WIP

Refacto forward
Refacto Saml
2024-10-05 16:12:13 +02:00 · 2024-09-29 23:42:40 +02:00 · 2024-09-22 21:29:45 +02:00 · 2024-08-26 21:13:24 +02:00 · 2024-05-21 09:42:56 +02:00 · 2024-05-21 09:30:23 +02:00
53 changed files with 1153 additions and 517 deletions
--- a/.ci-img.yml
+++ b/.ci-img.yml
@@ -0,0 +1,5 @@
+---
+lint:
+  image: ghcr.io/terraform-linters/tflint
+opentofu:
+  image: ghcr.io/opentofu/opentofu:latest
--- a/application/application.tf
+++ b/application/application.tf
@@ -1,7 +1,45 @@
 locals {
-  app_name   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
-  main_group = format("app-%s", local.app_name)
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  application_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-application"
+  })
+  app_name    = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
+  main_group  = format("app-%s", local.app_slug)
+  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
+  dns_name    = var.dns_name != "" ? var.dns_name : var.rule_mapper.host
+  url_icon    = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", local.dns_name, var.icon)
+  backend     = var.rule_mapper.paths[0].backend
+  rules_icons = [{
+    "host" = local.dns_name
+    "http" = {
+      "paths" = [{
+        "path"     = "/${var.icon}"
+        "pathType" = "Prefix"
+        "backend"  = local.backend
+      }]
+    }
+  }]
 }
+
+resource "kubectl_manifest" "ingress_icon" {
+  count           = startswith(var.icon, "fa-") ? 0 : 1
+  force_conflicts = true
+  yaml_body       = <<-EOF
+    apiVersion: "networking.k8s.io/v1"
+    kind: "Ingress"
+    metadata:
+      name: "${local.app_slug}-icons"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.application_labels)}
+    spec:
+      ingressClassName: "${var.ingress_class}"
+      rules: ${jsonencode(local.rules_icons)}
+      tls:
+      - secretName: "${local.secret_name}"
+        hosts: ${jsonencode([local.dns_name])}
+  EOF
+}
+
 data "authentik_group" "akadmin" {
  name = "authentik Admins"
 }
@@ -16,31 +54,31 @@ resource "authentik_group" "subgroup" {
  parent = authentik_group.groups.id
 }

-resource "authentik_application" "prj_app" {
-  name                  = var.instance
-  slug                  = "${var.component}-${var.instance}"
+resource "authentik_application" "app" {
+  name                  = var.app_name
+  slug                  = local.app_slug
  group                 = var.app_group
  protocol_provider     = var.protocol_provider
  backchannel_providers = var.backchannel_providers
-  meta_launch_url       = format("https://%s", var.dns_name)
-  meta_icon             = format("https://%s/%s", var.dns_name, var.icon)
+  meta_launch_url       = format("https://%s", local.dns_name)
+  meta_icon             = local.url_icon
 }

 resource "authentik_policy_expression" "policy" {
-  name       = local.main_group
+  name       = "${local.app_slug}-${local.main_group}"
  expression = <<-EOF
    attr = request.user.group_attributes()
    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
  EOF
 }

-resource "authentik_policy_binding" "prj_access_users" {
-  target = authentik_application.prj_app.uuid
+resource "authentik_policy_binding" "access_users" {
+  target = authentik_application.app.uuid
  policy = authentik_policy_expression.policy.id
  order  = 0
 }
-resource "authentik_policy_binding" "prj_access_vynil" {
-  target = authentik_application.prj_app.uuid
+resource "authentik_policy_binding" "access_vynil" {
+  target = authentik_application.app.uuid
  group  = data.authentik_group.akadmin.id
  order  = 1
 }
--- a/application/outputs.tf
+++ b/application/outputs.tf
@@ -1,10 +1,15 @@
-output "application-id" {
-  value = authentik_application.prj_app.uuid
+output "application_id" {
+  value = authentik_application.app.uuid
 }

-output "policy-id" {
+output "policy_id" {
  value = authentik_policy_expression.policy.id
 }
+
 output "main_group" {
  value = local.main_group
-}
+}
+
+output "main_group_id" {
+  value = authentik_group.groups.id
+}
--- a/application/providers.tf
+++ b/application/providers.tf
@@ -1,5 +1,9 @@
 terraform {
  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
    authentik = {
      source  = "goauthentik/authentik"
      version = "~> 2023.5.0"
--- a/application/variables.tf
+++ b/application/variables.tf
@@ -15,7 +15,13 @@ variable "protocol_provider" {
  default = null
 }
 variable "dns_name" {
-  type = string
+  type        = string
+  description = "Deprecated, use rule_mapper"
+  default = ""
+}
+variable "app_name" {
+  type    = string
+  default = ""
 }
 variable "sub_groups" {
  type    = list(string)
@@ -26,3 +32,46 @@ variable "backchannel_providers" {
  type    = list(number)
  default = null
 }
+
+variable "ingress_class" {
+  type    = string
+  default = "traefik"
+}
+
+variable "rule_mapper" {
+  type = object({
+    host = string
+    paths = list(object({
+      path = optional(string)
+      type = optional(string)
+      backend = object({
+        service = object({
+          name = string
+          port = object({
+            name = string
+          })
+        })
+      })
+    }))
+  })
+  default = {
+    host  = "not.defined"
+    paths = []
+  }
+}
+
+variable "cert_name" {
+  type        = string
+  default     = ""
+  description = "Give a secret name for tls, if empty will use the ingress cert_name"
+}
+
+variable "namespace" {
+  type    = string
+  default = ""
+}
+
+variable "labels" {
+  type    = map(string)
+  default = {}
+}
--- a/backup/backup.tf
+++ b/backup/backup.tf
@@ -1,16 +1,15 @@
 locals {
-  app_slug   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
 }

 resource "kubectl_manifest" "backup_schedule" {
-  count = var.backups.enable ? 1 : 0
-  yaml_body  = <<-EOF
+  yaml_body = <<-EOF
    apiVersion: k8up.io/v1
    kind: Schedule
    metadata:
-      name: "${var.app_slug}-backup"
+      name: "${local.app_slug}-backup"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.labels)}
+      labels: ${jsonencode(var.labels)}
    spec:
      backend:
        repoPasswordSecretRef:
@@ -20,11 +19,11 @@ resource "kubectl_manifest" "backup_schedule" {
          accessKeyIDSecretRef:
            key: "${var.backups.key_id_key}"
            name: "${var.backups.secret_name}"
-          bucket: "${var.app_slug}-${var.namespace}"
+          bucket: "${local.app_slug}-${var.namespace}"
          endpoint: "${var.backups.endpoint}/restic"
          secretAccessKeySecretRef:
            key: "${var.backups.secret_key}"
-            name: "${var.backups.secret-name}"
+            name: "${var.backups.secret_name}"
      backup:
        schedule: "${var.backups.schedule.backup}"
        failedJobsHistoryLimit: 2
@@ -33,10 +32,10 @@ resource "kubectl_manifest" "backup_schedule" {
        schedule: "${var.backups.schedule.check}"
      prune:
        retention:
-          keepDaily: ${var.backups.retention.keepDaily}
-          keepMonthly: ${var.backups.retention.keepMonthly}
-          keepWeekly: ${var.backups.retention.keepWeekly}
-          keepYearly: ${var.backups.retention.keepYearly}
+          keepDaily: ${var.backups.retention.keep_daily}
+          keepMonthly: ${var.backups.retention.keep_monthly}
+          keepWeekly: ${var.backups.retention.keep_weekly}
+          keepYearly: ${var.backups.retention.keep_yearly}
        schedule: "${var.backups.schedule.prune}"
  EOF
 }
--- a/backup/providers.tf
+++ b/backup/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/backup/variables.tf
+++ b/backup/variables.tf
@@ -11,45 +11,45 @@ variable "labels" {
  type = map(string)
 }
 variable "backups" {
-  default     = {
-    "enable" = false
-    "endpoint" = ""
+  default = {
+    "enable"     = false
+    "endpoint"   = ""
    "key_id_key" = "s3-id"
    "restic_key" = "bck-password"
    "retention" = {
-      "keepDaily" = 14
-      "keepMonthly" = 12
-      "keepWeekly" = 6
-      "keepYearly" = 12
+      "keep_daily"   = 14
+      "keep_monthly" = 12
+      "keep_weekly"  = 6
+      "keep_yearly"  = 12
    }
    "schedule" = {
      "backup" = "30 3 * * *"
-      "check" = "30 5 * * 1"
-      "db" = "30 3 * * *"
-      "prune" = "30 1 * * 0"
+      "check"  = "30 5 * * 1"
+      "db"     = "30 3 * * *"
+      "prune"  = "30 1 * * 0"
    }
-    "secret_key" = "s3-secret"
+    "secret_key"  = "s3-secret"
    "secret_name" = "backup-settings"
-    "use_barman" = false
+    "use_barman"  = false
  }
-  type        = object({
-    enable = optional(bool),
-    endpoint = optional(string),
+  type = object({
+    enable     = optional(bool),
+    endpoint   = optional(string),
    key_id_key = optional(string),
    restic_key = optional(string),
    retention = optional(object({
-      keepDaily = optional(number),
-      keepMonthly = optional(number),
-      keepWeekly = optional(number),
-      keepYearly = optional(number)
+      keep_daily   = optional(number),
+      keep_monthly = optional(number),
+      keep_weekly  = optional(number),
+      keep_yearly  = optional(number)
    })),
    schedule = optional(object({
      backup = optional(string),
-      check = optional(string),
-      prune = optional(string)
+      check  = optional(string),
+      prune  = optional(string)
    })),
-    secret_key = optional(string),
+    secret_key  = optional(string),
    secret_name = optional(string),
-    use_barman = optional(bool)
+    use_barman  = optional(bool)
  })
-}
+}
--- a/forward/forward.tf
+++ b/forward/forward.tf
@@ -1,59 +1,29 @@
 locals {
-  forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
-  forward_outpost_pk        = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
-  app_slug                  = "${var.instance}${var.component==""?"":"-"}${var.component}"
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  forward_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-forward"
  })
-  main_group                = format("app-%s", var.app_name)
-  external_url              = format("https://%s", var.dns_names[0])
-  rules_icons = [for v in var.dns_names : {
-    "host" = "${v}"
-    "http" = {
-      "paths" = [{
-        "backend" = {
-          "service" = var.service
-        }
-        "path"     = "/${var.icon}"
-        "pathType" = "Prefix"
-      }]
-    }
-  }]
+  external_url              = format("https://%s", var.dns_name)
+  forward_outpost_results   = jsondecode(data.http.proxy_outpost.response_body).results
+  forward_outpost_providers = local.forward_outpost_results[0].providers
+  forward_outpost_pk        = local.forward_outpost_results[0].pk
 }

