feat(kubernetes): install lldap (#156)

kubernetes/apps/default/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./external-apps/ks.yaml
   - ./hajimari/ks.yaml
   - ./home-assistant/ks.yaml
-  - ./kubernetes-schemas/ks.yaml
   - ./kromgo/ks.yaml
+  - ./kubernetes-schemas/ks.yaml
+  - ./lldap/ks.yaml
   - ./minio/ks.yaml

kubernetes/apps/default/lldap/app/helmrelease.yaml

@@ -0,0 +1,92 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app lldap
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        replicas: 2
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            envFrom: &envFrom
+              - secretRef:
+                  name: lldap
+        containers:
+          main:
+            image:
+              repository: ghcr.io/lldap/lldap
+              tag: v0.5.0@sha256:f0f5d92cd6c6dca9415993cfc57919f0618e87090b323a98c1536975860fa45a
+            env:
+              TZ: Europe/Berlin
+              LLDAP_HTTP_PORT: &port 80
+              LLDAP_HTTP_URL: https://lldap.18b.haus
+              LLDAP_LDAP_PORT: &ldapPort 389
+              LLDAP_LDAP_BASE_DN: dc=home,dc=arpa
+            envFrom: *envFrom
+            resources:
+              requests:
+                cpu: 5m
+                memory: 36M
+              limits:
+                memory: 128M
+        pod:
+          topologySpreadConstraints:
+            - maxSkew: 1
+              topologyKey: kubernetes.io/hostname
+              whenUnsatisfiable: DoNotSchedule
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: *app
+    service:
+      main:
+        ports:
+          http:
+            port: *port
+          ldap:
+            port: *ldapPort
+    ingress:
+      main:
+        enabled: true
+        className: internal
+        annotations:
+          hajimari.io/icon: mdi:users
+        hosts:
+          - host: &host "{{ .Release.Name }}.18b.haus"
+            paths:
+              - path: /
+                service:
+                  name: main
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      data:
+        type: emptyDir

kubernetes/apps/default/lldap/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.yaml
+  - ./helmrelease.yaml

kubernetes/apps/default/lldap/app/secret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: lldap
+stringData:
+  LLDAP_JWT_SECRET: "${SECRET_LLDAP_JWT_SECRET}"
+  LLDAP_LDAP_USER_PASS: "${SECRET_LLDAP_LDAP_USER_PASS}"
+  LLDAP_USER_DN: "${SECRET_LLDAP_USER_DN}"
+  LLDAP_LDAP_USER_EMAIL: "${SECRET_LLDAP_LDAP_USER_EMAIL}"
+  LLDAP_SERVER_KEY_SEED: "${SECRET_LLDAP_SERVER_KEY_SEED}"
+  LLDAP_DATABASE_URL: |-
+    postgres://${SECRET_LLDAP_POSTGRES_USER}:${SECRET_LLDAP_POSTGRES_PASSWORD}@postgres16-rw.database.svc.cluster.local/lldap
+  INIT_POSTGRES_DBNAME: lldap
+  INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
+  INIT_POSTGRES_USER: "${SECRET_LLDAP_POSTGRES_USER}"
+  INIT_POSTGRES_PASS: "${SECRET_LLDAP_POSTGRES_PASSWORD}"
+  INIT_POSTGRES_SUPER_PASS: "${SECRET_POSTGRES_SUPER_PASSWORD}"

kubernetes/apps/default/lldap/ks.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app lldap
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cloudnative-pg-cluster
+  path: ./kubernetes/apps/default/lldap/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/flux/vars/cluster-secrets.sops.yaml

