feat: WIP on bringing OIDC to the talos cluster

Author: batleforc

.compose/authelia/configuration.yml

@@ -10,7 +10,7 @@ log:
   level: 'debug'
 
 totp:
-  issuer: 'authelia.com'
+  issuer: 'authelia.k8s.localhost'
 
 identity_validation:
   reset_password:
@@ -78,7 +78,7 @@ identity_providers:
     jwks:
       - key_id: "kube_login"
         key: |
-          {{ secret "/config/private.pem" | nindent 10 }}
+          {{- secret "/config/private.pem" | nindent 10 }}
 
 
 

.compose/compose.authelia.yaml

@@ -1,6 +1,9 @@
 services:
   authelia:
     image: "authelia/authelia"
+    networks:
+      default:
+        ipv4_address: 10.5.0.16
     container_name: authelia
     user: "${PUID}:${PGID}"
     volumes:
@@ -22,3 +25,4 @@ services:
       TZ: "Europe/Paris"
       PUID: "${PUID}"
       PGID: "${PGID}"
+      X_AUTHELIA_CONFIG_FILTERS: "template"

.compose/compose.otel.yaml

@@ -6,14 +6,23 @@ services:
       - ./tracing/otel-collector-config.yaml:/etc/otel-collector-config.yaml
     ports:
       - "4317:4317" # OTLP gRPC receiver
+    networks:
+      default:
+        ipv4_address: 10.5.0.13
   jaeger:
-    image: jaegertracing/all-in-one:latest
+    image: cr.jaegertracing.io/jaegertracing/jaeger:2.11.0
+    networks:
+      default:
+        ipv4_address: 10.5.0.14
     ports:
       - "6831:6831/udp" # UDP port for Jaeger agent
       - "16686:16686" # Web UI
       - "14268:14268" # HTTP port for spans
   prometheus:
     image: prom/prometheus:latest
+    networks:
+      default:
+        ipv4_address: 10.5.0.15
     volumes:
       - ./tracing/prometheus.yml:/etc/prometheus/prometheus.yml
     ports:

.compose/compose.redis.yaml

@@ -2,13 +2,19 @@ services:
   redis:
     image: ghcr.io/dragonflydb/dragonfly
     container_name: redis
+    networks:
+      default:
+        ipv4_address: 10.5.0.11
     environment:
       REDIS_HOST_PASSWORD: "${REDIS_PASSWORD}"
       DFLY_requirepass: "${REDIS_PASSWORD}"
     ports:
       - "6379:6379"
   dbgate:
     image: dbgate/dbgate
+    networks:
+      default:
+        ipv4_address: 10.5.0.12
     restart: always
     environment:
       CONNECTIONS: redis

.compose/compose.traefik.yaml

@@ -2,6 +2,9 @@ services:
   traefik:
     image: "traefik"
     container_name: "traefik"
+    networks:
+      default:
+        ipv4_address: 10.5.0.10
     volumes:
       - "./traefik:/etc/traefik"
       - "/var/run/docker.sock:/var/run/docker.sock"

.gitignore

@@ -5,6 +5,7 @@ dist
 tmp
 out-tsc
 .tls
+.compose/traefik/certs
 
 # dependencies
 node_modules

.talos/.gitignore

@@ -0,0 +1,4 @@
+patch_host.yaml
+patch_cert.yaml
+patch_cert.yaml.tmp
+patch_auth.yaml.tmp

.talos/patch_auth.yaml .talos/patch_auth.yaml.tpl.talos/patch_auth.yaml renamed to .talos/patch_auth.yaml.tpl

@@ -1,16 +1,14 @@
-- op: add
-  path: /cluster/apiServer/extraArgs
-  value:
-    authentication-config: /var/lib/apiserver/authentication.yaml
-- op: add
-  path: /cluster/apiServer/extraVolumes
-  value:
-    - hostPath: /var/lib/apiserver
-      mountPath: /var/lib/apiserver
-      readonly: true
-- op: add
-  path: /machine/files
-  value:
+cluster:
+  apiServer:
+    extraArgs:
+      authentication-config: /var/lib/apiserver/authentication.yaml
+    extraVolumes:
+      - hostPath: /var/lib/apiserver
+        mountPath: /var/lib/apiserver
+        readonly: true
+
+machine:
+  files:
     - content: |
         apiVersion: apiserver.config.k8s.io/v1beta1
         kind: AuthenticationConfiguration
@@ -20,6 +18,8 @@
               audiences:
                 - 'kube_login'
               audienceMatchPolicy: MatchAny
+              certificateAuthority: |
+                CERTIFICATE
             claimValidationRules:
               - expression: "claims.email_verified == true"
                 message: "email must be verified"
@@ -37,4 +37,4 @@
                 message: "groups cannot used reserved system: prefix"
       permissions: 0o444
       path: /var/lib/apiserver/authentication.yaml
-      op: create
+      op: create

.talos/patch_host.yaml.tpl

@@ -0,0 +1,8 @@
+machine:
+  network:
+    extraHostEntries:
+      - ip: TRAEFIK_IP
+        aliases:
+          - authelia.k8s.localhost
+          - traefik.k8s.localhost
+          - k8s.localhost

