From 8c8190c3af005954061f7cf695270a47483fb96e Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 21 Feb 2026 15:31:34 -0500
Subject: [PATCH 1/5] feat(terraform): incept azuread
---
 .gitignore | 5 +++--
 terraform/okd/main.tf | 14 +++++++++++++-
 terraform/okd/provider.tf | 6 +++++-
 terraform/okd/variables.tf | 9 +++++++++
 4 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 terraform/okd/variables.tf
diff --git a/.gitignore b/.gitignore
index 1654202..c690290 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,8 +2,9 @@
 .kube/*
 # Terraform
-.terraform
-terraform.tfstate*
+.terraform/
+*.tfvars
+*.tfstate*
 *.hcl
 !.github/linters/.tflint.hcl
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 3da9e11..6253838 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -1,3 +1,5 @@
+# Google ------------------------------------------------------------------------------------------------------------------
+
 locals {
 wif_pool = "okd-pool"
 wif_provider = "okd-provider"
@@ -149,4 +151,14 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 secret_id = "quay-jennweir-pull-secret"
 role = "roles/secretmanager.secretAccessor"
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
-}
\ No newline at end of file
+}
+
+# Azure ------------------------------------------------------------------------------------------------------------------
+
+resource "azuread_application" "okd_cluster" {
+ display_name = "OKD Cluster"
+}
+
+resource "azuread_service_principal" "okd_cluster" {
+ client_id = azuread_application.okd_cluster.client_id
+}
diff --git a/terraform/okd/provider.tf b/terraform/okd/provider.tf
index 900f23e..a3f944f 100644
--- a/terraform/okd/provider.tf
+++ b/terraform/okd/provider.tf
@@ -1,4 +1,8 @@
 provider "google" {
- project = "homelab-mgmt"
+ project = var.homelab_project_id
 region = "us-east1"
+}
+
+provider "azuread" {
+ tenant_id = var.azure_tenant_id
 }
\ No newline at end of file
diff --git a/terraform/okd/variables.tf b/terraform/okd/variables.tf
new file mode 100644
index 0000000..e273a87
--- /dev/null
+++ b/terraform/okd/variables.tf
@@ -0,0 +1,9 @@
+variable "homelab_project_id" {
+ description = "The GCP project ID for homelab management."
+ type = string
+}
+
+variable "azure_tenant_id" {
+ description = "The tenant ID for Azure Active Directory."
+ type = string
+}
From f9e2bdaec5f5d95088d027ab9da96cf239632ebd Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 21 Feb 2026 15:34:09 -0500
Subject: [PATCH 2/5] feat(terraform): incept azuread
---
 terraform/okd/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 6253838..776ae01 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -156,7 +156,7 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 # Azure ------------------------------------------------------------------------------------------------------------------
 resource "azuread_application" "okd_cluster" {
- display_name = "OKD Cluster"
+ display_name = "okd-cluster"
 }
 resource "azuread_service_principal" "okd_cluster" {
From 3df7236aa7e7b2e418c5cf70e15f250f01e0ea63 Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 21 Feb 2026 18:01:58 -0500
Subject: [PATCH 3/5] feat(cluster-auth): byo oidc provider
---
 .../{cluster-configs.yaml => cluster-auth.yaml} | 4 ++--
 .../platform/cluster-configs/authentication.yaml | 16 ----------------
 .../platform/cluster-configs/kustomization.yaml | 4 ----
 terraform/okd/main.tf | 11 +++++++++++
 terraform/okd/versions.tf | 4 ++++
 5 files changed, 17 insertions(+), 22 deletions(-)
 rename manifests/platform/argocd/operator/applications/{cluster-configs.yaml => cluster-auth.yaml} (84%)
 delete mode 100644 manifests/platform/cluster-configs/authentication.yaml
 delete mode 100644 manifests/platform/cluster-configs/kustomization.yaml
diff --git a/manifests/platform/argocd/operator/applications/cluster-configs.yaml b/manifests/platform/argocd/operator/applications/cluster-auth.yaml
similarity index 84%
rename from manifests/platform/argocd/operator/applications/cluster-configs.yaml
rename to manifests/platform/argocd/operator/applications/cluster-auth.yaml
index 434765a..2c1ad6f 100644
--- a/manifests/platform/argocd/operator/applications/cluster-configs.yaml
+++ b/manifests/platform/argocd/operator/applications/cluster-auth.yaml
@@ -1,7 +1,7 @@
 kind: Application
 apiVersion: argoproj.io/v1alpha1
 metadata:
- name: cluster-configs
+ name: cluster-auth
 namespace: argocd
 spec:
 destination:
@@ -9,7 +9,7 @@ spec:
 project: default
 source:
 repoURL: https://github.com/jennweir/HomeLab.git
- path: manifests/platform/cluster-configs
+ path: manifests/platform/cluster-auth
 targetRevision: main
 syncPolicy:
 retry:
diff --git a/manifests/platform/cluster-configs/authentication.yaml b/manifests/platform/cluster-configs/authentication.yaml
deleted file mode 100644
index d2a5b12..0000000
--- a/manifests/platform/cluster-configs/authentication.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: config.openshift.io/v1
-kind: Authentication
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/create-only: "true"
- name: cluster
-spec:
- oauthMetadata:
- name: ""
- serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
- type: ""
- webhookTokenAuthenticator:
- kubeConfig:
- name: webhook-authentication-integrated-oauth
diff --git a/manifests/platform/cluster-configs/kustomization.yaml b/manifests/platform/cluster-configs/kustomization.yaml
deleted file mode 100644
index d5c9c20..0000000
--- a/manifests/platform/cluster-configs/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - authentication.yaml
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 776ae01..47d2bbd 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
@@ -157,8 +157,19 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 resource "azuread_application" "okd_cluster" {
 display_name = "okd-cluster"
+ web {
+ redirect_uris = ["https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback"]
+ }
 }
 resource "azuread_service_principal" "okd_cluster" {
 client_id = azuread_application.okd_cluster.client_id
 }
+
+resource "azuread_application_federated_identity_credential" "okd_cluster_byo_oidc" {
+ application_id = azuread_application.okd_cluster.id
+ display_name = "okd-cluster-byo-oidc"
+ issuer = "https://storage.googleapis.com/jennweir-homelab"
+ subject = "system:serviceaccount:*:*"
+ audiences = ["api://AzureADTokenExchange"]
+}
diff --git a/terraform/okd/versions.tf b/terraform/okd/versions.tf
index 7b4e429..738141c 100644
--- a/terraform/okd/versions.tf
+++ b/terraform/okd/versions.tf
@@ -8,6 +8,10 @@ terraform {
 source = "hashicorp/google"
 version = "5.42.0"
 }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "3.8.0"
+ }
 }
 required_version = ">= 1.1.2"
 }
From a419fad56378c470af3a019e53101e0b96848468 Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 21 Feb 2026 18:03:21 -0500
Subject: [PATCH 4/5] feat(cluster-auth): byo oidc provider
---
 manifests/platform/cluster-auth/README.md | 12 ++++++++++
 .../overlays/okd/authentication.yaml | 16 +++++++++++++
 .../overlays/okd/kustomization.yaml | 6 +++++
 .../cluster-auth/overlays/okd/oauth.yaml | 23 +++++++++++++++++++
 .../overlays/okd/serviceaccount.yaml | 4 ++++
 5 files changed, 61 insertions(+)
 create mode 100644 manifests/platform/cluster-auth/README.md
 create mode 100644 manifests/platform/cluster-auth/overlays/okd/authentication.yaml
 create mode 100644 manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
 create mode 100644 manifests/platform/cluster-auth/overlays/okd/oauth.yaml
 create mode 100644 manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml
diff --git a/manifests/platform/cluster-auth/README.md b/manifests/platform/cluster-auth/README.md
new file mode 100644
index 0000000..d719056
--- /dev/null
+++ b/manifests/platform/cluster-auth/README.md
@@ -0,0 +1,12 @@
+# AzureAD and az-cli Commands
+
+```bash
+# View jwt token
+export TENANT_ID=""
+export TOKEN=$(az account get-access-token --query accessToken -o tsv)
+echo $TOKEN | jwt decode -
+
+# View OIDC config and supported claims
+export TENANT_ID=""
+curl -s https://login.microsoftonline.com/${TENANT_ID}/v2.0/.well-known/openid-configuration
+```
diff --git a/manifests/platform/cluster-auth/overlays/okd/authentication.yaml b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
new file mode 100644
index 0000000..d2a5b12
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
@@ -0,0 +1,16 @@
+apiVersion: config.openshift.io/v1
+kind: Authentication
+metadata:
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/create-only: "true"
+ name: cluster
+spec:
+ oauthMetadata:
+ name: ""
+ serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
+ type: ""
+ webhookTokenAuthenticator:
+ kubeConfig:
+ name: webhook-authentication-integrated-oauth
diff --git a/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
new file mode 100644
index 0000000..d81232b
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - authentication.yaml
+ - oauth.yaml
+ - serviceaccount.yaml
diff --git a/manifests/platform/cluster-auth/overlays/okd/oauth.yaml b/manifests/platform/cluster-auth/overlays/okd/oauth.yaml
new file mode 100644
index 0000000..c6c1fef
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/oauth.yaml
@@ -0,0 +1,23 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/create-only: "true"
+ name: cluster
+spec:
+ identityProviders:
+ - name: azuread
+ mappingMethod: claim
+ type: OpenID
+ openID:
+ clientID:
+ claims:
+ email:
+ - email
+ name:
+ - name
+ preferredUsername:
+ - preferred_username
+ issuer: https://login.microsoftonline.com//v2.0
diff --git a/manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml b/manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml
new file mode 100644
index 0000000..76991f9
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+metadata:
+ name: oauth-reader
+ namespace: openshift-config
From 0dbb66249b286cfd7a038fe959d40645b0fc3c55 Mon Sep 17 00:00:00 2001
From: Jennifer Weir
Date: Sat, 21 Feb 2026 20:01:35 -0500
Subject: [PATCH 5/5] feat(cluster-auth): BYO OIDC authentication
---
 manifests/platform/cluster-auth/README.md | 1 -
 .../cluster-auth/base/kustomization.yaml | 4 +++
 .../okd => base}/serviceaccount.yaml | 1 +
 .../overlays/okd/authentication.yaml | 31 ++++++++++++++++---
 .../overlays/okd/client-secret.yaml | 8 +++++
 .../overlays/okd/kustomization.yaml | 3 +-
 .../cluster-auth/overlays/okd/oauth.yaml | 23 --------------
 terraform/okd/main.tf | 7 +++--
 8 files changed, 47 insertions(+), 31 deletions(-)
 create mode 100644 manifests/platform/cluster-auth/base/kustomization.yaml
 rename manifests/platform/cluster-auth/{overlays/okd => base}/serviceaccount.yaml (84%)
 create mode 100644 manifests/platform/cluster-auth/overlays/okd/client-secret.yaml
 delete mode 100644 manifests/platform/cluster-auth/overlays/okd/oauth.yaml
diff --git a/manifests/platform/cluster-auth/README.md b/manifests/platform/cluster-auth/README.md
index d719056..acc59c8 100644
--- a/manifests/platform/cluster-auth/README.md
+++ b/manifests/platform/cluster-auth/README.md
@@ -2,7 +2,6 @@
 ```bash
 # View jwt token
-export TENANT_ID=""
 export TOKEN=$(az account get-access-token --query accessToken -o tsv)
 echo $TOKEN | jwt decode -
diff --git a/manifests/platform/cluster-auth/base/kustomization.yaml b/manifests/platform/cluster-auth/base/kustomization.yaml
new file mode 100644
index 0000000..cf30275
--- /dev/null
+++ b/manifests/platform/cluster-auth/base/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - serviceaccount.yaml
diff --git a/manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml b/manifests/platform/cluster-auth/base/serviceaccount.yaml
similarity index 84%
rename from manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml
rename to manifests/platform/cluster-auth/base/serviceaccount.yaml
index 76991f9..aac38c1 100644
--- a/manifests/platform/cluster-auth/overlays/okd/serviceaccount.yaml
+++ b/manifests/platform/cluster-auth/base/serviceaccount.yaml
@@ -1,4 +1,5 @@
 kind: ServiceAccount
+apiVersion: v1
 metadata:
 name: oauth-reader
 namespace: openshift-config
diff --git a/manifests/platform/cluster-auth/overlays/okd/authentication.yaml b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
index d2a5b12..e4301f5 100644
--- a/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
+++ b/manifests/platform/cluster-auth/overlays/okd/authentication.yaml
@@ -10,7 +10,30 @@ spec:
 oauthMetadata:
 name: ""
 serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
- type: ""
- webhookTokenAuthenticator:
- kubeConfig:
- name: webhook-authentication-integrated-oauth
+ type: "OIDC"
+ oidcProviders:
+ - name: azuread
+ issuer:
+ issuerURL: "https://login.microsoftonline.com//v2.0"
+ audiences:
+ -
+ claimMappings:
+ username:
+ claim: "preferred_username"
+ oidcClients:
+ - clientID:
+ clientSecret:
+ name: azure-client-secret
+ componentName: console
+ componentNamespace: openshift-console
+ extraScopes:
+ - email
+ - profile
+ - clientID:
+ clientSecret:
+ name: azure-client-secret
+ componentName: cli
+ componentNamespace: openshift-console
+ extraScopes:
+ - email
+ - profile
diff --git a/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml b/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml
new file mode 100644
index 0000000..e5c76da
--- /dev/null
+++ b/manifests/platform/cluster-auth/overlays/okd/client-secret.yaml
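Review bot: `claimMappings.username.claim: "preferred_username"` in the authentication.yaml hunk maps cluster usernames directly from a claim that Entra ID documents as mutable and not to be used for authorization decisions, and with no prefix a tenant user whose preferred_username happens to equal an existing cluster identity (one that already holds a cluster-admin binding, say) would inherit that identity's bindings. Add `prefixPolicy: Prefix` and `prefix:` / `prefixString: "azuread:"` under `username:` so externally sourced names cannot collide with cluster-local users, and consider mapping from a stable identifier such as `sub` or `oid` instead. The blank tenant segment in `issuerURL`, the empty `audiences` item and both empty `clientID` values read as placeholders; whichever mechanism fills them in, the audiences entry should be this application's client ID only, otherwise tokens the same tenant issues for other applications would validate against the cluster. The `oauthMetadata` and `serviceAccountIssuer` lines that open the hunk belong to the enclosing `spec:` mapping, which begins above it.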
@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: azure-client-secret
+ namespace: openshift-config
+type: Opaque
+stringData:
+ clientSecret:
diff --git a/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
index d81232b..8ea426d 100644
--- a/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
+++ b/manifests/platform/cluster-auth/overlays/okd/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ../../base
 - authentication.yaml
+ - client-secret.yaml
 - oauth.yaml
- - serviceaccount.yaml
diff --git a/manifests/platform/cluster-auth/overlays/okd/oauth.yaml b/manifests/platform/cluster-auth/overlays/okd/oauth.yaml
deleted file mode 100644
index c6c1fef..0000000
--- a/manifests/platform/cluster-auth/overlays/okd/oauth.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: config.openshift.io/v1
-kind: OAuth
-metadata:
- annotations:
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/create-only: "true"
- name: cluster
-spec:
- identityProviders:
- - name: azuread
- mappingMethod: claim
- type: OpenID
- openID:
- clientID:
- claims:
- email:
- - email
- name:
- - name
- preferredUsername:
- - preferred_username
- issuer: https://login.microsoftonline.com//v2.0
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 47d2bbd..e76c544 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
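Review bot: `stringData.clientSecret:` in client-secret.yaml puts a plaintext Kubernetes Secret into the Argo CD-synced tree, so the only ways to make it work are to commit the Entra client secret into the repository or to hand-edit the cluster object, which Argo will then try to revert. The repository appears to already have the right primitive: patch 1 grants `system:serviceaccount:argocd:external-secrets` secretAccessor on a Google Secret Manager secret for the Quay pull secret, so the client secret can live in Secret Manager and be materialised by an ExternalSecret whose target is `azure-client-secret` in `openshift-config`, the name and namespace that `oidcClients[].clientSecret` references. If the plain Secret is kept as a stand-in, leave `clientSecret:` empty and add the comment `# value is injected out of band; never commit the client secret here` so the blank is not "fixed" by the next contributor. A sketch follows; the store name and remote key are placeholders, as neither appears in this series.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-client-secret
  namespace: openshift-config
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: <SECRET_STORE_NAME>  # placeholder: the store already used for the quay pull secret
  target:
    name: azure-client-secret
  data:
    - secretKey: clientSecret
      remoteRef:
        key: <SECRET_MANAGER_SECRET_ID>  # placeholder: Secret Manager entry holding the Entra client secret
```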
@@ -158,7 +158,10 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 resource "azuread_application" "okd_cluster" {
 display_name = "okd-cluster"
 web {
- redirect_uris = ["https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback"]
+ redirect_uris = [
+ "https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback/Azure_AD",
+ "https://console-openshift-console.apps.okd.jenniferpweir.com/auth/callback",
+ ]
 }
 }
@@ -170,6 +173,6 @@ resource "azuread_application_federated_identity_credential" "okd_cluster_byo_oi
 application_id = azuread_application.okd_cluster.id
 display_name = "okd-cluster-byo-oidc"
 issuer = "https://storage.googleapis.com/jennweir-homelab"
- subject = "system:serviceaccount:*:*"
+ subject = "system:serviceaccount:openshift-config:oauth-reader"
 audiences = ["api://AzureADTokenExchange"]
 }
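Review bot: The new `redirect_uris` list keeps `https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback/Azure_AD`, yet this same commit deletes oauth.yaml, whose OpenID identity provider was the only thing that would have used the integrated OAuth server's callback path, and that provider was named `azuread`, so the `/oauth2callback/Azure_AD` path would not have matched it even before the deletion. Registered redirect URIs are the allow-list that stops an authorization code from being delivered to any other host, so the list should hold only URIs the cluster actually uses; drop the oauth-openshift entry unless the integrated OAuth server is still expected to serve Azure logins, in which case the IdP name in the path has to match. The `cli` oidcClient added in authentication.yaml may need its own redirect registered; I cannot tell from this series what URI that flow uses, so it is worth confirming rather than assuming the console callback covers it.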
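Review bot: Narrowing `subject` to `system:serviceaccount:openshift-config:oauth-reader` is the right shape, but nothing in the series mints a token for that ServiceAccount with audience `api://AzureADTokenExchange` or presents it to Entra, and the cluster clients added in authentication.yaml authenticate with `azure-client-secret` instead, so it is unclear what this federated identity credential is for. If it is consumed by something outside this repository, a comment above the resource naming that consumer would stop the next reader from treating it as dead configuration; if nothing consumes it, removing the resource removes a standing trust path from the cluster's service-account issuer into the Entra application. The resource header is only visible in the `@@` context line; its body is the whole of this hunk.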