Configure OIDC, make idempotent, fix bugs. Claude.ai

2026-02-25 13:20:12 -05:00
parent 995b7c4070
commit d981b69669
23 changed files with 2269 additions and 760 deletions


@@ -0,0 +1,52 @@
---
# Delete the kubeadmin user after OIDC is configured and admin groups
# have cluster-admin. This is a security best practice.
#
# Safety checks:
# 1. Verify at least one group in oidc_admin_groups is configured
# 2. Verify ClusterRoleBindings exist for those groups
# 3. Verify the OAuth deployment is ready (OIDC login is available)
# 4. Only then delete the kubeadmin secret
- name: Fail if no admin groups are configured
ansible.builtin.fail:
msg: >-
Cannot delete kubeadmin: oidc_admin_groups is empty.
At least one OIDC group must have cluster-admin before kubeadmin can be removed.
when: oidc_admin_groups | length == 0
- name: Verify OIDC admin ClusterRoleBindings exist
kubernetes.core.k8s_info:
api_version: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
loop: "{{ oidc_admin_groups }}"
register: __sno_deploy_admin_crbs
failed_when: __sno_deploy_admin_crbs.resources | length == 0
- name: Verify OAuth deployment is ready
kubernetes.core.k8s_info:
api_version: apps/v1
kind: Deployment
namespace: openshift-authentication
name: oauth-openshift
register: __sno_deploy_oauth_status
failed_when: >-
__sno_deploy_oauth_status.resources | length == 0 or
(__sno_deploy_oauth_status.resources[0].status.readyReplicas | default(0)) < 1
- name: Delete kubeadmin secret
kubernetes.core.k8s:
api_version: v1
kind: Secret
namespace: kube-system
name: kubeadmin
state: absent
register: __sno_deploy_kubeadmin_deleted
- name: Display kubeadmin deletion result
ansible.builtin.debug:
msg: >-
{{ 'kubeadmin user deleted successfully. Login is now only available via OIDC.'
if __sno_deploy_kubeadmin_deleted.changed
else 'kubeadmin was already deleted.' }}
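Review bot: The readiness gate in "Verify OAuth deployment is ready" can pass before the rollout that applies the new identity provider has completed, because `readyReplicas >= 1` is still satisfied by the pre-change oauth-openshift pod while the operator is rolling out the new one; since deleting kubeadmin is effectively irreversible, gate on the rollout having been observed (`status.observedGeneration == metadata.generation` and `updatedReplicas >= spec.replicas`), or, better, on the `authentication` ClusterOperator being Available and not Progressing, with `retries`/`until` rather than a single-shot failure. The ClusterRoleBinding check only proves a binding with the expected name exists, not that it grants `cluster-admin` to that group, so also assert `roleRef.name == 'cluster-admin'` and that `item` appears among the `Group` subjects. The `regex_replace('[^a-zA-Z0-9-]', '-')` naming presumably can map two distinct group names to the same binding name, which would let one binding satisfy the check for both; worth confirming against the task that creates these bindings. The header comment's claim that "OIDC login is available" is stronger than what is verified here — nothing checks that the OAuth CR actually carries an identityProvider.
```yaml
- name: Verify OIDC admin ClusterRoleBindings exist
  # … unchanged: k8s_info lookup, loop, register …
  failed_when: >-
    __sno_deploy_admin_crbs.resources | length == 0 or
    __sno_deploy_admin_crbs.resources[0].roleRef.name != 'cluster-admin' or
    item not in (__sno_deploy_admin_crbs.resources[0].subjects | default([])
                 | selectattr('kind', 'equalto', 'Group') | map(attribute='name') | list)

- name: Verify OAuth deployment is ready
  # … unchanged: k8s_info lookup, register …
  retries: 30
  delay: 10
  until: >-
    __sno_deploy_oauth_status.resources | length > 0 and
    (__sno_deploy_oauth_status.resources[0].status.observedGeneration | default(0))
      == __sno_deploy_oauth_status.resources[0].metadata.generation and
    (__sno_deploy_oauth_status.resources[0].status.updatedReplicas | default(0))
      >= (__sno_deploy_oauth_status.resources[0].spec.replicas | default(1)) and
    (__sno_deploy_oauth_status.resources[0].status.readyReplicas | default(0)) >= 1
```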