add option to specify which ingresses are protected and also expose list of paths to allow [ci skip]

2023-11-03 23:27:12 +00:00 · 2023-11-03 23:27:12 +00:00 · 3f809e946a
commit 3f809e946a
parent 255eb1e2db
3 changed files with 38 additions and 9 deletions
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@ -10,6 +10,14 @@ variable "tls_secret_name" {}
 variable "backend_protocol" {
  default = "HTTP"
 }
+variable "protected" {
+  type    = bool
+  default = true
+}
+variable "ingress_path" {
+  type    = list(string)
+  default = ["/"]
+}


 resource "kubernetes_service" "proxied-service" {
@ -41,8 +49,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
    annotations = {
      "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
      "kubernetes.io/ingress.class"                  = "nginx"
-      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
-      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+      "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/auth" : null
+      "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" : null
    }
  }

@ -54,18 +62,27 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
    rule {
      host = "${var.name}.viktorbarzin.me"
      http {
-        path {
-          path = "/"
-          backend {
-            service {
+        dynamic "path" {
+          # for_each = { for pr in var.ingress_path : pr => pr }
+          for_each = var.ingress_path

-              name = var.name
-              port {
-                number = var.port
+          content {
+            path = path.value
+            backend {
+              service {
+
+                name = var.name
+                port {
+                  number = var.port
+                }
              }
            }
          }
        }
+        # path {
+        #   # path = var.ingress_path
+        #   path = each.value
+        # }
      }
    }
  }
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@ -35,6 +35,18 @@ module "nas" {
  backend_protocol = "HTTPS"
 }

+# https://files.viktorbarzin.me/
+module "nas-files" {
+  source           = "./factory"
+  name             = "files"
+  external_name    = "nas.viktorbarzin.lan"
+  port             = 5001
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+  protected        = false # allow anyone to download files
+  ingress_path     = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js"]
+}
+
 # https://idrac.viktorbarzin.me/
 module "idrac" {
  source           = "./factory"
--- a/terraform.tfstate
+++ b/terraform.tfstate