kydah-modules/oauth2/oauth2.tf

locals {
  app_slug   = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  main_group = format("kydah-%s", local.app_slug)
  oauth2_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-oauth2"
  })
  cert_signing = var.cert_sign_secret_name != ""
  signing_id   = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
}

resource "random_uuid" "client_id" {
}

# resource "kubectl_manifest" "secret_gen" {
#   yaml_body = <<-EOF
#     apiVersion: "secretgenerator.mittwald.de/v1alpha1"
#     kind: "StringSecret"
#     metadata:
#       name: "${local.app_slug}-oauth2"
#       namespace: "${var.namespace}"
#       labels: ${jsonencode(local.oauth2_labels)}
#       ownerReferences: ${jsonencode(var.owner_references)}
#     spec:
#       forceRegenerate: false
#       fields:
#       - fieldName: "client_id"
#         length: "32"
#   EOF
# }
# data "kubernetes_secret_v1" "secret_gen" {
#   metadata {
#     name      = kubectl_manifest.secret_gen.name
#     namespace = var.namespace
#   }
# }
data "authentik_certificate_key_pair" "ca" {
  name = "authentik Self-signed Certificate"
}

resource "authentik_property_mapping_provider_scope" "app_scope" {
  count      = var.scope_attributes != "" ? 1 : 0
  name       = local.app_slug
  scope_name = local.app_slug
  expression = var.scope_attributes
}

data "authentik_property_mapping_provider_scope" "oauth2" {
  managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
}
data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default_authentication_flow" {
  slug = "default-authentication-flow"
}
data "authentik_flow" "default_invalidation_flow" {
  slug = "default-provider-invalidation-flow"
}

resource "authentik_group" "app_group" {
  name       = local.main_group
  attributes = jsonencode({
    "${local.app_slug}" = {
      "kydah_instance"  = var.instance
      "kydah_component" = var.component
    }
  })
}

resource "authentik_group" "sub_groups" {
  for_each = var.group_mapping
  name     = format("%s-%s", local.main_group, each.key)
  parent   = authentik_group.app_group.id
  attributes = jsonencode({
    "${local.app_slug}" = {
      "kydah_instance"  = var.instance
      "kydah_component" = var.component
      "kydah_app_group" = each.value
    }
  })
}

data "kubernetes_secret_v1" "signing_cert" {
  count = var.cert_sign_secret_name != "" ? 1 : 0
  metadata {
    name      = var.cert_sign_secret_name
    namespace = var.namespace
  }
}

resource "authentik_certificate_key_pair" "name" {
  count            = local.cert_signing ? 1 : 0
  name             = "${local.app_slug} Signing"
  certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
  key_data         = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
}

resource "authentik_provider_oauth2" "oauth2" {
  depends_on          = [authentik_property_mapping_provider_scope.app_scope]
  name                = local.app_slug
  client_id           = random_uuid.client_id.result
  authentication_flow = data.authentik_flow.default_authentication_flow.id
  authorization_flow  = data.authentik_flow.default_authorization_flow.id
  invalidation_flow   = data.authentik_flow.default_invalidation_flow.id
  client_type         = var.client_type
  sub_mode            = "user_username"
  signing_key         = local.signing_id
  property_mappings = concat(
    data.authentik_property_mapping_provider_scope.oauth2.ids,
    var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
  )
  redirect_uris = [
    "https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
  ]
}

data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

resource "kubectl_manifest" "oauth2_client_secret" {
  # force_new = true
  yaml_body = <<-EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: "${local.app_slug}-oauth2"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.oauth2_labels)}
      ownerReferences: ${jsonencode(var.owner_references)}
    data:
      oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
      client_id: "${base64encode(random_uuid.client_id.result)}"
      client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
  EOF
}

# resource "kubernetes_secret" "oauth2_client_secret" {
#   metadata {
#     name      = "${local.app_slug}-oauth2"
#     namespace = var.namespace
#     labels    = local.oauth2_labels
#   }
#   data = {
#     oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
#     client_id     = data.kubernetes_secret_v1.secret_gen.data["client_id"]
#     client_secret = authentik_provider_oauth2.oauth2.client_secret
#   }
# }