diff --git a/modules/kubernetes/headscale/main.tf b/modules/kubernetes/headscale/main.tf
index 7452ea55..1236570b 100644
--- a/modules/kubernetes/headscale/main.tf
+++ b/modules/kubernetes/headscale/main.tf
@@ -345,6 +345,52 @@ resource "kubernetes_config_map" "headscale-config" {
 unix_socket_permission: "0770"
 randomize_client_port: false
+
+ # headscale supports experimental OpenID connect support,
+ # it is still being tested and might have some bugs, please
+ # help us test it.
+ # OpenID Connect
+ oidc:
+ only_start_if_oidc_is_available: true
+ issuer: "https://accounts.google.com"
+ client_id: "533122798643-4ti3espgjqhfnop0rors9t7r4o5i8top.apps.googleusercontent.com"
+ client_secret: "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"
+
+ # The amount of time from a node is authenticated with OpenID until it
+ # expires and needs to reauthenticate.
+ # Setting the value to "0" will mean no expiry.
+ expiry: 180d
+
+ # Use the expiry from the token received from OpenID when the user logged
+ # in, this will typically lead to frequent need to reauthenticate and should
+ # only been enabled if you know what you are doing.
+ # Note: enabling this will cause `oidc.expiry` to be ignored.
+ use_expiry_from_token: false
+
+ # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+ # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+
+ scope: ["openid", "profile", "email"]
+ # extra_params:
+ # domain_hint: example.com
+
+ # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+ # authentication request will be rejected.
+
+ # allowed_domains:
+ # - example.com
+ # Note: Groups from keycloak have a leading '/'
+ # allowed_groups:
+ # - /headscale
+ allowed_users:
+ - vbarzin@gmail.com
+
+ # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+ # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+ # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+ # user: `first-name.last-name.example.com`
+
+ # strip_email_domain: true
 EOT
 }
 }
diff --git a/modules/kubernetes/technitium/main.tf b/modules/kubernetes/technitium/main.tf
index 20de031e..fc673e0c 100644
--- a/modules/kubernetes/technitium/main.tf
+++ b/modules/kubernetes/technitium/main.tf
@@ -12,8 +12,8 @@ module "tls_secret" {
 tls_secret_name = var.tls_secret_name
 }
-# resource "kubernetes_deployment" "technitium" {
-resource "kubernetes_daemonset" "technitium" {
+resource "kubernetes_deployment" "technitium" {
+ # resource "kubernetes_daemonset" "technitium" {
 metadata {
 name = "technitium"
 namespace = "technitium"
@@ -35,6 +35,7 @@ resource "kubernetes_daemonset" "technitium" {
 }
 }
 spec {
+ node_name = "k8s-node1" # Horrible hack but only way I found to preserve client ip
 container {
 image = "technitium/dns-server:latest"
 name = "technitium"
@@ -111,18 +112,20 @@ resource "kubernetes_service" "technitium-dns" {
 }
 spec {
- type = "LoadBalancer"
+ # type = "LoadBalancer" # external_traffic_policy = "Cluster"
+ type = "NodePort"
+ port {
+ name = "technitium-dns"
+ port = 53
+ node_port = 30053
+ protocol = "UDP"
+ }
 external_traffic_policy = "Local"
 selector = {
 app = "technitium"
 }
- port {
- name = "technitium-dns"
- port = "53"
- protocol = "UDP"
- }
 }
 }
@@ -131,8 +134,8 @@ resource "kubernetes_ingress_v1" "technitium" {
 name = "technitium-ingress"
 namespace = "technitium"
 annotations = {
- "kubernetes.io/ingress.class" = "nginx"
- "nginx.ingress.kubernetes.io/affinity" = "cookie"
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/affinity" = "cookie"
 "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
 "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
 }
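Review bot: The new `oidc` block writes the Google `client_secret` (`GOCSPX-…`) in plaintext into a ConfigMap heredoc that is committed to git, so the credential now lives in repository history, in the cluster as a ConfigMap (readable by any principal with ConfigMap read access in that namespace), and presumably in the `terraform.tfstate` file this same commit also updates. Treat it as compromised: rotate it in the Google Cloud console and feed the replacement in through a sensitive variable or a Kubernetes Secret rather than the ConfigMap, e.g. `client_secret: "${var.headscale_oidc_client_secret}"` backed by `variable "headscale_oidc_client_secret" { sensitive = true }`; recent headscale releases also accept `client_secret_path` for reading it from a mounted Secret file, which is worth checking against the deployed version. `expiry: 180d` together with `use_expiry_from_token: false` keeps a node authenticated for six months regardless of the IdP's token lifetime, which deserves either a shorter value or a comment justifying it. The `allowed_users` restriction is what stops any Google account from enrolling against a public issuer, so keep it (or `allowed_domains`) as a hard requirement in this block. The enclosing `resource "kubernetes_config_map" "headscale-config"` starts before this hunk.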
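Review bot: `node_name = "k8s-node1"` pins the only DNS pod to one node, so the cluster's resolver disappears whenever that node is drained or down, and the inline comment records the workaround without the reason. With `external_traffic_policy = "Local"` on the Service, source IP is already preserved on any node that hosts a pod; the pin is only needed because clients are presumably pointed at k8s-node1's address, so say that, e.g. `# Pinned: clients target k8s-node1 directly and externalTrafficPolicy=Local drops queries on nodes without a pod; TODO replace with a VIP/LoadBalancer or node affinity so DNS survives node loss`. If the pin has to stay, `node_selector = { "kubernetes.io/hostname" = "k8s-node1" }` is the conventional form and still goes through the scheduler (taints, resource checks), whereas `node_name` bypasses it entirely. The adjacent `image = "technitium/dns-server:latest"` context line is unpinned, which is a separate but related supply-chain concern for a resolver every client trusts. The enclosing `resource "kubernetes_deployment" "technitium"` starts before this hunk and ends after it.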
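Review bot: Switching to `type = "NodePort"` with `node_port = 30053` publishes the resolver on UDP/30053 of every node's addresses, and `external_traffic_policy = "Local"` only means queries landing on a node without a pod are silently dropped; nothing in this hunk limits who may query the service. If any node interface is reachable from an untrusted network this is an open UDP resolver usable for amplification, so either confirm that Technitium's recursion/ACL settings restrict clients or add a host firewall rule or NetworkPolicy for 30053, and record the decision next to the port, e.g. `# NodePort 30053/udp is reachable on every node; recursion restricted to LAN clients in Technitium settings`. Dropping the LoadBalancer also means nothing answers on port 53 any more — NodePorts sit in the 30000-32767 range unless the API server's `--service-node-port-range` was changed or a host-level redirect exists — so document how stub resolvers are expected to reach 30053. The enclosing `resource "kubernetes_service" "technitium-dns"` starts before this hunk.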
diff --git a/terraform.tfstate b/terraform.tfstate index 879b185a..eccb3d06 100644 Binary files a/terraform.tfstate and b/terraform.tfstate differ