viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]

Browse source 
6d224861 came from a --no-checkout worktree whose empty index made the
commit drop every file except two. This restores 05b50d2b's full tree and
correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su
entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the
live infra was never applied from the broken commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-09 08:45:33 +00:00
parent 6d224861c4
commit fd0f4a0365
1166 changed files with 358546 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

23
stacks/rbac/main.tf Normal file
View file

@ -0,0 +1,23 @@
variable "tls_secret_name" { type = string }
variable "ssh_private_key" {
type = string
default = ""
sensitive = true
}
data "vault_kv_secret_v2" "secrets" {
mount = "secret"
name = "platform"
}
locals {
k8s_users = jsondecode(data.vault_kv_secret_v2.secrets.data["k8s_users"])
}
module "rbac" {
source = "./modules/rbac"
tier = local.tiers.cluster
tls_secret_name = var.tls_secret_name
k8s_users = local.k8s_users
ssh_private_key = var.ssh_private_key
}

160
stacks/rbac/modules/rbac/apiserver-oidc.tf Normal file
View file

@ -0,0 +1,160 @@
# Configure kube-apiserver authentication via a structured
# AuthenticationConfiguration file (apiserver.config.k8s.io/v1, GA on k8s 1.30+).
#
# WHY structured config instead of the legacy --oidc-* flags: the apiserver can
# only carry ONE legacy issuer, but we need TWO the `kubernetes` app (kubectl
# / kubelogin CLI) AND the `k8s-dashboard` app (oauth2-proxy in front of the
# Kubernetes Dashboard). Structured config supports multiple JWT issuers.
#
# Both issuers map username<-email and groups<-groups with EMPTY prefixes, to
# match the existing RBAC subjects (kind: User, name: <raw email>; group names
# verbatim). Do NOT add a prefix or existing bindings break.
#
# DRIFT WARNING: this edits the kube-apiserver static-pod manifest on the single
# master. A `kubeadm upgrade` regenerates that manifest and DROPS this flag (this
# is exactly how OIDC silently broke before the flag was wiped and the
# content-hash trigger never re-fired). After any k8s control-plane upgrade,
# re-apply the rbac stack to restore apiserver OIDC. See
# docs/plans/2026-06-04-k8s-dashboard-sso-design.md.
#
# SAFETY: the remote script health-gates on /livez and AUTO-ROLLS-BACK the
# manifest from a timestamped backup if the apiserver does not recover, so a
# malformed config cannot leave the single master down.
variable "k8s_master_host" {
type = string
default = "10.0.20.100"
}
variable "ssh_private_key" {
type = string
sensitive = true
}
variable "oidc_issuer_url" {
type = string
default = "https://authentik.viktorbarzin.me/application/o/kubernetes/"
}
variable "oidc_client_id" {
type = string
default = "kubernetes"
}
variable "k8s_dashboard_issuer_url" {
type = string
default = "https://authentik.viktorbarzin.me/application/o/k8s-dashboard/"
}
variable "k8s_dashboard_audience" {
type = string
default = "k8s-dashboard"
}
locals {
apiserver_auth_config_yaml = <<-YAML
apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
jwt:
- issuer:
url: "${var.oidc_issuer_url}"
