[ci skip] Add one-command setup scripts to k8s-portal

- Add /setup/script?os=mac and /setup/script?os=linux endpoints
- Scripts install kubectl, kubelogin, write kubeconfig, update shell rc
- Unprotected ingress for /setup/script (curl-able without auth)
- Fix kubeconfig to include --oidc-extra-scope for email/profile/groups

modules/kubernetes/k8s-portal/files/.gitignore

@@ -0,0 +1,23 @@
+node_modules
+
+# Output
+.output
+.vercel
+.netlify
+.wrangler
+/.svelte-kit
+/build
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Env
+.env
+.env.*
+!.env.example
+!.env.test
+
+# Vite
+vite.config.js.timestamp-*
+vite.config.ts.timestamp-*

modules/kubernetes/k8s-portal/files/.npmrc

@@ -0,0 +1 @@
+engine-strict=true

modules/kubernetes/k8s-portal/files/Dockerfile

@@ -0,0 +1,15 @@
+FROM node:22-alpine AS build
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+FROM node:22-alpine
+WORKDIR /app
+COPY --from=build /app/build ./build
+COPY --from=build /app/package.json ./
+COPY --from=build /app/node_modules ./node_modules
+ENV PORT=3000
+EXPOSE 3000
+CMD ["node", "build"]

modules/kubernetes/k8s-portal/files/README.md

@@ -0,0 +1,42 @@
+# sv
+
+Everything you need to build a Svelte project, powered by [`sv`](https://github.com/sveltejs/cli).
+
+## Creating a project
+
+If you're seeing this, you've probably already done this step. Congrats!
+
+```sh
+# create a new project
+npx sv create my-app
+```
+
+To recreate this project with the same configuration:
+
+```sh
+# recreate this project
+npx sv create --template minimal --types ts --install npm .
+```
+
+## Developing
+
+Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
+
+```sh
+npm run dev
+
+# or start the server and open the app in a new browser tab
+npm run dev -- --open
+```
+
+## Building
+
+To create a production version of your app:
+
+```sh
+npm run build
+```
+
+You can preview the production build with `npm run preview`.
+
+> To deploy your app, you may need to install an [adapter](https://svelte.dev/docs/kit/adapters) for your target environment.

modules/kubernetes/k8s-portal/files/package.json

@@ -0,0 +1,24 @@
+{
+	"name": "files",
+	"private": true,
+	"version": "0.0.1",
+	"type": "module",
+	"scripts": {
+		"dev": "vite dev",
+		"build": "vite build",
+		"preview": "vite preview",
+		"prepare": "svelte-kit sync || echo ''",
+		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch"
+	},
+	"devDependencies": {
+		"@sveltejs/adapter-auto": "^7.0.0",
+		"@sveltejs/adapter-node": "^5.5.3",
+		"@sveltejs/kit": "^2.50.2",
+		"@sveltejs/vite-plugin-svelte": "^6.2.4",
+		"svelte": "^5.49.2",
+		"svelte-check": "^4.3.6",
+		"typescript": "^5.9.3",
+		"vite": "^7.3.1"
+	}
+}

modules/kubernetes/k8s-portal/files/src/app.d.ts

@@ -0,0 +1,13 @@
+// See https://svelte.dev/docs/kit/types#app.d.ts
+// for information about these interfaces
+declare global {
+	namespace App {
+		// interface Error {}
+		// interface Locals {}
+		// interface PageData {}
+		// interface PageState {}
+		// interface Platform {}
+	}
+}
+
+export {};

modules/kubernetes/k8s-portal/files/src/app.html

@@ -0,0 +1,11 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		%sveltekit.head%
+	</head>
+	<body data-sveltekit-preload-data="hover">
+		<div style="display: contents">%sveltekit.body%</div>
+	</body>
+</html>

