viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add oidc to headscale and move technitium to a nodeport service [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2023-09-15 22:55:13 +00:00
parent 28107b7328
commit 5061eb590b
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
3 changed files with 59 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

46
modules/kubernetes/headscale/main.tf
View file

@ -345,6 +345,52 @@ resource "kubernetes_config_map" "headscale-config" {
unix_socket_permission: "0770"
randomize_client_port: false
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
oidc:
only_start_if_oidc_is_available: true
issuer: "https://accounts.google.com"
client_id: "533122798643-4ti3espgjqhfnop0rors9t7r4o5i8top.apps.googleusercontent.com"
client_secret: "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"
# The amount of time from a node is authenticated with OpenID until it
# expires and needs to reauthenticate.
# Setting the value to "0" will mean no expiry.
expiry: 180d
# Use the expiry from the token received from OpenID when the user logged
# in, this will typically lead to frequent need to reauthenticate and should
# only been enabled if you know what you are doing.
# Note: enabling this will cause `oidc.expiry` to be ignored.
use_expiry_from_token: false
# Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
# parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
scope: ["openid", "profile", "email"]
# extra_params:
# domain_hint: example.com
# List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
# authentication request will be rejected.
# allowed_domains:
# - example.com
# Note: Groups from keycloak have a leading '/'
# allowed_groups:
# - /headscale
allowed_users:
- vbarzin@gmail.com
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
# This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
# user: `first-name.last-name.example.com`
# strip_email_domain: true
EOT
}
}

23
modules/kubernetes/technitium/main.tf
View file

@ -12,8 +12,8 @@ module "tls_secret" {
tls_secret_name = var.tls_secret_name
}
# resource "kubernetes_deployment" "technitium" {
resource "kubernetes_daemonset" "technitium" {
resource "kubernetes_deployment" "technitium" {
# resource "kubernetes_daemonset" "technitium" {
metadata {
name = "technitium"
namespace = "technitium"
@ -35,6 +35,7 @@ resource "kubernetes_daemonset" "technitium" {
}
}
spec {
node_name = "k8s-node1" # Horrible hack but only way I found to preserve client ip
container {
image = "technitium/dns-server:latest"
name = "technitium"
@ -111,18 +112,20 @@ resource "kubernetes_service" "technitium-dns" {
}
spec {
type = "LoadBalancer"
# type = "LoadBalancer"
# external_traffic_policy = "Cluster"
type = "NodePort"
port {
name = "technitium-dns"
port = 53
node_port = 30053
protocol = "UDP"
}
external_traffic_policy = "Local"
selector = {
app = "technitium"
}
port {
name = "technitium-dns"
port = "53"
protocol = "UDP"
}
}
}
@ -131,8 +134,8 @@ resource "kubernetes_ingress_v1" "technitium" {
name = "technitium-ingress"
namespace = "technitium"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
"nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
}