diff --git a/ldap/.helmignore b/ldap/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/ldap/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/ldap/Chart.yaml b/ldap/Chart.yaml
new file mode 100644
index 0000000..43b4b4a
--- /dev/null
+++ b/ldap/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: ungleich-ldap
+description: ungleich ldap servers based on osixia/phpldapadmin:0.9.0
+
+type: application
+
+version: 0.1.0
+appVersion: "1.5.0"
diff --git a/ldap/Dockerfile b/ldap/Dockerfile
new file mode 100644
index 0000000..6f3fe7d
--- /dev/null
+++ b/ldap/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:3.14
+
+# ungleich certbot for https
+
+RUN apk update && apk add openldap openldap-back-mdb
diff --git a/ldap/manifest b/ldap/manifest
new file mode 100644
index 0000000..56ae6cc
--- /dev/null
+++ b/ldap/manifest
@@ -0,0 +1,21 @@
+sixia/openldap:1.5.0
+
+389
+636
+
+LDAP_ORGANISATION="My Company" \
+ --env LDAP_DOMAIN="my-company.com" \
+ --env LDAP_ADMIN_PASSWORD="JonSn0w" \
+
+vol
+
+/var/lib/ldap (LDAP database files) and /etc/ldap/slapd.d
+
+
+Do not edit slapd.conf it's not used. To modify your server
+configuration use ldap utils: ldapmodify / ldapadd / ldapdelete
+
+LDAP_SEED_INTERNAL_LDAP_TLS_CRT_FILE: "${CI_PROJECT_DIR}/docker/certificates/certs/cert.pem"
+ LDAP_SEED_INTERNAL_LDAP_TLS_KEY_FILE: "${CI_PROJECT_DIR}/docker/certificates/certs/key.pem"
+ LDAP_SEED_INTERNAL_LDAP_TLS_CA_CRT_FILE: "${CI_PROJECT_DIR}/docker/certificates/ca/ca.pem"
+ LDAP_SEED_INTERNAL_LDAP_TLS_DH_PARAM_FILE: "${CI_PROJECT_DIR}/certificates/dhparam.pem"
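Review bot: The `description` in Chart.yaml names osixia/phpldapadmin:0.9.0 as what the chart is based on, while `appVersion: "1.5.0"` matches the osixia/openldap:1.5.0 tag that the deployment template in this diff runs as its primary container. The two fields should agree on which component is the application; suggest `description: ungleich LDAP server (osixia/openldap 1.5.0) with phpLDAPadmin 0.9.0` so a reader of `helm show chart` is not misled about what is deployed.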
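Review bot: The `RUN apk update && apk add openldap openldap-back-mdb` line installs unpinned packages and leaves the apk index cache in the layer; the idiomatic and reproducible form is `RUN apk add --no-cache openldap=<version> openldap-back-mdb=<version>` with the versions pinned to what Alpine 3.14 ships. The comment `# ungleich certbot for https` does not describe the step below it, which installs slapd and its mdb backend and nothing related to certbot; replace it with `# slapd with the mdb backend` or drop it. The image also never sets `USER`, `EXPOSE` or an `ENTRYPOINT`, so as written it runs as root and has no process to start, and nothing else in this diff builds or references it (deployment.yaml uses osixia/openldap:1.5.0), so it is unclear whether it is meant to be used at all.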
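Review bot: `LDAP_ADMIN_PASSWORD="JonSn0w"` commits a literal admin password to the repository; even if it was copied from an upstream `docker run` example, secret scanners will flag it and example values like this tend to be pasted unchanged into real deployments. Replace it with an obvious placeholder such as `LDAP_ADMIN_PASSWORD="<from-kubernetes-secret>"` and say in the note that the real value must be supplied from a Secret, never from a file in the chart. The same notes record that both `/var/lib/ldap` and `/etc/ldap/slapd.d` are the volumes to persist, which is worth cross-checking against deployment.yaml in this diff, where only the first is mounted. The first line reads `sixia/openldap:1.5.0`, presumably a dropped `o` from `osixia/`.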
diff --git a/ldap/templates/deployment.yaml b/ldap/templates/deployment.yaml
new file mode 100644
index 0000000..989cc6e
--- /dev/null
+++ b/ldap/templates/deployment.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-openldap
+spec:
+ selector:
+ matchLabels:
+ instance: {{ .Release.Name }}-openldap
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: openldap
+ instance: {{ .Release.Name }}-openldap
+ spec:
+ containers:
+ - name: openldap
+ image: osixia/openldap:1.5.0
+ ports:
+ - containerPort: 389
+ - containerPort: 636
+ volumeMounts:
+ - name: openldap-data
+ mountPath: "/var/lib/ldap"
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "400m"
+ - name: phpldapadmin
+ image: osixia/phpldapadmin:0.9.0
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ env:
+ - key: PHPLDAPADMIN_LDAP_HOSTS
+ value: {{ .Release.Name }}-openldap
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "400m"
+ volumes:
+ - name: openldap-data
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.identifier . }}-openldap-data
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-openldap
+ labels:
+ instance: {{ .Release.Name }}-openldap
+ app: openldap
+spec:
+ type: ClusterIP
+ ports:
+ - port: 389
+ name: openldap
+ - port: 636
+ name: openldap-ssl
+ selector:
+ instance: {{ .Release.Name }}-openldap
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ tpl .Values.identifier . }}-letsencrypt-certs
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Mi
+ storageClassName: rook-ceph-block
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ tpl .Values.identifier . }}-openldap-data
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.dbsizeingb }}Gi
+ storageClassName: rook-ceph-block
+
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: {{ tpl .Values.identifier . }}-openldap-config
+# annotations:
+# secret-generator.v1.mittwald.de/autogenerate: OPENLDAP_PASSWORD
+# stringData:
+# OPENLDAP_USER: "openldap"
+# OPENLDAP_DB: "zammad"
diff --git a/ldap/templates/nginxconf.yaml b/ldap/templates/nginxconf.yaml
new file mode 100644
index 0000000..699d7f6
--- /dev/null
+++ b/ldap/templates/nginxconf.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ tpl .Values.identifier . }}-nginx-config
+data:
+{{ tpl (.Files.Glob "nginx/*").AsConfig . | indent 2 }}
diff --git a/ldap/templates/tests/test-connection.yaml b/ldap/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..85cbdda
--- /dev/null
+++ b/ldap/templates/tests/test-connection.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ tpl .Values.identifier . }}-test-connection"
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['https://{{ tpl .Values.fqdn . }}']
+ restartPolicy: Never
diff --git a/ldap/values.yaml b/ldap/values.yaml
new file mode 100644
index 0000000..ffd79a7
--- /dev/null
+++ b/ldap/values.yaml
@@ -0,0 +1,15 @@
+clusterDomain: c2.k8s.ooo
+email: technik@ungleich.ch
+letsencryptStaging: "yes"
+
+# This is how the service and the data volumes are named - i.e. the
+# persistent thing
+identifier: "{{ .Release.Name }}"
+fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+
+storage:
+ data:
+ size: 1Gi
+
+datasizeingb: 1
+dbsizeingb: 0.5
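Review bot: The Deployment and the Service are not separated into two documents: `claimName: {{ tpl .Values.identifier . }}-openldap-data` is followed directly by `apiVersion: v1` / `kind: Service`, so both objects end up in one YAML document with duplicate top-level keys and the rendered template will not apply; insert a `---` line before that `apiVersion: v1`. In the phpldapadmin container, `key: PHPLDAPADMIN_LDAP_HOSTS` is not a valid EnvVar field and will be rejected on apply; it should read `name: PHPLDAPADMIN_LDAP_HOSTS`. The openldap container is given no environment at all, so whatever admin password, domain and TLS defaults the image ships with are what runs — the manifest notes in this diff show these are meant to be set via LDAP_ADMIN_PASSWORD and the LDAP_*_TLS_* variables — and they should be wired from a Secret (the commented-out Secret at the end suggests that was the intent) rather than left at image defaults. Only `/var/lib/ldap` is mounted from a PVC while the notes name `/etc/ldap/slapd.d` as where server configuration lives, so configuration applied with ldapmodify is presumably lost on pod restart, and the `-letsencrypt-certs` PVC is created but never mounted by any container.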
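Review bot: The ConfigMap is populated from `.Files.Glob "nginx/*"`, but this diff adds no `nginx/` directory to the chart, so the glob is empty and the object renders with a bare `data:` and nothing in it. No container in deployment.yaml mounts `-nginx-config` either, so as committed the template produces an unused, empty ConfigMap; either add the nginx files and a volume mount that consumes them, or drop the template until they exist.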
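Review bot: The test fetches `https://{{ tpl .Values.fqdn . }}`, which resolves to the `<release>-openldap`-style Service name in this namespace, but the Service defined in deployment.yaml publishes only ports 389 and 636 and phpldapadmin's 443 is not exposed by any Service, so nothing answers on 443 and the hook will fail every time. Either publish the HTTPS port through a Service or make the test probe what is actually served, for example `args: ['-q', '-O', '-', 'ldap://{{ tpl .Values.fqdn . }}:389']` is not something wget speaks, so an `ldapsearch`-capable image against 389 or `openssl s_client` against 636 would be the honest check. `image: busybox` is untagged and should be pinned; note also that whether busybox's wget can do TLS at all depends on how the image was built, which is worth confirming before relying on an https URL in the test.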
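Review bot: `storage.data.size`, `datasizeingb`, `email` and `letsencryptStaging` are declared here but no template in this diff reads them — deployment.yaml uses only `identifier` and `dbsizeingb`, and the test hook uses `fqdn` (which pulls in `clusterDomain`). Unused values invite drift between what operators set and what the chart does; drop them, or add a one-line comment over each explaining which future template is expected to consume it. The comment above `identifier` could also state that the value is rendered with `tpl`, which is why it may contain `{{ .Release.Name }}`.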