153 lines
5.0 KiB
HCL
153 lines
5.0 KiB
HCL
locals {
|
|
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
|
|
main_group = format("kydah-%s", local.app_slug)
|
|
oauth2_labels = merge(var.labels, {
|
|
"app.kubernetes.io/component" = "authentik-oauth2"
|
|
})
|
|
cert_signing = var.cert_sign_secret_name != ""
|
|
signing_id = local.cert_signing ? authentik_certificate_key_pair.name[0].id : data.authentik_certificate_key_pair.ca.id
|
|
}
|
|
|
|
resource "random_uuid" "client_id" {
|
|
}
|
|
|
|
# resource "kubectl_manifest" "secret_gen" {
|
|
# yaml_body = <<-EOF
|
|
# apiVersion: "secretgenerator.mittwald.de/v1alpha1"
|
|
# kind: "StringSecret"
|
|
# metadata:
|
|
# name: "${local.app_slug}-oauth2"
|
|
# namespace: "${var.namespace}"
|
|
# labels: ${jsonencode(local.oauth2_labels)}
|
|
# ownerReferences: ${jsonencode(var.owner_references)}
|
|
# spec:
|
|
# forceRegenerate: false
|
|
# fields:
|
|
# - fieldName: "client_id"
|
|
# length: "32"
|
|
# EOF
|
|
# }
|
|
# data "kubernetes_secret_v1" "secret_gen" {
|
|
# metadata {
|
|
# name = kubectl_manifest.secret_gen.name
|
|
# namespace = var.namespace
|
|
# }
|
|
# }
|
|
data "authentik_certificate_key_pair" "ca" {
|
|
name = "authentik Self-signed Certificate"
|
|
}
|
|
|
|
resource "authentik_property_mapping_provider_scope" "app_scope" {
|
|
count = var.scope_attributes != "" ? 1 : 0
|
|
name = local.app_slug
|
|
scope_name = local.app_slug
|
|
expression = var.scope_attributes
|
|
}
|
|
|
|
data "authentik_property_mapping_provider_scope" "oauth2" {
|
|
managed_list = [for scope in var.scopes : "goauthentik.io/providers/oauth2/${scope}"]
|
|
}
|
|
data "authentik_flow" "default_authorization_flow" {
|
|
slug = "default-provider-authorization-implicit-consent"
|
|
}
|
|
data "authentik_flow" "default_authentication_flow" {
|
|
slug = "default-authentication-flow"
|
|
}
|
|
data "authentik_flow" "default_invalidation_flow" {
|
|
slug = "default-provider-invalidation-flow"
|
|
}
|
|
|
|
resource "authentik_group" "app_group" {
|
|
name = local.main_group
|
|
attributes = jsonencode({
|
|
"${local.app_slug}" = {
|
|
"kydah_instance" = var.instance
|
|
"kydah_component" = var.component
|
|
}
|
|
})
|
|
}
|
|
|
|
resource "authentik_group" "sub_groups" {
|
|
for_each = var.group_mapping
|
|
name = format("%s-%s", local.main_group, each.key)
|
|
parent = authentik_group.app_group.id
|
|
attributes = jsonencode({
|
|
"${local.app_slug}" = {
|
|
"kydah_instance" = var.instance
|
|
"kydah_component" = var.component
|
|
"kydah_app_group" = each.value
|
|
}
|
|
})
|
|
}
|
|
|
|
data "kubernetes_secret_v1" "signing_cert" {
|
|
count = var.cert_sign_secret_name != "" ? 1 : 0
|
|
metadata {
|
|
name = var.cert_sign_secret_name
|
|
namespace = var.namespace
|
|
}
|
|
}
|
|
|
|
resource "authentik_certificate_key_pair" "name" {
|
|
count = local.cert_signing ? 1 : 0
|
|
name = "${local.app_slug} Signing"
|
|
certificate_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.crt" = "" })["tls.crt"]
|
|
key_data = try(data.kubernetes_secret_v1.signing_cert[0].data, { "tls.key" = "" })["tls.key"]
|
|
}
|
|
|
|
resource "authentik_provider_oauth2" "oauth2" {
|
|
depends_on = [authentik_property_mapping_provider_scope.app_scope]
|
|
name = local.app_slug
|
|
client_id = random_uuid.client_id.result
|
|
authentication_flow = data.authentik_flow.default_authentication_flow.id
|
|
authorization_flow = data.authentik_flow.default_authorization_flow.id
|
|
invalidation_flow = data.authentik_flow.default_invalidation_flow.id
|
|
client_type = var.client_type
|
|
sub_mode = "user_username"
|
|
signing_key = local.signing_id
|
|
property_mappings = concat(
|
|
data.authentik_property_mapping_provider_scope.oauth2.ids,
|
|
var.scope_attributes != "" ? [authentik_property_mapping_provider_scope.app_scope[0].id] : []
|
|
)
|
|
redirect_uris = [
|
|
"https://${var.redirect_path != "" ? "${var.dns_name}/${var.redirect_path}" : var.dns_name}"
|
|
]
|
|
}
|
|
|
|
data "kubernetes_ingress_v1" "authentik" {
|
|
metadata {
|
|
name = "authentik"
|
|
namespace = "${var.domain}-auth"
|
|
}
|
|
}
|
|
|
|
resource "kubectl_manifest" "oauth2_client_secret" {
|
|
# force_new = true
|
|
yaml_body = <<-EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: "${local.app_slug}-oauth2"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.oauth2_labels)}
|
|
ownerReferences: ${jsonencode(var.owner_references)}
|
|
data:
|
|
oidc_endpoint: "${base64encode("https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/")}"
|
|
client_id: "${base64encode(random_uuid.client_id.result)}"
|
|
client_secret: "${base64encode(authentik_provider_oauth2.oauth2.client_secret)}"
|
|
EOF
|
|
}
|
|
|
|
# resource "kubernetes_secret" "oauth2_client_secret" {
|
|
# metadata {
|
|
# name = "${local.app_slug}-oauth2"
|
|
# namespace = var.namespace
|
|
# labels = local.oauth2_labels
|
|
# }
|
|
# data = {
|
|
# oidc_endpoint = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${local.app_slug}/"
|
|
# client_id = data.kubernetes_secret_v1.secret_gen.data["client_id"]
|
|
# client_secret = authentik_provider_oauth2.oauth2.client_secret
|
|
# }
|
|
# }
|