feat: add oidc to apiserver and crb

2024-04-20 08:17:32 +02:00
parent 361d067638
commit 32dbc9b4d2
1 changed files with 17 additions and 1 deletions
@@ -31,7 +31,11 @@ spec:
            - name: K3S_DATASTORE_ENDPOINT
              value: "postgres://k3s:$(PG_PASSWORD)@{{ $fullname }}-db-rw:5432/k3s"
        {{ end }}
-
+            extraArgs:
+              - "--kube-apiserver-arg=oidc-client-id=9b6daef0-02fa-4574-8949-f7c1b5fccd15"
+              - "--kube-apiserver-arg=oidc-issuer-url=https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
+              - "--kube-apiserver-arg=oidc-groups-claim=roles"
+              - "--kube-apiserver-arg=oidc-username-claim=sub"
          ingress:
            enabled: true
            ingressClassName: nginx
@@ -116,6 +120,18 @@ spec:
          init:
            manifests: |-
              ---
+              kind: ClusterRoleBinding
+              apiVersion: rbac.authorization.k8s.io/v1
+              metadata:
+                name: oidc-cluster-admin
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: cluster-admin
+              subjects:
+              - kind: Group
+                name: eb17a659-4ce6-41bc-9153-d9b117c44479
+              ---
              apiVersion: v1
              kind: ServiceAccount
              metadata: