feat(k8s): enhance freeleaps cluster login script and add RBAC bindings

Signed-off-by: 孙振宇 <>
2025-01-13 19:10:06 +08:00 · 2025-01-13 19:10:06 +08:00 · 6574c07350
commit 6574c07350
parent cfa135eff5
5 changed files with 31 additions and 36 deletions
--- a/bin/freeleaps-cluster-login
+++ b/bin/freeleaps-cluster-login
@ -80,7 +80,7 @@ function main() {
     --oidc-client-id ${MATHMAST_AD_CLIENT_ID} \
     --oidc-client-secret ${MATHMAST_AD_CLIENT_SECRET} \
     --oidc-extra-scope="profile,email,offline_access" \
-     --log_file=/dev/null
+     --log_file=/dev/null \

  # Prompt user to input username
  echo "Please enter your username: "
@ -99,11 +99,15 @@ function main() {
    --exec-arg=get-token \
    --exec-arg="--oidc-issuer-url=${MATHMAST_AD_ISSUER}" \
    --exec-arg="--oidc-client-id=${MATHMAST_AD_CLIENT_ID}" \
-    --exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}"
+    --exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}" \
+    --exec-arg="--oidc-extra-scope=offline_access" \
+    --exec-arg="--oidc-extra-scope=profile" \
+    --exec-arg="--oidc-extra-scope=email" \
  
  echo "Set cluster..."
  kubectl config set-cluster freeleaps-cluster \
-    --server=https://${CLUSTER_API_LB_IP}:6443
+    --server=https://${CLUSTER_API_LB_IP}:6443 \
+    --insecure-skip-tls-verify=true
  
  echo "Create context..."
  kubectl config set-context "$username@freeleaps-cluster" \
--- a/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
+++ b/cluster/manifests/freeleaps-controls-system/cert-manager/microsoft-entra-id-selfsigned.yaml
@ -1,22 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: microsoft-entra-id-selfsigned
-  namespace: freeleaps-controls-system
-spec:
-  selfSigned: {}
---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: microsoft-entra-id-selfsigned
-  namespace: freeleaps-controls-system
-spec:
-  dnsNames:
-  - login.microsoftonline.com
-  - 4.155.160.32
-  secretName: microsoft-entra-id-selfsigned
-  issuerRef:
-    name: microsoft-entra-id-selfsigned
-    kind: Issuer
-    group: cert-manager.io
--- a/cluster/manifests/freeleaps-devops-system/namespace.yaml
+++ b/cluster/manifests/freeleaps-devops-system/namespace.yaml
@ -4,14 +4,3 @@ metadata:
  name: freeleaps-devops-system
  labels:
    name: freeleaps-devops-system
-
---
-
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: freeleaps-devops-system
-  namespace: freeleaps-devops-system
-spec:
-  hard:
-    requests.cpu: "4"
--- a/cluster/manifests/rbac/mathmast-admin-cr-binding.yaml
+++ b/cluster/manifests/rbac/mathmast-admin-cr-binding.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mathmast-admin-cr-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: mathmast:admin
--- a/cluster/manifests/rbac/mathmast-regular-cr-binding.yaml
+++ b/cluster/manifests/rbac/mathmast-regular-cr-binding.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: mathmast-regular-cr-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: mathmast:basic-user