ab/homelab
1
1
Fork 1
Code Issues Pull Requests 70 Actions Packages Wiki Activity

added auth-proxy dashboard
Check with kubeconform / lint (push) Successful in 8s
Details
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s
Details
Auto-update README / Generate README and Create MR (push) Successful in 11s
Details

Browse Source
This commit is contained in:
Ultradesu
2026-05-05 18:57:05 +01:00
parent cdf836afd3
commit cd45c64457
5 changed files with 123 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files
terraform/keycloak/main.tf
+68 -43
View File
@@ -92,48 +92,6 @@ resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
]
}
# =============================================================================
# rsauth2-proxy client (localhost testing)
# =============================================================================
resource "keycloak_openid_client" "rsauth2_proxy_dev" {
realm_id = keycloak_realm.hexor.id
client_id = "rsauth2-proxy-dev"
name = "rsauth2-proxy (dev)"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
direct_access_grants_enabled = false
valid_redirect_uris = [
"http://localhost:8080/callback",
]
web_origins = [
"http://localhost:8080",
]
}
resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy_dev.id
name = "groups"
claim_name = "groups"
full_path = false
}
resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.rsauth2_proxy_dev.id
default_scopes = [
"openid",
"profile",
"email",
]
}
# =============================================================================
# Proxy applications — auto-created groups + routes ConfigMap
# =============================================================================
@@ -154,7 +112,74 @@ locals {
}
}
resource "kubernetes_config_map" "auth_proxy_routes" {
# =============================================================================
# OAuth2 applications — full OIDC clients for apps that handle auth themselves
# =============================================================================
resource "keycloak_openid_client" "oauth2_app" {
for_each = var.oauth2_applications
realm_id = keycloak_realm.hexor.id
client_id = each.key
name = each.key
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
direct_access_grants_enabled = false
valid_redirect_uris = each.value.redirect_uris
valid_post_logout_redirect_uris = each.value.post_logout_redirect_uris
web_origins = each.value.web_origins
}
resource "keycloak_openid_group_membership_protocol_mapper" "oauth2_app_groups" {
for_each = var.oauth2_applications
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.oauth2_app[each.key].id
name = "groups"
claim_name = "groups"
full_path = false
}
resource "keycloak_openid_client_default_scopes" "oauth2_app" {
for_each = var.oauth2_applications
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.oauth2_app[each.key].id
default_scopes = concat(
["openid", "profile", "email"],
each.value.extra_default_scopes
)
}
resource "keycloak_openid_client_optional_scopes" "oauth2_app" {
for_each = {
for k, v in var.oauth2_applications : k => v if length(v.extra_optional_scopes) > 0
}
realm_id = keycloak_realm.hexor.id
client_id = keycloak_openid_client.oauth2_app[each.key].id
optional_scopes = each.value.extra_optional_scopes
}
resource "keycloak_group" "oauth2_app" {
for_each = {
for k, v in var.oauth2_applications : k => v if length(v.allowed_groups) > 0
}
realm_id = keycloak_realm.hexor.id
name = "app-${each.key}"
}
# =============================================================================
# Proxy applications — routes ConfigMap
# =============================================================================
resource "kubernetes_config_map_v1" "auth_proxy_routes" {
metadata {
name = "auth-proxy-routes"
namespace = "auth-proxy"