vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:main
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:feature/refacto_underscore
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

1 Commits
main ... feature/re

Author SHA1 Message Date
Xavier Mortelette
1e1cedcaeb Refacto and add modules 2024-03-15 17:11:30 +01:00
47 changed files with 685 additions and 360 deletions
Expand all files Collapse all files

24
application/application.tf
View File

@@ -1,6 +1,8 @@
locals { locals {
app_name = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
main_group = format("app-%s", local.app_name) app_name = var.app_name != "" ? var.app_name : var.component == var.instance ? var.instance : format("%s-%s", var.instance, var.component)
main_group = format("app-%s", local.app_slug)
url_icon = startswith(var.icon, "fa-") ? "fa://${var.icon}" : format("https://%s/%s", var.dns_name, var.icon)
} }
data "authentik_group" "akadmin" { data "authentik_group" "akadmin" {
name = "authentik Admins" name = "authentik Admins"
@@ -16,31 +18,31 @@ resource "authentik_group" "subgroup" {
parent = authentik_group.groups.id parent = authentik_group.groups.id
} }
resource "authentik_application" "prj_app" { resource "authentik_application" "app" {
name = var.instance name = var.app_name
slug = "${var.component}-${var.instance}" slug = local.app_slug
group = var.app_group group = var.app_group
protocol_provider = var.protocol_provider protocol_provider = var.protocol_provider
backchannel_providers = var.backchannel_providers backchannel_providers = var.backchannel_providers
meta_launch_url = format("https://%s", var.dns_name) meta_launch_url = format("https://%s", var.dns_name)
meta_icon = format("https://%s/%s", var.dns_name, var.icon) meta_icon = local.url_icon
} }
resource "authentik_policy_expression" "policy" { resource "authentik_policy_expression" "policy" {
name = local.main_group name = "${local.app_slug}-${local.main_group}"
expression = <<-EOF expression = <<-EOF
attr = request.user.group_attributes() attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF EOF
} }
resource "authentik_policy_binding" "prj_access_users" { resource "authentik_policy_binding" "access_users" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
policy = authentik_policy_expression.policy.id policy = authentik_policy_expression.policy.id
order = 0 order = 0
} }
resource "authentik_policy_binding" "prj_access_vynil" { resource "authentik_policy_binding" "access_vynil" {
target = authentik_application.prj_app.uuid target = authentik_application.app.uuid
group = data.authentik_group.akadmin.id group = data.authentik_group.akadmin.id
order = 1 order = 1
} }

6
application/outputs.tf
View File

@@ -1,8 +1,8 @@
output "application-id" { output "application_id" {
value = authentik_application.prj_app.uuid value = authentik_application.app.uuid
} }
output "policy-id" { output "policy_id" {
value = authentik_policy_expression.policy.id value = authentik_policy_expression.policy.id
} }
output "main_group" { output "main_group" {

4
application/variables.tf
View File

@@ -17,6 +17,10 @@ variable "protocol_provider" {
variable "dns_name" { variable "dns_name" {
type = string type = string
} }
variable "app_name" {
type = string
default = ""
}
variable "sub_groups" { variable "sub_groups" {
type = list(string) type = list(string)
default = [] default = []

19
backup/backup.tf
View File

@@ -1,16 +1,15 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
} }
resource "kubectl_manifest" "backup_schedule" { resource "kubectl_manifest" "backup_schedule" {
count = var.backups.enable ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: k8up.io/v1 apiVersion: k8up.io/v1
kind: Schedule kind: Schedule
metadata: metadata:
name: "${var.app_slug}-backup" name: "${local.app_slug}-backup"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.labels)} labels: ${jsonencode(var.labels)}
spec: spec:
backend: backend:
repoPasswordSecretRef: repoPasswordSecretRef:
@@ -20,11 +19,11 @@ resource "kubectl_manifest" "backup_schedule" {
accessKeyIDSecretRef: accessKeyIDSecretRef:
key: "${var.backups.key_id_key}" key: "${var.backups.key_id_key}"
name: "${var.backups.secret_name}" name: "${var.backups.secret_name}"
bucket: "${var.app_slug}-${var.namespace}" bucket: "${local.app_slug}-${var.namespace}"
endpoint: "${var.backups.endpoint}/restic" endpoint: "${var.backups.endpoint}/restic"
secretAccessKeySecretRef: secretAccessKeySecretRef:
key: "${var.backups.secret_key}" key: "${var.backups.secret_key}"
name: "${var.backups.secret-name}" name: "${var.backups.secret_name}"
backup: backup:
schedule: "${var.backups.schedule.backup}" schedule: "${var.backups.schedule.backup}"
failedJobsHistoryLimit: 2 failedJobsHistoryLimit: 2
@@ -33,10 +32,10 @@ resource "kubectl_manifest" "backup_schedule" {
schedule: "${var.backups.schedule.check}" schedule: "${var.backups.schedule.check}"
prune: prune:
retention: retention:
keepDaily: ${var.backups.retention.keepDaily} keepDaily: ${var.backups.retention.keep_daily}
keepMonthly: ${var.backups.retention.keepMonthly} keepMonthly: ${var.backups.retention.keep_monthly}
keepWeekly: ${var.backups.retention.keepWeekly} keepWeekly: ${var.backups.retention.keep_weekly}
keepYearly: ${var.backups.retention.keepYearly} keepYearly: ${var.backups.retention.keep_yearly}
schedule: "${var.backups.schedule.prune}" schedule: "${var.backups.schedule.prune}"
EOF EOF
} }

