vynil/kydah-modules
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: vynil:main
Branches Tags
vynil:main vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0
...
pull from: vynil:feature/svc_lb
Branches Tags
vynil:feature/ak-gatekeeper vynil:feature/forward vynil:feature/service_improvement vynil:main vynil:feature/refacto_underscore vynil:feature/svc_lb vynil:feature/improve_ingress
vynil:0.3.0 vynil:0.2.0-rc vynil:0.1.0

1 Commits
main ... feature/sv

Author SHA1 Message Date
Xavier Mortelette
9b53fa3eac Refacto and add lb 2024-01-24 15:29:36 +01:00
13 changed files with 168 additions and 69 deletions
Expand all files Collapse all files

3
application/variables.tf
View File

@@ -17,6 +17,9 @@ variable "protocol_provider" {
variable "dns_name" {
type = string
}
variable "app_name" {
type = string
}
variable "sub_groups" {
type = list(string)
default = []

17
forward/forward.tf
View File

@@ -1,8 +1,11 @@
locals {
forward_outpost_providers = jsondecode(data.http.get_forward_outpost.response_body).results[0].providers
forward_outpost_pk = jsondecode(data.http.get_forward_outpost.response_body).results[0].pk
app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
main_group = format("app-%s", local.app_name)
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
forward_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-forward"
})
main_group = format("app-%s", var.app_name)
external_url = format("https://%s", var.dns_names[0])
rules_icons = [for v in var.dns_names : {
"host" = "${v}"
@@ -24,9 +27,9 @@ resource "kubectl_manifest" "prj_ingress_icon" {
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${var.instance}-icons"
name: "${local.app_slug}-icons"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.forward_labels)}
spec:
ingressClassName: "${var.ingress_class}"
rules: ${jsonencode(local.rules_icons)}
@@ -41,7 +44,7 @@ data "authentik_flow" "default-authorization-flow" {
}
resource "authentik_provider_proxy" "prj_forward" {
name = local.app_name
name = local.app_slug
external_host = local.external_url
authorization_flow = data.authentik_flow.default-authorization-flow.id
mode = "forward_single"
@@ -74,9 +77,9 @@ resource "kubectl_manifest" "prj_middleware" {
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: "forward-${local.app_name}"
name: "${local.app_slug}-forward"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.forward_labels)}
spec:
forwardAuth:
address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik

6
forward/outputs.tf
View File

@@ -3,5 +3,9 @@ output "provider-id" {
}
output "sso_logout" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${var.component}-${var.instance}/end-session/"
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/o/${local.app_slug}/end-session/"
}
output "middleware" {
value = "${local.app_slug}-forward"
}

15
forward/variables.tf
View File

@@ -1,33 +1,48 @@
variable "component" {
type = string
}
variable "instance" {
type = string
}
variable "icon" {
type = string
}
variable "domain" {
type = string
}
variable "namespace" {
type = string
}
variable "ingress_class" {
type = string
}
variable "labels" {
type = map(string)
}
variable "dns_names" {
type = list(string)
}
variable "access_token_validity" {
type = string
default = "hours=10" // ;minutes=10
}
variable "app_name" {
type = string
default = ""
}
variable "service" {
}
variable "request_headers" {
type = map(string)
}

23
ingress/ingress.tf
View File

@@ -1,6 +1,9 @@
locals {
name = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
pres_labels = merge(var.labels, {
"app.kubernetes.io/component" = "presentation"
})
rules = [for v in var.dns_names : {
"host" = "${v}"
"http" = {
@@ -15,12 +18,12 @@ locals {
}]
tls = var.enforce_tls ? [
{
secretName = var.cert_name != "" ? var.cert_name : "${local.name}-cert"
secretName = var.cert_name != "" ? var.cert_name : "${local.app_slug}-cert"
hosts = var.dns_names
}
] : []
middlewares = concat(
var.create_redirect ? ["${local.name}-https"] : [],
var.create_redirect ? ["${local.app_slug}-https"] : [],
var.middlewares
)
annotations = merge(
@@ -39,11 +42,11 @@ resource "kubectl_manifest" "prj_certificate" {
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${local.name}"
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.pres_labels)}
spec:
secretName: "${local.name}-cert"
secretName: "${local.app_slug}-cert"
dnsNames: ${jsonencode(var.dns_names)}
issuerRef:
kind: "ClusterIssuer"
@@ -58,9 +61,9 @@ resource "kubectl_manifest" "prj_https_redirect" {
apiVersion: "traefik.containo.us/v1alpha1"
kind: "Middleware"
metadata:
name: "${local.name}-https"
name: "${local.app_slug}-https"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.pres_labels)}
spec:
redirectScheme:
scheme: "https"
@@ -74,9 +77,9 @@ resource "kubectl_manifest" "prj_ingress" {
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata:
name: "${local.name}"
name: "${local.app_slug}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.pres_labels)}
annotations: ${jsonencode(local.annotations)}
spec:
ingressClassName: "${var.ingress_class}"

