kydah-modules/forward/forward.tf

locals {
  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
  forward_labels = merge(var.labels, {
    "app.kubernetes.io/component" = "authentik-forward"
  })
  external_url              = format("https://%s", var.dns_name)
  forward_outpost_results   = jsondecode(data.http.get_forward_outpost.response_body).results
  forward_outpost_providers = local.forward_outpost_results[0].providers
  forward_outpost_pk        = local.forward_outpost_results[0].pk
}

data "authentik_flow" "default_authorization_flow" {
  slug = "default-provider-authorization-implicit-consent"
}

resource "authentik_provider_proxy" "forward" {
  name                  = local.app_slug
  external_host         = local.external_url
  authorization_flow    = data.authentik_flow.default_authorization_flow.id
  mode                  = "forward_single"
  access_token_validity = var.access_token_validity
}

data "http" "get_forward_outpost" {
  depends_on      = [authentik_provider_proxy.forward]
  url             = "http://authentik.${var.domain}-auth.svc/api/v3/outposts/instances/?name__iexact=forward"
  method          = "GET"
  request_headers = var.request_headers
  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "Status code invalid"
    }
  }
}

data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

## Begin modification
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

resource "authentik_service_connection_kubernetes" "local" {
  # count      = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
  depends_on = [data.kubernetes_secret_v1.authentik]
  name       = "${var.domain}-local-forward"
  local      = true
}

# data "authentik_flow" "default_authorization_flow" {
#   count      = length(local.forward_outpost_results) == 0 ? 1 : 0
#   depends_on = [authentik_service_connection_kubernetes.local]
#   slug       = "default-provider-authorization-implicit-consent"
# }

resource "authentik_provider_proxy" "provider_forward" {
  # count              = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
  name               = "authentik-${var.domain}-forward-provider"
  internal_host      = "http://authentik-authentik"
  external_host      = "http://authentik-authentik"
  authorization_flow = data.authentik_flow.default_authorization_flow.id
}

resource "authentik_outpost" "output_forward" {
  # count              = length(jsondecode(data.http.get_forward_outpost.response_body).results) == 0 ? 1 : 0
  name               = "forward"
  type               = "proxy"
  service_connection = authentik_service_connection_kubernetes.local.id
  config = jsonencode({
    "log_level" : "info",
    "authentik_host" : "http://authentik",
    "docker_map_ports" : true,
    "kubernetes_replicas" : 1,
    "kubernetes_namespace" : var.namespace,
    "authentik_host_browser" : "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}",
    "object_naming_template" : "ak-outpost-%(name)s",
    "authentik_host_insecure" : false,
    "kubernetes_service_type" : "ClusterIP",
    "kubernetes_image_pull_secrets" : [],
    "kubernetes_disabled_components" : [],
    "kubernetes_ingress_annotations" : {},
    "kubernetes_ingress_secret_name" : var.ingress_certificat_secret_name
  })
  protocol_providers = local.forward_outpost_providers
}
## End modification

resource "restapi_object" "forward_outpost_binding" {
  path = "/outposts/instances/${local.forward_outpost_pk}/"
  data = jsonencode({
    name      = "forward"
    providers = contains(local.forward_outpost_providers, authentik_provider_proxy.forward.id) ? local.forward_outpost_providers : concat(local.forward_outpost_providers, [authentik_provider_proxy.forward.id])
  })
}

resource "kubectl_manifest" "middleware" {
  yaml_body = <<-EOF
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
        name: "${local.app_slug}-forward"
        namespace: "${var.namespace}"
        labels: ${jsonencode(local.forward_labels)}
    spec:
      forwardAuth:
        address: http://ak-outpost-forward.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
        - X-authentik-username
        - X-authentik-email
        - X-authentik-groups
        - X-authentik-name
        - X-authentik-uid
        - X-authentik-jwt
        - X-authentik-meta-jwks
        - X-authentik-meta-outpost
        - X-authentik-meta-provider
        - X-authentik-meta-app
        - X-authentik-meta-version
  EOF
}