Add minio to authentik
This commit is contained in:
parent
0b838b52cc
commit
979a386831
GPG key ID:
13AD60C237A28DFE
3 changed files with 47 additions and 2 deletions
|
|
@ -14,6 +14,39 @@ data "authentik_property_mapping_provider_scope" "default_scopes" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "authentik_user" "default" {
|
||||||
|
username = "serguzim"
|
||||||
|
name = "Tobias Reisinger"
|
||||||
|
email = "tobias@msrg.cc"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "authentik_property_mapping_provider_scope" "minio" {
|
||||||
|
name = "minio"
|
||||||
|
scope_name = "minio"
|
||||||
|
expression = <<EOF
|
||||||
|
if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
|
||||||
|
return {
|
||||||
|
"minio_policy": "consoleAdmin",
|
||||||
|
}
|
||||||
|
elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
|
||||||
|
return {
|
||||||
|
"minio_policy": "readonly"
|
||||||
|
}
|
||||||
|
return None
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "authentik_group" "minio_admins" {
|
||||||
|
name = "Minio admins"
|
||||||
|
users = [authentik_user.default.id]
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "authentik_group" "minio_users" {
|
||||||
|
name = "Minio users"
|
||||||
|
users = []
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
resource "authentik_provider_oauth2" "service_providers" {
|
resource "authentik_provider_oauth2" "service_providers" {
|
||||||
for_each = local.services_auth
|
for_each = local.services_auth
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
|
|
@ -21,7 +54,10 @@ resource "authentik_provider_oauth2" "service_providers" {
|
||||||
client_id = each.value.name
|
client_id = each.value.name
|
||||||
authorization_flow = data.authentik_flow.default_authorization_flow.id
|
authorization_flow = data.authentik_flow.default_authorization_flow.id
|
||||||
redirect_uris = each.value.auth_redirects
|
redirect_uris = each.value.auth_redirects
|
||||||
property_mappings = data.authentik_property_mapping_provider_scope.default_scopes.ids
|
property_mappings = flatten([
|
||||||
|
data.authentik_property_mapping_provider_scope.default_scopes.ids,
|
||||||
|
each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
|
||||||
|
])
|
||||||
signing_key = data.authentik_certificate_key_pair.default.id
|
signing_key = data.authentik_certificate_key_pair.default.id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -21,6 +21,14 @@ minio_env:
|
||||||
MINIO_ROOT_USER: "{{ vault_minio.user }}"
|
MINIO_ROOT_USER: "{{ vault_minio.user }}"
|
||||||
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
|
MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
|
||||||
|
|
||||||
|
MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
|
||||||
|
MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
|
||||||
|
MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
|
||||||
|
MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
|
||||||
|
MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
|
||||||
|
MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
|
||||||
|
|
||||||
|
|
||||||
minio_compose:
|
minio_compose:
|
||||||
watchtower: true
|
watchtower: true
|
||||||
image: minio/minio
|
image: minio/minio
|
||||||
|
|
|
||||||
|
|
@ -280,7 +280,8 @@ services = {
|
||||||
url = "/minio/health/live"
|
url = "/minio/health/live"
|
||||||
group = "7-support"
|
group = "7-support"
|
||||||
}
|
}
|
||||||
auth = false
|
auth = true
|
||||||
|
auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
|
||||||
database = false
|
database = false
|
||||||
s3 = false
|
s3 = false
|
||||||
},
|
},
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue