WIP: Add Authentik Terraform Code #16
Open: hh wants to merge 107 commits into ii:main from sharingio:authentik
make new cluster for cloudnative.coop
use clusters/cluster
use sharingio
try and make it wait
remove state
makes it progress further
use different secret
depend on metal device and bgp session
don't require coder-override to exist
use value from secret for domain
add and shuffle
move from main to locals
to ensure verification works correctly
use pdns
add rolling annotation for config on config changes Co-Authored-By: Caleb Woodbine <[email protected]>
adds the operator for KubeVirt
remove local ref for remote url
to allow for dependants
adds a KubeVirt instance using KubeVirt Operator
adds to kustomization in infra
set separately, since some machine plans don't have sda
in order to make it be available for the github webhook
to sync the resources without resource not found errors
By default Talos enables DNS search if the Talos hostname is a Fully Qualified Domain Name (FQDN). In our case, we set our Talos node names to ADVERB-ANIMAL.sharing.io

This filters through to the /etc/resolv.conf on the node:

    talosctl read /etc/resolv.conf
    nameserver 147.75.207.207
    nameserver 147.75.207.208
    search sharing.io

Due to this, Kubernetes schedules pods that have the following:

    pod$ cat /etc/resolv.conf
    search kube-system.svc.cluster.local svc.cluster.local cluster.local sharing.io
    nameserver 10.96.0.10
    options ndots:5

This means that a search is performed for every name, including simple ones like github.com

    pod$ host github.com
    github.aaakk.us.kg.sharing.io has address 139.178.88.70

Notice the appended .sharing.io? This commit removes the search line from Talos nodes' /etc/resolv.conf, and this trickles down to Kubernetes.
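The lookup order described in the commit message above, as an added example that is not part of the pull request: it parses the pod's resolv.conf and lists the names a glibc-style stub resolver tries for `github.com`, then flags search domains inherited from the node. The function names are hypothetical, and the `dns` predicate (a wildcard answering under sharing.io) is a constructed stand-in for real DNS.

```python
# Added example: models glibc-style search-list expansion as documented in resolv.conf(5).
POD_RESOLV_CONF = """\
search kube-system.svc.cluster.local svc.cluster.local cluster.local sharing.io
nameserver 10.96.0.10
options ndots:5
"""  # pod resolv.conf as quoted in the commit message

def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf text; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "search":
            search = fields[1:]          # a later search line replaces earlier ones
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidate_queries(name, search, ndots):
    """Names the stub resolver tries, in order, for `name`."""
    if name.endswith("."):               # trailing dot: absolute, search list skipped
        return [name]
    expanded = [f"{name}.{d}." for d in search]
    as_is = [name + "."]
    # Fewer dots than ndots: search list first, literal name last.
    return expanded + as_is if name.count(".") < ndots else as_is + expanded

def leaked_suffixes(search, cluster_domain="cluster.local"):
    """Search domains outside the cluster domain, i.e. inherited from the node."""
    return [d for d in search
            if d != cluster_domain and not d.endswith("." + cluster_domain)]

def first_answer(name, search, ndots, resolvable):
    """First candidate that `resolvable` (a predicate standing in for DNS) accepts."""
    return next((q for q in candidate_queries(name, search, ndots) if resolvable(q)), None)

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(POD_RESOLV_CONF)
    # Constructed stand-in for DNS: a wildcard under sharing.io plus the real name.
    dns = lambda q: q.endswith(".sharing.io.") or q == "github.com."
    print(candidate_queries("github.com", search, ndots))
    print("answered by:", first_answer("github.com", search, ndots, dns))
    print("leaked from node:", leaked_suffixes(search))
```

Running `leaked_suffixes` against each pod's resolv.conf gives a quick check that the node-level search domain is gone after the change; a trailing dot on the name (`github.com.`) bypasses the search list entirely.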
Previously we hardcoded the version, now we drive it from config.tfvars through to the authentik-kustomization configmap deployed in the manifests.
Too many v's: Failed to pull image "ghcr.io/coder/coder:vv2.10.2"
Mainly so we can review the config with Authentik
The way we create and save users manually is different than the way we create them via github. I didn't realize this. This commit adds all the fields necessary to click on "Sign Up"
Most of the configuration for cilium is within the helm chart.
Looking at ways to run more isolated workloads. https://github.com/siderolabs/extensions/tree/main/container-runtime/gvisor#usage WARNING! This disables KSPP best practices setting: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls
Lots of docs here: https://registry.terraform.io/providers/goauthentik/authentik/latest/docs/resources/flow
We have a working instance over at https://sso.cloudnative.coop
Just needing to automate the creation of the config from cloudnative.coop as terraform to apply to sharing.io