vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:main
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:feature/ak-gatekeeper
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

11 Commits
main ... feature/ak

Author SHA1 Message Date
Xavier Mortelette
e8d1c4e86a Reafacto OAuth2 
Add roles mappings
Remove legacy groups
 2025-01-06 18:14:31 +01:00
Xavier Mortelette
fa2a69c61e Fix breaking authentik 2024-11-27 17:27:41 +01:00
Xavier Mortelette
03698c2dc2 Refacto Oauht2 2024-11-08 21:09:05 +01:00
Xavier Mortelette
f4ac0c5ac3 Fix service Name 2024-10-12 20:32:12 +02:00
Xavier Mortelette
5dbc3bdea2 Add ak-gatekeeper 2024-10-08 16:41:52 +02:00
Xavier Mortelette
47776ea7bf Refacto Saml 2024-09-22 21:29:45 +02:00
Xavier Mortelette
5299267f47 Fix linter, improve rabbit 2024-08-26 21:13:24 +02:00
Xavier Mortelette
9f12af60bc Refacto OAuth2 2024-05-21 09:42:56 +02:00
Xavier Mortelette
82a179dad3 Optimize service port definition 2024-05-21 09:30:23 +02:00
Xavier Mortelette
bcdf666cc0 Refacto and add modules 2024-05-21 09:29:51 +02:00
Sébastien Huss
159b576b24 No more sercretString dans oauth2 2024-05-17 16:10:54 +02:00
63 changed files with 1489 additions and 542 deletions
Expand all files Collapse all files

5
.ci-img.yml Normal file
View File

@@ -0,0 +1,5 @@
---
lint:
image: ghcr.io/terraform-linters/tflint
opentofu:
image: ghcr.io/opentofu/opentofu:latest

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.terraform*

17
ak-gatekeeper/ak_provider.tf Normal file
View File

@@ -0,0 +1,17 @@
data "authentik_flow" "proxy_authorization_flow" {
depends_on = [data.kubernetes_secret_v1.authentik]
slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default_invalidation_flow" {
depends_on = [data.kubernetes_secret_v1.authentik]
slug = "default-provider-invalidation-flow"
}
resource "authentik_provider_proxy" "app_proxy_provider" {
name = "${local.app_slug}-provider"
external_host = local.external_url
authorization_flow = data.authentik_flow.proxy_authorization_flow.id
mode = "forward_single"
access_token_validity = var.access_token_validity
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
}

15
ak-gatekeeper/common.tf Normal file
View File

@@ -0,0 +1,15 @@
data "kubernetes_secret_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
ak_gatekeeper_labels = merge(var.labels, {
"app.kubernetes.io/component" = "ak-gatekeeper"
})
authentik_url = "http://authentik-authentik.${var.domain}-auth.svc"
authentik_token = try(data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"], "no-token")
external_url = format("https://%s", var.dns_name)
}

15
ak-gatekeeper/middleware.tf Normal file
View File

@@ -0,0 +1,15 @@
resource "kubectl_manifest" "middleware" {
yaml_body = <<-EOF
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: "${local.app_slug}-gatekeeper"
namespace: "${var.namespace}"
labels: ${jsonencode(local.ak_gatekeeper_labels)}
spec:
forwardAuth:
address: http://ak-${var.domain}-proxy-outpost.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders: ${jsonencode(var.response_headers)}
EOF
}

32
ak-gatekeeper/outpost.tf Normal file
View File

@@ -0,0 +1,32 @@
locals {
request_headers = {
"Content-Type" = "application/json"
Authorization = "Bearer ${local.authentik_token}"
}
outposts = jsondecode(data.http.get_proxy_outpost.response_body).results
outpost_providers = local.outposts[0].providers
outpost_pk = local.outposts[0].pk
}
data "http" "get_proxy_outpost" {
depends_on = [data.kubernetes_secret_v1.authentik]
url = "${local.authentik_url}/api/v3/outposts/instances/?name__iexact=${var.domain}-proxy-outpost"
method = "GET"
request_headers = local.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid, error: ${try(jsondecode(self.response_body).detail, "no-error")}"
}
}
}
resource "restapi_object" "proxy_outpost_binding" {
path = "/outposts/instances/${local.outpost_pk}/"
data = jsonencode({
name = "${var.domain}-proxy-outpost"
providers = contains(local.outpost_providers, authentik_provider_proxy.app_proxy_provider.id) ? local.outpost_providers : concat(local.outpost_providers, [authentik_provider_proxy.app_proxy_provider.id])
})
}

21
ak-gatekeeper/outpost_read.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
set -e
CURL_OPTIONS="-sL"
if [ ! -z ${INSECURE_CURL+x} ]; then
CURL_OPTIONS="${CURL_OPTIONS} -k"
fi
OUTPUT_FILE=$(mktemp)
HTTP_CODE=$(curl $CURL_OPTIONS \
--output $OUTPUT_FILE \
--write-out "%{http_code}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${AK_TOKEN}" \
"${AK_BASEURL}/api/v3/outposts/instances/${AK_OUTPOST_ID}/")
if [[ ${HTTP_CODE} -lt 200 || ${HTTP_CODE} -gt 299 ]] ; then
>&2 cat $OUTPUT_FILE
rm $OUTPUT_FILE
exit 2
fi
cat | jq -r ".results"
rm $OUTPUT_FILE

6
ak-gatekeeper/outputs.tf Normal file
View File

@@ -0,0 +1,6 @@
output "provider_id" {
value = authentik_provider_proxy.app_proxy_provider.id
}
output "middleware" {
value = kubectl_manifest.middleware.name
}

25
ak-gatekeeper/providers.tf Normal file
View File

@@ -0,0 +1,25 @@
terraform {
required_version = ">= 1.0"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "registry.terraform.io/goauthentik/authentik"
version = "2024.10.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

64
ak-gatekeeper/variables.tf Normal file
View File

@@ -0,0 +1,64 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "access_token_validity" {
type = string
default = "hours=10" // ;minutes=10
}
variable "response_headers" {
type = list(string)
description = "List of sended headers from authentik to web application"
default = [
"X-authentik-username",
"X-authentik-email",
"X-authentik-groups",
"X-authentik-name",
"X-authentik-uid",
"X-authentik-jwt",
"X-authentik-meta-jwks",
"X-authentik-meta-outpost",
"X-authentik-meta-provider",
"X-authentik-meta-app",
"X-authentik-meta-version",
]
validation {
condition = alltrue(
[for header in var.response_headers : contains([
"X-authentik-username",
"X-authentik-email",
"X-authentik-groups",
"X-authentik-name",
"X-authentik-uid",
"X-authentik-jwt",
"X-authentik-meta-jwks",
"X-authentik-meta-outpost",
"X-authentik-meta-provider",
"X-authentik-meta-app",
"X-authentik-meta-version",
], header)]
)
error_message = "Only som headers are allowed by authentik"
}
}

