This module creates a TheIdServer cluster using the TheIdServer Helm chart, together with its MySQL database, Redis cluster and Seq server.
- A DNS record pointing to the NGINX ingress controller's public IP.
- cert-manager
- A certificate issuer (an Issuer or a ClusterIssuer)
You can follow Create an HTTPS ingress controller on Azure Kubernetes Service (AKS) to install these prerequisites on your Kubernetes cluster.
The module sets up ingresses for TheIdServer and Seq using the host input variable.
provider "helm" {
  kubernetes {
    config_path = var.kubeconfig_path
  }
}
module "theidserver" {
  source          = "Aguafrommars/theidserver/helm"
  host            = "theidserver.com"
  tls_issuer_name = "letsencrypt"
  tls_issuer_kind = "ClusterIssuer"
}
This sets up TheIdServer at https://www.theidserver.com with the admin user admin@theidserver.com, and its Seq server at https://seq.theidserver.com.
By default, resources are created in the theidserver namespace.
The Seq ingress is reachable from the internet and Seq holds the server's logs, so we recommend protecting the Seq server with a username and password.
By default, the TheIdServer Helm chart installs the IdentityServer4 version.
If you prefer the Duende IdentityServer version, set the image input to override the default Docker image configuration.
module "theidserver" {
  source          = "Aguafrommars/theidserver/helm"
  host            = "theidserver.com"
  tls_issuer_name = "letsencrypt"
  tls_issuer_kind = "ClusterIssuer"
  image = {
    repository = "aguacongas/theidserver.duende"
    pullPolicy = "Always"
    tag        = "next"
  }
}
Commercial use of Duende IdentityServer requires a license.
The initial admin user password is stored in the ConfigMap <release_name>-config under the InitialData__Users__0__Password key. Note that this is a ConfigMap, not a Secret: anyone who can read ConfigMaps in the namespace can read the password, so treat it as a bootstrap credential only.
❯ kubectl get configmap theidserver-config -n theidserver -o jsonpath="{.data['InitialData__Users__0__Password']}"
SE!OfFGOm}(5v3wF
The admin user is created only if it does not already exist. We recommend changing its password at first login, or registering a new admin user and disabling this one. Don't delete it, or it will be recreated with the password from the ConfigMap.
TheIdServer needs to send email to verify user email addresses and for CIBA. The default email service implementation uses SendGrid and reads the user and API key from configuration.
The env_settings input passes environment variables to the containers, so the configuration can be overridden that way. Anything passed through env_settings ends up in clear text in the pod spec and in the Terraform state, so pass the API key from a sensitive Terraform variable or a secret store rather than committing a literal to version control.
module "theidserver" {
  source          = "Aguafrommars/theidserver/helm"
  host            = "theidserver.com"
  tls_issuer_name = "letsencrypt"
  tls_issuer_kind = "ClusterIssuer"
  env_settings = {
    SendGridUser = "<SENDGRID_USER>"
    SendGridKey  = "<SENDGRID_API_KEY>"
  }
}
This sample sets the SendGrid environment variables used by TheIdServer.
If you want to use your own email sender, implement a web API and configure its URL. Read the doc.
module "theidserver" {
  source          = "Aguafrommars/theidserver/helm"
  host            = "theidserver.com"
  tls_issuer_name = "letsencrypt"
  tls_issuer_kind = "ClusterIssuer"
  env_settings = {
    EmailApiAuthentication__ApiUrl = "<YOUR_EMAIL_SENDER_WEB_API>"
  }
}
This sample sets the email sender URL through an environment variable.
You can use the override_settings input to override values of the TheIdServer Helm chart.
module "theidserver" {
  source          = "Aguafrommars/theidserver/helm"
  host            = "theidserver.com"
  tls_issuer_name = "letsencrypt"
  tls_issuer_kind = "ClusterIssuer"
  override_settings = {
    appSettings = {
      file = {
        EmailApiAuthentication = {
          ApiUrl = "<YOUR_EMAIL_SENDER_WEB_API>"
        }
      }
    }
  }
}
This sample sets the email sender URL through the appsettings.json file.
Name | Description | Type | Default |
---|---|---|---|
host | The host name used for the TheIdServer and Seq ingresses | string | |
tls_issuer_name | The name of the certificate issuer to use | string | |
tls_issuer_kind | The kind of the certificate issuer to use (Issuer or ClusterIssuer) | string | |
chart | (Optional) The Helm chart | string | "theidserver" |
chart_version | (Optional) The Helm chart version | string | "4.7.0" |
namespace | (Optional) Kubernetes namespace | string | "theidserver" |
create_namespace | (Optional) Creates the kubernetes namespace if not exists | bool | true |
release_name | (Optional) Helm release name | string | "theidserver" |
reuse_values | (Optional) Reuse the values of the previous release | bool | false |
recreate_pods | (Optional) Recreate pods on upgrade | bool | false |
wait | (Optional) Wait for the Helm release to be ready | bool | true |
replica_count | (Optional) Number of server pods | number | 3 |
env_settings | (Optional) Env var settings | map(string) | {} |
override_settings | (Optional) Override helm chart settings | any | {} |
image | (Optional) Override Helm chart image | map(string) | {} |
Name | Description | Type | Sensitive |
---|---|---|---|
admin_name | The generated admin user name | string | false |
admin_password | The generated admin user password | string | true |
In version 1.0.x the store-protection keys were not valid for long enough. Since version 2.0.0 their validity is 1000 years, but to upgrade from 1.0.x you must first save the existing store-protection keys as .pem files in your Terraform root, or the server will no longer be able to read your data-protection keys and signing keys:
kubectl get secrets theidserver-certs -n theidserver -o jsonpath="{.data['dataProtection\.crt']}" | base64 -d > data_protection.pem
kubectl get secrets theidserver-certs -n theidserver -o jsonpath="{.data['dataProtection\.key']}" | base64 -d > data_protection_private_key.pem
kubectl get secrets theidserver-certs -n theidserver -o jsonpath="{.data['signingKey\.crt']}" | base64 -d > signing_key.pem
kubectl get secrets theidserver-certs -n theidserver -o jsonpath="{.data['signingKey\.key']}" | base64 -d > signing_key_private_key.pem
Write the files with > rather than >>: appending on a second run produces a file with two PEM objects, which the server will not load. Keep the private-key files out of version control and readable only by you.
Version 2.0.0 and above check whether those files exist and use them instead of generating new certificates.
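The upgrade step above is easy to get wrong silently (a truncated download, a re-run that appends a second object, a key file that does not belong to its certificate), and the failure only shows up when the server can no longer decrypt its protected data. The script below is an added example, not code from the module or from TheIdServer: it exports the four files and checks each one before you run terraform apply. It assumes the secret is named <release_name>-certs with the default release name theidserver, that the field names are the ones shown above, and that kubectl and openssl are on PATH; the secret and namespace names can be overridden with the SECRET and NAMESPACE environment variables.

```shell
#!/bin/sh
# Added example (not part of the Terraform module or of TheIdServer):
# export the store-protection certificates and keys from the
# theidserver-certs secret into the four PEM files the 2.0.0 upgrade
# expects, then sanity-check them before running terraform apply.
#
# Assumptions: the secret is <release_name>-certs (default release name
# "theidserver"), kubectl and openssl are on PATH, and the field names
# match the ones shown in the README.
set -eu

NAMESPACE="${NAMESPACE:-theidserver}"
SECRET="${SECRET:-theidserver-certs}"

# Decode one base64 field of the secret into a file. The dot in the field
# name must be escaped for jsonpath. Write with '>' (not '>>') so that a
# second run replaces the file instead of appending a second PEM object.
export_field() {
  field="$1"; out="$2"
  escaped=$(printf '%s' "$field" | sed 's/\./\\./g')
  kubectl get secret "$SECRET" -n "$NAMESPACE" \
    -o jsonpath="{.data['$escaped']}" | base64 -d > "$out"
  chmod 600 "$out"   # private keys must not be readable by other users
}

# Number of PEM objects in a file (count of "-----BEGIN" lines).
# A correct export contains exactly one; an accidental append yields two.
pem_object_count() {
  grep -c '^-----BEGIN ' "$1" || true
}

# Succeeds only when the file holds exactly one PEM object with a matching
# END line, i.e. it was neither truncated nor concatenated.
pem_is_single() {
  [ "$(pem_object_count "$1")" -eq 1 ] &&
  [ "$(grep -c '^-----END ' "$1" || true)" -eq 1 ]
}

# Succeeds when the private key belongs to the certificate: both must
# yield the same public key. Works for RSA and EC keys alike.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Export and verify one certificate/key pair:
#   $1 = secret field prefix, $2 = label, $3 = cert file, $4 = key file
export_pair() {
  export_field "$1.crt" "$3"
  export_field "$1.key" "$4"
  pem_is_single "$3" || { echo "bad certificate export: $3" >&2; return 1; }
  pem_is_single "$4" || { echo "bad key export: $4" >&2; return 1; }
  key_matches_cert "$3" "$4" || { echo "$4 does not match $3" >&2; return 1; }
  echo "$2: exported and verified ($3, $4)"
}

# Runs only as "sh export_keys.sh export" from the Terraform root, so the
# file can also be sourced for its functions without side effects.
if [ "${1:-}" = "export" ]; then
  export_pair dataProtection "data protection" data_protection.pem data_protection_private_key.pem
  export_pair signingKey "signing key" signing_key.pem signing_key_private_key.pem
fi
```

Run it from the Terraform root as sh export_keys.sh export before upgrading the module; if any check fails, the script exits non-zero and nothing should be applied until the exported files are correct. The public-key comparison is the check that catches a copy-paste mix-up between the data-protection and signing pairs, which a plain file listing would not reveal.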