modules/kubernetes/k8s-portal/files/src/lib/assets/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="107" height="128" viewBox="0 0 107 128"><title>svelte-logo</title><path d="M94.157 22.819c-10.4-14.885-30.94-19.297-45.792-9.835L22.282 29.608A29.92 29.92 0 0 0 8.764 49.65a31.5 31.5 0 0 0 3.108 20.231 30 30 0 0 0-4.477 11.183 31.9 31.9 0 0 0 5.448 24.116c10.402 14.887 30.942 19.297 45.791 9.835l26.083-16.624A29.92 29.92 0 0 0 98.235 78.35a31.53 31.53 0 0 0-3.105-20.232 30 30 0 0 0 4.474-11.182 31.88 31.88 0 0 0-5.447-24.116" style="fill:#ff3e00"/><path d="M45.817 106.582a20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.503 18 18 0 0 1 .624-2.435l.49-1.498 1.337.981a33.6 33.6 0 0 0 10.203 5.098l.97.294-.09.968a5.85 5.85 0 0 0 1.052 3.878 6.24 6.24 0 0 0 6.695 2.485 5.8 5.8 0 0 0 1.603-.704L69.27 76.28a5.43 5.43 0 0 0 2.45-3.631 5.8 5.8 0 0 0-.987-4.371 6.24 6.24 0 0 0-6.698-2.487 5.7 5.7 0 0 0-1.6.704l-9.953 6.345a19 19 0 0 1-5.296 2.326 20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.502 17.99 17.99 0 0 1 8.13-12.052l26.081-16.623a19 19 0 0 1 5.3-2.329 20.72 20.72 0 0 1 22.237 8.243 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-.624 2.435l-.49 1.498-1.337-.98a33.6 33.6 0 0 0-10.203-5.1l-.97-.294.09-.968a5.86 5.86 0 0 0-1.052-3.878 6.24 6.24 0 0 0-6.696-2.485 5.8 5.8 0 0 0-1.602.704L37.73 51.72a5.42 5.42 0 0 0-2.449 3.63 5.79 5.79 0 0 0 .986 4.372 6.24 6.24 0 0 0 6.698 2.486 5.8 5.8 0 0 0 1.602-.704l9.952-6.342a19 19 0 0 1 5.295-2.328 20.72 20.72 0 0 1 22.237 8.242 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-8.13 12.053l-26.081 16.622a19 19 0 0 1-5.3 2.328" style="fill:#fff"/></svg>

modules/kubernetes/k8s-portal/files/src/lib/index.ts

@@ -0,0 +1 @@
+// place files you want to import through the `$lib` alias in this folder.

modules/kubernetes/k8s-portal/files/src/routes/+layout.svelte

@@ -0,0 +1,11 @@
+<script lang="ts">
+	import favicon from '$lib/assets/favicon.svg';
+
+	let { children } = $props();
+</script>
+
+<svelte:head>
+	<link rel="icon" href={favicon} />
+</svelte:head>
+
+{@render children()}

modules/kubernetes/k8s-portal/files/src/routes/+page.server.ts

@@ -0,0 +1,33 @@
+import type { PageServerLoad } from './$types';
+import { readFileSync } from 'fs';
+
+interface UserRole {
+	role: string;
+	namespaces: string[];
+}
+
+export const load: PageServerLoad = async ({ request }) => {
+	const email = request.headers.get('x-authentik-email') || 'unknown';
+	const username = request.headers.get('x-authentik-username') || 'unknown';
+	const groups = request.headers.get('x-authentik-groups') || '';
+
+	// Read user roles from ConfigMap-mounted file
+	let userRole: UserRole = { role: 'unknown', namespaces: [] };
+	try {
+		const usersJson = readFileSync('/config/users.json', 'utf-8');
+		const users = JSON.parse(usersJson);
+		if (users[email]) {
+			userRole = users[email];
+		}
+	} catch {
+		// ConfigMap not mounted or parse error
+	}
+
+	return {
+		email,
+		username,
+		groups: groups.split('|').filter(Boolean),
+		role: userRole.role,
+		namespaces: userRole.namespaces
+	};
+};

modules/kubernetes/k8s-portal/files/src/routes/+page.svelte

@@ -0,0 +1,42 @@
+<script lang="ts">
+	let { data } = $props();
+</script>
+
+<main>
+	<h1>Kubernetes Access Portal</h1>
+
+	<section>
+		<h2>Your Identity</h2>
+		<p><strong>Username:</strong> {data.username}</p>
+		<p><strong>Email:</strong> {data.email}</p>
+		<p><strong>Role:</strong> {data.role}</p>
+		{#if data.namespaces.length > 0}
+			<p><strong>Namespaces:</strong> {data.namespaces.join(', ')}</p>
+		{/if}
+	</section>
+
+	<section>
+		<h2>Get Started</h2>
+		<ol>
+			<li><a href="/setup">Install kubectl and kubelogin</a></li>
+			<li><a href="/download">Download your kubeconfig</a></li>
+			<li>Run <code>kubectl get pods</code> to verify access</li>
+		</ol>
+	</section>
+</main>
+
+<style>
+	main {
+		max-width: 640px;
+		margin: 2rem auto;
+		font-family: system-ui;
+	}
+	code {
+		background: #f0f0f0;
+		padding: 2px 6px;
+		border-radius: 3px;
+	}
+	section {
+		margin: 2rem 0;
+	}
+</style>