62
application/application.tf
View File

@@ -1,7 +1,45 @@
locals { locals {
app_name = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
main_group = format("app-%s", local.app_name) application_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-application"
})
app_name = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
main_group = format("app-%s", local.app_slug)
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
dns_name = var.dns_name != "" ? var.dns_name : var.rule_mapper.host
url_icon = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", local.dns_name, var.icon)
backend = var.rule_mapper.paths[0].backend
rules_icons = [{
"host" = local.dns_name
"http" = {
"paths" = [{
"path" = "/${var.icon}"
"pathType" = "Prefix"
"backend" = local.backend
}]
}
}]
} }
resource "kubectl_manifest" "ingress_icon" {
count = startswith(var.icon, "fa-") ? 0 : 1
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${local.app_slug}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(local.application_labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
tls:
- secretName: "${local.secret_name}"
hosts: ${jsonencode([local.dns_name])}
EOF
}
data "authentik_group" "akadmin" { data "authentik_group" "akadmin" {
name = "authentik Admins" name = "authentik Admins"
} }
@@ -16,31 +54,31 @@ resource "authentik_group" "subgroup" {
parent = authentik_group.groups.id parent = authentik_group.groups.id
} }
resource "authentik_application" "prj_app" { resource "authentik_application" "app" {
name = var.instance name = var.app_name
slug = "${var.component}-${var.instance}" slug = local.app_slug
group = var.app_group group = var.app_group
protocol_provider = var.protocol_provider protocol_provider = var.protocol_provider
backchannel_providers = var.backchannel_providers backchannel_providers = var.backchannel_providers
meta_launch_url = format("https://%s", var.dns_name) meta_launch_url = format("https://%s", local.dns_name)
meta_icon = format("https://%s/%s", var.dns_name, var.icon) meta_icon = local.url_icon
} }
resource "authentik_policy_expression" "policy" { resource "authentik_policy_expression" "policy" {
name = local.main_group name = "${local.app_slug}-${local.main_group}"
expression = <<-EOF expression = <<-EOF
attr = request.user.group_attributes() attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF EOF
} }
resource "authentik_policy_binding" "prj_access_users" { resource "authentik_policy_binding" "access_users" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
policy = authentik_policy_expression.policy.id policy = authentik_policy_expression.policy.id
order = 0 order = 0
} }
resource "authentik_policy_binding" "prj_access_vynil" { resource "authentik_policy_binding" "access_vynil" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
group = data.authentik_group.akadmin.id group = data.authentik_group.akadmin.id
order = 1 order = 1
} }

11
application/outputs.tf
View File

@@ -1,10 +1,15 @@
output "application-id" { output "application_id" {
value = authentik_application.prj_app.uuid value = authentik_application.app.uuid
} }
output "policy-id" { output "policy_id" {
value = authentik_policy_expression.policy.id value = authentik_policy_expression.policy.id
} }
output "main_group" { output "main_group" {
value = local.main_group value = local.main_group
} }
output "main_group_id" {
value = authentik_group.groups.id
}

9
application/providers.tf
View File

@@ -1,8 +1,13 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = { authentik = {
source = "goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "~> 2023.5.0" version = "2024.10.0"
} }
} }
} }

49
application/variables.tf
View File

@@ -16,6 +16,12 @@ variable "protocol_provider" {
} }
variable "dns_name" { variable "dns_name" {
type = string type = string
description = "Deprecated, use rule_mapper"
default = ""
}
variable "app_name" {
type = string
default = ""
} }
variable "sub_groups" { variable "sub_groups" {
type = list(string) type = list(string)
@@ -26,3 +32,46 @@ variable "backchannel_providers" {
type = list(number) type = list(number)
default = null default = null
} }
variable "ingress_class" {
type = string
default = "traefik"
}
variable "rule_mapper" {
type = object({
host = string
paths = list(object({
path = optional(string)
type = optional(string)
backend = object({
service = object({
name = string
port = object({
name = string
})
})
})
}))
})
default = {
host = "not.defined"
paths = []
}
}
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty will use the ingress cert_name"
}
variable "namespace" {
type = string
default = ""
}
variable "labels" {
type = map(string)
default = {}
}

19
backup/backup.tf
View File

@@ -1,16 +1,15 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
} }
resource "kubectl_manifest" "backup_schedule" { resource "kubectl_manifest" "backup_schedule" {
count = var.backups.enable ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: k8up.io/v1 apiVersion: k8up.io/v1
kind: Schedule kind: Schedule
metadata: metadata:
name: "${var.app_slug}-backup" name: "${local.app_slug}-backup"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.labels)} labels: ${jsonencode(var.labels)}
spec: spec:
backend: backend:
repoPasswordSecretRef: repoPasswordSecretRef:
@@ -20,11 +19,11 @@ resource "kubectl_manifest" "backup_schedule" {
accessKeyIDSecretRef: accessKeyIDSecretRef:
key: "${var.backups.key_id_key}" key: "${var.backups.key_id_key}"
name: "${var.backups.secret_name}" name: "${var.backups.secret_name}"
bucket: "${var.app_slug}-${var.namespace}" bucket: "${local.app_slug}-${var.namespace}"
endpoint: "${var.backups.endpoint}/restic" endpoint: "${var.backups.endpoint}/restic"
secretAccessKeySecretRef: secretAccessKeySecretRef:
key: "${var.backups.secret_key}" key: "${var.backups.secret_key}"
name: "${var.backups.secret-name}" name: "${var.backups.secret_name}"
backup: backup:
schedule: "${var.backups.schedule.backup}" schedule: "${var.backups.schedule.backup}"
failedJobsHistoryLimit: 2 failedJobsHistoryLimit: 2
@@ -33,10 +32,10 @@ resource "kubectl_manifest" "backup_schedule" {
schedule: "${var.backups.schedule.check}" schedule: "${var.backups.schedule.check}"
prune: prune:
retention: retention:
keepDaily: ${var.backups.retention.keepDaily} keepDaily: ${var.backups.retention.keep_daily}
keepMonthly: ${var.backups.retention.keepMonthly} keepMonthly: ${var.backups.retention.keep_monthly}
keepWeekly: ${var.backups.retention.keepWeekly} keepWeekly: ${var.backups.retention.keep_weekly}
keepYearly: ${var.backups.retention.keepYearly} keepYearly: ${var.backups.retention.keep_yearly}
schedule: "${var.backups.schedule.prune}" schedule: "${var.backups.schedule.prune}"
EOF EOF
} }

16
backup/variables.tf
View File

@@ -17,10 +17,10 @@ variable "backups" {
"key_id_key" = "s3-id" "key_id_key" = "s3-id"
"restic_key" = "bck-password" "restic_key" = "bck-password"
"retention" = { "retention" = {
"keepDaily" = 14 "keep_daily" = 14
"keepMonthly" = 12 "keep_monthly" = 12
"keepWeekly" = 6 "keep_weekly" = 6
"keepYearly" = 12 "keep_yearly" = 12
} }
"schedule" = { "schedule" = {
"backup" = "30 3 * * *" "backup" = "30 3 * * *"
@@ -38,10 +38,10 @@ variable "backups" {
key_id_key = optional(string), key_id_key = optional(string),
restic_key = optional(string), restic_key = optional(string),
retention = optional(object({ retention = optional(object({
keepDaily = optional(number), keep_daily = optional(number),
keepMonthly = optional(number), keep_monthly = optional(number),
keepWeekly = optional(number), keep_weekly = optional(number),
keepYearly = optional(number) keep_yearly = optional(number)
})), })),
schedule = optional(object({ schedule = optional(object({
backup = optional(string), backup = optional(string),

