net-kingdom/sso-mfa/k8s/lldap/deployment.yaml
Bernd Worsch 0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00


# Deployment + Service — LLDAP (namespace: sso)
#
# LLDAP is the lightweight LDAP directory backing both Authelia (credential
# validation) and KeyCape (user attribute lookup). Configured via environment
# variables only; no config file is needed.
#
# Prerequisites:
#   1. pvc.yaml — lldap-data PVC
#   2. create-secrets.sh — lldap-secrets (LLDAP_JWT_SECRET, LLDAP_LDAP_USER_PASS)
#   3. This file
#
# Ports:
#   3890  — LDAP (internal only; Authelia and KeyCape reach LLDAP here)
#   17170 — Web UI (ingress restricted to VPN via middleware — see ingress.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: lldap
  strategy:
    type: Recreate # single replica; SQLite cannot be accessed concurrently
  template:
    metadata:
      labels:
        app.kubernetes.io/name: lldap
        app.kubernetes.io/part-of: net-kingdom-sso-mfa
        net-kingdom/component: sso
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
      containers:
        - name: lldap
          # Check https://hub.docker.com/r/lldap/lldap for latest stable tag.
          image: lldap/lldap:stable
          imagePullPolicy: IfNotPresent
          ports:
            - name: ldap
              containerPort: 3890
              protocol: TCP
            - name: web-ui
              containerPort: 17170
              protocol: TCP
          env:
            - name: LLDAP_LDAP_BASE_DN
              value: dc=netkingdom,dc=local
            - name: LLDAP_HTTP_HOST
              value: "0.0.0.0"
            - name: LLDAP_LDAP_HOST
              value: "0.0.0.0"
            - name: LLDAP_HTTP_PORT
              value: "17170"
            - name: LLDAP_LDAP_PORT
              value: "3890"
            # Sensitive values from Secret
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_JWT_SECRET
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_LDAP_USER_PASS
          volumeMounts:
            - name: data
              mountPath: /data
          # LLDAP health check — HTTP endpoint at /health on web UI port
          livenessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 10
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "200m"
              memory: "128Mi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: lldap-data
---
# Service — ClusterIP; LDAP port for Authelia/KeyCape, Web UI for Traefik.
apiVersion: v1
kind: Service
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: lldap
  ports:
    - name: ldap
      port: 3890
      targetPort: 3890
      protocol: TCP
    - name: web-ui
      port: 17170
      targetPort: 17170
      protocol: TCP
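The probes above only cover the web UI's /health endpoint; the LDAP port that Authelia and KeyCape actually depend on is not exercised. The following is an added example (not code from this repository or from the LLDAP project): a stdlib-only LDAPv3 simple-bind probe against the Service's port 3890 that decodes the server's resultCode, so the lldap-secrets password and the directory can be checked from inside the namespace without installing an LDAP client. The in-cluster host name lldap.sso.svc.cluster.local and the admin bind DN uid=admin,ou=people,dc=netkingdom,dc=local are assumptions.

```python
import os
import socket
def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf: bytes, pos: int = 0):
    """Decode one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def parse_bind_response(data: bytes) -> tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp)            # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_bind(host, port, dn, password, timeout=5.0):
    """Plain LDAP (port 3890 is cluster-internal only): one simple bind, parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":
    # Assumed: in-cluster Service name and admin DN; password from the lldap-secrets key.
    code, diag = probe_bind("lldap.sso.svc.cluster.local", 3890,
        "uid=admin,ou=people,dc=netkingdom,dc=local", os.environ["LLDAP_LDAP_USER_PASS"])
    print(f"bind resultCode={code} (0 success, 49 invalidCredentials) {diag}")
```

A resultCode of 0 means the bind succeeded; 49 (invalidCredentials) with a reachable port points at a mismatch between the lldap-secrets value and what LLDAP initialised its admin account with.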