sso(openldap): restore in-cluster LDAP

clusters/atlas/flux-system/applications/jellyfin/kustomization.yaml

@@ -15,5 +15,6 @@ spec:
     namespace: flux-system
   dependsOn:
     - name: core
+    - name: openldap
   wait: true
   timeout: 5m

clusters/atlas/flux-system/applications/kustomization.yaml

@@ -16,6 +16,7 @@ resources:
   - jellyfin/kustomization.yaml
   - xmr-miner/kustomization.yaml
   - sui-metrics/kustomization.yaml
+  - openldap/kustomization.yaml
   - keycloak/kustomization.yaml
   - oauth2-proxy/kustomization.yaml
   - mailu/kustomization.yaml

clusters/atlas/flux-system/applications/openldap/kustomization.yaml

@@ -0,0 +1,19 @@
+# clusters/atlas/flux-system/applications/openldap/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: openldap
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./services/openldap
+  targetNamespace: sso
+  dependsOn:
+    - name: core
+  wait: true
+  timeout: 5m

services/openldap/configmap-bootstrap.yaml

@@ -0,0 +1,15 @@
+# services/openldap/configmap-bootstrap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: openldap-bootstrap
+  namespace: sso
+data:
+  00-organizational-units.ldif: |
+    dn: ou=users,dc=bstein,dc=dev
+    objectClass: organizationalUnit
+    ou: users
+
+    dn: ou=groups,dc=bstein,dc=dev
+    objectClass: organizationalUnit
+    ou: groups

services/openldap/kustomization.yaml

@@ -0,0 +1,8 @@
+# services/openldap/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sso
+resources:
+  - configmap-bootstrap.yaml
+  - service.yaml
+  - statefulset.yaml

services/openldap/service.yaml

@@ -0,0 +1,19 @@
+# services/openldap/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: openldap
+  namespace: sso
+  labels:
+    app: openldap
+spec:
+  clusterIP: None
+  selector:
+    app: openldap
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps

services/openldap/statefulset.yaml

@@ -0,0 +1,87 @@
+# services/openldap/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: openldap
+  namespace: sso
+  labels:
+    app: openldap
+spec:
+  serviceName: openldap
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openldap
+  template:
+    metadata:
+      labels:
+        app: openldap
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: arm64
+        node-role.kubernetes.io/worker: "true"
+      containers:
+        - name: openldap
+          image: docker.io/osixia/openldap:1.5.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: ldap
+              containerPort: 389
+            - name: ldaps
+              containerPort: 636
+          env:
+            - name: LDAP_ORGANISATION
+              value: Atlas
+            - name: LDAP_DOMAIN
+              value: bstein.dev
+            - name: LDAP_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: openldap-admin
+                  key: LDAP_ADMIN_PASSWORD
+            - name: LDAP_CONFIG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: openldap-admin
+                  key: LDAP_CONFIG_PASSWORD
+          readinessProbe:
+            tcpSocket:
+              port: ldap
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: ldap
+            initialDelaySeconds: 30
+            periodSeconds: 20
+          volumeMounts:
+            - name: ldap-data
+              mountPath: /var/lib/ldap
+            - name: slapd-config
+              mountPath: /etc/ldap/slapd.d
+            - name: bootstrap-ldif
+              mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+              readOnly: true
+      volumes:
+        - name: bootstrap-ldif
+          configMap:
+            name: openldap-bootstrap
+  volumeClaimTemplates:
+    - metadata:
+        name: ldap-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: astreae
+        resources:
+          requests:
+            storage: 1Gi
+    - metadata:
+        name: slapd-config
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: astreae
+        resources:
+          requests:
+            storage: 1Gi