@@ -6,15 +6,23 @@ metadata:
 stringData:
     SECRET_ACME_EMAIL: ENC[AES256_GCM,data:USAq2VMuuK6aldyw31M0xPDsAGWRMXXZoRijLAu8t3Pe6pYnHF4=,iv:LfiGlBVn+NApPDtWEGsWXV3LrsuY7riMrFco0Nb6LmA=,tag:+dEFJ8vWcoC/oUakUGHFMg==,type:str]
     SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:/CnIAnfEwUN1Ap8dqes0WUrMFfQP1X9WKiNy+yeRnjYghj1I,iv:6n5bg8KsvNuSWaMfskOPUJ9GaWWc6NXeHfyrKVPN1LI=,tag:fTbP+4Zcq59F/DaP3QlyPw==,type:str]
+    SECRET_CLOUDNATIVE_PG_MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:FqZo9SLHZXLX2pzNWco=,iv:kOf9BwCF1ohT03mgRITuDIzj1cUIde/bvXL632YxttM=,tag:pwjLJ/vafObaDrnyZ4/j/A==,type:str]
+    SECRET_CLOUDNATIVE_PG_MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:iO5NoNCg5OOqeU3lmm7evcvf+ZelDgg7ynUCNVzSE1GSoGwuxi5H2sz5nMdCQ7MpXwTvMCzMr5Y=,iv:FzPTfrgl3ETtvkl9nflOzcJXNOtrnvkMXf/pcWlJRW8=,tag:kTQveggHnpLgZlOzEAUT0Q==,type:str]
+    SECRET_HASS_POSTGRES_PASSWORD: ENC[AES256_GCM,data:LiE8HfCnP/B9xiL+fjm03EBB/tDvGvSq,iv:JdDgT/Dm3rtlvJqhddfR6VKc4CnRwj2KMz4krWF+hMU=,tag:j67DCPDjCEBPlC/aEcGHgg==,type:str]
+    SECRET_HASS_POSTGRES_USER: ENC[AES256_GCM,data:x3C0v/uguAHGCKpH9HQ=,iv:WAocwbxHMtmSnI7vlvVJUkSIAMacu2Nzos4MK2AluJc=,tag:IWGVuny41qSrIefnr2W11g==,type:str]
+    SECRET_LLDAP_JWT_SECRET: ENC[AES256_GCM,data:LUMiKTDi0bon+YiYbj6uUn8btvTtJzxEaxVpvliXIY4=,iv:RBLyw19dhxENg1gRTRofO174+KccTp2D0bOq3BUqizk=,tag:htRpE/shfl1X7SzSlhXlkw==,type:str]
+    SECRET_LLDAP_KEY_SEED: ENC[AES256_GCM,data:x5ALigmjdoexjXLirbdasMkoaYhcGzz1eDGwLgWu6/c=,iv:/a2v3HT8o2PIOJqPQ9XY2HRRg///wRmw40+zxn3dw90=,tag:k6Lx+xeVJJnJIPW1mtjcMg==,type:str]
+    SECRET_LLDAP_LDAP_USER_EMAIL: ENC[AES256_GCM,data:D8TC5+4j2Cw4GDLhBoU=,iv:4rTdhWzSJQUzRfIMdVgdGFXE+gIhdActmyMvrc6oqJA=,tag:6SdHaZn/fKyvc0ilM4loyw==,type:str]
+    SECRET_LLDAP_LDAP_USER_PASS: ENC[AES256_GCM,data:CxE/BXihdQ1HxkKyR1fqcnMLEn6cduKs,iv:BYZU5zMXCXwOyB4ppKsGjdESVguocEnESrsA/Jq0nsI=,tag:6gW61GkpJRfTOeNs84Q6jg==,type:str]
+    SECRET_LLDAP_POSTGRES_PASSWORD: ENC[AES256_GCM,data:4w3l36zJt2ZizaPIyILYnOerGONs6z7F,iv:BTYjKjdKe4OcWzXo427JZtM16u6pz3n0l/kcYXvAfHY=,tag:LnMmXxfB4fWVb1EOdRP9FA==,type:str]
+    SECRET_LLDAP_POSTGRES_USER: ENC[AES256_GCM,data:Wz5yj8Y=,iv:Bs+Hhtn2tZhRCzVInwONeFeffrK8P6U0eMmwzqwEZ8w=,tag:EbQdNrCT2baZsdBB84fDGQ==,type:str]
+    SECRET_LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:Mg+iaSiw4Wue3TKRVNj8+fQgq/KKHYR/4Ws4I7O66K4=,iv:FWbUIp4DNh0+k5R5oEEWNhhzqgncj9+gGdBzxTnyVf0=,tag:MUeLdbw41PUg7/cP5nsD3A==,type:str]
+    SECRET_LLDAP_USER_DN: ENC[AES256_GCM,data:C+R4L+0=,iv:Sblcl9AIIlkmAUH7EV1KzZpnVSAG7r6sqAxrtEOHdlI=,tag:Ta0/dCjwqnRa/WP+bG+O+w==,type:str]
+    SECRET_POSTGRES_SUPER_PASSWORD: ENC[AES256_GCM,data:PX5fC/Czl95B6J6AmHkFCPBE0I/j7Esi,iv:4noh58XM4c5pSpC6xx+j+Cix17alp+jDoSUJ/4WvAs8=,tag:Cx5JLgz7T8kK6aB4iqESQw==,type:str]