53
forward/forward.tf
View File

@@ -1,59 +1,28 @@
locals { locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
forward_labels = merge(var.labels, { forward_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-forward" "app.kubernetes.io/component" = "authentik-forward"
}) })
main_group = format("app-%s", var.app_name) external_url = format("https://%s", var.dns_name)
external_url = format("https://%s", var.dns_names[0]) forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
rules_icons = [for v in var.dns_names : { forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
"host" = "${v}"
"http" = {
"paths" = [{
"backend" = {
"service" = var.service
}
"path" = "/${var.icon}"
"pathType" = "Prefix"
}]
}
}]
} }
resource "kubectl_manifest" "prj_ingress_icon" { data "authentik_flow" "default_authorization_flow" {
force_conflicts = true
yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${local.app_slug}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(local.forward_labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
tls:
- hosts: ${jsonencode(var.dns_names)}
secretName: "${var.instance}-cert"
EOF
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
resource "authentik_provider_proxy" "prj_forward" { resource "authentik_provider_proxy" "forward" {
name = local.app_slug name = local.app_slug
external_host = local.external_url external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
mode = "forward_single" mode = "forward_single"
access_token_validity = var.access_token_validity access_token_validity = var.access_token_validity
} }
data "http" "get_forward_outpost" { data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.prj_forward] depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" url = "http://authentik-authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = var.request_headers
lifecycle { lifecycle {
@@ -68,11 +37,11 @@ resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/" path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({ data = jsonencode({
name = "forward" name = "forward"
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id]) providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
}) })
} }
resource "kubectl_manifest" "prj_middleware" { resource "kubectl_manifest" "middleware" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware

4
forward/outputs.tf
View File

@@ -1,5 +1,5 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_proxy.prj_forward.id value = authentik_provider_proxy.forward.id
} }
output "sso_logout" { output "sso_logout" {

20
forward/variables.tf
View File

@@ -6,10 +6,6 @@ variable "instance" {
type = string type = string
} }
variable "icon" {
type = string
}
variable "domain" { variable "domain" {
type = string type = string
} }
@@ -18,16 +14,12 @@ variable "namespace" {
type = string type = string
} }
variable "ingress_class" {
type = string
}
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "dns_names" { variable "dns_name" {
type = list(string) type = string
} }
variable "access_token_validity" { variable "access_token_validity" {
@@ -35,14 +27,6 @@ variable "access_token_validity" {
default = "hours=10" // ;minutes=10 default = "hours=10" // ;minutes=10
} }
variable "app_name" {
type = string
default = ""
}
variable "service" {
}
variable "request_headers" { variable "request_headers" {
type = map(string) type = map(string)
} }

40
ingress/ingress.tf
View File

@@ -1,25 +1,25 @@
locals { locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pres_labels = merge(var.labels, { pres_labels = merge(var.labels, {
"app.kubernetes.io/component" = "presentation" "app.kubernetes.io/component" = "presentation"
}) })
rules = [for v in var.dns_names : { rules = [for rule in var.rules_mapper : {
"host" = "${v}" "host" = rule.host
"http" = { "http" = {
"paths" = [for idx, svc in var.services : { "paths" = [for mapper in rule.paths : {
"path" = "/${var.sub_paths[idx]}" "path" = "/${mapper.path}"
"pathType" = "Prefix" "pathType" = mapper.type != null && mapper.type != "" ? mapper.type : "Prefix"
"backend" = { "backend" = mapper.backend
"service" = svc
}
}] }]
} }
}] }]
tls = var.enforce_tls ? [ dns_names = [for rule in var.rules_mapper : rule.host]
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
{ {
secretName = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert" secretName = local.secret_name
hosts = var.dns_names hosts = local.dns_names
} }
] : [] ] : []
middlewares = concat( middlewares = concat(
@@ -31,13 +31,13 @@ locals {
"traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint "traefik.ingress.kubernetes.io/router.entrypoints" = var.entrypoint
} : {}, } : {},
length(local.middlewares) > 0 ? { length(local.middlewares) > 0 ? {
"traefik.ingress.kubernetes.io/router.middlewares" : "${join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])}" "traefik.ingress.kubernetes.io/router.middlewares" : join(",", [for m in local.middlewares : format("%s-%s@kubernetescrd", var.namespace, m)])
} : {}, } : {},
) )
} }
resource "kubectl_manifest" "prj_certificate" { resource "kubectl_manifest" "certificate" {
count = var.create_cert ? 1 : 0 count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1" apiVersion: "cert-manager.io/v1"
kind: "Certificate" kind: "Certificate"
@@ -46,8 +46,8 @@ resource "kubectl_manifest" "prj_certificate" {
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pres_labels)} labels: ${jsonencode(local.pres_labels)}
spec: spec:
secretName: "${local.app_slug}-cert" secretName: "${local.secret_name}"
dnsNames: ${jsonencode(var.dns_names)} dnsNames: ${jsonencode(local.dns_names)}
issuerRef: issuerRef:
kind: "ClusterIssuer" kind: "ClusterIssuer"
name: "${var.issuer}" name: "${var.issuer}"
@@ -55,8 +55,8 @@ resource "kubectl_manifest" "prj_certificate" {
EOF EOF
} }
resource "kubectl_manifest" "prj_https_redirect" { resource "kubectl_manifest" "https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0 count = var.create_redirect ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "traefik.io/v1alpha1" apiVersion: "traefik.io/v1alpha1"
kind: "Middleware" kind: "Middleware"
@@ -71,7 +71,7 @@ resource "kubectl_manifest" "prj_https_redirect" {
EOF EOF
} }
resource "kubectl_manifest" "prj_ingress" { resource "kubectl_manifest" "ingress" {
force_conflicts = true force_conflicts = true
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1" apiVersion: "networking.k8s.io/v1"

2
ingress/outputs.tf
View File

@@ -1,3 +1,3 @@
output "secret_name" { output "secret_name" {
value = var.create_cert ? "${local.app_slug}-cert":"" value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
} }

56
ingress/variables.tf
View File

@@ -17,42 +17,48 @@ variable "ingress_class" {
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "dns_names" {
type = list(string)
}
variable "middlewares" { variable "middlewares" {
type = list(string) type = list(string)
default = [] default = []
} }
variable "services" {
type = list(any) variable "rules_mapper" {
type = list(object({
host = string
paths = list(object({
path = optional(string)
type = optional(string)
backend = object({
service = object({
name = string
port = object({
name = string
})
})
})
}))
}))
description = "Simplified rules mapper for ingress"
} }
variable "create_redirect" {
type = bool
default = true
}
variable "create_cert" {
type = bool
default = true
}
variable "enforce_tls" {
type = bool
default = true
}
variable "sub_paths" {
type = list(string)
default = [""]
}
variable "cert_name" {
type = string
default = ""
}
variable "entrypoint" { variable "entrypoint" {
type = string type = string
default = "" default = ""
description = "Define ingres support, if empty or define to websecure, tls will be activate"
validation { validation {
condition = contains(["", "web", "websecure"], var.entrypoint) condition = contains(["", "web", "websecure"], var.entrypoint)
error_message = "Only empty \"\", web or websecure is allowed" error_message = "Only empty \"\", web or websecure is allowed"
} }
} }
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
}
variable "create_redirect" {
type = bool
default = true
description = "Enfore https redirection"
}

