From 035d42adb87cb420f6f7fc2226e8e0644b5786c8 Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Sun, 19 Jan 2025 11:51:17 +0100
Subject: [PATCH] test(lldap): enable ldaps

---
 k8s/infra/auth/lldap/cert.yaml | 16 ++++++++++++++++
 k8s/infra/auth/lldap/deployment.yaml | 10 ++++++++++
 k8s/infra/auth/lldap/kustomization.yaml | 4 ++++
 k8s/infra/auth/lldap/svc.yaml | 7 ++++++-
 4 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 k8s/infra/auth/lldap/cert.yaml

diff --git a/k8s/infra/auth/lldap/cert.yaml b/k8s/infra/auth/lldap/cert.yaml
new file mode 100644
index 0000000..d41c285
--- /dev/null
+++ b/k8s/infra/auth/lldap/cert.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: cert
+ namespace: lldap
+spec:
+ dnsNames:
+ - lldap.stonegarden.dev
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: cloudflare-cluster-issuer
+ secretName: cert
+ usages:
+ - digital signature
+ - key encipherment
diff --git a/k8s/infra/auth/lldap/deployment.yaml b/k8s/infra/auth/lldap/deployment.yaml
index b4e44f7..d401272 100644
--- a/k8s/infra/auth/lldap/deployment.yaml
+++ b/k8s/infra/auth/lldap/deployment.yaml
@@ -56,6 +56,16 @@ spec:
 volumeMounts:
 - name: lldap-data
 mountPath: /data
+ - name: cert
+ mountPath: /cert
 volumes:
+ - name: cert
+ secret:
+ secretName: cert
+ items:
+ - key: tls.key
+ path: tls.key
+ - key: tls.crt
+ path: tls.crt
 - name: lldap-data
 emptyDir: { }
diff --git a/k8s/infra/auth/lldap/kustomization.yaml b/k8s/infra/auth/lldap/kustomization.yaml
index 279e776..e6b5d23 100644
--- a/k8s/infra/auth/lldap/kustomization.yaml
+++ b/k8s/infra/auth/lldap/kustomization.yaml
@@ -12,6 +12,9 @@ configMapGenerator:
 namespace: lldap
 literals:
 - LLDAP_HTTP_URL="https://lldap.stonegarden.dev"
+ - LLDAP_LDAPS_OPTIONS__ENABLED="true"
+ - LLDAP_LDAPS_OPTIONS__CERT_FILE="/cert/tls.crt"
+ - LLDAP_LDAPS_OPTIONS__KEY_FILE="/cert/tls.key"
 - name: bootstrap-env
 namespace: lldap
 literals:
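Review bot: The new Certificate sets no `spec.privateKey.rotationPolicy`, so cert-manager keeps reusing the same private key on every renewal (its default is `Never`); add `privateKey:` / `  rotationPolicy: Always` under `spec:` so the key mounted into the lldap pod is replaced together with the certificate. Both the Certificate and its `secretName` are simply called `cert`, which is a generic name for a resource that deployment.yaml and kustomization.yaml in this patch now depend on by name; something like `lldap-tls` would make the coupling greppable and avoid a collision if another certificate ever lands in the `lldap` namespace. The only `dnsNames` entry is `lldap.stonegarden.dev`, so LDAPS clients have to connect by that hostname rather than by the LoadBalancer address added in svc.yaml, or hostname verification will fail.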
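Review bot: The `cert` Secret volume is projected with the default file mode, which leaves `tls.key` readable by every user inside the container; set `defaultMode` on the new `secret:` block (for example `0440` together with a pod `fsGroup` the lldap process belongs to) so only that process can read the private key. cert-manager rewrites the Secret on renewal and the kubelet eventually refreshes the mounted files, but unless lldap re-reads the files behind `LLDAP_LDAPS_OPTIONS__CERT_FILE`/`KEY_FILE` at runtime — which I cannot confirm from this diff — the pod keeps serving the old certificate until it restarts, so a restart trigger on Secret change is worth wiring in. The pod spec this hunk edits begins and ends outside the hunk.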
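Review bot: The three new literals hard-code `/cert/tls.crt` and `/cert/tls.key`, paths that only work because deployment.yaml in this same patch mounts the `cert` Secret at `/cert` with `items` named `tls.crt`/`tls.key`; that coupling is invisible from this file, so a comment above the new lines would help, e.g. `# /cert is the cert-manager Secret "cert" mounted in deployment.yaml (keys tls.crt / tls.key)`. The `configMapGenerator` entry these literals belong to starts above the hunk.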
@@ -27,6 +30,7 @@ resources:
 - ns.yaml
 - svc.yaml
 - cnpg-db.yaml
+ - cert.yaml
 - lldap-credentials.yaml
 - lldap-config.yaml
 - smtp-credentials.yaml
diff --git a/k8s/infra/auth/lldap/svc.yaml b/k8s/infra/auth/lldap/svc.yaml
index 08401b3..45f9376 100644
--- a/k8s/infra/auth/lldap/svc.yaml
+++ b/k8s/infra/auth/lldap/svc.yaml
@@ -3,8 +3,10 @@ kind: Service
 metadata:
 name: lldap
 namespace: lldap
+ annotations:
+ io.cilium/lb-ipam-ips: 192.168.1.242
 spec:
- type: ClusterIP
+ type: LoadBalancer
 selector:
 app: lldap
 ports:
@@ -14,3 +16,6 @@ spec:
 - name: ldap
 port: 389
 targetPort: ldap
+ - name: ldaps
+ port: 636
+ targetPort: ldaps
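Review bot: Changing `type: ClusterIP` to `type: LoadBalancer` publishes every entry in the Service's `ports:` list on 192.168.1.242, including the pre-existing plaintext `ldap` port 389 and not only the new `ldaps` one, so enabling LDAPS does not by itself stop cleartext binds from outside the cluster. If external access is meant to be LDAPS-only, keep 389 on a separate ClusterIP Service (or drop it from this one) and consider `loadBalancerSourceRanges` or a network policy to limit which clients can reach the address at all. The annotation also deserves a comment, e.g. `# static Cilium LB-IPAM address; lldap.stonegarden.dev should resolve here so the Certificate's dnsName verifies`.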
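Review bot: `targetPort: ldaps` refers to a named container port, but the deployment.yaml hunk in this patch adds only the volume and mount and no `containerPort` named `ldaps`; unless the container spec already declares it outside the visible diff, the Service has no resolvable target for port 636. The fix is a `- name: ldaps` / `containerPort: <port lldap actually binds>` entry in the container's `ports:` list, where the number has to match lldap's own LDAPS listener setting (if I recall its config correctly, `ldaps_options.port`, settable through the same `LLDAP_LDAPS_OPTIONS__*` scheme used in kustomization.yaml) rather than being assumed to be 636. Pinning that port explicitly next to the three new literals would keep Service and container from drifting apart.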