From c07901df249cc1d7cb2010cca132abadfd2dde63 Mon Sep 17 00:00:00 2001
From: Bharat Middha <5100938+bmiddha@users.noreply.github.com>
Date: Sat, 6 Jul 2024 13:10:07 -0700
Subject: [PATCH 1/2] Create openid-configuration-serve.yml

---
 .../openid-configuration-serve.yml            | 152 ++++++++++++++++++
 1 file changed, 152 insertions(+)
 create mode 100644 kubernetes/argocd/stacks/workload-identity/openid-configuration-serve.yml

diff --git a/kubernetes/argocd/stacks/workload-identity/openid-configuration-serve.yml b/kubernetes/argocd/stacks/workload-identity/openid-configuration-serve.yml
new file mode 100644
index 0000000..648f120
--- /dev/null
+++ b/kubernetes/argocd/stacks/workload-identity/openid-configuration-serve.yml
@@ -0,0 +1,152 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: workload-identity-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-conf
+  namespace: workload-identity-system
+data:
+  nginx.conf: |
+    server {
+        listen       80;
+        listen  [::]:80;
+        server_name  localhost;
+        default_type appliction/json;
+    
+        location / {
+            root   /usr/share/nginx/html;
+        }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: workload-identity-system
+  name: nginx-deployment
+  labels:
+    app.kubernetes.io/name: k8s-oidc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: k8s-oidc
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: k8s-oidc
+    spec:
+      tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Exists"
+          effect: "NoSchedule"
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: serve-volume
+          mountPath: /usr/share/nginx/html
+          readOnly: true
+        - name: nginx-conf
+          mountPath: /etc/nginx/conf.d/default.conf
+          subPath: nginx.conf
+          readOnly: true
+        readinessProbe:
+          httpGet:
+            path: /.well-known/openid-configuration
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: /.well-known/openid-configuration
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+      initContainers:
+      - name: init-azwi
+        image: bitnami/kubectl
+        command: ["/bin/sh", "-c"]
+        args: 
+        - |
+          mkdir -p /serve/openid/v1 /serve/.well-known
+          kubectl get --raw '/.well-known/openid-configuration' | jq > /serve/.well-known/openid-configuration
+          kubectl get --raw '/openid/v1/jwks' | jq > /serve/openid/v1/jwks
+        volumeMounts:
+        - name: serve-volume
+          mountPath: /serve
+      volumes:
+      - name: serve-volume
+        emptyDir: {}
+      - name: nginx-conf
+        configMap:
+          name: nginx-conf
+          items:
+            - key: nginx.conf
+              path: nginx.conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8s-oidc
+  namespace: workload-identity-system
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: k8s-oidc
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: k8s-oidc
+  namespace: workload-identity-system
+  annotations:
+    external-dns.alpha.kubernetes.io/target: app.acmuic.org
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`k8s-oidc.acmuic.org`)
+      services:
+        - kind: Service
+          name: k8s-oidc
+          namespace: workload-identity-system
+          passHostHeader: true
+          port: 80
+          responseForwarding:
+            flushInterval: 1ms
+          scheme: http
+          strategy: RoundRobin
+          weight: 10
+  tls:
+    secretName: k8s-oidc-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: k8s-oidc-tls
+  namespace: workload-identity-system
+spec:
+  dnsNames:
+    - k8s-oidc.acmuic.org
+  secretName: k8s-oidc-tls
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+---

From f0ef411d874c3b456cd12c2475c9141c03b785bf Mon Sep 17 00:00:00 2001
From: Bharat Middha <5100938+bmiddha@users.noreply.github.com>
Date: Sat, 6 Jul 2024 14:25:55 -0700
Subject: [PATCH 2/2] Create k8s-oidc.yml

---
 kubernetes/argocd/stacks/common/k8s-oidc.yml | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 kubernetes/argocd/stacks/common/k8s-oidc.yml

diff --git a/kubernetes/argocd/stacks/common/k8s-oidc.yml b/kubernetes/argocd/stacks/common/k8s-oidc.yml
new file mode 100644
index 0000000..6eabe69
--- /dev/null
+++ b/kubernetes/argocd/stacks/common/k8s-oidc.yml
@@ -0,0 +1,24 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: workload-identity
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: plausible
+    server: "https://kubernetes.default.svc"
+  sources:
+    - path: kubernetes/argocd/stacks/workload-identity
+      repoURL: "git@github.com:acm-uic/IaC.git"
+      targetRevision: HEAD
+      ref: values
+      directory:
+        recurse: true
+        include: "*.yml"
+  project: infrastructure
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true