157
ldap/ldap.tf Normal file
View File

@@ -0,0 +1,157 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
ldap_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-ldap"
})
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
base_group_dn = format("ou=groups,%s", local.base_dn)
base_user_dn = format("ou=users,%s", local.base_dn)
authentik_base_url = "http://authentik-authentik.${var.domain}-auth.svc"
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
sorted_group_names = reverse(distinct(sort([
for grp in var.user_groups : grp.name
])))
sorted_groups = flatten([
for name in local.sorted_group_names : [
for grp in var.user_groups :
grp if grp.name == name
]
])
}
data "authentik_group" "vynil_admin" {
name = "vynil-ldap-admins"
}
resource "authentik_group" "groups" {
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
attributes = jsonencode({ local.app_name = true })
}
data "authentik_group" "readed_groups" {
depends_on = [authentik_group.groups]
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
}
resource "authentik_application" "application_ldap" {
name = local.app_slug
slug = "${local.app_slug}-ldap"
protocol_provider = authentik_provider_ldap.provider_ldap.id
meta_launch_url = "blank://blank"
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "ldap_access_users" {
target = authentik_application.application_ldap.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "ldap_access_ldap" {
target = authentik_application.application_ldap.uuid
group = authentik_group.ldapsearch.id
order = 1
}
resource "authentik_policy_binding" "ldap_access_vynil" {
target = authentik_application.application_ldap.uuid
group = data.authentik_group.vynil_admin.id
order = 2
}
resource "kubectl_manifest" "ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-ldapsearch"
namespace: "${var.namespace}"
labels: ${jsonencode(local.ldap_labels)}
data:
LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
spec:
forceRegenerate: false
fields:
- fieldName: "LDAP_ADMIN_PASS"
length: "32"
EOF
}
data "kubernetes_secret_v1" "ldap_password" {
depends_on = [kubectl_manifest.ldap]
metadata {
name = kubectl_manifest.ldap.name
namespace = var.namespace
}
}
resource "authentik_user" "ldapsearch" {
username = "${local.app_slug}-ldapsearch"
name = "${local.app_slug}-ldapsearch"
}
resource "authentik_group" "ldapsearch" {
name = "${local.app_slug}-ldapsearch"
users = [authentik_user.ldapsearch.id]
}
data "http" "ldapsearch_password" {
url = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
method = "POST"
request_headers = var.request_headers
request_body = jsonencode({
password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
})
lifecycle {
postcondition {
condition = contains([201, 204], self.status_code)
error_message = "Status code invalid"
}
}
}
data "authentik_flow" "ldap_authentication_flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "provider_ldap" {
name = "${local.app_slug}-ldap"
base_dn = local.base_dn
search_group = authentik_group.ldapsearch.id
bind_flow = data.authentik_flow.ldap_authentication_flow.id
}
data "http" "get_ldap_outpost" {
depends_on = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
url = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
method = "GET"
request_headers = var.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap_outpost_pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
})
}

23
ldap/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "provider_id" {
value = authentik_provider_ldap.provider_ldap.id
}
output "ldap_address" {
value = "ak-outpost-ldap.${var.domain}-auth.svc"
}
output "ldap_search_account" {
value = "${local.app_slug}-ldapsearch"
}
output "base_dn" {
value = local.base_dn
}
output "base_group_dn" {
value = local.base_group_dn
}
output "base_user_dn" {
value = local.base_user_dn
}

24
ldap/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

25
ldap/variables.tf Normal file
View File

@@ -0,0 +1,25 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "request_headers" {
type = map(string)
}
variable "user_groups" {
type = map(string)
default = {}
}

46
mongo/mongo.tf
View File

@@ -1,13 +1,13 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"] mongo_labels = merge(var.labels, {
username = var.username==""?var.component==""?var.instance:var.component:var.username
db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
mongo-labels = merge(var.labels, {
"app.kubernetes.io/component" = "mongo" "app.kubernetes.io/component" = "mongo"
}) })
db_name = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
username = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
} }
resource "kubectl_manifest" "prj_mongo_secret" { resource "kubectl_manifest" "mongo_secret" {
ignore_fields = ["metadata.annotations"] ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1" apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -15,7 +15,7 @@ resource "kubectl_manifest" "prj_mongo_secret" {
metadata: metadata:
name: "${local.app_slug}-mongo" name: "${local.app_slug}-mongo"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
spec: spec:
forceRegenerate: false forceRegenerate: false
fields: fields:
@@ -23,21 +23,21 @@ resource "kubectl_manifest" "prj_mongo_secret" {
length: "16" length: "16"
EOF EOF
} }
data "kubernetes_secret_v1" "prj_mongo_secret" { data "kubernetes_secret_v1" "mongo_secret" {
depends_on = [ kubectl_manifest.prj_mongo_secret ] depends_on = [kubectl_manifest.mongo_secret]
metadata { metadata {
name = "${local.app_slug}-mongo" name = "${local.app_slug}-mongo"
namespace = var.namespace namespace = var.namespace
} }
} }
resource "kubectl_manifest" "prj_mongo" { resource "kubectl_manifest" "mongo" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: mongodbcommunity.mongodb.com/v1 apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity kind: MongoDBCommunity
metadata: metadata:
name: "${local.app_slug}-mongo" name: "${local.app_slug}-mongo"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
spec: spec:
members: 1 members: 1
type: ${var.mongo_type} type: ${var.mongo_type}
@@ -52,7 +52,7 @@ resource "kubectl_manifest" "prj_mongo" {
spec: spec:
containers: containers:
- name: mongod - name: mongod
imagePullPolicy: "${var.pullPolicy}" imagePullPolicy: "${var.pull_policy}"
resources: ${jsonencode(var.resources)} resources: ${jsonencode(var.resources)}
env: env:
- name: MONGODB_NAME - name: MONGODB_NAME
@@ -80,24 +80,24 @@ resource "kubectl_manifest" "prj_mongo" {
scramCredentialsSecretName: "${local.app_slug}-mongo-scram" scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_sa" { resource "kubectl_manifest" "mongo_sa" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_role" { resource "kubectl_manifest" "mongo_role" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
@@ -107,20 +107,20 @@ resource "kubectl_manifest" "prj_mongo_role" {
verbs: ["patch", "delete", "get"] verbs: ["patch", "delete", "get"]
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_rb" { resource "kubectl_manifest" "mongo_rb" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: mongodb-database name: ${local.app_slug}-mongodb-database
roleRef: roleRef:
kind: Role kind: Role
name: mongodb-database name: ${local.app_slug}-mongodb-database
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
EOF EOF
} }

4
mongo/outputs.tf
View File

@@ -1,11 +1,11 @@
output "url" { output "url" {
value = "mongodb://${local.username}:${local.mongo-password}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}" value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
} }
output "service" { output "service" {
value = "${local.app_slug}-mongo-svc.${var.namespace}.svc" value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
} }
output "password" { output "password" {
value = local.mongo-password value = local.mongo_password
} }
output "username" { output "username" {
value = local.username value = local.username

2
mongo/variables.tf
View File

@@ -26,7 +26,7 @@ variable "mongo_type" {
type = string type = string
default = "ReplicaSet" default = "ReplicaSet"
} }
variable "pullPolicy" { variable "pull_policy" {
type = string type = string
default = "IfNotPresent" default = "IfNotPresent"
} }

2
mysql/mysql.tf
View File

@@ -1,8 +1,8 @@
locals { locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_labels = merge(var.labels, { mysql_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mysql" "app.kubernetes.io/component" = "mysql"
}) })
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc" mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"] mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"] mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]

17
mysql/outpost.tf
View File

@@ -1,12 +1,15 @@
output "dns_names" { output "conn_string" {
value = [ value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
"${local.app_slug}-mysql",
"${local.app_slug}-mysql-instances"
]
} }
output "mysql_host" {
value =" ${local.app_slug}-mysql" output "service" {
value = "${local.app_slug}-mysql.${var.namespace}.svc"
} }
output "host" {
value = "${local.app_slug}-mysql"
}
output "secret_name" { output "secret_name" {
value = "${local.app_slug}-db" value = "${local.app_slug}-db"
} }