-resource "kubectl_manifest" "prj_ingress_icon" {
-  force_conflicts = true
-  yaml_body       = <<-EOF
-    apiVersion: "networking.k8s.io/v1"
-    kind: "Ingress"
-    metadata:
-      name: "${local.app_slug}-icons"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.forward_labels)}
-    spec:
-      ingressClassName: "${var.ingress_class}"
-      rules: ${jsonencode(local.rules_icons)}
-      tls:
-      - hosts: ${jsonencode(var.dns_names)}
-        secretName: "${var.instance}-cert"
-  EOF
-}
-
-data "authentik_flow" "default-authorization-flow" {
+data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
 }

-resource "authentik_provider_proxy" "prj_forward" {
+resource "authentik_provider_proxy" "forward" {
  name                  = local.app_slug
  external_host         = local.external_url
-  authorization_flow    = data.authentik_flow.default-authorization-flow.id
+  authorization_flow    = data.authentik_flow.default_authorization_flow.id
  mode                  = "forward_single"
  access_token_validity = var.access_token_validity
 }

-data "http" "get_forward_outpost" {
-  depends_on      = [authentik_provider_proxy.prj_forward]
-  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
+data "http" "proxy_outpost" {
+  depends_on      = [authentik_provider_proxy.forward]
+  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
  method          = "GET"
  request_headers = var.request_headers
  lifecycle {
@@ -64,15 +34,75 @@ data "http" "get_forward_outpost" {
  }
 }

+data "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+## Begin modification
+data "kubernetes_secret_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
+
+resource "authentik_service_connection_kubernetes" "local" {
+  # count      = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
+  depends_on = [data.kubernetes_secret_v1.authentik]
+  name       = "${var.domain}-local-forward"
+  local      = true
+}
+
+# data "authentik_flow" "default_authorization_flow" {
+#   count      = length(local.forward_outpost_results) == 0 ? 1 : 0
+#   depends_on = [authentik_service_connection_kubernetes.local]
+#   slug       = "default-provider-authorization-implicit-consent"
+# }
+
+resource "authentik_provider_proxy" "provider_forward" {
+  # count              = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
+  name               = "authentik-${var.domain}-forward-provider"
+  internal_host      = "http://authentik-authentik"
+  external_host      = "http://authentik-authentik"
+  authorization_flow = data.authentik_flow.default_authorization_flow.id
+}
+
+resource "authentik_outpost" "output_forward" {
+  # count              = length(jsondecode(data.http.proxy_outpost.response_body).results) == 0 ? 1 : 0
+  name               = "forward"
+  type               = "proxy"
+  service_connection = authentik_service_connection_kubernetes.local.id
+  config = jsonencode({
+    "log_level" : "info",
+    "authentik_host" : "http://authentik",
+    "docker_map_ports" : true,
+    "kubernetes_replicas" : 1,
+    "kubernetes_namespace" : var.namespace,
+    "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
+    "object_naming_template" : "ak-outpost-%(name)s",
+    "authentik_host_insecure" : false,
+    "kubernetes_service_type" : "ClusterIP",
+    "kubernetes_image_pull_secrets" : [],
+    "kubernetes_disabled_components" : [],
+    "kubernetes_ingress_annotations" : {},
+    "kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
+  })
+  protocol_providers = local.forward_outpost_providers
+}
+## End modification
+
 resource "restapi_object" "forward_outpost_binding" {
  path = "/outposts/instances/${local.forward_outpost_pk}/"
  data = jsonencode({
    name      = "forward"
-    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id])
+    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
  })
 }

-resource "kubectl_manifest" "prj_middleware" {
+resource "kubectl_manifest" "middleware" {
  yaml_body = <<-EOF
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
@@ -98,10 +128,3 @@ resource "kubectl_manifest" "prj_middleware" {
        - X-authentik-meta-version
  EOF
 }
-
-data "kubernetes_ingress_v1" "authentik" {
-  metadata {
-    name      = "authentik"
-    namespace = "${var.domain}-auth"
-  }
-}
--- a/forward/outputs.tf
+++ b/forward/outputs.tf
@@ -1,5 +1,5 @@
-output "provider-id" {
-  value       = authentik_provider_proxy.prj_forward.id
+output "provider_id" {
+  value = authentik_provider_proxy.forward.id
 }

 output "sso_logout" {
@@ -8,4 +8,4 @@ output "sso_logout" {

 output "middleware" {
  value = "${local.app_slug}-forward"
-}
+}
--- a/forward/providers.tf
+++ b/forward/providers.tf
@@ -1,20 +1,25 @@
 terraform {
+  required_version = ">= 1.0"
  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
    authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
    }
    http = {
-       source = "hashicorp/http"
-       version = "~> 3.3.0"
+      source  = "hashicorp/http"
+      version = "~> 3.3.0"
    }
    restapi = {
-       source = "Mastercard/restapi"
-       version = "~> 1.18.0"
+      source  = "Mastercard/restapi"
+      version = "~> 1.18.0"
    }
  }
 }
--- a/forward/variables.tf
+++ b/forward/variables.tf
@@ -6,10 +6,6 @@ variable "instance" {
  type = string
 }

-variable "icon" {
-  type = string
-}
-
 variable "domain" {
  type = string
 }
@@ -18,16 +14,12 @@ variable "namespace" {
  type = string
 }

-variable "ingress_class" {
-  type = string
-}
-
 variable "labels" {
  type = map(string)
 }

-variable "dns_names" {
-  type = list(string)
+variable "dns_name" {
+  type = string
 }

 variable "access_token_validity" {
@@ -35,14 +27,10 @@ variable "access_token_validity" {
  default = "hours=10" // ;minutes=10
 }

