extract remaining 19 modules from platform, complete stack split [ci skip]
Phase 3: all 27 platform modules now run as independent stacks. Platform reduced to empty shell (outputs only) for backward compat with 72 app stacks that declare dependency "platform". Fixed technitium cross-module dashboard reference by copying file. Woodpecker pipeline applies all 27+1 stacks in parallel via loop. All applied with zero destroys.
This commit is contained in:
parent
ae36dc253b
commit
73511b1230
134 changed files with 7930 additions and 270 deletions
58
stacks/rbac/modules/rbac/apiserver-oidc.tf
Normal file
58
stacks/rbac/modules/rbac/apiserver-oidc.tf
Normal file
|
|
@ -0,0 +1,58 @@
|
|||
# Configure kube-apiserver for OIDC authentication
|
||||
# This SSHs to k8s-master and adds OIDC flags to the static pod manifest.
|
||||
# Kubelet auto-restarts the API server when the manifest changes.
|
||||
|
||||
variable "k8s_master_host" {
|
||||
type = string
|
||||
default = "10.0.20.100"
|
||||
}
|
||||
|
||||
variable "ssh_private_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "oidc_issuer_url" {
|
||||
type = string
|
||||
default = "https://authentik.viktorbarzin.me/application/o/kubernetes/"
|
||||
}
|
||||
|
||||
variable "oidc_client_id" {
|
||||
type = string
|
||||
default = "kubernetes"
|
||||
}
|
||||
|
||||
resource "null_resource" "apiserver_oidc_config" {
|
||||
connection {
|
||||
type = "ssh"
|
||||
user = "wizard"
|
||||
host = var.k8s_master_host
|
||||
private_key = var.ssh_private_key
|
||||
}
|
||||
|
||||
provisioner "remote-exec" {
|
||||
inline = [
|
||||
# Check if OIDC flags already configured with the correct values
|
||||
"if grep -q 'oidc-issuer-url=${var.oidc_issuer_url}' /etc/kubernetes/manifests/kube-apiserver.yaml && grep -q 'oidc-client-id=${var.oidc_client_id}' /etc/kubernetes/manifests/kube-apiserver.yaml; then echo 'OIDC flags already configured with correct values'; exit 0; fi",
|
||||
|
||||
# Remove any existing OIDC flags (in case values changed)
|
||||
"sudo sed -i '/--oidc-issuer-url/d; /--oidc-client-id/d; /--oidc-username-claim/d; /--oidc-groups-claim/d' /etc/kubernetes/manifests/kube-apiserver.yaml",
|
||||
|
||||
# Backup the manifest
|
||||
"sudo cp /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml.bak",
|
||||
|
||||
# Add OIDC flags after the last --tls-private-key-file flag (safe insertion point)
|
||||
"sudo sed -i '/- --tls-private-key-file/a\\ - --oidc-issuer-url=${var.oidc_issuer_url}\\n - --oidc-client-id=${var.oidc_client_id}\\n - --oidc-username-claim=email\\n - --oidc-groups-claim=groups' /etc/kubernetes/manifests/kube-apiserver.yaml",
|
||||
|
||||
# Wait for API server to restart (kubelet watches the manifest)
|
||||
"echo 'Waiting for API server to restart...'",
|
||||
"sleep 30",
|
||||
"sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes || echo 'API server still restarting, check manually'",
|
||||
]
|
||||
}
|
||||
|
||||
triggers = {
|
||||
oidc_issuer_url = var.oidc_issuer_url
|
||||
oidc_client_id = var.oidc_client_id
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue