diff --git a/modules/user_auth/README.md b/modules/user_auth/README.md index 02bbcc0..a23cff2 100644 --- a/modules/user_auth/README.md +++ b/modules/user_auth/README.md @@ -35,9 +35,11 @@ No requirements. | backend\_service\_domain | Domain of the backend service | `string` | n/a | yes | | cookie\_signing\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes | | create\_namespace | Whether to create the auth namespace(defaults to true), otherwise just references the namespace | `bool` | `true` | no | +| disable\_oathkeeper | To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos | `bool` | `false` | no | | external\_secret\_backend | The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually. | `string` | `"secretsManager"` | no | | external\_secret\_name | Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use | `string` | n/a | yes | | frontend\_service\_domain | Domain of the frontend | `string` | n/a | yes | +| frontend\_use\_https | Whether frontend URLs should be https, unless your developing locally you should leave the default as is. | `bool` | `true` | no | | jwks\_content | The content of a JWKS file for Oathkeeper | `string` | n/a | yes | | k8s\_local\_exec\_context | Custom resource (Oathkeeper Rules are created using local-exec with kubectl), if not specified it will target your current context from kubeconfig | `string` | `""` | no | | kratos\_default\_redirect\_ui\_path | Setting the default path after self-service flows(login/signup/verify/settings), kratos will redirect you to frontend | `string` | `"/dashboard"` | no | diff --git a/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl b/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl index 6f8dfdc..926c478 100644 --- a/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl +++ b/modules/user_auth/files/oathkeeper_kratos_proxy_rules.yaml.tpl @@ -6,10 +6,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1 kind: Rule metadata: name: kratos-${name}-public - namespace: user-auth + namespace: ${auth_namespace} spec: upstream: - url: http://kratos-${name}-public.user-auth + url: http://kratos-${name}-public.${auth_namespace} stripPath: ${public_selfserve_endpoint} preserveHost: true match: @@ -36,10 +36,10 @@ apiVersion: oathkeeper.ory.sh/v1alpha1 kind: Rule metadata: name: kratos-${name}-form-data - namespace: user-auth + namespace: ${auth_namespace} spec: upstream: - url: http://kratos-${name}-admin.user-auth + url: http://kratos-${name}-admin.${auth_namespace} stripPath: ${admin_selfserve_endpoint} preserveHost: true match: diff --git a/modules/user_auth/main.tf b/modules/user_auth/main.tf index 53b0217..d7c68d4 100644 --- a/modules/user_auth/main.tf +++ b/modules/user_auth/main.tf @@ -14,7 +14,8 @@ locals { } } - default_flow_return_url = "https://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}" + frontend_scheme = var.frontend_use_https ? "https" : "http" + default_flow_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}${var.kratos_default_redirect_ui_path}" kratos_values_override = { secret = { nameOverride = var.kratos_secret_name @@ -32,38 +33,38 @@ locals { selfservice = { whitelisted_return_urls = var.whitelisted_return_urls - default_browser_return_url = "https://${var.frontend_service_domain}/" + default_browser_return_url = "${local.frontend_scheme}://${var.frontend_service_domain}/" flows = { settings = { - ui_url = "https://${var.frontend_service_domain}/auth/settings" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/settings" after = { default_browser_return_url = local.default_flow_return_url } } verification = { - ui_url = "https://${var.frontend_service_domain}/auth/verify" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/verify" after = { default_browser_return_url = local.default_flow_return_url } } recovery = { - ui_url = "https://${var.frontend_service_domain}/auth/recovery" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/recovery" after = { default_browser_return_url = local.default_flow_return_url } } login = { - ui_url = "https://${var.frontend_service_domain}/auth/login" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login" after = { default_browser_return_url = local.default_flow_return_url } } registration = { - ui_url = "https://${var.frontend_service_domain}/auth/registration" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/registration" after = { default_browser_return_url = local.default_flow_return_url password = { @@ -76,7 +77,7 @@ locals { } error = { - ui_url = "https://${var.frontend_service_domain}/auth/errors" + ui_url = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/errors" } } @@ -95,17 +96,17 @@ locals { # https://github.com/ory/k8s/blob/master/helm/charts/oathkeeper/templates/ingress-proxy.yaml proxy = { hosts = [{ - host = var.backend_service_domain + host = var.backend_service_domain paths = ["/"] }] tls = [{ - hosts = [var.backend_service_domain] + hosts = [var.backend_service_domain] secretName = "oathkeeper-proxy-tls-secret" }] annotations = { - "nginx.ingress.kubernetes.io/cors-allow-origin" : "https://${var.frontend_service_domain}" + "nginx.ingress.kubernetes.io/cors-allow-origin" : "${local.frontend_scheme}://${var.frontend_service_domain}" } } } @@ -131,7 +132,7 @@ locals { handlers = { redirect = { config = { - to = "https://${var.frontend_service_domain}/auth/login" + to = "${local.frontend_scheme}://${var.frontend_service_domain}/auth/login" } } } @@ -205,6 +206,7 @@ data "template_file" "oathkeeper_kratos_proxy_rules" { backend_service_domain = var.backend_service_domain public_selfserve_endpoint = "/.ory/kratos/public" admin_selfserve_endpoint = "/.ory/kratos" + auth_namespace = var.auth_namespace } } @@ -220,6 +222,8 @@ resource "null_resource" "oathkeeper_kratos_proxy_rules" { } module "oathkeeper_config" { + count = var.disable_oathkeeper ? 0 : 1 + source = "cloudposse/config/yaml" version = "0.7.0" @@ -229,6 +233,7 @@ module "oathkeeper_config" { } resource "helm_release" "oathkeeper" { + count = var.disable_oathkeeper ? 0 : 1 name = "oathkeeper-${var.name}" repository = "https://k8s.ory.sh/helm/charts" @@ -238,7 +243,7 @@ resource "helm_release" "oathkeeper" { depends_on = [kubernetes_namespace.user_auth] values = [ - jsonencode(module.oathkeeper_config.map_configs) + jsonencode(module.oathkeeper_config[0].map_configs) ] # Clean up and set the JWKS content. This will become a secret mounted into the pod diff --git a/modules/user_auth/variables.tf b/modules/user_auth/variables.tf index d5561a9..6175495 100644 --- a/modules/user_auth/variables.tf +++ b/modules/user_auth/variables.tf @@ -93,3 +93,15 @@ variable "kratos_default_redirect_ui_path" { type = string default = "/dashboard" } + +variable "disable_oathkeeper" { + description = "To not provision Oathkeeper, this is useful when you want multiple Kratos setup, while only 1 Oathkeeper proxy to route to them, for example sharing Oathkeeper between a Dev and Staging Kratos" + type = bool + default = false +} + +variable "frontend_use_https" { + description = "Whether frontend URLs should be https, unless your developing locally you should leave the default as is." + type = bool + default = true +}