Enhance Trivy integration: update email dispatch logic, add LLM prompt generation, and improve security context in deployments
This commit is contained in:
@@ -24,14 +24,17 @@ locals {
|
||||
|
||||
services_config = {
|
||||
for k, v in var.services : "${k}.conf" => coalesce(v.config, templatefile("${path.module}/resources/nginx/conf.d/default.conf.tpl", {
|
||||
errors = local.error_codes
|
||||
http_port = v.http_port
|
||||
https_port = v.https_port
|
||||
upstream = v.upstream
|
||||
resolver = v.resolver
|
||||
tls = v.tls
|
||||
fqdn = join(" ", v.fqdn)
|
||||
auth = length([for l in v.locations : true if l.private]) > 0
|
||||
errors = local.error_codes
|
||||
http_port = v.http_port
|
||||
https_port = v.https_port
|
||||
upstream = v.upstream
|
||||
resolver = v.resolver
|
||||
ingress = v.ingress
|
||||
service_http_port = v.service_http_port
|
||||
service_https_port = v.service_https_port
|
||||
tls = v.tls
|
||||
fqdn = length(v.fqdn) > 0 ? join(" ", v.fqdn) : k
|
||||
auth = length([for l in v.locations : true if l.private]) > 0
|
||||
locations = [for l in v.locations : {
|
||||
path = l.path
|
||||
headers = merge(l.headers, coalesce(v.default_headers, local.default_headers))
|
||||
|
||||
@@ -22,23 +22,23 @@ resource "kubernetes_service_account" "reverse-proxy_service_account" {
|
||||
automount_service_account_token = false
|
||||
}
|
||||
|
||||
resource "kubernetes_service" "reverse-proxy" {
|
||||
resource "kubernetes_service" "services" {
|
||||
for_each = var.services
|
||||
metadata {
|
||||
name = format("reverse-proxy-%s", replace(each.key, ".", "-"))
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
spec {
|
||||
port {
|
||||
name = "http"
|
||||
port = 80
|
||||
port = each.value.service_http_port
|
||||
target_port = substr(format("http-%s", replace(each.key, ".", "-")), 0, 15)
|
||||
}
|
||||
dynamic "port" {
|
||||
for_each = each.value.tls ? [1] : []
|
||||
content {
|
||||
name = "https"
|
||||
port = 443
|
||||
port = each.value.service_https_port
|
||||
target_port = substr(format("https-%s", replace(each.key, ".", "-")), 0, 15)
|
||||
}
|
||||
}
|
||||
@@ -137,10 +137,10 @@ resource "kubernetes_config_map" "auth_script" {
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_ingress_v1" "reverse-proxy_ingress" {
|
||||
for_each = var.services
|
||||
resource "kubernetes_ingress_v1" "ingress" {
|
||||
for_each = { for k, v in var.services : k => v if lookup(v, "ingress", true) && length(v.fqdn) > 0 }
|
||||
metadata {
|
||||
name = format("reverse-proxy-%s", replace(each.key, ".", "-"))
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
|
||||
annotations = merge({
|
||||
@@ -149,7 +149,7 @@ resource "kubernetes_ingress_v1" "reverse-proxy_ingress" {
|
||||
},
|
||||
each.value.custom_ingress_annotations,
|
||||
each.value.tls ? {
|
||||
"nginx.org/ssl-services" = format("reverse-proxy-%s", replace(each.key, ".", "-"))
|
||||
"nginx.org/ssl-services" = format("%s", replace(each.key, ".", "-"))
|
||||
"nginx.org/ssl-redirect" = "true"
|
||||
"nginx.org/redirect-to-https" = "true"
|
||||
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
|
||||
@@ -169,7 +169,7 @@ resource "kubernetes_ingress_v1" "reverse-proxy_ingress" {
|
||||
path {
|
||||
backend {
|
||||
service {
|
||||
name = format("reverse-proxy-%s", replace(each.key, ".", "-"))
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
port {
|
||||
name = each.value.tls ? "https" : "http"
|
||||
}
|
||||
@@ -535,35 +535,3 @@ resource "kubernetes_deployment" "reverse_proxy" {
|
||||
ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# resource "kubernetes_service" "reverse_proxy_streams" {
|
||||
# count = length(var.streams) > 0 ? 1 : 0
|
||||
# metadata {
|
||||
# name = "stream-ports"
|
||||
# namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
# }
|
||||
|
||||
# spec {
|
||||
# selector = {
|
||||
# app = "reverse-proxy"
|
||||
# }
|
||||
|
||||
# dynamic "port" {
|
||||
# for_each = var.streams
|
||||
# content {
|
||||
# name = format("%s-%s-%d", port.key, port.value.protocol, port.value.port)
|
||||
# port = port.value.port
|
||||
# target_port = port.value.port
|
||||
# protocol = upper(port.value.protocol)
|
||||
# }
|
||||
# }
|
||||
# type = "LoadBalancer"
|
||||
# }
|
||||
|
||||
# lifecycle {
|
||||
# ignore_changes = [
|
||||
# metadata[0].annotations
|
||||
# ]
|
||||
# }
|
||||
# }
|
||||
|
||||
@@ -29,7 +29,7 @@ variable "issuer_name" {
|
||||
variable "services" {
|
||||
description = "A list of services to be deployed"
|
||||
type = map(object({
|
||||
fqdn = list(string)
|
||||
fqdn = optional(list(string), [])
|
||||
custom_ingress_annotations = optional(map(string), {})
|
||||
annotations = optional(map(string), {})
|
||||
upstream = optional(string, "")
|
||||
@@ -38,6 +38,9 @@ variable "services" {
|
||||
http_port = optional(number, 80)
|
||||
https_port = optional(number, 443)
|
||||
tls = optional(bool, false)
|
||||
ingress = optional(bool, true)
|
||||
service_http_port = optional(number, 80)
|
||||
service_https_port = optional(number, 443)
|
||||
locations = optional(list(object({
|
||||
path = string,
|
||||
headers = optional(map(string), {}),
|
||||
|
||||
Reference in New Issue
Block a user