net-kingdom/sso-mfa/k8s/lldap/deployment.yaml
Bernd Worsch f2f07871eb fix(sso-mfa): commit T02–T06 fixes and workplan status updates
- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 20:25:03 +00:00


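# Deployment + Service — LLDAP (namespace: sso)
#
# LLDAP is the lightweight LDAP directory backing both Authelia (credential
# validation) and KeyCape (user attribute lookup). Configured via environment
# variables only; no config file is needed.
#
# Prerequisites:
# 1. pvc.yaml — lldap-data PVC
# 2. create-secrets.sh — lldap-secrets (LLDAP_JWT_SECRET, LLDAP_LDAP_USER_PASS)
# 3. This file
#
# Ports:
# 3890 — LDAP (internal only; Authelia and KeyCape reach LLDAP here).
#        No LDAPS is configured in this file, so binds on 3890 travel
#        unencrypted inside the cluster — acceptable only if the cluster
#        network itself is trusted (or a mesh adds mTLS), and only if a
#        NetworkPolicy limits 3890 to the Authelia and KeyCape pods; nothing
#        in this manifest restricts in-cluster callers.
# 17170 — Web UI (ingress restricted to VPN via middleware — see ingress.yaml).
#         The middleware covers traffic arriving through Traefik only; the
#         ClusterIP is reachable from any pod unless a NetworkPolicy says
#         otherwise.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: lldap
  strategy:
    type: Recreate  # single replica; SQLite cannot be accessed concurrently
  template:
    metadata:
      labels:
        app.kubernetes.io/name: lldap
        app.kubernetes.io/part-of: net-kingdom-sso-mfa
        net-kingdom/component: sso
    spec:
      # LLDAP never calls the Kubernetes API; do not mount a SA token into a
      # pod whose entrypoint starts as root.
      automountServiceAccountToken: false
      securityContext:
        # lldap/lldap:stable initialises /app as root then drops privileges
        # internally — runAsNonRoot/runAsUser would prevent that init step.
        # Because the entrypoint therefore starts as uid 0, apply the hardening
        # that does not interfere with it (seccomp here, no-new-privs below).
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: lldap
          # NOTE(review): "stable" is a mutable tag, and IfNotPresent means
          # each node keeps whatever it pulled first — pin to a release tag
          # plus an @sha256 digest so every node runs the same reviewed image.
          # Check https://hub.docker.com/r/lldap/lldap for latest stable tag.
          image: lldap/lldap:stable
          imagePullPolicy: IfNotPresent
          securityContext:
            # no_new_privs blocks gaining privilege across execve; a root
            # entrypoint can still setuid() *down* to its service user, so
            # this is expected not to break the init step — verify on rollout.
            allowPrivilegeEscalation: false
            # TODO(review): once the capabilities the init step actually needs
            # are confirmed (likely CHOWN/SETUID/SETGID/DAC_OVERRIDE), add
            # capabilities: {drop: ["ALL"], add: [...]} here.
          ports:
            - name: ldap
              containerPort: 3890
              protocol: TCP
            - name: web-ui
              containerPort: 17170
              protocol: TCP
          env:
            - name: LLDAP_LDAP_BASE_DN
              value: "dc=netkingdom,dc=local"
            # 0.0.0.0 is required so the ports are reachable from the pod
            # network; exposure is bounded by the Service and NetworkPolicy.
            - name: LLDAP_HTTP_HOST
              value: "0.0.0.0"
            - name: LLDAP_LDAP_HOST
              value: "0.0.0.0"
            - name: LLDAP_HTTP_PORT
              value: "17170"
            - name: LLDAP_LDAP_PORT
              value: "3890"
            # Sensitive values from Secret (never inline them here).
            # LLDAP_LDAP_USER_PASS is the directory admin credential per
            # LLDAP's env naming — treat rotation of lldap-secrets as a
            # Recreate of this pod.
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_JWT_SECRET
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: lldap-secrets
                  key: LLDAP_LDAP_USER_PASS
          volumeMounts:
            - name: data
              mountPath: /data
          # LLDAP health check — HTTP endpoint at /health on web UI port.
          # The endpoint is unauthenticated; it only reports liveness.
          livenessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 10
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 17170
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "200m"
              memory: "128Mi"
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: lldap-data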
---
# Service — ClusterIP; LDAP port for Authelia/KeyCape, Web UI for Traefik.
# NOTE(review): a ClusterIP is reachable from every pod in the cluster. The
# VPN restriction on 17170 lives in the Traefik middleware (ingress.yaml) and
# does not apply to direct in-cluster calls; restrict both ports with a
# NetworkPolicy in the sso namespace.
apiVersion: v1
kind: Service
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: lldap
  ports:
    # 3890 — plain LDAP, consumed by Authelia and KeyCape
    - name: ldap
      port: 3890
      targetPort: 3890
      protocol: TCP
    # 17170 — web UI, consumed by Traefik only
    - name: web-ui
      port: 17170
      targetPort: 17170
      protocol: TCP