feat(gitea): refactor configuration to use structured app_config and add TLS support

This commit is contained in:
2025-05-09 22:21:33 +02:00
parent 9de7d52192
commit 17a54f6792
13 changed files with 487 additions and 206 deletions
+18 -6
View File
@@ -64,19 +64,31 @@ module "gitea" {
backup_retention_days = local.local_backup_retention_days backup_retention_days = local.local_backup_retention_days
backup_cron_schedule = local.gitea_sql_backup_cron_schedule backup_cron_schedule = local.gitea_sql_backup_cron_schedule
db_password = var.gitea_mysql_password
db_root_password = var.mysql_root_password db_root_password = var.mysql_root_password
tag = local.gitea_version tag = local.gitea_version
fqdn = local.gitea_fqdn fqdn = local.gitea_fqdn
app_name = "A13Labs git repository"
app_config = {
app_name = "A13Labs git repository"
domain = local.gitea_fqdn
lfs_jwt_secret = var.gitea_lfs_jwt_secret
db_passwd = var.gitea_mysql_password
jwt_secret = var.gitea_jwt_secret
mail_from = "gitea@${local.primary_domain}"
no_reply_address = "no-reply@${local.primary_domain}"
smtp_user = var.scaleway_project_id
db_password = var.gitea_mysql_password
smtp_host = local.scaleway_smtp_host smtp_host = local.scaleway_smtp_host
smtp_port = local.scaleway_smtp_port smtp_port = local.scaleway_smtp_port
smtp_username = var.scaleway_project_id smtp_user = var.scaleway_project_id
smtp_password = scaleway_iam_api_key.mail_app_api.secret_key smtp_passwd = scaleway_iam_api_key.mail_app_api.secret_key
secret_key = var.gitea_secret_key
from_email = "gitea@${local.primary_domain}" internal_token = var.gitea_internal_token
disable_ssh = false
ssh_port = 22
disable_registration = true
}
} }
module "sftpgo" { module "sftpgo" {
+24
View File
@@ -82,3 +82,27 @@ variable "root_ca_key" {
type = string type = string
sensitive = true sensitive = true
} }
variable "gitea_lfs_jwt_secret" {
description = "Gitea LFS JWT secret"
type = string
sensitive = true
}
variable "gitea_secret_key" {
description = "Gitea secret key"
type = string
sensitive = true
}
variable "gitea_internal_token" {
description = "Gitea internal token"
type = string
sensitive = true
}
variable "gitea_jwt_secret" {
description = "Gitea JWT secret"
type = string
sensitive = true
}
+4
View File
@@ -24,3 +24,7 @@ TF_VAR_mail_crypt_public_key=$DOVECOT_CRYPT_PUB_KEY_FILE
TF_VAR_sftpgo_admin_password=$SFTPGO_ADMIN_PASSWORD TF_VAR_sftpgo_admin_password=$SFTPGO_ADMIN_PASSWORD
TF_VAR_root_ca_pem=$K8S_ROOT_CA_PEM TF_VAR_root_ca_pem=$K8S_ROOT_CA_PEM
TF_VAR_root_ca_key=$K8S_ROOT_CA_KEY TF_VAR_root_ca_key=$K8S_ROOT_CA_KEY
TF_VAR_gitea_lfs_jwt_secret=$GITEA_LFS_JWT_SECRET
TF_VAR_gitea_secret_key=$GITEA_SECRET_KEY
TF_VAR_gitea_internal_token=$GITEA_INTERNAL_TOKEN
TF_VAR_gitea_jwt_secret=$GITEA_JWT_SECRET
+34 -38
View File
@@ -1,43 +1,39 @@
locals { locals {
gitea_env_vars = {
APP_NAME = var.app_name
HTTP_PORT = "3000"
RUN_MODE = "prod"
LFS_START_SERVER = "true"
SSH_DOMAIN = var.fqdn
DISABLE_REGISTRATION = true
INSTALL_LOCK = "true"
DB_TYPE = "mysql"
DB_NAME = "gitea"
DB_HOST = module.gitea_database.host
SSH_LISTEN_PORT = 22
GITEA__mailer__ENABLED = true
GITEA__mailer__FROM = var.from_email
GITEA__mailer__SMTP_ADDR = var.smtp_host
GITEA__mailer__SMTP_PORT = var.smtp_port
GITEA__mailer__PROTOCOL = "smtps"
}
gitea_secrets = {
DB_USER = {
key = "username"
name = module.gitea_database.app_crendentials_name
}
DB_PASSWD = {
key = "password"
name = module.gitea_database.app_crendentials_name
}
GITEA__mailer__USER = {
key = "username"
name = kubernetes_secret.gitea_mail_credentials.metadata[0].name
}
GITEA__mailer__PASSWD = {
key = "password"
name = kubernetes_secret.gitea_mail_credentials.metadata[0].name
}
}
gitea_path = "${var.persistent_folder}/gitea" gitea_path = "${var.persistent_folder}/gitea"
gitea_db_path = "${var.database_folder}/mysql.gitea" gitea_db_path = "${var.database_folder}/mysql.gitea"
config = templatefile("${path.module}/resources/app.ini.tpl", {
APP_NAME = var.app_config.app_name
RUN_MODE = var.app_config.run_mode
DOMAIN = var.app_config.domain
HTTP_PORT = var.app_config.http_port
TLS_ENABLED = var.tls_enabled
DISABLE_SSH = var.app_config.disable_ssh
SSH_PORT = var.app_config.ssh_port
LFS_JWT_SECRET = var.app_config.lfs_jwt_secret
DB_HOST = var.app_config.db_host
DB_PORT = var.app_config.db_port
DB_NAME = var.app_config.db_name
DB_USER = var.app_config.db_user
DB_PASSWD = var.app_config.db_passwd
DB_SSL_MODE = var.tls_enabled ? "skip-verify" : "false"
SECRET_KEY = var.app_config.secret_key
INTERNAL_TOKEN = var.app_config.internal_token
DISABLE_REGISTRATION = var.app_config.disable_registration
REQUIRE_SIGNIN_VIEW = var.app_config.require_signin_view
REGISTER_EMAIL_CONFIRM = var.app_config.register_email_confirm
ENABLE_NOTIFY_MAIL = var.app_config.enable_notify_mail
ALLOW_ONLY_EXTERNAL_REGISTRATION = var.app_config.allow_only_external_registration
ENABLE_CAPTCHA = var.app_config.enable_captcha
NO_REPLY_ADDRESS = var.app_config.no_reply_address
JWT_SECRET = var.app_config.jwt_secret
MAIL_FROM = var.app_config.mail_from
SMTP_USER = var.app_config.smtp_user
SMTP_PASSWD = var.app_config.smtp_passwd
SMTP_PROTOCOL = var.app_config.smtp_protocol
SMTP_HOST = var.app_config.smtp_host
SMTP_PORT = var.app_config.smtp_port
})
config_checksum = sha256(local.config)
} }
+5 -2
View File
@@ -2,9 +2,9 @@ module "gitea_database" {
source = "../../db/mariadb" source = "../../db/mariadb"
namespace = kubernetes_namespace.gitea.metadata[0].name namespace = kubernetes_namespace.gitea.metadata[0].name
app_name = "gitea" app_name = var.app_config.db_name
app_password = var.db_password app_password = var.app_config.db_passwd
root_password = var.db_root_password root_password = var.db_root_password
retention_days = var.backup_retention_days retention_days = var.backup_retention_days
@@ -12,4 +12,7 @@ module "gitea_database" {
database_folder = local.gitea_db_path database_folder = local.gitea_db_path
backup_folder = var.backup_folder backup_folder = var.backup_folder
tls_enabled = var.tls_enabled
issuer = var.issuer
} }
+63
View File
@@ -0,0 +1,63 @@
resource "kubernetes_service" "gitea_http" {
metadata {
name = "http"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
spec {
port {
port = var.tls_enabled ? 443 : 80
target_port = "http"
}
selector = {
app = "gitea"
}
cluster_ip = "None"
}
}
resource "kubernetes_ingress_v1" "gitea_ingress" {
metadata {
name = "gitea-ingress"
namespace = kubernetes_namespace.gitea.metadata[0].name
annotations = merge({
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
"nginx.ingress.kubernetes.io/ssl-redirect" = "true"
"nginx.ingress.kubernetes.io/proxy-body-size" = "8m"
"nginx.ingress.kubernetes.io/proxy-request-buffering" = "on"
"nginx.ingress.kubernetes.io/proxy-buffer-size" = "32k"
"nginx.ingress.kubernetes.io/proxy-buffers-number" = "16"
},
var.tls_enabled ? {
"nginx.org/ssl-services" = "http"
"nginx.org/ssl-redirect" = "true"
"nginx.org/redirect-to-https" = "true"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
} : {}
)
}
spec {
tls {
hosts = [var.fqdn]
secret_name = "gitea-tls"
}
rule {
host = var.fqdn
http {
path {
backend {
service {
name = "http"
port {
number = var.tls_enabled ? 443 : 80
}
}
}
}
}
}
}
}
+65 -123
View File
@@ -12,18 +12,38 @@ resource "kubernetes_namespace" "gitea" {
} }
} }
resource "kubernetes_secret" "gitea_mail_credentials" { resource "kubernetes_manifest" "internal_cert" {
count = var.tls_enabled ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "internal-cert"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
spec = {
secretName = "internal-cert"
issuerRef = {
name = var.issuer
kind = "ClusterIssuer"
}
commonName = var.fqdn
dnsNames = [var.fqdn]
}
}
}
resource "kubernetes_config_map" "gitea_config" {
metadata { metadata {
name = "gitea-mail-credentials" name = "gitea-config"
namespace = kubernetes_namespace.gitea.metadata[0].name namespace = kubernetes_namespace.gitea.metadata[0].name
} }
data = { data = {
username = var.smtp_username "app.ini" = local.config
password = var.smtp_password
} }
type = "Opaque"
} }
resource "kubernetes_service_account" "gitea_service_account" { resource "kubernetes_service_account" "gitea_service_account" {
metadata { metadata {
@@ -34,61 +54,6 @@ resource "kubernetes_service_account" "gitea_service_account" {
automount_service_account_token = false automount_service_account_token = false
} }
resource "kubernetes_service" "gitea_http" {
metadata {
name = "http"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
spec {
port {
port = 80
target_port = "http"
}
selector = {
app = "gitea"
}
cluster_ip = "None"
}
}
resource "kubernetes_ingress_v1" "gitea_ingress" {
metadata {
name = "gitea-ingress"
namespace = kubernetes_namespace.gitea.metadata[0].name
annotations = {
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
"nginx.ingress.kubernetes.io/ssl-redirect" = "true"
"nginx.ingress.kubernetes.io/proxy-body-size" = "8m"
"nginx.ingress.kubernetes.io/proxy-request-buffering" = "on"
"nginx.ingress.kubernetes.io/proxy-buffer-size" = "32k"
"nginx.ingress.kubernetes.io/proxy-buffers-number" = "16"
}
}
spec {
tls {
hosts = [var.fqdn]
secret_name = "gitea-tls"
}
rule {
host = var.fqdn
http {
path {
backend {
service {
name = "http"
port {
number = 80
}
}
}
}
}
}
}
}
resource "kubernetes_deployment" "gitea" { resource "kubernetes_deployment" "gitea" {
depends_on = [module.gitea_database] depends_on = [module.gitea_database]
@@ -111,6 +76,9 @@ resource "kubernetes_deployment" "gitea" {
labels = { labels = {
app = "gitea" app = "gitea"
} }
annotations = {
"checksum/config" = local.config_checksum
}
} }
spec { spec {
service_account_name = kubernetes_service_account.gitea_service_account.metadata[0].name service_account_name = kubernetes_service_account.gitea_service_account.metadata[0].name
@@ -149,30 +117,10 @@ resource "kubernetes_deployment" "gitea" {
failure_threshold = 3 failure_threshold = 3
} }
dynamic "env" {
