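# Manifests for the lldap-controller: three CRDs (Group, ServiceUser,
# UserAttribute), the controller's ServiceAccount, a ClusterRole and
# ClusterRoleBinding granting it access, and the controller Deployment.
#
# Fixes applied in this revision (defects in the original file):
#   - ClusterRole listed "grours/status" and "grours/finalizers" (typo);
#     the resource is "groups", so the controller was never actually granted
#     those subresources.
#   - The container image reference repeated the repository path before the
#     digest and was not a valid image reference.
#
# NOTE(review): the "lldap" namespace and the "credentials" Secret are
# referenced but not defined here — they are assumed to exist already.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: groups.lldap.huizinga.dev
spec:
  group: lldap.huizinga.dev
  names:
    categories: []
    kind: Group
    plural: groups
    shortNames:
      - lg
    singular: group
  scope: Cluster
  versions:
    - additionalPrinterColumns: []
      name: v1
      schema:
        openAPIV3Schema:
          description: Custom resource for managing Groups inside of LLDAP
          properties:
            # spec carries no declared fields; the group is identified by its
            # metadata.name.
            spec:
              type: object
          required:
            - spec
          title: Group
          type: object
      served: true
      storage: true
      # No status subresource for Group (unlike the two CRDs below).
      subresources: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serviceusers.lldap.huizinga.dev
spec:
  group: lldap.huizinga.dev
  names:
    categories: []
    kind: ServiceUser
    plural: serviceusers
    shortNames:
      - lsu
    singular: serviceuser
  # Namespaced: a ServiceUser lives next to the workload that will consume
  # the generated credential Secret.
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - description: Can the service user manage passwords
          jsonPath: .spec.passwordManager
          name: Manager
          type: boolean
        - description: Secret creation timestamp
          jsonPath: .status.secretCreated
          name: Password
          type: date
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: Custom resource for managing Service Users inside of LLDAP
          properties:
            spec:
              properties:
                # Extra LLDAP groups the service user is added to.
                additionalGroups:
                  default: []
                  items:
                    type: string
                  type: array
                # Grants the LLDAP "password manager" role; defaults to off
                # so a plain ServiceUser has no elevated rights in LLDAP.
                passwordManager:
                  default: false
                  type: boolean
              type: object
            status:
              nullable: true
              properties:
                # Set once the credential Secret has been created.
                secretCreated:
                  format: date-time
                  nullable: true
                  type: string
              type: object
          required:
            - spec
          title: ServiceUser
          type: object
      served: true
      storage: true
      subresources:
        status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: userattributes.lldap.huizinga.dev
spec:
  group: lldap.huizinga.dev
  names:
    categories: []
    kind: UserAttribute
    plural: userattributes
    shortNames:
      - lua
    singular: userattribute
  scope: Cluster
  versions:
    - additionalPrinterColumns:
        - description: Type of attribute
          jsonPath: .spec.type
          name: Type
          type: string
        - description: Can the attribute contain multiple values
          jsonPath: .spec.list
          name: List
          type: boolean
        - description: Can users see the value
          jsonPath: .spec.userVisible
          name: Visible
          type: boolean
        - description: Can users edit the value
          jsonPath: .spec.userEditable
          name: Editable
          type: boolean
        - jsonPath: .status.synced
          name: Synced
          type: boolean
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: Custom resource for managing custom User Attributes inside of LLDAP
          properties:
            spec:
              properties:
                list:
                  default: false
                  type: boolean
                type:
                  enum:
                    - String
                    - Integer
                    - Jpeg
                    - DateTime
                  type: string
                # Both visibility flags default to the most restrictive
                # setting; the CEL rule below keeps them consistent.
                userEditable:
                  default: false
                  type: boolean
                userVisible:
                  default: false
                  type: boolean
              required:
                - type
              type: object
            status:
              nullable: true
              properties:
                synced:
                  type: boolean
              required:
                - synced
              type: object
          required:
            - spec
          title: UserAttributeValidated
          type: object
          x-kubernetes-validations:
            # Transition rule: spec may not change after creation (oldSelf is
            # only present on update, so creates are not affected).
            - message: User attributes are immutable
              rule: self.spec == oldSelf.spec
            # An attribute users can edit must also be one they can see.
            - message: Editable attribute must also be visible
              rule: '!self.spec.userEditable || self.spec.userVisible && self.spec.userEditable'
      served: true
      storage: true
      subresources:
        status: {}
---
apiVersion: v1
# The controller talks to the API server, so it needs a mounted token.
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app: lldap-controller
    app.kubernetes.io/name: lldap-controller
  name: lldap-controller
  namespace: lldap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lldap-controller
rules:
  # Full control over the controller's own CRDs (main resource, status and
  # finalizers). Group declares no status subresource above, so
  # "groups/status" is currently unused but harmless.
  - apiGroups:
      - lldap.huizinga.dev
    resources:
      - serviceusers
      - serviceusers/status
      - serviceusers/finalizers
      - groups
      - groups/status
      - groups/finalizers
      - userattributes
      - userattributes/status
      - userattributes/finalizers
    verbs:
      - '*'
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
  # NOTE(review): '*' on core Secrets in a ClusterRole grants read/write on
  # every Secret in every namespace. The controller only needs to manage the
  # credential Secrets it creates for ServiceUsers (a namespaced resource),
  # so the least-privilege shape would be an explicit verb list and, where
  # the deployment model allows, per-namespace Roles. The exact verbs the
  # controller uses are not visible from this file — TODO confirm against
  # the controller code before narrowing.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lldap-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lldap-controller
subjects:
  - kind: ServiceAccount
    name: lldap-controller
    namespace: lldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: lldap-controller
    app.kubernetes.io/name: lldap-controller
  name: lldap-controller
  namespace: lldap
spec:
  # Single replica: the controller is not written for leader election here
  # (none is configured), so do not scale this up.
  replicas: 1
  selector:
    matchLabels:
      app: lldap-controller
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: lldap-controller
      labels:
        app: lldap-controller
    spec:
      containers:
        - env:
            - name: RUST_LOG
              value: info,lldap_controller=debug
            # NOTE(review): plain HTTP to the LLDAP API; the admin credential
            # is sent in cleartext inside the cluster network. Acceptable only
            # if the link is protected by other means (mTLS mesh, network
            # policy) — confirm.
            - name: LLDAP_URL
              value: http://lldap:17170
            - name: LLDAP_USERNAME
              value: admin
            # Password is read from the mounted Secret, never from an env var.
            - name: LLDAP_PASSWORD_FILE
              value: /secrets/credentials/lldap-ldap-user-pass
            # "{username}" is presumably substituted by the controller at
            # bind time — verify against the controller code.
            - name: LLDAP_BIND_DN
              value: uid={username},ou=people,dc=huizinga,dc=dev
          # Pinned by digest so the deployed build is immutable and
          # verifiable; bump the digest to roll out a new build.
          image: git.huizinga.dev/infra/lldap-controller@sha256:02aa3a7d70c1af838d0a4ac488d647abb90a4a641c8c82a8e82222c3a9d68f17
          imagePullPolicy: IfNotPresent
          name: lldap-controller
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 100Mi
          # NOTE(review): no hardening is applied. For a controller that
          # holds an LLDAP admin credential, consider runAsNonRoot,
          # readOnlyRootFilesystem, allowPrivilegeEscalation: false,
          # dropping all capabilities and a RuntimeDefault seccomp profile —
          # left empty here because the image's runtime requirements are not
          # visible from this file.
          securityContext: {}
          volumeMounts:
            - mountPath: /secrets/credentials
              name: credentials
              readOnly: true
      securityContext: {}
      serviceAccountName: lldap-controller
      volumes:
        # Must contain the key "lldap-ldap-user-pass" read via
        # LLDAP_PASSWORD_FILE above.
        - name: credentials
          secret:
            secretName: credentials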