feat(cluster-auth): BYO OIDC provider

.gitignore

@@ -2,8 +2,9 @@
 .kube/*
 
 # Terraform
-.terraform
-terraform.tfstate*
+.terraform/
+*.tfvars
+*.tfstate*
 *.hcl
 !.github/linters/.tflint.hcl
 

manifests/platform/argocd/operator/applications/cluster-configs.yaml → manifests/platform/argocd/operator/applications/cluster-auth.yaml

@@ -1,15 +1,15 @@
 kind: Application
 apiVersion: argoproj.io/v1alpha1
 metadata:
-  name: cluster-configs
+  name: cluster-auth
   namespace: argocd
 spec:
   destination:
     server: https://kubernetes.default.svc
   project: default
   source:
     repoURL: https://github.com/jennweir/HomeLab.git
-    path: manifests/platform/cluster-configs
+    path: manifests/platform/cluster-auth
     targetRevision: main
   syncPolicy:
     retry:

manifests/platform/cluster-auth/README.md

@@ -0,0 +1,11 @@
+# AzureAD and az-cli Commands
+
+```bash
+# View jwt token
+export TOKEN=$(az account get-access-token --query accessToken -o tsv)
+echo $TOKEN | jwt decode -
+
+# View OIDC config and supported claims
+export TENANT_ID=""
+curl -s https://login.microsoftonline.com/${TENANT_ID}/v2.0/.well-known/openid-configuration
+```

manifests/platform/cluster-configs/kustomization.yaml → manifests/platform/cluster-auth/base/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - authentication.yaml
+  - serviceaccount.yaml

manifests/platform/cluster-auth/base/serviceaccount.yaml

@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: oauth-reader
+  namespace: openshift-config

manifests/platform/cluster-auth/overlays/okd/authentication.yaml

@@ -0,0 +1,39 @@
+apiVersion: config.openshift.io/v1
+kind: Authentication
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    release.openshift.io/create-only: "true"
+  name: cluster
+spec:
+  oauthMetadata:
+    name: ""
+  serviceAccountIssuer: https://storage.googleapis.com/jennweir-homelab
+  type: "OIDC"
+  oidcProviders:
+  - name: azuread
+    issuer:
+      issuerURL: "https://login.microsoftonline.com/<path:projects/648542105177/secrets/azure_tenant_id#azure_tenant_id>/v2.0"
+      audiences:
+        - <path:projects/648542105177/secrets/azure_client_id#azure_client_id>
+    claimMappings:
+      username:
+        claim: "preferred_username"
+    oidcClients:
+      - clientID: <path:projects/648542105177/secrets/azure_client_id#azure_client_id>
+        clientSecret:
+          name: azure-client-secret
+        componentName: console
+        componentNamespace: openshift-console
+        extraScopes:
+        - email
+        - profile
+      - clientID: <path:projects/648542105177/secrets/azure_client_id#azure_client_id>
+        clientSecret:
+          name: azure-client-secret
+        componentName: cli
+        componentNamespace: openshift-console
+        extraScopes:
+        - email
+        - profile

manifests/platform/cluster-auth/overlays/okd/client-secret.yaml

@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: azure-client-secret
+  namespace: openshift-config
+type: Opaque
+stringData:
+  clientSecret: <path:projects/648542105177/secrets/azure_client_secret#azure_client_secret>

manifests/platform/cluster-auth/overlays/okd/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+  - authentication.yaml
+  - client-secret.yaml
+  - oauth.yaml

terraform/okd/main.tf

@@ -1,3 +1,5 @@
+# Google ------------------------------------------------------------------------------------------------------------------
+
 locals {
     wif_pool = "okd-pool"
     wif_provider = "okd-provider"
@@ -149,4 +151,28 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
     secret_id = "quay-jennweir-pull-secret"
     role      = "roles/secretmanager.secretAccessor"
     member    = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
-}
+}
+
+# Azure ------------------------------------------------------------------------------------------------------------------
+
+resource "azuread_application" "okd_cluster" {
+    display_name = "okd-cluster"
+    web {
+        redirect_uris = [
+            "https://oauth-openshift.apps.okd.jenniferpweir.com/oauth2callback/Azure_AD",
+            "https://console-openshift-console.apps.okd.jenniferpweir.com/auth/callback",
+        ]
+    }
+}
+
+resource "azuread_service_principal" "okd_cluster" {
+    client_id = azuread_application.okd_cluster.client_id
+}
+
+resource "azuread_application_federated_identity_credential" "okd_cluster_byo_oidc" {
+    application_id = azuread_application.okd_cluster.id
+    display_name   = "okd-cluster-byo-oidc"
+    issuer         = "https://storage.googleapis.com/jennweir-homelab"
+    subject        = "system:serviceaccount:openshift-config:oauth-reader"
+    audiences      = ["api://AzureADTokenExchange"]
+}

terraform/okd/provider.tf

@@ -1,4 +1,8 @@
 provider "google" {
-  project = "homelab-mgmt"
+  project = var.homelab_project_id
   region  = "us-east1"
+}
+
+provider "azuread" {
+  tenant_id = var.azure_tenant_id
 }

terraform/okd/variables.tf

@@ -0,0 +1,9 @@
+variable "homelab_project_id" {
+  description = "The GCP project ID for homelab management."
+  type        = string
+}
+
+variable "azure_tenant_id" {
+  description = "The tenant ID for Azure Active Directory."
+  type        = string
+}

terraform/okd/versions.tf

@@ -8,6 +8,10 @@ terraform {
       source = "hashicorp/google"
       version = "5.42.0"
     }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "3.8.0"
+    }
   }
   required_version = ">= 1.1.2"
 }