From bfc2577e0d21fd0484ec98361f9ab618030331b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=8C=AF=E5=AE=87?= <>
Date: Mon, 13 Jan 2025 16:44:00 +0800
Subject: [PATCH] feat(k8s): add freeleaps cluster login script and update OIDC configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 孙振宇 <>
---
 bin/freeleaps-cluster-login | 119 ++++++++++++++++++
 .../group_vars/k8s_cluster/k8s-cluster.yml | 4 +-
 2 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100755 bin/freeleaps-cluster-login
diff --git a/bin/freeleaps-cluster-login b/bin/freeleaps-cluster-login
new file mode 100755
index 00000000..69c27c1b
--- /dev/null
+++ b/bin/freeleaps-cluster-login
@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+CLUSTER_API_LB_IP="4.155.160.32"
+
+MICROSOFT_ENTRA_TENANT_ID=cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24
+MATHMAST_AD_CLIENT_ID=7cd1df19-24ea-46d7-acd3-5336283139e0
+MATHMAST_AD_CLIENT_SECRET=L9J8Q~kClGP-sXKS3YFgnpDu7ednUdlWGsWfQbTl
+
+MATHMAST_AD_ISSUER="https://login.microsoftonline.com/${MICROSOFT_ENTRA_TENANT_ID}/v2.0"
+OS=${OS:-linux}
+ARCH=${ARCH:-amd64}
+KUBECTL_VERSION=${KUBECTL_VERSION:-v1.30.3}
+KUBELOGIN_VERSION=${KUBELOGIN_VERSION:-v1.29.0}
+
+function check_os() {
+ if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ OS=linux
+ elif [[ "$OSTYPE" == "darwin"* ]]; then
+ OS=darwin
+ else
+ echo "Unsupported OS: $OSTYPE"
+ exit 1
+ fi
+}
+
+function check_arch() {
+ if [[ "$(uname -m)" == "x86_64" ]]; then
+ ARCH=amd64
+ elif [[ "$(uname -m)" == "arm64" ]]; then
+ ARCH=arm64
+ else
+ echo "Unsupported architecture: $(uname -m)"
+ exit 1
+ fi
+}
+
+function ensure_kubectl () {
+ local version=${KUBECTL_VERSION}
+ local os=${OS}
+ local arch=${ARCH}
+ local download_url=https://storage.googleapis.com/kubernetes-release/release/${version}/bin/${os}/${arch}/kubectl
+
+ echo "Downloading kubectl (${arch}-${version}) from ${download_url}"
+ # download to tmp folder
+ curl -L o /tmp/kubectl "${download_url}"
+ chmod +x kubectl
+ sudo mv kubectl /usr/local/bin/kubectl
+}
+
+function ensure_kubelogin () {
+ local os=${OS}
+ local arch=${ARCH}
+ local version=${KUBELOGIN_VERSION}
+ local download_url=https://github.com/int128/kubelogin/releases/download/${version}/kubelogin_${os}_${arch}.zip
+
+ echo "Downloading kubelogin (${arch}-${version}) from ${download_url}"
+ # download to tmp folder
+ curl -L -o /tmp/kubelogin.zip "${download_url}"
+ unzip /tmp/kubelogin.zip -d /tmp
+ chmod +x /tmp/kubelogin
+ sudo mv /tmp/kubelogin /usr/local/bin/kubelogin
+}
+
+function main() {
+ # check if the kubectl not installed
+ if ! 
command -v kubectl &> /dev/null; then
+ ensure_kubectl
+ fi
+
+ # check if the kubelogin not installed
+ if ! command -v kubelogin &> /dev/null; then
+ ensure_kubelogin
+ fi
+
+ # setup with kubelogin
+ kubelogin setup \
+ --oidc-issuer-url ${MATHMAST_AD_ISSUER} \
+ --oidc-client-id ${MATHMAST_AD_CLIENT_ID} \
+ --oidc-client-secret ${MATHMAST_AD_CLIENT_SECRET} \
+ --oidc-extra-scope="profile,email,offline_access" \
+ --log_file=/dev/null
+
+ # Prompt user to input username
+ echo "Please enter your username: "
+ read username
+
+ # Check if username is empty
+ if [ -z "$username" ]; then
+ echo "Username cannot be empty"
+ exit 1
+ fi
+
+ echo "Set credentials for $username..."
+ kubectl config set-credentials "$username" \
+ --exec-api-version=client.authentication.k8s.io/v1beta1 \
+ --exec-command=kubelogin \
+ --exec-arg=get-token \
+ --exec-arg="--oidc-issuer-url=${MATHMAST_AD_ISSUER}" \
+ --exec-arg="--oidc-client-id=${MATHMAST_AD_CLIENT_ID}" \
+ --exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}"
+
+ echo "Set cluster..."
+ kubectl config set-cluster freeleaps-cluster \
+ --server=https://${CLUSTER_API_LB_IP}:6443
+
+ echo "Create context..."
+ kubectl config set-context "$username@freeleaps-cluster" \
+ --cluster=freeleaps-cluster \
+ --user="$username"
+
+ echo "Use context..."
+ kubectl config use-context "$username@freeleaps-cluster"
+
+ echo "Done."
+}
+
+main "$@"
\ No newline at end of file
diff --git a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
index 47c79207..630b6135 100644
--- a/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/cluster/ansible/manifests/group_vars/k8s_cluster/k8s-cluster.yml
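Review bot: The hard-coded `MATHMAST_AD_CLIENT_SECRET` assignment commits a live Entra client secret to the repository, and `main` then writes it into every user's kubeconfig through `--exec-arg="--oidc-client-secret=${MATHMAST_AD_CLIENT_SECRET}"`, where it is also visible in process listings each time kubelogin runs; that value should be rotated and read from the environment with `: "${MATHMAST_AD_CLIENT_SECRET:?must be set in the environment}"`, or the app registered as a public client so that no secret is distributed at all (kubelogin supports PKCE for that). In `ensure_kubectl`, `curl -L o /tmp/kubectl "${download_url}"` is missing the dash on `-o`, so curl treats `o` as a second URL and streams the binary to stdout, after which `chmod +x kubectl` and `sudo mv kubectl` act on the current directory rather than `/tmp`; neither download verifies a published checksum before the binary is installed with sudo. `check_os` and `check_arch` are defined but never called, so `OS`/`ARCH` keep the `linux`/`amd64` defaults on macOS and arm64 hosts. `kubectl config set-cluster` is given only `--server`, with no `--certificate-authority`, so unless the API server certificate chains to a system root the first request will fail verification; the fix is to embed the cluster CA rather than to skip TLS checks. The secret guard and the rewritten `ensure_kubectl` are below.
```shell
# Read the client secret from the environment instead of committing it;
# the value that was in this file should be treated as exposed and rotated.
: "${MATHMAST_AD_CLIENT_SECRET:?must be set in the environment}"
# … unchanged: remaining variables, check_os, check_arch …
function ensure_kubectl () {
  local version=${KUBECTL_VERSION}
  local os=${OS}
  local arch=${ARCH}
  local download_url=https://storage.googleapis.com/kubernetes-release/release/${version}/bin/${os}/${arch}/kubectl

  echo "Downloading kubectl (${arch}-${version}) from ${download_url}"
  curl -fsSL -o /tmp/kubectl "${download_url}"
  curl -fsSL -o /tmp/kubectl.sha256 "${download_url}.sha256"
  # verify the published digest before the binary is installed with sudo
  # (on darwin substitute `shasum -a 256 --check`)
  printf '%s  /tmp/kubectl\n' "$(cat /tmp/kubectl.sha256)" | sha256sum --check --status
  chmod +x /tmp/kubectl
  sudo mv /tmp/kubectl /usr/local/bin/kubectl
}
# … unchanged: ensure_kubelogin, main …
```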
@@ -49,10 +49,10 @@ kube_oidc_auth: true
 kube_oidc_url: https://login.microsoftonline.com/cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24/v2.0
 kube_oidc_client_id: 7cd1df19-24ea-46d7-acd3-5336283139e0
 ## Optional settings for OIDC
-# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.pem"
+kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"
 kube_oidc_username_claim: sub
 kube_oidc_username_prefix: 'mathmast:'
-kube_oidc_groups_claim: groups
+kube_oidc_groups_claim: roles
 kube_oidc_groups_prefix: 'mathmast:'
 
 ## Variables to control webhook authn/authz
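Review bot: `kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.crt"` points the API server's OIDC CA setting at the cluster's own CA, but that setting is the trust anchor used to verify the OIDC issuer's TLS certificate (the `login.microsoftonline.com` issuer configured two lines above), which chains to a public root and not to this cluster CA, so discovery and key fetches from the issuer would very likely fail verification and OIDC logins would be rejected. Leaving the line commented out, as it was, keeps the host root CA set, which is the right choice for a public identity provider; it should be uncommented only to pin a private issuer CA. The `kube_oidc_groups_claim: roles` change means group-based RBAC now binds to Entra app roles rather than group membership, so any existing bindings whose subjects are `mathmast:<group>` need to be checked against the configured app role values, and the claim is only present in tokens once roles are actually assigned. A short comment on that line, e.g. `# 'roles' carries Entra app roles assigned on the app registration; RBAC subjects are 'mathmast:<role>'`, would stop the next reader from reverting it to `groups`.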