+    SECRET_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:099ubzE7aXc=,iv:1apaExSeFS6rppRT80vrW7pyyTH6BM+q0XLTNEeUoa4=,tag:6EsyykMKS26LhK8g0Sgcew==,type:str]
     SECRET_RESTIC_PASSWORD: ENC[AES256_GCM,data:kCb8nCbIBKHeS5GfW+CZJyvuA1AFszGk,iv:zKU8Tp0ika6h+KCSurG29iX6fOLrPppBVyFBtG/f9T4=,tag:gCi/lthqzxZg6bOgWxJuww==,type:str]
     SECRET_VOLSYNC_MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:tc7FSDZBuw==,iv:Yu4+6zSsH4N5sNTD0519vYKXVH3IaqBFm8xJ1++PdSI=,tag:f35tU0nbUau4jR1nv1Hz8w==,type:str]
     SECRET_VOLSYNC_MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:vEFPFsRXyKeMSgWvdLRGbRxTwCNwm1WJjgCt04rk0PaZbXiPcC7ubwDOPuGKogSC5SoOTjTC0Ak=,iv:a6SfpWIGD1WL64OvwANTgJBrDZHl1Wb00HCI1qAjpi4=,tag:81eHa7qlBaAldzIkni5Xpg==,type:str]
-    SECRET_HASS_POSTGRES_USER: ENC[AES256_GCM,data:x3C0v/uguAHGCKpH9HQ=,iv:WAocwbxHMtmSnI7vlvVJUkSIAMacu2Nzos4MK2AluJc=,tag:IWGVuny41qSrIefnr2W11g==,type:str]
-    SECRET_HASS_POSTGRES_PASSWORD: ENC[AES256_GCM,data:LiE8HfCnP/B9xiL+fjm03EBB/tDvGvSq,iv:JdDgT/Dm3rtlvJqhddfR6VKc4CnRwj2KMz4krWF+hMU=,tag:j67DCPDjCEBPlC/aEcGHgg==,type:str]
-    SECRET_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:099ubzE7aXc=,iv:1apaExSeFS6rppRT80vrW7pyyTH6BM+q0XLTNEeUoa4=,tag:6EsyykMKS26LhK8g0Sgcew==,type:str]
-    SECRET_POSTGRES_SUPER_PASSWORD: ENC[AES256_GCM,data:PX5fC/Czl95B6J6AmHkFCPBE0I/j7Esi,iv:4noh58XM4c5pSpC6xx+j+Cix17alp+jDoSUJ/4WvAs8=,tag:Cx5JLgz7T8kK6aB4iqESQw==,type:str]
-    SECRET_CLOUDNATIVE_PG_MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:FqZo9SLHZXLX2pzNWco=,iv:kOf9BwCF1ohT03mgRITuDIzj1cUIde/bvXL632YxttM=,tag:pwjLJ/vafObaDrnyZ4/j/A==,type:str]
-    SECRET_CLOUDNATIVE_PG_MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:iO5NoNCg5OOqeU3lmm7evcvf+ZelDgg7ynUCNVzSE1GSoGwuxi5H2sz5nMdCQ7MpXwTvMCzMr5Y=,iv:FzPTfrgl3ETtvkl9nflOzcJXNOtrnvkMXf/pcWlJRW8=,tag:kTQveggHnpLgZlOzEAUT0Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -30,8 +38,8 @@ sops:
             ckhSSHhTelhwQmRyZGhMcSthR2p1YjgK5NR2/Pzwgp7YVVx4o8QmZ82+PXVmKx+M
             sz/72X8laFp1M8Tp8gc1csFh2VhnjS7gLdqrJJ6ozYoWh/mSdxp8VQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-19T20:04:39Z"
-    mac: ENC[AES256_GCM,data:w0ELwCQsGsyTsbdDKMq5w0qWBxpaLdwc2aBjGz/HUbW80frU8gqi1N4wQ0CALMvDkeObyNPs6vPqSN0Z/49+EtEcz7Bo17jmlcbjXgGbPHJ4bq3BCnM6CTupsb3yenqsDhbV5lK4cOxfDKY7Req8rE6y2u+PFGd+5Po7vvsfY58=,iv:I41jnD7rljVPnoE3xA5HqxeyNn3hg+VruHT5W2LruTM=,tag:6lSg/8x7SK7CC1KWOE28hQ==,type:str]
+    lastmodified: "2023-12-28T11:14:26Z"
+    mac: ENC[AES256_GCM,data:bGXsnD+u7V2p4aDT5VWDfAy7Q2AFp5ZjydPtKHYPuslTMg00MyCMxQbsiZ+lxMbc8Gme3dn1aPucrTFPUsLQ/sU3CwyDxBinjLtKSMqQQCyzaKKeHxyLS91cqLE3ZYyXzR7ZbXihjd1TN/DETKew7s5aTHc6Fy5TloXXfKqYAag=,iv:XgKu6UBoOszREIzWjhKSeXUG+aDkeHufpv+Op/J0xs0=,tag:WkhIBXYjyDNVOVQSlQd5lA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1