feat(k8s-oidc): add bare-metal k8s oidc github pages

meysam81 · Dec 1, 2024 · a18a830 · a18a830
1 parent 655346a
commit a18a830
Show file tree

Hide file tree

Showing 15 changed files with 449 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,6 +41,8 @@ jobs:
             ~/.cache/trivy
             ~/work/temp
           key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-trivy-db-
       - name: Run Trivy vulnerability scanner in fs mode
         uses: aquasecurity/trivy-action@master
         with:
@@ -94,6 +96,8 @@ jobs:
             ~/.ansible/collections
             ~/.ansible/plugins
           key: ${{ runner.os }}-ansible-${{ hashFiles('**/requirements.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
       - name: Prepare localhost inventory
         run: |
           cat << 'EOF' > localhost.yml

diff --git a/playbook.yml b/playbook.yml
@@ -2,6 +2,8 @@
   hosts: all
   gather_facts: true
   become: true
+  vars_files:
+    - vars.yml
   pre_tasks:
     - name: Ping
       ansible.builtin.ping:
@@ -20,3 +22,5 @@
         promtail_remote_write_url: "{{ lookup('env', 'PROMTAIL_REMOTE_WRITE_URL') | default('http://localhost:3100/loki/api/v1/push', true) }}"
     - role: pushgateway
       tags: pushgateway
+    - role: k8s_oidc_github_pages
+      tags: k8s_oidc_github_pages
diff --git a/roles/k8s_oidc_github_pages/README.md b/roles/k8s_oidc_github_pages/README.md
@@ -0,0 +1,193 @@
+# k8s_oidc_github_pages
+
+Fetch Kubernetes OpenID Configuration and JWKs keys and push and deploy them to GitHub Pages as static files.
+
+Grab the OIDC configuration file from K8s API server and push it into a
+GitHub repository with Pages enabled.
+
+This will ultimately result in serving static files from a public URL with TLS
+enabled.
+
+As a result, the administrator can set up trust relationship with other
+service providers, such as AWS, to allow pods inside the Kubernetes cluster
+access to third-party cloud services.
+
+Although this is tailored for K3d Kubernetes cluster, there is nothing stopping
+it from being used on other Kubernetes clusters.
+
+
+## Table of content
+
+- [Requirements](#requirements)
+- [Default Variables](#default-variables)
+  - [k8s_oidc_github_pages_commit_email](#k8s_oidc_github_pages_commit_email)
+  - [k8s_oidc_github_pages_commit_name](#k8s_oidc_github_pages_commit_name)
+  - [k8s_oidc_github_pages_debug](#k8s_oidc_github_pages_debug)
+  - [k8s_oidc_github_pages_environments](#k8s_oidc_github_pages_environments)
+  - [k8s_oidc_github_pages_github_deploy_key](#k8s_oidc_github_pages_github_deploy_key)
+  - [k8s_oidc_github_pages_github_known_hosts_path](#k8s_oidc_github_pages_github_known_hosts_path)
+  - [k8s_oidc_github_pages_gpg_private_key_path](#k8s_oidc_github_pages_gpg_private_key_path)
+  - [k8s_oidc_github_pages_random_sleep_enabled](#k8s_oidc_github_pages_random_sleep_enabled)
+  - [k8s_oidc_github_pages_repository_name](#k8s_oidc_github_pages_repository_name)
+  - [k8s_oidc_github_pages_repository_owner](#k8s_oidc_github_pages_repository_owner)
+  - [k8s_oidc_github_pages_repository_ssh_url](#k8s_oidc_github_pages_repository_ssh_url)
+  - [k8s_oidc_github_pages_sign_gpg_private_key](#k8s_oidc_github_pages_sign_gpg_private_key)
+  - [k8s_oidc_github_pages_ssh_config_host](#k8s_oidc_github_pages_ssh_config_host)
+  - [k8s_oidc_github_pages_ssh_config_path](#k8s_oidc_github_pages_ssh_config_path)
+  - [k8s_oidc_github_pages_ssh_private_key_path](#k8s_oidc_github_pages_ssh_private_key_path)
+  - [k8s_oidc_github_pages_timer_calendar](#k8s_oidc_github_pages_timer_calendar)
+- [Dependencies](#dependencies)
+- [License](#license)
+- [Author](#author)
+
+---
+
+## Requirements
+
+- Minimum Ansible version: `2.17`
+
+## Default Variables
+
+### k8s_oidc_github_pages_commit_email
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_commit_email: k8s-oidc-github-pages[bot]@users.noreply.github.com
+```
+
+### k8s_oidc_github_pages_commit_name
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_commit_name: K8s OIDC GitHub Pages
+```
+
+### k8s_oidc_github_pages_debug
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_debug: true
+```
+
+### k8s_oidc_github_pages_environments
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_environments: |