modules/kubernetes/k8s-portal/files/src/routes/download/+server.ts

@@ -0,0 +1,58 @@
+import type { RequestHandler } from './$types';
+import { readFileSync } from 'fs';
+
+const CLUSTER_SERVER = 'https://10.0.20.100:6443';
+const OIDC_ISSUER = 'https://authentik.viktorbarzin.me/application/o/kubernetes/';
+const OIDC_CLIENT_ID = 'kubernetes';
+
+export const GET: RequestHandler = async ({ request }) => {
+	const email = request.headers.get('x-authentik-email') || 'user';
+
+	// Read CA cert from mounted ConfigMap
+	let caCert = '';
+	try {
+		caCert = readFileSync('/config/ca.crt', 'utf-8');
+	} catch {
+		// CA cert not available
+	}
+
+	const caCertBase64 = Buffer.from(caCert).toString('base64');
+	const sanitizedEmail = email.replace(/[^a-zA-Z0-9@._-]/g, '');
+
+	const kubeconfig = `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: ${CLUSTER_SERVER}
+    certificate-authority-data: ${caCertBase64}
+  name: home-cluster
+contexts:
+- context:
+    cluster: home-cluster
+    user: oidc-${sanitizedEmail}
+  name: home-cluster
+current-context: home-cluster
+users:
+- name: oidc-${sanitizedEmail}
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+        - oidc-login
+        - get-token
+        - --oidc-issuer-url=${OIDC_ISSUER}
+        - --oidc-client-id=${OIDC_CLIENT_ID}
+        - --oidc-extra-scope=email
+        - --oidc-extra-scope=profile
+        - --oidc-extra-scope=groups
+      interactiveMode: IfAvailable
+`;
+
+	return new Response(kubeconfig, {
+		headers: {
+			'Content-Type': 'application/yaml',
+			'Content-Disposition': `attachment; filename="kubeconfig-home-cluster.yaml"`
+		}
+	});
+};

modules/kubernetes/k8s-portal/files/src/routes/setup/+page.svelte

@@ -0,0 +1,69 @@
+<main>
+	<h1>Setup Instructions</h1>
+
+	<section>
+		<h2>Quick Setup (one command)</h2>
+		<p>Run this in your terminal to install everything and configure kubectl automatically:</p>
+		<h3>macOS</h3>
+		<pre>bash &lt;(curl -fsSL https://k8s-portal.viktorbarzin.me/setup/script?os=mac)</pre>
+		<h3>Linux</h3>
+		<pre>bash &lt;(curl -fsSL https://k8s-portal.viktorbarzin.me/setup/script?os=linux)</pre>
+	</section>
+
+	<section>
+		<h2>Manual Setup</h2>
+
+		<h3>1. Install kubectl</h3>
+		<h4>macOS</h4>
+		<pre>brew install kubectl</pre>
+		<h4>Linux</h4>
+		<pre>curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+chmod +x kubectl && sudo mv kubectl /usr/local/bin/</pre>
+
+		<h3>2. Install kubelogin (OIDC plugin)</h3>
+		<h4>macOS</h4>
+		<pre>brew install int128/kubelogin/kubelogin</pre>
+		<h4>Linux</h4>
+		<pre>curl -LO https://github.com/int128/kubelogin/releases/latest/download/kubelogin_linux_amd64.zip
+unzip kubelogin_linux_amd64.zip && sudo mv kubelogin /usr/local/bin/kubectl-oidc_login
+rm kubelogin_linux_amd64.zip</pre>
+
+		<h3>3. Download and use your kubeconfig</h3>
+		<pre>
+mkdir -p ~/.kube
+
+# Download from the portal (requires auth cookie from browser)
+# Or use the download button on the portal homepage
+
+# Set the KUBECONFIG environment variable
+export KUBECONFIG=~/.kube/config-home
+
+# Test access (opens browser for login)
+kubectl get namespaces
+		</pre>
+	</section>
+
+	<p><a href="/">&#8592; Back to portal</a></p>
+</main>
+
+<style>
+	main {
+		max-width: 640px;
+		margin: 2rem auto;
+		font-family: system-ui;
+	}
+	pre {
+		background: #1e1e1e;
+		color: #d4d4d4;
+		padding: 1rem;
+		border-radius: 6px;
+		overflow-x: auto;
+	}
+	section {
+		margin: 2rem 0;
+	}
+	h4 {
+		margin: 0.5rem 0 0.25rem;
+		color: #666;
+	}
+</style>

