

(ldap) reintroduce lldap #1341
h3mmy committed Aug 6, 2023
1 parent ec6700a commit 293b764
Showing 18 changed files with 633 additions and 1 deletion.
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -48,7 +48,6 @@ infrastructure/bare-metal/*
infrastructure/shared/networks.yaml
infrastructure/terraform/vault/*
*volsync-config.yaml
cluster/apps/auth/ldap
cluster/bootstrap
kube-dns.yml
ceph-dis/*
97 changes: 97 additions & 0 deletions cluster/apps/auth/ldap/app/README.md
@@ -0,0 +1,97 @@
# glauth

Initial version yoinked from @onedr0p

## Debugging

kubectl run ephemeral-demo --image=registry.k8s.io/pause:3.1 --restart=Never

## Repo configuration

- (Optional) Add/Update `.vscode/extensions.json`

```json
{
"files.associations": {
"**/kubernetes/**/*.sops.toml": "plaintext"
}
}
```

- (Optional) Add/Update `.gitattributes`

```text
*.sops.toml linguist-language=JSON
```

- (Required) Add/Update `.sops.yaml`

```yaml
- path_regex: kubernetes/.*\.sops\.toml
key_groups:
- age:
- <PUBLIC_AGE_KEY>
```
## App Configuration
Below are some sample decrypted versions of the sops encrypted toml files.
> `passbcrypt` can be generated at https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0)

or via

> `htpasswd -bnBC 10 "" YOUR_PASSWORD | tr -d ':\n' | od -A n -t x1 | sed 's/ *//g' | tr -d '\n'`

- `server.sops.toml`

```toml
debug = true
[ldap]
enabled = true
listen = "0.0.0.0:389"
[ldaps]
enabled = false
[api]
enabled = true
tls = false
listen = "0.0.0.0:5555"
[backend]
datastore = "config"
baseDN = "dc=home,dc=arpa"
```

- `groups.sops.toml`

```toml
[[groups]]
name = "svcaccts"
gidnumber = 6500
[[groups]]
name = "admins"
gidnumber = 6501
[[groups]]
name = "people"
gidnumber = 6502
```

- `users.sops.toml`

```toml
[[users]]
name = "search"
uidnumber = 5000
primarygroup = 6500
passbcrypt = ""
[[users.capabilities]]
action = "search"
object = "*"
[[users]]
name = "h3mmy"
mail = ""
givenname = "Zee"
sn = "Aslam"
uidnumber = 5001
primarygroup = 6502
othergroups = [ 6501 ]
passbcrypt = ""
103 changes: 103 additions & 0 deletions cluster/apps/auth/ldap/app/helm-release.yaml
@@ -0,0 +1,103 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app lldap
namespace: auth
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 1.5.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
maxHistory: 2
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controller:
replicas: 2
strategy: RollingUpdate
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/lldap/lldap
tag: v0.4.3
env:
TZ: ${TZ}
LLDAP_HTTP_PORT: &port 80
LLDAP_HTTP_URL: https://lldap.${XYZ_DOMAIN}
# enable after cert secret is generated
LLDAP_LDAPS_OPTIONS__PORT: &ldapsPort 636
LLDAP_LDAPS_OPTIONS__ENABLED: true
LLDAP_LDAPS_OPTIONS__KEY_FILE: /certs/tls.key
LLDAP_LDAPS_OPTIONS__CERT_FILE: /certs/tls.crt
LLDAP_LDAP_PORT: &ldapPort 389
LLDAP_VERBOSE: true
envFrom:
- secretRef:
name: lldap-env
service:
main:
ports:
http:
port: *port
ldap:
enabled: true
port: *ldapPort
# enable after cert secret is generated
ldaps:
enabled: true
port: *ldapsPort
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production"
hajimari.io/enable: "true"
hajimari.io/instance: "bloop-quarky"
# hajimari.io/icon: "weather-sunset"
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
hosts:
- host: &host "{{ .Release.Name }}.${XYZ_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: tls.lldap
persistence:
data:
enabled: true
type: emptyDir
# enable after cert secret is generated
certs:
enabled: true
type: secret
name: tls.lldap
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 500Mi
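Review bot: No `podSecurityContext` or container `securityContext` is set anywhere in the values, and the container is told to bind 80, 389 and 636 via `LLDAP_HTTP_PORT`, `LLDAP_LDAP_PORT` and `LLDAP_LDAPS_OPTIONS__PORT`, which are privileged ports and so require root or CAP_NET_BIND_SERVICE inside the pod — as written this identity service most likely runs as root. Switching to lldap's unprivileged default ports and keeping 80/389/636 only on the Service (via `targetPort`) lets the pod run non-root with every capability dropped, without changing what clients and the ingress connect to; I believe app-template 1.5.1 derives the container port from `targetPort`, but check the rendered Deployment. Separately, `persistence.data` is an emptyDir on a two-replica RollingUpdate deployment, so nothing stateful may live there — that holds only if the database URL in `lldap-env` points at the cnpg cluster and the server key is not written to that directory (lldap generates `server_key` at startup when it is missing, and a key that differs per replica or per restart breaks password verification). The web UI ingress carries no auth middleware or IP allow-list; if `${XYZ_DOMAIN}` resolves publicly, the admin UI is internet-facing with only lldap's own login in front of it, which is worth a `traefik.ingress.kubernetes.io/router.middlewares` entry for an internal-only or forward-auth middleware.
```yaml
env:
  # … unchanged: TZ, LLDAP_HTTP_URL, LDAPS key/cert paths, LLDAP_VERBOSE …
  LLDAP_HTTP_PORT: &port 17170
  LLDAP_LDAPS_OPTIONS__PORT: &ldapsPort 6360
  LLDAP_LDAP_PORT: &ldapPort 3890
# … unchanged: envFrom …
service:
  main:
    ports:
      http:
        port: 80
        targetPort: *port
      ldap:
        enabled: true
        port: 389
        targetPort: *ldapPort
      ldaps:
        enabled: true
        port: 636
        targetPort: *ldapsPort
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000  # confirm the UID the ghcr.io/lldap/lldap image expects
  runAsGroup: 1000
  fsGroup: 1000
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
# … unchanged: ingress, persistence, topologySpreadConstraints, resources …
```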
8 changes: 8 additions & 0 deletions cluster/apps/auth/ldap/app/kustomization.yaml
@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./lldap-secret.sops.yaml
- ./helm-release.yaml
# - ./gatus.yaml
42 changes: 42 additions & 0 deletions cluster/apps/auth/ldap/app/lldap-secret.sops.yaml
@@ -0,0 +1,42 @@
apiVersion: v1
kind: Secret
metadata:
name: lldap-env
namespace: auth
stringData:
LLDAP_JWT_SECRET: ENC[AES256_GCM,data:en/woBbELDxa9yWtNYE5ZWOjXWNY3f7M/JsJVEbSl0E=,iv:ZZ7xGebAo3VlNlImTjXpBAHV/Cy2PtriXcz2rnvxchY=,tag:LyBvQXHsjQBpS7KpRwGz1g==,type:str]
LLDAP_LDAP_BASE_DN: ENC[AES256_GCM,data:JqqpvaQdvgXb8MU2gE/QyUtY,iv:lRf9x/ZlK38bD1htXAu+JEIfpyIdA9MbFPL5yH9Op9Q=,tag:K3zJZ9ejGbhk4jJ/2gsfKg==,type:str]
LLDAP_LDAP_USER_PASS: ENC[AES256_GCM,data:15CVM2p3G1/GfiVdxX5WBmRRgu1tKRSR2U0vIE92Tft80las4A==,iv:4kK4s20aRfaDxRpLE8BQJeChFFhdoZUdEP7Bw6VeHA8=,tag:nvJpwz4HCKSG5xFmhKWeaw==,type:str]
LLDAP_LDAP_USER_DN: ENC[AES256_GCM,data:CQjs/AQRFTGK,iv:K6k8x45hca08hvKC3oDdoK/2Z76qdJ1W60ZQaURRECA=,tag:ub1MSRMoISE3qM1yfb3Hgw==,type:str]
LLDAP_LDAP_USER_EMAIL: ENC[AES256_GCM,data:omUNKx3qhQbGk6P7mRGZMLY8U6xazQ==,iv:UzmwmgbYYCs15oD2H5WP1JL9P0dXyvgw3F3+htIvL6w=,tag:ftVTyKESjGvFcx7H5i8/pA==,type:str]
LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:WlsaSffaMj44zraglilIkwn5lDTBsSIgTiFnUYyJLsvB,iv:6Y6d+bmaWSsTuIkihcdCFEJJ8g7f0JLoJrq+OJK/CTk=,tag:DORWlFApPD6EZXkjvqFFhA==,type:str]
LLDAP_DATABASE_URL: ENC[AES256_GCM,data:VcOBjmTypWyqNt6uiNZJ7J7h70DB/Z11SoARd09+NTAG8tVHNtBroeLms1QVJZOo5BXhXSpwDrMyzwEWznkyR3OvYwHaEagw8ACFjPiOabgRp+HaFVZR9w0=,iv:QRdxwEGGwfCti/tFwrQngYExgN0Ud2GGVr4Tyhi63ac=,tag:OC6jiiseII6plzlRn9TkJg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hr5v66mq2rtflw8vrzmdlaku48v0j5l2wr58lrdmxqp5decczugs3rr6yt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZnFtbmNhd3Z0MS9PS2pw
Wjlaei9Kb3g0T2MzbjFNMUhwTVViZzNHYWhJCmsrYmp4dHJkZnhFN2tFWXZmRDh3
eXBoV3RjYjlKcmxsUW9YSGpBTGI3MmsKLS0tIGxubGdxZXMyczErRUVFRHozNU0w
VFR6aVRBS0NWNlFmRnBxWmVycXY4N0kKh7keWuHwhG/BO199FTHElTwLZYpXWkHE
Qlyo4HHEGrFvHB1+ZDhFE5JOtvPCpj/RDMZp2t97LNY13rigq/iapw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rp9r7wvsgy6zcl3j4v7kvnrv29sawvqhlm759j9x6zvs0f9ry4kqtmajrq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WlBhdnhsck1PdWgvZmF6
TndlK1RHSDh6YWlYcFlzMHVHdEFIVnlQZXdBCjAxb3cyL2k1NVhxOWYvRUxRSXpo
ZmtZakNYVkF6TlFteWV0aFErOVoreVEKLS0tIHh4b0Fpa1VmUTFaNWU5QkZ5aE9D
WWh5UG5WczA3eXc5SmxkVUs5QnlkdTAKnAqQHxRMlyg7YbFygnTxX76wcW8gnHHN
e4hs9vF7yBy1qsgLUxSD1oHOEbu1APCfI3UOTrWR5tMP12QoqLoWkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-06T18:47:04Z"
mac: ENC[AES256_GCM,data:7a0u9IP1YFUCqWMMQOG4B1ZxMnh0qso1C8qyu14K/Dx9+u2lRJEna2/slmBNH/ROTMqcZfHjHkBUGQnlkKw82u1xPh6ujG03rWBiF1tEXbyL6umzMNa8y/2Go69pRBnWA3YHPBGwPhrtN9V/flCEZILRiHRgv82/XmQjkpyfFTU=,iv:HngHSL8bnjo8nkaktCP/ZY2816IKvSJl6q6h52Gvufg=,tag:CGannr/ak84SFdM1QtADAA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1
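Review bot: `LLDAP_SERVER_KEY_SEED` does not match any lldap setting I can place: the server key has been configured through `key_file` (`LLDAP_KEY_FILE`, default `server_key`), and the seed-based option that later releases added is `key_seed`, which the `LLDAP_` prefix would expose as `LLDAP_KEY_SEED` — I cannot confirm that the v0.4.3 image pinned in the HelmRelease reads a seed at all. If the variable is silently ignored, each of the two replicas generates its own key at startup and, because the data volume is an emptyDir, regenerates it on every restart; lldap's password authentication is bound to that key, so a changed key invalidates every stored password. Please verify the name against the v0.4.3 configuration template and, if no seed option exists there, persist the key file on a shared volume (or run a single replica) until a release that supports `key_seed` is used. The file itself is correctly sops-encrypted (`stringData` is covered by `encrypted_regex`), so dropping the `.gitignore` entry is fine.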
5 changes: 5 additions & 0 deletions cluster/apps/auth/ldap/db/alerts/kustomization.yaml
@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./prometheus-rule.yaml
67 changes: 67 additions & 0 deletions cluster/apps/auth/ldap/db/alerts/prometheus-rule.yaml
@@ -0,0 +1,67 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: ldap-cnpg-rules
namespace: auth
labels:
prometheus: k8s
role: alert-rules
spec:
groups:
- name: cloudnative-pg.rules
rules:
- alert: LongRunningTransaction
annotations:
description: Pod {{ $labels.pod }} is taking more than 5 minutes (300 seconds) for a query.
summary: A query is taking longer than 5 minutes.
expr: |-
cnpg_backends_max_tx_duration_seconds > 300
for: 1m
labels:
severity: warning
- alert: BackendsWaiting
annotations:
description: Pod {{ $labels.pod }} has been waiting for longer than 5 minutes
summary: If a backend is waiting for longer than 5 minutes
expr: |-
cnpg_backends_waiting_total > 300
for: 1m
labels:
severity: warning
- alert: PGDatabase
annotations:
description: Over 150,000,000 transactions from frozen xid on pod {{ $labels.pod }}
summary: Number of transactions from the frozen XID to the current one
expr: |-
cnpg_pg_database_xid_age > 150000000
for: 1m
labels:
severity: warning
- alert: PGReplication
annotations:
description: Standby is lagging behind by over 300 seconds (5 minutes)
summary: The standby is lagging behind the primary
expr: |-
cnpg_pg_replication_lag > 300
for: 1m
labels:
severity: warning
- alert: LastFailedArchiveTime
annotations:
description: Archiving failed for {{ $labels.pod }}
summary: Checks the last time archiving failed. Will be -1 when it has not failed.
expr: |-
delta(cnpg_pg_stat_archiver_last_failed_time[5m]) > 0
for: 1m
labels:
severity: warning
- alert: DatabaseDeadlockConflicts
annotations:
description: There are over 10 deadlock conflicts in {{ $labels.pod }}
summary: Checks the number of database conflicts
expr: |-
cnpg_pg_stat_database_deadlocks > 10
for: 1m
labels:
severity: warning
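Review bot: `BackendsWaiting` compares `cnpg_backends_waiting_total > 300`, but that metric is a count of backends currently waiting on a lock, not a duration, so the "longer than 5 minutes" wording in its `description` and `summary` does not describe what fires and the alert is effectively dead on a small LDAP database unless 300 sessions pile up at once. A small count held for a while matches the stated intent: `expr: cnpg_backends_waiting_total > 0` with `for: 5m`, and the annotation reworded to "backends have been waiting on locks for over 5 minutes". None of the six expressions is scoped to this cluster, and the group name `cloudnative-pg.rules` is the generic one, so the rules match every cnpg instance this Prometheus scrapes and duplicate if the same file is copied into another namespace; filter on whatever cluster label the PodMonitor exposes (for example `{cnpg_cluster="ldap-postgres"}`) or give the group an app-specific name. The `prometheus: k8s` / `role: alert-rules` labels presume a matching `ruleSelector` on the Prometheus CR — worth confirming, since an unselected PrometheusRule fails silently.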
12 changes: 12 additions & 0 deletions cluster/apps/auth/ldap/db/backup/backup-schedule.yaml
@@ -0,0 +1,12 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: backup-schedule-ldap-postgres-v1
namespace: auth
spec:
schedule: "@daily"
immediate: true
backupOwnerReference: self
cluster:
name: ldap-postgres
6 changes: 6 additions & 0 deletions cluster/apps/auth/ldap/db/backup/kustomization.yaml
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./obc-backup-v1.yaml
- ./backup-schedule.yaml
12 changes: 12 additions & 0 deletions cluster/apps/auth/ldap/db/backup/obc-backup-v1.yaml
@@ -0,0 +1,12 @@
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: cnpg-ldap-backup-v1
namespace: auth
spec:
generateBucketName: ldap-postgres-backup
storageClassName: rook-ceph-bucket
additionalConfig:
maxObjects: "1000"
maxSize: "2G"
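Review bot: The bucket quota of `maxObjects: "1000"` and `maxSize: "2G"` is tight for a cnpg backup target: every archived WAL segment is a separate 16 MiB object on top of the daily base backups from the ScheduledBackup, so either limit is reachable within weeks even for a small LDAP database. Once the quota is hit, WAL archiving starts failing (the `LastFailedArchiveTime` rule should fire) and un-archived WAL accumulates on the Postgres volume until it fills. No retention is visible in this change — it belongs on the Cluster's `backup.retentionPolicy` in `ldap-cnpg-v15.yaml`, which is outside this page — so either confirm that is set and sized against this quota, or raise the quota. A comment on the claim recording the assumption would help, e.g. `# sized for ~30 days of daily base backups + WAL; retention is enforced by Cluster.spec.backup.retentionPolicy`.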
8 changes: 8 additions & 0 deletions cluster/apps/auth/ldap/db/cluster/canary-cfg.yaml
@@ -0,0 +1,8 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: canary-config
namespace: auth
data:
test: "true"
5 changes: 5 additions & 0 deletions cluster/apps/auth/ldap/db/cluster/kustomization.yaml
@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./ldap-cnpg-v15.yaml