16
backup/variables.tf
View File

@@ -17,10 +17,10 @@ variable "backups" {
"key_id_key" = "s3-id" "key_id_key" = "s3-id"
"restic_key" = "bck-password" "restic_key" = "bck-password"
"retention" = { "retention" = {
"keepDaily" = 14 "keep_daily" = 14
"keepMonthly" = 12 "keep_monthly" = 12
"keepWeekly" = 6 "keep_weekly" = 6
"keepYearly" = 12 "keep_yearly" = 12
} }
"schedule" = { "schedule" = {
"backup" = "30 3 * * *" "backup" = "30 3 * * *"
@@ -38,10 +38,10 @@ variable "backups" {
key_id_key = optional(string), key_id_key = optional(string),
restic_key = optional(string), restic_key = optional(string),
retention = optional(object({ retention = optional(object({
keepDaily = optional(number), keep_daily = optional(number),
keepMonthly = optional(number), keep_monthly = optional(number),
keepWeekly = optional(number), keep_weekly = optional(number),
keepYearly = optional(number) keep_yearly = optional(number)
})), })),
schedule = optional(object({ schedule = optional(object({
backup = optional(string), backup = optional(string),

18
forward/forward.tf
View File

@@ -1,6 +1,4 @@
locals { locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}" app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
forward_labels = merge(var.labels, { forward_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-forward" "app.kubernetes.io/component" = "authentik-forward"
@@ -19,9 +17,11 @@ locals {
}] }]
} }
}] }]
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
} }
resource "kubectl_manifest" "prj_ingress_icon" { resource "kubectl_manifest" "ingress_icon" {
force_conflicts = true force_conflicts = true
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1" apiVersion: "networking.k8s.io/v1"
@@ -39,20 +39,20 @@ resource "kubectl_manifest" "prj_ingress_icon" {
EOF EOF
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
resource "authentik_provider_proxy" "prj_forward" { resource "authentik_provider_proxy" "forward" {
name = local.app_slug name = local.app_slug
external_host = local.external_url external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
mode = "forward_single" mode = "forward_single"
access_token_validity = var.access_token_validity access_token_validity = var.access_token_validity
} }
data "http" "get_forward_outpost" { data "http" "get_forward_outpost" {
depends_on = [authentik_provider_proxy.prj_forward] depends_on = [authentik_provider_proxy.forward]
url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward" url = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
method = "GET" method = "GET"
request_headers = var.request_headers request_headers = var.request_headers
@@ -68,11 +68,11 @@ resource "restapi_object" "forward_outpost_binding" {
path = "/outposts/instances/${local.forward_outpost_pk}/" path = "/outposts/instances/${local.forward_outpost_pk}/"
data = jsonencode({ data = jsonencode({
name = "forward" name = "forward"
providers = contains(local.forward_outpost_providers, authentik_provider_proxy.prj_forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.prj_forward.id]) providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
}) })
} }
resource "kubectl_manifest" "prj_middleware" { resource "kubectl_manifest" "middleware" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware

4
forward/outputs.tf
View File

@@ -1,5 +1,5 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_proxy.prj_forward.id value = authentik_provider_proxy.forward.id
} }
output "sso_logout" { output "sso_logout" {

18
forward/variables.tf
View File

@@ -6,10 +6,6 @@ variable "instance" {
type = string type = string
} }
variable "icon" {
type = string
}
variable "domain" { variable "domain" {
type = string type = string
} }
@@ -18,12 +14,16 @@ variable "namespace" {
type = string type = string
} }
variable "labels" {
type = map(string)
}
variable "ingress_class" { variable "ingress_class" {
type = string type = string
} }
variable "labels" { variable "icon" {
type = map(string) type = string
} }
variable "dns_names" { variable "dns_names" {
@@ -41,6 +41,12 @@ variable "app_name" {
} }
variable "service" { variable "service" {
type = object({
name = string
port = object({
number = number
})
})
} }
variable "request_headers" { variable "request_headers" {

