feat: Add security context

2025-12-21 22:47:26 +01:00
parent 28b5ac8e98
commit 078a9c6155
1 changed files with 286 additions and 0 deletions
--- a/manifests.yaml
+++ b/manifests.yaml
@@ -0,0 +1,286 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: groups.lldap.huizinga.dev
+spec:
+  group: lldap.huizinga.dev
+  names:
+    categories: []
+    kind: Group
+    plural: groups
+    shortNames:
+    - lg
+    singular: group
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns: []
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Custom resource for managing Groups inside of LLDAP
+        properties:
+          spec:
+            type: object
+        required:
+        - spec
+        title: Group
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: serviceusers.lldap.huizinga.dev
+spec:
+  group: lldap.huizinga.dev
+  names:
+    categories: []
+    kind: ServiceUser
+    plural: serviceusers
+    shortNames:
+    - lsu
+    singular: serviceuser
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Can the service user manage passwords
+      jsonPath: .spec.passwordManager
+      name: Manager
+      type: boolean
+    - description: Secret creation timestamp
+      jsonPath: .status.secretCreated
+      name: Password
+      type: date
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Custom resource for managing Service Users inside of LLDAP
+        properties:
+          spec:
+            properties:
+              additionalGroups:
+                default: []
+                items:
+                  type: string
+                type: array
+              passwordManager:
+                default: false
+                type: boolean
+            type: object
+          status:
+            nullable: true
+            properties:
+              secretCreated:
+                format: date-time
+                nullable: true
+                type: string
+            type: object
+        required:
+        - spec
+        title: ServiceUser
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: userattributes.lldap.huizinga.dev
+spec:
+  group: lldap.huizinga.dev
+  names:
+    categories: []
+    kind: UserAttribute
+    plural: userattributes
+    shortNames:
+    - lua
+    singular: userattribute
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - description: Type of attribute
+      jsonPath: .spec.type
+      name: Type
+      type: string
+    - description: Can the attribute contain multiple values
+      jsonPath: .spec.list
+      name: List
+      type: boolean
+    - description: Can users see the value
+      jsonPath: .spec.userVisible
+      name: Visible
+      type: boolean
+    - description: Can users edit the value
+      jsonPath: .spec.userEditable
+      name: Editable
+      type: boolean
+    - jsonPath: .status.synced
+      name: Synced
+      type: boolean
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Custom resource for managing custom User Attributes inside of
+          LLDAP
+        properties:
+          spec:
+            properties:
+              list:
+                default: false
+                type: boolean
+              type:
+                enum:
+                - String
+                - Integer
+                - Jpeg
+                - DateTime
+                type: string
+              userEditable:
+                default: false
+                type: boolean
+              userVisible:
+                default: false
+                type: boolean
+            required:
+            - type
+            type: object
+          status:
+            nullable: true
+            properties:
+              synced:
+                type: boolean
+            required:
+            - synced
+            type: object
+        required:
+        - spec
+        title: UserAttributeValidated
+        type: object
+        x-kubernetes-validations:
+        - message: User attributes are immutable
+          rule: self.spec == oldSelf.spec
+        - message: Editable attribute must also be visible
+          rule: '!self.spec.userEditable || self.spec.userVisible && self.spec.userEditable'
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  labels:
+    app: lldap-controller
+    app.kubernetes.io/name: lldap-controller
+  name: lldap-controller
+  namespace: lldap
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: lldap-controller
+rules:
+- apiGroups:
+  - lldap.huizinga.dev
+  resources:
+  - serviceusers
+  - serviceusers/status
+  - serviceusers/finalizers
+  - groups
+  - grours/status
+  - grours/finalizers
+  - userattributes
+  - userattributes/status
+  - userattributes/finalizers
+  verbs:
+  - '*'
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: lldap-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: lldap-controller
+subjects:
+- kind: ServiceAccount
+  name: lldap-controller
+  namespace: lldap
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: lldap-controller
+    app.kubernetes.io/name: lldap-controller
+  name: lldap-controller
+  namespace: lldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lldap-controller
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: lldap-controller
+      labels:
+        app: lldap-controller
+    spec:
+      containers:
+      - env:
+        - name: RUST_LOG
+          value: info,lldap_controller=debug
+        - name: LLDAP_URL
+          value: http://lldap:17170
+        - name: LLDAP_USERNAME
+          value: admin
+        - name: LLDAP_PASSWORD_FILE
+          value: /secrets/credentials/lldap-ldap-user-pass
+        - name: LLDAP_BIND_DN
+          value: uid={username},ou=people,dc=huizinga,dc=dev
+        image: git.huizinga.dev/infra/lldap-controller@git.huizinga.dev/infra/lldap-controller@sha256:02aa3a7d70c1af838d0a4ac488d647abb90a4a641c8c82a8e82222c3a9d68f17
+        imagePullPolicy: IfNotPresent
+        name: lldap-controller
+        resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
+          requests:
+            cpu: 50m
+            memory: 100Mi
+        securityContext: {}
+        volumeMounts:
+        - mountPath: /secrets/credentials
+          name: credentials
+          readOnly: true
+      securityContext: {}
+      serviceAccountName: lldap-controller
+      volumes:
+      - name: credentials
+        secret:
+          secretName: credentials