+  })
+  default = {
+    limits = {
+      cpu    = "1"
+      memory = "1100M"
+    }
+    requests = {
+      cpu    = "0.3"
+      memory = "400M"
+    }
+  }
+
+}

mysql/mysql.tf

@@ -1,17 +1,21 @@
 locals {
-  mysql_host     = "${var.instance}-${var.component}-db.${var.namespace}.svc"
-  mysql_username = data.kubernetes_secret_v1.prj_mysql_secret.data["rootUser"]
-  mysql_password = data.kubernetes_secret_v1.prj_mysql_secret.data["rootPassword"]
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  mysql_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "mysql"
+  })
+  mysql_host     = "${local.app_slug}-mysql.${var.namespace}.svc"
+  mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
+  mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]
 }
 
-resource "kubectl_manifest" "prj_mysql_secret" {
+resource "kubectl_manifest" "mysql_secret" {
   yaml_body = <<-EOF
     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
     kind: "StringSecret"
     metadata:
-      name: "${var.instance}-${var.component}-db"
+      name: "${local.app_slug}-mysql"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.mysql_labels)}
     spec:
       forceRegenerate: false
       data:
@@ -27,19 +31,26 @@ resource "kubectl_manifest" "prj_mysql_secret" {
   EOF
 }
 
-resource "kubectl_manifest" "prj_mysql" {
-  depends_on = [kubectl_manifest.prj_mysql_secret]
-  yaml_body  = <<-EOF
+data "kubernetes_secret_v1" "mysql_secret" {
+  depends_on = [kubectl_manifest.mysql_secret]
+  metadata {
+    name      = "${local.app_slug}-mysql"
+    namespace = var.namespace
+    labels    = local.mysql_labels
+  }
+}
+
+resource "kubectl_manifest" "mysql" {
+  yaml_body = <<-EOF
     apiVersion: mysql.oracle.com/v2
     kind: InnoDBCluster
     metadata:
-      name: "${var.instance}-${var.component}-db"
+      name: "${local.app_slug}-mysql"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.mysql_labels)}
     spec:
-      secretName: ${kubectl_manifest.prj_mysql_secret.name}
+      secretName: ${data.kubernetes_secret_v1.mysql_secret.metadata[0].name}
       tlsUseSelfSigned: true
-      # tlsSecretName: "${var.instance}-db-cert"
       instances: 1
       router:
         instances: 1
@@ -55,38 +66,29 @@ resource "kubectl_manifest" "prj_mysql" {
 }
 
 resource "time_sleep" "wait_mysql_ready" {
-  depends_on      = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql]
+  depends_on      = [kubectl_manifest.mysql]
   create_duration = "45s"
 }
 
-data "kubernetes_secret_v1" "prj_mysql_secret" {
-  depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
-  metadata {
-    name      = "${var.instance}-${var.component}-db"
-    namespace = var.namespace
-  }
-}
-
 resource "mysql_database" "app" {
-  depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
-  name       = var.database
+  depends_on = [
+    kubectl_manifest.mysql,
+    time_sleep.wait_mysql_ready
+  ]
+  name = var.database
 }
 
 resource "mysql_user" "app_user" {
-  depends_on         = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
-  host               = data.kubernetes_secret_v1.prj_mysql_secret.data["userHost"]
-  user               = data.kubernetes_secret_v1.prj_mysql_secret.data["username"]
-  plaintext_password = data.kubernetes_secret_v1.prj_mysql_secret.data["password"]
+  depends_on = [
+    time_sleep.wait_mysql_ready,
+    mysql_database.app,
+  ]
+  host               = data.kubernetes_secret_v1.mysql_secret.data["userHost"]
+  user               = data.kubernetes_secret_v1.mysql_secret.data["username"]
+  plaintext_password = data.kubernetes_secret_v1.mysql_secret.data["password"]
 }
 
 resource "mysql_grant" "app_user_grant" {
-  depends_on = [
-    kubectl_manifest.prj_mysql_secret,
-    kubectl_manifest.prj_mysql,
-    time_sleep.wait_mysql_ready,
-    mysql_database.app,
-    mysql_user.app_user
-  ]
   user       = mysql_user.app_user.user
   host       = mysql_user.app_user.host
   database   = mysql_database.app.name

