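---
# Deployment + Service — LLDAP (namespace: sso)
#
# LLDAP is the lightweight LDAP directory backing both Authelia (credential
# validation) and KeyCape (user attribute lookup). Configured via environment
# variables only; no config file is needed.
#
# Prerequisites:
#   1. pvc.yaml          — lldap-data PVC
#   2. create-secrets.sh — lldap-secrets (LLDAP_JWT_SECRET, LLDAP_LDAP_USER_PASS)
#   3. This file
#
# Ports:
#   3890  — LDAP (internal only; Authelia and KeyCape reach LLDAP here)
#   17170 — Web UI (ingress restricted to VPN via middleware — see ingress.yaml)
#
# Hardening notes (defender's view):
#   - The pod never talks to the Kubernetes API, so the ServiceAccount token is
#     not mounted (automountServiceAccountToken: false). Without this, a
#     compromise of the LLDAP process would hand the attacker a cluster
#     credential it has no business holding.
#   - The container starts as root to initialise /app and then drops
#     privileges itself, so runAsNonRoot/runAsUser cannot be set. What CAN be
#     set without breaking that pattern: allowPrivilegeEscalation: false
#     (no_new_privs only blocks GAINING privileges; dropping them still works)
#     and the runtime's default seccomp profile.
#   - Port 3890 is plain LDAP. Bind credentials from Authelia/KeyCape cross the
#     pod network unencrypted, so the "internal only" guarantee rests on
#     NetworkPolicy / cluster network trust — confirm one exists for this
#     namespace (not provided by this file).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: lldap
  strategy:
    type: Recreate  # single replica; SQLite cannot be accessed concurrently
  template:
    metadata:
      labels:
        app.kubernetes.io/name: lldap
        app.kubernetes.io/part-of: net-kingdom-sso-mfa
        net-kingdom/component: sso
    spec:
      # LLDAP does not use the Kubernetes API; do not give it a token.
      automountServiceAccountToken: false
      securityContext:
        # lldap/lldap:stable initialises /app as root then drops privileges
        # internally — runAsNonRoot/runAsUser would prevent that init step.
        # fsGroup makes the data volume group-writable for the dropped-to user.
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: lldap
          # Check https://hub.docker.com/r/lldap/lldap for latest stable tag.
          # "stable" is a mutable tag and IfNotPresent keeps whatever a node
          # already has, so nodes can silently run different builds. Prefer
          # pinning by digest once verified, e.g.
          #   image: lldap/lldap:stable@sha256:<DIGEST-FROM-REGISTRY>  (placeholder)
          image: lldap/lldap:stable
          imagePullPolicy: IfNotPresent
          securityContext:
            # Safe with the start-as-root-then-drop entrypoint: no_new_privs
            # forbids acquiring extra privileges, not shedding them.
            allowPrivilegeEscalation: false
          ports:
            - name: ldap
              containerPort: 3890
              protocol: TCP
            - name: web-ui
              containerPort: 17170
              protocol: TCP
          env:
            - name: LLDAP_LDAP_BASE_DN
              value: "dc=netkingdom,dc=local"
            - name: LLDAP_HTTP_HOST
              value: "0.0.0.0"
            - name: LLDAP_LDAP_HOST
              value: "0.0.0.0"
            - name: LLDAP_HTTP_PORT
              value: "17170"
            - name: LLDAP_LDAP_PORT
              value: "3890"
            # Sensitive values from Secret — never inline these here.
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_JWT_SECRET
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_LDAP_USER_PASS
          volumeMounts:
            - name: data
              mountPath: /data
          # LLDAP health check — HTTP endpoint at /health on web UI port
          livenessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 10
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "200m"
              memory: "128Mi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: lldap-data
---
# Service — ClusterIP; LDAP port for Authelia/KeyCape, Web UI for Traefik.
# Neither port is exposed outside the cluster by this object; the Web UI
# reaches the outside only through the VPN-restricted ingress (ingress.yaml).
apiVersion: v1
kind: Service
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: lldap
  ports:
    # Plain LDAP — see hardening notes in the Deployment header.
    - name: ldap
      port: 3890
      targetPort: 3890
      protocol: TCP
    - name: web-ui
      port: 17170
      targetPort: 17170
      protocol: TCP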