From 2a3f01736dc39f367bd582ed4cf7af118781da64 Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Sat, 7 Sep 2024 16:50:05 +0200
Subject: [PATCH] feat(ldap): add lldap as ldap server
---
 k8s/infra/auth/lldap/deployment.yaml | 56 +++++++++++++++++++++
 k8s/infra/auth/lldap/http-route.yaml | 15 ++++++
 k8s/infra/auth/lldap/kustomization.yaml | 17 +++++++
 k8s/infra/auth/lldap/lldap-credentials.yaml | 14 ++++++
 k8s/infra/auth/lldap/ns.yaml | 4 ++
 k8s/infra/auth/lldap/pvc.yaml | 13 +++++
 k8s/infra/auth/lldap/svc.yaml | 13 +++++
 k8s/infra/auth/project.yaml | 2 +
 8 files changed, 134 insertions(+)
 create mode 100644 k8s/infra/auth/lldap/deployment.yaml
 create mode 100644 k8s/infra/auth/lldap/http-route.yaml
 create mode 100644 k8s/infra/auth/lldap/kustomization.yaml
 create mode 100644 k8s/infra/auth/lldap/lldap-credentials.yaml
 create mode 100644 k8s/infra/auth/lldap/ns.yaml
 create mode 100644 k8s/infra/auth/lldap/pvc.yaml
 create mode 100644 k8s/infra/auth/lldap/svc.yaml
diff --git a/k8s/infra/auth/lldap/deployment.yaml b/k8s/infra/auth/lldap/deployment.yaml
new file mode 100644
index 0000000..70a593d
--- /dev/null
+++ b/k8s/infra/auth/lldap/deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: lldap
+ namespace: lldap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lldap
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ namespace: lldap
+ labels:
+ app: lldap
+ spec:
+ nodeSelector:
+ topology.kubernetes.io/zone: abel
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: lldap
+ image: ghcr.io/lldap/lldap:2024-09-02-debian-rootless # renovate: docker=ghcr.io/lldap/lldap
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ "ALL" ]
+ envFrom:
+ - configMapRef:
+ name: common-env
+ - secretRef:
+ name: lldap-credentials
+ ports:
+ - name: ldap
+ containerPort: 3890
+ - name: ldaps
+ containerPort: 6360
+ - name: web
+ containerPort: 17170
+ volumeMounts:
+ - name: lldap-data
+ mountPath: /data
+ volumes:
+ - name: lldap-data
+ emptyDir: { }
+ # persistentVolumeClaim:
+ # claimName: lldap-data
diff --git a/k8s/infra/auth/lldap/http-route.yaml b/k8s/infra/auth/lldap/http-route.yaml
new file mode 100644
index 0000000..9c9d163
--- /dev/null
+++ b/k8s/infra/auth/lldap/http-route.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: lldap
+ namespace: lldap
+spec:
+ parentRefs:
+ - name: internal
+ namespace: gateway
+ hostnames:
+ - "lldap.stonegarden.dev"
+ rules:
+ - backendRefs:
+ - name: lldap
+ port: 80
diff --git a/k8s/infra/auth/lldap/kustomization.yaml b/k8s/infra/auth/lldap/kustomization.yaml
new file mode 100644
index 0000000..c18cb27
--- /dev/null
+++ b/k8s/infra/auth/lldap/kustomization.yaml
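Review bot: The `/data` volume in deployment.yaml is an `emptyDir`, so the LLDAP user database and everything else the server writes under `/data` are discarded whenever the pod is recreated or rescheduled, while the `persistentVolumeClaim` branch is left commented out; for an identity store that means every restart loses all users, groups and credentials. The same commit adds `pvc.yaml` (claim `lldap-data`, bound to `pv-lldap`) but does not list it in the `resources` of kustomization.yaml, so the claim is never applied either. If the emptyDir is a deliberate first-bring-up choice, a comment next to the volume saying so (and when the PVC is meant to be switched in) would stop a later reader from trusting the data; otherwise replace the volume with `persistentVolumeClaim:` / `  claimName: lldap-data` and add `- pvc.yaml` to the kustomization, which is also what the `Recreate` strategy and the zone `nodeSelector` already suggest. Separately, `containerPort: 6360` (`ldaps`) is declared but nothing in the manifest mounts a certificate or key, so as far as these hunks show nothing serves that port; a short comment marking it as not yet enabled would help.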
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+ - name: common-env
+ namespace: lldap
+ literals:
+ - TZ="Europe/Oslo"
+ - GID="1001"
+ - UID="1001"
+
+resources:
+ - ns.yaml
+ - svc.yaml
+ - lldap-credentials.yaml
+ - deployment.yaml
+ - http-route.yaml
diff --git a/k8s/infra/auth/lldap/lldap-credentials.yaml b/k8s/infra/auth/lldap/lldap-credentials.yaml
new file mode 100644
index 0000000..aed3351
--- /dev/null
+++ b/k8s/infra/auth/lldap/lldap-credentials.yaml
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: lldap-credentials
+ namespace: lldap
+spec:
+ encryptedData:
+ LLDAP_JWT_SECRET: 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
+ LLDAP_LDAP_BASE_DN: 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
+ LLDAP_LDAP_USER_PASS: 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
+ template:
+ metadata:
+ name: lldap-credentials
+ namespace: lldap
diff --git a/k8s/infra/auth/lldap/ns.yaml b/k8s/infra/auth/lldap/ns.yaml
new file mode 100644
index 0000000..2210139
--- /dev/null
+++ b/k8s/infra/auth/lldap/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: lldap
\ No newline at end of file
diff --git a/k8s/infra/auth/lldap/pvc.yaml b/k8s/infra/auth/lldap/pvc.yaml
new file mode 100644
index 0000000..5c331dd
--- /dev/null
+++ b/k8s/infra/auth/lldap/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: lldap-data
+ namespace: lldap
+spec:
+ storageClassName: proxmox-csi
+ volumeName: pv-lldap
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1G
diff --git a/k8s/infra/auth/lldap/svc.yaml b/k8s/infra/auth/lldap/svc.yaml
new file mode 100644
index 0000000..ec53efd
--- /dev/null
+++ b/k8s/infra/auth/lldap/svc.yaml
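Review bot: The generator literals `TZ="Europe/Oslo"`, `GID="1001"` and `UID="1001"` in kustomization.yaml carry literal double quotes inside plain YAML scalars, which is easy to misread as YAML quoting of the value. Kustomize's literal parser drops one pair of matching surrounding quotes from the value, so the rendered ConfigMap is presumably correct, but that is worth confirming against the built output rather than assumed. Writing `- TZ=Europe/Oslo`, `- GID=1001`, `- UID=1001` (or quoting the whole item, `- "TZ=Europe/Oslo"`) expresses the same values without depending on that stripping.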
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: lldap
+ namespace: lldap
+spec:
+ type: ClusterIP
+ selector:
+ app: lldap
+ ports:
+ - name: web
+ port: 80
+ targetPort: web
diff --git a/k8s/infra/auth/project.yaml b/k8s/infra/auth/project.yaml
index b84749a..ba877c4 100644
--- a/k8s/infra/auth/project.yaml
+++ b/k8s/infra/auth/project.yaml
@@ -11,6 +11,8 @@ spec:
 server: '*'
 - namespace: 'keycloak'
 server: '*'
+ - namespace: 'lldap'
+ server: '*'
 - namespace: 'netbird'
 server: '*'
 clusterResourceWhitelist:
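Review bot: The Service in svc.yaml exposes only the `web` port (80 → `web`/17170); the `ldap` (3890) and `ldaps` (6360) container ports declared in deployment.yaml are not reachable through it, so despite the commit title no other workload can bind to this server over LDAP yet. If that is intended for this commit, a comment on the `ports` list saying LDAP is deliberately not yet published would stop a later reader from assuming it is; otherwise add `- name: ldap`, `port: 3890`, `targetPort: ldap` under `ports`, keeping the `ClusterIP` type so the directory stays cluster-internal. Whether a consumer such as the `keycloak` namespace listed in the same AppProject is meant to use it is not visible from these hunks.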