70
mysql/mysql.tf
View File

@@ -1,17 +1,21 @@
locals {
mysql_host = "${var.instance}-${var.component}-db.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.prj_mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.prj_mysql_secret.data["rootPassword"]
mysql_labels = merge(var.labels, {
"app.kubernetes.io/component" = "mysql"
})
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
mysql_host = "${local.app_slug}-mysql.${var.namespace}.svc"
mysql_username = data.kubernetes_secret_v1.mysql_secret.data["rootUser"]
mysql_password = data.kubernetes_secret_v1.mysql_secret.data["rootPassword"]
}
resource "kubectl_manifest" "prj_mysql_secret" {
resource "kubectl_manifest" "mysql_secret" {
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.instance}-${var.component}-db"
name: "${local.app_slug}-mysql"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.mysql_labels)}
spec:
forceRegenerate: false
data:
@@ -27,19 +31,26 @@ resource "kubectl_manifest" "prj_mysql_secret" {
EOF
}
resource "kubectl_manifest" "prj_mysql" {
depends_on = [kubectl_manifest.prj_mysql_secret]
data "kubernetes_secret_v1" "mysql_secret" {
depends_on = [kubectl_manifest.mysql_secret]
metadata {
name = "${local.app_slug}-mysql"
namespace = var.namespace
labels = local.mysql_labels
}
}
resource "kubectl_manifest" "mysql" {
yaml_body = <<-EOF
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
name: "${var.instance}-${var.component}-db"
name: "${local.app_slug}-mysql"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.mysql_labels)}
spec:
secretName: ${kubectl_manifest.prj_mysql_secret.name}
secretName: ${data.kubernetes_secret_v1.mysql_secret.metadata[0].name}
tlsUseSelfSigned: true
# tlsSecretName: "${var.instance}-db-cert"
instances: 1
router:
instances: 1
@@ -55,38 +66,29 @@ resource "kubectl_manifest" "prj_mysql" {
}
resource "time_sleep" "wait_mysql_ready" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql]
depends_on = [kubectl_manifest.mysql]
create_duration = "45s"
}
data "kubernetes_secret_v1" "prj_mysql_secret" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
metadata {
name = "${var.instance}-${var.component}-db"
namespace = var.namespace
}
}
resource "mysql_database" "app" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
name = var.database
depends_on = [
kubectl_manifest.mysql,
time_sleep.wait_mysql_ready
]
name = var.database
}
resource "mysql_user" "app_user" {
depends_on = [kubectl_manifest.prj_mysql_secret, kubectl_manifest.prj_mysql, time_sleep.wait_mysql_ready]
host = data.kubernetes_secret_v1.prj_mysql_secret.data["userHost"]
user = data.kubernetes_secret_v1.prj_mysql_secret.data["username"]
plaintext_password = data.kubernetes_secret_v1.prj_mysql_secret.data["password"]
depends_on = [
time_sleep.wait_mysql_ready,
mysql_database.app,
]
host = data.kubernetes_secret_v1.mysql_secret.data["userHost"]
user = data.kubernetes_secret_v1.mysql_secret.data["username"]
plaintext_password = data.kubernetes_secret_v1.mysql_secret.data["password"]
}
resource "mysql_grant" "app_user_grant" {
depends_on = [
kubectl_manifest.prj_mysql_secret,
kubectl_manifest.prj_mysql,
time_sleep.wait_mysql_ready,
mysql_database.app,
mysql_user.app_user
]
user = mysql_user.app_user.user
host = mysql_user.app_user.host
database = mysql_database.app.name

12
mysql/outpost.tf Normal file
View File

@@ -0,0 +1,12 @@
output "dns_names" {
value = [
"${local.app_slug}-mysql",
"${local.app_slug}-mysql-instances"
]
}
output "mysql_host" {
value =" ${local.app_slug}-mysql"
}
output "secret_name" {
value = "${local.app_slug}-db"
}

17
oauth2/oauth2.tf
View File

@@ -1,12 +1,18 @@
locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
oauth2_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-oauth2"
})
}
resource "kubectl_manifest" "oauth2-secret" {
ignore_fields = ["metadata.annotations"]
yaml_body = <<-EOF
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
kind: "StringSecret"
metadata:
name: "${var.component}-${var.instance}-id"
name: "${local.app_slug}-id"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.oauth2_labels)}
spec:
forceRegenerate: false
fields:
@@ -19,6 +25,7 @@ data "kubernetes_secret_v1" "oauth2-client-id" {
metadata {
name = kubectl_manifest.oauth2-secret.name
namespace = var.namespace
labels = local.oauth2_labels
}
}
@@ -41,7 +48,7 @@ data "authentik_flow" "default-authentication-flow" {
}
resource "authentik_provider_oauth2" "oauth2" {
name = "${var.component}-${var.instance}"
name = "${local.app_slug}"
client_id = data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
@@ -56,9 +63,9 @@ resource "authentik_provider_oauth2" "oauth2" {
resource "kubernetes_secret_v1" "oauth2-client-secret" {
metadata {
name = "${var.component}-${var.instance}-secret"
name = "${local.app_slug}-secret"
namespace = var.namespace
labels = var.labels
labels = local.oauth2_labels
}
data = {
client-secret = authentik_provider_oauth2.oauth2.client_secret

