vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:feature/service_improvement
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:feature/forward
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

2 Commits
feature/se ... feature/fo

Author SHA1 Message Date
Xavier Mortelette
1df9904e1c WIP 2024-10-05 16:12:13 +02:00
Xavier Mortelette
2eafb09fa6 Refacto forward 2024-09-29 23:42:40 +02:00
3 changed files with 75 additions and 12 deletions
Expand all files Collapse all files

78
forward/forward.tf
View File

@@ -3,9 +3,10 @@ locals {
forward_labels = merge(var.labels, { forward_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-forward" "app.kubernetes.io/component" = "authentik-forward"
}) })
external_url = format("https://%s", var.dns_name) external_url = format("https://%s", var.dns_name)
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers forward_outpost_results = jsondecode(data.http.proxy_outpost.response_body).results
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk forward_outpost_providers = local.forward_outpost_results[0].providers
forward_outpost_pk = local.forward_outpost_results[0].pk
} }
data "authentik_flow" "default_authorization_flow" { data "authentik_flow" "default_authorization_flow" {
@@ -20,9 +21,9 @@ resource "authentik_provider_proxy" "forward" {
access_token_validity = var.access_token_validity access_token_validity = var.access_token_validity
} }
data "http" "get_forward_outpost" { data "http" "proxy_outpost" {
depends_on = [authentik_provider_proxy.forward] depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = var.request_headers
lifecycle { lifecycle {
@@ -33,6 +34,66 @@ data "http" "get_forward_outpost" {
} }
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
## Begin modification
data "kubernetes_secret_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
resource "authentik_service_connection_kubernetes" "local" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
depends_on = [data.kubernetes_secret_v1.authentik]
name = "${var.domain}-local-forward"
local = true
}
# data "authentik_flow" "default_authorization_flow" {
# count = length(local.forward_outpost_results) == 0 ? 1 : 0
# depends_on = [authentik_service_connection_kubernetes.local]
# slug = "default-provider-authorization-implicit-consent"
# }
resource "authentik_provider_proxy" "provider_forward" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
name = "authentik-${var.domain}-forward-provider"
internal_host = "http://authentik-authentik"
external_host = "http://authentik-authentik"
authorization_flow = data.authentik_flow.default_authorization_flow.id
}
resource "authentik_outpost" "output_forward" {
# count = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
name = "forward"
type = "proxy"
service_connection = authentik_service_connection_kubernetes.local.id
config = jsonencode({
"log_level" : "info",
"authentik_host" : "http://authentik",
"docker_map_ports" : true,
"kubernetes_replicas" : 1,
"kubernetes_namespace" : var.namespace,
"authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
"object_naming_template" : "ak-outpost-%(name)s",
"authentik_host_insecure" : false,
"kubernetes_service_type" : "ClusterIP",
"kubernetes_image_pull_secrets" : [],
"kubernetes_disabled_components" : [],
"kubernetes_ingress_annotations" : {},
"kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
})
protocol_providers = local.forward_outpost_providers
}
## End modification
resource "restapi_object" "forward_outpost_binding" { resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/" path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({ data = jsonencode({
@@ -67,10 +128,3 @@ resource "kubectl_manifest" "middleware" {
- X-authentik-meta-version - X-authentik-meta-version
EOF EOF
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

5
forward/providers.tf
View File

@@ -1,5 +1,10 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"

4
forward/variables.tf
View File

@@ -30,3 +30,7 @@ variable "access_token_validity" {
variable "request_headers" { variable "request_headers" {
type = map(string) type = map(string)
} }
variable "ingress_certificat_secret_name" {
type = string
}