+  KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+```
+
+### k8s_oidc_github_pages_github_deploy_key
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_github_deploy_key:
+```
+
+### k8s_oidc_github_pages_github_known_hosts_path
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_github_known_hosts_path: .ssh/known_hosts
+```
+
+### k8s_oidc_github_pages_gpg_private_key_path
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_gpg_private_key_path: .gnupg/github-signing-key.asc
+```
+
+### k8s_oidc_github_pages_random_sleep_enabled
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_random_sleep_enabled: false
+```
+
+### k8s_oidc_github_pages_repository_name
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_repository_name:
+```
+
+### k8s_oidc_github_pages_repository_owner
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_repository_owner:
+```
+
+### k8s_oidc_github_pages_repository_ssh_url
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_repository_ssh_url: git@github.com:{{ k8s_oidc_github_pages_repository_owner
+  }}/{{ k8s_oidc_github_pages_repository_name }}.git
+```
+
+### k8s_oidc_github_pages_sign_gpg_private_key
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_sign_gpg_private_key:
+```
+
+### k8s_oidc_github_pages_ssh_config_host
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_ssh_config_host: k8s-oidc-github-pages
+```
+
+### k8s_oidc_github_pages_ssh_config_path
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_ssh_config_path: .ssh/config
+```
+
+### k8s_oidc_github_pages_ssh_private_key_path
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_ssh_private_key_path: .ssh/github-deploy-key
+```
+
+### k8s_oidc_github_pages_timer_calendar
+
+#### Default value
+
+```YAML
+k8s_oidc_github_pages_timer_calendar: '*:0/5'
+```
+
+
+
+## Dependencies
+
+None.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Meysam Azad
diff --git a/roles/k8s_oidc_github_pages/defaults/main.yml b/roles/k8s_oidc_github_pages/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+k8s_oidc_github_pages_commit_email: k8s-oidc-github-pages[bot]@users.noreply.github.com
+k8s_oidc_github_pages_commit_name: K8s OIDC GitHub Pages
+k8s_oidc_github_pages_debug: true
+k8s_oidc_github_pages_environments: |
+  KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+k8s_oidc_github_pages_github_deploy_key: null
+k8s_oidc_github_pages_github_known_hosts_path: .ssh/known_hosts
+k8s_oidc_github_pages_gpg_private_key_path: .gnupg/github-signing-key.asc
+k8s_oidc_github_pages_random_sleep_enabled: false
+k8s_oidc_github_pages_repository_name: null
+k8s_oidc_github_pages_repository_owner: null
+k8s_oidc_github_pages_repository_ssh_url: git@github.com:{{ k8s_oidc_github_pages_repository_owner }}/{{ k8s_oidc_github_pages_repository_name }}.git
+k8s_oidc_github_pages_sign_gpg_private_key: null
+k8s_oidc_github_pages_ssh_config_host: k8s-oidc-github-pages
+k8s_oidc_github_pages_ssh_config_path: .ssh/config
+k8s_oidc_github_pages_ssh_private_key_path: .ssh/github-deploy-key
+k8s_oidc_github_pages_timer_calendar: "*:0/5"
diff --git a/roles/k8s_oidc_github_pages/files/github-known-hosts b/roles/k8s_oidc_github_pages/files/github-known-hosts
@@ -0,0 +1,3 @@
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
diff --git a/roles/k8s_oidc_github_pages/handlers/main.yml b/roles/k8s_oidc_github_pages/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/k8s_oidc_github_pages/meta/main.yml b/roles/k8s_oidc_github_pages/meta/main.yml
@@ -0,0 +1,49 @@
+galaxy_info:
+  author: Meysam Azad
+  description: |
+    Fetch Kubernetes OpenID Configuration and JWKs keys and push and deploy them to GitHub Pages as static files.
+
+
+    Grab the OIDC configuration file from K8s API server and push it into a
+    GitHub repository with Pages enabled.
+
+
+    This will ultimately result in serving static files from a public URL with TLS
+    enabled.
+
+
+    As a result, the administrator can set up trust relationship with other
+    service providers, such as AWS, to allow pods inside the Kubernetes cluster
+    access to third-party cloud services.
+
+
+    Although this is tailored for K3d Kubernetes cluster, there is nothing stopping
+    it from being used on other Kubernetes clusters.