-variable "app_name" {
-  type = string
-  default = ""
-}
-
-variable "service" {
-}
-
 variable "request_headers" {
  type = map(string)
 }
+
+variable "ingress_certificat_secret_name" {
+  type = string
+}
--- a/ingress/ingress.tf
+++ b/ingress/ingress.tf
@@ -1,25 +1,25 @@

 locals {
-  app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  pres_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "presentation"
  })
-  rules = [for v in var.dns_names : {
-    "host" = "${v}"
+  rules = [for rule in var.rules_mapper : {
+    "host" = rule.host
    "http" = {
-      "paths" = [for idx, svc in var.services : {
-        "path"     = "/${var.sub_paths[idx]}"
-        "pathType" = "Prefix"
-        "backend" = {
-          "service" = svc
-        }
+      "paths" = [for mapper in rule.paths : {
+        "path"     = "/${mapper.path}"
+        "pathType" = mapper.type != null && mapper.type != "" ? mapper.type : "Prefix"
+        "backend"  = mapper.backend
      }]
    }
  }]
-  tls = var.enforce_tls ? [
+  dns_names   = [for rule in var.rules_mapper : rule.host]
+  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
+  tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
    {
-      secretName = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
-      hosts      = var.dns_names
+      secretName = local.secret_name
+      hosts      = local.dns_names
    }
  ] : []
  middlewares = concat(
@@ -31,13 +31,13 @@ locals {
      "traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint
    } : {},
    length(local.middlewares) > 0 ? {
-      "traefik.ingress.kubernetes.io/router.middlewares" : "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}"
+      "traefik.ingress.kubernetes.io/router.middlewares" : join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])
    } : {},
  )
 }

-resource "kubectl_manifest" "prj_certificate" {
-  count     = var.create_cert ? 1 : 0
+resource "kubectl_manifest" "certificate" {
+  count     = var.cert_name == "" ? 1 : 0
  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Certificate"
@@ -46,8 +46,8 @@ resource "kubectl_manifest" "prj_certificate" {
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.pres_labels)}
    spec:
-        secretName: "${local.app_slug}-cert"
-        dnsNames: ${jsonencode(var.dns_names)}
+        secretName: "${local.secret_name}"
+        dnsNames: ${jsonencode(local.dns_names)}
        issuerRef:
          kind: "ClusterIssuer"
          name: "${var.issuer}"
@@ -55,8 +55,8 @@ resource "kubectl_manifest" "prj_certificate" {
  EOF
 }

-resource "kubectl_manifest" "prj_https_redirect" {
-  count     = var.create_redirect || var.component == "" ? 1 : 0
+resource "kubectl_manifest" "https_redirect" {
+  count     = var.create_redirect ? 1 : 0
  yaml_body = <<-EOF
    apiVersion: "traefik.io/v1alpha1"
    kind: "Middleware"
@@ -71,7 +71,7 @@ resource "kubectl_manifest" "prj_https_redirect" {
  EOF
 }

-resource "kubectl_manifest" "prj_ingress" {
+resource "kubectl_manifest" "ingress" {
  force_conflicts = true
  yaml_body       = <<-EOF
    apiVersion: "networking.k8s.io/v1"
--- a/ingress/outputs.tf
+++ b/ingress/outputs.tf
@@ -1,3 +1,3 @@
 output "secret_name" {
-  value = var.create_cert ? "${local.app_slug}-cert":""
+  value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
 }
--- a/ingress/providers.tf
+++ b/ingress/providers.tf
@@ -2,8 +2,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/ingress/variables.tf
+++ b/ingress/variables.tf
@@ -17,42 +17,48 @@ variable "ingress_class" {
 variable "labels" {
  type = map(string)
 }
-variable "dns_names" {
-  type = list(string)
-}
 variable "middlewares" {
  type    = list(string)
  default = []
 }
-variable "services" {
-  type = list(any)
+
+variable "rules_mapper" {
+  type = list(object({
+    host = string
+    paths = list(object({
+      path = optional(string)
+      type = optional(string)
+      backend = object({
+        service = object({
+          name = string
+          port = object({
+            name = string
+          })
+        })
+      })
+    }))
+  }))
+  description = "Simplified rules mapper for ingress"
 }