23
ingress/ingress.tf
View File

@@ -7,18 +7,19 @@ locals {
rules = [for v in var.dns_names : { rules = [for v in var.dns_names : {
"host" = "${v}" "host" = "${v}"
"http" = { "http" = {
"paths" = [for idx, svc in var.services : { "paths" = [for mapper in var.services_mapping : {
"path" = "/${var.sub_paths[idx]}" "path" = "/${mapper.path}"
"pathType" = "Prefix" "pathType" = "Prefix"
"backend" = { "backend" = {
"service" = svc "service" = mapper.service
} }
}] }]
} }
}] }]
tls = var.enforce_tls ? [ secret_name = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
tls = var.entrypoint == "" || length(regexall(".*websecure.*", var.entrypoint)) > 0 ? [
{ {
secretName = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert" secretName = local.secret_name
hosts = var.dns_names hosts = var.dns_names
} }
] : [] ] : []
@@ -36,8 +37,8 @@ locals {
) )
} }
resource "kubectl_manifest" "prj_certificate" { resource "kubectl_manifest" "certificate" {
count = var.create_cert ? 1 : 0 count = var.cert_name == "" ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "cert-manager.io/v1" apiVersion: "cert-manager.io/v1"
kind: "Certificate" kind: "Certificate"
@@ -46,7 +47,7 @@ resource "kubectl_manifest" "prj_certificate" {
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pres_labels)} labels: ${jsonencode(local.pres_labels)}
spec: spec:
secretName: "${local.app_slug}-cert" secretName: "${local.secret_name}"
dnsNames: ${jsonencode(var.dns_names)} dnsNames: ${jsonencode(var.dns_names)}
issuerRef: issuerRef:
kind: "ClusterIssuer" kind: "ClusterIssuer"
@@ -55,8 +56,8 @@ resource "kubectl_manifest" "prj_certificate" {
EOF EOF
} }
resource "kubectl_manifest" "prj_https_redirect" { resource "kubectl_manifest" "https_redirect" {
count = var.create_redirect || var.component == "" ? 1 : 0 count = var.create_redirect ? 1 : 0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "traefik.io/v1alpha1" apiVersion: "traefik.io/v1alpha1"
kind: "Middleware" kind: "Middleware"
@@ -71,7 +72,7 @@ resource "kubectl_manifest" "prj_https_redirect" {
EOF EOF
} }
resource "kubectl_manifest" "prj_ingress" { resource "kubectl_manifest" "ingress" {
force_conflicts = true force_conflicts = true
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "networking.k8s.io/v1" apiVersion: "networking.k8s.io/v1"

2
ingress/outputs.tf
View File

@@ -1,3 +1,3 @@
output "secret_name" { output "secret_name" {
value = var.create_cert ? "${local.app_slug}-cert":"" value = var.cert_name == "" ? "${local.app_slug}-cert" : var.cert_name
} }

46
ingress/variables.tf
View File

@@ -24,35 +24,37 @@ variable "middlewares" {
type = list(string) type = list(string)
default = [] default = []
} }
variable "services" {
type = list(any) variable "services_mapping" {
type = list(object({
path = optional(string)
service = object({
name= string
port = object({
number = number
})
})
}))
} }
variable "create_redirect" {
type = bool
default = true
}
variable "create_cert" {
type = bool
default = true
}
variable "enforce_tls" {
type = bool
default = true
}
variable "sub_paths" {
type = list(string)
default = [""]
}
variable "cert_name" {
type = string
default = ""
}
variable "entrypoint" { variable "entrypoint" {
type = string type = string
default = "" default = ""
description = "Define ingres support, if empty or define to websecure, tls will be activate"
validation { validation {
condition = contains(["", "web", "websecure"], var.entrypoint) condition = contains(["", "web", "websecure"], var.entrypoint)
error_message = "Only empty \"\", web or websecure is allowed" error_message = "Only empty \"\", web or websecure is allowed"
} }
} }
variable "cert_name" {
type = string
default = ""
description = "Give a secret name for tls, if empty and entrypointis websecure or empty, one will be created"
}
variable "create_redirect" {
type = bool
default = true
description = "Enfore https redirection"
}

