Initial scaffold #1

Merged
benvin merged 11 commits from benvin/initial-scaffold into main 2026-07-06 23:52:05 +10:00
Owner

Summary

  • Terraform module for managing Authentik identity provider (identity.unkin.net)
  • Groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts
  • Data-driven YAML config with Terragrunt config loader
  • Consul backend for state storage
  • Provider: goauthentik/authentik 2026.5.0
  • Woodpecker CI pipelines (pre-commit on PR, plan on PR, apply on main)
  • Makefile with Vault AppRole (local) and K8s auth (CI) support

Dependencies

  • terraform-vault #78 (merged) — auth roles and Consul ACL
  • argocd-apps #211 (open) — Woodpecker ServiceAccount
## Summary - Terraform module for managing Authentik identity provider (identity.unkin.net) - Groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts - Data-driven YAML config with Terragrunt config loader - Consul backend for state storage - Provider: goauthentik/authentik 2026.5.0 - Woodpecker CI pipelines (pre-commit on PR, plan on PR, apply on main) - Makefile with Vault AppRole (local) and K8s auth (CI) support ## Dependencies - terraform-vault #78 (merged) — auth roles and Consul ACL - argocd-apps #211 (open) — Woodpecker ServiceAccount
unkinben added 1 commit 2026-06-28 11:55:43 +10:00
Initial scaffold
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
4042760a16
- Terraform module for groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts
- Data-driven YAML config with Terragrunt config loader
- Environment: identity.unkin.net with Consul backend
- Provider: goauthentik/authentik 2026.5.0
- Woodpecker CI pipelines (pre-commit, plan, apply)
- Makefile with Vault AppRole and K8s auth support
unkinben added 1 commit 2026-06-28 12:04:26 +10:00
Fix provider schema for goauthentik/authentik 2026.5.0
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline was successful
8aa2273dcf
- group: parent → parents (list)
- saml/oauth2: add required invalidation_flow
- oauth2: remove redirect_uris (use allowed_redirect_uris via config)
- ldap: replace authorization_flow/search_group with bind_flow/unbind_flow
- Add versions.tf with required_providers block
- Remove service_connection from outpost (auto-discovered)
unkinben added 1 commit 2026-06-28 12:11:59 +10:00
Use identity.k8s.syd1.au.unkin.net as provider endpoint
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline was successful
00a122135e
benvin added 8 commits 2026-07-06 23:50:15 +10:00
authentik: add Grafana OAuth2/OIDC provider + application
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
97be93a9ff
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
ci: re-run plan after terraform-vault kv policy applied
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
3d7131032f
fix: drop duplicate required_providers from generated backend.tf
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
d1aef45d1d
The module's versions.tf and the root.hcl-generated backend.tf both
declared required_providers, which OpenTofu rejects ("A module may have
only one required providers configuration"), so terragrunt init/plan
failed. Keep them in the module's versions.tf (authentik + vault) and
generate only the backend + provider blocks.
ci: re-run plan on fixed head (duplicate required_providers resolved)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
41cc0fce8b
makefile: source TF_VAR_authentik_token from vault (kv/service/terraform/authentik)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
d96d36a079
The authentik provider needs a token but nothing supplied it, so plan
failed with 'No value for required variable authentik_token'. Source it
from Vault in vault_env like the consul creds, from the dedicated
terraform-service path kv/service/terraform/authentik (field: token),
overridable via AUTHENTIK_TOKEN_KV_* vars.
fix: skip_child_token on vault provider
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
93742883a5
The CI VAULT_TOKEN (short-lived k8s-auth role token) can't create child
tokens, so the vault provider failed with 'failed to create limited child
token: permission denied'. Use the token directly.
ci: re-run after vault #82 applied (token + oauth read policy live)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
0b1b67fbd5
Merge pull request 'authentik: add Grafana OAuth2/OIDC provider' (#2) from benvin/grafana-oidc into benvin/initial-scaffold
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
11a25fdca0
Reviewed-on: #2
benvin merged commit 9e75f39a06 into main 2026-07-06 23:52:05 +10:00
benvin deleted branch benvin/initial-scaffold 2026-07-06 23:52:05 +10:00
Sign in to join this conversation.