-variable "create_redirect" {
-  type    = bool
-  default = true
-}
-variable "create_cert" {
-  type    = bool
-  default = true
-}
-variable "enforce_tls" {
-  type    = bool
-  default = true
-}
-variable "sub_paths" {
-  type    = list(string)
-  default = [""]
-}
-variable "cert_name" {
-  type    = string
-  default = ""
-}
 variable "entrypoint" {
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
+  description = "Define ingres support, if empty or define to websecure, tls will be activate"
  validation {
    condition     = contains(["", "web", "websecure"], var.entrypoint)
    error_message = "Only empty \"\", web or websecure is allowed"
  }
 }
+
+variable "cert_name" {
+  type        = string
+  default     = ""
+  description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
+}
+
+variable "create_redirect" {
+  type        = bool
+  default     = true
+  description = "Enfore https redirection"
+}
--- a/ldap/ldap.tf
+++ b/ldap/ldap.tf
@@ -0,0 +1,157 @@
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  ldap_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "authentik-ldap"
+  })
+  base_dn                = format("dc=%s", join(",dc=", split(".", var.dns_name)))
+  base_group_dn          = format("ou=groups,%s", local.base_dn)
+  base_user_dn           = format("ou=users,%s", local.base_dn)
+  authentik_base_url     = "http://authentik.${var.domain}-auth.svc"
+  ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
+  ldap_outpost_pk        = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
+
+  app_name   = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  main_group = format("app-%s", local.app_name)
+  sorted_group_names = reverse(distinct(sort([
+    for grp in var.user_groups : grp.name
+  ])))
+  sorted_groups = flatten([
+    for name in local.sorted_group_names : [
+      for grp in var.user_groups :
+      grp if grp.name == name
+    ]
+  ])
+}
+
+data "authentik_group" "vynil_admin" {
+  name = "vynil-ldap-admins"
+}
+
+resource "authentik_group" "groups" {
+  count      = length(local.sorted_groups)
+  name       = local.sorted_groups[count.index].name
+  attributes = jsonencode({ local.app_name = true })
+}
+
+data "authentik_group" "readed_groups" {
+  depends_on = [authentik_group.groups]
+  count      = length(local.sorted_groups)
+  name       = local.sorted_groups[count.index].name
+}
+
+resource "authentik_application" "application_ldap" {
+  name              = local.app_slug
+  slug              = "${local.app_slug}-ldap"
+  protocol_provider = authentik_provider_ldap.provider_ldap.id
+  meta_launch_url   = "blank://blank"
+}
+
+resource "authentik_policy_expression" "policy" {
+  name       = local.main_group
+  expression = <<-EOF
+    attr = request.user.group_attributes()
+    return attr['${local.app_name}'] if '${local.app_name}' in attr else False
+  EOF
+}
+
+resource "authentik_policy_binding" "ldap_access_users" {
+  target = authentik_application.application_ldap.uuid
+  policy = authentik_policy_expression.policy.id
+  order  = 0
+}
+resource "authentik_policy_binding" "ldap_access_ldap" {
+  target = authentik_application.application_ldap.uuid
+  group  = authentik_group.ldapsearch.id
+  order  = 1
+}
+resource "authentik_policy_binding" "ldap_access_vynil" {
+  target = authentik_application.application_ldap.uuid
+  group  = data.authentik_group.vynil_admin.id
+  order  = 2
+}
+
+
+resource "kubectl_manifest" "ldap" {
+  ignore_fields = ["metadata.annotations"]
+  yaml_body     = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${local.app_slug}-ldapsearch"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.ldap_labels)}
+    data:
+        LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
+    spec:
+      forceRegenerate: false
+      fields:
+      - fieldName: "LDAP_ADMIN_PASS"
+        length: "32"
+  EOF
+}
+
+data "kubernetes_secret_v1" "ldap_password" {
+  depends_on = [kubectl_manifest.ldap]
+  metadata {
+    name      = kubectl_manifest.ldap.name
+    namespace = var.namespace
+  }
+}
+
+resource "authentik_user" "ldapsearch" {
+  username = "${local.app_slug}-ldapsearch"
+  name     = "${local.app_slug}-ldapsearch"
+}
+
+resource "authentik_group" "ldapsearch" {
+  name  = "${local.app_slug}-ldapsearch"
+  users = [authentik_user.ldapsearch.id]
+}
+
+
+data "http" "ldapsearch_password" {
+  url             = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
+  method          = "POST"
+  request_headers = var.request_headers
+  request_body = jsonencode({
+    password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
+  })
+  lifecycle {
+    postcondition {
+      condition     = contains([201, 204], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+data "authentik_flow" "ldap_authentication_flow" {
+  slug = "ldap-authentication-flow"
+}
+
+resource "authentik_provider_ldap" "provider_ldap" {
+  name         = "${local.app_slug}-ldap"
+  base_dn      = local.base_dn
+  search_group = authentik_group.ldapsearch.id
+  bind_flow    = data.authentik_flow.ldap_authentication_flow.id
+}
+
+data "http" "get_ldap_outpost" {
+  depends_on      = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
+  url             = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
+  method          = "GET"
+  request_headers = var.request_headers
+  lifecycle {
+    postcondition {
+      condition     = contains([200], self.status_code)
+      error_message = "Status code invalid"
+    }
+  }
+}
+
+resource "restapi_object" "ldap_outpost_binding" {
+  path = "/outposts/instances/${local.ldap_outpost_pk}/"
+  data = jsonencode({
+    name      = "ldap"
+    providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
+  })
+}
--- a/ldap/outputs.tf
+++ b/ldap/outputs.tf
@@ -0,0 +1,23 @@
+output "provider_id" {
+  value = authentik_provider_ldap.provider_ldap.id
+}
+
+output "ldap_address" {
+  value = "ak-outpost-ldap.${var.domain}-auth.svc"
+}
+
+output "ldap_search_account" {
+  value = "${local.app_slug}-ldapsearch"
+}
+
+output "base_dn" {
+  value = local.base_dn
+}
+
+output "base_group_dn" {
+  value = local.base_group_dn
+}
+
+output "base_user_dn" {
+  value = local.base_user_dn
+}
--- a/ldap/providers.tf
+++ b/ldap/providers.tf
@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.3.0"
+    }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "~> 1.18.0"
+    }
+  }
+}
--- a/ldap/variables.tf
+++ b/ldap/variables.tf
@@ -0,0 +1,25 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "domain" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "dns_name" {
+  type = string
+}
+variable "request_headers" {
+  type = map(string)
+}
+variable "user_groups" {
+  type    = map(string)
+  default = {}
+}
--- a/mongo/mongo.tf
+++ b/mongo/mongo.tf
@@ -1,21 +1,21 @@
 locals {
-  app_slug   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
-  mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"]
-  username = var.username==""?var.component==""?var.instance:var.component:var.username
-  db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
-  mongo-labels = merge(var.labels, {
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  mongo_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "mongo"
  })
+  db_name        = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
+  username       = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
+  mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
 }
-resource "kubectl_manifest" "prj_mongo_secret" {
+resource "kubectl_manifest" "mongo_secret" {
  ignore_fields = ["metadata.annotations"]
-  yaml_body  = <<-EOF
+  yaml_body     = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${local.app_slug}-mongo"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.mongo-labels)}
+      labels: ${jsonencode(local.mongo_labels)}
    spec:
      forceRegenerate: false
      fields:
@@ -23,21 +23,21 @@ resource "kubectl_manifest" "prj_mongo_secret" {
        length: "16"
  EOF
 }
-data "kubernetes_secret_v1" "prj_mongo_secret" {
-  depends_on = [ kubectl_manifest.prj_mongo_secret ]
+data "kubernetes_secret_v1" "mongo_secret" {
+  depends_on = [kubectl_manifest.mongo_secret]
  metadata {
-    name = "${local.app_slug}-mongo"
+    name      = "${local.app_slug}-mongo"
    namespace = var.namespace
  }
 }
-resource "kubectl_manifest" "prj_mongo" {
-  yaml_body  = <<-EOF
+resource "kubectl_manifest" "mongo" {
+  yaml_body = <<-EOF
    apiVersion: mongodbcommunity.mongodb.com/v1
    kind: MongoDBCommunity
    metadata:
      name: "${local.app_slug}-mongo"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.mongo-labels)}
+      labels: ${jsonencode(local.mongo_labels)}
    spec:
      members: 1
      type: ${var.mongo_type}
@@ -52,7 +52,7 @@ resource "kubectl_manifest" "prj_mongo" {
            spec:
              containers:
              - name: mongod
-                imagePullPolicy: "${var.pullPolicy}"
+                imagePullPolicy: "${var.pull_policy}"
                resources: ${jsonencode(var.resources)}
                env:
                - name: MONGODB_NAME
@@ -80,24 +80,24 @@ resource "kubectl_manifest" "prj_mongo" {
        scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
  EOF
 }
-resource "kubectl_manifest" "prj_mongo_sa" {
-  yaml_body  = <<-EOF
+resource "kubectl_manifest" "mongo_sa" {
+  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
-      name: "mongodb-database"
+      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.mongo-labels)}
+      labels: ${jsonencode(local.mongo_labels)}
  EOF
 }
-resource "kubectl_manifest" "prj_mongo_role" {
-  yaml_body  = <<-EOF
+resource "kubectl_manifest" "mongo_role" {
+  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
-      name: "mongodb-database"
+      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.mongo-labels)}
+      labels: ${jsonencode(local.mongo_labels)}
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
@@ -107,20 +107,20 @@ resource "kubectl_manifest" "prj_mongo_role" {
      verbs: ["patch", "delete", "get"]
  EOF
 }
-resource "kubectl_manifest" "prj_mongo_rb" {
-  yaml_body  = <<-EOF
+resource "kubectl_manifest" "mongo_rb" {
+  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
-      name: "mongodb-database"
+      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.mongo-labels)}
+      labels: ${jsonencode(local.mongo_labels)}
    subjects:
    - kind: ServiceAccount
-      name: mongodb-database
+      name: ${local.app_slug}-mongodb-database
    roleRef:
      kind: Role
-      name: mongodb-database
+      name: ${local.app_slug}-mongodb-database
      apiGroup: rbac.authorization.k8s.io
  EOF
 }
--- a/mongo/outputs.tf
+++ b/mongo/outputs.tf
@@ -1,11 +1,11 @@
 output "url" {
-  value = "mongodb://${local.username}:${local.mongo-password}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
+  value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
 }
 output "service" {
  value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
 }
 output "password" {
-  value = local.mongo-password
+  value = local.mongo_password
 }
 output "username" {
  value = local.username
@@ -16,6 +16,6 @@ output "db_name" {
 output "secret" {
  value = {
    name = "${local.app_slug}-mongo"
-    key = "password"
+    key  = "password"
  }
 }
--- a/mongo/providers.tf
+++ b/mongo/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/mongo/variables.tf
+++ b/mongo/variables.tf
@@ -11,45 +11,45 @@ variable "labels" {
  type = map(string)
 }
 variable "db_name" {
-  type = string
+  type    = string
  default = ""
 }
 variable "username" {
-  type = string
+  type    = string
  default = ""
 }
 variable "mongo_version" {
-  type = string
+  type    = string
  default = "6.0.13"
 }
 variable "mongo_type" {
-  type = string
+  type    = string
  default = "ReplicaSet"
 }
-variable "pullPolicy" {
-  type = string
+variable "pull_policy" {
+  type    = string
  default = "IfNotPresent"
 }
 variable "resources" {
-  type        = object({
+  type = object({
    limits = optional(object({
-      cpu = string
+      cpu    = string
      memory = string
    }))
    requests = optional(object({
-      cpu = string
+      cpu    = string
      memory = string
    }))
  })
  default = {
    limits = {
-      cpu = "1"
+      cpu    = "1"
      memory = "1100M"
    }
    requests = {
-      cpu = "0.3"
+      cpu    = "0.3"
      memory = "400M"
    }
  }

-}
+}
--- a/mysql/mysql.tf
+++ b/mysql/mysql.tf
@@ -1,8 +1,8 @@
 locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  mysql_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "mysql"
  })
-  app_slug       = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  mysql_host     = "${local.app_slug}-mysql.${var.namespace}.svc"
  mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
  mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]
@@ -36,12 +36,12 @@ data "kubernetes_secret_v1" "mysql_secret" {
  metadata {
    name      = "${local.app_slug}-mysql"
    namespace = var.namespace
-    labels = local.mysql_labels
+    labels    = local.mysql_labels
  }
 }

 resource "kubectl_manifest" "mysql" {
-  yaml_body  = <<-EOF
+  yaml_body = <<-EOF
    apiVersion: mysql.oracle.com/v2
    kind: InnoDBCluster
    metadata:
@@ -66,7 +66,7 @@ resource "kubectl_manifest" "mysql" {
 }

 resource "time_sleep" "wait_mysql_ready" {
-  depends_on = [kubectl_manifest.mysql]
+  depends_on      = [kubectl_manifest.mysql]
  create_duration = "45s"
 }