157
ldap/ldap.tf Normal file
View File

@@ -0,0 +1,157 @@
locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
ldap_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-ldap"
})
base_dn = format("dc=%s", join(",dc=", split(".", var.dns_name)))
base_group_dn = format("ou=groups,%s", local.base_dn)
base_user_dn = format("ou=users,%s", local.base_dn)
authentik_base_url = "http://authentik.${var.domain}-auth.svc"
ldap_outpost_providers = jsondecode(data.http.get_ldap_outpost.response_body).results[0].providers
ldap_outpost_pk = jsondecode(data.http.get_ldap_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
sorted_group_names = reverse(distinct(sort([
for grp in var.user_groups : grp.name
])))
sorted_groups = flatten([
for name in local.sorted_group_names : [
for grp in var.user_groups :
grp if grp.name == name
]
])
}
data "authentik_group" "vynil_admin" {
name = "vynil-ldap-admins"
}
resource "authentik_group" "groups" {
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
attributes = jsonencode({ "${local.app_name}" = true })
}
data "authentik_group" "readed_groups" {
depends_on = [authentik_group.groups]
count = length(local.sorted_groups)
name = local.sorted_groups[count.index].name
}
resource "authentik_application" "application_ldap" {
name = local.app_slug
slug = "${local.app_slug}-ldap"
protocol_provider = authentik_provider_ldap.provider_ldap.id
meta_launch_url = "blank://blank"
}
resource "authentik_policy_expression" "policy" {
name = local.main_group
expression = <<-EOF
attr = request.user.group_attributes()
return attr['${local.app_name}'] if '${local.app_name}' in attr else False
EOF
}
resource "authentik_policy_binding" "ldap_access_users" {
target = authentik_application.application_ldap.uuid
policy = authentik_policy_expression.policy.id
order = 0
}
resource "authentik_policy_binding" "ldap_access_ldap" {
target = authentik_application.application_ldap.uuid
group = authentik_group.ldapsearch.id
order = 1
}
resource "authentik_policy_binding" "ldap_access_vynil" {
target = authentik_application.application_ldap.uuid
group = data.authentik_group.vynil_admin.id
order = 2
}
resource "kubectl_manifest" "ldap" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${local.app_slug}-ldapsearch"
namespace: "${var.namespace}"
labels: ${jsonencode(local.ldap_labels)}
data:
LDAP_ADMIN_USR: "${local.app_slug}-ldapsearch"
spec:
forceRegenerate: false
fields:
- fieldName: "LDAP_ADMIN_PASS"
length: "32"
EOF
}
data "kubernetes_secret_v1" "ldap_password" {
depends_on = [kubectl_manifest.ldap]
metadata {
name = kubectl_manifest.ldap.name
namespace = var.namespace
}
}
resource "authentik_user" "ldapsearch" {
username = "${local.app_slug}-ldapsearch"
name = "${local.app_slug}-ldapsearch"
}
resource "authentik_group" "ldapsearch" {
name = "${local.app_slug}-ldapsearch"
users = [authentik_user.ldapsearch.id]
}
data "http" "ldapsearch_password" {
url = "${local.authentik_base_url}/api/v3/core/users/${authentik_user.ldapsearch.id}/set_password/"
method = "POST"
request_headers = var.request_headers
request_body = jsonencode({
password = data.kubernetes_secret_v1.ldap_password.data["LDAP_ADMIN_PASS"]
})
lifecycle {
postcondition {
condition = contains([201, 204], self.status_code)
error_message = "Status code invalid"
}
}
}
data "authentik_flow" "ldap_authentication_flow" {
slug = "ldap-authentication-flow"
}
resource "authentik_provider_ldap" "provider_ldap" {
name = "${local.app_slug}-ldap"
base_dn = local.base_dn
search_group = authentik_group.ldapsearch.id
bind_flow = data.authentik_flow.ldap_authentication_flow.id
}
data "http" "get_ldap_outpost" {
depends_on = [authentik_policy_binding.ldap_access_users] # fake dependency so it is not evaluated at plan stage
url = "${local.authentik_base_url}/api/v3/outposts/instances/?name__iexact=ldap"
method = "GET"
request_headers = var.request_headers
lifecycle {
postcondition {
condition = contains([200], self.status_code)
error_message = "Status code invalid"
}
}
}
resource "restapi_object" "ldap_outpost_binding" {
path = "/outposts/instances/${local.ldap_outpost_pk}/"
data = jsonencode({
name = "ldap"
providers = contains(local.ldap_outpost_providers, authentik_provider_ldap.provider_ldap.id) ? local.ldap_outpost_providers : concat(local.ldap_outpost_providers, [authentik_provider_ldap.provider_ldap.id])
})
}

23
ldap/outputs.tf Normal file
View File

@@ -0,0 +1,23 @@
output "provider_id" {
value = authentik_provider_ldap.provider_ldap.id
}
output "ldap_address" {
value = "ak-outpost-ldap.${var.domain}-auth.svc"
}
output "ldap_search_account" {
value = "${local.app_slug}-ldapsearch"
}
output "base_dn" {
value = local.base_dn
}
output "base_group_dn" {
value = local.base_group_dn
}
output "base_user_dn" {
value = local.base_user_dn
}

24
ldap/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.20.0"
}
kubectl = {
source = "gavinbunney/kubectl"
version = "~> 1.14.0"
}
authentik = {
source = "goauthentik/authentik"
version = "~> 2023.5.0"
}
http = {
source = "hashicorp/http"
version = "~> 3.3.0"
}
restapi = {
source = "Mastercard/restapi"
version = "~> 1.18.0"
}
}
}

25
ldap/variables.tf Normal file
View File

@@ -0,0 +1,25 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_name" {
type = string
}
variable "request_headers" {
type = map(string)
}
variable "user_groups" {
type = map(string)
default = {}
}

46
mongo/mongo.tf
View File

@@ -1,13 +1,13 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"] mongo_labels = merge(var.labels, {
username = var.username==""?var.component==""?var.instance:var.component:var.username
db_name = var.db_name==""?var.component==""?var.instance:var.component:var.db_name
mongo-labels = merge(var.labels, {
"app.kubernetes.io/component" = "mongo" "app.kubernetes.io/component" = "mongo"
}) })
db_name = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
username = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
} }
resource "kubectl_manifest" "prj_mongo_secret" { resource "kubectl_manifest" "mongo_secret" {
ignore_fields = ["metadata.annotations"] ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1" apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -15,7 +15,7 @@ resource "kubectl_manifest" "prj_mongo_secret" {
metadata: metadata:
name: "${local.app_slug}-mongo" name: "${local.app_slug}-mongo"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
spec: spec:
forceRegenerate: false forceRegenerate: false
fields: fields:
@@ -23,21 +23,21 @@ resource "kubectl_manifest" "prj_mongo_secret" {
length: "16" length: "16"
EOF EOF
} }
data "kubernetes_secret_v1" "prj_mongo_secret" { data "kubernetes_secret_v1" "mongo_secret" {
depends_on = [ kubectl_manifest.prj_mongo_secret ] depends_on = [kubectl_manifest.mongo_secret]
metadata { metadata {
name = "${local.app_slug}-mongo" name = "${local.app_slug}-mongo"
namespace = var.namespace namespace = var.namespace
} }
} }
resource "kubectl_manifest" "prj_mongo" { resource "kubectl_manifest" "mongo" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: mongodbcommunity.mongodb.com/v1 apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity kind: MongoDBCommunity
metadata: metadata:
name: "${local.app_slug}-mongo" name: "${local.app_slug}-mongo"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
spec: spec:
members: 1 members: 1
type: ${var.mongo_type} type: ${var.mongo_type}
@@ -52,7 +52,7 @@ resource "kubectl_manifest" "prj_mongo" {
spec: spec:
containers: containers:
- name: mongod - name: mongod
imagePullPolicy: "${var.pullPolicy}" imagePullPolicy: "${var.pull_policy}"
resources: ${jsonencode(var.resources)} resources: ${jsonencode(var.resources)}
env: env:
- name: MONGODB_NAME - name: MONGODB_NAME
@@ -80,24 +80,24 @@ resource "kubectl_manifest" "prj_mongo" {
scramCredentialsSecretName: "${local.app_slug}-mongo-scram" scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_sa" { resource "kubectl_manifest" "mongo_sa" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_role" { resource "kubectl_manifest" "mongo_role" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
@@ -107,20 +107,20 @@ resource "kubectl_manifest" "prj_mongo_role" {
verbs: ["patch", "delete", "get"] verbs: ["patch", "delete", "get"]
EOF EOF
} }
resource "kubectl_manifest" "prj_mongo_rb" { resource "kubectl_manifest" "mongo_rb" {
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: "mongodb-database" name: "${local.app_slug}-mongodb-database"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.mongo-labels)} labels: ${jsonencode(local.mongo_labels)}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: mongodb-database name: ${local.app_slug}-mongodb-database
roleRef: roleRef:
kind: Role kind: Role
name: mongodb-database name: ${local.app_slug}-mongodb-database
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
EOF EOF
} }