mysql/outpost.tf

@@ -0,0 +1,15 @@
+output "conn_string" {
+  value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
+}
+
+output "service" {
+  value = "${local.app_slug}-mysql.${var.namespace}.svc"
+}
+
+output "host" {
+  value = "${local.app_slug}-mysql"
+}
+
+output "secret_name" {
+  value = "${local.app_slug}-db"
+}

mysql/providers.tf

@@ -1,12 +1,12 @@
 terraform {
   required_providers {
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
     mysql = {
-      source = "TakatoHano/mysql"
+      source  = "TakatoHano/mysql"
       version = "1.2.1"
     }
   }
-}
+}

oauth2/oauth2.tf

@@ -1,12 +1,18 @@
-resource "kubectl_manifest" "oauth2-secret" {
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  oauth2_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-oauth2"
+  })
+}
+resource "kubectl_manifest" "oauth2_secret" {
   ignore_fields = ["metadata.annotations"]
   yaml_body     = <<-EOF
     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
     kind: "StringSecret"
     metadata:
-      name: "${var.component}-${var.instance}-id"
+      name: "${local.app_slug}-id"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.oauth2_labels)}
     spec:
       forceRegenerate: false
       fields:
@@ -14,11 +20,12 @@ resource "kubectl_manifest" "oauth2-secret" {
         length: "32"
   EOF
 }
-data "kubernetes_secret_v1" "oauth2-client-id" {
-  depends_on = [kubectl_manifest.oauth2-secret]
+data "kubernetes_secret_v1" "oauth2_client_id" {
+  depends_on = [kubectl_manifest.oauth2_secret]
   metadata {
-    name      = kubectl_manifest.oauth2-secret.name
+    name      = kubectl_manifest.oauth2_secret.name
     namespace = var.namespace
+    labels    = local.oauth2_labels
   }
 }
 
@@ -33,18 +40,18 @@ data "authentik_scope_mapping" "oauth2" {
     "goauthentik.io/providers/oauth2/scope-profile"
   ]
 }
-data "authentik_flow" "default-authorization-flow" {
+data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
-data "authentik_flow" "default-authentication-flow" {
+data "authentik_flow" "default_authentication_flow" {
   slug = "default-authentication-flow"
 }
 
 resource "authentik_provider_oauth2" "oauth2" {
-  name                = "${var.component}-${var.instance}"
-  client_id           = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
-  authentication_flow = data.authentik_flow.default-authentication-flow.id
-  authorization_flow  = data.authentik_flow.default-authorization-flow.id
+  name                = local.app_slug
+  client_id           = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
+  authentication_flow = data.authentik_flow.default_authentication_flow.id
+  authorization_flow  = data.authentik_flow.default_authorization_flow.id
   client_type         = "confidential"
   sub_mode            = "user_username"
   signing_key         = data.authentik_certificate_key_pair.ca.id
@@ -54,17 +61,25 @@ resource "authentik_provider_oauth2" "oauth2" {
   ]
 }
 
-resource "kubernetes_secret_v1" "oauth2-client-secret" {
+resource "kubernetes_secret_v1" "oauth2_client_secret" {
   metadata {
-    name      = "${var.component}-${var.instance}-secret"
+    name      = "${local.app_slug}-secret"
     namespace = var.namespace
-    labels    = var.labels
+    labels    = local.oauth2_labels
   }
   data = {
     client-secret = authentik_provider_oauth2.oauth2.client_secret
   }
 }
 
+data "kubernetes_secret_v1" "oauth2_client_secret" {
+  depends_on = [kubernetes_secret_v1.oauth2_client_secret]
+  metadata {
+    name      = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
+    namespace = var.namespace
+  }
+}
+
 data "kubernetes_ingress_v1" "authentik" {
   metadata {
     name      = "authentik"

oauth2/outputs.tf

@@ -1,7 +1,38 @@
-output "provider-id" {
+output "provider_id" {
   value = authentik_provider_oauth2.oauth2.id
 }
 