--- a/mysql/outpost.tf
+++ b/mysql/outpost.tf
@@ -1,12 +1,15 @@
-output "dns_names" {
-  value = [
-    "${local.app_slug}-mysql",
-    "${local.app_slug}-mysql-instances"
-  ]
+output "conn_string" {
+  value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
 }
-output "mysql_host" {
-  value =" ${local.app_slug}-mysql"
+
+output "service" {
+  value = "${local.app_slug}-mysql.${var.namespace}.svc"
 }
+
+output "host" {
+  value = "${local.app_slug}-mysql"
+}
+
 output "secret_name" {
  value = "${local.app_slug}-db"
-}
+}
--- a/mysql/providers.tf
+++ b/mysql/providers.tf
@@ -1,12 +1,12 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
    mysql = {
-      source = "TakatoHano/mysql"
+      source  = "TakatoHano/mysql"
      version = "1.2.1"
    }
  }
-}
+}
--- a/oauth2/oauth2.tf
+++ b/oauth2/oauth2.tf
@@ -1,32 +1,13 @@
 locals {
-  app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  oauth2_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })
 }
-resource "kubectl_manifest" "oauth2-secret" {
-  ignore_fields = ["metadata.annotations"]
-  yaml_body     = <<-EOF
-    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
-    kind: "StringSecret"
-    metadata:
-      name: "${local.app_slug}-id"
-      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.oauth2_labels)}
-    spec:
-      forceRegenerate: false
-      fields:
-      - fieldName: "client-id"
-        length: "32"
-  EOF
-}
-data "kubernetes_secret_v1" "oauth2-client-id" {
-  depends_on = [kubectl_manifest.oauth2-secret]
-  metadata {
-    name      = kubectl_manifest.oauth2-secret.name
-    namespace = var.namespace
-    labels = local.oauth2_labels
-  }
+
+resource "random_password" "client_id" {
+  length  = 32
+  special = false
 }

 data "authentik_certificate_key_pair" "ca" {
@@ -40,49 +21,43 @@ data "authentik_scope_mapping" "oauth2" {
    "goauthentik.io/providers/oauth2/scope-profile"
  ]
 }
-data "authentik_flow" "default-authorization-flow" {
+data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
 }
-data "authentik_flow" "default-authentication-flow" {
+data "authentik_flow" "default_authentication_flow" {
  slug = "default-authentication-flow"
 }

 resource "authentik_provider_oauth2" "oauth2" {
-  name                = "${local.app_slug}"
-  client_id           = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
-  authentication_flow = data.authentik_flow.default-authentication-flow.id
-  authorization_flow  = data.authentik_flow.default-authorization-flow.id
+  name                = local.app_slug
+  client_id           = random_password.client_id.result
+  authentication_flow = data.authentik_flow.default_authentication_flow.id
+  authorization_flow  = data.authentik_flow.default_authorization_flow.id
  client_type         = "confidential"
  sub_mode            = "user_username"
  signing_key         = data.authentik_certificate_key_pair.ca.id
  property_mappings   = data.authentik_scope_mapping.oauth2.ids
  redirect_uris = [
-    "https://${var.redirect_path!=""?"${var.dns_name}/${var.redirect_path}":"${var.dns_name}"}"
+    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
  ]
 }

-resource "kubernetes_secret_v1" "oauth2-client-secret" {
-  metadata {
-    name      = "${local.app_slug}-secret"
-    namespace = var.namespace
-    labels    = local.oauth2_labels
-  }
-  data = {
-    client-secret = authentik_provider_oauth2.oauth2.client_secret
-  }
-}
-
-data "kubernetes_secret_v1" "oauth2-client-secret" {
-  depends_on = [kubernetes_secret_v1.oauth2-client-secret]
-  metadata {
-    name      = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
-    namespace = var.namespace
-  }
-}
-
 data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
 }
+
+resource "kubernetes_secret" "oauth2_client_secret" {
+  metadata {
+    name      = "${local.app_slug}-oauth2"
+    namespace = var.namespace
+    labels    = local.oauth2_labels
+  }
+  data = {
+    oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
+    client_id     = random_password.client_id.result
+    client_secret = authentik_provider_oauth2.oauth2.client_secret
+  }
+}
--- a/oauth2/outputs.tf
+++ b/oauth2/outputs.tf
@@ -1,38 +1,36 @@
-output "provider-id" {
+output "provider_id" {
  value = authentik_provider_oauth2.oauth2.id
 }

 output "sso_signout_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/"
 }
+
 output "sso_configuration_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
 }
+
 output "sso_userinfo_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/"
 }
+
 output "sso_authorize_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
 }
+
 output "sso_token_url" {
  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
 }
+
 output "client_id" {
-  value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
-}
-output "client_secret" {
-  value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
+  value = random_password.client_id.result
 }

-output "secret_client_id_name" {
-  value = kubectl_manifest.oauth2-secret.name
+output "client_secret" {
+  value = authentik_provider_oauth2.oauth2.client_secret
 }
-output "secret_client_secret_name" {
-  value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
-}
-output "secret_client_id_key" {
-  value = "client-id"
-}
-output "secret_client_secret_key" {
-  value = "client-secret"
+
+output "oauth2_secret_name" {
+  value = kubernetes_secret.oauth2_client_secret.metadata[0].name
 }
+
--- a/oauth2/providers.tf
+++ b/oauth2/providers.tf
@@ -2,16 +2,16 @@
 terraform {
  required_providers {
    kubernetes = {
-        source = "hashicorp/kubernetes"
-        version = "~> 2.20.0"
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
    }
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
    authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
    }
  }
 }
--- a/postgresql/outputs.tf
+++ b/postgresql/outputs.tf
@@ -1,3 +1,23 @@
-output "host" {
-  value = "${var.app_slug}-redis.${var.namespace}.svc"
+output "conn_string" {
+  value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
 }
+
+output "service" {
+  value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
+}
+
+output "db_host" {
+  value = "${local.app_slug}-pg-rw"
+}
+
+output "db_name" {
+  value = var.component
+}
+
+output "db_port" {
+  value = "5432"
+}
+
+output "secret_name" {
+  value = "${local.app_slug}-pg-app"
+}
--- a/postgresql/postgresql.tf
+++ b/postgresql/postgresql.tf
@@ -1,21 +1,21 @@
 locals {
-  app_slug   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
-  pg-labels = merge(local.labels, {
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  pg_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "pg"
  })
-  pool-labels = merge(local.labels, {
+  pool_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "pg-pool"
  })
 }

-resource "kubectl_manifest" "prj_pg" {
+resource "kubectl_manifest" "pg" {
  yaml_body  = join("", concat([<<-EOF
    apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
    metadata:
      name: "${local.app_slug}-pg"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.pg-labels)}
+      labels: ${jsonencode(local.pg_labels)}
      annotations:
        "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
        "k8up.io/file-extension": ".sql"
@@ -34,7 +34,7 @@ resource "kubectl_manifest" "prj_pg" {
  ], var.backups.enable&&var.backups.use_barman?[<<-EOF
      backup:
        barmanObjectStore:
-          destinationPath: "s3://${var.app_slug}-${var.namespace}/"
+          destinationPath: "s3://${local.app_slug}-${var.namespace}/"
          endpointURL: "${var.backups.endpoint}/barman"
          s3Credentials:
            accessKeyId:
@@ -47,7 +47,7 @@ resource "kubectl_manifest" "prj_pg" {
  ]:[""]))
 }

-resource "kubectl_manifest" "prj_pg_backup" {
+resource "kubectl_manifest" "pg_backup" {
  count = var.backups.enable ? 1:0
  yaml_body  = <<-EOF
    apiVersion: postgresql.cnpg.io/v1
@@ -55,7 +55,7 @@ resource "kubectl_manifest" "prj_pg_backup" {
    metadata:
      name: "${local.app_slug}-pg"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.pg-labels)}
+      labels: ${jsonencode(local.pg_labels)}
    spec:
      schedule: "${var.backups.schedule.db}"
      backupOwnerReference: self
@@ -64,15 +64,15 @@ resource "kubectl_manifest" "prj_pg_backup" {
  EOF
 }

-resource "kubectl_manifest" "prj_pg_pool" {
-  depends_on = [kubectl_manifest.prj_pg]
+resource "kubectl_manifest" "pg_pool" {
+  depends_on = [kubectl_manifest.pg]
  yaml_body  = <<-EOF
    apiVersion: postgresql.cnpg.io/v1
    kind: Pooler
    metadata:
      name: "${local.app_slug}-pool"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.pool-labels)}
+      labels: ${jsonencode(local.pool_labels)}
    spec:
      cluster:
        name: "${local.app_slug}-pg"
@@ -85,3 +85,11 @@ resource "kubectl_manifest" "prj_pg_pool" {
          default_pool_size: "10"
  EOF
 }
+
+data "kubernetes_secret_v1" "credentials" {
+  depends_on = [ kubectl_manifest.pg ]
+  metadata {
+    name = "${local.app_slug}-pg-app"
+    namespace = var.namespace
+  }
+}
--- a/postgresql/providers.tf
+++ b/postgresql/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/postgresql/variables.tf
+++ b/postgresql/variables.tf
@@ -12,52 +12,52 @@ variable "labels" {
 }

 variable "backups" {
-  default     = {
-    "enable" = false
-    "endpoint" = ""
+  default = {
+    "enable"     = false
+    "endpoint"   = ""
    "key_id_key" = "s3-id"
    "restic_key" = "bck-password"
    "schedule" = {
      "db" = "30 3 * * *"
    }
-    "secret_key" = "s3-secret"
+    "secret_key"  = "s3-secret"
    "secret_name" = "backup-settings"
-    "use_barman" = false
+    "use_barman"  = false
  }
-  type        = object({
-    enable = optional(bool),
-    endpoint = optional(string),
+  type = object({
+    enable     = optional(bool),
+    endpoint   = optional(string),
    key_id_key = optional(string),
    restic_key = optional(string),
    schedule = optional(object({
      db = optional(string),
    })),
-    secret_key = optional(string),
+    secret_key  = optional(string),
    secret_name = optional(string),
-    use_barman = optional(bool)
+    use_barman  = optional(bool)
  })
 }
 variable "images" {
-  type        = object({
-    postgresql = optional(object({registry = optional(string), repository = optional(string), tag = optional(number)})),
+  type = object({
+    postgresql = optional(object({ registry = optional(string), repository = optional(string), tag = optional(number) })),
  })
-  default     = {
+  default = {
    "postgresql" = {
-      "registry" = "ghcr.io"
+      "registry"   = "ghcr.io"
      "repository" = "cloudnative-pg/postgresql"
-      "tag" = 15.3
+      "tag"        = 15.3
    }
  }
 }
 variable "replicas" {
-  type        = number
-  default     = 1
+  type    = number
+  default = 1
 }
 variable "storage" {
-  type        = object({
+  type = object({
    size = optional(string)
  })
-  default     = {
+  default = {
    "size" = "5Gi"
  }
-}
+}
--- a/pvc/providers.tf
+++ b/pvc/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/pvc/pvc.tf
+++ b/pvc/pvc.tf
@@ -1,27 +1,32 @@
 locals {
-  app_slug   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
+  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  pvc_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "pvc"
+  })
  pvc_spec = merge({
-    "accessModes" = [var.storage.accessMode]
-    "volumeMode" = var.storage.type
+    "accessModes" = [var.storage.access_mode]
+    "volumeMode"  = var.storage.type
    "resources" = {
      "requests" = {
-        "storage" = "${var.storage.size}"
+        "storage" = var.storage.size
      }
    }
-  }, var.storage.volume.class != "" ?{
+    }, var.storage.class != "" ? {
    "storageClassName" = var.storage.class
-  }:{})
+  } : {})
 }
 resource "kubectl_manifest" "pvc" {
-  yaml_body  = <<-EOF
+  ignore_fields = ["spec.resources.requests.storage"]
+  yaml_body = <<-EOF
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: ${local.app_slug}
      namespace: "${var.namespace}"
      annotations:
-        k8up.io/backup: "true"
-      labels: ${jsonencode(local.labels)}
+        k8up.io/backup: "${var.backup}"
+        resize.kubesphere.io/storage_limit: "${var.storage.max_size}
+      labels: ${jsonencode(local.pvc_labels)}
    spec: ${jsonencode(local.pvc_spec)}
  EOF
 }
--- a/pvc/variables.tf
+++ b/pvc/variables.tf
@@ -11,16 +11,23 @@ variable "labels" {
  type = map(string)
 }
 variable "storage" {
-  type        = object({
-    accessMode = optional(string),
-    class = optional(string),
-    size = optional(string),
-    type = optional(string)
+  type = object({
+    access_mode = optional(string),
+    class       = optional(string),
+    size        = optional(string),
+    max_size    = optional(string),
+    type        = optional(string)
  })
-  default     = {
-    "accessMode" = "ReadWriteOnce"
-    "class" = ""
-    "size" = "10Gi"
-    "type" = "Filesystem"
+  default = {
+    "access_mode" = "ReadWriteOnce"
+    "class"       = ""
+    "size"        = "2Gi"
+    "max_size"    = "10Gi"
+    "type"        = "Filesystem"
  }
-}
+}
+
+variable "backup" {
+  type    = bool
+  default = true
+}
--- a/rabbitmq/outputs.tf
+++ b/rabbitmq/outputs.tf
@@ -0,0 +1,23 @@
+output "conn_string" {
+  value = "mqtt://${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["password"])}@${local.app_slug}-mq.${var.namespace}.svc:1883"
+}
+
+output "service" {
+  value = "${local.app_slug}-mq.${var.namespace}.svc"
+}
+
+output "db_host" {
+  value = "${local.app_slug}-mq"
+}
+
+output "db_port" {
+  value = "1883"
+}
+
+output "cert_secret_name" {
+  value = local.secret_name
+}
+
+output "user_secret_name" {
+  value = "${local.app_slug}-user"
+}
--- a/rabbitmq/providers.tf
+++ b/rabbitmq/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
+    }
+  }
+}
--- a/rabbitmq/rabbitmq.tf
+++ b/rabbitmq/rabbitmq.tf
@@ -0,0 +1,101 @@
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  rabbit_labels = merge(var.labels, {
+    "app.kubernetes.io/component" = "rabbitmq"
+  })
+  secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
+  pvc_spec = merge({
+    "storage" = var.storage.size
+    }, var.storage.class != "" ? {
+    "storageClassName" = var.storage.class
+  } : {})
+}
+
+resource "kubectl_manifest" "certificate" {
+  count     = var.cert_name == "" ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: "cert-manager.io/v1"
+    kind: "Certificate"
+    metadata:
+      name: "${local.app_slug}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.rabbit_labels)}
+    spec:
+        secretName: "${local.secret_name}"
+        dnsNames:
+        - "${local.app_slug}-mq.${var.namespace}.svc"
+        - "*.${local.app_slug}-mq-nodes.${var.namespace}.svc"
+        issuerRef:
+          kind: "ClusterIssuer"
+          name: "${var.issuer}"
+          group: "cert-manager.io"
+  EOF
+}
+
+resource "kubectl_manifest" "rabbit_secret" {
+  yaml_body = <<-EOF
+    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+    kind: "StringSecret"
+    metadata:
+      name: "${local.app_slug}-user"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.rabbit_labels)}
+    spec:
+      forceRegenerate: false
+      data:
+        username: "${var.instance}"
+        port: "5672"
+        host: "${local.app_slug}-mq.${var.namespace}.svc"
+      fields:
+      - fieldName: "password"
+        length: "32"
+  EOF
+}
+
+data "kubernetes_secret_v1" "rabbit_secret" {
+  depends_on = [kubectl_manifest.rabbit_secret]
+  metadata {
+    name      = "${local.app_slug}-user"
+    namespace = var.namespace
+    labels    = local.rabbit_labels
+  }
+}
+
+# based on https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples
+
+resource "kubectl_manifest" "rabbitmq" {
+  depends_on = [
+    kubectl_manifest.certificate,
+    kubectl_manifest.rabbit_secret,
+    data.kubernetes_secret_v1.rabbit_secret,
+  ]
+  yaml_body = <<-EOF
+    apiVersion: rabbitmq.com/v1beta1
+    kind: RabbitmqCluster
+    metadata:
+      name: "${local.app_slug}-mq"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.rabbit_labels)}
+    spec:
+      replicas: ${var.replicas}
+      image: "${var.image.registry}/${var.image.repository}:${var.image.tag}"
+      imagePullPolicy: "${var.image.pull_policy}"
+      persistence: ${jsonencode(local.pvc_spec)}
+      resources: ${jsonencode(var.resources)}
+      tls:
+        secretName: ${local.secret_name}
+      rabbitmq:
+        erlangInetConfig: |
+          {inet6, true}.
+        envConfig: |
+            SERVER_ADDITIONAL_ERL_ARGS="-kernel inetrc '/etc/rabbitmq/erl_inetrc'  -proto_dist inet6_tcp"
+            RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
+        additionalConfig: |
+          cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
+          default_user=${data.kubernetes_secret_v1.rabbit_secret.data["username"]}
+          default_pass=${data.kubernetes_secret_v1.rabbit_secret.data["password"]}
+        additionalPlugins: ${jsonencode(var.plugins)}
+      service:
+        ipFamilyPolicy: "PreferDualStack"
+  EOF
+}
--- a/rabbitmq/variables.tf
+++ b/rabbitmq/variables.tf
@@ -0,0 +1,78 @@
+variable "component" {
+  type = string
+}
+variable "instance" {
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "labels" {
+  type = map(string)
+}
+variable "issuer" {
+  type = string
+}
+variable "replicas" {
+  type    = number
+  default = 1
+}
+variable "image" {
+  type = object({
+    registry    = optional(string),
+    repository  = optional(string),
+    tag         = optional(string),
+    pull_policy = optional(string)
+  })
+  description = "Image parameters"
+  default = {
+    "registry"    = "docker.io"
+    "repository"  = "rabbitmq"
+    "tag"         = "3.11.28-management-alpine"
+    "pull_policy" = "IfNotPresent"
+  }
+}
+variable "storage" {
+  description = "Storage parameters"
+  type = object({
+    class = optional(string),
+    size  = optional(string),
+  })
+  default = {
+    class = ""
+    size  = "1Gi"
+  }
+}
+variable "resources" {
+  description = "Resources parameters"
+  type = object({
+    requests = optional(object({
+      cpu    = optional(string),
+      memory = optional(string)
+    })),
+    limits = optional(object({
+      cpu    = optional(string),
+      memory = optional(string)
+    }))
+  })
+  default = {
+    requests = {
+      cpu    = "1000m",
+      memory = "2Gi"
+    },
+    limits = {
+      cpu    = "1000m",
+      memory = "2Gi"
+    }
+  }
+}
+variable "cert_name" {
+  type        = string
+  default     = ""
+  description = "Give a secret name for tls, if empty a new one will be created"
+}
+variable "plugins" {
+  description = "RabitMQ plugins"
+  type        = list(string)
+  default     = ["rabbitmq_mqtt", "rabbitmq_web_mqtt"]
+}
--- a/redis/outputs.tf
+++ b/redis/outputs.tf
@@ -1,6 +1,19 @@
-output "host" {
-  value = "${local.app_slug}-redis.${var.namespace}.svc"
-}
-output "url" {
+output "conn_string" {
  value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
 }
+
+output "service" {
+  value = "${local.app_slug}-redis.${var.namespace}.svc"
+}
+
+output "port" {
+  value = 6379
+}
+
+output "db_host" {
+  value = "${local.app_slug}-redis"
+}
+
+output "secret_name" {
+  value = lookup(var.password, "name", "")
+}
--- a/redis/providers.tf
+++ b/redis/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/redis/redis.tf
+++ b/redis/redis.tf
@@ -1,27 +1,27 @@
 locals {
-  app_slug   = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance)
-  redis-labels = merge(var.labels, {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  redis_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "redis"
  })
  cfg = merge({
-    "image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
-    "imagePullPolicy" = "${var.images.redis.pullPolicy}"
-  },lookup(var.password, "enabled", false)?{
+    "image"           = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
+    "imagePullPolicy" = var.images.redis.pull_policy
+    }, lookup(var.password, "enabled", false) ? {
    redisSecret = {
      name = lookup(var.password, "name", var.component)
      key  = lookup(var.password, "key", "redis-password")
    }
-  }:{})
+  } : {})
 }

