From 10f816118b2a0243f2f74e41ce01377be30b107d Mon Sep 17 00:00:00 2001 From: Olivier Lefebvre Date: Sat, 19 Mar 2022 10:23:52 +0100 Subject: [PATCH 1/2] refactor: add ouputs and options --- .terraform.lock.hcl | 56 ------- README.md | 162 ++++++++++++++++++- certificates.tf | 54 ++----- main.tf | 334 ++++++++++++++++++++++++++++++++-------- outputs.tf | 10 ++ theidserver-values.yaml | 50 ------ variables.tf | 94 ++++++----- 7 files changed, 506 insertions(+), 254 deletions(-) delete mode 100644 .terraform.lock.hcl create mode 100644 outputs.tf delete mode 100644 theidserver-values.yaml diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index 0735da2..0000000 --- a/.terraform.lock.hcl +++ /dev/null 
@@ -1,56 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.4.1" - hashes = [ - "h1:eh+hK4L6fSBZ0pjozJ18H2rTRiXYHFrqRS6b1wquwNc=", - "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14", - "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5", - "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526", - "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772", - "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd", - "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e", - "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0", - "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3", - "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f", - "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67", - "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.1.0" - hashes = [ - "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=", - "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", - "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", - "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", - "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", - "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", - "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", - "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", - "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", - "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", - "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", - 
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "3.1.0" - hashes = [ - "h1:ekOxs6MjdIElt8h9crEVaOwWbEqtfUUfArtA13Jkk6A=", - "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6", - "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2", - "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e", - "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca", - "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698", - "zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d", - "zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841", - "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989", - "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5", - "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d", - "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0", - ] -} diff --git a/README.md b/README.md index 8d2a830..657accf 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,160 @@ -# Terraform -TheidServer Terraform module +# TheidServer Helm Terraform module + +This module create a [TheIdServer](https://github.com/Aguafrommars/TheIdServer) cluster using the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver) with its MySql DB, Redis cluster and [Seq](https://datalust.co/) server. + +## Prerequises + +- DNS record pointing to [NGINX ingress controller](https://github.com/kubernetes/ingress-nginx) public IP. +- [cert-manager](https://github.com/cert-manager/cert-manager) +- A certificate issuer + +You can follow the [Create an HTTPS ingress controller on Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli#add-an-a-record-to-your-dns-zone) to install this prerequise on your kubernetes cluster. + +## Usage + +The module setup ingresses for [TheIdServer](https://github.com/Aguafrommars/TheIdServer) and [Seq](https://datalust.co/) using the **host** input variable. + +``` +provider "helm" { + kubernetes { + config_path = "C:/Users/LefebvreO/.kube/config" + } +} + +module "theidserver" { + source = "terraform-helm-theidserver" + + host = "theidserver.com" + tls_issuer_name = "letsencrypt" + tls_issuer_kind = "ClusterIssuer" +} +``` + +This will setup [TheIdServer](https://github.com/Aguafrommars/TheIdServer) on **https://www.theidserver.com** with the admin user **admin@theidserver.com** and its [Seq](https://datalust.co/) server on **https://seq.theidserver.com**. +By default resouces are created in the *theidserver* namespace. + +### Docker image + +By default the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver) install the [IdentityServer4](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.IS4/README.md) version. 
+If you prefer to use the [Duende IdentityServer](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.Duende/README.md) version configure the **image** input to override the default docker image configuration. + +``` +module "theidserver" { + source = "terraform-helm-theidserver" + + host = "theidserver.com" + tls_issuer_name = "letsencrypt" + tls_issuer_kind = "ClusterIssuer" + + image = { + repository = "aguacongas/theidserver.duende" + pullPolicy = "Always" + tag = "next" + } +} +``` + +> For a commercial use of [Duende IdentityServer](https://duendesoftware.com/products/identityserver) you need to [acquire a license](https://duendesoftware.com/products/identityserver#pricing). + +### Initial admin user password + +The initial admin user passowrd is store in the configMap -config at **InitialData__Users__0__Password** key. + +``` bash +❯ kubectl get configMap theidserver-config -n theidserver -o jsonpath="{.data['InitialData__Users__0__Password']}" +SE!OfFGOm}(5v3wF +``` + +> The admin user is stored if not exists, we recommande to change its password at 1st login or register a new one and disable this one. Don't delete it or it will be recreated. + +### Email server configuration + +[TheIdServer](https://github.com/Aguafrommars/TheIdServer) needs to send email to verify users emails or for CIBA. The default Email service implementation use [SendGrid](https://sendgrid.com/) and read user and API key from configuration. +The **env_settings** input can be use to pass environments variables to containers, so we can ovveride the configuration using environment variables. 
+ +``` +module "theidserver" { + source = "terraform-helm-theidserver" + + host = "theidserver.com" + tls_issuer_name = "letsencrypt" + tls_issuer_kind = "ClusterIssuer" + + env_settings = { + SendGridUser = "" + SendGridKey = "" + } +} +``` +This sample setup [SendGrid](https://sendgrid.com/) environment variables used by [TheIdServer](https://github.com/Aguafrommars/TheIdServer). + +If you want to use your Email sender, you need to implement a web api and setup its url. [Read the doc](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.Duende/README.md#use-your-api). + +``` +module "theidserver" { + source = "terraform-helm-theidserver" + + host = "theidserver.com" + tls_issuer_name = "letsencrypt" + tls_issuer_kind = "ClusterIssuer" + + env_settings = { + EmailApiAuthentication__ApiUrl = "" + } +} +``` +This sampel setup the Email Sender url using environment variable. + + +### Override config + +You can use the **override_setting** input to override the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver). + +``` +module "theidserver" { + source = "terraform-helm-theidserver" + + host = "theidserver.com" + tls_issuer_name = "letsencrypt" + tls_issuer_kind = "ClusterIssuer" + + override_setting = { + appSettings = { + file = { + EmailApiAuthentication = { + ApiUrl = "" + } + } + } + } +} +``` +This sample setup the Email Sender url using the appsettings.json file. 
+
+## Inputs
+
+|Name|Description|Type|Default|
+|-|-|-|-|
+|host|The host|string||
+|tls_issuer_name|The name of the certificat issuer to use|string||
+|tls_issuer_kind|The kind of the certificat issuer to use (Issuer or ClusterIssuer)|string||
+|chart_version|(Optional) The Helm chart version|string|"4.6.0"|
+|namespace|(Optional) Kubernetes namespace|string|"theidserver"|
+|create_namespace|(Optional) Creates the kubernetes namespace if not exists|bool|true|
+|release_name|(Optional) Helm release name|string|"theidserver"|
+|reuse_values|(Optional) reuse value for helm chart|bool|false|
+|recreate_pods|(Optional) recreate pods|bool|false|
+|wait|(Optional) Wait for helm release to be ready|bool|true|
+|replica_count|(Optional) Number of server pod|number|3|
+|env_settings|(Optional) Env var settings|map(string)|{}|
+|override_setting|(Optional) Override helm chart settings|map|{}|
+|image|(Optional) Override Helm chart image|map(string)|{}|
+
+## Outputs
+
+|Name|Description|Type|Sensitive|
+|-|-|-|-|
+|admin_name|The generated admin user name|string|false|
+|admin_password|The generated admin user password|string|true|
+
+
diff --git a/certificates.tf b/certificates.tf
index 3b99a68..32b6665 100644
--- a/certificates.tf
+++ b/certificates.tf
@@ -1,8 +1,9 @@
-resource "tls_private_key" "ca_private_key" {
- algorithm = "RSA"
+locals {
+ common_name = "aguafommmars CA"
+ organization = "Agua from Mars"
 }
-resource "tls_private_key" "ssl_private_key" {
+resource "tls_private_key" "ca_private_key" {
 algorithm = "RSA"
 }
@@ -21,8 +22,8 @@ resource "tls_self_signed_cert" "ca" {
 is_ca_certificate = true
 subject {
- common_name = "${var.ca_common_name}"
- organization = "${var.ca_organization}"
+ common_name = local.common_name
+ organization = local.organization
 }
 validity_period_hours = 26280
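Review bot: `tls_private_key.ca_private_key` keeps `algorithm = "RSA"` with no `rsa_bits`, so the CA key is the provider's default 2048-bit size while the CA certificate it signs is valid for `validity_period_hours = 26280` (three years, per the next hunk); pinning `rsa_bits = 4096` states the strength instead of inheriting it. The new `locals` block hard-codes `common_name = "aguafommmars CA"`, and the typo is now baked into the subject of the CA and, through the CSR hunks below, of every certificate it issues; a comment such as `# Subject of the self-signed CA; the data-protection and signing-key CSRs reuse it` would make that reuse visible. `tls_private_key` also stores the generated PEM unencrypted in Terraform state, which is worth a one-line comment on the resource so module users know the state backend must be protected accordingly.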
@@ -34,30 +35,14 @@ resource "tls_self_signed_cert" "ca" {
 ]
 }
-resource "tls_cert_request" "cert_request" {
- key_algorithm = "RSA"
- private_key_pem = fileexists("private_key.pem") ? "${file("private_key.pem")}" : "${tls_private_key.ssl_private_key.private_key_pem}"
-
- subject {
- common_name = "${var.ssl_common_name}"
- organization = "${var.ssl_organization}"
- }
-
- dns_names = var.cert_dns_names
- uris = var.cert_uris
-}
-
 resource "tls_cert_request" "data_protection_cert_request" {
 key_algorithm = "RSA"
 private_key_pem = fileexists("data_protection_private_key.pem") ? "${file("data_protection_private_key.pem")}" : "${tls_private_key.data_protection_private_key.private_key_pem}"
- subject {
- common_name = "${var.ssl_common_name}"
- organization = "${var.ssl_organization}"
+ subject {
+ common_name = local.common_name
+ organization = local.organization
 }
-
- dns_names = var.cert_dns_names
- uris = var.cert_uris
 }
 resource "tls_cert_request" "signing_key_cert_request" {
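Review bot: The `subject` of `data_protection_cert_request` now reuses `local.common_name` and `local.organization`, which are exactly the subject of the self-signed CA, so the certificate issued from this CSR carries the same subject as its issuer; the `signing_key_cert_request` hunk below does the same. A subject equal to the issuer is what path builders treat as a self-issued certificate — legal, but it makes logs and any tooling that keys on subject unable to tell the CA, the data-protection certificate and the signing-key certificate apart. A distinct leaf subject such as `common_name = format("%s data protection", local.common_name)` (and a signing-key equivalent) keeps the CA subject unique. Dropping `dns_names` and `uris` here is presumably fine because this key is never presented over TLS, but a comment saying so (`# no SAN: this certificate is not used for TLS, only as a data-protection key`) would stop a later reader from "fixing" it.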
@@ -65,26 +50,9 @@ resource "tls_cert_request" "signing_key_cert_request" {
 private_key_pem = fileexists("signing_key_private_key.pem") ? "${file("signing_key_private_key.pem")}" : "${tls_private_key.signing_key_private_key.private_key_pem}"
 subject {
- common_name = "${var.ssl_common_name}"
- organization = "${var.ssl_organization}"
+ common_name = local.common_name
+ organization = local.organization
 }
-
- dns_names = var.cert_dns_names
- uris = var.cert_uris
-}
-
-resource "tls_locally_signed_cert" "ssl" {
- cert_request_pem = fileexists("cert_request.pem") ? "${file("cert_request.pem")}" : "${tls_cert_request.cert_request.cert_request_pem}"
- ca_key_algorithm = "RSA"
- ca_private_key_pem = fileexists("cert_request.pem") ? "${file("ca_private_key.pem")}" : "${tls_private_key.ca_private_key.private_key_pem}"
- ca_cert_pem = fileexists("ca_cert.pem") ? "${file("ca_cert.pem")}" : "${tls_self_signed_cert.ca.cert_pem}"
-
- validity_period_hours = 365
-
- allowed_uses = [
- "client_auth",
- "server_auth"
- ]
 }
 resource "tls_locally_signed_cert" "data_protection" {
diff --git a/main.tf b/main.tf
index 5fc3566..9af157f 100644
--- a/main.tf
+++ b/main.tf
@@ -1,9 +1,3 @@
-provider "helm" {
- kubernetes {
- config_path = "C:/Users/LefebvreO/.kube/config"
- }
-}
-
 resource "random_password" "mysql_password" {
 length = 16
 special = false
@@ -14,79 +8,285 @@ resource "random_password" "mysql_root_password" { special = false } -resource "random_password" "api_secret" { +resource "random_password" "mysql_replication_password" { length = 16 special = true } -resource "helm_release" "theidserver" { - name = "theidserver" - chart = "C:\\Projects\\Perso\\helm\\charts\\theidserver" - - values = [ - "${file("theidserver-values.yaml")}" - ] - - reuse_values = var.reuse_values - recreate_pods = var.recreate_pods - - set_sensitive { - name = "ssl.ca.crt" - value = fileexists("ca.pem") ? "${file("ca.pem")}" : "${base64encode(tls_self_signed_cert.ca.cert_pem)}" - } - - set_sensitive { - name = "ssl.ca.key" - value = fileexists("ca.key") ? "${file("ca.key")}" : "${base64encode(tls_private_key.ca_private_key.private_key_pem)}" - } - - set_sensitive { - name = "ssl.crt" - value = fileexists("ca.pem") ? "${file("ca.pem")}" : "${base64encode(tls_locally_signed_cert.ssl.cert_pem)}" - } - - set_sensitive { - name = "ssl.key" - value = fileexists("ssl.key") ? "${file("ssl.key")}" : "${base64encode(tls_private_key.ssl_private_key.private_key_pem)}" - } - - set_sensitive { - name = "dataProtection.crt" - value = fileexists("data_protection.pem") ? "${file("data_protection.pem")}" : "${base64encode(tls_locally_signed_cert.data_protection.cert_pem)}" - } +resource "random_password" "api_secret" { + length = 16 + special = true +} - set_sensitive { - name = "dataProtection.key" - value = fileexists("data_protection.key") ? "${file("data_protection.key")}" : "${base64encode(tls_private_key.data_protection_private_key.private_key_pem)}" - } +resource "random_password" "redis_password" { + length = 16 + special = true +} - set_sensitive { - name = "signingKey.crt" - value = fileexists("signing_key.pem") ? 
"${file("signing_key.pem")}" : "${base64encode(tls_locally_signed_cert.signing_key.cert_pem)}" - } +resource "random_password" "public_server_secret" { + length = 16 + special = true +} - set_sensitive { - name = "signingKey.key" - value = fileexists("signing_key.key") ? "${file("signing_key.key")}" : "${base64encode(tls_private_key.signing_key_private_key.private_key_pem)}" - } +resource "random_password" "admin_password" { + length = 16 + special = true + min_numeric = 1 + min_special = 1 + min_upper = 1 +} - set_sensitive { - name = "mysql.auth.rootPassword" - value = "${random_password.mysql_root_password.result}" +locals { + settings = { + image = var.image + service = { + ports = { + https = 443 + } + } + appSettings = { + env = var.env_settings + file = { + ApiAuthentication = { + Authority = format("https://www.%s", var.host) + ApiSecret = "${random_password.api_secret.result}" + } + EmailApiAuthentication = { + Authority = format("https://www.%s", var.host) + ApiUrl = format("https://www.%s/api/email", var.host) + ClientSecret = "${random_password.public_server_secret.result}" + } + BackchannelAuthenticationUserNotificationServiceOptions = { + Authority = format("https://www.%s", var.host) + ApiUrl = format("https://www.%s/api/email", var.host) + ClientSecret = "${random_password.public_server_secret.result}" + } + InitialData = { + Clients = [ + { + ClientId = "theidserveradmin" + ClientName = "TheIdServer admin SPA Client" + ClientUri = "https://localhost:{{ .Values.service.ports.https }}" + ClientClaimsPrefix = null + AllowedGrantTypes = [ "authorization_code" ] + RequirePkce = true + RequireClientSecret = false + BackChannelLogoutSessionRequired = false + FrontChannelLogoutSessionRequired = false + ClientUri = format("https://www.%s", var.host) + AllowedCorsOrigins = [ + format("https://www.%s", var.host) + ] + RedirectUris = [ + format("https://www.%s/authentication/login-callback", var.host) + ] + PostLogoutRedirectUris = [ + 
format("https://www.%s/authentication/logout-callback", var.host) + ] + AllowedScopes = [ "openid", "profile", "theidserveradminapi" ] + AccessTokenType = "Reference" + }, + { + ClientId = "public-server" + ClientName = "Public server Credentials Client" + ClientClaimsPrefix = null + AllowedGrantTypes = [ "client_credentials" ] + Claims = [ + { + Type = "role" + Value = "Is4-Writer" + }, + { + Type = "role" + Value = "Is4-Reader" + } + ] + BackChannelLogoutSessionRequired = false + FrontChannelLogoutSessionRequired = false + AllowedScopes = [ "openid", "profile", "theidserveradminapi" ] + AccessTokenType = "Reference" + ClientSecrets = [{ + Type = "SharedSecret" + Value = "${random_password.public_server_secret.result}" + }] + }, + { + ClientId = "theidserver-swagger" + ClientName = "TheIdServer Swagger UI" + ClientClaimsPrefix = null + AllowedGrantTypes = [ "implicit" ] + AllowAccessTokensViaBrowser = true + RequireClientSecret = false + BackChannelLogoutSessionRequired = false + FrontChannelLogoutSessionRequired = false + AllowedCorsOrigins = [ + format("https://www.%s", var.host) + ] + RedirectUris = [ + format("https://www.%s/authentication/login-callback", var.host) + ] + } + ] + Apis = [ + { + Name = "theidserveradminapi" + DisplayName = "TheIdServer admin API" + UserClaims = [ "name", "role" ] + Scopes = [ "theidserveradminapi", "theidservertokenapi" ] + ApiSecrets = [{ + Type = "SharedSecret" + Value = "${random_password.api_secret.result}" + }] + } + ] + Users = [ + { + UserName = "${format("admin@%s", var.host)}" + Email = "${format("admin@%s", var.host)}" + EmailConfirmed = true + Roles = [ + "Is4-Writer", + "Is4-Reader" + ] + Claims = [ + { + ClaimType = "name" + ClaimValue = "TheIdServer Admin" + }, + { + ClaimType = "given_name" + ClaimValue = "Admin" + }, + { + ClaimType = "nickname" + ClaimValue = "Admin" + } + ] + } + ] + } + } + } + adminSettings = { + apiBaseUrl = format("https://www.%s/api", var.host) + settingsOptions = { + apiUrl = 
format("https://www.%s/api/api/configuration", var.host) + } + providerOptions = { + authority = format("https://www.%s", var.host) + postLogoutRedirectUri = format("https://www.%s/authentication/logout-callback", var.host) + redirectUri = format("https://www.%s/authentication/login-callback", var.host) + } + welcomeContenUrl = format("https://www.%s/api/welcomefragment", var.host) + } + replicaCount = var.replica_count + podAnnotations = { + deployment-date = timestamp() + } + ingress = { + enabled = true + annotations = { + "kubernetes.io/ingress.class" = "nginx" + "cert-manager.io/cluster-issuer" = "letsencrypt" + } + tls = { + hosts = [ + "${format("www.%s", var.host)}" + ] + } + hosts = [ + { + host = "${format("www.%s", var.host)}" + } + ] + } + ssl = { + create = false + ca = { + create = false + trust = false + } + issuer = { + enabled = true + ref = var.tls_issuer_name + kind = var.tls_issuer_kind + } + } + dataProtection = { + create = false + crt = "${base64encode(tls_locally_signed_cert.data_protection.cert_pem)}" + key = "${base64encode(tls_private_key.data_protection_private_key.private_key_pem)}" + } + signingKey = { + create = false + crt = "${base64encode(tls_locally_signed_cert.signing_key.cert_pem)}" + key = "${base64encode(tls_private_key.signing_key_private_key.private_key_pem)}" + } + mysql = { + architecture = "replication" + auth = { + username = "theidserver" + database = "theidserver" + replicationUser = "theidserverReplication" + rootPassword = "${random_password.mysql_root_password.result}" + password = "${random_password.mysql_password.result}" + replicationPassword = "${random_password.mysql_replication_password.result}" + } + } + redis = { + replica = { + replicaCount = 1 + } + auth = { + password = "${random_password.redis_password.result}" + } + } + seq = { + ingress = { + annotations = { + "kubernetes.io/ingress.class" = "nginx" + "nginx.ingress.kubernetes.io/ssl-redirect" = "true" + "cert-manager.io/cluster-issuer" = "letsencrypt" 
+ }
+ tls = [{
+ hosts = [
+ "${format("seq.%s", var.host)}"
+ ]
+ secretName = "${format("%s-seq", var.release_name)}"
+ }]
+ }
+ ui = {
+ ingress = {
+ enabled = true
+ path = "/"
+ hosts = [
+ "${format("seq.%s", var.host)}"
+ ]
+ }
+ }
+ }
 }
+}
- set_sensitive {
- name = "mysql.auth.password"
- value = "${random_password.mysql_password.result}"
- }
+resource "helm_release" "theidserver" {
+ name = var.release_name
+ repository = "https://aguafrommars.github.io/helm"
+ chart = "theidserver"
+ version = var.chart_version
+ namespace = var.namespace
+ create_namespace = var.create_namespace
+
+ values = [
+ yamlencode(local.settings),
+ yamlencode(var.override_setting)
+ ]
- set_sensitive {
- name = "appSettings.file.InitialData.Apis[0].ApiSecrets[0].Value"
- value = "${random_password.api_secret.result}"
- }
+ reuse_values = var.reuse_values
+ recreate_pods = var.recreate_pods
+ wait = var.wait
 set_sensitive {
- name = "appSettings.file.ApiAuthentication.ApiSecret"
- value = "${random_password.api_secret.result}"
+ name = "appSettings.env.InitialData__Users__0__Password"
+ value = random_password.admin_password.result
 }
 }
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..89b1c36
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,10 @@
+output "admin_name" {
+ value = format("admin@%s", var.host)
+ description = "The TheIdServer admin name"
+}
+
+output "admin_password" {
+ value = random_password.admin_password
+ description = "The TheIdServer admin password"
+ sensitive = true
+}
diff --git a/theidserver-values.yaml b/theidserver-values.yaml
deleted file mode 100644
index dc9ad62..0000000
--- a/theidserver-values.yaml
+++ /dev/null
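Review bot: The `cert-manager.io/cluster-issuer` annotations in `ingress.annotations` and in `seq.ingress.annotations` are hard-coded to `"letsencrypt"` while `var.tls_issuer_name` and `var.tls_issuer_kind` only reach `ssl.issuer`, so a caller using another issuer name, or `tls_issuer_kind = "Issuer"`, gets ingress certificates requested from a ClusterIssuer that may not exist; both annotations should read `"cert-manager.io/${var.tls_issuer_kind == "ClusterIssuer" ? "cluster-issuer" : "issuer"}" = var.tls_issuer_name`. The first `InitialData.Clients` object assigns `ClientUri` twice (the `"https://localhost:{{ .Values.service.ports.https }}"` literal, which `yamlencode` would emit verbatim since values are not Helm-templated, and then `format("https://www.%s", var.host)`); HCL does not accept a repeated key in an object constructor, and even where it did the first value would be silently lost, so the first line should go. The `theidserver-swagger` client is configured with `AllowedGrantTypes = [ "implicit" ]` and `AllowAccessTokensViaBrowser = true` although the admin SPA client just above already uses `authorization_code` with `RequirePkce = true`; giving the Swagger client the same flow (`AllowedGrantTypes = [ "authorization_code" ]`, `RequirePkce = true`) keeps access tokens out of URL fragments and browser history. `set_sensitive` on `appSettings.env.InitialData__Users__0__Password` only redacts the value from Terraform's CLI output; the README's `kubectl get configMap theidserver-config ... jsonpath` example suggests `appSettings.env` is rendered into a ConfigMap, in which case the generated admin password and everything passed through `var.env_settings` is readable by any principal with ConfigMap read access in the namespace — worth a comment above the block (`# NOTE: appSettings.env appears to land in a ConfigMap, not a Secret; set_sensitive only hides it from Terraform output`) and, if the chart offers a Secret-backed setting, using that instead.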
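Review bot: `output "admin_password"` exposes the whole `random_password.admin_password` resource rather than its `result` attribute, so consumers receive an object holding the generator's configuration attributes alongside `result`, while the README documents this output as a `string`; change it to `value = random_password.admin_password.result`. `sensitive = true` only redacts the value from plan and output display — it is still stored in clear text in this module's state and in the state of any root module that reads the output, which the description could say: `description = "The generated TheIdServer admin password (stored unencrypted in Terraform state)"`.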
@@ -1,50 +0,0 @@ -replicaCount: 1 - -ssl: - create: false - ca: - create: false - -dataProtection: - create: false - -signingKey: - create: false - -image: - repository: "aguacongas/theidserver.duende" - pullPolicy: "Always" - tag: "next" - -seq: - enabled: false - -mysql: - image: - tag: 8.0.28 - auth: - username: "theidserver" - database: "theidserver" - -appSettings: - file: - Serilog: - WriteTo: - - Name: Seq - Args: - serverUrl: http://seq:5341 - controlLevelSwitch: "$controlSwitch" - apiKey: DVYuookX2vOq078fuOyJ - - Name: Console - Args: - outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}" - theme: Serilog.Sinks.SystemConsole.Themes.AnsiConsoleTheme::Literate, Serilog.Sinks.Console - InitialData: - Apis: - - Name: "theidserveradminapi" - DisplayName: "TheIdServer admin API" - UserClaims: [ "name", "role" ] - ApiSecrets: - - Type: "SharedSecret" - Scopes: [ "theidserveradminapi", "theidservertokenapi" ] - diff --git a/variables.tf b/variables.tf index 46f4617..66feea9 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,61 +1,83 @@
-variable "ssl_common_name"{
+variable "host" {
 type = string
- description = "TheIdServer SSL common name"
- default = "theidserver"
+ description = "The host"
 }
-variable "ssl_organization"{
+variable "tls_issuer_name" {
 type = string
- description = "TheIdServer SSL organization"
- default = "TheIdServer"
+ description = "The name of the certificat issuer to use"
 }
-variable "ca_common_name"{
+variable "tls_issuer_kind" {
 type = string
- description = "ca certificates common name"
- default = "aguafommmars CA"
+ description = "The kind of the certificat issuer to use (Issuer or ClusterIssuer)"
 }
-variable "ca_organization"{
+variable "chart_version" {
 type = string
- description = "ca certificates organization"
- default = "Agua from Mars"
-}
-
-variable "cert_dns_names" {
- type = list(string)
- description = "certificates request dns names list"
- default = [ "theidserver.com", "localhost", "localhost:5443" ]
+ description = "(Optional) The Helm chart version"
+ default = "4.6.0"
 }
-variable "cert_uris" {
- type = list(string)
- description = "certificates request uri list"
- default = [ "127.0.0.1" ]
+variable "namespace" {
+ type = string
+ description = "(Optional) Kubernetes namespace"
+ default = "theidserver"
 }
-variable "kubernetes" {
- type = any
- description = "kubernetes configuration"
- default = {
- config_path = "~/.kube/config"
- }
+variable "create_namespace" {
+ type = bool
+ description = "(Optional) Creates the kubernetes namespace if not exists"
+ default = true
 }
-variable "replicaCount" {
- type = number
- description = "replica count"
- default = 1
+variable "release_name" {
+ type = string
+ description = "(Optional) Helm release name"
+ default = "theidserver"
 }
 variable "reuse_values" {
 type = bool
- description = "reuse value for helm chart"
- default = true
+ description = "(Optional) reuse value for helm chart"
+ default = false
 }
 variable "recreate_pods" {
 type = bool
- description = "recreate pods"
+ description = "(Optional) recreate pods"
+ default = false
+}
+
+variable "wait" {
+ type = bool
+ description = "(Optional) Wait for helm release to be ready"
 default = true
-}
\ No newline at end of file
+}
+
+variable "replica_count" {
+ type = number
+ description = "(Optional) Number of server pod"
+ default = 3
+}
+
+variable "env_settings" {
+ type = map(string)
+ description = "Env var setting"
+ sensitive = true
+ default = {}
+}
+
+variable "override_setting" {
+ type = map
+ description = "Override helm settings"
+ sensitive = true
+ default = {}
+}
+
+variable "image" {
+ type = map(string)
+ description = "The docker image"
+ default = {
+ }
+}
From 871ac36f38a03fd6b304f4d8a942e3183c0336ff Mon Sep 17 00:00:00 2001
From: Olivier Lefebvre
Date: Sat, 19 Mar 2022 10:26:22 +0100
Subject: [PATCH 2/2] doc: update readme
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 657accf..0dfac9c 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ module "theidserver" {
 This will setup [TheIdServer](https://github.com/Aguafrommars/TheIdServer) on **https://www.theidserver.com** with the admin user **admin@theidserver.com** and its [Seq](https://datalust.co/) server on **https://seq.theidserver.com**.
 By default resouces are created in the *theidserver* namespace.
+> We recommande to protect the Seq server with a user/pwd.
+
 ### Docker image
 By default the [TheIdServer helm chart](https://artifacthub.io/packages/helm/aguafrommars/theidserver) install the [IdentityServer4](https://github.com/Aguafrommars/TheIdServer/blob/master/src/Aguacongas.TheIdServer.IS4/README.md) version.
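Review bot: `variable "override_setting"` is declared `type = map` with no element type, which Terraform reads as the legacy `map(any)` and so requires every top-level value to share one type; the README's own example passes a nested object, and a caller overriding two chart sections of different shapes (say an `image` object next to a numeric `replicaCount`) would be rejected at plan time, so `type = any` matches what `yamlencode(var.override_setting)` in main.tf actually accepts. `tls_issuer_kind` is documented as `Issuer or ClusterIssuer` but nothing enforces it before the value is handed to the chart as `ssl.issuer.kind`; the `validation` block below turns a typo into a plan-time error instead of a failed release. The descriptions also drift from the README table (`env_settings` says `Env var setting` versus `(Optional) Env var settings`, `image` says `The docker image` versus `(Optional) Override Helm chart image`), and `host` is described only as `The host` — `"Apex DNS name the module derives the www., seq. and admin@ names from (e.g. theidserver.com)"` says what the module does with it.
```hcl
variable "tls_issuer_kind" {
  type        = string
  description = "The kind of the certificat issuer to use (Issuer or ClusterIssuer)"

  validation {
    condition     = contains(["Issuer", "ClusterIssuer"], var.tls_issuer_kind)
    error_message = "The tls_issuer_kind value must be \"Issuer\" or \"ClusterIssuer\"."
  }
}
```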