infra/foundation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add security context
All checks were successful
kustomization/flux-system/12ab30af reconciliation succeeded
kustomization/alerts/12ab30af reconciliation succeeded
kustomization/cert-manager/12ab30af reconciliation succeeded
kustomization/longhorn/12ab30af reconciliation succeeded
kustomization/lldap/12ab30af reconciliation succeeded
kustomization/longhorn-jobs/12ab30af reconciliation succeeded
kustomization/reflector/12ab30af reconciliation succeeded
kustomization/spegel/12ab30af reconciliation succeeded
kustomization/certificates/12ab30af reconciliation succeeded
kustomization/cilium/12ab30af reconciliation succeeded
kustomization/cnpg/12ab30af reconciliation succeeded
kustomization/cilium-config/12ab30af reconciliation succeeded
kustomization/local-path-provisioner/12ab30af reconciliation succeeded

Browse Source
This commit is contained in:
Dreaded_X
2025-12-21 22:47:26 +01:00
parent 28b5ac8e98
commit 078a9c6155
1 changed files with 286 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

286
manifests.yaml Normal file
View File

@@ -0,0 +1,286 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: groups.lldap.huizinga.dev
spec:
group: lldap.huizinga.dev
names:
categories: []
kind: Group
plural: groups
shortNames:
- lg
singular: group
scope: Cluster
versions:
- additionalPrinterColumns: []
name: v1
schema:
openAPIV3Schema:
description: Custom resource for managing Groups inside of LLDAP
properties:
spec:
type: object
required:
- spec
title: Group
type: object
served: true
storage: true
subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: serviceusers.lldap.huizinga.dev
spec:
group: lldap.huizinga.dev
names:
categories: []
kind: ServiceUser
plural: serviceusers
shortNames:
- lsu
singular: serviceuser
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Can the service user manage passwords
jsonPath: .spec.passwordManager
name: Manager
type: boolean
- description: Secret creation timestamp
jsonPath: .status.secretCreated
name: Password
type: date
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Custom resource for managing Service Users inside of LLDAP
properties:
spec:
properties:
additionalGroups:
default: []
items:
type: string
type: array
passwordManager:
default: false
type: boolean
type: object
status:
nullable: true
properties:
secretCreated:
format: date-time
nullable: true
type: string
type: object
required:
- spec
title: ServiceUser
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: userattributes.lldap.huizinga.dev
spec:
group: lldap.huizinga.dev
names:
categories: []
kind: UserAttribute
plural: userattributes
shortNames:
- lua
singular: userattribute
scope: Cluster
versions:
- additionalPrinterColumns:
- description: Type of attribute
jsonPath: .spec.type
name: Type
type: string
- description: Can the attribute contain multiple values
jsonPath: .spec.list
name: List
type: boolean
- description: Can users see the value
jsonPath: .spec.userVisible
name: Visible
type: boolean
- description: Can users edit the value
jsonPath: .spec.userEditable
name: Editable
type: boolean
- jsonPath: .status.synced
name: Synced
type: boolean
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Custom resource for managing custom User Attributes inside of
LLDAP
properties:
spec:
properties:
list:
default: false
type: boolean
type:
enum:
- String
- Integer
- Jpeg
- DateTime
type: string
userEditable:
default: false
type: boolean
userVisible:
default: false
type: boolean
required:
- type
type: object
status:
nullable: true
properties:
synced:
type: boolean
required:
- synced
type: object
required:
- spec
title: UserAttributeValidated
type: object
x-kubernetes-validations:
- message: User attributes are immutable
rule: self.spec == oldSelf.spec
- message: Editable attribute must also be visible
rule: '!self.spec.userEditable || self.spec.userVisible && self.spec.userEditable'
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app: lldap-controller
app.kubernetes.io/name: lldap-controller
name: lldap-controller
namespace: lldap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: lldap-controller
rules:
- apiGroups:
- lldap.huizinga.dev
resources:
- serviceusers
- serviceusers/status
- serviceusers/finalizers
- groups
- grours/status
- grours/finalizers
- userattributes
- userattributes/status
- userattributes/finalizers
verbs:
- '*'
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: lldap-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: lldap-controller
subjects:
- kind: ServiceAccount
name: lldap-controller
namespace: lldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: lldap-controller
app.kubernetes.io/name: lldap-controller
name: lldap-controller
namespace: lldap
spec:
replicas: 1
selector:
matchLabels:
app: lldap-controller
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: lldap-controller
labels:
app: lldap-controller
spec:
containers:
- env:
- name: RUST_LOG
value: info,lldap_controller=debug
- name: LLDAP_URL
value: http://lldap:17170
- name: LLDAP_USERNAME
value: admin
- name: LLDAP_PASSWORD_FILE
value: /secrets/credentials/lldap-ldap-user-pass
- name: LLDAP_BIND_DN
value: uid={username},ou=people,dc=huizinga,dc=dev
image: git.huizinga.dev/infra/lldap-controller@git.huizinga.dev/infra/lldap-controller@sha256:02aa3a7d70c1af838d0a4ac488d647abb90a4a641c8c82a8e82222c3a9d68f17
imagePullPolicy: IfNotPresent
name: lldap-controller
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 100Mi
securityContext: {}
volumeMounts:
- mountPath: /secrets/credentials
name: credentials
readOnly: true
securityContext: {}
serviceAccountName: lldap-controller
volumes:
- name: credentials
secret:
secretName: credentials