Mode auth implementation into a module (#182)

* move auth into module for better portability

to allow spining up multiple auth setup in one cluster

* fixup! move auth into module for better portability

* move user-auth to terraform-aws-zero

* fixup! move user-auth to terraform-aws-zero

* remove auth-domain from user-auth

currently all the auth requests are going through oathkeeper
using the api ingress to route to the kratos service

* customizable list of whitelisted return urls

* add cookie signing secret key

* fixup! add cookie signing secret key

* fixup! fixup! add cookie signing secret key

* fixup! fixup! fixup! add cookie signing secret key

* fixup! fixup! fixup! fixup! add cookie signing secret key

* fixup! fixup! fixup! fixup! fixup! add cookie signing secret key

* fixup! fixup! fixup! fixup! fixup! fixup! add cookie signing secret key

Author: davidcheung

.github/workflows/terraform.yml

@@ -13,9 +13,6 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: hashicorp/setup-terraform@v1
-      with:
-        terraform_version: 0.13.5
-
     - name: Install Zero
       id: install_zero
       run: |

templates/kubernetes/terraform/environments/prod/main.tf

@@ -75,13 +75,23 @@ module "kubernetes" {
   ]
 
   domain_name                 = local.domain_name
-  auth_enabled                = <% if eq (index .Params `userAuth`) "yes" %>true<% else %>false<% end %>
-  auth_domain                 = "auth.${local.domain_name}"
-  backend_service_domain      = "<% index .Params `productionBackendSubdomain` %>${local.domain_name}"
-  frontend_service_domain     = "<% index .Params `productionFrontendSubdomain` %>${local.domain_name}"
-  # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
-  user_auth_mail_from_address = "noreply@${local.domain_name}"
-
+  <% if eq (index .Params `userAuth`) "yes" %>user_auth = [
+    {
+      name = local.project
+      auth_namespace                = "user-auth"
+      frontend_service_domain       = "<% index .Params `productionFrontendSubdomain` %>.${local.domain_name}"
+      backend_service_domain        = "<% index .Params `productionBackendSubdomain` %>.${local.domain_name}"
+      whitelisted_return_urls       = ["https://<% index .Params `productionFrontendSubdomain` %>.${local.domain_name}"]
+      jwks_secret_name              = "${local.project}-${local.environment}-oathkeeper-jwks-${local.random_seed}"
+      # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
+      user_auth_mail_from_address   = "noreply@${local.domain_name}"
+      cookie_sigining_secret_key    = "${local.project}-${local.environment}-${local.random_seed}"
+    }
+    ## User auth: Kratos requires database and a secret (as: `user_auth[0].name`)
+    ## Oathkeeper requires a private key (as `user_auth[0].jwks_secret_name`)
+    ## per environment one of each (database/database secret/private key) is created in the pre-k8s step
+    ## If you need to add another user-auth instance you will have to create another set of these resources
+  ]<% end %>
   notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
   notification_service_highly_available = true
 

templates/kubernetes/terraform/environments/stage/main.tf

@@ -74,13 +74,23 @@ module "kubernetes" {
   ]
 
   domain_name                 = local.domain_name
-  auth_enabled                = <% if eq (index .Params `userAuth`) "yes" %>true<% else %>false<% end %>
-  auth_domain                 = "auth.${local.domain_name}"
-  backend_service_domain      = "<% index .Params `stagingBackendSubdomain` %>${local.domain_name}"
-  frontend_service_domain     = "<% index .Params `stagingFrontendSubdomain` %>${local.domain_name}"
-  # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
-  user_auth_mail_from_address = "noreply@${local.domain_name}"
-
+  <% if eq (index .Params `userAuth`) "yes" %>user_auth = [
+    {
+      name = local.project
+      auth_namespace                = "user-auth"
+      frontend_service_domain       = "<% index .Params `stagingFrontendSubdomain` %>.${local.domain_name}"
+      backend_service_domain        = "<% index .Params `stagingBackendSubdomain` %>.${local.domain_name}"
+      whitelisted_return_urls       = ["https://<% index .Params `stagingFrontendSubdomain` %>.${local.domain_name}"]
+      jwks_secret_name              = "${local.project}-${local.environment}-oathkeeper-jwks-${local.random_seed}"
+      # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
+      user_auth_mail_from_address   = "noreply@${local.domain_name}"
+      cookie_sigining_secret_key    = "${local.project}-${local.environment}-${local.random_seed}"
+    }
+    ## User auth: Kratos requires database and a secret (as: `user_auth[0].name`)
+    ## Oathkeeper requires a private key (as `user_auth[0].jwks_secret_name`)
+    ## per environment one of each (database/database secret/private key) is created in the pre-k8s step
+    ## If you need to add another user-auth instance you will have to create another set of these resources
+  ]<% end %>
   notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
   notification_service_highly_available = false
 

templates/kubernetes/terraform/modules/kubernetes/cert_manager.tf

@@ -126,7 +126,7 @@ resource "null_resource" "cert_manager_dns_issuer" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_cert_manager" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.14.0"
+  version                       = "~> v3.12.0"
   create_role                   = true
   role_name                     = "${var.project}-k8s-${var.environment}-cert-manager"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/cluster_autoscaler.tf

@@ -37,7 +37,7 @@ resource "helm_release" "cluster_autoscaler" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_cluster_autoscaler" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.14.0"
+  version                       = "~> v3.12.0"
   create_role                   = true
   role_name                     = "${var.project}-k8s-${var.environment}-cluster-autoscaler"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/external_dns.tf

@@ -1,7 +1,7 @@
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_external_dns" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.14.0"
+  version                       = "~> v3.12.0"
   create_role                   = true
   role_name                     = "${var.project}-k8s-${var.environment}-external-dns"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")