 resource "kubectl_manifest" "redis" {
-  yaml_body  = <<-EOF
+  yaml_body = <<-EOF
    apiVersion: "redis.redis.opstreelabs.in/v1beta1"
    kind: "Redis"
    metadata:
      name: "${local.app_slug}-redis"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.redis-labels)}
+      labels: ${jsonencode(local.redis_labels)}
    spec:
      kubernetesConfig: ${jsonencode(local.cfg)}
      storage:
--- a/redis/variables.tf
+++ b/redis/variables.tf
@@ -10,56 +10,52 @@ variable "namespace" {
 variable "labels" {
  type = map(string)
 }
-variable "annotations" {
-  type = map(string)
-  default = {}
-}

 variable "images" {
-  type        = object({
-    redis = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})),
-    redis_exporter = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)}))
+  type = object({
+    redis          = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
+    redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
  })
-  default     = {
+  default = {
    "redis" = {
-      "pullPolicy" = "IfNotPresent"
-      "registry" = "quay.io"
-      "repository" = "opstree/redis"
-      "tag" = "v7.0.12"
+      "pull_policy" = "IfNotPresent"
+      "registry"    = "quay.io"
+      "repository"  = "opstree/redis"
+      "tag"         = "v7.0.12"
    }
    "redis_exporter" = {
-      "pullPolicy" = "IfNotPresent"
-      "registry" = "quay.io"
-      "repository" = "opstree/redis-exporter"
-      "tag" = "v1.44.0"
+      "pull_policy" = "IfNotPresent"
+      "registry"    = "quay.io"
+      "repository"  = "opstree/redis-exporter"
+      "tag"         = "v1.44.0"
    }
  }
 }
 variable "exporter" {
-  type        = object({
+  type = object({
    enabled = optional(bool)
  })
-  default     = {
+  default = {
    "enabled" = true
  }
 }
 variable "password" {
-  type        = object({
+  type = object({
    enabled = optional(bool),
-    name = optional(string),
-    key = optional(string)
+    name    = optional(string),
+    key     = optional(string)
  })
-  default     = {
+  default = {
    "enabled" = false
-    "name" = ""
-    "key" = ""
+    "name"    = ""
+    "key"     = ""
  }
 }
 variable "storage" {
-  type        = object({
+  type = object({
    size = optional(string)
  })
-  default     = {
+  default = {
    "size" = "2Gi"
  }
-}
+}
--- a/saml/outputs.tf
+++ b/saml/outputs.tf
@@ -1,3 +1,11 @@
-output "provider-id" {
-  value       = authentik_provider_saml.prj.id
-}
+output "provider_id" {
+  value = authentik_provider_saml.prj.id
+}
+
+output "metadata_url" {
+  value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/api/v3/providers/saml/${authentik_provider_saml.prj.id}/metadata/?download"
+}
+
+output "saml_certificate_secret_name" {
+  value = "${local.app_slug}-saml"
+}
--- a/saml/providers.tf
+++ b/saml/providers.tf
@@ -1,12 +1,17 @@
 terraform {
+  required_version = ">= 1.0"
  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20.0"
+    }
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
    authentik = {
-        source = "goauthentik/authentik"
-        version = "~> 2023.5.0"
+      source  = "goauthentik/authentik"
+      version = "~> 2023.5.0"
    }
  }
 }
--- a/saml/saml.tf
+++ b/saml/saml.tf
@@ -1,25 +1,25 @@
-locals{
-  app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
-    saml_labels = merge(var.labels, {
+locals {
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  saml_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-saml"
  })
 }
-data "authentik_flow" "default-authorization-flow" {
+data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
 }
-data "authentik_flow" "default-authentication-flow" {
+data "authentik_flow" "default_authentication_flow" {
  slug = "default-authentication-flow"
 }

 data "authentik_property_mapping_saml" "saml_maps" {
  managed_list = [
-      "goauthentik.io/providers/saml/email",
-      "goauthentik.io/providers/saml/groups",
-      "goauthentik.io/providers/saml/name",
-      "goauthentik.io/providers/saml/upn",
-      "goauthentik.io/providers/saml/uid",
-      "goauthentik.io/providers/saml/username",
-      "goauthentik.io/providers/saml/ms-windowsaccountname",
+    "goauthentik.io/providers/saml/email",
+    "goauthentik.io/providers/saml/groups",
+    "goauthentik.io/providers/saml/name",
+    "goauthentik.io/providers/saml/upn",
+    "goauthentik.io/providers/saml/uid",
+    "goauthentik.io/providers/saml/username",
+    "goauthentik.io/providers/saml/ms-windowsaccountname",
  ]
 }

@@ -32,7 +32,7 @@ data "authentik_certificate_key_pair" "generated" {
 }

 resource "kubectl_manifest" "saml_certificate" {
-  yaml_body  = <<-EOF
+  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Certificate"
    metadata:
@@ -51,8 +51,8 @@ resource "kubectl_manifest" "saml_certificate" {

 resource "authentik_provider_saml" "prj" {
  name                = "${local.app_slug}-saml"
-  authentication_flow = data.authentik_flow.default-authentication-flow.id
-  authorization_flow  = data.authentik_flow.default-authorization-flow.id
+  authentication_flow = data.authentik_flow.default_authentication_flow.id
+  authorization_flow  = data.authentik_flow.default_authorization_flow.id
  acs_url             = "https://${var.dns_names[0]}/${var.acs_path}"
  property_mappings   = data.authentik_property_mapping_saml.saml_maps.ids
  name_id_mapping     = data.authentik_property_mapping_saml.saml_name.id
@@ -60,3 +60,9 @@ resource "authentik_provider_saml" "prj" {
  sp_binding          = var.binding
 }