-output "sso_configuration_url" {
-  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}"
+output "sso_signout_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/"
+}
+output "sso_configuration_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
+}
+output "sso_userinfo_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/"
+}
+output "sso_authorize_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
+}
+output "sso_token_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
+}
+output "client_id" {
+  value = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
+}
+output "client_secret" {
+  value = data.kubernetes_secret_v1.oauth2_client_secret.data["client-secret"]
+}
+
+output "secret_client_id_name" {
+  value = kubectl_manifest.oauth2_secret.name
+}
+output "secret_client_secret_name" {
+  value = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
+}
+output "secret_client_id_key" {
+  value = "client-id"
+}
+output "secret_client_secret_key" {
+  value = "client-secret"
 }

oauth2/providers.tf

@@ -2,16 +2,16 @@
 terraform {
   required_providers {
     kubernetes = {
-        source = "hashicorp/kubernetes"
-        version = "~> 2.20.0"
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
     }
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
     authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
     }
   }
 }

postgresql/outputs.tf

@@ -0,0 +1,23 @@
+output "conn_string" {
+  value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
+}
+
+output "service" {
+  value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
+}
+
+output "db_host" {
+  value = "${local.app_slug}-pg-rw"
+}
+
+output "db_name" {
+  value = var.component
+}
+
+output "db_port" {
+  value = "5432"
+}
+
+output "secret_name" {
+  value = "${local.app_slug}-pg-app"
+}

postgresql/postgresql.tf

@@ -0,0 +1,95 @@
+locals {
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  pg_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "pg"
+  })
+  pool_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "pg-pool"
+  })
+}
+
+resource "kubectl_manifest" "pg" {
+  yaml_body  = join("", concat([<<-EOF
+    apiVersion: postgresql.cnpg.io/v1
+    kind: Cluster
+    metadata:
+      name: "${local.app_slug}-pg"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.pg_labels)}
+      annotations:
+        "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
+        "k8up.io/file-extension": ".sql"
+    spec:
+      instances: ${var.replicas}
+      imageName: "${var.images.postgresql.registry}/${var.images.postgresql.repository}:${var.images.postgresql.tag}"
+      storage:
+        size: "${var.storage.size}"
+      bootstrap:
+        initdb:
+          database: "${var.component}"
+          owner: "${var.component}"
+      monitoring:
+        enablePodMonitor: true
+  EOF
+  ], var.backups.enable&&var.backups.use_barman?[<<-EOF
+      backup:
+        barmanObjectStore:
+          destinationPath: "s3://${local.app_slug}-${var.namespace}/"
+          endpointURL: "${var.backups.endpoint}/barman"
+          s3Credentials:
+            accessKeyId:
+              name: "${var.backups.secret_name}"
+              key: "${var.backups.key_id_key}"
+            secretAccessKey:
+              name: "${var.backups.secret_name}"
+              key: "${var.backups.secret_key}"
+  EOF
+  ]:[""]))
+}
+
+resource "kubectl_manifest" "pg_backup" {
+  count = var.backups.enable ? 1:0
+  yaml_body  = <<-EOF
+    apiVersion: postgresql.cnpg.io/v1
+    kind: ScheduledBackup
+    metadata:
+      name: "${local.app_slug}-pg"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.pg_labels)}
+    spec:
+      schedule: "${var.backups.schedule.db}"
+      backupOwnerReference: self
+      cluster:
+        name: "${local.app_slug}-pg"
+  EOF
+}
+
+resource "kubectl_manifest" "pg_pool" {
+  depends_on = [kubectl_manifest.pg]
+  yaml_body  = <<-EOF
+    apiVersion: postgresql.cnpg.io/v1
+    kind: Pooler
+    metadata:
+      name: "${local.app_slug}-pool"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.pool_labels)}
+    spec:
+      cluster:
+        name: "${local.app_slug}-pg"
+      instances: 1
+      type: rw
+      pgbouncer:
+        poolMode: session
+        parameters:
+          max_client_conn: "1000"
+          default_pool_size: "10"
+  EOF
+}
+
+data "kubernetes_secret_v1" "credentials" {
+  depends_on = [ kubectl_manifest.pg ]
+  metadata {
+    name = "${local.app_slug}-pg-app"
+    namespace = var.namespace
+  }
+}

postgresql/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}

postgresql/variables.tf

@@ -0,0 +1,63 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+
+variable "backups" {
+  default = {
+    "enable"     = false
+    "endpoint"   = ""
+    "key_id_key" = "s3-id"
+    "restic_key" = "bck-password"
+    "schedule" = {
+      "db" = "30 3 * * *"
+    }
+    "secret_key"  = "s3-secret"
+    "secret_name" = "backup-settings"
+    "use_barman"  = false
+  }
+  type = object({
+    enable     = optional(bool),
+    endpoint   = optional(string),
+    key_id_key = optional(string),
+    restic_key = optional(string),
+    schedule = optional(object({
+      db = optional(string),
+    })),
+    secret_key  = optional(string),
+    secret_name = optional(string),
+    use_barman  = optional(bool)
+  })
+}
+variable "images" {
+  type = object({
+    postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
+  })
+  default = {
+    "postgresql" = {
+      "registry"   = "ghcr.io"
+      "repository" = "cloudnative-pg/postgresql"
+      "tag"        = 15.3
+    }
+  }
+}
+variable "replicas" {
+  type    = number
+  default = 1
+}
+variable "storage" {
+  type = object({
+    size = optional(string)
+  })
+  default = {
+    "size" = "5Gi"
+  }
+}