.taskfile/talos.yaml

@@ -1,28 +1,67 @@
-version: '3'
+version: "3"
 
 tasks:
   up:
     desc: "Start Talos cluster"
+    vars:
+      TRAEFIK_IP:
+        sh: task talos:get-traefik-ip
+    cmds:
+      - cp .talos/patch_host.yaml.tpl .talos/patch_host.yaml && sed -i 's/TRAEFIK_IP/{{ .TRAEFIK_IP }}/g' .talos/patch_host.yaml
+      - task talos:up:cert
+      - talosctl cluster create --workers 1 --config-patch-control-plane @.talos/patch_auth.yaml --config-patch @.talos/patch_host.yaml
+      - task talos:kubeconfig
+      - task talos:crd
+      - task talos:k -- apply -f ./deploy/exemple/min-local-talos.crd.yaml
+      - task talos:create-kubeconfig-proxy
+      - task talos:create-kubeconfig-oidc
+  up:cert:
     cmds:
-      - talosctl cluster create --workers 1 --config-patch-control-plane @.talos/patch_auth.yaml
+      - cp .talos/patch_auth.yaml.tpl .talos/patch_auth.yaml
+      - |
+        awk '/CERTIFICATE/ {
+          while ((getline line < ".compose/traefik/certs/cert.pem") > 0) {
+          print "                " line
+          }
+          close(".compose/traefik/certs/cert.pem")
+          next
+          }
+        { print }' .talos/patch_auth.yaml > .talos/patch_auth.yaml.tmp
+      - mv .talos/patch_auth.yaml.tmp .talos/patch_auth.yaml
   down:
     desc: "Destroy Talos cluster"
     cmds:
       - talosctl cluster destroy
   kubeconfig:
     desc: "Get kubeconfig for Talos cluster"
     cmds:
+      - rm -f kubeconfig.local.yaml
       - talosctl kubeconfig 'kubeconfig.local.yaml' -n 10.5.0.2
   dashboard:
     desc: "Open Talos dashboard"
     cmds:
       - talosctl dashboard -n 10.5.0.2
   k:
     desc: "Shortcut for kubectl"
+    silent: true
     env:
       KUBECONFIG: kubeconfig.local.yaml
     cmds:
       - kubectl {{ .CLI_ARGS }}
+  k-proxy:
+    desc: "Shortcut for kubectl using ProxyauthK8s"
+    silent: true
+    env:
+      KUBECONFIG: kubeconfig.local-proxy.yaml
+    cmds:
+      - kubectl {{ .CLI_ARGS }}
+  k-oidc:
+    desc: "Shortcut for kubectl using OIDC"
+    silent: true
+    env:
+      KUBECONFIG: kubeconfig.local-oidc.yaml
+    cmds:
+      - kubectl {{ .CLI_ARGS }}
   k9s:
     desc: "Shortcut for k9s"
     env:
@@ -36,12 +75,30 @@ tasks:
     cmds:
       - kubectl apply -f ./deploy/crds.yaml
   create-kubeconfig-oidc:
+    desc: "Create kubeconfig to use with OIDC and ProxyauthK8s"
+    silent: true
+    vars:
+      server_url: "https://localhost:5437/clusters/default/local"
+    cmds:
+      - cp kubeconfig-template.oidc.yaml kubeconfig.local-oidc.yaml
+      - yq e -i '.clusters[0].cluster.server = "{{ .server_url }}"' kubeconfig.local-oidc.yaml
+  create-kubeconfig-proxy:
+    desc: "Create kubeconfig to use with ProxyauthK8s"
+    silent: true
     vars:
-      server_url:
-        sh: cat kubeconfig.local.yaml | yq .clusters[0].cluster.server
-      server_ca:
-        sh: cat kubeconfig.local.yaml | yq .clusters[0].cluster."certificate-authority-data"
-    cmds:
-    - cp kubeconfig-template.oidc.yaml kubeconfig.local-oidc.yaml
-    - yq e -i '.clusters[0].cluster.server = "{{ .server_url }}"' kubeconfig.local-oidc.yaml
-    - yq e -i '.clusters[0].cluster."certificate-authority-data" = "{{ .server_ca }}"' kubeconfig.local-oidc.yaml
+      server_url: "https://localhost:5437/clusters/default/local"
+      token:
+        sh: task talos:k -- create token default
+    cmds:
+      - cp kubeconfig.local.yaml kubeconfig.local-proxy.yaml
+      - yq e -i '.clusters[0].cluster.server = "{{ .server_url }}"' kubeconfig.local-proxy.yaml
+      - yq e -i 'del(.clusters[0].cluster."certificate-authority-data")' kubeconfig.local-proxy.yaml
+      - yq e -i '.users[0].user.token = "{{ .token }}"' kubeconfig.local-proxy.yaml
+      - yq e -i 'del(.users[0].user."client-certificate-data")' kubeconfig.local-proxy.yaml
+      - yq e -i 'del(.users[0].user."client-key-data")' kubeconfig.local-proxy.yaml
+  get-traefik-ip:
+    desc: "Get Traefik Docker IP"
+    silent: true
+    cmds:
+      - docker inspect traefik | jq -r '.[0].NetworkSettings.Networks["talos-default"].IPAddress'
+      # https://docs.siderolabs.com/talos/v1.6/reference/configuration/v1alpha1/config#extrahostentries%5B%5D