From 59fb6fe9dae8b310e49b090149ef06d9480b1e51 Mon Sep 17 00:00:00 2001
From: Simon Cornet <simon@simoncor.net>
Date: Wed, 17 Sep 2025 08:12:50 +0200
Subject: [PATCH] feat: splitted lb and ingress and added service_account

---
 docs/talos-linux/{basics.md => ingress.md} | 52 +------------
 docs/talos-linux/lb.md                     | 50 +++++++++++++
 docs/talos-linux/service_account.md        | 86 ++++++++++++++++++++++
 3 files changed, 138 insertions(+), 50 deletions(-)
 rename docs/talos-linux/{basics.md => ingress.md} (52%)
 create mode 100644 docs/talos-linux/lb.md
 create mode 100644 docs/talos-linux/service_account.md

diff --git a/docs/talos-linux/basics.md b/docs/talos-linux/ingress.md
similarity index 52%
rename from docs/talos-linux/basics.md
rename to docs/talos-linux/ingress.md
index 39112f7..4016ed3 100644
--- a/docs/talos-linux/basics.md
+++ b/docs/talos-linux/ingress.md
@@ -1,54 +1,6 @@
-# Basics
+# Ingress Controller
 
-Lets install a basic loadbalancer (MetalLB) and ingress controller (NGINX or Traefik) on a basic Talos Linux cluster
-using 3 dedicated (to be labelled) worker nodes.
-
-## MetalLB
-
-```shell
-# add repo and install
-helm repo add metallb https://metallb.github.io/metallb
-helm repo update
-helm install metallb metallb/metallb -n metallb-system --create-namespace --wait
-
-# fix pod security for speaker pods
-kubectl label namespace metallb-system pod-security.kubernetes.io/enforce=privileged
-kubectl label namespace metallb-system pod-security.kubernetes.io/audit=privileged
-kubectl label namespace metallb-system pod-security.kubernetes.io/warn=privileged
-
-# restart speaker daemonset
-kubectl rollout restart daemonset/metallb-speaker -n metallb-system
-```
-
-```shell
-# configure metallb
-cat <<EOF | kubectl apply -f -
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: ingress-pool
-  namespace: metallb-system
-spec:
-  addresses:
-  - 10.8.15.175/32
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: ingress-pool
-  namespace: metallb-system
-spec:
-  ipAddressPools:
-  - ingress-pool
-EOF
-```
-
-### Uninstall MetalLB
-
-```shell
-helm uninstall metallb -n metallb-system
-```
+Lets install an ingress controller (NGINX or Traefik) on a basic Talos Linux cluster.
 
 ## NGINX (option 1)
 
diff --git a/docs/talos-linux/lb.md b/docs/talos-linux/lb.md
new file mode 100644
index 0000000..b13d7da
--- /dev/null
+++ b/docs/talos-linux/lb.md
@@ -0,0 +1,50 @@
+# Loadbalancer
+
+Lets install a loadbalancer (MetalLB) on a Talos Linux cluster.
+
+## MetalLB
+
+```shell
+# add repo and install
+helm repo add metallb https://metallb.github.io/metallb
+helm repo update
+helm install metallb metallb/metallb -n metallb-system --create-namespace --wait
+
+# fix pod security for speaker pods
+kubectl label namespace metallb-system pod-security.kubernetes.io/enforce=privileged
+kubectl label namespace metallb-system pod-security.kubernetes.io/audit=privileged
+kubectl label namespace metallb-system pod-security.kubernetes.io/warn=privileged
+
+# restart speaker daemonset
+kubectl rollout restart daemonset/metallb-speaker -n metallb-system
+```
+
+```shell
+# configure metallb
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: ingress-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 10.8.15.175/32
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: ingress-pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - ingress-pool
+EOF
+```
+
+### Uninstall MetalLB
+
+```shell
+helm uninstall metallb -n metallb-system
+```
diff --git a/docs/talos-linux/service_account.md b/docs/talos-linux/service_account.md
new file mode 100644
index 0000000..471277b
--- /dev/null
+++ b/docs/talos-linux/service_account.md
@@ -0,0 +1,86 @@
+# Service Account
+
+Lets create a service account for cicd activities in a new namespace.
+
+## Namespace
+
+```yaml
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: "v1"
+kind: "Namespace"
+metadata:
+  name: "my-namespace"
+EOF
+```
+
+## Service Account 
+
+```yaml
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+  name: "buzz"
+  namespace: "my-namespace"
+EOF
+```
+
+## Role
+
+```yaml
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "Role"
+metadata:
+  namespace: "my-namespace"
+  name: "buzz-role"
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["services", "configmaps", "secrets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+EOF
+```
+
+## RoleBinding
+
+```yaml
+cat <<EOF | kubectl apply -f -
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "RoleBinding"
+metadata:
+  name: "buzz-binding"
+  namespace: "my-namespace"
+subjects:
+- kind: "ServiceAccount"
+  name: "buzz"
+  namespace: "my-namespace"
+roleRef:
+  kind: "Role"
+  name: "buzz-role"
+  apiGroup: "rbac.authorization.k8s.io"
+EOF
+```
+
+## Token and KubeConfig (OmnI)
+
+Get the token for the user.
+
+```shell
+kubectl create token buzz -n my-namespace
+```
+
+When using OmnI you can get the service account details (kubeconf) using the following command;
+
+```shell
+omnictl kubeconfig --service-account -c <cluster-name> --user buzz /tmp/buzz-kubeconfig.yaml
+```