4
mongo/outputs.tf
View File

@@ -1,11 +1,11 @@
output "url" { output "url" {
value = "mongodb://${local.username}:${local.mongo-password}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}" value = "mongodb://${urlencode(local.username)}:${urlencode(local.mongo_password)}@${local.app_slug}-mongo-svc.${var.namespace}.svc:27017/${local.db_name}"
} }
output "service" { output "service" {
value = "${local.app_slug}-mongo-svc.${var.namespace}.svc" value = "${local.app_slug}-mongo-svc.${var.namespace}.svc"
} }
output "password" { output "password" {
value = local.mongo-password value = local.mongo_password
} }
output "username" { output "username" {
value = local.username value = local.username

2
mongo/variables.tf
View File

@@ -26,7 +26,7 @@ variable "mongo_type" {
type = string type = string
default = "ReplicaSet" default = "ReplicaSet"
} }
variable "pullPolicy" { variable "pull_policy" {
type = string type = string
default = "IfNotPresent" default = "IfNotPresent"
} }

2
mysql/mysql.tf
View File

@@ -1,8 +1,8 @@
locals { locals {
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_labels = merge(var.labels, { mysql_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mysql" "app.kubernetes.io/component" = "mysql"
}) })
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc" mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"] mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"] mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]

15
mysql/outpost.tf
View File

@@ -1,12 +1,15 @@
output "dns_names" { output "conn_string" {
value = [ value = "mysql://${urlencode(data.kubernetes_secret_v1.mysql_secret.data["username"])}:${urlencode(data.kubernetes_secret_v1.mysql_secret.data["password"])}@${local.app_slug}-mysql.${var.namespace}.svc:3306/${var.database}"
"${local.app_slug}-mysql",
"${local.app_slug}-mysql-instances"
]
} }
output "mysql_host" {
output "service" {
value = "${local.app_slug}-mysql.${var.namespace}.svc"
}
output "host" {
value = "${local.app_slug}-mysql" value = "${local.app_slug}-mysql"
} }
output "secret_name" { output "secret_name" {
value = "${local.app_slug}-db" value = "${local.app_slug}-db"
} }

28
oauth2/oauth2.tf
View File

@@ -4,7 +4,7 @@ locals {
"app.kubernetes.io/component" = "authentik-oauth2" "app.kubernetes.io/component" = "authentik-oauth2"
}) })
} }
resource "kubectl_manifest" "oauth2-secret" { resource "kubectl_manifest" "oauth2_secret" {
ignore_fields = ["metadata.annotations"] ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1" apiVersion: "secretgenerator.mittwald.de/v1alpha1"
@@ -20,10 +20,10 @@ resource "kubectl_manifest" "oauth2-secret" {
length: "32" length: "32"
EOF EOF
} }
data "kubernetes_secret_v1" "oauth2-client-id" { data "kubernetes_secret_v1" "oauth2_client_id" {
depends_on = [kubectl_manifest.oauth2-secret] depends_on = [kubectl_manifest.oauth2_secret]
metadata { metadata {
name = kubectl_manifest.oauth2-secret.name name = kubectl_manifest.oauth2_secret.name
namespace = var.namespace namespace = var.namespace
labels = local.oauth2_labels labels = local.oauth2_labels
} }
@@ -40,18 +40,18 @@ data "authentik_scope_mapping" "oauth2" {
"goauthentik.io/providers/oauth2/scope-profile" "goauthentik.io/providers/oauth2/scope-profile"
] ]
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
resource "authentik_provider_oauth2" "oauth2" { resource "authentik_provider_oauth2" "oauth2" {
name = "${local.app_slug}" name = local.app_slug
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] client_id = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
client_type = "confidential" client_type = "confidential"
sub_mode = "user_username" sub_mode = "user_username"
signing_key = data.authentik_certificate_key_pair.ca.id signing_key = data.authentik_certificate_key_pair.ca.id
@@ -61,7 +61,7 @@ resource "authentik_provider_oauth2" "oauth2" {
] ]
} }
resource "kubernetes_secret_v1" "oauth2-client-secret" { resource "kubernetes_secret_v1" "oauth2_client_secret" {
metadata { metadata {
name = "${local.app_slug}-secret" name = "${local.app_slug}-secret"
namespace = var.namespace namespace = var.namespace
@@ -72,10 +72,10 @@ resource "kubernetes_secret_v1" "oauth2-client-secret" {
} }
} }
data "kubernetes_secret_v1" "oauth2-client-secret" { data "kubernetes_secret_v1" "oauth2_client_secret" {
depends_on = [kubernetes_secret_v1.oauth2-client-secret] depends_on = [kubernetes_secret_v1.oauth2_client_secret]
metadata { metadata {
name = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name name = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
namespace = var.namespace namespace = var.namespace
} }
} }

