Use lldap service users in authelia and grafana

2025-03-22 00:34:06 +01:00
parent 60a63fff7e
commit e2b30d2f41
9 changed files with 24 additions and 130 deletions
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -5,7 +5,7 @@ resources:
  - ./namespace.yaml
  - ./repository.yaml
  - ./release.yaml
-  - ./lldap.yaml
+  - ./service-user.yaml
  - ./config-map-authelia-acl.yaml
  - ../../common/postgres
  - ../../common/dragonflydb
--- a/apps/grafana/ldap.toml
+++ b/apps/grafana/ldap.toml
@@ -20,10 +20,10 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"

 # Search user bind dn
-bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
+bind_dn = "uid=${LDAP_USERNAME},ou=people,dc=huizinga,dc=dev"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = """${LDAP_ADMIN_PASSWORD}"""
+bind_password = "${LDAP_PASSWORD}"

 # User search filter
 search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"
--- a/apps/grafana/lldap.yaml
+++ b/apps/grafana/lldap.yaml
@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: grafana-lldap
-type: Opaque
-stringData:
-    password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
-    user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-12-30T03:11:38Z"
-    mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
-    pgp:
-        - created_at: "2024-12-30T03:06:07Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
-            CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
-            QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
-            GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
-            omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
-            U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
-            kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
-            mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
-            92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
-            psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
-            07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
-            aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
-            E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
-            8PqQ49TpHxYC
-            =eBq+
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2024-12-30T03:06:07Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
-            tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
-            /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
-            gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
-            LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
-            wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
-            qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
-            el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
-            R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
-            IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
-            2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
-            XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
-            FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
-            =9p2Q
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.1
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@@ -27,9 +27,13 @@ spec:
        traefik.ingress.kubernetes.io/router.tls: "true"

    envValueFrom:
-      LDAP_ADMIN_PASSWORD:
+      LDAP_USERNAME:
        secretKeyRef:
-          name: grafana-lldap
+          name: grafana-lldap-credentials
+          key: username
+      LDAP_PASSWORD:
+        secretKeyRef:
+          name: grafana-lldap-credentials
          key: password

    grafana.ini:
--- a/apps/grafana/service-user.yaml
+++ b/apps/grafana/service-user.yaml
@@ -0,0 +1,5 @@
+apiVersion: lldap.huizinga.dev/v1
+kind: ServiceUser
+metadata:
+  name: grafana
+spec: {}