pvc/outputs.tf

@@ -0,0 +1,3 @@
+output "name" {
+  value = local.app_slug
+}

pvc/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}

pvc/pvc.tf

@@ -0,0 +1,30 @@
+locals {
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  pvc_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "pvc"
+  })
+  pvc_spec = merge({
+    "accessModes" = [var.storage.access_mode]
+    "volumeMode"  = var.storage.type
+    "resources" = {
+      "requests" = {
+        "storage" = "${var.storage.size}"
+      }
+    }
+    }, var.storage.class != "" ? {
+    "storageClassName" = var.storage.class
+  } : {})
+}
+resource "kubectl_manifest" "pvc" {
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: ${local.app_slug}
+      namespace: "${var.namespace}"
+      annotations:
+        k8up.io/backup: "${var.backup}"
+      labels: ${jsonencode(local.pvc_labels)}
+    spec: ${jsonencode(local.pvc_spec)}
+  EOF
+}

pvc/variables.tf

@@ -0,0 +1,31 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "storage" {
+  type = object({
+    access_mode = optional(string),
+    class      = optional(string),
+    size       = optional(string),
+    type       = optional(string)
+  })
+  default = {
+    "access_mode" = "ReadWriteOnce"
+    "class"      = ""
+    "size"       = "10Gi"
+    "type"       = "Filesystem"
+  }
+}
+
+variable "backup" {
+  type = bool
+  default = true
+}

redis/outputs.tf

@@ -0,0 +1,15 @@
+output "conn_string" {
+  value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
+}
+
+output "service" {
+  value = "${local.app_slug}-redis.${var.namespace}.svc"
+}
+
+output "db_host" {
+  value = "${local.app_slug}-redis"
+}
+
+output "secret_name" {
+  value = lookup(var.password, "name", "")
+}

redis/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}

redis/redis.tf

@@ -0,0 +1,41 @@
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  redis_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "redis"
+  })
+  cfg = merge({
+    "image"           = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
+    "imagePullPolicy" = "${var.images.redis.pull_policy}"
+    }, lookup(var.password, "enabled", false) ? {
+    redisSecret = {
+      name = lookup(var.password, "name", var.component)
+      key  = lookup(var.password, "key", "redis-password")
+    }
+  } : {})
+}
+
+resource "kubectl_manifest" "redis" {
+  yaml_body = <<-EOF
+    apiVersion: "redis.redis.opstreelabs.in/v1beta1"
+    kind: "Redis"
+    metadata:
+      name: "${local.app_slug}-redis"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.redis_labels)}
+    spec:
+      kubernetesConfig: ${jsonencode(local.cfg)}
+      storage:
+        volumeClaimTemplate:
+          spec:
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: "${var.storage.size}"
+      redisExporter:
+        enabled: ${var.exporter.enabled}
+        image: "${var.images.redis_exporter.registry}/${var.images.redis_exporter.repository}:${var.images.redis_exporter.tag}"
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 1000
+  EOF
+}

redis/variables.tf

@@ -0,0 +1,65 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "annotations" {
+  type    = map(string)
+  default = {}
+}
+
+variable "images" {
+  type = object({
+    redis          = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
+    redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
+  })
+  default = {
+    "redis" = {
+      "pull_policy" = "IfNotPresent"
+      "registry"    = "quay.io"
+      "repository"  = "opstree/redis"
+      "tag"         = "v7.0.12"
+    }
+    "redis_exporter" = {
+      "pull_policy" = "IfNotPresent"
+      "registry"    = "quay.io"
+      "repository"  = "opstree/redis-exporter"
+      "tag"         = "v1.44.0"
+    }
+  }
+}
+variable "exporter" {
+  type = object({
+    enabled = optional(bool)
+  })
+  default = {
+    "enabled" = true
+  }
+}
+variable "password" {
+  type = object({
+    enabled = optional(bool),
+    name    = optional(string),
+    key     = optional(string)
+  })
+  default = {
+    "enabled" = false
+    "name"    = ""
+    "key"     = ""
+  }
+}
+variable "storage" {
+  type = object({
+    size = optional(string)
+  })
+  default = {
+    "size" = "2Gi"
+  }
+}