184
oauth2/oauth2.tf
View File

@@ -1,88 +1,152 @@
locals { locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
main_group = format("kydah-%s", local.app_slug)
oauth2_labels = merge(var.labels, { oauth2_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-oauth2" "app.kubernetes.io/component" = "authentik-oauth2"
}) })
} cert_signing = var.cert_sign_secret_name != ""
resource "kubectl_manifest" "oauth2-secret" { signing_id = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
spec:
forceRegenerate: false
fields:
- fieldName: "client-id"
length: "32"
EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
depends_on = [kubectl_manifest.oauth2-secret]
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
labels = local.oauth2_labels
}
} }
resource "random_uuid" "client_id" {
}
# resource "kubectl_manifest" "secret_gen" {
# yaml_body = <<-EOF
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
# kind: "StringSecret"
# metadata:
# name: "${local.app_slug}-oauth2"
# namespace: "${var.namespace}"
# labels: ${jsonencode(local.oauth2_labels)}
# ownerReferences: ${jsonencode(var.owner_references)}
# spec:
# forceRegenerate: false
# fields:
# - fieldName: "client_id"
# length: "32"
# EOF
# }
# data "kubernetes_secret_v1" "secret_gen" {
# metadata {
# name = kubectl_manifest.secret_gen.name
# namespace = var.namespace
# }
# }
data "authentik_certificate_key_pair" "ca" { data "authentik_certificate_key_pair" "ca" {
name = "authentik Self-signed Certificate" name = "authentik Self-signed Certificate"
} }
data "authentik_scope_mapping" "oauth2" { resource "authentik_property_mapping_provider_scope" "app_scope" {
managed_list = [ count = var.scope_attributes != "" ? 1 : 0
"goauthentik.io/providers/oauth2/scope-email", name = local.app_slug
"goauthentik.io/providers/oauth2/scope-openid", scope_name = local.app_slug
"goauthentik.io/providers/oauth2/scope-profile" expression = var.scope_attributes
]
} }
data "authentik_flow" "default-authorization-flow" {
data "authentik_property_mapping_provider_scope" "oauth2" {
managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
}
data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
data "authentik_flow" "default_invalidation_flow" {
slug = "default-provider-invalidation-flow"
}
resource "authentik_group" "app_group" {
name = local.main_group
attributes = jsonencode({
"${local.app_slug}" = {
"kydah_instance" = var.instance
"kydah_component" = var.component
}
})
}
resource "authentik_group" "sub_groups" {
for_each = var.group_mapping
name = format("%s-%s", local.main_group, each.key)
parent = authentik_group.app_group.id
attributes = jsonencode({
"${local.app_slug}" = {
"kydah_instance" = var.instance
"kydah_component" = var.component
"kydah_app_group" = each.value
}
})
}
data "kubernetes_secret_v1" "signing_cert" {
count = var.cert_sign_secret_name != "" ? 1 : 0
metadata {
name = var.cert_sign_secret_name
namespace = var.namespace
}
}
resource "authentik_certificate_key_pair" "name" {
count = local.cert_signing ? 1 : 0
name = "${local.app_slug} Signing"
certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
key_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
}
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
name = "${local.app_slug}" depends_on = [authentik_property_mapping_provider_scope.app_scope]
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] name = local.app_slug
authentication_flow = data.authentik_flow.default-authentication-flow.id client_id = random_uuid.client_id.result
authorization_flow = data.authentik_flow.default-authorization-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
client_type = "confidential" authorization_flow = data.authentik_flow.default_authorization_flow.id
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
client_type = var.client_type
sub_mode = "user_username" sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id signing_key = local.signing_id
property_mappings = data.authentik_scope_mapping.oauth2.ids property_mappings = concat(
data.authentik_property_mapping_provider_scope.oauth2.ids,
var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
)
redirect_uris = [ redirect_uris = [
"https://${var.redirect_path!=""?"${var.dns_name}/${var.redirect_path}":"${var.dns_name}"}" "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
] ]
} }
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${local.app_slug}-secret"
namespace = var.namespace
labels = local.oauth2_labels
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret
}
}
data "kubernetes_secret_v1" "oauth2-client-secret" {
depends_on = [kubernetes_secret_v1.oauth2-client-secret]
metadata {
name = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name
namespace = var.namespace
}
}
data "kubernetes_ingress_v1" "authentik" { data "kubernetes_ingress_v1" "authentik" {
metadata { metadata {
name = "authentik" name = "authentik"
namespace = "${var.domain}-auth" namespace = "${var.domain}-auth"
} }
} }
resource "kubectl_manifest" "oauth2_client_secret" {
# force_new = true
yaml_body = <<-EOF
apiVersion: v1
kind: Secret
metadata:
name: "${local.app_slug}-oauth2"
namespace: "${var.namespace}"
labels: ${jsonencode(local.oauth2_labels)}
ownerReferences: ${jsonencode(var.owner_references)}
data:
oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
client_id: "${base64encode(random_uuid.client_id.result)}"
client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
EOF
}
# resource "kubernetes_secret" "oauth2_client_secret" {
# metadata {
# name = "${local.app_slug}-oauth2"
# namespace = var.namespace
# labels = local.oauth2_labels
# }
# data = {
# oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
# client_id = data.kubernetes_secret_v1.secret_gen.data["client_id"]
# client_secret = authentik_provider_oauth2.oauth2.client_secret
# }
# }

28
oauth2/outputs.tf
View File

@@ -1,38 +1,36 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_oauth2.oauth2.id value = authentik_provider_oauth2.oauth2.id
} }
output "sso_signout_url" { output "sso_signout_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/end-session/"
} }
output "sso_configuration_url" { output "sso_configuration_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
} }
output "sso_userinfo_url" { output "sso_userinfo_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/userinfo/"
} }
output "sso_authorize_url" { output "sso_authorize_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/authorize/"
} }
output "sso_token_url" { output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
} }
output "client_id" { output "client_id" {
value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] value = random_uuid.client_id.result
}
output "client_secret" {
value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"]
} }
output "secret_client_id_name" { output "client_secret" {
value = kubectl_manifest.oauth2-secret.name value = authentik_provider_oauth2.oauth2.client_secret
} }
output "secret_client_secret_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name output "oauth2_secret_name" {
} value = kubectl_manifest.oauth2_client_secret.name
output "secret_client_id_key" {
value = "client-id"
}
output "secret_client_secret_key" {
value = "client-secret"
} }

9
oauth2/providers.tf
View File

@@ -1,5 +1,6 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = { kubernetes = {
source = "hashicorp/kubernetes" source = "hashicorp/kubernetes"
@@ -10,8 +11,12 @@ terraform {
version = "~> 1.14.0" version = "~> 1.14.0"
} }
authentik = { authentik = {
source = "goauthentik/authentik" source = "registry.terraform.io/goauthentik/authentik"
version = "~> 2023.5.0" version = "2024.10.0"
}
random = {
source = "hashicorp/random"
version = "3.6.3"
} }
} }
} }

38
oauth2/variables.tf
View File

@@ -20,3 +20,41 @@ variable "redirect_path" {
type = string type = string
default = "" default = ""
} }
variable "group_mapping" {
type = map(string)
default = {}
description = "Group mapping where key is authentik suffix group name and value is the application group name"
}
variable "owner_references" {
type = list(object({}))
description = "Adding owner references"
default = []
}
variable "scopes" {
type = list(string)
description = "List of default scope allowed"
default = [
"scope-email",
"scope-openid",
"scope-profile",
]
}
variable "scope_attributes" {
type = string
description = "Authentik expression for scope mapping"
default = ""
}
variable "client_type" {
type = string
description = "OAuth client type confidential / public(PKCE)"
default = "confidential"
validation {
condition = contains(["confidential", "public"], var.client_type)
error_message = "Only empty confidential or public is allowed"
}
}
variable "cert_sign_secret_name" {
type = string
description = "The name of the secret for signing JWT (if empty use authentik default)"
default = ""
}

24
postgresql/outputs.tf
View File

@@ -1,3 +1,23 @@
output "host" { output "conn_string" {
value = "${var.app_slug}-redis.${var.namespace}.svc" value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
}
output "service" {
value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-pg-rw"
}
output "db_name" {
value = var.component
}
output "db_port" {
value = "5432"
}
output "secret_name" {
value = "${local.app_slug}-pg-app"
} }

