feat(lldap): bootstrap lldap users with script

k8s/infra/auth/lldap/bootstrap.yaml

@@ -0,0 +1,51 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: lldap-bootstrap
+  namespace: lldap
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: lldap-bootstrap
+          image: ghcr.io/lldap/lldap:2024-09-02-debian # renovate: docker=ghcr.io/lldap/lldap versioning=loose
+          command: [ /app/bootstrap.sh ]
+          envFrom:
+            - configMapRef:
+                name: common-env
+            - configMapRef:
+                name: bootstrap-env
+          env:
+            - name: LLDAP_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: LLDAP_LDAP_USER_PASS
+          volumeMounts:
+            - name: user-configs
+              mountPath: /user-configs
+              readOnly: true
+            - name: group-configs
+              mountPath: /group-configs
+              readOnly: true
+      volumes:
+        - name: user-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-config
+                  items:
+                    - key: users.json
+                      path: user-configs.json
+        - name: group-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-config
+                  items:
+                    - key: groups.json
+                      path: group-configs.json

k8s/infra/auth/lldap/deployment.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: lldap
-          image: ghcr.io/lldap/lldap:2024-09-02-debian-rootless # renovate: docker=ghcr.io/lldap/lldap
+          image: ghcr.io/lldap/lldap:2024-09-02-debian-rootless # renovate: docker=ghcr.io/lldap/lldap versioning=loose
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
@@ -52,5 +52,3 @@ spec:
       volumes:
         - name: lldap-data
           emptyDir: { }
-        #  persistentVolumeClaim:
-        #    claimName: lldap-data

k8s/infra/auth/lldap/kustomization.yaml

@@ -8,10 +8,18 @@ configMapGenerator:
       - TZ="Europe/Oslo"
       - GID="1001"
       - UID="1001"
+  - name: bootstrap-env
+    namespace: lldap
+    literals:
+      - LLDAP_URL="http://lldap:80"
+      - LLDAP_ADMIN_USERNAME="admin"
+      - DO_CLEANUP="true"
 
 resources:
   - ns.yaml
   - svc.yaml
   - lldap-credentials.yaml
+  - lldap-config.yaml
   - deployment.yaml
   - http-route.yaml
+  - bootstrap.yaml

k8s/infra/auth/lldap/lldap-config.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: lldap-config
+  namespace: lldap
+spec:
+  encryptedData:
+    groups.json: AgBTLIgu5qux5QUB0JunkzARODrxh5gnNFsEUOzSaj8GCny3pqcsEgxRLrb2drWrXtW5yiLgK/NHQy3bmfIInjrjITZlUKwRRJalQPifKUX+gpEI8HllIn8lhg6pqBMbzzdtEtyBCunzNNtRIyGU7927QeykdtT6/GkjyWO1PkTQeVAf8zap8V40A/R/wq4T537mz3KkMf0ljONlRT8Ej81FEJReQiyylKiokxJNIz1HwztWecQQCL8blUA3J91GLH5Z4CwVOwBh6irIIdSgNyeKePVHs9hAZ0TBE0fITC+/SiJG0/w7Vn/9Ze9Rv2MRtQoqZyfUPNE1+ctjZTZxIGFjf7ZvkA3aq1KtWcZf7Cs+kgYXLnGi8GEd4ZjGwNNljXIzw5eVvCDYJMLIq+0wjKQpGNIfgmGviREDeMyEJgU4exluBk7E8cJXeAb8DC3qTHujUThwx0r+JMCX+zHYV1sFox6EsOxGu6vD6WxNhr+CjqORxsV+JE11tiFuiAgzkcJzAfmJ7hfNdf3l0EgwKUEe6SW1GpfEu3JXFlhpQOgYAdwjfoOkVr0e1fTesRkNfkK7R8p4o/AXSPlzwgdYyU+iGNtQyYeE8jKy0FU5YIDu3QjbshzYmpPmlMX3uJne8l32ZYf5aKpZYXjvjetAlcRA8t/k/7FKYmgP6i6YU6qoq3YD49kMF6C9IBvqTIqOlDS5Wcm/lxKEAobCw49ywiU+kxlgVVE=
+    users.json: AgCBpSUEe6hM5hby5CKawJtf0BVpWEC5jc3UaM7KRG4du6V0c+EnHEwUJrvEzikUsgYjHdlxg95Snn0WM+4XsSAtxRXOTrmOSNPsGqpuvbx+HkYaXSTexonvS236BrpkNnQoSGIdpDVhIFIxupRIfbXEWFydVNXOJLycIv75D+DTqc+5+8+PCs5nyB9m3j05QIUFZ8n3Myscfq0M2kkh2K8WIrcdRm2fNptihmdbD2jy/MAKKBNDi2zn4Zu0KAfkwIjj6hKQiCvWjul4unwaeU2EZa6UXi+vJ3pBizQVwMFkctybK3Zpdh0OUx8pl69XTpRgHL6Z4tjoCEFVEZkoDTNvXr7dOoZY/QJeEjQfYbmgi32CG/4zj38Tax/OdIj7aR7VCCJDExqi5cC/Q/ZyGRHdkdKahcXLoF/w1FgpYcsjVLOddRyAjqxMundKJkmsNsHu2JbQ8KZd1NFdA1c+IF0aNPpqildEBhJ0Ioj7J+jYxbSe50kONt3Z8NEEdl39VYORkeo/URCmn3rY6DQou2QIAAJAaVj1NtnHhispL7kvHv3GAaY6mB86kI7ryvLyWjG3Qg5fbBAyYzvHD7S5Ss7+/6QpneFP7xVqs0gLG10hY5apJmx5PGRmYiJdfQowcMuoHP1zEvqGV75SgZfgeMIlyC0/mjNh4FG5s42dz9+BddTH+tYaBGvwxbtXWW+rqk+JpMnNVEdZE9ZUwnSoCZAgnBJa+hcklgpcxgg/w0s5n+0qCvxbTqixThUXR1jDJIiHv1Ig4Q/+/0dx7MM98c94g2LMSH6Alpb2AKKRic+1OQ0mJXY+GJO0rHbBgSykHkpXBreWKZPkfKgYe8bEgkZI5xbGhb8oubgiY+DECDts4daYyNq8N4nSbMZ51Ij85zftCkZU5HLdRLnedfiRAcSXMDTndGpeis2ODm364IdLF5mwE6rKnyK7aN4Vkmlri32xNpG1InWXkDk9IY1pBTFR2DvLb8IN92poK96Amv3/gc4oSN5wGGqcUv+bCX4gGPnu2A/AQtQJAh/Xme5gidhtLuyfP+wGeMiNqV+khbr4+EOfxRqPhzqERSYpB8DQQMWDdg==
+  template:
+    metadata:
+      name: lldap-config
+      namespace: lldap

k8s/infra/auth/lldap/pvc.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: lldap-data
-  namespace: lldap
-spec:
-  storageClassName: proxmox-csi
-  volumeName: pv-lldap
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1G