add some control api pocs

add username prefix and use sub as claim
update ca
2021-11-09 09:33:55 +01:00 · 2021-11-09 09:33:37 +01:00 · 2021-11-09 09:33:10 +01:00 · 2021-11-09 09:32:56 +01:00 · 2021-11-09 09:32:41 +01:00
9 changed files with 176 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
-kubeconfig.yaml
--- a/control-api/openapispec.yaml
+++ b/control-api/openapispec.yaml
@ -0,0 +1,26 @@
+openapi: "3.0.2"
+info:
+  title: CRD
+  version: 1.0.0
+components:
+  schemas:
+    CRD:
+      type: object
+      properties:
+        spec:
+          type: object
+          properties:
+            displayName:
+              type: string
+            username:
+              type: string
+            email:
+              type: string
+            defaultOrganizationRef:
+              type: string
+paths:
+  /:
+    get:
+      responses:
+        "200":
+          description: OK
--- a/control-api/rbac-test.yaml
+++ b/control-api/rbac-test.yaml
@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+rules:
+  - apiGroups: ["appuio.io"]
+    resources: ["users"]
+    resourceNames: ["d9050409-b5a2-4058-815e-b5dbead893ed"]
+    verbs: ["get", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+subjects:
+  - kind: User
+    name: appuio#d9050409-b5a2-4058-815e-b5dbead893ed
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: acme-corp-members-viewer
+rules:
+  - apiGroups: ["appuio.io"]
+    resources: ["users"]
+    resourceNames:
+      - d9050409-b5a2-4058-815e-b5dbead893ed
+      - bec0d928-2ae2-4cec-94a0-5f72f12b8b39
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: acme-corp-members
+subjects:
+  - kind: Group
+    name: developer
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: acme-corp-members-viewer
+  apiGroup: rbac.authorization.k8s.io
--- a/control-api/user-xrd.yaml
+++ b/control-api/user-xrd.yaml
@ -0,0 +1,28 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: users.appuio.io
+spec:
+  group: appuio.io
+  names:
+    kind: User
+    plural: users
+  versions:
+    - name: v1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                displayName:
+                  type: string
+                username:
+                  type: string
+                email:
+                  type: string
+                defaultOrganizationRef:
+                  type: string
--- a/control-api/users.yaml
+++ b/control-api/users.yaml
@ -0,0 +1,19 @@
+apiVersion: appuio.io/v1
+kind: User
+metadata:
+  name: bec0d928-2ae2-4cec-94a0-5f72f12b8b39
+spec:
+  displayName: Kate Demo
+  username: kate.demo
+  email: kate@demo.com
+  defaultOrganizationRef: acme-corp
+---
+apiVersion: appuio.io/v1
+kind: User
+metadata:
+  name: d9050409-b5a2-4058-815e-b5dbead893ed
+spec:
+  displayName: Fredi Hinz
+  username: fredi.hinz
+  email: fredi@demo.com
+  defaultOrganizationRef: acme-corp
--- a/host-cluster/route.yaml
+++ b/host-cluster/route.yaml
@ -10,14 +10,14 @@ spec:
  tls:
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
-      MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
-      dmVyLWNhQDE2MzU5NzA2NTQwHhcNMjExMTAzMjAxNzM0WhcNMzExMTAxMjAxNzM0
-      WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NzA2NTQwWTATBgcqhkjO
-      PQIBBggqhkjOPQMBBwNCAAQJf/T5/QpKMo4rbhcUno793nA5gIROsw46MxCKV5Tb
-      MqUQzKKTppV6b/AqK8x3UyLP/yB+1SYYT7RL0cANx8Nro0IwQDAOBgNVHQ8BAf8E
-      BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUa1TQKu4lZaHvRiG9MrWZ
-      0V47IRAwCgYIKoZIzj0EAwIDSAAwRQIgOXRCBZjnSk6QzR1PbRbIfw2aINxkDYuR
-      jUaS4406W04CIQDFn4hAYDiS6s0Filf9XmpSkNNyUM/3adKFJPkTlndXLA==
+      MIIBeDCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
+      dmVyLWNhQDE2MzYzOTA2MTEwHhcNMjExMTA4MTY1NjUxWhcNMzExMTA2MTY1NjUx
+      WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzYzOTA2MTEwWTATBgcqhkjO
+      PQIBBggqhkjOPQMBBwNCAAQUY6aBTDQeOcEGlLV3yDZYd2Rgz2I34jurSSmOhPAn
+      71W/Re06nutSjskt5efzfYjFclHVhKS1XI57F70hxtrwo0IwQDAOBgNVHQ8BAf8E
+      BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUNyWs5Jxa/pFx42EZNoYs
+      FL5Q6RUwCgYIKoZIzj0EAwIDSQAwRgIhAMKzw7YDZMUPH2qV1s0/id0uhtPREkhN
+      ecUTsNO0/carAiEAsiXCWd7oFjDmPLIUWTAUnqyeDWfjei8luft4whlUsUk=
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: None
    termination: reencrypt
--- a/in-cluster/coredns-orig.yaml.disabled
+++ b/in-cluster/coredns-orig.yaml.disabled
--- a/kubeconfig.yaml
+++ b/kubeconfig.yaml
@ -0,0 +1,46 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
+  name: local
+contexts:
+- context:
+    cluster: local
+    namespace: default
+    user: oidc
+  name: Default
+current-context: Default
+kind: Config
+preferences: {}
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
+      - --oidc-client-id=tobru-vcluster-test
+      - --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
+      command: kubectl
+      env: null
+      interactiveMode: IfAvailable
+      provideClusterInfo: false
+- name: normaluser
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
+      - --oidc-client-id=tobru-vcluster-test
+      - --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
+      - --token-cache-dir=~/.kube/cache/oidc-login2
+      - --skip-open-browser
+      - --oidc-auth-request-extra-params=login_hint=fredi.hinz
+      command: kubectl
+      env: null
+      interactiveMode: IfAvailable
+      provideClusterInfo: false
--- a/values.yaml
+++ b/values.yaml
@ -14,7 +14,8 @@ vcluster:
    - --kube-apiserver-arg=oidc-client-id=tobru-vcluster-test
    - --kube-apiserver-arg=oidc-groups-claim=groups
    - --kube-apiserver-arg=oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
-    - --kube-apiserver-arg=oidc-username-claim=preferred_username
+    - --kube-apiserver-arg=oidc-username-claim=sub
+    - --kube-apiserver-arg=oidc-username-prefix=appuio#
  volumeMounts:
    - mountPath: /data
      name: data
Author	SHA1	Message	Date
Tobias Brunner	339439529f	add some control api pocs	2021-11-09 09:33:55 +01:00
Tobias Brunner	4c2010098b	add username prefix and use sub as claim	2021-11-09 09:33:37 +01:00
Tobias Brunner	e7ec8e11c6	update ca	2021-11-09 09:33:10 +01:00
Tobias Brunner	53d6cb5173	rename file to not apply	2021-11-09 09:32:56 +01:00
Tobias Brunner	4e13811612	add kubeconfig to git to have a good example	2021-11-09 09:32:41 +01:00