extract remaining 19 modules from platform, complete stack split [ci skip]

Phase 3: all 27 platform modules now run as independent stacks.
Platform reduced to empty shell (outputs only) for backward compat
with 72 app stacks that declare dependency "platform".
Fixed technitium cross-module dashboard reference by copying file.
Woodpecker pipeline applies all 27+1 stacks in parallel via loop.
All applied with zero destroys.

stacks/rbac/modules/rbac/apiserver-oidc.tf

@@ -0,0 +1,58 @@
+# Configure kube-apiserver for OIDC authentication
+# This SSHs to k8s-master and adds OIDC flags to the static pod manifest.
+# Kubelet auto-restarts the API server when the manifest changes.
+
+variable "k8s_master_host" {
+  type    = string
+  default = "10.0.20.100"
+}
+
+variable "ssh_private_key" {
+  type      = string
+  sensitive = true
+}
+
+variable "oidc_issuer_url" {
+  type    = string
+  default = "https://authentik.viktorbarzin.me/application/o/kubernetes/"
+}
+
+variable "oidc_client_id" {
+  type    = string
+  default = "kubernetes"
+}
+
+resource "null_resource" "apiserver_oidc_config" {
+  connection {
+    type        = "ssh"
+    user        = "wizard"
+    host        = var.k8s_master_host
+    private_key = var.ssh_private_key
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      # Check if OIDC flags already configured with the correct values
+      "if grep -q 'oidc-issuer-url=${var.oidc_issuer_url}' /etc/kubernetes/manifests/kube-apiserver.yaml && grep -q 'oidc-client-id=${var.oidc_client_id}' /etc/kubernetes/manifests/kube-apiserver.yaml; then echo 'OIDC flags already configured with correct values'; exit 0; fi",
+
+      # Remove any existing OIDC flags (in case values changed)
+      "sudo sed -i '/--oidc-issuer-url/d; /--oidc-client-id/d; /--oidc-username-claim/d; /--oidc-groups-claim/d' /etc/kubernetes/manifests/kube-apiserver.yaml",
+
+      # Backup the manifest
+      "sudo cp /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml.bak",
+
+      # Add OIDC flags after the last --tls-private-key-file flag (safe insertion point)
+      "sudo sed -i '/- --tls-private-key-file/a\\    - --oidc-issuer-url=${var.oidc_issuer_url}\\n    - --oidc-client-id=${var.oidc_client_id}\\n    - --oidc-username-claim=email\\n    - --oidc-groups-claim=groups' /etc/kubernetes/manifests/kube-apiserver.yaml",
+
+      # Wait for API server to restart (kubelet watches the manifest)
+      "echo 'Waiting for API server to restart...'",
+      "sleep 30",
+      "sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes || echo 'API server still restarting, check manually'",
+    ]
+  }
+
+  triggers = {
+    oidc_issuer_url = var.oidc_issuer_url
+    oidc_client_id  = var.oidc_client_id
+  }
+}

