Enable Authelia OIDC for Nomad
This commit is contained in:
parent
0ceb513216
commit
60a4051988
26
core/.terraform.lock.hcl
generated
26
core/.terraform.lock.hcl
generated
@ -2,20 +2,20 @@
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/nomad" {
|
||||
version = "1.4.19"
|
||||
version = "1.4.20"
|
||||
hashes = [
|
||||
"h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
|
||||
"zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
|
||||
"zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
|
||||
"zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
|
||||
"zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
|
||||
"zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
|
||||
"zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
|
||||
"zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
|
||||
"h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
|
||||
"zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
|
||||
"zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
|
||||
"zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
|
||||
"zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
|
||||
"zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
|
||||
"zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
|
||||
"zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
|
||||
"zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
|
||||
"zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
|
||||
"zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
|
||||
"zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
|
||||
"zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
|
||||
"zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
|
||||
"zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
|
||||
]
|
||||
}
|
||||
|
42
core/main.tf
42
core/main.tf
@ -154,3 +154,45 @@ module "authelia" {
|
||||
},
|
||||
]
|
||||
}
|
||||
|
||||
resource "nomad_acl_auth_method" "nomad_authelia" {
|
||||
name = "authelia"
|
||||
type = "OIDC"
|
||||
token_locality = "global"
|
||||
max_token_ttl = "10m0s"
|
||||
default = true
|
||||
|
||||
config {
|
||||
oidc_discovery_url = "https://authelia.thefij.rocks"
|
||||
oidc_client_id = "nomad"
|
||||
oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
|
||||
bound_audiences = ["nomad"]
|
||||
oidc_scopes = [
|
||||
"groups",
|
||||
"openid",
|
||||
]
|
||||
allowed_redirect_uris = [
|
||||
"https://nomad.thefij.rocks/oidc/callback",
|
||||
"https://nomad.thefij.rocks/ui/settings/tokens",
|
||||
]
|
||||
list_claim_mappings = {
|
||||
"groups" : "roles"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
|
||||
description = "engineering rule"
|
||||
auth_method = nomad_acl_auth_method.nomad_authelia.name
|
||||
selector = "\"nomad-deploy\" in list.roles"
|
||||
bind_type = "role"
|
||||
bind_name = "admin" # acls.nomad_acl_role.admin.name
|
||||
}
|
||||
|
||||
resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
|
||||
description = "engineering rule"
|
||||
auth_method = nomad_acl_auth_method.nomad_authelia.name
|
||||
selector = "\"nomad-deploy\" in list.roles"
|
||||
bind_type = "role"
|
||||
bind_name = "deploy" # acls.nomad_acl_role.deploy.name
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user