modules/kubernetes/k8s-portal/files/src/routes/setup/script/+server.ts

@@ -0,0 +1,167 @@
+import type { RequestHandler } from './$types';
+import { readFileSync } from 'fs';
+
+const CLUSTER_SERVER = 'https://10.0.20.100:6443';
+const OIDC_ISSUER = 'https://authentik.viktorbarzin.me/application/o/kubernetes/';
+const OIDC_CLIENT_ID = 'kubernetes';
+const PORTAL_URL = 'https://k8s-portal.viktorbarzin.me';
+
+export const GET: RequestHandler = async ({ url }) => {
+	const os = url.searchParams.get('os') || 'mac';
+
+	let caCert = '';
+	try {
+		caCert = readFileSync('/config/ca.crt', 'utf-8');
+	} catch {
+		// CA cert not available
+	}
+	const caCertBase64 = Buffer.from(caCert).toString('base64');
+
+	const kubeconfigContent = `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: ${CLUSTER_SERVER}
+    certificate-authority-data: ${caCertBase64}
+  name: home-cluster
+contexts:
+- context:
+    cluster: home-cluster
+    user: oidc-user
+  name: home-cluster
+current-context: home-cluster
+users:
+- name: oidc-user
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+        - oidc-login
+        - get-token
+        - --oidc-issuer-url=${OIDC_ISSUER}
+        - --oidc-client-id=${OIDC_CLIENT_ID}
+        - --oidc-extra-scope=email
+        - --oidc-extra-scope=profile
+        - --oidc-extra-scope=groups
+      interactiveMode: IfAvailable`;
+
+	const escapedKubeconfig = kubeconfigContent.replace(/'/g, "'\\''");
+
+	let script: string;
+
+	if (os === 'linux') {
+		script = `#!/bin/bash
+set -e
+
+echo "=== Kubernetes Cluster Setup ==="
+echo ""
+
+# Install kubectl
+if command -v kubectl &>/dev/null; then
+    echo "[OK] kubectl already installed ($(kubectl version --client -o json 2>/dev/null | grep -o '"gitVersion":"[^"]*"' | cut -d'"' -f4))"
+else
+    echo "[..] Installing kubectl..."
+    KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt)
+    curl -fsSLO "https://dl.k8s.io/release/\${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+    chmod +x kubectl && sudo mv kubectl /usr/local/bin/
+    echo "[OK] kubectl installed"
+fi
+
+# Install kubelogin
+if command -v kubectl-oidc_login &>/dev/null; then
+    echo "[OK] kubelogin already installed"
+else
+    echo "[..] Installing kubelogin..."
+    KUBELOGIN_VERSION=$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/int128/kubelogin/releases/latest | grep -o '[^/]*$')
+    curl -fsSLO "https://github.com/int128/kubelogin/releases/download/\${KUBELOGIN_VERSION}/kubelogin_linux_amd64.zip"
+    unzip -o kubelogin_linux_amd64.zip kubelogin -d /tmp
+    sudo mv /tmp/kubelogin /usr/local/bin/kubectl-oidc_login
+    rm kubelogin_linux_amd64.zip
+    echo "[OK] kubelogin installed"
+fi
+
+# Write kubeconfig
+mkdir -p ~/.kube
+cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
+${escapedKubeconfig}
+KUBECONFIG_EOF
+echo "[OK] Kubeconfig written to ~/.kube/config-home"
+
+# Add KUBECONFIG to shell profile
+SHELL_RC=~/.bashrc
+[ -f ~/.zshrc ] && SHELL_RC=~/.zshrc
+if ! grep -q 'config-home' "\$SHELL_RC" 2>/dev/null; then
+    echo 'export KUBECONFIG=~/.kube/config-home' >> "\$SHELL_RC"
+    echo "[OK] Added KUBECONFIG to \$SHELL_RC"
+fi
+export KUBECONFIG=~/.kube/config-home
+
+echo ""
+echo "=== Setup complete! ==="
+echo ""
+echo "Run 'kubectl get namespaces' to test (opens browser for login)."
+echo "You may need to restart your shell or run: export KUBECONFIG=~/.kube/config-home"
+`;
+	} else {
+		script = `#!/bin/bash
+set -e
+
+echo "=== Kubernetes Cluster Setup ==="
+echo ""
+
+# Check for Homebrew
+if ! command -v brew &>/dev/null; then
+    echo "[!!] Homebrew not found. Install it first:"
+    echo '     /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
+    exit 1
+fi
+
+# Install kubectl
+if command -v kubectl &>/dev/null; then
+    echo "[OK] kubectl already installed ($(kubectl version --client -o json 2>/dev/null | grep -o '"gitVersion":"[^"]*"' | cut -d'"' -f4))"
+else
+    echo "[..] Installing kubectl..."
+    brew install kubectl
+    echo "[OK] kubectl installed"
+fi
+
+# Install kubelogin
+if command -v kubectl-oidc_login &>/dev/null; then
+    echo "[OK] kubelogin already installed"
+else
+    echo "[..] Installing kubelogin..."
+    brew install int128/kubelogin/kubelogin
+    echo "[OK] kubelogin installed"
+fi
+
+# Write kubeconfig
+mkdir -p ~/.kube
+cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
+${escapedKubeconfig}
+KUBECONFIG_EOF
+echo "[OK] Kubeconfig written to ~/.kube/config-home"
+
+# Add KUBECONFIG to shell profile
+SHELL_RC=~/.zshrc
+[ ! -f ~/.zshrc ] && SHELL_RC=~/.bashrc
+if ! grep -q 'config-home' "\$SHELL_RC" 2>/dev/null; then
+    echo 'export KUBECONFIG=~/.kube/config-home' >> "\$SHELL_RC"
+    echo "[OK] Added KUBECONFIG to \$SHELL_RC"
+fi
+export KUBECONFIG=~/.kube/config-home
+
+echo ""
+echo "=== Setup complete! ==="
+echo ""
+echo "Run 'kubectl get namespaces' to test (opens browser for login)."
+echo "You may need to restart your shell or run: export KUBECONFIG=~/.kube/config-home"
+`;
+	}
+
+	return new Response(script, {
+		headers: {
+			'Content-Type': 'text/plain; charset=utf-8'
+		}
+	});
+};

