# Bootstrap: create the namespace, apply this file, then seed the directory from outside
# the cluster via the 30389 NodePort ($HIP = any node IP):
# kubectl create ns auth-system
# wget -q https://raw.githubusercontent.com/cloudcafetech/k8s-ad-integration/main/ldap-records.ldif
# ldapadd -x -H ldap://$HIP:30389 -D "cn=admin,dc=cloudcafe,dc=org" -W -f ldap-records.ldif
# ldapsearch -x -H ldap://$HIP:30389 -D "cn=admin,dc=cloudcafe,dc=org" -b "dc=cloudcafe,dc=org" -W
#
# Security notes on the commands above:
# - `-W` prompts for the admin password (the base64-decoded LDAP_ADMIN_PASSWORD of the
#   openldap Secret below). The original commands passed it inline with `-w`, which leaves
#   the directory admin password in shell history and in `ps` output on the workstation.
# - ldap:// on 30389 is a cleartext simple bind: the admin password crosses the network
#   unencrypted. Only acceptable on a trusted lab network; otherwise bind over LDAPS.
# - The LDIF is pulled from the `main` branch of a third-party repository with no commit
#   pin or checksum. Review its contents (or pin a commit) before loading it into the directory.
apiVersion: v1
kind: ConfigMap
metadata:
  name: openldap
  namespace: auth-system
# Non-secret slapd bootstrap settings; the openldap Deployment injects them with envFrom.
data:
  # The bind DNs elsewhere in this file use dc=cloudcafe,dc=org, matching this domain.
  LDAP_DOMAIN: "cloudcafe.org"
  LDAP_ORGANISATION: "cloudcafe"
  # Client-certificate verification mode for the LDAPS listener. NOTE(review): "try" requests
  # but does not require a client certificate — only "demand" enforces mutual TLS. Confirm
  # that optional client certs are what is intended here.
  LDAP_TLS_VERIFY_CLIENT: "try"
---
apiVersion: v1
kind: Secret
metadata:
  name: openldap
  namespace: auth-system
type: Opaque
# SECURITY: these values are only base64-encoded, not encrypted, and decode to the same admin
# password shown in the commands at the top of this file. Anyone with read access to this
# repository, or to Secrets in auth-system, has directory admin. Rotate the password before
# any non-lab use and keep real values out of git (external secret store, sealed secrets, or a
# kustomize secretGenerator).
data:
  # Password for cn=admin,dc=cloudcafe,dc=org; consumed by the openldap Deployment.
  LDAP_ADMIN_PASSWORD: U3Ryb25nQWRtaW5QYXNzdzByZA==
  # Bind password used by the ldap-pass Deployment, which binds as the admin DN and is reachable
  # through the Ingress. It is identical to the admin password, so a compromise of the
  # password-change portal yields full directory write. Prefer a dedicated low-privilege bind DN
  # (and a distinct password) for the portal.
  LDAP_BINDPASS: U3Ryb25nQWRtaW5QYXNzdzByZA==
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-pvc-data
  namespace: auth-system
# Backing store for /var/lib/ldap (the directory database) in the openldap Deployment.
spec:
  resources:
    requests:
      storage: "1Gi"
  storageClassName: "local-path"
  # Single-writer volume. NOTE(review): local-path volumes are node-local and unreplicated,
  # so the pod follows the node that holds the data — confirm this is acceptable for the directory.
  accessModes: ["ReadWriteOnce"]
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-pvc-etc
  namespace: auth-system
# Backing store for /etc/ldap/slapd.d (the slapd runtime configuration) in the openldap Deployment.
spec:
  resources:
    requests:
      storage: "1Gi"
  storageClassName: "local-path"
  # Single-writer volume. NOTE(review): local-path volumes are node-local and unreplicated;
  # the configuration database lives on one node only.
  accessModes: ["ReadWriteOnce"]
---
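apiVersion: v1
kind: Service
metadata:
  labels:
    app: openldap
  name: openldap
  namespace: auth-system
# In-cluster address: openldap.auth-system (used by the ldap-pass Deployment).
# SECURITY: NodePort publishes these listeners on every node's IP. Port 389 is cleartext LDAP, so
# a simple bind over it (as in the seeding commands at the top of this file) sends the admin
# password unencrypted. Use the LDAPS node port for anything off-cluster, and remove or firewall
# the 389 NodePort once the directory is seeded — a ClusterIP is enough for in-cluster clients.
spec:
  type: NodePort
  selector:
    app: openldap
  ports:
    # LDAPS. The original manifest mapped 689, which is not the LDAP-over-TLS port and which
    # nothing in this file configures slapd to listen on; 636 is the standard LDAPS port.
    # Exposed on a fixed node port so off-cluster admin binds can use ldaps://$HIP:30636.
    - name: port-636
      port: 636
      targetPort: 636
      protocol: TCP
      nodePort: 30636
    # Cleartext LDAP, kept on the fixed node port the bootstrap commands rely on.
    - name: port-389
      port: 389
      targetPort: 389
      protocol: TCP
      nodePort: 30389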
---
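apiVersion: v1
kind: Service
metadata:
  name: ldap-pass
  namespace: auth-system
# Backend for the ldap-pass Ingress, which terminates TLS. ClusterIP is all the Ingress needs;
# the previous NodePort (with no fixed nodePort) additionally published the plain-HTTP portal on an
# allocated high port of every node, bypassing the Ingress TLS and giving a second, unencrypted
# path to the password-change form.
spec:
  type: ClusterIP
  selector:
    app: ldap-pass
  ports:
    - name: ldap-pass-http
      port: 8765
      targetPort: 80
      protocol: TCP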
---
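apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: openldap
  name: openldap
  namespace: auth-system
spec:
  # Single replica: both PVCs are ReadWriteOnce, so a second pod could not mount them.
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          # SECURITY: ":latest" is a moving target — a retag upstream changes what this directory
          # server runs with no change here. Pin a release tag or, better, an image digest.
          image: docker.io/osixia/openldap:latest
          # Non-secret settings from the ConfigMap and the admin/bind passwords from the Secret;
          # both resources are named "openldap".
          envFrom:
            - configMapRef:
                name: openldap
            - secretRef:
                name: openldap
          ports:
            - name: port-389
              containerPort: 389
            # LDAPS. Was 689 in the original manifest, which is neither the LDAPS port nor a port
            # anything in this file configures slapd to listen on; 636 is the standard LDAPS port.
            - name: port-636
              containerPort: 636
          # Keep the pod out of Service endpoints until slapd accepts connections. The initial
          # delay leaves room for the image's first-run bootstrap; tune it if the pod stays
          # unready for long.
          readinessProbe:
            tcpSocket:
              port: 389
            initialDelaySeconds: 15
            periodSeconds: 10
          volumeMounts:
            # Directory database.
            - name: openldap-pvc-data
              mountPath: "/var/lib/ldap"
            # slapd runtime configuration.
            - name: openldap-pvc-etc
              mountPath: "/etc/ldap/slapd.d"
      volumes:
        - name: openldap-pvc-data
          persistentVolumeClaim:
            claimName: openldap-pvc-data
        - name: openldap-pvc-etc
          persistentVolumeClaim:
            claimName: openldap-pvc-etc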
---
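apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ldap-pass
  name: ldap-pass
  namespace: auth-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-pass
  template:
    metadata:
      labels:
        app: ldap-pass
    spec:
      containers:
        - name: ldap-pass
          # SECURITY: this is the workload exposed through the Ingress, and it runs an unpinned
          # ":latest" image. Pin a release tag or digest.
          image: docker.io/tiredofit/self-service-password:latest
          env:
            # Only the bind password is taken from the shared "openldap" Secret. The previous
            # envFrom/secretRef injected every key of that Secret — including LDAP_ADMIN_PASSWORD,
            # which this portal does not use — into the environment of the most exposed pod here.
            - name: LDAP_BINDPASS
              valueFrom:
                secretKeyRef:
                  name: openldap
                  key: LDAP_BINDPASS
            # Cleartext LDAP inside the cluster. Moving to ldaps://openldap.auth-system:636 also
            # requires the portal to trust the server certificate; do not switch without that.
            - name: LDAP_SERVER
              value: ldap://openldap.auth-system:389
            - name: LDAP_BASE_SEARCH
              value: ou=people,dc=cloudcafe,dc=org
            # SECURITY: binds as the directory admin, so this portal can rewrite any entry, not just
            # passwords under ou=people. Create a dedicated service DN whose ACL permits only the
            # password-change operation there and bind as that instead.
            - name: LDAP_BINDDN
              value: cn=admin,dc=cloudcafe,dc=org
            - name: LDAP_FULLNAME_ATTRIBUTE
              value: cn
            # Users log in with their mail attribute.
            - name: LDAP_LOGIN_ATTRIBUTE
              value: mail
            - name: LDAP_MAIL_ATTRIBUTE
              value: mail
            - name: MAIL_FROM
              value: noreply@example.com
            - name: MAIL_FROM_NAME
              value: Self Service Password
            - name: SMTP_HOST
              value: smtp.example.com
            # Placeholder. A real SMTP password belongs in a Secret (valueFrom.secretKeyRef), not
            # in a plain env value committed to git.
            - name: SMTP_PASS
              value: smtppassword
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURE_TYPE
              value: tls
            - name: SMTP_TIMEOUT
              value: "30"
            - name: SMTP_USER
              value: noreply@example.com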
---
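apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # SECURITY: a self-signed certificate on a credential-entry page trains users to click through
    # TLS warnings and makes a phishing copy indistinguishable from the real portal. Use the
    # private-ca issuer (or a public one) for anything beyond a throwaway lab.
    cert-manager.io/cluster-issuer: selfsigned-issuer
    #cert-manager.io/cluster-issuer: private-ca
    # The portal only receives small form posts. The previous value "0" disabled the body-size
    # limit entirely, letting any client push unbounded request bodies through the proxy.
    nginx.ingress.kubernetes.io/proxy-body-size: "1m"
    # Ten-minute proxy timeouts are far more than a password form needs; they mainly make it
    # cheaper to hold connections open. Lower them once the backend's real latency is known.
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  name: ldap-pass
  namespace: auth-system
spec:
  ingressClassName: nginx
  # TLS terminates here; the hop to the ldap-pass Service is plain HTTP inside the cluster.
  tls:
    - hosts:
        - passchange.apps.k8s.cloudcafe.tech
      secretName: ldap-pass-cert
  rules:
    - host: passchange.apps.k8s.cloudcafe.tech
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ldap-pass
                port:
                  number: 8765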