stacks/rbac/modules/rbac/audit-policy.tf

@@ -0,0 +1,174 @@
+# Deploy audit policy to k8s-master and configure kube-apiserver to use it.
+# Audit logs are written to /var/log/kubernetes/audit.log on the master node.
+# Alloy (log collector DaemonSet) will pick them up and ship to Loki.
+
+resource "null_resource" "audit_policy" {
+  connection {
+    type        = "ssh"
+    user        = "wizard"
+    host        = var.k8s_master_host
+    private_key = var.ssh_private_key
+  }
+
+  # Upload audit policy file
+  provisioner "file" {
+    content = yamlencode({
+      apiVersion = "audit.k8s.io/v1"
+      kind       = "Policy"
+      rules = [
+        {
+          # Don't log requests to the API discovery endpoints (very noisy)
+          level = "None"
+          resources = [{
+            group     = ""
+            resources = ["endpoints", "services", "services/status"]
+          }]
+          users = ["system:kube-proxy"]
+        },
+        {
+          # Don't log watch requests (very noisy)
+          level = "None"
+          verbs = ["watch"]
+        },
+        {
+          # Don't log health checks
+          level           = "None"
+          nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
+        },
+        {
+          # Log secret access at Metadata level only (no request/response bodies)
+          level = "Metadata"
+          resources = [{
+            group     = ""
+            resources = ["secrets"]
+          }]
+        },
+        {
+          # Log all other mutating requests at RequestResponse level
+          level = "RequestResponse"
+          verbs = ["create", "update", "patch", "delete"]
+        },
+        {
+          # Log read requests at Metadata level
+          level = "Metadata"
+          verbs = ["get", "list"]
+        },
+      ]
+    })
+    destination = "/tmp/audit-policy.yaml"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      # Move audit policy to proper location
+      "sudo mkdir -p /etc/kubernetes/policies",
+      "sudo mv /tmp/audit-policy.yaml /etc/kubernetes/policies/audit-policy.yaml",
+      "sudo chown root:root /etc/kubernetes/policies/audit-policy.yaml",
+
+      # Create audit log directory
+      "sudo mkdir -p /var/log/kubernetes",
+
+      # Idempotently add audit flags, volumes, and volumeMounts using Python
+      # to avoid sed duplication bugs on re-runs
+      <<-SCRIPT
+      sudo python3 -c "
+import yaml
+
+path = '/etc/kubernetes/manifests/kube-apiserver.yaml'
+with open(path) as f:
+    doc = yaml.safe_load(f)
+
+container = doc['spec']['containers'][0]
+cmd = container['command']
+
+# Add audit flags if missing
+audit_flags = {
+    '--audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml': True,
+    '--audit-log-path=/var/log/kubernetes/audit.log': True,
+    '--audit-log-maxage=7': True,
+    '--audit-log-maxbackup=3': True,
+    '--audit-log-maxsize=100': True,
+}
+existing = set(cmd)
+for flag in audit_flags:
+    if flag not in existing:
+        cmd.append(flag)
+
+# Add volumes if missing (deduplicate by name)
+vol_names = {v['name'] for v in doc['spec']['volumes']}
+for vol in [
+    {'name': 'audit-policy', 'hostPath': {'path': '/etc/kubernetes/policies', 'type': 'DirectoryOrCreate'}},
+    {'name': 'audit-log', 'hostPath': {'path': '/var/log/kubernetes', 'type': 'DirectoryOrCreate'}},
+]:
+    if vol['name'] not in vol_names:
+        doc['spec']['volumes'].append(vol)
+        vol_names.add(vol['name'])
+
+# Add volumeMounts if missing (deduplicate by mountPath)
+mount_paths = {vm['mountPath'] for vm in container['volumeMounts']}
+for vm in [
+    {'mountPath': '/etc/kubernetes/policies', 'name': 'audit-policy', 'readOnly': True},
+    {'mountPath': '/var/log/kubernetes', 'name': 'audit-log'},
+]:
+    if vm['mountPath'] not in mount_paths:
+        container['volumeMounts'].append(vm)
+        mount_paths.add(vm['mountPath'])
+
+with open(path, 'w') as f:
+    yaml.dump(doc, f, default_flow_style=False, sort_keys=False)
+
+print('Audit config applied (idempotent)')
+"
+      SCRIPT
+      ,
+
+      # Wait for API server to restart
+      "echo 'Waiting for API server to restart with audit logging...'",
+      "sleep 30",
+      "sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes || echo 'API server still restarting'",
+    ]
+  }
+
+  triggers = {
+    policy_version = "v1" # Bump to force re-apply of manifest flags
+    policy_hash = sha256(yamlencode({
+      apiVersion = "audit.k8s.io/v1"
+      kind       = "Policy"
+      rules = [
+        {
+          level = "None"
+          resources = [{
+            group     = ""
+            resources = ["endpoints", "services", "services/status"]
+          }]
+          users = ["system:kube-proxy"]
+        },
+        {
+          level = "None"
+          verbs = ["watch"]
+        },
+        {
+          level           = "None"
+          nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
+        },
+        {
+          level = "Metadata"
+          resources = [{
+            group     = ""
+            resources = ["secrets"]
+          }]
+        },
+        {
+          level = "RequestResponse"
+          verbs = ["create", "update", "patch", "delete"]
+        },
+        {
+          level = "Metadata"
+          verbs = ["get", "list"]
+        },
+      ]
+    }))
+  }
+
+  depends_on = [null_resource.apiserver_oidc_config]
+}

