From d89ba200ba54a3673e402e502265a7e982987db8 Mon Sep 17 00:00:00 2001
From: Dan Ankers <md1clv@md1clv.com>
Date: Mon, 23 Oct 2023 21:53:05 +0100
Subject: [PATCH] WIP: Federating FreeIPA and Keycloak

---
 main.tf | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/main.tf b/main.tf
index b8daab0..7216f3b 100644
--- a/main.tf
+++ b/main.tf
@@ -24,6 +24,10 @@ terraform {
       source = "rework-space-com/freeipa"
       version = "4.0.0"
     }
+#    ldap = {
+#      source  = "l-with/ldap"
+#      version = ">= 0.4"
+#    }
   }
   backend "kubernetes" {
     secret_suffix    = "tfstate"
@@ -70,6 +74,14 @@ provider "freeipa" {
   insecure = true
 }
 
+#provider "ldap" {
+#  alias = "ldap_provisioner"
+#  host = "${helm_release.freeipa.name}.${var.domain_suffix}"
+#  bind_user = "admin"
+#  bind_password = "${var.freeipa_ds_password}"
+#  port = 389
+#}
+
 resource "helm_release" "keycloak" {
   name                       = "keycloak"
   namespace                  = var.keycloak_namespace
@@ -569,15 +581,16 @@ resource "helm_release" "grafana" {
 resource "helm_release" "freeipa" {
   name = "freeipa"
   namespace = var.freeipa_namespace
-  repository = "https://improwised.github.io/charts/"
+  # repository = "https://improwised.github.io/charts/"
+  repository = "https://git.k8s.md1clv.im/api/packages/dan/helm"
   chart = "freeipa"
   create_namespace = true
   values = [
 <<EOT
 hostname: freeipa.${var.domain_suffix}
 args:
-  realm: MD1CLV.IM
-  domain: md1clv.im
+  realm: ${var.ldap.realm}
+  domain: ${var.ldap.domain}
   dspassword: ${var.freeipa_ds_password}
   adminpassword: ${var.freeipa_admin_password}
   nohostdns: true
@@ -592,11 +605,6 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
   tls: true
-  extraPaths:
-  - path: /
-    backend:
-      service:
-        port: https
   backendProtocol: https
 service:
   annotations:
@@ -606,6 +614,17 @@ EOT
   ]
 }
 
+#resource "ldap_entry" "bind_user" {
+#  provider = ldap.ldap_provisioner
+#  dn = "uid=system,cn=sysaccounts,cn=etc,${var.ldap.base_dn}"
+#  data_json = jsonencode({
+#    objectClass = ["account","simplesecurityobject"]
+#    uid         = [var.ldap.bind_user]
+#    userPassword= [var.ldap.bind_password]
+#  })
+#}
+
+
 # resource freeipa_user "freeipa_users" {
 #   first_name = var.keycloak_user.firstname
 #   last_name = var.keycloak_user.lastname