10
oauth2/outputs.tf
View File

@@ -1,4 +1,4 @@
output "provider-id" { output "provider_id" {
value = authentik_provider_oauth2.oauth2.id value = authentik_provider_oauth2.oauth2.id
} }
@@ -18,17 +18,17 @@ output "sso_token_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/" value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/token/"
} }
output "client_id" { output "client_id" {
value = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"] value = data.kubernetes_secret_v1.oauth2_client_id.data["client-id"]
} }
output "client_secret" { output "client_secret" {
value = data.kubernetes_secret_v1.oauth2-client-secret.data["client-secret"] value = data.kubernetes_secret_v1.oauth2_client_secret.data["client-secret"]
} }
output "secret_client_id_name" { output "secret_client_id_name" {
value = kubectl_manifest.oauth2-secret.name value = kubectl_manifest.oauth2_secret.name
} }
output "secret_client_secret_name" { output "secret_client_secret_name" {
value = kubernetes_secret_v1.oauth2-client-secret.metadata[0].name value = kubernetes_secret_v1.oauth2_client_secret.metadata[0].name
} }
output "secret_client_id_key" { output "secret_client_id_key" {
value = "client-id" value = "client-id"

24
postgresql/outputs.tf
View File

@@ -1,3 +1,23 @@
output "host" { output "conn_string" {
value = "${var.app_slug}-redis.${var.namespace}.svc" value = "postgres://${urlencode(data.kubernetes_secret_v1.credentials.data["username"])}:${urlencode(data.kubernetes_secret_v1.credentials.data["password"])}@${local.app_slug}-pg-rw.${var.namespace}.svc:5432/${var.component}"
}
output "service" {
value = "${local.app_slug}-pg-rw.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-pg-rw"
}
output "db_name" {
value = var.component
}
output "db_port" {
value = "5432"
}
output "secret_name" {
value = "${local.app_slug}-pg-app"
} }

30
postgresql/postgresql.tf
View File

@@ -1,21 +1,21 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pg-labels = merge(local.labels, { pg_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg" "app.kubernetes.io/component" = "pg"
}) })
pool-labels = merge(local.labels, { pool_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pg-pool" "app.kubernetes.io/component" = "pg-pool"
}) })
} }
resource "kubectl_manifest" "prj_pg" { resource "kubectl_manifest" "pg" {
yaml_body = join("", concat([<<-EOF yaml_body = join("", concat([<<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)} labels: ${jsonencode(local.pg_labels)}
annotations: annotations:
"k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean" "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
"k8up.io/file-extension": ".sql" "k8up.io/file-extension": ".sql"
@@ -34,7 +34,7 @@ resource "kubectl_manifest" "prj_pg" {
], var.backups.enable&&var.backups.use_barman?[<<-EOF ], var.backups.enable&&var.backups.use_barman?[<<-EOF
backup: backup:
barmanObjectStore: barmanObjectStore:
destinationPath: "s3://${var.app_slug}-${var.namespace}/" destinationPath: "s3://${local.app_slug}-${var.namespace}/"
endpointURL: "${var.backups.endpoint}/barman" endpointURL: "${var.backups.endpoint}/barman"
s3Credentials: s3Credentials:
accessKeyId: accessKeyId:
@@ -47,7 +47,7 @@ resource "kubectl_manifest" "prj_pg" {
]:[""])) ]:[""]))
} }
resource "kubectl_manifest" "prj_pg_backup" { resource "kubectl_manifest" "pg_backup" {
count = var.backups.enable ? 1:0 count = var.backups.enable ? 1:0
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
@@ -55,7 +55,7 @@ resource "kubectl_manifest" "prj_pg_backup" {
metadata: metadata:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pg-labels)} labels: ${jsonencode(local.pg_labels)}
spec: spec:
schedule: "${var.backups.schedule.db}" schedule: "${var.backups.schedule.db}"
backupOwnerReference: self backupOwnerReference: self
@@ -64,15 +64,15 @@ resource "kubectl_manifest" "prj_pg_backup" {
EOF EOF
} }
resource "kubectl_manifest" "prj_pg_pool" { resource "kubectl_manifest" "pg_pool" {
depends_on = [kubectl_manifest.prj_pg] depends_on = [kubectl_manifest.pg]
yaml_body = <<-EOF yaml_body = <<-EOF
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Pooler kind: Pooler
metadata: metadata:
name: "${local.app_slug}-pool" name: "${local.app_slug}-pool"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.pool-labels)} labels: ${jsonencode(local.pool_labels)}
spec: spec:
cluster: cluster:
name: "${local.app_slug}-pg" name: "${local.app_slug}-pg"
@@ -85,3 +85,11 @@ resource "kubectl_manifest" "prj_pg_pool" {
default_pool_size: "10" default_pool_size: "10"
EOF EOF
} }
data "kubernetes_secret_v1" "credentials" {
depends_on = [ kubectl_manifest.pg ]
metadata {
name = "${local.app_slug}-pg-app"
namespace = var.namespace
}
}

