diff --git a/k8s/infra/auth/lldap/lldap-config.yaml b/k8s/infra/auth/lldap/lldap-config.yaml
index eceed5b..76ed2a7 100644
--- a/k8s/infra/auth/lldap/lldap-config.yaml
+++ b/k8s/infra/auth/lldap/lldap-config.yaml
@@ -5,8 +5,8 @@ metadata:
 namespace: lldap
 spec:
 encryptedData:
- groups.json: 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
- users.json: 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
+ groups.json: 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
+ users.json: AgCd3dQ7uovuVYm4/0+vMj0ZG7kFgzxYqUqAY2gCRHHT4OgvLBWVSkFw+rHPh6Qs6XVWbKUGg3sKUA511t8E3DMOJwExGgJV0mjpAavSK+BimPjxZuxKCukrZREWXc/Hi623CB903jjsSVOPffmMBMP7ac3jEFBAFuUDkSOLNBd9vpYl/cWAe88hllJjoN3cIxL91FgHDVgN36pIVXqXF/oGfyiymiH6m1KpvE2elaJ+qHRYtDGrEKD7NuemzPFvwJogjG9qzkKUOyzLwvNsWg4R7JdlfKEqI7JIEU51KhYKC/aG6tjyRt/Vq1EOH1oQgSGnY7pC6u6zngnf8z60t6s7rzGc3IkPvZBrQHLjhCJfMQQY2+xoT01mJO67AFb2w7xT3nX1/10EpdTWwPAUnskGW7ugYoaMIQglrqr/+BG/BngVw+2WlM5IRACoV7toxlncSO4vgH1sE6DEWw04BZywyTb7QOhNkuTkIaPvtqbsJSK4me0YK+EgL5ySMgU0oEN46o6aWVN2Ih6HLQ4+DvGqemZJyINEUUK4Umpz+ebPJueXToIuQHvlG+sG/Zd93DuotR8iE8xIcDBDSQ62PbttJ9X6xnRW21ELh+JhrDLVxzUmCc/BhJf0YebMakE0xw6j6mN7ZMfGTiQ2HhNCpm6H4BaBVXjJLt5A/9Z/HJH5+Y2EW9Nmm81UITWqjyZzjz0q0R//xUh3CZm9ezy/n6ZpP8CbfNMZ0GNc6lH5fqcZyKhSoL0jTyrjBXVPixBG+Yr3PkpSYC7PfyXBAbXuQJe2VOzL5+2x1rxGGCCi7a5Tx+BX2gBmjQgYhY7F+k7O1xpX484/7Mr3ztgttUDUEsZ2liIMW5zAcqhoqQ+WkwkCUNzkvC+Y13rj2i1/KJA5E7NDaql+2DjrI8yC4Lj3VKyr9FvJe0Cex+TAPzq8S8QLWeWzgsqjbPFNo39hlHLSM2vqKkPN6EaoTWV5fwS24hhq/QFOcfBio+NNmG2dtp046V6QliU5exz/8Qh6ov2yJvQuh6IjlCysHUFEMXalLQ/On75jo5PVIvKalmszZ06VH0FK5RbzPVsgR7en9tXukioUBifZlgRSV47Dll6jJG5PBRZpbfReUf1WvO0mZBFAPC0uF8/n1Y8eNnR5HA55JpSg2f9vvBDC8t/5MsSL2rf8tt+g5N8Z3FdGhwTDBQkHQeeGFIWab0ZaC4FR6nCG4I0Ubxf5XmW/tJMqZQME/4QaJGUVIkIK51N96e676reSiakyEdTPTM1yy8H7Xx+pblZk+fMvHA4wF4NZX/Y+TakyqcECGsCTFiguQnE4IOafga+W94EFzfWFT71WiTg8gHX55UhC892/LTlVX5EbZ75yCTXKHgVmFkz2JhSOJhBzrBnRj8wO1C8UhVyojySoGkfzP9SIwIMEP0GNo5HXEqGrUp4CyYLylOav7eIcq3C1gdgQ54RP/D51DhqH65W8b4bSi1PAVPd/HhvMOs//O8V0Ty6m5KXtLmjM/fKRQv9zQ1gY+n57swqr5+4jie4XyZOlnvYEZPwjtt3ilp6pX+rr4nGSDXI7ytTWSrJXpku/R8SCZMVMxxc6v6j3YONGYmKRwh9P2pImVwGbpXEVJmdK8Cr9p8FKOgJ46KvIi5kSndHnZ3qum4bnZ/jEseKf5a5queuWw/Nt3+cM8DOZr7FTBXl24kQT2yYVkmBCnRpPsVhTGA4=
 template:
 metadata:
 name: lldap-config
diff --git a/k8s/infra/users/extra-admin-cluster-role-binding.yaml b/k8s/infra/users/extra-admin-cluster-role-binding.yaml
deleted file mode 100644
index f8d1150..0000000
--- a/k8s/infra/users/extra-admin-cluster-role-binding.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-#apiVersion: rbac.authorization.k8s.io/v1
-#kind: ClusterRoleBinding
-#metadata:
-# name: extra-cluster-admin
-#roleRef:
-# apiGroup: rbac.authorization.k8s.io
-# kind: ClusterRole
-# name: cluster-admin
-#subjects:
-# - apiGroup: rbac.authorization.k8s.io
-# kind: Group
-# name: extra:masters
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: extra-cluster-admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: extra-admin
- namespace: kube-system
diff --git a/k8s/infra/users/extra-admin.yaml b/k8s/infra/users/extra-admin.yaml
deleted file mode 100644
index 47bec79..0000000
--- a/k8s/infra/users/extra-admin.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: extra-admin
- namespace: kube-system
-
-# TOKEN=$(kubectl -n kube-system create token extra-admin)
-# kubectl config set-credentials admin --token=$TOKEN
-# kubectl config set-context admin@kubernetes --cluster talos --user extra-admin
\ No newline at end of file
diff --git a/k8s/infra/users/kustomization.yaml b/k8s/infra/users/kustomization.yaml
index 5f44b21..6658a5a 100644
--- a/k8s/infra/users/kustomization.yaml
+++ b/k8s/infra/users/kustomization.yaml
@@ -1,7 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-# https://dev.to/danielkun/kubernetes-certificates-tokens-authentication-and-service-accounts-4fj7
 resources:
- - extra-admin.yaml
- - extra-admin-cluster-role-binding.yaml
\ No newline at end of file
+ - oidc-cluster-admin.yaml
diff --git a/k8s/infra/users/oidc-cluster-admin.yaml b/k8s/infra/users/oidc-cluster-admin.yaml
new file mode 100644
index 0000000..4999180
--- /dev/null
+++ b/k8s/infra/users/oidc-cluster-admin.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: authelia:k8s:cluster-admin
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: authelia:veh
diff --git a/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl b/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl
index 7e01023..c419c28 100644
--- a/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl
+++ b/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl
@@ -11,6 +11,14 @@ machine:
 cluster:
 allowSchedulingOnControlPlanes: true
+ apiServer:
+ extraArgs:
+ oidc-issuer-url: https://authelia.stonegarden.dev
+ oidc-client-id: kubectl
+ oidc-username-claim: preferred_username
+ oidc-username-prefix: 'authelia:'
+ oidc-groups-claim: groups
+ oidc-groups-prefix: 'authelia:'
 network:
 cni:
 name: none
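Review bot: The `kind: User` / `name: authelia:veh` subject at the end of the new oidc-cluster-admin.yaml grants cluster-admin to one named account on top of the `authelia:k8s:cluster-admin` group, so the set of cluster admins is now managed in two places; if that user is a member of the group the entry is redundant, and if it is deliberately independent of the group claim it deserves a comment above it such as `# direct binding kept as a fallback if group claims are missing — review periodically`. Because the same commit deletes the `extra-admin` ServiceAccount and its binding, cluster-admin access from this manifest now depends entirely on the OIDC issuer being reachable; the Talos-generated admin kubeconfig presumably remains as break-glass access, but that is not visible here and is worth stating in a comment on this file. Note also that the username this subject matches is whatever `oidc-username-claim` yields in the control-plane hunk (`preferred_username`), so a renamed or re-created `veh` account on the identity-provider side would inherit this binding unchanged.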
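Review bot: `oidc-username-claim: preferred_username` ties Kubernetes identity to a human-chosen, changeable username rather than the issuer's stable `sub` claim, so any RBAC subject of the form `authelia:<name>` follows the name, not the account; unless usernames are guaranteed immutable and unique in the identity provider, `oidc-username-claim: sub` (optionally with `oidc-required-claim`) is the safer default, and whichever is chosen should carry a comment stating the assumption. `oidc-issuer-url: https://authelia.stonegarden.dev` is a hard-coded value inside a `.tftpl` template; if other values in this file are templated it would be more consistent as a template variable, and there is no `oidc-ca-file`, which only works when the issuer's certificate chains to a CA already in the API server's trust store — worth a one-line comment so the dependency is explicit. The two prefixes are correctly quoted as `'authelia:'`, so the trailing colon is not mis-parsed. The enclosing `cluster:` mapping continues past the end of the hunk.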