diff --git a/manifests.yaml b/manifests.yaml
new file mode 100644
index 0000000..e45625c
--- /dev/null
+++ b/manifests.yaml
@@ -0,0 +1,286 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: groups.lldap.huizinga.dev
+spec:
+ group: lldap.huizinga.dev
+ names:
+ categories: []
+ kind: Group
+ plural: groups
+ shortNames:
+ - lg
+ singular: group
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns: []
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Custom resource for managing Groups inside of LLDAP
+ properties:
+ spec:
+ type: object
+ required:
+ - spec
+ title: Group
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceusers.lldap.huizinga.dev
+spec:
+ group: lldap.huizinga.dev
+ names:
+ categories: []
+ kind: ServiceUser
+ plural: serviceusers
+ shortNames:
+ - lsu
+ singular: serviceuser
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Can the service user manage passwords
+ jsonPath: .spec.passwordManager
+ name: Manager
+ type: boolean
+ - description: Secret creation timestamp
+ jsonPath: .status.secretCreated
+ name: Password
+ type: date
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Custom resource for managing Service Users inside of LLDAP
+ properties:
+ spec:
+ properties:
+ additionalGroups:
+ default: []
+ items:
+ type: string
+ type: array
+ passwordManager:
+ default: false
+ type: boolean
+ type: object
+ status:
+ nullable: true
+ properties:
+ secretCreated:
+ format: date-time
+ nullable: true
+ type: string
+ type: object
+ required:
+ - spec
+ title: ServiceUser
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: userattributes.lldap.huizinga.dev
+spec:
+ group: lldap.huizinga.dev
+ names:
+ categories: []
+ kind: UserAttribute
+ plural: userattributes
+ shortNames:
+ - lua
+ singular: userattribute
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - description: Type of attribute
+ jsonPath: .spec.type
+ name: Type
+ type: string
+ - description: Can the attribute contain multiple values
+ jsonPath: .spec.list
+ name: List
+ type: boolean
+ - description: Can users see the value
+ jsonPath: .spec.userVisible
+ name: Visible
+ type: boolean
+ - description: Can users edit the value
+ jsonPath: .spec.userEditable
+ name: Editable
+ type: boolean
+ - jsonPath: .status.synced
+ name: Synced
+ type: boolean
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: Custom resource for managing custom User Attributes inside of
+ LLDAP
+ properties:
+ spec:
+ properties:
+ list:
+ default: false
+ type: boolean
+ type:
+ enum:
+ - String
+ - Integer
+ - Jpeg
+ - DateTime
+ type: string
+ userEditable:
+ default: false
+ type: boolean
+ userVisible:
+ default: false
+ type: boolean
+ required:
+ - type
+ type: object
+ status:
+ nullable: true
+ properties:
+ synced:
+ type: boolean
+ required:
+ - synced
+ type: object
+ required:
+ - spec
+ title: UserAttributeValidated
+ type: object
+ x-kubernetes-validations:
+ - message: User attributes are immutable
+ rule: self.spec == oldSelf.spec
+ - message: Editable attribute must also be visible
+ rule: '!self.spec.userEditable || self.spec.userVisible && self.spec.userEditable'
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+ labels:
+ app: lldap-controller
+ app.kubernetes.io/name: lldap-controller
+ name: lldap-controller
+ namespace: lldap
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: lldap-controller
+rules:
+- apiGroups:
+ - lldap.huizinga.dev
+ resources:
+ - serviceusers
+ - serviceusers/status
+ - serviceusers/finalizers
+ - groups
+ - grours/status
+ - grours/finalizers
+ - userattributes
+ - userattributes/status
+ - userattributes/finalizers
+ verbs:
+ - '*'
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: lldap-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: lldap-controller
+subjects:
+- kind: ServiceAccount
+ name: lldap-controller
+ namespace: lldap
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: lldap-controller
+ app.kubernetes.io/name: lldap-controller
+ name: lldap-controller
+ namespace: lldap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lldap-controller
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: lldap-controller
+ labels:
+ app: lldap-controller
+ spec:
+ containers:
+ - env:
+ - name: RUST_LOG
+ value: info,lldap_controller=debug
+ - name: LLDAP_URL
+ value: http://lldap:17170
+ - name: LLDAP_USERNAME
+ value: admin
+ - name: LLDAP_PASSWORD_FILE
+ value: /secrets/credentials/lldap-ldap-user-pass
+ - name: LLDAP_BIND_DN
+ value: uid={username},ou=people,dc=huizinga,dc=dev
+ image: git.huizinga.dev/infra/lldap-controller@git.huizinga.dev/infra/lldap-controller@sha256:02aa3a7d70c1af838d0a4ac488d647abb90a4a641c8c82a8e82222c3a9d68f17
+ imagePullPolicy: IfNotPresent
+ name: lldap-controller
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ securityContext: {}
+ volumeMounts:
+ - mountPath: /secrets/credentials
+ name: credentials
+ readOnly: true
+ securityContext: {}
+ serviceAccountName: lldap-controller
+ volumes:
+ - name: credentials
+ secret:
+ secretName: credentials
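Review bot: The ClusterRole's Group subresources are misspelled — `- grours/status` and `- grours/finalizers` match no resource, so the bound service account will be denied on any status or finalizer update for Group objects; they should read `- groups/status` and `- groups/finalizers`. The same role grants verbs `'*'` on core `secrets` cluster-wide through a ClusterRoleBinding, and the Deployment runs the pod with an empty `securityContext: {}` (both pod and container level) and `automountServiceAccountToken: true`, so a compromise of this controller yields read/write access to every Secret in the cluster; listing only the verbs the controller needs and adding a hardened container securityContext narrows that blast radius (below), and a per-namespace RoleBinding would narrow it further if ServiceUsers only live in known namespaces. The container's `image:` value repeats the repository on both sides of the first `@` (`…lldap-controller@git.huizinga.dev/infra/lldap-controller@sha256:…`), which is not a valid image reference and will fail to pull unless it is an artifact of how this page was rendered. Separately, the Group CRD declares `spec` as a bare `type: object` with no properties and no `x-kubernetes-preserve-unknown-fields`, so under apiextensions.k8s.io/v1 the API server prunes every field a user puts into a Group's spec, which is presumably not intended.
```yaml
rules:
- apiGroups:
  - lldap.huizinga.dev
  resources:
  - serviceusers
  - serviceusers/status
  - serviceusers/finalizers
  - groups
  - groups/status
  - groups/finalizers
  - userattributes
  - userattributes/status
  - userattributes/finalizers
  verbs:
  - '*'
# … unchanged: events rule …
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
# … unchanged: ClusterRoleBinding, Deployment down to the container's resources …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
# … unchanged: volumeMounts, pod securityContext, volumes …
```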