30
postgresql/postgresql.tf
View File

@@ -1,21 +1,21 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pg-labels = merge(local.labels, { pg_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg" "app.kubernetes.io/component" = "pg"
}) })
pool-labels = merge(local.labels, { pool_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg-pool" "app.kubernetes.io/component" = "pg-pool"
}) })
} }
resource "kubectl_manifest" "prj_pg" { resource "kubectl_manifest" "pg" {
yaml_body = join("", concat([<<-EOF yaml_body = join("", concat([<<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)} labels: ${jsonencode(local.pg_labels)}
annotations: annotations:
"k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean" "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
"k8up.io/file-extension": ".sql" "k8up.io/file-extension": ".sql"
@@ -34,7 +34,7 @@ resource "kubectl_manifest" "prj_pg" {
], var.backups.enable&&var.backups.use_barman?[<<-EOF ], var.backups.enable&&var.backups.use_barman?[<<-EOF
backup: backup:
barmanObjectStore: barmanObjectStore:
destinationPath: "s3://${var.app_slug}-${var.namespace}/" destinationPath: "s3://${local.app_slug}-${var.namespace}/"
endpointURL: "${var.backups.endpoint}/barman" endpointURL: "${var.backups.endpoint}/barman"
s3Credentials: s3Credentials:
accessKeyId: accessKeyId:
@@ -47,7 +47,7 @@ resource "kubectl_manifest" "prj_pg" {
]:[""])) ]:[""]))
} }
resource "kubectl_manifest" "prj_pg_backup" { resource "kubectl_manifest" "pg_backup" {
count = var.backups.enable ? 1:0 count = var.backups.enable ? 1:0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
@@ -55,7 +55,7 @@ resource "kubectl_manifest" "prj_pg_backup" {
metadata: metadata:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)} labels: ${jsonencode(local.pg_labels)}
spec: spec:
schedule: "${var.backups.schedule.db}" schedule: "${var.backups.schedule.db}"
backupOwnerReference: self backupOwnerReference: self
@@ -64,15 +64,15 @@ resource "kubectl_manifest" "prj_pg_backup" {
EOF EOF
} }
resource "kubectl_manifest" "prj_pg_pool" { resource "kubectl_manifest" "pg_pool" {
depends_on = [kubectl_manifest.prj_pg] depends_on = [kubectl_manifest.pg]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Pooler kind: Pooler
metadata: metadata:
name: "${local.app_slug}-pool" name: "${local.app_slug}-pool"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pool-labels)} labels: ${jsonencode(local.pool_labels)}
spec: spec:
cluster: cluster:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
@@ -85,3 +85,11 @@ resource "kubectl_manifest" "prj_pg_pool" {
default_pool_size: "10" default_pool_size: "10"
EOF EOF
} }
data "kubernetes_secret_v1" "credentials" {
depends_on = [ kubectl_manifest.pg ]
metadata {
name = "${local.app_slug}-pg-app"
namespace = var.namespace
}
}

5
postgresql/providers.tf
View File

@@ -1,5 +1,10 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"

24
postgresql/variables.tf
View File

@@ -25,21 +25,25 @@ variable "backups" {
"use_barman" = false "use_barman" = false
} }
type = object({ type = object({
enable = optional(bool), enable = optional(bool, false),
endpoint = optional(string), endpoint = optional(string, ""),
key_id_key = optional(string), key_id_key = optional(string, "s3-id"),
restic_key = optional(string), restic_key = optional(string, "bck-password"),
schedule = optional(object({ schedule = optional(object({
db = optional(string), db = string,
})), }), { db = "30 3 * * *" }),
secret_key = optional(string), secret_key = optional(string, "s3-secret"),
secret_name = optional(string), secret_name = optional(string, "backup-settings"),
use_barman = optional(bool) use_barman = optional(bool, false)
}) })
} }
variable "images" { variable "images" {
type = object({ type = object({
postgresql = optional(object({registry = optional(string), repository = optional(string), tag = optional(number)})), postgresql = optional(object({
registry = optional(string),
repository = optional(string),
tag = optional(number)
})),
}) })
default = { default = {
"postgresql" = { "postgresql" = {

11
pvc/providers.tf
View File

@@ -1,8 +1,13 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = { kubernetes = {
source = "gavinbunney/kubectl" source = "hashicorp/kubernetes"
version = "~> 1.14.0" version = "~> 2.20.0"
} }
# kubectl = {
# source = "gavinbunney/kubectl"
# version = "~> 1.14.0"
# }
} }
} }

81
pvc/pvc.tf
View File

@@ -1,27 +1,62 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pvc_spec = merge({ pvc_labels = merge(var.labels, {
"accessModes" = [var.storage.accessMode] "app.kubernetes.io/component" = "pvc"
"volumeMode" = var.storage.type })
"resources" = { pvc_annotations = {
"requests" = { "k8up.io/backup" = var.backup
"storage" = "${var.storage.size}" "resize.kubesphere.io/storage_limit" = var.storage.max_size
}
# pvc_spec = merge({
# "accessModes" = [var.storage.access_mode]
# "volumeMode" = var.storage.type
# "resources" = {
# "requests" = {
# "storage" = var.storage.size
# }
# }
# }, var.storage.class != "" ? {
# "storageClassName" = var.storage.class
# } : {})
}
# resource "kubectl_manifest" "pvc" {
# ignore_fields = [
# "spec.resources.requests.storage",
# "spec.storageClassName",
# ]
# yaml_body = <<-EOF
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: ${local.app_slug}
# namespace: "${var.namespace}"
# annotations:
# k8up.io/backup: "${var.backup}"
# resize.kubesphere.io/storage_limit: "${var.storage.max_size}"
# labels: ${jsonencode(local.pvc_labels)}
# spec: ${jsonencode(local.pvc_spec)}
# EOF
# }
resource "kubernetes_persistent_volume_claim_v1" "pvc" {
metadata {
name = local.app_slug
namespace = var.namespace
annotations = local.pvc_annotations
labels = local.pvc_labels
}
spec {
access_modes = [var.storage.access_mode]
resources {
requests = {
storage = var.storage.size
} }
} }
}, var.storage.volume.class != "" ?{ storage_class_name = var.storage.class
"storageClassName" = var.storage.class }
}:{}) lifecycle {
} ignore_changes = [
resource "kubectl_manifest" "pvc" { spec[0].resources[0].requests[0],
yaml_body = <<-EOF spec[0].storage_class_name,
apiVersion: v1 ]
kind: PersistentVolumeClaim }
metadata:
name: ${local.app_slug}
namespace: "${var.namespace}"
annotations:
k8up.io/backup: "true"
labels: ${jsonencode(local.labels)}
spec: ${jsonencode(local.pvc_spec)}
EOF
} }

20
pvc/variables.tf
View File

@@ -12,15 +12,15 @@ variable "labels" {
} }
variable "storage" { variable "storage" {
type = object({ type = object({
accessMode = optional(string), access_mode = optional(string, "ReadWriteOnce"),
class = optional(string), class = optional(string, ""),
size = optional(string), size = optional(string, "2Gi"),
type = optional(string) max_size = optional(string, "10Gi"),
type = optional(string, "Filesystem")
}) })
default = { }
"accessMode" = "ReadWriteOnce"
"class" = "" variable "backup" {
"size" = "10Gi" type = bool
"type" = "Filesystem" default = true
}
} }

