vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:feature/refacto_underscore
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:main
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

3 Commits
feature/re ... main

Author SHA1 Message Date
Sébastien Huss
8e883d012e No more sercretString dans oauth2 2024-05-24 14:28:12 +02:00
Sébastien Huss
1c42b356c1 Add selector(optional) to service 2024-05-17 16:05:20 +02:00
Sébastien Huss
6ea3cfc0bf fix redirect url 2024-05-17 12:11:06 +02:00
9 changed files with 97 additions and 37 deletions
Expand all files Collapse all files

5
application/application.tf
View File

@@ -7,13 +7,14 @@ data "authentik_group" "akadmin" {
} }
resource "authentik_group" "groups" { resource "authentik_group" "groups" {
name = local.main_group name = local.main_group
attributes = jsonencode({ "${local.app_name}" = true }) attributes = jsonencode({ "${local.app_name}" = var.attributes })
} }
resource "authentik_group" "subgroup" { resource "authentik_group" "subgroup" {
count = length(var.sub_groups) count = length(var.sub_groups)
name = format("%s-%s", local.main_group, var.sub_groups[count.index]) name = format("%s-%s", local.main_group, var.sub_groups[count.index])
parent = authentik_group.groups.id parent = authentik_group.groups.id
attributes = length(var.sub_groups_attributes)>count.index?jsonencode({ "${local.app_name}" = var.sub_groups_attributes[count.index] }):jsonencode({ "${local.app_name}" = var.attributes })
} }
resource "authentik_application" "prj_app" { resource "authentik_application" "prj_app" {
@@ -30,7 +31,7 @@ resource "authentik_policy_expression" "policy" {
name = local.main_group name = local.main_group
expression = <<-EOF expression = <<-EOF
attr = request.user.group_attributes() attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False return True if '${local.app_name}' in attr else False
EOF EOF
} }

6
application/variables.tf
View File

@@ -26,3 +26,9 @@ variable "backchannel_providers" {
type = list(number) type = list(number)
default = null default = null
} }
variable "attributes" {
default = {enable = true}
}
variable "sub_groups_attributes" {
default = []
}

42
oauth2/oauth2.tf
View File

@@ -4,29 +4,9 @@ locals {
"app.kubernetes.io/component" = "authentik-oauth2" "app.kubernetes.io/component" = "authentik-oauth2"
}) })
} }
resource "kubectl_manifest" "oauth2-secret" { resource "random_password" "client_id" {
ignore_fields = ["metadata.annotations"] length = 32
yaml_body = <<-EOF special = false
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
labels = local.oauth2_labels
}
} }
data "authentik_certificate_key_pair" "ca" { data "authentik_certificate_key_pair" "ca" {
@@ -49,7 +29,7 @@ data "authentik_flow" "default-authentication-flow" {
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
name = "${local.app_slug}" name = "${local.app_slug}"
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] client_id = random_password.client_id.result
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id
client_type = "confidential" client_type = "confidential"
@@ -57,10 +37,21 @@ resource "authentik_provider_oauth2" "oauth2" {
signing_key = data.authentik_certificate_key_pair.ca.id signing_key = data.authentik_certificate_key_pair.ca.id
property_mappings = data.authentik_scope_mapping.oauth2.ids property_mappings = data.authentik_scope_mapping.oauth2.ids
redirect_uris = [ redirect_uris = [
"https://${var.dns_name}/${var.redirect_path}" "https://${var.redirect_path!=""?"${var.dns_name}/${var.redirect_path}":"${var.dns_name}"}"
] ]
} }
resource "kubernetes_secret_v1" "oauth2-client-id" {
metadata {
name = "${local.app_slug}-id"
namespace = var.namespace
labels = local.oauth2_labels
}
data = {
client-id = random_password.client_id.result
}
}
resource "kubernetes_secret_v1" "oauth2-client-secret" { resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata { metadata {
name = "${local.app_slug}-secret" name = "${local.app_slug}-secret"
@@ -68,6 +59,7 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
labels = local.oauth2_labels labels = local.oauth2_labels
} }
data = { data = {
client-id = random_password.client_id.result
client-secret = authentik_provider_oauth2.oauth2.client_secret client-secret = authentik_provider_oauth2.oauth2.client_secret
} }
} }

6
oauth2/outputs.tf
View File

@@ -18,14 +18,14 @@ output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
} }
output "client_id" { output "client_id" {
value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] value = random_password.client_id.result
} }
output "client_secret" { output "client_secret" {
value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"] value = authentik_provider_oauth2.oauth2.client_secret
} }
output "secret_client_id_name" { output "secret_client_id_name" {
value = kubectl_manifest.oauth2-secret.name value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
} }
output "secret_client_secret_name" { output "secret_client_secret_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name