13
pvc/pvc.tf
View File

@@ -1,14 +1,17 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
pvc_labels = merge(var.labels, {
"app.kubernetes.io/component" = "pvc"
})
pvc_spec = merge({ pvc_spec = merge({
"accessModes" = [var.storage.accessMode] "accessModes" = [var.storage.access_mode]
"volumeMode" = var.storage.type "volumeMode" = var.storage.type
"resources" = { "resources" = {
"requests" = { "requests" = {
"storage" = "${var.storage.size}" "storage" = "${var.storage.size}"
} }
} }
}, var.storage.volume.class != "" ?{ }, var.storage.class != "" ? {
"storageClassName" = var.storage.class "storageClassName" = var.storage.class
} : {}) } : {})
} }
@@ -20,8 +23,8 @@ resource "kubectl_manifest" "pvc" {
name: ${local.app_slug} name: ${local.app_slug}
namespace: "${var.namespace}" namespace: "${var.namespace}"
annotations: annotations:
k8up.io/backup: "true" k8up.io/backup: "${var.backup}"
labels: ${jsonencode(local.labels)} labels: ${jsonencode(local.pvc_labels)}
spec: ${jsonencode(local.pvc_spec)} spec: ${jsonencode(local.pvc_spec)}
EOF EOF
} }

9
pvc/variables.tf
View File

@@ -12,15 +12,20 @@ variable "labels" {
} }
variable "storage" { variable "storage" {
type = object({ type = object({
accessMode = optional(string), access_mode = optional(string),
class = optional(string), class = optional(string),
size = optional(string), size = optional(string),
type = optional(string) type = optional(string)
}) })
default = { default = {
"accessMode" = "ReadWriteOnce" "access_mode" = "ReadWriteOnce"
"class" = "" "class" = ""
"size" = "10Gi" "size" = "10Gi"
"type" = "Filesystem" "type" = "Filesystem"
} }
} }
variable "backup" {
type = bool
default = true
}

17
redis/outputs.tf
View File

@@ -1,6 +1,15 @@
output "host" { output "conn_string" {
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "url" {
value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379" value = "redis://${local.app_slug}-redis.${var.namespace}.svc:6379"
} }
output "service" {
value = "${local.app_slug}-redis.${var.namespace}.svc"
}
output "db_host" {
value = "${local.app_slug}-redis"
}
output "secret_name" {
value = lookup(var.password, "name", "")
}

8
redis/redis.tf
View File

@@ -1,11 +1,11 @@
locals { locals {
app_slug = (var.component == var.instance || var.component=="") ? var.instance : format("%s-%s", var.component, var.instance) app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
redis-labels = merge(var.labels, { redis_labels = merge(var.labels, {
"app.kubernetes.io/component" = "redis" "app.kubernetes.io/component" = "redis"
}) })
cfg = merge({ cfg = merge({
"image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}" "image" = "${var.images.redis.registry}/${var.images.redis.repository}:${var.images.redis.tag}"
"imagePullPolicy" = "${var.images.redis.pullPolicy}" "imagePullPolicy" = "${var.images.redis.pull_policy}"
}, lookup(var.password, "enabled", false) ? { }, lookup(var.password, "enabled", false) ? {
redisSecret = { redisSecret = {
name = lookup(var.password, "name", var.component) name = lookup(var.password, "name", var.component)
@@ -21,7 +21,7 @@ resource "kubectl_manifest" "redis" {
metadata: metadata:
name: "${local.app_slug}-redis" name: "${local.app_slug}-redis"
namespace: "${var.namespace}" namespace: "${var.namespace}"
labels: ${jsonencode(local.redis-labels)} labels: ${jsonencode(local.redis_labels)}
spec: spec:
kubernetesConfig: ${jsonencode(local.cfg)} kubernetesConfig: ${jsonencode(local.cfg)}
storage: storage:

8
redis/variables.tf
View File

@@ -17,18 +17,18 @@ variable "annotations" {
variable "images" { variable "images" {
type = object({ type = object({
redis = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})), redis = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) })),
redis_exporter = optional(object({pullPolicy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string)})) redis_exporter = optional(object({ pull_policy = optional(string), registry = optional(string), repository = optional(string), tag = optional(string) }))
}) })
default = { default = {
"redis" = { "redis" = {
"pullPolicy" = "IfNotPresent" "pull_policy" = "IfNotPresent"
"registry" = "quay.io" "registry" = "quay.io"
"repository" = "opstree/redis" "repository" = "opstree/redis"
"tag" = "v7.0.12" "tag" = "v7.0.12"
} }
"redis_exporter" = { "redis_exporter" = {
"pullPolicy" = "IfNotPresent" "pull_policy" = "IfNotPresent"
"registry" = "quay.io" "registry" = "quay.io"
"repository" = "opstree/redis-exporter" "repository" = "opstree/redis-exporter"
"tag" = "v1.44.0" "tag" = "v1.44.0"