for_each = local.gitea_env_vars
content {
name = env.key
value = env.value
}
}
security_context { security_context {
allow_privilege_escalation = false allow_privilege_escalation = false
} }
dynamic "env" {
for_each = local.gitea_secrets
content {
name = env.key
value_from {
secret_key_ref {
key = env.value.key
name = env.value.name
}
}
}
}
port { port {
container_port = 3000 container_port = 3000
name = "http" name = "http"
@@ -186,6 +134,19 @@ resource "kubernetes_deployment" "gitea" {
mount_path = "/data" mount_path = "/data"
name = "persistent-storage" name = "persistent-storage"
} }
volume_mount {
mount_path = "/data/gitea/conf/app.ini"
name = "gitea-config"
sub_path = "app.ini"
}
dynamic "volume_mount" {
for_each = var.tls_enabled ? [1] : []
content {
mount_path = "/etc/ssl/certs/private"
name = "internal-cert"
read_only = true
}
}
} }
volume { volume {
name = "persistent-storage" name = "persistent-storage"
@@ -193,54 +154,35 @@ resource "kubernetes_deployment" "gitea" {
path = local.gitea_path path = local.gitea_path
} }
} }
volume {
name = "gitea-config"
config_map {
name = kubernetes_config_map.gitea_config.metadata[0].name
}
}
dynamic "volume" {
for_each = var.tls_enabled ? [1] : []
content {
name = "internal-cert"
secret {
secret_name = kubernetes_manifest.internal_cert[0].manifest["metadata"]["name"]
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
} }
} }
} }
} }
resource "kubernetes_role" "gitea_ssh_access" { lifecycle {
metadata { ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
rule {
api_groups = [""]
resources = ["pods", "pods/log"]
verbs = ["get", "list"]
}
rule {
api_groups = [""]
resources = ["pods/exec"]
verbs = ["create"]
} }
} }
resource "kubernetes_role_binding" "gitea_ssh_access" {
metadata {
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.gitea_ssh_access.metadata[0].name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.gitea_service_account.metadata[0].name
namespace = kubernetes_namespace.gitea.metadata[0].name
}
}
resource "kubernetes_secret" "gitea_access_token" {
metadata {
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.gitea_service_account.metadata[0].name
}
name = "git-token"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
type = "kubernetes.io/service-account-token"
wait_for_service_account_token = true
}
+46
View File
@@ -0,0 +1,46 @@
resource "kubernetes_role" "gitea_ssh_access" {
metadata {
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
rule {
api_groups = [""]
resources = ["pods", "pods/log"]
verbs = ["get", "list"]
}
rule {
api_groups = [""]
resources = ["pods/exec"]
verbs = ["create"]
}
}
resource "kubernetes_role_binding" "gitea_ssh_access" {
metadata {
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.gitea_ssh_access.metadata[0].name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.gitea_service_account.metadata[0].name
namespace = kubernetes_namespace.gitea.metadata[0].name
}
}
resource "kubernetes_secret" "gitea_access_token" {
metadata {
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.gitea_service_account.metadata[0].name
}
name = "git-token"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
type = "kubernetes.io/service-account-token"
wait_for_service_account_token = true
}
@@ -0,0 +1,92 @@
APP_NAME = ${APP_NAME}
RUN_MODE = ${RUN_MODE}
