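# Provisions an authentik OAuth2/OIDC provider for one application and hands
# the resulting client credentials to the application's namespace as a Secret.
#
# Flow:
#   1. A mittwald StringSecret generates a random 32-character client_id
#      in-cluster (kubectl_manifest.secret_gen).
#   2. The provider is created in authentik with that client_id; authentik
#      generates the client_secret (authentik_provider_oauth2.oauth2).
#   3. A Kubernetes Secret holding oidc_endpoint / client_id / client_secret
#      is written for the application (kubectl_manifest.oauth2_client_secret).
#
# Security notes for operators of this module:
#   - client_id, client_secret and (when supplied) the signing private key all
#     pass through Terraform state. Protect the state backend accordingly.
#   - Manifests are built with yamlencode() rather than string-templated YAML,
#     so a namespace/slug/label value containing quotes or newlines cannot
#     break or inject into the generated document.
locals {
  # "<instance>" when no component is set, otherwise "<instance>-<component>".
  app_slug = var.component == "" ? var.instance : "${var.instance}-${var.component}"

  oauth2_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })

  # Token signing uses a per-application key pair when a TLS Secret name is
  # supplied; otherwise authentik's built-in self-signed certificate is used.
  cert_signing = var.cert_sign_secret_name != ""
  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
}

# Random client_id, generated by the mittwald secret-generator operator.
# The operator materialises a Secret named "<app_slug>-oauth2" in the target
# namespace; kubectl_manifest.oauth2_client_secret below applies onto that same
# object name, so both the operator and Terraform touch it (force_new on the
# Terraform side is what keeps that workable).
resource "kubectl_manifest" "secret_gen" {
  yaml_body = yamlencode({
    apiVersion = "secretgenerator.mittwald.de/v1alpha1"
    kind       = "StringSecret"
    metadata = {
      name            = "${local.app_slug}-oauth2"
      namespace       = var.namespace
      labels          = local.oauth2_labels
      ownerReferences = var.owner_references
    }
    spec = {
      # Keep the generated value stable across operator reconciles.
      forceRegenerate = false
      fields = [
        {
          fieldName = "client_id"
          length    = "32"
        },
      ]
    }
  })
}

# Reads the operator-generated client_id back. Referencing the manifest's
# name orders this after the StringSecret is applied, but the operator fills
# the Secret asynchronously, so a first apply can race it.
# TODO(review): confirm the Secret is populated (or gate on the StringSecret's
# status) before data.client_id is relied on.
data "kubernetes_secret_v1" "secret_gen" {
  metadata {
    name      = kubectl_manifest.secret_gen.name
    namespace = var.namespace
  }
}

# Fallback signing key: authentik's default self-signed certificate, shared by
# every provider that does not bring its own key pair.
data "authentik_certificate_key_pair" "ca" {
  name = "authentik Self-signed Certificate"
}

# Resolve the built-in scope mappings (openid, email, profile, ...) requested
# via var.scopes to their authentik IDs.
data "authentik_property_mapping_provider_scope" "oauth2" {
  managed_list = [
    for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"
  ]
}

# Implicit-consent flow: users are NOT shown a consent screen before the
# application receives their claims. Acceptable for first-party apps only.
data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "default_authentication_flow" {
  slug = "default-authentication-flow"
}

data "authentik_flow" "default_invalidation_flow" {
  slug = "default-provider-invalidation-flow"
}

# Parent group for the application; child groups below map authentik group
# names to the application's own group names via the gen_group_name attribute.
resource "authentik_group" "app_group" {
  name = local.app_slug
  attributes = jsonencode({
    "app_slug" = local.app_slug
  })
}

resource "authentik_group" "groups" {
  for_each = var.group_mapping

  name   = each.key
  parent = authentik_group.app_group.id
  attributes = jsonencode({
    "app_slug"       = local.app_slug
    "gen_group_name" = each.value
  })
}

# Optional per-application signing key, read from a kubernetes.io/tls-style
# Secret (tls.crt / tls.key). Only looked up when a name was supplied.
data "kubernetes_secret_v1" "signing_cert" {
  count = var.cert_sign_secret_name != "" ? 1 : 0

  metadata {
    name      = var.cert_sign_secret_name
    namespace = var.namespace
  }
}

# Upload the signing key pair to authentik. The try() fallbacks only yield
# empty strings when the data source above is absent, which cannot happen
# while count is 1; an empty key pair would presumably be rejected by authentik
# rather than silently used.
resource "authentik_certificate_key_pair" "name" {
  count = local.cert_signing ? 1 : 0

  name             = "${local.app_slug} Signing"
  certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
  key_data         = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
}

resource "authentik_provider_oauth2" "oauth2" {
  name      = local.app_slug
  client_id = data.kubernetes_secret_v1.secret_gen.data.client_id

  authentication_flow = data.authentik_flow.default_authentication_flow.id
  authorization_flow  = data.authentik_flow.default_authorization_flow.id
  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id

  # confidential vs public client; public clients get no usable client_secret.
  client_type = var.client_type

  # The `sub` claim is the username. Usernames can be renamed, and a deleted
  # user's name can be reused, so a consumer that keys identities on `sub`
  # may conflate two different people. authentik's hashed-user-id mode gives a
  # stable subject; switching changes `sub` for every existing user of the
  # application, so only do it when all consumers tolerate that.
  sub_mode = "user_username"

  signing_key       = local.signing_id
  property_mappings = data.authentik_property_mapping_provider_scope.oauth2.ids

  # Exactly one allowed redirect target: https://<dns_name>[/<redirect_path>].
  # NOTE(review): authentik versions that match redirect URIs as regular
  # expressions treat the unescaped "." in dns_name as a wildcard; confirm the
  # matching mode of the deployed authentik and escape the host if it is regex.
  redirect_uris = [
    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
  ]
}

# authentik's public hostname, taken from its Ingress in the "<domain>-auth"
# namespace, is used to build the OIDC issuer/endpoint URL handed to the app.
data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

# Credentials Secret consumed by the application. Written with kubectl_manifest
# (not kubernetes_secret) because the secret-generator operator already owns a
# Secret of this name; force_new recreates the object on any change instead of
# patching a possibly operator-modified one.
resource "kubectl_manifest" "oauth2_client_secret" {
  force_new = true

  # Mask the client secret in plan/apply output. It is still stored in
  # Terraform state; see the module header. Requires kubectl provider >= 1.12.
  sensitive_fields = ["data.client_secret"]

  yaml_body = yamlencode({
    apiVersion = "v1"
    kind       = "Secret"
    metadata = {
      name            = "${local.app_slug}-oauth2"
      namespace       = var.namespace
      labels          = local.oauth2_labels
      ownerReferences = var.owner_references
    }
    # Values are base64-encoded because this writes `data`, not `stringData`.
    data = {
      oidc_endpoint = base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")
      client_id     = base64encode(data.kubernetes_secret_v1.secret_gen.data.client_id)
      client_secret = base64encode(authentik_provider_oauth2.oauth2.client_secret)
    }
  })
}

# Previous implementation, kept for reference. Superseded by the
# kubectl_manifest above (presumably because a kubernetes_secret resource
# conflicts with the operator-created Secret of the same name).
# resource "kubernetes_secret" "oauth2_client_secret" {
#   metadata {
#     name      = "${local.app_slug}-oauth2"
#     namespace = var.namespace
#     labels    = local.oauth2_labels
#   }
#   data = {
#     oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
#     client_id     = data.kubernetes_secret_v1.secret_gen.data["client_id"]
#     client_secret = authentik_provider_oauth2.oauth2.client_secret
#   }
# }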