vault: - Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys) - Add gitea-ci-read policy scoped to secret/data/gitea/* - Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL) - Add AppRole gitea-ci as alternative auth method for the same policy - Add gitea-access-into-vault.md documenting the setup end-to-end - Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources) kanidm: - Add run.sh with docker run command (pinned to v1.9.1) - Add gitea-action-kubernetes-access.md documenting how to set up a Kanidm service account and OAuth2 client for Gitea CI k8s access - readme: add upgrade procedure, recover-account command, and service account + API token setup for gitea-ci-token maru-hleda-byt: - Add --restart=always to docker run command fuj-management: - Add run.sh (new service config) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Upgrade
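# 1. Ask the running instance whether it can be upgraded to the target release.
docker exec -it kanidmd kanidmd domain upgrade-check
# 2. Make sure a backup exists: /srv/docker/kanidm/data/kanidm/backups
# 3. Change the container image in: /srv/docker/kanidm/run.sh
#    Keep the image tag used below in sync with run.sh — restoring with a
#    different (e.g. newer "latest") binary than the service runs is the
#    easiest way to end up with a database the service cannot open.
# 4. Restore kanidm data from the backup.
#    run.sh bind-mounts /srv/docker/kanidm/data at /data (it does not use
#    named volumes), so the restore container must mount the same host path;
#    a named volume "kanidmd" would be a separate, empty volume and the backup
#    directory from step 2 is /data/kanidm/backups inside that mount.
docker stop kanidmd
docker run --rm -it \
  -v /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest \
  /sbin/kanidmd database restore -c /data/server.toml /data/kanidm/backups/kanidm.backup.json
docker start kanidmd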
Recover passwords from the kanidm instance
# Reset the idm_admin credential; run on the docker host. The new credential is
# printed to the terminal, so treat the session output as a secret.
docker exec -it kanidmd kanidmd recover-account idm_admin
Add a user to the k8s group
based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/
# Group whose members may log in to the cluster, and the OAuth2 client they use.
export GROUP_NAME="k8s_users"
export OAUTH2_NAME="k8s"

kanidm group create "${GROUP_NAME}"
kanidm group add-members "${GROUP_NAME}" novakj

# Public client (no client secret); kubectl oidc-login receives the callback on
# localhost:8000, which is why localhost redirects are enabled for it.
kanidm system oauth2 create-public "${OAUTH2_NAME}" "${OAUTH2_NAME}" http://localhost:8000
kanidm system oauth2 add-redirect-url "${OAUTH2_NAME}" http://localhost:8000
kanidm system oauth2 update-scope-map "${OAUTH2_NAME}" "${GROUP_NAME}" email openid profile groups
kanidm system oauth2 enable-localhost-redirects "${OAUTH2_NAME}"
issuer='https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s'
client_id='k8s'

# One-time interactive check that the browser login flow works.
kubectl oidc-login setup \
  --oidc-issuer-url="${issuer}" \
  --oidc-client-id="${client_id}"

# Credential entry that obtains the ID token through the oidc-login exec plugin.
kubectl config set-credentials oidc \
  --exec-api-version=client.authentication.k8s.io/v1 \
  --exec-interactive-mode=Never \
  --exec-command=kubectl \
  --exec-arg=oidc-login \
  --exec-arg=get-token \
  --exec-arg="--oidc-issuer-url=${issuer}" \
  --exec-arg="--oidc-client-id=${client_id}"

# Binds a single subject (issuer#uuid) to cluster-admin. Because the scope map
# requests the "groups" claim, a group-based binding would avoid repeating this
# per user, provided the API server is configured with a groups claim.
kubectl create clusterrolebinding oidc-cluster-admin \
  --clusterrole=cluster-admin \
  --user="${issuer}#35842461-a1c4-4ad6-8b29-697c5ddbfe84"
Management commands
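# Recover the admin passwords — run on the docker host.
docker exec -it kanidmd kanidmd recover-account admin
docker exec -it kanidmd kanidmd recover-account idm_admin

# Kanidm management commands (can be run from any logged-in client).
kanidm person credential create-reset-token novakj
kanidm person get novakj | grep memberof

# Inspect groups. The line that stood here originally was garbled
# ("kanidm group get kanidm group get"); substitute the group to inspect:
# kanidm group get <GROUP-NAME>
kanidm group get idm_all_accounts
kanidm group get idm_all_persons
kanidm group get idm_people_self_name_write

# Account policy for all accounts: "any" is the weakest credential-type minimum
# (password-only credentials are accepted); "mfa" or "passkey" would require
# stronger credentials. Decide deliberately before applying it domain-wide.
kanidm group account-policy credential-type-minimum idm_all_accounts any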
Configure OAuth2 Proxy
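# Confidential client for oauth2-proxy; the third argument is the redirect URI (callback).
kanidm system oauth2 create oauth2-proxy "OAuth2 Proxy" https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz
kanidm system oauth2 enable-pkce oauth2-proxy
# Only if the proxy really cannot do PKCE. This drops the protection against
# authorization-code interception for this client, so prefer a proxy build that
# supports PKCE and skip this step when possible.
kanidm system oauth2 warning-insecure-client-disable-pkce oauth2-proxy # if proxy doesn't support PKCE
# Note the client secret and put it into the proxy's configuration — never into this file.
kanidm system oauth2 get oauth2-proxy

# Fix incorrect URLs if needed. The example output below shows a landing URL that
# is missing the "." before "lab"; remove the wrong redirect URL first, then add the
# correct one and reset the landing URL.
# kanidm system oauth2 remove-redirect-url oauth2-proxy <WRONG-REDIRECT-URL>
kanidm system oauth2 add-redirect-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz

# Example output (secret redacted: the value originally pasted here was a live
# client secret committed to the repository — rotate it and treat the old one as
# compromised):
# ✔ Multiple authentication tokens exist. Please select one · idm_admin@idm.home.hrajfrisbee.cz
# ---
# class: account
# class: key_object
# class: key_object_internal
# class: key_object_jwe_a128gcm
# class: key_object_jwt_es256
# class: memberof
# class: oauth2_resource_server
# class: oauth2_resource_server_basic
# class: object
# displayname: OAuth2 Proxy
# key_internal_data: 69df0a387991455f7c9800f13b881803: valid jwe_a128gcm 0
# key_internal_data: c5f61c48a9c0eb61ba993a36748826cc: valid jws_es256 0
# name: oauth2-proxy
# oauth2_allow_insecure_client_disable_pkce: true
# oauth2_rs_basic_secret: hidden
# oauth2_rs_origin_landing: https://oauth2-proxylab.home.hrajfrisbee.cz/
# oauth2_strict_redirect_uri: true
# spn: oauth2-proxy@idm.home.hrajfrisbee.cz
# uuid: d0dcbad5-90e4-4e36-a51b-653624069009
# secret: <REDACTED-CLIENT-SECRET>

# Allow members of k8s_users to log in through the proxy.
kanidm system oauth2 update-scope-map oauth2-proxy k8s_users openid profile email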
# Long-running service container (run.sh): data lives on the host under
# /srv/docker/kanidm/data and survives container replacement.
# NOTE(review): the commit message says the image is pinned to v1.9.1, but this
# copy still uses the floating ":latest" tag — confirm which one run.sh really uses.
docker run -d \
  --name=kanidmd \
  --restart=always \
  -p 8443:8443 \
  -p 3636:3636 \
  -v /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest
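# One-off certificate generation against the same data directory.
# A throw-away (--rm) container must not carry --restart=always (docker rejects
# the combination), and the bare "-v" that preceded it would have consumed the
# next word as its argument; both are removed. No ports are published: the
# command does not serve anything, and -p 8443:8443 would collide with the
# running kanidmd container.
docker run --rm -it \
  -v /srv/docker/kanidm/data:/data \
  docker.io/kanidm/server:latest \
  kanidmd cert-generate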
Service account for the Gitea runner
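# Create the service account. Positional arguments: account name, display name,
# entry-managed-by group (delegation); --name is the admin account to authenticate
# as. (The earlier annotated form put comments after the line continuations, which
# would break the command if uncommented.)
kanidm service-account create gitea_ci "Gitea CI Deploy" idm_admins --name idm_admin

# Put the runner's account in its own deployers group so access can be scoped to
# it rather than to the broader k8s_users group.
kanidm group create k8s_deployers
kanidm group add-members k8s_deployers gitea_ci

# Scope map on the OAuth2 client. If you already have a k8s OIDC client, just add
# the scope map; otherwise create the client first (see the k8s group section).
kanidm system oauth2 update-scope-map k8s k8s_deployers openid groups

# Generate an API token for the service account. The token is shown once: store
# it in the CI secret store (it is the subject_token used for the token exchange)
# and never commit it to this repository.
kanidm service-account api-token generate --name idm_admin gitea_ci "gitea-ci-token"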