97be93a9ff
Adds an OIDC provider + application so the in-cluster Grafana (grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik. Extends the oauth2 module so provider config stays declarative and secret-free: - Resolve authorization/invalidation flows by slug (data.authentik_flow) and scope mappings by managed identifier (data.authentik_property_mapping_provider_scope). - Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/ VAULT_TOKEN from the Makefile). - Support allowed_redirect_uris on the oauth2 provider. config/providers_oauth2/grafana.yaml wires client_id `grafana`, the openid/email/profile scopes, the login/generic_oauth redirect URI, and points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
67 lines
2.1 KiB
Terraform
67 lines
2.1 KiB
Terraform
variable "groups" {
|
|
type = map(object({
|
|
name = string
|
|
is_superuser = optional(bool, false)
|
|
parents = optional(list(string), null)
|
|
attributes = optional(map(string), {})
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "providers_saml" {
|
|
type = map(object({
|
|
name = string
|
|
authorization_flow = string
|
|
invalidation_flow = string
|
|
acs_url = string
|
|
sp_binding = optional(string, "redirect")
|
|
audience = optional(string, "")
|
|
name_id_mapping = optional(string, null)
|
|
signing_kp = optional(string, null)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "providers_oauth2" {
|
|
type = map(object({
|
|
name = string
|
|
authorization_flow = string # flow slug, resolved to id via data.authentik_flow
|
|
invalidation_flow = string # flow slug, resolved to id via data.authentik_flow
|
|
client_type = optional(string, "confidential")
|
|
client_id = string
|
|
# client_secret is never committed. Point at a Vault kv-v2 secret whose
|
|
# `client_secret` key holds the value (seeded out of band); TF reads it.
|
|
client_secret_vault = optional(object({
|
|
mount = string
|
|
path = string
|
|
}), null)
|
|
# Managed identifiers of scope property mappings (e.g.
|
|
# goauthentik.io/providers/oauth2/scope-openid). Resolved to ids.
|
|
scope_mappings = optional(list(string), [])
|
|
redirect_uris = optional(list(object({
|
|
matching_mode = optional(string, "strict")
|
|
url = string
|
|
})), [])
|
|
signing_key = optional(string, null)
|
|
access_token_validity = optional(string, "minutes=10")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "providers_ldap" {
|
|
type = map(object({
|
|
name = string
|
|
bind_flow = string
|
|
unbind_flow = string
|
|
base_dn = string
|
|
certificate = optional(string, null)
|
|
tls_server_name = optional(string, null)
|
|
uid_start_number = optional(number, 2000)
|
|
gid_start_number = optional(number, 4000)
|
|
search_mode = optional(string, "direct")
|
|
bind_mode = optional(string, "direct")
|
|
mfa_support = optional(bool, true)
|
|
}))
|
|
default = {}
|
|
}
|