modules/kubernetes/k8s-portal/files/static/robots.txt

@@ -0,0 +1,3 @@
+# allow crawling everything by default
+User-agent: *
+Disallow:

modules/kubernetes/k8s-portal/files/svelte.config.js

@@ -0,0 +1,10 @@
+import adapter from '@sveltejs/adapter-node';
+
+/** @type {import('@sveltejs/kit').Config} */
+const config = {
+	kit: {
+		adapter: adapter()
+	}
+};
+
+export default config;

modules/kubernetes/k8s-portal/files/tsconfig.json

@@ -0,0 +1,20 @@
+{
+	"extends": "./.svelte-kit/tsconfig.json",
+	"compilerOptions": {
+		"rewriteRelativeImportExtensions": true,
+		"allowJs": true,
+		"checkJs": true,
+		"esModuleInterop": true,
+		"forceConsistentCasingInFileNames": true,
+		"resolveJsonModule": true,
+		"skipLibCheck": true,
+		"sourceMap": true,
+		"strict": true,
+		"moduleResolution": "bundler"
+	}
+	// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
+	// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files
+	//
+	// To make changes to top-level options such as include and exclude, we recommend extending
+	// the generated config; see https://svelte.dev/docs/kit/configuration#typescript
+}

modules/kubernetes/k8s-portal/files/vite.config.ts

@@ -0,0 +1,6 @@
+import { sveltekit } from '@sveltejs/kit/vite';
+import { defineConfig } from 'vite';
+
+export default defineConfig({
+	plugins: [sveltekit()]
+});

modules/kubernetes/k8s-portal/main.tf

@@ -103,3 +103,15 @@ module "ingress" {
   tls_secret_name = var.tls_secret_name
   protected       = true # Require Authentik login
 }
+
+# Unprotected ingress for the setup script (needs to be curl-able without auth)
+module "ingress_setup_script" {
+  source          = "../ingress_factory"
+  namespace       = kubernetes_namespace.k8s_portal.metadata[0].name
+  name            = "k8s-portal-setup"
+  host            = "k8s-portal"
+  service_name    = "k8s-portal"
+  ingress_path    = ["/setup/script"]
+  tls_secret_name = var.tls_secret_name
+  protected       = false
+}