23
rabbitmq/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "conn_string" {
value = "mqtt://${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.rabbit_secret.data["password"])}@${local.app_slug}-mq.${var.namespace}.svc:1883"
}
output "service" {
value = "${local.app_slug}-mq.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-mq"
}
output "db_port" {
value = "1883"
}
output "cert_secret_name" {
value = local.secret_name
}
output "user_secret_name" {
value = "${local.app_slug}-user"
}

8
rabbitmq/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
}
}

101
rabbitmq/rabbitmq.tf Normal file
View File

@@ -0,0 +1,101 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
rabbit_labels = merge(var.labels, {
"app.kubernetes.io/component" = "rabbitmq"
})
secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
pvc_spec = merge({
"storage" = var.storage.size
}, var.storage.class != "" ? {
"storageClassName" = var.storage.class
} : {})
}
resource "kubectl_manifest" "certificate" {
count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
secretName: "${local.secret_name}"
dnsNames:
- "${local.app_slug}-mq.${var.namespace}.svc"
- "*.${local.app_slug}-mq-nodes.${var.namespace}.svc"
issuerRef:
kind: "ClusterIssuer"
name: "${var.issuer}"
group: "cert-manager.io"
EOF
}
resource "kubectl_manifest" "rabbit_secret" {
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-user"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
forceRegenerate: false
data:
username: "${var.instance}"
port: "5672"
host: "${local.app_slug}-mq.${var.namespace}.svc"
fields:
- fieldName: "password"
length: "32"
EOF
}
data "kubernetes_secret_v1" "rabbit_secret" {
depends_on = [kubectl_manifest.rabbit_secret]
metadata {
name = "${local.app_slug}-user"
namespace = var.namespace
labels = local.rabbit_labels
}
}
# based on https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples
resource "kubectl_manifest" "rabbitmq" {
depends_on = [
kubectl_manifest.certificate,
kubectl_manifest.rabbit_secret,
data.kubernetes_secret_v1.rabbit_secret,
]
yaml_body = <<-EOF
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
name: "${local.app_slug}-mq"
namespace: "${var.namespace}"
labels: ${jsonencode(local.rabbit_labels)}
spec:
replicas: ${var.replicas}
image: "${var.image.registry}/${var.image.repository}:${var.image.tag}"
imagePullPolicy: "${var.image.pull_policy}"
persistence: ${jsonencode(local.pvc_spec)}
resources: ${jsonencode(var.resources)}
tls:
secretName: ${local.secret_name}
rabbitmq:
erlangInetConfig: |
{inet6, true}.
envConfig: |
SERVER_ADDITIONAL_ERL_ARGS="-kernel inetrc '/etc/rabbitmq/erl_inetrc' -proto_dist inet6_tcp"
RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"
additionalConfig: |
cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
default_user=${data.kubernetes_secret_v1.rabbit_secret.data["username"]}
default_pass=${data.kubernetes_secret_v1.rabbit_secret.data["password"]}
additionalPlugins: ${jsonencode(var.plugins)}
service:
ipFamilyPolicy: "PreferDualStack"
EOF
}

78
rabbitmq/variables.tf Normal file
View File

@@ -0,0 +1,78 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "issuer" {
type = string
}
variable "replicas" {
type = number
default = 1
}
variable "image" {
type = object({
registry = optional(string),
repository = optional(string),
tag = optional(string),
pull_policy = optional(string)
})
description = "Image parameters"
default = {
"registry" = "docker.io"
"repository" = "rabbitmq"
"tag" = "3.11.28-management-alpine"
"pull_policy" = "IfNotPresent"
}
}
variable "storage" {
description = "Storage parameters"
type = object({
class = optional(string),
size = optional(string),
})
default = {
class = ""
size = "1Gi"
}
}
variable "resources" {
description = "Resources parameters"
type = object({
requests = optional(object({
cpu = optional(string),
memory = optional(string)
})),
limits = optional(object({
cpu = optional(string),
memory = optional(string)
}))
})
default = {
requests = {
cpu = "1000m",
memory = "2Gi"
},
limits = {
cpu = "1000m",
memory = "2Gi"
}
}
}
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty a new one will be created"
}
variable "plugins" {
description = "RabitMQ plugins"
type = list(string)
default = ["rabbitmq_mqtt", "rabbitmq_web_mqtt"]
}

19
redis/outputs.tf
View File

@@ -1,6 +1,19 @@
output "host" { output "conn_string" {
value = "tcp://${local.app_slug}-redis.${var.namespace}.svc:6379"
}
output "service" {
value = "${local.app_slug}-redis.${var.namespace}.svc" value = "${local.app_slug}-redis.${var.namespace}.svc"
} }
output "url" {
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379" output "port" {
value = 6379
}
output "db_host" {
value = "${local.app_slug}-redis"
}
output "secret_name" {
value = lookup(var.password, "name", "")
} }

12
redis/redis.tf
View File

@@ -1,17 +1,17 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
redis-labels = merge(var.labels, { redis_labels = merge(var.labels, {
"app.kubernetes.io/component" = "redis" "app.kubernetes.io/component" = "redis"
}) })
cfg = merge({ cfg = merge({
"image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}" "image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
"imagePullPolicy" = "${var.images.redis.pullPolicy}" "imagePullPolicy" = var.images.redis.pull_policy
},lookup(var.password, "enabled", false)?{ }, lookup(var.password, "enabled", false) ? {
redisSecret = { redisSecret = {
name = lookup(var.password, "name", var.component) name = lookup(var.password, "name", var.component)
key = lookup(var.password, "key", "redis-password") key = lookup(var.password, "key", "redis-password")
} }
}:{}) } : {})
} }
resource "kubectl_manifest" "redis" { resource "kubectl_manifest" "redis" {
@@ -21,7 +21,7 @@ resource "kubectl_manifest" "redis" {
metadata: metadata:
name: "${local.app_slug}-redis" name: "${local.app_slug}-redis"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.redis-labels)} labels: ${jsonencode(local.redis_labels)}
spec: spec:
kubernetesConfig: ${jsonencode(local.cfg)} kubernetesConfig: ${jsonencode(local.cfg)}
storage: storage:

12
redis/variables.tf
View File

@@ -10,25 +10,21 @@ variable "namespace" {
variable "labels" { variable "labels" {
type = map(string) type = map(string)
} }
variable "annotations" {
type = map(string)
default = {}
}
variable "images" { variable "images" {
type = object({ type = object({
redis = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})), redis = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
redis_exporter = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})) redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
}) })
default = { default = {
"redis" = { "redis" = {
"pullPolicy" = "IfNotPresent" "pull_policy" = "IfNotPresent"
"registry" = "quay.io" "registry" = "quay.io"
"repository" = "opstree/redis" "repository" = "opstree/redis"
"tag" = "v7.0.12" "tag" = "v7.0.12"
} }
"redis_exporter" = { "redis_exporter" = {
"pullPolicy" = "IfNotPresent" "pull_policy" = "IfNotPresent"
"registry" = "quay.io" "registry" = "quay.io"
"repository" = "opstree/redis-exporter" "repository" = "opstree/redis-exporter"
"tag" = "v1.44.0" "tag" = "v1.44.0"

10
saml/outputs.tf
View File

@@ -1,3 +1,11 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_saml.prj.id value = authentik_provider_saml.prj.id
} }
output "metadata_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/api/v3/providers/saml/${authentik_provider_saml.prj.id}/metadata/?download"
}
output "saml_certificate_secret_name" {
value = "${local.app_slug}-saml"
}

5
saml/providers.tf
View File

@@ -1,5 +1,10 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"
version = "~> 1.14.0" version = "~> 1.14.0"

