misc: zot registry, k8s OIDC, server configs, sandbox experiments, and notes

- docker-30/zot: add Zot OCI registry with on-demand sync to docker.io,
  registry.k8s.io, ghcr.io, quay.io
- kubernetes-kvm-terraform: wire Kanidm OIDC via structured
  AuthenticationConfiguration; add reference apiserver manifest and
  join-node-02 helper
- servers: reorganize shadow/ under servers/, add saint vhost config and
  utility-101 VM definition, add shadow hrajfrisbee.cz vhost and
  storage-23 notes
- experiments: add notes and configs for e2b dev VM, kata + firecracker
  on kube, microsandbox, orb-stack k3s (terraform + cloud-init), rke2
- vms/docker: document tailscale + node-exporter setup
- blog: stub post on Gateway API
- chore: gitignore tmp/, smtp_password, and the two local-only
  credential caches; add per-project .claude/settings.json

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 18:12:38 +02:00
parent 5ca27a832b
commit 80d0cc1168
34 changed files with 2814 additions and 1 deletions

@@ -115,6 +115,23 @@ locals {
skip_verify = true
override_path = true
- path: /etc/kubernetes/auth-config.yaml
content: |
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
url: https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s
audiences:
- k8s
claimMappings:
username:
claim: preferred_username
prefix: ""
groups:
claim: groups
prefix: ""
- path: /root/kubeadm-config.yaml
content: |
apiVersion: kubeadm.k8s.io/v1beta3
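Review bot: the `prefix: ""` under `claimMappings.groups` (and `username`) in the new `/etc/kubernetes/auth-config.yaml` maps IdP claims straight onto Kubernetes identities, so a Kanidm group named `system:masters`, or any other group that already has an RBAC binding, would be honoured as that group. Unless that collision is intended, give both mappings a namespace such as `prefix: "oidc:"` and bind RBAC to the prefixed names; `audiences: [k8s]` and the exact issuer URL are fine as long as the Kanidm client emits them verbatim in `aud` and `iss`.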
@@ -130,6 +147,13 @@ locals {
oidc-signing-algs: "ES256"
networking:
podSubnet: "10.244.0.0/16"
# /etc/kubernetes/auth-config.yaml has to be created on master node somehow
extraVolumes:
- name: auth-config
hostPath: /etc/kubernetes/auth-config.yaml
mountPath: /etc/kubernetes/auth-config.yaml
readOnly: true
pathType: File
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
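Review bot: the apiserver only reads the mounted file when it is started with `--authentication-config`, and no `authentication-config: /etc/kubernetes/auth-config.yaml` entry is visible under `apiServer.extraArgs` in this hunk; meanwhile the existing `oidc-signing-algs: "ES256"` context line shows `--oidc-*` flags are still set, and kube-apiserver refuses to start when `--authentication-config` is combined with any `--oidc-*` flag. Add the `authentication-config` extraArg and drop the `oidc-*` entries together. The comment `# /etc/kubernetes/auth-config.yaml has to be created on master node somehow` is also stale, since the previous hunk now writes that file via cloud-init; the `readOnly: true` / `pathType: File` mount itself looks right.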