saml/outputs.tf

@@ -1,3 +1,3 @@
 output "provider-id" {
-  value       = authentik_provider_saml.prj.id
-}
+  value = authentik_provider_saml.prj.id
+}

saml/providers.tf

@@ -1,12 +1,12 @@
 terraform {
   required_providers {
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
     authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
     }
   }
 }

saml/saml.tf

@@ -1,19 +1,25 @@
-data "authentik_flow" "default-authorization-flow" {
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  saml_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-saml"
+  })
+}
+data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
-data "authentik_flow" "default-authentication-flow" {
+data "authentik_flow" "default_authentication_flow" {
   slug = "default-authentication-flow"
 }
 
 data "authentik_property_mapping_saml" "saml_maps" {
   managed_list = [
-      "goauthentik.io/providers/saml/email",
-      "goauthentik.io/providers/saml/groups",
-      "goauthentik.io/providers/saml/name",
-      "goauthentik.io/providers/saml/upn",
-      "goauthentik.io/providers/saml/uid",
-      "goauthentik.io/providers/saml/username",
-      "goauthentik.io/providers/saml/ms-windowsaccountname",
+    "goauthentik.io/providers/saml/email",
+    "goauthentik.io/providers/saml/groups",
+    "goauthentik.io/providers/saml/name",
+    "goauthentik.io/providers/saml/upn",
+    "goauthentik.io/providers/saml/uid",
+    "goauthentik.io/providers/saml/username",
+    "goauthentik.io/providers/saml/ms-windowsaccountname",
   ]
 }
 
@@ -26,27 +32,27 @@ data "authentik_certificate_key_pair" "generated" {
 }
 
 resource "kubectl_manifest" "saml_certificate" {
-  yaml_body  = <<-EOF
+  yaml_body = <<-EOF
     apiVersion: "cert-manager.io/v1"
     kind: "Certificate"
     metadata:
-      name: "${var.instance}-${var.component}-saml"
+      name: "${local.app_slug}-saml"
       namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+      labels: ${jsonencode(local.saml_labels)}
     spec:
-        secretName: "${var.instance}-${var.component}-saml"
+        secretName: "${local.app_slug}-saml"
         dnsNames: ${jsonencode(var.dns_names)}
         issuerRef:
-          name: "self-sign"
+          name: "${var.issuer}"
           kind: "ClusterIssuer"
           group: "cert-manager.io"
   EOF
 }
 
 resource "authentik_provider_saml" "prj" {
-  name                = "${var.component}-${var.instance}-saml"
-  authentication_flow = data.authentik_flow.default-authentication-flow.id
-  authorization_flow  = data.authentik_flow.default-authorization-flow.id
+  name                = "${local.app_slug}-saml"
+  authentication_flow = data.authentik_flow.default_authentication_flow.id
+  authorization_flow  = data.authentik_flow.default_authorization_flow.id
   acs_url             = "https://${var.dns_names[0]}/${var.acs_path}"
   property_mappings   = data.authentik_property_mapping_saml.saml_maps.ids
   name_id_mapping     = data.authentik_property_mapping_saml.saml_name.id

saml/variables.tf

@@ -1,19 +1,22 @@
 variable "component" {
-  type        = string
+  type = string
 }
 variable "instance" {
-  type        = string
+  type = string
+}
+variable "issuer" {
+  type = string
 }
 variable "dns_names" {
-  type        = list(string)
+  type = list(string)
 }
 variable "acs_path" {
-  type        = string
+  type = string
 }
 variable "binding" {
-  type        = string
-  default     = "post"
+  type    = string
+  default = "post"
 }
 variable "labels" {
-  type        = map(string)
+  type = map(string)
 }

service/outputs.tf

@@ -0,0 +1,11 @@
+output "name" {
+  value = local.app_slug
+}
+output "default_definition" {
+  value = {
+    "name" = "${local.app_slug}"
+    "port" = {
+      "number" = var.ports[0]
+    }
+  }
+}