18
saml/saml.tf
View File

@@ -1,13 +1,13 @@
locals{ locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
saml_labels = merge(var.labels, { saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml" "app.kubernetes.io/component" = "authentik-saml"
}) })
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
@@ -51,8 +51,8 @@ resource "kubectl_manifest" "saml_certificate" {
resource "authentik_provider_saml" "prj" { resource "authentik_provider_saml" "prj" {
name = "${local.app_slug}-saml" name = "${local.app_slug}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}" acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
@@ -60,3 +60,9 @@ resource "authentik_provider_saml" "prj" {
sp_binding = var.binding sp_binding = var.binding
} }
data "kubernetes_ingress_v1" "authentik" {
metadata {
name = "authentik"
namespace = "${var.domain}-auth"
}
}

6
saml/variables.tf
View File

@@ -4,6 +4,12 @@ variable "component" {
variable "instance" { variable "instance" {
type = string type = string
} }
variable "namespace" {
type = string
}
variable "domain" {
type = string
}
variable "issuer" { variable "issuer" {
type = string type = string
} }

14
service/outputs.tf
View File

@@ -1,11 +1,15 @@
output "name" { output "name" {
value = "${local.app_slug}" value = local.app_slug
} }
output "default_definition" { output "ingress_backend_exposure" {
value = { value = [for port_map in var.port_mapper :
"name" = "${local.app_slug}" {
"service" = {
"name" = local.app_slug
"port" = { "port" = {
"number" = var.ports[0] "name" = port_map.name
} }
} }
}
]
} }

1
service/providers.tf
View File

@@ -1,4 +1,5 @@
terraform { terraform {
required_version = ">= 1.0"
required_providers { required_providers {
kubectl = { kubectl = {
source = "gavinbunney/kubectl" source = "gavinbunney/kubectl"

65
service/svc.tf
View File

@@ -1,58 +1,51 @@
locals { locals {
selector = var.selector==null?var.labels:var.selector app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}" selector = length(var.selector) > 0 ? var.selector : var.labels
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : { default_ports = var.svc_type != "NodePort" ? [for port_map in var.port_mapper : {
"name" = target "name" = lower(port_map.name != null && port_map.name != "" ? port_map.name : "${port_map.port}-${port_map.protocol}")
"port" = var.ports[idx] "port" = port_map.port
"protocol" = var.protocols[idx] "protocol" = port_map.protocol
"targetPort" = target "targetPort" = port_map.target
}] : [] }] : []
ext_ports = var.svc_type == "ExternalName" ? [for idx, target in var.targets : { node_ports = var.svc_type == "NodePort" ? [for port_map in var.port_mapper : {
"name" = target "port" = port_map.port
"port" = var.ports[idx] "targetPort" = port_map.target
"protocol" = var.protocols[idx] "nodePort" = port_map.port
"targetPort" = var.ports[idx]
}] : []
lb_ports = var.svc_type == "LoadBalancer" ? [for idx, port in var.lb_ports : {
"port" = port
"targetPort" = var.ports[idx]
}] : []
node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
"port" = port
"targetPort" = port
"nodePort" = var.node_ports[idx]
}] : [] }] : []
metadata = merge( metadata = merge(
{ {
"name"= "${local.app_slug}" "name" = local.app_slug
"namespace"= var.namespace "namespace" = var.namespace
"labels"= var.labels "labels" = var.labels
}, },
length(var.annotations) > 0 ? { length(var.annotations) > 0 ? {
"annotations"= var.annotations "annotations" = var.annotations
} : {} } : {}
) )
spec = { spec = {
"ClusterIP" = { "ClusterIP" = {
type = "ClusterIP" type = "ClusterIP"
ports = local.cluster_ports ports = local.default_ports
selector = local.selector selector = local.selector
ipFamilyPolicy = var.ip_family
}, },
"ExternalName" = { "ExternalName" = {
type = "ExternalName" type = "ExternalName"
externalName = var.target_host externalName = var.target_host
ports = local.ext_ports ports = local.default_ports
}, },
"NodePort" = { "NodePort" = {
type = "NodePort" type = "NodePort"
selector = local.selector selector = local.selector
ports = local.node_ports ports = local.node_ports
ipFamilyPolicy = var.ip_family
}, },
"LoadBalancer" = { "LoadBalancer" = {
type = "LoadBalancer" type = "LoadBalancer"
selector = local.selector selector = local.selector
ports = local.lb_ports ports = local.default_ports
externalTrafficPolicy = var.lb_policy externalTrafficPolicy = var.lb_policy
ipFamilyPolicy = var.ip_family
} }
} }
} }
@@ -64,3 +57,19 @@ resource "kubectl_manifest" "service" {
spec: ${jsonencode(local.spec[var.svc_type])} spec: ${jsonencode(local.spec[var.svc_type])}
EOF EOF
} }
resource "kubectl_manifest" "endpoint" {
count = var.svc_type == "ExternalName" ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Endpoints
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
ownerReferences: ${jsonencode(var.owner_references)}
subsets:
- addresses:
- ip: ${var.target_host}
ports: ${jsonencode([for port_map in var.port_mapper : { "port" = port_map.port }])}
EOF
}

71
service/variables.tf
View File

@@ -9,10 +9,12 @@ variable "namespace" {
} }
variable "labels" { variable "labels" {
type = map(string) type = map(string)
description = "Service labels"
} }
variable "selector" { variable "selector" {
type = map(string) type = map(string)
default = null description = "Service selector labels (default same as labels)"
default = {}
} }
variable "annotations" { variable "annotations" {
type = map(string) type = map(string)
@@ -26,38 +28,49 @@ variable "svc_type" {
error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed" error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
} }
} }
variable "ports" {
type = list(number) variable "ip_family" {
default = [80] type = string
} default = "PreferDualStack"
variable "targets" {
type = list(string)
default = ["http"]
}
variable "protocols" {
type = list(any)
default = ["TCP"]
validation { validation {
condition = alltrue([for proto in var.protocols : contains(["TCP", "UDP"], proto)]) condition = contains(["SingleStack", "PreferDualStack"], var.ip_family)
error_message = "Only TCP or UDP is allowed" error_message = "Only SingleStack or PreferDualStack is allowed"
} }
} }
variable "port_mapper" {
description = "List information for port mapping in the service"
type = list(object({
name = optional(string)
port = number
protocol = string
target = string
}))
default = [{
"name" = "80-TCP",
"port" = 80,
"protocol" = "TCP"
"target" = "80-TCP"
}]
validation {
condition = alltrue(
[for port_map in var.port_mapper : contains(["TCP", "UDP"], port_map.protocol)]
)
error_message = "Only numeric on containerPort and TCP or UDP on protocol is allowed"
}
# validation {
# condition = (var.svc_type == "NodePort") == alltrue(
# [for port_map in var.port_mapper : port_map.port >= 30000 && port_map.port <= 32767]
# )
# error_message = "The range of valid ports is 30000-32767 for a NodePort type"
# }
}
variable "target_host" { variable "target_host" {
type = string type = string
default = "" default = ""
} }
variable "node_ports" {
type = list(number)
default = [30080]
validation {
condition = alltrue([for port in var.node_ports : port >= 30000 && port <= 32767])
error_message = "The range of valid ports is 30000-32767"
}
}
variable "lb_ports" {
type = list(number)
default = [8080]
}
variable "lb_policy" { variable "lb_policy" {
type = string type = string
default = "Cluster" default = "Cluster"
@@ -66,3 +79,9 @@ variable "lb_policy" {
error_message = "Only Cluster or Local is allowed" error_message = "Only Cluster or Local is allowed"
} }
} }
variable "owner_references" {
type = list(object({}))
description = "Adding owner references"
default = []
}