Files
terraform-authentik/environments/root.hcl
T
unkinben 97be93a9ff
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
authentik: add Grafana OAuth2/OIDC provider + application
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
2026-07-06 22:06:48 +10:00

41 lines
927 B
HCL

generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
provider "authentik" {
url = "https://${path_relative_to_include()}"
token = var.authentik_token
}
# Reads client secrets seeded in Vault (kv-v2). Auth via VAULT_ADDR + VAULT_TOKEN
# from the environment (set by the Makefile vault_env helper).
provider "vault" {}
variable "authentik_token" {
type = string
sensitive = true
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
path = "infra/terraform/authentik/${path_relative_to_include()}/state"
scheme = "https"
lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
}
required_version = ">= 1.10"
required_providers {
authentik = {
source = "goauthentik/authentik"
version = "2026.5.0"
}
vault = {
source = "hashicorp/vault"
version = ">= 4.0.0"
}
}
}
EOF
}