8
saml/saml.tf
View File

@@ -4,10 +4,10 @@ locals{
"app.kubernetes.io/component" = "authentik-saml" "app.kubernetes.io/component" = "authentik-saml"
}) })
} }
data "authentik_flow" "default-authorization-flow" { data "authentik_flow" "default_authorization_flow" {
slug = "default-provider-authorization-implicit-consent" slug = "default-provider-authorization-implicit-consent"
} }
data "authentik_flow" "default-authentication-flow" { data "authentik_flow" "default_authentication_flow" {
slug = "default-authentication-flow" slug = "default-authentication-flow"
} }
@@ -51,8 +51,8 @@ resource "kubectl_manifest" "saml_certificate" {
resource "authentik_provider_saml" "prj" { resource "authentik_provider_saml" "prj" {
name = "${local.app_slug}-saml" name = "${local.app_slug}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id authentication_flow = data.authentik_flow.default_authentication_flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id authorization_flow = data.authentik_flow.default_authorization_flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}" acs_url = "https://${var.dns_names[0]}/${var.acs_path}"
property_mappings = data.authentik_property_mapping_saml.saml_maps.ids property_mappings = data.authentik_property_mapping_saml.saml_maps.ids
name_id_mapping = data.authentik_property_mapping_saml.saml_name.id name_id_mapping = data.authentik_property_mapping_saml.saml_name.id

2
service/outputs.tf
View File

@@ -1,5 +1,5 @@
output "name" { output "name" {
value = "${local.app_slug}" value = local.app_slug
} }
output "default_definition" { output "default_definition" {
value = { value = {

27
service/svc.tf
View File

@@ -12,9 +12,10 @@ locals {
"protocol" = var.protocols[idx] "protocol" = var.protocols[idx]
"targetPort" = var.ports[idx] "targetPort" = var.ports[idx]
}] : [] }] : []
lb_ports = var.svc_type == "LoadBalancer" ? [for idx, port in var.lb_ports : { lb_ports = var.svc_type == "LoadBalancer" ? [for port in var.lb_ports : {
"port" = port "port" = port.port.number
"targetPort" = var.ports[idx] "name" = port.name
"targetPort" = port.port.number
}] : [] }] : []
node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : { node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
"port" = port "port" = port
@@ -23,7 +24,7 @@ locals {
}] : [] }] : []
metadata = merge( metadata = merge(
{ {
"name"= "${local.app_slug}" "name" = local.app_slug
"namespace" = var.namespace "namespace" = var.namespace
"labels" = var.labels "labels" = var.labels
}, },
@@ -36,6 +37,7 @@ locals {
type = "ClusterIP" type = "ClusterIP"
ports = local.cluster_ports ports = local.cluster_ports
selector = var.labels selector = var.labels
ipFamilyPolicy = var.ip_family
}, },
"ExternalName" = { "ExternalName" = {
type = "ExternalName" type = "ExternalName"
@@ -46,12 +48,14 @@ locals {
type = "NodePort" type = "NodePort"
selector = var.labels selector = var.labels
ports = local.node_ports ports = local.node_ports
ipFamilyPolicy = var.ip_family
}, },
"LoadBalancer" = { "LoadBalancer" = {
type = "LoadBalancer" type = "LoadBalancer"
selector = var.labels selector = var.labels
ports = local.lb_ports ports = local.lb_ports
externalTrafficPolicy = var.lb_policy externalTrafficPolicy = var.lb_policy
ipFamilyPolicy = var.ip_family
} }
} }
} }
@@ -63,3 +67,18 @@ resource "kubectl_manifest" "service" {
spec: ${jsonencode(local.spec[var.svc_type])} spec: ${jsonencode(local.spec[var.svc_type])}
EOF EOF
} }
resource "kubectl_manifest" "endpoint" {
count = var.svc_type == "ExternalName" ? 1 : 0
yaml_body = <<-EOF
apiVersion: v1
kind: Endpoints
metadata:
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
subsets:
- addresses:
- ip: ${var.target_host}
ports: ${jsonencode([for port in var.ports : { "port" = port }])}
EOF
}

19
service/variables.tf
View File

@@ -22,6 +22,16 @@ variable "svc_type" {
error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed" error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
} }
} }
variable "ip_family" {
type = string
default = "PreferDualStack"
validation {
condition = contains(["SingleStack", "PreferDualStack"], var.ip_family)
error_message = "Only SingleStack or PreferDualStack is allowed"
}
}
variable "ports" { variable "ports" {
type = list(number) type = list(number)
default = [80] default = [80]
@@ -51,8 +61,13 @@ variable "node_ports" {
} }
} }
variable "lb_ports" { variable "lb_ports" {
type = list(number) type = list(object({
default = [8080] name = string
port = object({
number = number
})
}))
default = []
} }
variable "lb_policy" { variable "lb_policy" {
type = string type = string