service/providers.tf

@@ -1,8 +1,8 @@
 terraform {
   required_providers {
     kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
     }
   }
 }

service/svc.tf

@@ -1,29 +1,61 @@
 locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
   cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
     "name"       = target
     "port"       = var.ports[idx]
     "protocol"   = var.protocols[idx]
     "targetPort" = target
   }] : []
+  ext_ports = var.svc_type == "ExternalName" ? [for idx, target in var.targets : {
+    "name"       = target
+    "port"       = var.ports[idx]
+    "protocol"   = var.protocols[idx]
+    "targetPort" = var.ports[idx]
+  }] : []
+  lb_ports = var.svc_type == "LoadBalancer" ? [for port in var.lb_ports : {
+    "port"       = port.port.number
+    "name"       = port.name
+    "targetPort" = port.port.number
+  }] : []
   node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
     "port"       = port
     "targetPort" = port
     "nodePort"   = var.node_ports[idx]
   }] : []
+  metadata = merge(
+    {
+      "name"      = local.app_slug
+      "namespace" = var.namespace
+      "labels"    = var.labels
+    },
+    length(var.annotations) > 0 ? {
+      "annotations" = var.annotations
+    } : {}
+  )
   spec = {
     "ClusterIP" = {
-      type     = "ClusterIP"
-      ports    = local.cluster_ports
-      selector = var.labels
+      type           = "ClusterIP"
+      ports          = local.cluster_ports
+      selector       = var.labels
+      ipFamilyPolicy = var.ip_family
     },
     "ExternalName" = {
-      type         = "ExternalName"
-      externalName = var.target_host
+      type           = "ExternalName"
+      externalName   = var.target_host
+      ports          = local.ext_ports
     },
     "NodePort" = {
-      type     = "NodePort"
-      selector = var.labels
-      ports    = local.node_ports
+      type           = "NodePort"
+      selector       = var.labels
+      ports          = local.node_ports
+      ipFamilyPolicy = var.ip_family
+    },
+    "LoadBalancer" = {
+      type                  = "LoadBalancer"
+      selector              = var.labels
+      ports                 = local.lb_ports
+      externalTrafficPolicy = var.lb_policy
+      ipFamilyPolicy        = var.ip_family
     }
   }
 }
@@ -31,10 +63,22 @@ resource "kubectl_manifest" "service" {
   yaml_body = <<-EOF
     apiVersion: v1
     kind: Service
-    metadata:
-      name: "${var.instance}-${var.component}"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(var.labels)}
+    metadata: ${jsonencode(local.metadata)}
     spec: ${jsonencode(local.spec[var.svc_type])}
   EOF
 }
+resource "kubectl_manifest" "endpoint" {
+  count     = var.svc_type == "ExternalName" ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: Endpoints
+    metadata:
+      name: "${local.app_slug}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    subsets:
+      - addresses:
+          - ip: ${var.target_host}
+        ports:  ${jsonencode([for port in var.ports : { "port" = port }])}
+  EOF
+}

service/variables.tf

@@ -10,14 +10,28 @@ variable "namespace" {
 variable "labels" {
   type = map(string)
 }
+variable "annotations" {
+  type    = map(string)
+  default = {}
+}
 variable "svc_type" {
   type    = string
   default = "ClusterIP"
   validation {
-    condition     = contains(["ClusterIP", "ExternalName", "NodePort"], var.svc_type)
-    error_message = "Only ClusterIP or ExternalName is allowed"
+    condition     = contains(["ClusterIP", "ExternalName", "NodePort", "LoadBalancer"], var.svc_type)
+    error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
   }
 }
+
+variable "ip_family" {
+  type    = string
+  default = "PreferDualStack"
+  validation {
+    condition     = contains(["SingleStack", "PreferDualStack"], var.ip_family)
+    error_message = "Only SingleStack or PreferDualStack is allowed"
+  }
+}
+
 variable "ports" {
   type    = list(number)
   default = [80]
@@ -46,3 +60,20 @@ variable "node_ports" {
     error_message = "The range of valid ports is 30000-32767"
   }
 }
+variable "lb_ports" {
+  type = list(object({
+    name = string
+    port = object({
+      number = number
+    })
+  }))
+  default = []
+}
+variable "lb_policy" {
+  type    = string
+  default = "Cluster"
+  validation {
+    condition     = contains(["Cluster", "Local"], var.lb_policy)
+    error_message = "Only Cluster or Local is allowed"
+  }
+}