From 80ae5593b2a83a48c05416a07b0d0706c657c324 Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 10 Mar 2026 18:37:59 +0800
Subject: [PATCH] Update k8s manifests
---
 k8s/apps/vaultwarden/helmrelease.yaml | 1 +
 k8s/infrastructure/kustomization.yaml | 1 +
 .../observability/kube-prometheus-stack.yaml | 2 ++
 k8s/infrastructure/oidc-rbac.yaml | 12 ++++++++++++
 4 files changed, 16 insertions(+)
 create mode 100644 k8s/infrastructure/oidc-rbac.yaml
diff --git a/k8s/apps/vaultwarden/helmrelease.yaml b/k8s/apps/vaultwarden/helmrelease.yaml
index 2769c83..d9def42 100644
--- a/k8s/apps/vaultwarden/helmrelease.yaml
+++ b/k8s/apps/vaultwarden/helmrelease.yaml
@@ -27,6 +27,7 @@ spec:
 clientSecret:
 existingSecretKey: SSO_CLIENT_SECRET
 signupsMatchEmail: true
+ onlySSO: true
 ingress:
 enabled: true
 class: traefik
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index a26595f..cf048b2 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - observability
 - openldap/helmrelease.yaml
 - keycloak/helmrelease.yaml
+ - oidc-rbac.yaml
diff --git a/k8s/infrastructure/observability/kube-prometheus-stack.yaml b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
index a467ca1..4f11a70 100644
--- a/k8s/infrastructure/observability/kube-prometheus-stack.yaml
+++ b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
@@ -48,6 +48,8 @@ spec:
 grafana.ini:
 server:
 root_url: https://grafana.n0ball.tw
+ auth:
+ disable_login_form: true
 auth.generic_oauth:
 enabled: true
 name: Keycloak
diff --git a/k8s/infrastructure/oidc-rbac.yaml b/k8s/infrastructure/oidc-rbac.yaml
new file mode 100644
index 0000000..49ae793
--- /dev/null
+++ b/k8s/infrastructure/oidc-rbac.yaml
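Review bot: In k8s/apps/vaultwarden/helmrelease.yaml, `onlySSO: true` makes Keycloak a hard dependency for reaching the password vault, and nothing next to the new line records that or how access is recovered when the IdP is unavailable. The kustomization touched by this same patch lists keycloak/helmrelease.yaml, so the IdP appears to run in the same cluster; if its own admin credentials are kept in Vaultwarden, an outage becomes circular. With `signupsMatchEmail: true` on the line above, account linking also trusts the email claim, so the realm should only emit verified addresses. I would add a comment above the new line such as `# SSO-only: password login disabled; Keycloak must be up to reach the vault (break-glass: <where documented>)`. The enclosing `spec:` mapping starts and ends outside the hunk.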
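Review bot: In k8s/infrastructure/observability/kube-prometheus-stack.yaml, `disable_login_form: true` only takes the username/password form out of the Grafana UI; HTTP basic auth for the API is governed separately by `auth.basic` and is enabled by default, so the built-in admin account can still authenticate with its password. The admin password setting is not visible in this hunk, so confirm it is sourced from a secret rather than left at the chart default. If nothing needs basic auth, add an `auth.basic:` section with `enabled: false` next to the new `auth:` block; the chart's dashboard sidecar may use the admin credentials for its reload call, so check that first. The `grafana.ini` mapping starts and ends outside the hunk.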
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-admin-n0ball
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: n0ball
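Review bot: The binding in k8s/infrastructure/oidc-rbac.yaml grants `cluster-admin` to the bare user name `n0ball`, and whether that string can only ever denote one identity depends on API-server settings that are not part of this patch. If `--oidc-username-prefix` is set to `-` and `--oidc-username-claim` points at a mutable claim such as `preferred_username`, the subject is whatever the IdP places in the token, and an unprefixed name can also coincide with a user from another authenticator. With the default prefix for a non-email claim, the user name would carry the issuer URL and this binding would match nobody. I would bind to a prefixed group instead, e.g. `kind: Group` with `name: oidc:cluster-admins` (constructed example; needs `--oidc-groups-claim` and `--oidc-groups-prefix`). Failing that, add a comment such as `# name must equal the <claim> value with prefix <prefix> as configured on the API server`.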