Compare commits
5 commits
2bcdad2e6f
...
339439529f
Author | SHA1 | Date | |
---|---|---|---|
Tobias Brunner | 339439529f | ||
Tobias Brunner | 4c2010098b | ||
Tobias Brunner | e7ec8e11c6 | ||
Tobias Brunner | 53d6cb5173 | ||
Tobias Brunner | 4e13811612 |
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +0,0 @@
|
|||
kubeconfig.yaml
|
26
control-api/openapispec.yaml
Normal file
26
control-api/openapispec.yaml
Normal file
|
@ -0,0 +1,26 @@
|
|||
openapi: "3.0.2"
|
||||
info:
|
||||
title: CRD
|
||||
version: 1.0.0
|
||||
components:
|
||||
schemas:
|
||||
CRD:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
displayName:
|
||||
type: string
|
||||
username:
|
||||
type: string
|
||||
email:
|
||||
type: string
|
||||
defaultOrganizationRef:
|
||||
type: string
|
||||
paths:
|
||||
/:
|
||||
get:
|
||||
responses:
|
||||
"200":
|
||||
description: OK
|
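Review bot: The `CRD` schema under `components` is never referenced: the only operation, `get` on `/`, declares a `"200"` response with `description: OK` and no `content`, so a client generated from this spec gets no typed response and the schema is unused. Either add a `content` entry under `"200"` whose `application/json` schema is `$ref: "#/components/schemas/CRD"`, or drop the component until an operation uses it. The `email` property is a bare `type: string`; `format: email` lets validators reject malformed addresses. The `spec` object also declares no `required` list, so an empty spec validates against this schema.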
47
control-api/rbac-test.yaml
Normal file
47
control-api/rbac-test.yaml
Normal file
|
@ -0,0 +1,47 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
|
||||
rules:
|
||||
- apiGroups: ["appuio.io"]
|
||||
resources: ["users"]
|
||||
resourceNames: ["d9050409-b5a2-4058-815e-b5dbead893ed"]
|
||||
verbs: ["get", "update", "patch", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
|
||||
subjects:
|
||||
- kind: User
|
||||
name: appuio#d9050409-b5a2-4058-815e-b5dbead893ed
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: d9050409-b5a2-4058-815e-b5dbead893ed-owner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: acme-corp-members-viewer
|
||||
rules:
|
||||
- apiGroups: ["appuio.io"]
|
||||
resources: ["users"]
|
||||
resourceNames:
|
||||
- d9050409-b5a2-4058-815e-b5dbead893ed
|
||||
- bec0d928-2ae2-4cec-94a0-5f72f12b8b39
|
||||
verbs: ["get", "list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: acme-corp-members
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: developer
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: acme-corp-members-viewer
|
||||
apiGroup: rbac.authorization.k8s.io
|
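Review bot: In the `acme-corp-members-viewer` ClusterRole, `verbs: ["get", "list"]` combined with `resourceNames` does not grant what the name suggests: RBAC cannot evaluate a plain `list` request against `resourceNames` because the object names are not known at authorization time, so an unfiltered list by a `developer` group member is denied (only a list carrying a `metadata.name` field selector can pass, on API servers that support that). Either drop `list` from the resourceName-restricted rule, or add a separate rule without `resourceNames` if listing all users is intended, accepting that it exposes every user name. The file also mixes flow (`resourceNames: ["…"]`) and block style for the same key; pick one. Since the UUIDs are fixtures, a comment above each ClusterRole stating what it models would help, e.g. `# owner role: a user may manage only its own User object`.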
28
control-api/user-xrd.yaml
Normal file
28
control-api/user-xrd.yaml
Normal file
|
@ -0,0 +1,28 @@
|
|||
apiVersion: apiextensions.crossplane.io/v1
|
||||
kind: CompositeResourceDefinition
|
||||
metadata:
|
||||
name: users.appuio.io
|
||||
spec:
|
||||
group: appuio.io
|
||||
names:
|
||||
kind: User
|
||||
plural: users
|
||||
versions:
|
||||
- name: v1
|
||||
served: true
|
||||
referenceable: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
displayName:
|
||||
type: string
|
||||
username:
|
||||
type: string
|
||||
email:
|
||||
type: string
|
||||
defaultOrganizationRef:
|
||||
type: string
|
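Review bot: The `openAPIV3Schema` under `versions[0].schema` marks no property as `required`, so a `User` whose `spec` is empty or lacks `username` and `email` is accepted by the API server and carries no usable identity. Add `required: [username, email]` under the `spec` object (or whichever subset the control API depends on) and `format: email` on `email`. This schema duplicates the one in `control-api/openapispec.yaml` in the same comparison; a comment such as `# keep in sync with openapispec.yaml` above `openAPIV3Schema` would tell the next editor that both must change together.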
19
control-api/users.yaml
Normal file
19
control-api/users.yaml
Normal file
|
@ -0,0 +1,19 @@
|
|||
apiVersion: appuio.io/v1
|
||||
kind: User
|
||||
metadata:
|
||||
name: bec0d928-2ae2-4cec-94a0-5f72f12b8b39
|
||||
spec:
|
||||
displayName: Kate Demo
|
||||
username: kate.demo
|
||||
email: kate@demo.com
|
||||
defaultOrganizationRef: acme-corp
|
||||
---
|
||||
apiVersion: appuio.io/v1
|
||||
kind: User
|
||||
metadata:
|
||||
name: d9050409-b5a2-4058-815e-b5dbead893ed
|
||||
spec:
|
||||
displayName: Fredi Hinz
|
||||
username: fredi.hinz
|
||||
email: fredi@demo.com
|
||||
defaultOrganizationRef: acme-corp
|
|
@ -10,14 +10,14 @@ spec:
|
|||
tls:
|
||||
destinationCACertificate: |-
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
|
||||
dmVyLWNhQDE2MzU5NzA2NTQwHhcNMjExMTAzMjAxNzM0WhcNMzExMTAxMjAxNzM0
|
||||
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzU5NzA2NTQwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAAQJf/T5/QpKMo4rbhcUno793nA5gIROsw46MxCKV5Tb
|
||||
MqUQzKKTppV6b/AqK8x3UyLP/yB+1SYYT7RL0cANx8Nro0IwQDAOBgNVHQ8BAf8E
|
||||
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUa1TQKu4lZaHvRiG9MrWZ
|
||||
0V47IRAwCgYIKoZIzj0EAwIDSAAwRQIgOXRCBZjnSk6QzR1PbRbIfw2aINxkDYuR
|
||||
jUaS4406W04CIQDFn4hAYDiS6s0Filf9XmpSkNNyUM/3adKFJPkTlndXLA==
|
||||
MIIBeDCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
|
||||
dmVyLWNhQDE2MzYzOTA2MTEwHhcNMjExMTA4MTY1NjUxWhcNMzExMTA2MTY1NjUx
|
||||
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2MzYzOTA2MTEwWTATBgcqhkjO
|
||||
PQIBBggqhkjOPQMBBwNCAAQUY6aBTDQeOcEGlLV3yDZYd2Rgz2I34jurSSmOhPAn
|
||||
71W/Re06nutSjskt5efzfYjFclHVhKS1XI57F70hxtrwo0IwQDAOBgNVHQ8BAf8E
|
||||
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUNyWs5Jxa/pFx42EZNoYs
|
||||
FL5Q6RUwCgYIKoZIzj0EAwIDSQAwRgIhAMKzw7YDZMUPH2qV1s0/id0uhtPREkhN
|
||||
ecUTsNO0/carAiEAsiXCWd7oFjDmPLIUWTAUnqyeDWfjei8luft4whlUsUk=
|
||||
-----END CERTIFICATE-----
|
||||
insecureEdgeTerminationPolicy: None
|
||||
termination: reencrypt
|
||||
|
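Review bot: The replaced `destinationCACertificate` block is a pinned CA with nothing in the file recording which cluster issued it or when it must be refreshed; this hunk is already the second CA pasted here, and the next rotation of the backend CA will break the re-encrypt route until someone repeats this edit by hand. Suggest a comment above `destinationCACertificate: |-` along the lines of `# CA of the vcluster API server; refresh whenever the vcluster is recreated, otherwise re-encrypt fails`. If the CA is available as a Secret in the cluster, sourcing it from there instead of inlining it would remove the drift entirely. The enclosing Route `spec` starts outside the hunk and the file name is not shown in this view.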
|
46
kubeconfig.yaml
Normal file
46
kubeconfig.yaml
Normal file
|
@ -0,0 +1,46 @@
|
|||
apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://vcluster-poc.apps.cloudscale-lpg-1.appuio.cloud
|
||||
name: local
|
||||
contexts:
|
||||
- context:
|
||||
cluster: local
|
||||
namespace: default
|
||||
user: oidc
|
||||
name: Default
|
||||
current-context: Default
|
||||
kind: Config
|
||||
preferences: {}
|
||||
users:
|
||||
- name: oidc
|
||||
user:
|
||||
exec:
|
||||
apiVersion: client.authentication.k8s.io/v1beta1
|
||||
args:
|
||||
- oidc-login
|
||||
- get-token
|
||||
- --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
|
||||
- --oidc-client-id=tobru-vcluster-test
|
||||
- --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
|
||||
command: kubectl
|
||||
env: null
|
||||
interactiveMode: IfAvailable
|
||||
provideClusterInfo: false
|
||||
- name: normaluser
|
||||
user:
|
||||
exec:
|
||||
apiVersion: client.authentication.k8s.io/v1beta1
|
||||
args:
|
||||
- oidc-login
|
||||
- get-token
|
||||
- --oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
|
||||
- --oidc-client-id=tobru-vcluster-test
|
||||
- --oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0
|
||||
- --token-cache-dir=~/.kube/cache/oidc-login2
|
||||
- --skip-open-browser
|
||||
- --oidc-auth-request-extra-params=login_hint=fredi.hinz
|
||||
command: kubectl
|
||||
env: null
|
||||
interactiveMode: IfAvailable
|
||||
provideClusterInfo: false
|
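Review bot: `--oidc-client-secret=63410f24-0721-447b-a290-4b0169c414e0` is an OIDC client secret committed in plain text for both the `oidc` and `normaluser` entries, and the `.gitignore` hunk in this same comparison removes the `kubeconfig.yaml` entry that previously kept this file out of the repository. Treat the secret as exposed and rotate it in the identity provider, then keep the committed kubeconfig free of it: either configure the client as a public client (kubelogin does not require a secret) or have users supply it outside the file, and restore the ignore entry or commit a template instead. The `--token-cache-dir=~/.kube/cache/oidc-login2` argument is passed by `exec` without a shell, so it only works if the plugin expands `~` itself; confirm that, or use an absolute path. The `--oidc-issuer-url` and `--oidc-client-id` values are duplicated across both entries and will drift; a short comment noting they must match the `oidc-*` API server arguments in the vcluster values would help.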
|
@ -14,7 +14,8 @@ vcluster:
|
|||
- --kube-apiserver-arg=oidc-client-id=tobru-vcluster-test
|
||||
- --kube-apiserver-arg=oidc-groups-claim=groups
|
||||
- --kube-apiserver-arg=oidc-issuer-url=https://id.dev.appuio.cloud/auth/realms/appuio-cloud-dev
|
||||
- --kube-apiserver-arg=oidc-username-claim=preferred_username
|
||||
- --kube-apiserver-arg=oidc-username-claim=sub
|
||||
- --kube-apiserver-arg=oidc-username-prefix=appuio#
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
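Review bot: The added `--kube-apiserver-arg=oidc-username-prefix=appuio#` namespaces usernames, but the context line `--kube-apiserver-arg=oidc-groups-claim=groups` still has no matching groups prefix, so every group name the identity provider emits lands unprefixed in the API server and can collide with built-in groups such as `system:masters` if the IdP ever issues such a name. Adding `- --kube-apiserver-arg=oidc-groups-prefix=appuio:` closes that; the `Group` subject `developer` in `control-api/rbac-test.yaml` would then become `appuio:developer`. Switching `oidc-username-claim` from `preferred_username` to `sub` matches the `appuio#<uuid>` subjects used there, which is worth recording in a comment above the prefix line, e.g. `# usernames are appuio#<sub>; RBAC subjects must use the same form`. The argument list this hunk edits starts outside the hunk.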
|