From a1ced0a0a803e8f2e6ca5c1b674504503a24fee1 Mon Sep 17 00:00:00 2001 From: Masaki Yatsu Date: Fri, 15 Aug 2025 15:29:07 +0900 Subject: [PATCH] fix(k8s): fix enabling OIDC auth --- debug/debug-pod.yaml | 43 +++++++++++++++++++++++++++--------- debug/debug-svc.yaml | 13 +++++++++++ k8s/justfile | 37 ++++++++++++++++++++----------- k8s/k3s/config.gomplate.yaml | 6 +++++ 4 files changed, 75 insertions(+), 24 deletions(-) create mode 100644 debug/debug-svc.yaml create mode 100644 k8s/k3s/config.gomplate.yaml diff --git a/debug/debug-pod.yaml b/debug/debug-pod.yaml index 845d6e1..e15d148 100644 --- a/debug/debug-pod.yaml +++ b/debug/debug-pod.yaml @@ -3,16 +3,37 @@ kind: Pod metadata: name: debug-pod namespace: default + labels: + app: debug spec: containers: - - name: debug - image: busybox:latest - command: ["sleep", "3600"] - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - cpu: 100m - memory: 64Mi - restartPolicy: Never \ No newline at end of file + - name: web + image: busybox:latest + command: + - sh + - -c + - | + echo "

Debug Pod Web Server

Hostname: $(hostname)

Time: $(date)

" > /tmp/index.html + httpd -f -p 8080 -h /tmp + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 64Mi + # Shell container for exec testing + - name: debug + image: busybox:latest + command: ["sleep", "3600"] + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 64Mi + restartPolicy: Never diff --git a/debug/debug-svc.yaml b/debug/debug-svc.yaml new file mode 100644 index 0000000..4dafce1 --- /dev/null +++ b/debug/debug-svc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: debug-service + namespace: default +spec: + selector: + app: debug + ports: + - port: 8080 + targetPort: 8080 + name: http + type: ClusterIP diff --git a/k8s/justfile b/k8s/justfile index 14ad4f7..e55acea 100644 --- a/k8s/justfile +++ b/k8s/justfile @@ -3,7 +3,8 @@ set fallback := true export LOCAL_K8S_HOST := env("LOCAL_K8S_HOST", "") export EXTERNAL_K8S_HOST := env("EXTERNAL_K8S_HOST", "") export KEYCLOAK_HOST := env("KEYCLOAK_HOST", "") -export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "k8shl") +export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack") +export K8S_OIDC_CLIENT_ID := env('K8S_OIDC_CLIENT_ID', "k8s") [private] default: 
@@ -49,15 +50,33 @@ uninstall: set -euo pipefail if gum confirm "Uninstall k3s from ${LOCAL_K8S_HOST}?"; then ssh "${LOCAL_K8S_HOST}" "/usr/local/bin/k3s-uninstall.sh" + echo "Cleaning up kubeconfig entries..." + cluster_name=$(kubectl config view -o json | jq -r ".contexts[] | select(.name == \"${LOCAL_K8S_HOST}\") | .context.cluster // empty") + user_name=$(kubectl config view -o json | jq -r ".contexts[] | select(.name == \"${LOCAL_K8S_HOST}\") | .context.user // empty") + if kubectl config get-contexts "${LOCAL_K8S_HOST}" &>/dev/null; then + kubectl config delete-context "${LOCAL_K8S_HOST}" + echo "Deleted context: ${LOCAL_K8S_HOST}" + fi + if [ -n "${cluster_name}" ] && kubectl config get-clusters | grep -q "^${cluster_name}$"; then + kubectl config delete-cluster "${cluster_name}" + echo "Deleted cluster: ${cluster_name}" + fi + if [ -n "${user_name}" ] && kubectl config get-users | grep -q "^${user_name}$"; then + kubectl config delete-user "${user_name}" + echo "Deleted user: ${user_name}" + fi + echo "k3s cluster uninstalled from ${LOCAL_K8S_HOST}." else echo "Uninstallation cancelled." >&2 exit 1 fi -# Setup k8s OIDC authentication (proxy-url example: socks5://localhost:6443) -setup-oidc proxy-url='': - #!/bin/bash - set -euo pipefail +# Enable k8s OIDC authentication +enable-oidc: + just env::check + gomplate -f ./k3s/config.gomplate.yaml | \ + ssh ${LOCAL_K8S_HOST} "sudo tee /etc/rancher/k3s/config.yaml > /dev/null" + ssh ${LOCAL_K8S_HOST} "sudo systemctl restart k3s" kubectl config set-credentials ${LOCAL_K8S_HOST}-oidc \ --exec-api-version=client.authentication.k8s.io/v1beta1 \ --exec-command=kubectl \ 
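Review bot: `enable-oidc` pipes the rendered template into `sudo tee /etc/rancher/k3s/config.yaml`, which replaces the whole file, so any options already present on the host are silently dropped before `systemctl restart k3s`; and because the recipe lost its `#!/bin/bash` / `set -euo pipefail` header, each line now runs in its own `sh -c`, the pipeline's status is ssh's alone, and a failing `gomplate` still installs an empty config and restarts the server. Writing to a drop-in under `/etc/rancher/k3s/config.yaml.d/` (k3s merges `config.yaml.d/*.yaml` into its config; constructed example name `oidc.yaml`) preserves existing settings, and restoring the shebang with `set -euo pipefail` makes a template failure abort before the restart. In the uninstall cleanup, `grep -q "^${cluster_name}$"` treats the name as a regex, so `grep -qxF -- "${cluster_name}"` (and likewise for `user_name`) is the exact-line match the code intends. The `uninstall` recipe starts before this hunk and `enable-oidc` continues past it.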
@@ -65,16 +84,8 @@ setup-oidc proxy-url='': --exec-arg=get-token \ --exec-arg=--oidc-issuer-url=https://${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM} \ --exec-arg=--oidc-client-id=${K8S_OIDC_CLIENT_ID} - ssh ${LOCAL_K8S_HOST} \ - 'openssl s_client -connect 127.0.0.1:6443 -showcerts /dev/null | - openssl x509 -outform PEM' > ${HOME}/.kube/${LOCAL_K8S_HOST}.crt kubectl config set-cluster ${LOCAL_K8S_HOST}-oidc \ - --certificate-authority=${HOME}/.kube/${LOCAL_K8S_HOST}.crt \ --server=https://${EXTERNAL_K8S_HOST} - if [ -n "{{ proxy-url }}" ]; then - kubectl config set-cluster ${LOCAL_K8S_HOST}-oidc --proxy-url={{ proxy-url }} \ - --server=https://${EXTERNAL_K8S_HOST} - fi kubectl config set-context ${LOCAL_K8S_HOST}-oidc \ --cluster=${LOCAL_K8S_HOST}-oidc --user=${LOCAL_K8S_HOST}-oidc kubectl config use-context ${LOCAL_K8S_HOST}-oidc diff --git a/k8s/k3s/config.gomplate.yaml b/k8s/k3s/config.gomplate.yaml new file mode 100644 index 0000000..ac53b7a --- /dev/null +++ b/k8s/k3s/config.gomplate.yaml @@ -0,0 +1,6 @@ +kube-apiserver-arg: + - "oidc-issuer-url=https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}" + - "oidc-client-id=k8s" + - "oidc-username-claim=preferred_username" + - "oidc-groups-claim=groups" + - "oidc-groups-prefix=oidc:"
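Review bot: With `--certificate-authority` removed, the `${LOCAL_K8S_HOST}-oidc` cluster entry now verifies `https://${EXTERNAL_K8S_HOST}` against the client's system trust store alone, and nothing in the recipe records that this is the assumption. That is fine if the external endpoint presents a publicly trusted certificate (presumably the motivation), but if it still serves the k3s-generated certificate `kubectl` will fail TLS verification with no fallback. A one-line comment above `kubectl config set-cluster`, e.g. `# EXTERNAL_K8S_HOST must present a certificate trusted by the local system store (no k3s CA is pinned here)`, makes the requirement visible; if the k3s CA is meant to be trusted instead, pass the cluster CA certificate rather than a fetched leaf. The `enable-oidc` recipe begins in the previous hunk.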
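Review bot: `oidc-username-claim=preferred_username` is set without `oidc-username-prefix`, and kube-apiserver defaults that prefix to `<issuer-url>#` whenever the username claim is anything other than `email`, so RBAC subjects must be written as `https://<KEYCLOAK_HOST>/realms/<KEYCLOAK_REALM>#<username>` while groups arrive as `oidc:<group>`. Adding `- "oidc-username-prefix=oidc:"` makes user and group names consistent and keeps bindings readable; `oidc-username-prefix=-` would disable prefixing but then an OIDC username can collide with identities from other authenticators, so the explicit prefix is the safer choice. The template also merits a top-of-file comment naming the env vars it expects (`KEYCLOAK_HOST`, `KEYCLOAK_REALM`) since `gomplate` is the only thing that reads them.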