+data "kubernetes_ingress_v1" "authentik" {
+  metadata {
+    name      = "authentik"
+    namespace = "${var.domain}-auth"
+  }
+}
--- a/saml/variables.tf
+++ b/saml/variables.tf
@@ -1,22 +1,28 @@
 variable "component" {
-  type        = string
+  type = string
 }
 variable "instance" {
-  type        = string
+  type = string
+}
+variable "namespace" {
+  type = string
+}
+variable "domain" {
+  type = string
 }
 variable "issuer" {
  type = string
 }
 variable "dns_names" {
-  type        = list(string)
+  type = list(string)
 }
 variable "acs_path" {
-  type        = string
+  type = string
 }
 variable "binding" {
-  type        = string
-  default     = "post"
+  type    = string
+  default = "post"
 }
 variable "labels" {
-  type        = map(string)
+  type = map(string)
 }
--- a/service/outputs.tf
+++ b/service/outputs.tf
@@ -1,11 +1,15 @@
 output "name" {
-  value = "${local.app_slug}"
+  value = local.app_slug
 }
-output "default_definition" {
-  value = {
-    "name"  = "${local.app_slug}"
-    "port" = {
-      "number" = var.ports[0]
+output "ingress_backend_exposure" {
+  value = [for port_map in var.port_mapper :
+    {
+      "service" = {
+        "name" = local.app_slug
+        "port" = {
+          "name" = port_map.name
+        }
+      }
    }
-  }
-}
+  ]
+}
--- a/service/providers.tf
+++ b/service/providers.tf
@@ -1,8 +1,8 @@
 terraform {
  required_providers {
    kubectl = {
-        source = "gavinbunney/kubectl"
-        version = "~> 1.14.0"
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14.0"
    }
  }
 }
--- a/service/svc.tf
+++ b/service/svc.tf
@@ -1,58 +1,51 @@
 locals {
-  selector = var.selector==null?var.labels:var.selector
-  app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
-  cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
-    "name"       = target
-    "port"       = var.ports[idx]
-    "protocol"   = var.protocols[idx]
-    "targetPort" = target
+  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
+  selector = length(var.selector) > 0 ? var.selector : var.labels
+  default_ports = var.svc_type != "NodePort" ? [for port_map in var.port_mapper : {
+    "name"       = lower(port_map.name != null && port_map.name != "" ? port_map.name : "${port_map.port}-${port_map.protocol}")
+    "port"       = port_map.port
+    "protocol"   = port_map.protocol
+    "targetPort" = port_map.target
  }] : []
-  ext_ports = var.svc_type == "ExternalName" ? [for idx, target in var.targets : {
-    "name"       = target
-    "port"       = var.ports[idx]
-    "protocol"   = var.protocols[idx]
-    "targetPort" = var.ports[idx]
-  }] : []
-  lb_ports = var.svc_type == "LoadBalancer" ? [for idx, port in var.lb_ports : {
-    "port"       = port
-    "targetPort" = var.ports[idx]
-  }] : []
-  node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
-    "port"       = port
-    "targetPort" = port
-    "nodePort"   = var.node_ports[idx]
+  node_ports = var.svc_type == "NodePort" ? [for port_map in var.port_mapper : {
+    "port"       = port_map.port
+    "targetPort" = port_map.target
+    "nodePort"   = port_map.port
  }] : []
  metadata = merge(
    {
-      "name"= "${local.app_slug}"
-      "namespace"= var.namespace
-      "labels"= var.labels
+      "name"      = local.app_slug
+      "namespace" = var.namespace
+      "labels"    = var.labels
    },
    length(var.annotations) > 0 ? {
-      "annotations"= var.annotations
+      "annotations" = var.annotations
    } : {}
  )
  spec = {
    "ClusterIP" = {
-      type     = "ClusterIP"
-      ports    = local.cluster_ports
-      selector = local.selector
+      type           = "ClusterIP"
+      ports          = local.default_ports
+      selector       = local.selector
+      ipFamilyPolicy = var.ip_family
    },
    "ExternalName" = {
      type         = "ExternalName"
      externalName = var.target_host
-      ports = local.ext_ports
+      ports        = local.default_ports
    },
    "NodePort" = {
-      type     = "NodePort"
-      selector = local.selector
-      ports    = local.node_ports
+      type           = "NodePort"
+      selector       = local.selector
+      ports          = local.node_ports
+      ipFamilyPolicy = var.ip_family
    },
    "LoadBalancer" = {
-      type     = "LoadBalancer"
-      selector = local.selector
-      ports    = local.lb_ports
+      type                  = "LoadBalancer"
+      selector              = local.selector
+      ports                 = local.default_ports
      externalTrafficPolicy = var.lb_policy
+      ipFamilyPolicy        = var.ip_family
    }
  }
 }
@@ -64,3 +57,18 @@ resource "kubectl_manifest" "service" {
    spec: ${jsonencode(local.spec[var.svc_type])}
  EOF
 }
+resource "kubectl_manifest" "endpoint" {
+  count     = var.svc_type == "ExternalName" ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: Endpoints
+    metadata:
+      name: "${local.app_slug}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(var.labels)}
+    subsets:
+      - addresses:
+          - ip: ${var.target_host}
+        ports:  ${jsonencode([for port_map in var.port_mapper : { "port" = port_map.port }])}
+  EOF
+}
--- a/service/variables.tf
+++ b/service/variables.tf
@@ -8,14 +8,16 @@ variable "namespace" {
  type = string
 }
 variable "labels" {
-  type = map(string)
+  type        = map(string)
+  description = "Service labels"
 }
 variable "selector" {
-  type = map(string)
-  default = null
+  type        = map(string)
+  description = "Service selector labels (default same as labels)"
+  default     = {}
 }
 variable "annotations" {
-  type = map(string)
+  type    = map(string)
  default = {}
 }
 variable "svc_type" {
@@ -26,38 +28,49 @@ variable "svc_type" {
    error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
  }
 }
-variable "ports" {
-  type    = list(number)
-  default = [80]
-}
-variable "targets" {
-  type    = list(string)
-  default = ["http"]
-}
-variable "protocols" {
-  type    = list(any)
-  default = ["TCP"]
+
+variable "ip_family" {
+  type    = string
+  default = "PreferDualStack"
  validation {
-    condition     = alltrue([for proto in var.protocols : contains(["TCP", "UDP"], proto)])
-    error_message = "Only TCP or UDP is allowed"
+    condition     = contains(["SingleStack", "PreferDualStack"], var.ip_family)
+    error_message = "Only SingleStack or PreferDualStack is allowed"
  }
 }
+
+variable "port_mapper" {
+  description = "List information for port mapping in the service"
+  type = list(object({
+    name     = optional(string)
+    port     = number
+    protocol = string
+    target   = string
+  }))
+  default = [{
+    "name"     = "80-TCP",
+    "port"     = 80,
+    "protocol" = "TCP"
+    "target"   = "80-TCP"
+  }]
+  validation {
+    condition = alltrue(
+      [for port_map in var.port_mapper : contains(["TCP", "UDP"], port_map.protocol)]
+    )
+    error_message = "Only numeric on containerPort and TCP or UDP on protocol is allowed"
+  }
+  # validation {
+  #   condition = (var.svc_type == "NodePort") == alltrue(
+  #     [for port_map in var.port_mapper : port_map.port >= 30000 && port_map.port <= 32767]
+  #   )
+  #   error_message = "The range of valid ports is 30000-32767 for a NodePort type"
+  # }
+}
+
 variable "target_host" {
  type    = string
  default = ""
 }
-variable "node_ports" {
-  type    = list(number)
-  default = [30080]
-  validation {
-    condition     = alltrue([for port in var.node_ports : port >= 30000 && port <= 32767])
-    error_message = "The range of valid ports is 30000-32767"
-  }
-}
-variable "lb_ports" {
-  type    = list(number)
-  default = [8080]
-}
+
 variable "lb_policy" {
  type    = string
  default = "Cluster"
Author	SHA1	Message	Date
Xavier Mortelette	1df9904e1c	WIP	2024-10-05 16:12:13 +02:00
Xavier Mortelette	2eafb09fa6	Refacto forward	2024-09-29 23:42:40 +02:00
Xavier Mortelette	47776ea7bf	Refacto Saml	2024-09-22 21:29:45 +02:00
Xavier Mortelette	5299267f47	Fix linter, improve rabbit	2024-08-26 21:13:24 +02:00
Xavier Mortelette	9f12af60bc	Refacto OAuth2	2024-05-21 09:42:56 +02:00
Xavier Mortelette	82a179dad3	Optimize service port definition	2024-05-21 09:30:23 +02:00
Xavier Mortelette	bcdf666cc0	Refacto and add modules	2024-05-21 09:29:51 +02:00
Sébastien Huss	159b576b24	No more sercretString dans oauth2	2024-05-17 16:10:54 +02:00