stacks/rbac/modules/rbac/main.tf

@@ -0,0 +1,263 @@
+variable "tls_secret_name" {}
+variable "tier" { type = string }
+
+variable "k8s_users" {
+  type = map(object({
+    role       = string                     # "admin", "power-user", "namespace-owner"
+    email      = string                     # OIDC email claim
+    namespaces = optional(list(string), []) # for namespace-owners
+    domains    = optional(list(string), []) # subdomains for user apps
+    quota = optional(object({
+      cpu_requests    = optional(string, "2")
+      memory_requests = optional(string, "4Gi")
+      memory_limits   = optional(string, "8Gi")
+      pods            = optional(string, "20")
+    }), {})
+  }))
+  default = {}
+}
+
+# --- Admin role ---
+# Binds to built-in cluster-admin ClusterRole
+
+resource "kubernetes_cluster_role_binding" "admin_users" {
+  for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "admin" })
+
+  metadata {
+    name = "oidc-admin-${each.key}"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  subject {
+    kind      = "User"
+    name      = each.value.email
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+# --- Power-user role ---
+# Can manage workloads cluster-wide but cannot modify RBAC, nodes, or persistent volumes
+
+resource "kubernetes_cluster_role" "power_user" {
+  metadata {
+    name = "oidc-power-user"
+  }
+
+  # Core resources
+  rule {
+    api_groups = [""]
+    resources  = ["pods", "pods/log", "pods/exec", "services", "endpoints", "configmaps", "secrets", "persistentvolumeclaims", "events", "namespaces"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
+    verbs      = ["create", "update", "patch", "delete"]
+  }
+
+  # Apps
+  rule {
+    api_groups = ["apps"]
+    resources  = ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+
+  # Batch
+  rule {
+    api_groups = ["batch"]
+    resources  = ["jobs", "cronjobs"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+
+  # Networking
+  rule {
+    api_groups = ["networking.k8s.io"]
+    resources  = ["ingresses", "networkpolicies"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+
+  # Autoscaling
+  rule {
+    api_groups = ["autoscaling"]
+    resources  = ["horizontalpodautoscalers"]
+    verbs      = ["get", "list", "watch", "create", "update", "patch", "delete"]
+  }
+
+  # Read-only on cluster-level resources
+  rule {
+    api_groups = [""]
+    resources  = ["nodes"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["storageclasses"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["rbac.authorization.k8s.io"]
+    resources  = ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "power_users" {
+  for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "power-user" })
+
+  metadata {
+    name = "oidc-power-user-${each.key}"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.power_user.metadata[0].name
+  }
+
+  subject {
+    kind      = "User"
+    name      = each.value.email
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+# --- Namespace-owner role ---
+# Full admin within assigned namespaces + read-only cluster-wide
+
+locals {
+  # Flatten user->namespace pairs for iteration
+  namespace_owner_pairs = flatten([
+    for name, user in var.k8s_users : [
+      for ns in user.namespaces : {
+        user_key  = name
+        namespace = ns
+        email     = user.email
+        quota     = user.quota
+      }
+    ] if user.role == "namespace-owner"
+  ])
+}
+
+resource "kubernetes_role_binding" "namespace_owner" {
+  for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
+
+  metadata {
+    name      = "namespace-owner-${each.value.user_key}"
+    namespace = each.value.namespace
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "admin" # Built-in ClusterRole with full namespace access
+  }
+
+  subject {
+    kind      = "User"
+    name      = each.value.email
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+# Read-only cluster-wide access for namespace owners
+resource "kubernetes_cluster_role" "namespace_owner_readonly" {
+  metadata {
+    name = "oidc-namespace-owner-readonly"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces", "nodes"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["pods", "services", "configmaps", "events"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["apps"]
+    resources  = ["deployments", "statefulsets", "daemonsets"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "namespace_owner_readonly" {
+  for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "namespace-owner" })
+
+  metadata {
+    name = "oidc-ns-owner-readonly-${each.key}"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.namespace_owner_readonly.metadata[0].name
+  }
+
+  subject {
+    kind      = "User"
+    name      = each.value.email
+    api_group = "rbac.authorization.k8s.io"
+  }
+}
+
+# Resource quotas per user namespace
+resource "kubernetes_resource_quota" "user_namespace_quota" {
+  for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
+
+  metadata {
+    name      = "user-quota"
+    namespace = each.value.namespace
+  }
+
+  spec {
+    hard = {
+      "requests.cpu"    = each.value.quota.cpu_requests
+      "requests.memory" = each.value.quota.memory_requests
+      "limits.memory"   = each.value.quota.memory_limits
+      "pods"            = each.value.quota.pods
+    }
+  }
+
+  depends_on = [kubernetes_role_binding.namespace_owner]
+}
+
+# ConfigMap with user-role mapping for the self-service portal
+resource "kubernetes_config_map" "user_roles" {
+  metadata {
+    name      = "k8s-user-roles"
+    namespace = "k8s-portal"
+  }
+
+  data = {
+    "users.json" = jsonencode({
+      for name, user in var.k8s_users : user.email => {
+        role       = user.role
+        namespaces = user.namespaces
+      }
+    })
+  }
+}
+
+# TLS secret in each user namespace (so they can create HTTPS ingresses)
+module "user_namespace_tls" {
+  for_each = nonsensitive(toset(flatten([
+    for name, user in var.k8s_users : user.namespaces
+    if user.role == "namespace-owner"
+  ])))
+
+  source          = "../../../../modules/kubernetes/setup_tls_secret"
+  namespace       = each.value
+  tls_secret_name = var.tls_secret_name
+}