26
saml/outputs.tf
View File

@@ -1,3 +1,27 @@
output "app_id" {
value = "${local.app_slug}-saml"
}
output "provider-id" { output "provider-id" {
value = authentik_provider_saml.prj.id value = authentik_provider_saml.prj.id
} }
output "issuer" {
value = authentik_provider_saml.prj.issuer
}
output "url_slo_post" {
value = authentik_provider_saml.prj.url_slo_post
}
output "url_slo_redirect" {
value = authentik_provider_saml.prj.url_slo_redirect
}
output "url_sso_init" {
value = authentik_provider_saml.prj.url_sso_init
}
output "url_sso_post" {
value = authentik_provider_saml.prj.url_sso_post
}
output "url_sso_redirect" {
value = authentik_provider_saml.prj.url_sso_redirect
}
output "certificate_data" {
value = data.authentik_certificate_key_pair.generated.certificate_data
}

23
saml/saml.tf
View File

@@ -1,6 +1,6 @@
locals{ locals{
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
saml_labels = merge(var.labels, { saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml" "app.kubernetes.io/component" = "authentik-saml"
}) })
} }
@@ -12,7 +12,7 @@ data "authentik_flow" "default-authentication-flow" {
} }
data "authentik_property_mapping_saml" "saml_maps" { data "authentik_property_mapping_saml" "saml_maps" {
managed_list = [ managed_list = var.group_mapping==null?[
"goauthentik.io/providers/saml/email", "goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/groups", "goauthentik.io/providers/saml/groups",
"goauthentik.io/providers/saml/name", "goauthentik.io/providers/saml/name",
@@ -20,9 +20,24 @@ data "authentik_property_mapping_saml" "saml_maps" {
"goauthentik.io/providers/saml/uid", "goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username", "goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname", "goauthentik.io/providers/saml/ms-windowsaccountname",
]:[
"goauthentik.io/providers/saml/email",
"goauthentik.io/providers/saml/name",
"goauthentik.io/providers/saml/upn",
"goauthentik.io/providers/saml/uid",
"goauthentik.io/providers/saml/username",
"goauthentik.io/providers/saml/ms-windowsaccountname",
] ]
} }
resource "authentik_property_mapping_saml" "mapping" {
count = var.group_mapping==null?0:1
friendly_name = "groups"
name = "${local.app_slug} Group mapping"
saml_name = "http://schemas.xmlsoap.org/claims/Group"
expression = var.group_mapping
}
data "authentik_property_mapping_saml" "saml_name" { data "authentik_property_mapping_saml" "saml_name" {
managed = "goauthentik.io/providers/saml/username" managed = "goauthentik.io/providers/saml/username"
} }
@@ -54,9 +69,11 @@ resource "authentik_provider_saml" "prj" {
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default-authorization-flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}" acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids property_mappings = var.group_mapping==null?data.authentik_property_mapping_saml.saml_maps.ids:concat(data.authentik_property_mapping_saml.saml_maps.ids,[authentik_property_mapping_saml.mapping[0].id])
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
signing_kp = data.authentik_certificate_key_pair.generated.id signing_kp = data.authentik_certificate_key_pair.generated.id
sp_binding = var.binding sp_binding = var.binding
audience = var.audience
issuer = var.saml_issuer
} }

15
saml/variables.tf
View File

@@ -17,6 +17,21 @@ variable "binding" {
type = string type = string
default = "post" default = "post"
} }
variable "namespace" {
type = string
}
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "group_mapping" {
type = string
default = null
}
variable "audience" {
type = string
default = null
}
variable "saml_issuer" {
type = string
default = null
}

7
service/svc.tf
View File

@@ -1,4 +1,5 @@
locals { locals {
selector = var.selector==null?var.labels:var.selector
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : { cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
"name" = target "name" = target
@@ -35,7 +36,7 @@ locals {
"ClusterIP" = { "ClusterIP" = {
type = "ClusterIP" type = "ClusterIP"
ports = local.cluster_ports ports = local.cluster_ports
selector = var.labels selector = local.selector
}, },
"ExternalName" = { "ExternalName" = {
type = "ExternalName" type = "ExternalName"
@@ -44,12 +45,12 @@ locals {
}, },
"NodePort" = { "NodePort" = {
type = "NodePort" type = "NodePort"
selector = var.labels selector = local.selector
ports = local.node_ports ports = local.node_ports
}, },
"LoadBalancer" = { "LoadBalancer" = {
type = "LoadBalancer" type = "LoadBalancer"
selector = var.labels selector = local.selector
ports = local.lb_ports ports = local.lb_ports
externalTrafficPolicy = var.lb_policy externalTrafficPolicy = var.lb_policy
} }

4
service/variables.tf
View File

@@ -10,6 +10,10 @@ variable "namespace" {
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "selector" {
type = map(string)
default = null
}
variable "annotations" { variable "annotations" {
type = map(string) type = map(string)
default = {} default = {}