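# OpenLDAP directory for the "homey" chart plus the ingress-nginx annotations
# that other ingresses include to gate access behind LDAP (auth_request).
#
# Contents, in order:
#   1. named template "homey.auth.ingress.annotations" (annotations only)
#   2. three random secrets rendered through "homey.randomsecret" (admin,
#      config and read-only bind passwords)
#   3. the openldap Deployment and ClusterIP Service
#   4. commented-out Keycloak/Postgres resources kept for reference
#
# NOTE(review): the LDAP read-only bind password is read with `lookup` and
# rendered into the nginx configuration-snippet of every ingress that includes
# this template.  Ingress annotations are visible to anyone who can read
# Ingress objects and to anyone who can read the controller's nginx.conf, so
# the secret's RBAC boundary does not apply to it.  Having the auth backend
# take the bind password from its own Secret (instead of the X-Ldap-BindPass
# header) removes the exposure; that change belongs in the auth deployment.
# NOTE(review): ingress-nginx honours location-snippets/configuration-snippet
# only when the controller's `allow-snippet-annotations` setting is enabled;
# recent releases disable it by default, so confirm on the target controller.
---
{{- define "homey.auth.ingress.annotations" }}
# nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
nginx.ingress.kubernetes.io/location-snippets: |-
  auth_request /auth;
nginx.ingress.kubernetes.io/configuration-snippet: |-
  location /auth {
    # proxy_pass http://ldap-auth-internal;
    proxy_pass_request_body off;
    proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
    # Plain ldap:// — the bind credentials cross the cluster network in clear;
    # the service also exposes 636 (ssl-ldap) for a TLS URL once slapd has a cert.
    proxy_set_header X-Ldap-URL "ldap://openldap";
    # "example.com" -> "dc=example,dc=com"
    proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
    proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
    # `dig` with a "" default keeps the template renderable when `lookup`
    # returns an empty map (helm template / --dry-run), where the previous
    # nested `get` calls failed on a non-map argument.
    proxy_set_header X-Ldap-BindPass {{ lookup "v1" "Secret" .Release.Namespace "openldap-ro" | dig "data" "password" "" | b64dec | quote }};
    proxy_set_header X-CookieName "homey.auth.cookie";
    # NOTE(review): nginx variable names stop at the first '.', so this reads
    # as $cookie_homey followed by the literal text ".auth.cookie" rather than
    # the cookie named "homey.auth.cookie" — confirm what the auth backend
    # receives; forwarding $http_cookie is the usual alternative.
    proxy_set_header Cookie $cookie_homey.auth.cookie;
    proxy_set_header X-Remote-User $remote_user;
    proxy_set_header X-Forwarded-Method $request_method;
    # The username is substituted into this filter by the auth backend, which
    # must LDAP-escape it before doing so — confirm in the backend.
    proxy_set_header X-Ldap-Template "(uid=%(username)s)";
  }
{{- end }}
---
# NOTE(review): "homey.randomsecret" is defined elsewhere in the chart; the
# commented-out "---" separators below suggest it emits its own document
# start — confirm.
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }}
# ---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-config") $) }}
# ---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: openldap
  # Single replica; slapd state lives on the shared NFS claim below.
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openldap
    spec:
      # No pod securityContext is set, so the container runs as the image's
      # default user.
      # securityContext:
      #   fsGroup: 0
      containers:
        - name: openldap
          # TODO(review): untagged image resolves to :latest and, with
          # imagePullPolicy Always, is re-pulled on every start — pin a tag
          # or digest (e.g. osixia/openldap:<tag-or-digest placeholder>).
          image: osixia/openldap
          imagePullPolicy: "Always"
          env:
            # Quoted like LDAP_DOMAIN so a value that looks like a number or
            # boolean is still rendered as the string the API requires.
            - name: LDAP_ORGANISATION
              value: {{ .Values.homey.organization | quote }}
            - name: LDAP_DOMAIN
              value: {{ .Values.homey.url | quote }}
            - name: LDAP_ADMIN_USERNAME
              value: "admin"
            - name: LDAP_READONLY_USER
              value: "true"
            # All three passwords come from the secrets rendered above.
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-admin
            - name: LDAP_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-config
            - name: LDAP_READONLY_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: openldap-ro
          ports:
            - name: tcp-ldap
              containerPort: 389
            - name: ssl-ldap
              containerPort: 636
          volumeMounts:
            - mountPath: /etc/ldap/slapd.d
              subPath: openldap/etc/ldap/slapd.d
              name: openldap-volume
            - mountPath: /var/lib/ldap
              subPath: openldap/var/lib/ldap
              name: openldap-volume
      volumes:
        - name: openldap-volume
          persistentVolumeClaim:
            claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  type: ClusterIP
  ports:
    - name: tcp-ldap
      port: 389
      targetPort: tcp-ldap
    - name: ssl-ldap
      port: 636
      targetPort: ssl-ldap
  selector:
    app.kubernetes.io/name: openldap
---
# Keycloak + Postgres resources, disabled.  Note that Helm still evaluates
# the {{ "{{ ... }}" }} actions inside these comments, so the referenced
# .Values keys must remain resolvable while this block is kept.
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
#   name: keycloak-postgres-config
#   labels:
#     app: keycloak-postgres
# data:
#   POSTGRES_DB: keycloak-db
#   POSTGRES_USER: keycloak-admin
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
#   name: keycloak-postgres
#   labels:
#     app: keycloak-postgres
# spec:
#   replicas: 1
#   selector:
#     matchLabels:
#       app: keycloak-postgres
#   template:
#     metadata:
#       labels:
#         app: keycloak-postgres
#       name: keycloak-postgres
#     spec:
#       containers:
#         - name: postgres
#           image: postgres:10.4
#           imagePullPolicy: "IfNotPresent"
#           ports:
#             - containerPort: 5432
#           envFrom:
#             - configMapRef:
#                 name: keycloak-postgres-config
#           env:
#             - name: POSTGRES_PASSWORD
#               valueFrom:
#                 secretKeyRef:
#                   name: keycloak-db-pass
#                   key: password
#           volumeMounts:
#             - mountPath: /var/lib/postgresql/data
#               subPath: keycloak/db/data
#               name: keycloak-postgresdb
#       volumes:
#         - name: keycloak-postgresdb
#           persistentVolumeClaim:
#             claimName: homey-pvc-nfs
# ---
# apiVersion: v1
# kind: Service
# metadata:
#   name: keycloak-postgres-service
#   labels:
#     app: keycloak-postgres
# spec:
#   ports:
#     - port: 5432
#   selector:
#     app: keycloak-postgres
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
#   name: keycloak
#   labels:
#     app: keycloak
# spec:
#   replicas: 1
#   selector:
#     matchLabels:
#       app: keycloak
#   template:
#     metadata:
#       labels:
#         app: keycloak
#     spec:
#       containers:
#         - name: keycloak
#           image: mihaibob/keycloak:18.0.2-legacy
#           env:
#             - name: KEYCLOAK_USER
#               value: "admin"
#             - name: KEYCLOAK_PASSWORD
#               valueFrom:
#                 secretKeyRef:
#                   name: keycloak-pass
#                   key: password
#             - name: PROXY_ADDRESS_FORWARDING
#               value: "true"
#             - name: DB_ADDR
#               value: keycloak-postgres-service
#             - name: DB_DATABASE
#               value: "keycloak-db"
#             - name: DB_VENDOR
#               value: postgres
#             - name: DB_USER
#               value: keycloak-admin
#             - name: DB_PASSWORD
#               valueFrom:
#                 secretKeyRef:
#                   name: keycloak-db-pass
#                   key: password
#           ports:
#             - name: http
#               containerPort: 8080
#           readinessProbe:
#             failureThreshold: 3
#             httpGet:
#               path: /auth/realms/master/
#               port: http
#             initialDelaySeconds: 240
#             timeoutSeconds: 240
#           livenessProbe:
#             failureThreshold: 3
#             httpGet:
#               path: /auth/
#               port: http
#             initialDelaySeconds: 240
#             timeoutSeconds: 240
# ---
# apiVersion: v1
# kind: Service
# metadata:
#   name: keycloak-web
#   labels:
#     app: keycloak
# spec:
#   ports:
#     - name: http
#       port: 8080
#       targetPort: http
#   selector:
#     app: keycloak
# ---
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
#   name: keycloak
# spec:
#   ingressClassName: {{ .Values.homey.ingress_class }}
#   tls:
#     - hosts:
#         - keycloak.{{ .Values.homey.url }}
#       secretName: {{ .Values.homey.certname }}
#   rules:
#     - host: keycloak.{{ .Values.homey.url }}
#       http:
#         paths:
#           - path: /
#             pathType: Prefix
#             backend:
#               service:
#                 name: keycloak-web
#                 port:
#                   number: 8080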