maintenance: disable k3s traefik; keycloak portal admin roles

This commit is contained in:
Brad Stein 2026-01-16 07:53:04 -03:00
parent cf5d7dfa00
commit 9474ab97f2
5 changed files with 193 additions and 1 deletions


@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-portal-admin-secret-ensure-1
name: keycloak-portal-admin-secret-ensure-2
namespace: sso
spec:
backoffLimit: 0
@ -123,8 +123,18 @@ spec:
if status != 200 or not isinstance(client_rep, dict):
raise SystemExit(f"Unable to fetch client representation (status={status})")
updated = False
if client_rep.get("serviceAccountsEnabled") is not True:
client_rep["serviceAccountsEnabled"] = True
updated = True
if client_rep.get("publicClient") is not False:
client_rep["publicClient"] = False
updated = True
if client_rep.get("secret") != client_secret:
client_rep["secret"] = client_secret
updated = True
if updated:
status, resp = http_json(
"PUT",
f"{base_url}/admin/realms/{realm}/clients/{client_uuid}",
@ -134,5 +144,60 @@ spec:
if status not in (200, 204):
raise SystemExit(f"Client update failed (status={status}) resp={resp}")
# Ensure the portal admin service account can manage users.
status, svc_user = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/service-account-user",
token,
)
if status != 200 or not isinstance(svc_user, dict) or not svc_user.get("id"):
raise SystemExit(f"Unable to fetch service account user (status={status})")
svc_user_id = svc_user["id"]
status, rm_clients = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/clients?clientId=realm-management",
token,
)
if status != 200 or not isinstance(rm_clients, list) or not rm_clients:
raise SystemExit("Unable to find realm-management client")
rm_uuid = rm_clients[0].get("id")
if not rm_uuid:
raise SystemExit("realm-management client has no id")
wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")
role_reps = []
for role_name in wanted_roles:
status, role = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/clients/{rm_uuid}/roles/{urllib.parse.quote(role_name)}",
token,
)
if status != 200 or not isinstance(role, dict):
raise SystemExit(f"Unable to fetch role {role_name} (status={status})")
role_reps.append({"id": role.get("id"), "name": role.get("name")})
status, assigned = http_json(
"GET",
f"{base_url}/admin/realms/{realm}/users/{svc_user_id}/role-mappings/clients/{rm_uuid}",
token,
)
assigned_names = set()
if status == 200 and isinstance(assigned, list):
for r in assigned:
if isinstance(r, dict) and r.get("name"):
assigned_names.add(r["name"])
missing = [r for r in role_reps if r.get("name") and r["name"] not in assigned_names]
if missing:
status, resp = http_json(
"POST",
f"{base_url}/admin/realms/{realm}/users/{svc_user_id}/role-mappings/clients/{rm_uuid}",
token,
missing,
)
if status not in (200, 204):
raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}")
print(f"OK: ensured secret for {client_id}")
PY
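Review bot: The role list on `wanted_roles = ("query-users", "view-users", "manage-users", "impersonation")` gives the portal's service account two of the most powerful realm-management roles: `manage-users` can reset any realm user's credentials and `impersonation` can mint sessions as any user, so a leak of this client secret (which the same script writes into the client on the `client_rep["secret"] = client_secret` line) becomes full takeover of every account in the realm. If the portal only needs to look users up, trimming the tuple to `("query-users", "view-users")` is the least-privilege fix; if it really needs the other two, a one-line comment stating which portal feature requires each would stop a later reviewer from quietly dropping or widening them. Separately, the GET of the existing mappings is the only call in this script whose failure is not fatal — a non-200 there leaves `assigned_names` empty and the script proceeds to POST, whereas every other request raises `SystemExit`; for consistency change it to `if status != 200 or not isinstance(assigned, list): raise SystemExit(f"Unable to fetch role mappings (status={status})")`. The `print(f"OK: ensured secret for {client_id}")` line also no longer describes everything the job does; `ensured secret and realm-management roles` would. The enclosing script (`http_json`, `base_url`, `token`, `client_id`) starts above this hunk.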


@ -0,0 +1,49 @@
# services/maintenance/disable-k3s-traefik-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: disable-k3s-traefik
namespace: maintenance
spec:
selector:
matchLabels:
app: disable-k3s-traefik
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: disable-k3s-traefik
spec:
serviceAccountName: disable-k3s-traefik
nodeSelector:
node-role.kubernetes.io/control-plane: "true"
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
containers:
- name: disable-k3s-traefik
image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/usr/bin/env", "bash"]
args: ["/scripts/disable_k3s_traefik.sh"]
securityContext:
privileged: true
runAsUser: 0
volumeMounts:
- name: host-root
mountPath: /host
- name: script
mountPath: /scripts
readOnly: true
volumes:
- name: host-root
hostPath:
path: /
- name: script
configMap:
name: disable-k3s-traefik-script
defaultMode: 0555
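Review bot: This DaemonSet leaves a permanently running container that is `privileged: true`, `runAsUser: 0` and has the host's `/` mounted at `/host` on every control-plane node, so anyone who can `exec` into a pod in the `maintenance` namespace gets root on the control plane for as long as the workload exists, not just for the duration of the maintenance. Since the script it runs (mounted from `disable-k3s-traefik-script`) only needs to touch `/etc/systemd/system` and `/var/lib/rancher/k3s/server/manifests` and then run `systemctl`, consider either removing this manifest from the kustomization once the change has rolled out or, if it must stay, adding `automountServiceAccountToken: false` under the pod `spec` (the `disable-k3s-traefik` ServiceAccount has no bindings in this commit, but the mounted token would still be handed to anyone in the container) and a comment above `privileged: true` recording that the `chroot`+`systemctl restart` in the script is why host root and privilege are needed. The image pinned by digest is good; keep it that way.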


@ -0,0 +1,6 @@
# services/maintenance/disable-k3s-traefik-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: disable-k3s-traefik
namespace: maintenance


@ -3,8 +3,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- disable-k3s-traefik-serviceaccount.yaml
- node-nofile-serviceaccount.yaml
- pod-cleaner-rbac.yaml
- disable-k3s-traefik-daemonset.yaml
- node-nofile-daemonset.yaml
- pod-cleaner-cronjob.yaml
- node-image-sweeper-serviceaccount.yaml
@ -12,6 +14,12 @@ resources:
- image-sweeper-cronjob.yaml
configMapGenerator:
- name: disable-k3s-traefik-script
namespace: maintenance
files:
- disable_k3s_traefik.sh=scripts/disable_k3s_traefik.sh
options:
disableNameSuffixHash: true
- name: node-nofile-script
namespace: maintenance
files:
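Review bot: `disableNameSuffixHash: true` on the new `disable-k3s-traefik-script` ConfigMap means a later edit to `scripts/disable_k3s_traefik.sh` will not change the DaemonSet's pod template, and because those pods end in `sleep infinity` they will keep running the old script until someone restarts them by hand. Either drop the option so Kustomize hashes the name and rolls the DaemonSet on content change, or add a comment next to it such as `# name is stable on purpose; run 'kubectl -n maintenance rollout restart daemonset/disable-k3s-traefik' after editing the script`. This mirrors how the existing `node-nofile-script` entry is configured, so the same caveat presumably applies there.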


@ -0,0 +1,64 @@
#!/usr/bin/env bash
set -euo pipefail
host_root="/host"
env_file="${host_root}/etc/systemd/system/k3s.service.env"
manifest_dir="${host_root}/var/lib/rancher/k3s/server/manifests"
changed=0
ensure_disable_flag() {
mkdir -p "$(dirname "${env_file}")"
if [ ! -f "${env_file}" ]; then
printf 'K3S_DISABLE=traefik\n' > "${env_file}"
changed=1
return
fi
if grep -q '^K3S_DISABLE=' "${env_file}"; then
current="$(grep '^K3S_DISABLE=' "${env_file}" | tail -n1 | cut -d= -f2-)"
current="$(printf '%s' "${current}" | sed 's/^\"//;s/\"$//' | tr -d ' ')"
if ! printf '%s' "${current}" | grep -qw "traefik"; then
if [ -z "${current}" ]; then
updated="traefik"
else
updated="${current},traefik"
fi
sed -i "s/^K3S_DISABLE=.*/K3S_DISABLE=${updated}/" "${env_file}"
changed=1
fi
else
printf '\nK3S_DISABLE=traefik\n' >> "${env_file}"
changed=1
fi
}
remove_manifest() {
if [ -d "${manifest_dir}" ] && ls "${manifest_dir}"/traefik* >/dev/null 2>&1; then
rm -f "${manifest_dir}"/traefik*.yaml "${manifest_dir}"/traefik*.yml
changed=1
fi
}
restart_k3s() {
node_name="$(cat "${host_root}/etc/hostname" 2>/dev/null || hostname)"
delay=0
case "${node_name}" in
*0b) delay=60 ;;
*0c) delay=120 ;;
esac
if [ "${delay}" -gt 0 ]; then
sleep "${delay}"
fi
chroot "${host_root}" /bin/systemctl daemon-reload || true
chroot "${host_root}" /bin/systemctl restart k3s
}
ensure_disable_flag
remove_manifest
if [ "${changed}" -eq 1 ]; then
restart_k3s
fi
sleep infinity
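Review bot: `remove_manifest` sets `changed=1` whenever anything matching `traefik*` exists in the manifest directory, but it only deletes `traefik*.yaml` and `traefik*.yml`, so any other file with that prefix (for example a `traefik.yaml.skip` marker, if one is present) makes every pod start end in `systemctl restart k3s` on that control-plane node, and this pod will be restarted on reboots and upgrades. Tighten the test to the files actually removed: `if ls "${manifest_dir}"/traefik*.yaml "${manifest_dir}"/traefik*.yml >/dev/null 2>&1; then`. The hostname-based stagger in `restart_k3s` only delays nodes ending in `0b` or `0c`; any other control-plane node restarts immediately, which is fine if that is the whole cluster but worth a comment stating the expected node names. The `sed -i` on the `K3S_DISABLE=` line substitutes `${updated}` unescaped; the value comes from the root-owned env file so it is not attacker-controlled, but a `/` or `&` in an existing value would corrupt the line.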