2
oauth2/outputs.tf
View File

@@ -3,5 +3,5 @@ output "provider-id" {
}
output "sso_configuration_url" {
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}"
value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
}

16
saml/saml.tf
View File

@@ -1,3 +1,9 @@
locals{
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
saml_labels = merge(var.labels, {
"app.kubernetes.io/component" = "authentik-saml"
})
}
data "authentik_flow" "default-authorization-flow" {
slug = "default-provider-authorization-implicit-consent"
}
@@ -30,21 +36,21 @@ resource "kubectl_manifest" "saml_certificate" {
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "${var.instance}-${var.component}-saml"
name: "${local.app_slug}-saml"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
labels: ${jsonencode(local.saml_labels)}
spec:
secretName: "${var.instance}-${var.component}-saml"
secretName: "${local.app_slug}-saml"
dnsNames: ${jsonencode(var.dns_names)}
issuerRef:
name: "self-sign"
name: "${var.issuer}"
kind: "ClusterIssuer"
group: "cert-manager.io"
EOF
}
resource "authentik_provider_saml" "prj" {
name = "${var.component}-${var.instance}-saml"
name = "${local.app_slug}-saml"
authentication_flow = data.authentik_flow.default-authentication-flow.id
authorization_flow = data.authentik_flow.default-authorization-flow.id
acs_url = "https://${var.dns_names[0]}/${var.acs_path}"

3
saml/variables.tf
View File

@@ -4,6 +4,9 @@ variable "component" {
variable "instance" {
type = string
}
variable "issuer" {
type = string
}
variable "dns_names" {
type = list(string)
}

33
service/svc.tf
View File

@@ -1,15 +1,36 @@
locals {
app_slug = "${var.instance}${var.component==""?"":"-"}${var.component}"
cluster_ports = var.svc_type == "ClusterIP" ? [for idx, target in var.targets : {
"name" = target
"port" = var.ports[idx]
"protocol" = var.protocols[idx]
"targetPort" = target
}] : []
ext_ports = var.svc_type == "ExternalName" ? [for idx, target in var.targets : {
"name" = target
"port" = var.ports[idx]
"protocol" = var.protocols[idx]
"targetPort" = var.ports[idx]
}] : []
lb_ports = var.svc_type == "LoadBalancer" ? [for idx, port in var.lb_ports : {
"port" = port
"targetPort" = var.ports[idx]
}] : []
node_ports = var.svc_type == "NodePort" ? [for idx, port in var.ports : {
"port" = port
"targetPort" = port
"nodePort" = var.node_ports[idx]
}] : []
metadata = merge(
{
"name"= "${local.app_slug}"
"namespace"= var.namespace
"labels"= var.labels
},
length(var.annotations) > 0 ? {
"annotations"= var.annotations
} : {}
)
spec = {
"ClusterIP" = {
type = "ClusterIP"
@@ -19,11 +40,18 @@ locals {
"ExternalName" = {
type = "ExternalName"
externalName = var.target_host
ports = local.ext_ports
},
"NodePort" = {
type = "NodePort"
selector = var.labels
ports = local.node_ports
},
"LoadBalancer" = {
type = "LoadBalancer"
selector = var.labels
ports = local.lb_ports
externalTrafficPolicy = var.lb_policy
}
}
}
@@ -31,10 +59,7 @@ resource "kubectl_manifest" "service" {
yaml_body = <<-EOF
apiVersion: v1
kind: Service
metadata:
name: "${var.instance}-${var.component}"
namespace: "${var.namespace}"
labels: ${jsonencode(var.labels)}
metadata: ${jsonencode(local.metadata)}
spec: ${jsonencode(local.spec[var.svc_type])}
EOF
}

20
service/variables.tf
View File

@@ -10,12 +10,16 @@ variable "namespace" {
variable "labels" {
type = map(string)
}
variable "annotations" {
type = map(string)
default = {}
}
variable "svc_type" {
type = string
default = "ClusterIP"
validation {
condition = contains(["ClusterIP", "ExternalName", "NodePort"], var.svc_type)
error_message = "Only ClusterIP or ExternalName is allowed"
condition = contains(["ClusterIP", "ExternalName", "NodePort", "LoadBalancer"], var.svc_type)
error_message = "Only ClusterIP, ExternalName, NodePort or LoadBalancer is allowed"
}
}
variable "ports" {
@@ -46,3 +50,15 @@ variable "node_ports" {
error_message = "The range of valid ports is 30000-32767"
}
}
variable "lb_ports" {
type = list(number)
default = [8080]
}
variable "lb_policy" {
type = string
default = "Cluster"
validation {
condition = contains(["Cluster", "Local"], var.lb_policy)
error_message = "Only Cluster or Local is allowed"
}
}