icecheng/freeleaps-ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(k8s): enhance freeleaps cluster login script and add RBAC bindings

Browse Source 
Signed-off-by: 孙振宇 <>
This commit is contained in:
孙振宇 2025-01-13 19:10:06 +08:00
parent cfa135eff5
commit 6574c07350
5 changed files with 31 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
bin/freeleaps-cluster-login
View File

@ -80,7 +80,7 @@ function main() {
--oidc-client-id ${MATHMAST_AD_CLIENT_ID} \ --oidc-client-id ${MATHMAST_AD_CLIENT_ID} \
--oidc-client-secret ${MATHMAST_AD_CLIENT_SECRET} \ --oidc-client-secret ${MATHMAST_AD_CLIENT_SECRET} \
--oidc-extra-scope="profile,email,offline_access" \ --oidc-extra-scope="profile,email,offline_access" \
--log_file=/dev/null --log_file=/dev/null \
# Prompt user to input username # Prompt user to input username
echo "Please enter your username: " echo "Please enter your username: "
@ -99,11 +99,15 @@ function main() {
--exec-arg=get-token \ --exec-arg=get-token \
--exec-arg="--oidc-issuer-url=${MATHMAST_AD_ISSUER}" \ --exec-arg="--oidc-issuer-url=${MATHMAST_AD_ISSUER}" \
--exec-arg="--oidc-client-id=${MATHMAST_AD_CLIENT_ID}" \ --exec-arg="--oidc-client-id=${MATHMAST_AD_CLIENT_ID}" \
--exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}" --exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}" \
--exec-arg="--oidc-extra-scope=offline_access" \
--exec-arg="--oidc-extra-scope=profile" \
--exec-arg="--oidc-extra-scope=email" \
echo "Set cluster..." echo "Set cluster..."
kubectl config set-cluster freeleaps-cluster \ kubectl config set-cluster freeleaps-cluster \
--server=https://${CLUSTER_API_LB_IP}:6443 --server=https://${CLUSTER_API_LB_IP}:6443 \
--insecure-skip-tls-verify=true
echo "Create context..." echo "Create context..."
kubectl config set-context "$username@freeleaps-cluster" \ kubectl config set-context "$username@freeleaps-cluster" \

22
cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
View File

@ -1,22 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: microsoft-entra-id-selfsigned
namespace: freeleaps-controls-system
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: microsoft-entra-id-selfsigned
namespace: freeleaps-controls-system
spec:
dnsNames:
- login.microsoftonline.com
- 4.155.160.32
secretName: microsoft-entra-id-selfsigned
issuerRef:
name: microsoft-entra-id-selfsigned
kind: Issuer
group: cert-manager.io

11
cluster/manifests/freeleaps-devops-system/namespace.yaml
View File

@ -4,14 +4,3 @@ metadata:
name: freeleaps-devops-system name: freeleaps-devops-system
labels: labels:
name: freeleaps-devops-system name: freeleaps-devops-system
---
apiVersion: v1
kind: ResourceQuota
metadata:
name: freeleaps-devops-system
namespace: freeleaps-devops-system
spec:
hard:
requests.cpu: "4"

12
cluster/manifests/rbac/mathmast-admin-cr-binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: mathmast-admin-cr-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: mathmast:admin

12
cluster/manifests/rbac/mathmast-regular-cr-binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: mathmast-regular-cr-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: mathmast:basic-user