A real example from my homelab.
Deployment #
apiVersion: apps/v1
kind: Deployment
metadata:
name: ldapenforcer
namespace: directory
spec:
replicas: 1
selector:
matchLabels:
app: ldapenforcer
template:
metadata:
labels:
app: ldapenforcer
spec:
containers:
- name: enforcer
image: ghcr.io/mrled/ldapenforcer:0.1.3
args:
- "--config"
- "/etc/ldapenforcer/ldapenforcer.toml"
- "sync"
- "--poll"
- "--log-level"
- "DEBUG"
- "--ldap-log-level"
- "DEBUG"
volumeMounts:
- name: ldapenforcer-cm
mountPath: /etc/ldapenforcer
- name: dirsrv-tls-ca
mountPath: "/data/tls/ca"
- name: dirsrv-env-secret
mountPath: /etc/dirsrv/env-secret
securityContext:
runAsUser: 389
runAsGroup: 389
volumes:
- name: dirsrv-tls-ca
configMap:
name: kubernasty-ca-root-cert
- name: dirsrv-env-secret
secret:
secretName: dirsrv-env
- name: ldapenforcer-cm
configMap:
name: ldapenforcer
ConfigMap #
apiVersion: v1
kind: ConfigMap
metadata:
name: ldapenforcer
namespace: directory
data:
ldapenforcer.toml: |+
[ldapenforcer]
uri = "ldaps://dirsrv.directory.svc.cluster.local:636"
bind_dn = "cn=Directory Manager"
password_file = "/etc/dirsrv/env-secret/DS_DM_PASSWORD"
ca_cert_file = "/data/tls/ca/ca.crt"
enforced_people_ou = "ou=enforced,ou=people,dc=micahrl,dc=me"
enforced_svcacct_ou = "ou=enforced,ou=services,dc=micahrl,dc=me"
enforced_group_ou = "ou=enforced,ou=groups,dc=micahrl,dc=me"
poll_config_interval = "10s"
poll_ldap_interval = "1h"
log_level = "DEBUG"
ldap_log_level = "DEBUG"
includes = [
"svcaccts.toml",
"people.toml",
"groups.toml",
]
svcaccts.toml: |+
[ldapenforcer.svcacct.authenticator]
cn = "Authenticator"
description = "A service account for authenticating users"
[ldapenforcer.svcacct.ldapAccountManager]
cn = "LDAP Account Manager"
description = "A service account for managing LDAP accounts"
[ldapenforcer.svcacct.authelia]
cn = "Authelia"
description = "A service account for Authelia"
people.toml: |+
[ldapenforcer.person.mrladmin]
cn = "Micah R Ledbetter (Admin)"
givenName = "Micah"
sn = "Ledbetter"
mail = "mrladmin@micahrl.me"
posix = [10420, 10100]
[ldapenforcer.person.micahrl]
cn = "Micah R Ledbetter"
givenName = "Micah"
sn = "Ledbetter"
mail = "me@micahrl.com"
posix = [10069, 10101]
groups.toml: |+
[ldapenforcer.group.patricii]
description = "Accounts with administrative privileges"
posixGidNumber = 10100
people = ["mrladmin"]
[ldapenforcer.group.proletarii]
description = "Regular user accounts"
posixGidNumber = 10101
people = ["micahrl"]
[ldapenforcer.group.servi]
description = "Service accounts"
posixGidNumber = 10102
svcaccts = ["authelia", "authenticator", "ldapAccountManager"]
[ldapenforcer.group.totalgits]
description = "Users that can log in to the Git server"
people = ["mrladmin", "micahrl"]
[ldapenforcer.group.argowf-users]
description = "Users that can log in to the Argo Workflows server"
groups = ["proletarii"]
[ldapenforcer.group.argowf-admins]
description = "Users that can administer the Argo Workflows server"
groups = ["patricii"]
[ldapenforcer.group.grafana-users]
description = "Users that can log in to the Grafana server"
groups = ["proletarii"]
[ldapenforcer.group.grafana-admins]
description = "Users that can administer the Grafana server"
groups = ["patricii"]
Not shown: CA resource #
The cluster-wide certificate authority has signed the LDAP server’s TLS certificates.
The CA cert is found in the kubernasty-ca-root-cert
configmap,
and mounted into the Deployment pod.
Not shown: dirsrv-env Secret #
The drsrv-env Secret resource contains secret environment variables for the deployment of
389 Directory Server,
including the Directory Manager password as DS_DM_PASSWORD
.
This user will be used to sync the config to the LDAP server.