+  company: Self employed
+
+  issue_tracker_url: http://github.com/meysam81/ansible-collections/issues
+  license: Apache-2.0
+
+  min_ansible_version: "2.17"
+
+  galaxy_tags:
+    - kubernetes
+    - oidc
+    - github
+    - pages
+    - openid
+    - jwks
+    - security
+    - authentication
+    - authorization
+    - identity
+    - federation
+    - sso
+    - saml
+    - oauth
+    - jwt
+    - jwe
+    - jws
+    - jwk
+
+dependencies: []
diff --git a/roles/k8s_oidc_github_pages/tasks/main.yml b/roles/k8s_oidc_github_pages/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Setup Debian
+  ansible.builtin.include_tasks: setup-Debian.yml
+  when: ansible_os_family == 'Debian'
diff --git a/roles/k8s_oidc_github_pages/tasks/setup-Debian.yml b/roles/k8s_oidc_github_pages/tasks/setup-Debian.yml
@@ -0,0 +1,88 @@
+---
+- name: Assert required vars are defined
+  ansible.builtin.assert:
+    that:
+      - k8s_oidc_github_pages_repository_name | default('', true) | length > 0
+      - k8s_oidc_github_pages_repository_owner | default('', true) | length > 0
+      - k8s_oidc_github_pages_github_deploy_key | default('', true) | length > 0
+- name: Ensure /root/.ssh exists
+  ansible.builtin.file:
+    group: root
+    mode: "0700"
+    owner: root
+    path: /root/.ssh
+    state: directory
+- name: Ensure /root/.gnupg exists
+  ansible.builtin.file:
+    group: root
+    mode: "0700"
+    owner: root
+    path: /root/.gnupg
+    state: directory
+- name: Copy GitHub Deploy key
+  ansible.builtin.copy:
+    content: "{{ k8s_oidc_github_pages_github_deploy_key }}"
+    dest: /root/{{ k8s_oidc_github_pages_ssh_private_key_path }}
+    group: root
+    mode: "0600"
+    owner: root
+  no_log: true
+- name: Add GitHub Known hosts entry
+  ansible.builtin.blockinfile:
+    path: "/root/{{ k8s_oidc_github_pages_github_known_hosts_path }}"
+    create: true
+    mode: "0644"
+    block: "{{ lookup('file', 'github-known-hosts') }}"
+    marker: "# {mark} GITHUB KNOWN HOSTS"
+    state: present
+- name: Create SSH config block for GitHub Pages
+  ansible.builtin.blockinfile:
+    path: "/root/{{ k8s_oidc_github_pages_ssh_config_path }}"
+    create: true
+    mode: "0600"
+    block: "{{ lookup('template', 'ssh-config.j2') }}"
+    marker: "# {mark} K8S OIDC GITHUB PAGES SSH CONFIG"
+    state: present
+- name: Copy Sign GPG private key
+  ansible.builtin.copy:
+    content: "{{ k8s_oidc_github_pages_sign_gpg_private_key }}"
+    dest: /root/{{ k8s_oidc_github_pages_gpg_private_key_path }}
+    group: root
+    mode: "0600"
+    owner: root
+  no_log: true
+  when: k8s_oidc_github_pages_sign_gpg_private_key | default('', true) | length > 0
+- name: Copy the K8s OIDC GitHub Pages shell script
+  ansible.builtin.template:
+    src: k8s-oidc-github-pages.sh.j2
+    dest: /usr/local/bin/k8s-oidc-github-pages
+    owner: root
+    group: root
+    mode: "0755"
+- name: Copy environment variable file
+  ansible.builtin.copy:
+    content: "{{ k8s_oidc_github_pages_environments }}"
+    dest: /etc/default/k8s-oidc-github-pages
+    owner: root
+    group: root
+    mode: "0640"
+- name: Copy k8s oidc github pages service file
+  ansible.builtin.template:
+    src: k8s-oidc-github-pages.service.j2
+    dest: /etc/systemd/system/k8s-oidc-github-pages.service
+    owner: root
+    group: root
+    mode: "0644"
+- name: Copy k8s oidc github pages timer file
+  ansible.builtin.template:
+    src: k8s-oidc-github-pages.timer.j2
+    dest: /etc/systemd/system/k8s-oidc-github-pages.timer
+    owner: root
+    group: root
+    mode: "0644"
+- name: Start the k8s oidc github pages systemd timer
+  ansible.builtin.systemd:
+    name: k8s-oidc-github-pages.timer
+    enabled: true
+    daemon_reload: true
+    state: started