audiences:
- "${var.oidc_client_id}"
claimMappings:
username:
claim: email
prefix: ""
groups:
claim: groups
prefix: ""
- issuer:
url: "${var.k8s_dashboard_issuer_url}"
audiences:
- "${var.k8s_dashboard_audience}"
claimMappings:
username:
claim: email
prefix: ""
groups:
claim: groups
prefix: ""
YAML
# Indentation-safe manifest editor: appends the --authentication-config flag
# using the exact leading whitespace of the --authorization-mode line.
apiserver_flag_insert_py = <<-PY
import sys
p = sys.argv[1]
lines = open(p).read().splitlines(True)
out, done = [], False
for ln in lines:
out.append(ln)
if not done and '- --authorization-mode=' in ln:
indent = ln[:len(ln) - len(ln.lstrip())]
out.append(indent + '- --authentication-config=/etc/kubernetes/pki/auth-config.yaml\n')
done = True
open(p, 'w').writelines(out)
print('flag-inserted' if done else 'ANCHOR-NOT-FOUND')
PY
# Whole remote operation, base64-embedded for byte-exact transfer (no
# heredoc/escaping hazards across SSH).
apiserver_auth_remote_script = <<-SH
MANIFEST=/etc/kubernetes/manifests/kube-apiserver.yaml
AUTHCFG=/etc/kubernetes/pki/auth-config.yaml
TS=$(date +%s)
# 1. Write the structured AuthenticationConfiguration (hot-reloaded by the
# apiserver on change; mounted into the pod via the existing pki hostPath).
echo '${base64encode(local.apiserver_auth_config_yaml)}' | base64 -d | sudo tee "$AUTHCFG" >/dev/null
sudo chmod 600 "$AUTHCFG"
# 2. Ensure the apiserver references it. Only touch the manifest ( restart)
# when the flag is missing; otherwise the file write above hot-reloads.
if ! sudo grep -q -- '--authentication-config=' "$MANIFEST"; then
sudo cp "$MANIFEST" "$MANIFEST.bak.$TS"
sudo sed -i '/--oidc-issuer-url/d;/--oidc-client-id/d;/--oidc-username-claim/d;/--oidc-groups-claim/d' "$MANIFEST"
echo '${base64encode(local.apiserver_flag_insert_py)}' | base64 -d | sudo python3 - "$MANIFEST"
fi
# 3. Fail loudly if the flag still isn't present (e.g. anchor not found).
if ! sudo grep -q -- '--authentication-config=' "$MANIFEST"; then
echo "ERROR: --authentication-config absent after edit"; exit 1
fi
# 4. Health-gate on /livez; auto-rollback the manifest if it never recovers.
echo "Waiting for kube-apiserver /livez ..."
ok=0
for i in $(seq 1 60); do
sleep 2
if curl -sk https://localhost:6443/livez 2>/dev/null | grep -q '^ok'; then ok=1; break; fi
done
if [ "$ok" != "1" ]; then
echo "kube-apiserver UNHEALTHY after change — rolling back"
BAK=$(ls -t "$MANIFEST".bak.* 2>/dev/null | head -1)
if [ -n "$BAK" ]; then sudo cp "$BAK" "$MANIFEST"; fi
for i in $(seq 1 60); do sleep 2; if curl -sk https://localhost:6443/livez 2>/dev/null | grep -q '^ok'; then break; fi; done
echo "rolled back to previous manifest"; exit 1
fi
echo "kube-apiserver healthy with multi-issuer --authentication-config"
SH
}
resource "null_resource" "apiserver_oidc_config" {
connection {
type = "ssh"
user = "wizard"
host = var.k8s_master_host
private_key = var.ssh_private_key
}
provisioner "remote-exec" {
inline = [
"echo '${base64encode(local.apiserver_auth_remote_script)}' | base64 -d | bash",
]
}
triggers = {
auth_config = sha256(local.apiserver_auth_config_yaml)
}
}