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
SSH_DOMAIN = ${DOMAIN}
HTTP_PORT = ${HTTP_PORT}
%{ if TLS_ENABLED ~}
PROTOCOL = https
ROOT_URL = https://${DOMAIN}
CERT_FILE = /etc/ssl/certs/private/tls.crt
KEY_FILE = /etc/ssl/certs/private/tls.key
%{ else ~}
PROTOCOL = http
ROOT_URL = http://${DOMAIN}
%{ endif ~}
DISABLE_SSH = ${DISABLE_SSH}
SSH_PORT = ${SSH_PORT}
SSH_LISTEN_PORT = ${SSH_PORT}
LFS_START_SERVER = true
LFS_CONTENT_PATH = /data/git/lfs
LFS_JWT_SECRET = ${LFS_JWT_SECRET}
DOMAIN = ${DOMAIN}
OFFLINE_MODE = false
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = mysql
HOST = ${DB_HOST}:${DB_PORT}
NAME = ${DB_NAME}
USER = ${DB_USER}
PASSWD = ${DB_PASSWD}
SSL_MODE = ${DB_SSL_MODE}
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY = ${SECRET_KEY}
INTERNAL_TOKEN = ${INTERNAL_TOKEN}
[service]
DISABLE_REGISTRATION = ${DISABLE_REGISTRATION}
REQUIRE_SIGNIN_VIEW = ${REQUIRE_SIGNIN_VIEW}
REGISTER_EMAIL_CONFIRM = ${REGISTER_EMAIL_CONFIRM}
ENABLE_NOTIFY_MAIL = ${ENABLE_NOTIFY_MAIL}
ALLOW_ONLY_EXTERNAL_REGISTRATION = ${ALLOW_ONLY_EXTERNAL_REGISTRATION}
ENABLE_CAPTCHA = ${ENABLE_CAPTCHA}
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = ${NO_REPLY_ADDRESS}
[oauth2]
JWT_SECRET = ${JWT_SECRET}
[mailer]
ENABLED = true
FROM = ${MAIL_FROM}
USER = ${SMTP_USER}
PASSWD = ${SMTP_PASSWD}
PROTOCOL = ${SMTP_PROTOCOL}
SMTP_ADDR = ${SMTP_HOST}
SMTP_PORT = ${SMTP_PORT}
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = false
+40 -31
View File
@@ -23,12 +23,6 @@ variable "backup_cron_schedule" {
type = string type = string
} }
variable "db_password" {
description = "The password for the Gitea MySQL database"
type = string
sensitive = true
}
variable "db_root_password" { variable "db_root_password" {
description = "The root password for the MySQL database" description = "The root password for the MySQL database"
type = string type = string
@@ -46,34 +40,49 @@ variable "fqdn" {
type = string type = string
} }
variable "app_name" {
description = "The name of the application" variable "tls_enabled" {
type = string description = "Enable TLS for the SFTPGo server"
type = bool
default = true
} }
variable "smtp_host" { variable "issuer" {
description = "The SMTP relay host" description = "The issuer for the certificate"
type = string type = string
default = "internal-ca"
} }
variable "smtp_port" { variable "app_config" {
description = "The SMTP relay port" description = "The configuration for the SFTPGo server"
type = number type = object({
} app_name = string
domain = string
variable "smtp_username" { lfs_jwt_secret = string
description = "The SMTP relay username" db_passwd = string
type = string jwt_secret = string
sensitive = true mail_from = string
} no_reply_address = string
smtp_user = string
variable "smtp_password" { smtp_passwd = string
description = "The SMTP relay password" smtp_host = string
type = string secret_key = string
sensitive = true internal_token = string
} disable_registration = optional(bool, true)
require_signin_view = optional(bool, false)
variable "from_email" { register_email_confirm = optional(bool, false)
description = "The email address to use as the sender" enable_notify_mail = optional(bool, true)
type = string allow_only_external_registration = optional(bool, false)
enable_captcha = optional(bool, true)
run_mode = optional(string, "prod")
http_port = optional(string, "3000")
disable_ssh = optional(bool, false)
ssh_port = optional(number, 22)
db_host = optional(string, "mariadb")
db_port = optional(string, "3306")
db_name = optional(string, "gitea")
db_user = optional(string, "gitea")
smtp_protocol = optional(string, "SMTPS")
smtp_port = optional(string, "587")
})
} }
+75 -1
View File
@@ -10,6 +10,37 @@ resource "kubernetes_secret" "root_password" {
type = "Opaque" type = "Opaque"
} }
resource "kubernetes_manifest" "internal_cert" {
count = var.tls_enabled ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "mariadb-cert"
namespace = var.namespace
}
spec = {
secretName = "mariadb-cert"
issuerRef = {
name = var.issuer
kind = "ClusterIssuer"
}
commonName = "${var.app_name}-db-cert"
}
}
}
resource "kubernetes_config_map" "ssl_config" {
count = var.tls_enabled ? 1 : 0
metadata {
name = "${var.app_name}-mariadb-config"
namespace = var.namespace
}
data = {
"tls.cnf" = file("${path.module}/resources/tls.cnf")
}
}
resource "kubernetes_service_account" "service_account" { resource "kubernetes_service_account" "service_account" {
metadata { metadata {
@@ -94,7 +125,7 @@ resource "kubernetes_deployment" "deployment" {
exec { exec {
command = ["sh", "-c", "mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"] command = ["sh", "-c", "mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD"]
} }
initial_delay_seconds = 120 initial_delay_seconds = 30
period_seconds = 10 period_seconds = 10
timeout_seconds = 1 timeout_seconds = 1
failure_threshold = 15 failure_threshold = 15
@@ -147,6 +178,23 @@ resource "kubernetes_deployment" "deployment" {
mount_path = "/docker-entrypoint-initdb.d" mount_path = "/docker-entrypoint-initdb.d"
name = "initdb-storage" name = "initdb-storage"
} }
dynamic "volume_mount" {
for_each = var.tls_enabled ? [1] : []
content {
mount_path = "/etc/ssl/certs/private"
name = "mariadb-cert"
read_only = true
}
}
dynamic "volume_mount" {
for_each = var.tls_enabled ? [1] : []
content {
mount_path = "/etc/mysql/conf.d/tls.cnf"
name = "ssl-config"
sub_path = "tls.cnf"
read_only = true
}
}
} }
volume { volume {
name = "persistent-storage" name = "persistent-storage"
@@ -160,6 +208,32 @@ resource "kubernetes_deployment" "deployment" {
path = "${var.database_folder}/${var.app_name}.initdb.d" path = "${var.database_folder}/${var.app_name}.initdb.d"
} }
} }
dynamic "volume" {
for_each = var.tls_enabled ? [1] : []
content {
name = "mariadb-cert"
secret {
secret_name = kubernetes_manifest.internal_cert[0].manifest["metadata"]["name"]
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
}
dynamic "volume" {
for_each = var.tls_enabled ? [1] : []
content {
name = "ssl-config"
config_map {
name = kubernetes_config_map.ssl_config[0].metadata[0].name
}
}
}
} }
} }
} }
@@ -0,0 +1,4 @@
[mysqld]
ssl-cert = /etc/ssl/certs/private/tls.crt
ssl-key = /etc/ssl/certs/private/tls.key
tls-version = TLSv1.2,TLSv1.3
+12
View File
@@ -49,3 +49,15 @@ variable "backup_folder" {
description = "Backup source location" description = "Backup source location"
type = string type = string
} }
variable "tls_enabled" {
description = "Enable SSL for MariaDB"
default = false
type = bool
}
variable "issuer" {
description = "Issuer for SSL certificate"
default = "internal-ca"
type = string
}