174
stacks/rbac/modules/rbac/audit-policy.tf Normal file
View file

@ -0,0 +1,174 @@
# Deploy audit policy to k8s-master and configure kube-apiserver to use it.
# Audit logs are written to /var/log/kubernetes/audit.log on the master node.
# Alloy (log collector DaemonSet) will pick them up and ship to Loki.
resource "null_resource" "audit_policy" {
connection {
type = "ssh"
user = "wizard"
host = var.k8s_master_host
private_key = var.ssh_private_key
}
# Upload audit policy file
provisioner "file" {
content = yamlencode({
apiVersion = "audit.k8s.io/v1"
kind = "Policy"
rules = [
{
# Don't log requests to the API discovery endpoints (very noisy)
level = "None"
resources = [{
group = ""
resources = ["endpoints", "services", "services/status"]
}]
users = ["system:kube-proxy"]
},
{
# Don't log watch requests (very noisy)
level = "None"
verbs = ["watch"]
},
{
# Don't log health checks
level = "None"
nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
},
{
# Log secret access at Metadata level only (no request/response bodies)
level = "Metadata"
resources = [{
group = ""
resources = ["secrets"]
}]
},
{
# Log all other mutating requests at RequestResponse level
level = "RequestResponse"
verbs = ["create", "update", "patch", "delete"]
},
{
# Log read requests at Metadata level
level = "Metadata"
verbs = ["get", "list"]
},
]
})
destination = "/tmp/audit-policy.yaml"
}
provisioner "remote-exec" {
inline = [
# Move audit policy to proper location
"sudo mkdir -p /etc/kubernetes/policies",
"sudo mv /tmp/audit-policy.yaml /etc/kubernetes/policies/audit-policy.yaml",
"sudo chown root:root /etc/kubernetes/policies/audit-policy.yaml",
# Create audit log directory
"sudo mkdir -p /var/log/kubernetes",
# Idempotently add audit flags, volumes, and volumeMounts using Python
# to avoid sed duplication bugs on re-runs
<<-SCRIPT
sudo python3 -c "
import yaml
path = '/etc/kubernetes/manifests/kube-apiserver.yaml'
with open(path) as f:
doc = yaml.safe_load(f)
container = doc['spec']['containers'][0]
cmd = container['command']
# Add audit flags if missing
audit_flags = {
'--audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml': True,
'--audit-log-path=/var/log/kubernetes/audit.log': True,
'--audit-log-maxage=7': True,
'--audit-log-maxbackup=3': True,
'--audit-log-maxsize=100': True,
}
existing = set(cmd)
for flag in audit_flags:
if flag not in existing:
cmd.append(flag)
# Add volumes if missing (deduplicate by name)
vol_names = {v['name'] for v in doc['spec']['volumes']}
for vol in [
{'name': 'audit-policy', 'hostPath': {'path': '/etc/kubernetes/policies', 'type': 'DirectoryOrCreate'}},
{'name': 'audit-log', 'hostPath': {'path': '/var/log/kubernetes', 'type': 'DirectoryOrCreate'}},
]:
if vol['name'] not in vol_names:
doc['spec']['volumes'].append(vol)
vol_names.add(vol['name'])
# Add volumeMounts if missing (deduplicate by mountPath)
mount_paths = {vm['mountPath'] for vm in container['volumeMounts']}
for vm in [
{'mountPath': '/etc/kubernetes/policies', 'name': 'audit-policy', 'readOnly': True},
{'mountPath': '/var/log/kubernetes', 'name': 'audit-log'},
]:
if vm['mountPath'] not in mount_paths:
container['volumeMounts'].append(vm)
mount_paths.add(vm['mountPath'])
with open(path, 'w') as f:
yaml.dump(doc, f, default_flow_style=False, sort_keys=False)
print('Audit config applied (idempotent)')
"
SCRIPT
,
# Wait for API server to restart
"echo 'Waiting for API server to restart with audit logging...'",
"sleep 30",
"sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes || echo 'API server still restarting'",
]
}
triggers = {
policy_version = "v1" # Bump to force re-apply of manifest flags
policy_hash = sha256(yamlencode({
apiVersion = "audit.k8s.io/v1"
kind = "Policy"
rules = [
{
level = "None"
resources = [{
group = ""
resources = ["endpoints", "services", "services/status"]
}]
users = ["system:kube-proxy"]
},
{
level = "None"
verbs = ["watch"]
},
{
level = "None"
nonResourceURLs = ["/healthz*", "/readyz*", "/livez*"]
},
{
level = "Metadata"
resources = [{
group = ""
resources = ["secrets"]
}]
},
{
level = "RequestResponse"
verbs = ["create", "update", "patch", "delete"]
},
{
level = "Metadata"
verbs = ["get", "list"]
},
]
}))
}
depends_on = [null_resource.apiserver_oidc_config]
}

97
stacks/rbac/modules/rbac/dashboard-sa.tf Normal file
View file

@ -0,0 +1,97 @@
# Per-namespace-owner ServiceAccount + long-lived token for Kubernetes Dashboard
# token-paste access.
#
# WHY: seamless OIDC SSO into the dashboard is blocked the apiserver currently
# rejects all Authentik OIDC tokens (see docs/plans/2026-06-04-k8s-dashboard-sso-design.md
# §12). Until that's solved, each namespace-owner gets a ServiceAccount scoped to
# `admin` on their namespace(s) + cluster read-only, and a long-lived token they
# paste into the dashboard "Token" login. Real per-namespace isolation, no OIDC
# dependency. Rotate a token by deleting+recreating its `dashboard-<user>-token`
# Secret. Retrieve with:
# kubectl -n <ns> get secret dashboard-<user>-token -o jsonpath='{.data.token}' | base64 -d
#
# Driven by the same `local.namespace_owner_pairs` as the OIDC bindings, so every
# namespace-owner in k8s_users automatically gets one.
resource "kubernetes_service_account" "dashboard_owner" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "dashboard-${each.value.user_key}"
namespace = each.value.namespace
}
}
# Full admin within the owner's namespace (same scope as their OIDC RoleBinding).
resource "kubernetes_role_binding" "dashboard_owner_admin" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "dashboard-owner-${each.value.user_key}"
namespace = each.value.namespace
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "admin"
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.dashboard_owner[each.key].metadata[0].name
namespace = each.value.namespace
}
}
# Minimal cluster-read for the dashboard nav ONLY: the namespace picker needs to
# list namespaces, and the Nodes view needs nodes. Deliberately does NOT grant
# cluster-wide read of pods/services/configmaps/etc a namespace-owner can see
# the namespace LIST but can only read resources INSIDE their own namespace
# (where they have `admin`). Keeps tenants from reading each other's workloads
# and configmaps. (Separate from the broader OIDC `namespace_owner_readonly`.)
resource "kubernetes_cluster_role" "dashboard_nav_readonly" {
metadata {
name = "dashboard-nav-readonly"
}
rule {
api_groups = [""]
resources = ["namespaces", "nodes"]
verbs = ["get", "list", "watch"]
}
}
resource "kubernetes_cluster_role_binding" "dashboard_owner_readonly" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "dashboard-readonly-${each.value.user_key}-${each.value.namespace}"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.dashboard_nav_readonly.metadata[0].name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.dashboard_owner[each.key].metadata[0].name
namespace = each.value.namespace
}
}
# Long-lived (non-expiring) token the user pastes into the dashboard login.
resource "kubernetes_secret" "dashboard_owner_token" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "dashboard-${each.value.user_key}-token"
namespace = each.value.namespace
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.dashboard_owner[each.key].metadata[0].name
}
}
type = "kubernetes.io/service-account-token"
wait_for_service_account_token = true
}

50
stacks/rbac/modules/rbac/etcd-tuning.tf Normal file
View file

@ -0,0 +1,50 @@
# Tune etcd for reduced disk writes on k8s-master.
# Increases snapshot-count from 10000 (default) to 50000 to reduce WAL snapshot frequency.
# etcd writes ~37.5 GB/day; less frequent snapshots reduce this by ~30-40%.
# This patches the kubeadm-managed static pod manifest. Note: kubeadm upgrades
# will reset this, so re-apply after any kubeadm upgrade.
resource "null_resource" "etcd_tuning" {
connection {
type = "ssh"
user = "wizard"
host = var.k8s_master_host
private_key = var.ssh_private_key
}
provisioner "remote-exec" {
inline = [
<<-SCRIPT
sudo python3 -c "
import yaml
path = '/etc/kubernetes/manifests/etcd.yaml'
with open(path) as f:
doc = yaml.safe_load(f)
container = doc['spec']['containers'][0]
args = container['command']
# Update or add --snapshot-count=50000
new_args = [a for a in args if not a.startswith('--snapshot-count=')]
new_args.append('--snapshot-count=50000')
# Update or add --quota-backend-bytes (256MB, default is 2GB which is fine)
# Keep default for now
container['command'] = new_args
with open(path, 'w') as f:
yaml.dump(doc, f, default_flow_style=False)
print('etcd manifest updated: --snapshot-count=50000')
"
SCRIPT
]
}
# Re-run if the configuration changes
triggers = {
snapshot_count = "50000"
}
}

318
stacks/rbac/modules/rbac/main.tf Normal file
View file

@ -0,0 +1,318 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "k8s_users" {
type = map(object({
role = string # "admin", "power-user", "namespace-owner"
email = string # OIDC email claim
namespaces = optional(list(string), []) # for namespace-owners
domains = optional(list(string), []) # subdomains for user apps
quota = optional(object({
cpu_requests = optional(string, "2")
memory_requests = optional(string, "4Gi")
memory_limits = optional(string, "8Gi")
pods = optional(string, "20")
}), {})
}))
default = {}
}
# --- Admin role ---
# Binds to built-in cluster-admin ClusterRole
resource "kubernetes_cluster_role_binding" "admin_users" {
for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "admin" })
metadata {
name = "oidc-admin-${each.key}"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "cluster-admin"
}
subject {
kind = "User"
name = each.value.email
api_group = "rbac.authorization.k8s.io"
}
}
# --- Power-user role (read+write+secrets) RETAINED BUT UNBOUND ---
# Superseded by oidc-power-user-readonly (below) per ADR-0005: power-users are bound
# to the read-only role, NOT this one. Kept defined for reference/rollback; do NOT
# bind it without a deliberate decision (it grants cluster-wide write + secrets).
resource "kubernetes_cluster_role" "power_user" {
metadata {
name = "oidc-power-user"
}
# Core resources
rule {
api_groups = [""]
resources = ["pods", "pods/log", "pods/exec", "services", "endpoints", "configmaps", "secrets", "persistentvolumeclaims", "events", "namespaces"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = [""]
resources = ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
verbs = ["create", "update", "patch", "delete"]
}
# Apps
rule {
api_groups = ["apps"]
resources = ["deployments", "statefulsets", "daemonsets", "replicasets"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
# Batch
rule {
api_groups = ["batch"]
resources = ["jobs", "cronjobs"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
# Networking
rule {
api_groups = ["networking.k8s.io"]
resources = ["ingresses", "networkpolicies"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
# Autoscaling
rule {
api_groups = ["autoscaling"]
resources = ["horizontalpodautoscalers"]
verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
}
# Read-only on cluster-level resources
rule {
api_groups = [""]
resources = ["nodes"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["storage.k8s.io"]
resources = ["storageclasses"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["rbac.authorization.k8s.io"]
resources = ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
verbs = ["get", "list", "watch"]
}
}
# --- Power-user READ-ONLY role (ADR-0005) ---
# Cluster-wide get/list/watch, explicitly NO secrets and NO pods/exec. This is the
# role power-users are actually bound to (workstation tier: "cluster-wide read,
# no Secrets"). Mirrors power_user's resource breadth minus writes/secrets/exec.
resource "kubernetes_cluster_role" "power_user_readonly" {
metadata {
name = "oidc-power-user-readonly"
}
rule {
api_groups = [""]
resources = ["pods", "pods/log", "services", "endpoints", "configmaps", "persistentvolumeclaims", "events", "namespaces", "nodes"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["apps"]
resources = ["deployments", "statefulsets", "daemonsets", "replicasets"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["batch"]
resources = ["jobs", "cronjobs"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["networking.k8s.io"]
resources = ["ingresses", "networkpolicies"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["autoscaling"]
resources = ["horizontalpodautoscalers"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["storage.k8s.io"]
resources = ["storageclasses"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["rbac.authorization.k8s.io"]
resources = ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
verbs = ["get", "list", "watch"]
}
}
# Power-users are bound to the READ-ONLY role above (NOT the read+write+secrets one).
resource "kubernetes_cluster_role_binding" "power_users" {
for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "power-user" })
metadata {
name = "oidc-power-user-readonly-${each.key}"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.power_user_readonly.metadata[0].name
}
subject {
kind = "User"
name = each.value.email
api_group = "rbac.authorization.k8s.io"
}
}
# --- Namespace-owner role ---
# Full admin within assigned namespaces + read-only cluster-wide
locals {
# Flatten user->namespace pairs for iteration
namespace_owner_pairs = flatten([
for name, user in var.k8s_users : [
for ns in user.namespaces : {
user_key = name
namespace = ns
email = user.email
quota = user.quota
}
] if user.role == "namespace-owner"
])
}
resource "kubernetes_role_binding" "namespace_owner" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "namespace-owner-${each.value.user_key}"
namespace = each.value.namespace
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "admin" # Built-in ClusterRole with full namespace access
}
subject {
kind = "User"
name = each.value.email
api_group = "rbac.authorization.k8s.io"
}
}
# Read-only cluster-wide access for namespace owners
resource "kubernetes_cluster_role" "namespace_owner_readonly" {
metadata {
name = "oidc-namespace-owner-readonly"
}
rule {
api_groups = [""]
resources = ["namespaces", "nodes"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = [""]
resources = ["pods", "services", "configmaps", "events"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["apps"]
resources = ["deployments", "statefulsets", "daemonsets"]
verbs = ["get", "list", "watch"]
}
}
resource "kubernetes_cluster_role_binding" "namespace_owner_readonly" {
for_each = nonsensitive({ for name, user in var.k8s_users : name => user if user.role == "namespace-owner" })
metadata {
name = "oidc-ns-owner-readonly-${each.key}"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.namespace_owner_readonly.metadata[0].name
}
subject {
kind = "User"
name = each.value.email
api_group = "rbac.authorization.k8s.io"
}
}
# Resource quotas per user namespace
resource "kubernetes_resource_quota" "user_namespace_quota" {
for_each = nonsensitive({ for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair })
metadata {
name = "user-quota"
namespace = each.value.namespace
}
spec {
hard = {
"requests.cpu" = each.value.quota.cpu_requests
"requests.memory" = each.value.quota.memory_requests
"limits.memory" = each.value.quota.memory_limits
"pods" = each.value.quota.pods
}
}
depends_on = [kubernetes_role_binding.namespace_owner]
}
# ConfigMap with user-role mapping for the self-service portal
resource "kubernetes_config_map" "user_roles" {
metadata {
name = "k8s-user-roles"
namespace = "k8s-portal"
}
data = {
"users.json" = jsonencode({
for name, user in var.k8s_users : user.email => {
role = user.role
namespaces = user.namespaces
}
})
}
}
# TLS secret in each user namespace (so they can create HTTPS ingresses)
module "user_namespace_tls" {
for_each = nonsensitive(toset(flatten([
for name, user in var.k8s_users : user.namespaces
if user.role == "namespace-owner"
])))
source = "../../../../modules/kubernetes/setup_tls_secret"
namespace = each.value
tls_secret_name = var.tls_secret_name
}

1
stacks/rbac/secrets Symbolic link
View file

@ -0,0 +1 @@
../../secrets

8
stacks/rbac/terragrunt.hcl Normal file
View file

@ -0,0 +1,8 @@
include "root" {
path = find_in_parent_folders()
}
dependency "infra" {
config_path = "../infra"
skip_outputs = true
}