feat(glauth): switch away from lldap

Signed-off-by: Devin Buhl <[email protected]>

README.md

@@ -93,23 +93,22 @@ This Git repository contains the following directories under [Kubernetes](./kube
 
 ### Flux Workflow
 
-This is a high-level look how Flux deploys my applications with dependencies. Below there are 3 apps `postgres`, `lldap` and `authelia`. `postgres` is the first app that needs to be running and healthy before `lldap` and `authelia`. Once `postgres` is healthy `lldap` will be deployed and after that is healthy `authelia` will be deployed.
+This is a high-level look how Flux deploys my applications with dependencies. Below there are 3 apps `postgres`, `glauth` and `authelia`. `postgres` is the first app that needs to be running and healthy before `glauth` and `authelia`. Once `postgres` is healthy `glauth` will be deployed and after that is healthy `authelia` will be deployed.
 
 ```mermaid
 graph TD;
   id1>Kustomization: cluster] -->|Creates| id2>Kustomization: cluster-apps];
   id2>Kustomization: cluster-apps] -->|Creates| id3>Kustomization: postgres];
-  id2>Kustomization: cluster-apps] -->|Creates| id6>Kustomization: lldap]
+  id2>Kustomization: cluster-apps] -->|Creates| id6>Kustomization: glauth]
   id2>Kustomization: cluster-apps] -->|Creates| id8>Kustomization: authelia]
   id2>Kustomization: cluster-apps] -->|Creates| id5>Kustomization: postgres-cluster]
   id3>Kustomization: postgres] -->|Creates| id4[HelmRelease: postgres];
   id5>Kustomization: postgres-cluster] -->|Depends on| id3>Kustomization: postgres];
   id5>Kustomization: postgres-cluster] -->|Creates| id10[Postgres Cluster];
-  id6>Kustomization: lldap] -->|Creates| id7(HelmRelease: lldap);
-  id6>Kustomization: lldap] -->|Depends on| id5>Kustomization: postgres-cluster];
+  id6>Kustomization: glauth] -->|Creates| id7(HelmRelease: glauth);
   id8>Kustomization: authelia] -->|Creates| id9(HelmRelease: authelia);
   id8>Kustomization: authelia] -->|Depends on| id5>Kustomization: postgres-cluster];
-  id9(HelmRelease: authelia) -->|Depends on| id7(HelmRelease: lldap);
+  id9(HelmRelease: authelia) -->|Depends on| id7(HelmRelease: glauth);
 ```
 
 ### Networking

kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml

@@ -88,9 +88,6 @@ spec:
             port: *port
           metrics:
             port: 8080
-    serviceAccount:
-      create: true
-      name: *app
     serviceMonitor:
       app:
         serviceName: *app
@@ -100,3 +97,6 @@ spec:
             path: /metrics
             interval: 1m
             scrapeTimeout: 10s
+    serviceAccount:
+      create: true
+      name: *app

kubernetes/main/apps/default/authelia/app/externalsecret.yaml

@@ -13,7 +13,7 @@ spec:
     template:
       engineVersion: v2
       data:
-        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .LLDAP_LDAP_USER_PASS }}"
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .GLAUTH_SEARCH_PASSWORD }}"
         AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
         AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_JWKS }}"
         AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET }}"
@@ -36,8 +36,8 @@ spec:
     - extract:
         key: cloudnative-pg
     - extract:
-        key: grafana
+        key: glauth
     - extract:
-        key: lldap
+        key: grafana
     - extract:
         key: miniflux

kubernetes/main/apps/default/authelia/app/helmrelease.yaml

@@ -23,7 +23,7 @@ spec:
       strategy: rollback
       retries: 3
   dependsOn:
-    - name: lldap
+    - name: glauth
       namespace: default
   values:
     controllers:

kubernetes/main/apps/default/authelia/app/resources/configuration.yaml

@@ -1,28 +1,28 @@
 ---
 # Note: Authelia vars should be escaped with $${VAR_NAME} to avoid interpolation by Flux
 authentication_backend:
-  password_reset:
-    disable: true
-  refresh_interval: 1m
   ldap:
-    address: ldap://lldap.default.svc.cluster.local:389
+    address: ldap://glauth.default.svc.cluster.local:389
     implementation: custom
     timeout: 5s
     start_tls: false
     base_dn: dc=home,dc=arpa
-    additional_users_dn: ou=people
-    users_filter: (&({username_attribute}={input})(objectClass=person))
+    additional_users_dn: ou=users
+    users_filter: (&({username_attribute}={input})(objectClass=posixAccount))
     additional_groups_dn: ou=groups
-    groups_filter: (member={dn})
+    groups_filter: (&(memberUid={username})(objectClass=posixGroup))
     group_search_mode: filter
-    user: uid=admin,ou=people,dc=home,dc=arpa
+    user: cn=search,ou=svcaccts,dc=home,dc=arpa
     password: password
     attributes:
       username: uid
-      display_name: displayName
+      display_name: givenName
       mail: mail
       member_of: memberOf
       group_name: cn
+  password_reset:
+    disable: true
+  refresh_interval: 1m
 
 session:
   same_site: lax

kubernetes/main/apps/default/glauth/app/externalsecret.yaml

@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: glauth
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: glauth-secret
+    template:
+      engineVersion: v2
+      # Create passbcrypt:
+      #   "https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex('None',0)"
+      # or
+      #   htpasswd -bnBC 10 "" YOUR_PASSWORD | tr -d ':\n' | od -A n -t x1 | sed 's/ *//g' | tr -d '\n'
+      data:
+        server.toml: |
+          debug = true
+          [api]
+            enabled = true
+            tls = false
+            listen = "0.0.0.0:5555"
+          [ldap]
+            enabled = true
+            listen = "0.0.0.0:389"
+          [ldaps]
+            enabled = false
+          [backend]
+            datastore = "config"
+            baseDN = "dc=home,dc=arpa"
+        groups.toml: |
+          [[groups]]
+            name = "svcaccts"
+            gidnumber = 6500
+          [[groups]]
+            name = "admins"
+            gidnumber = 6501
+          [[groups]]
+            name = "people"
+            gidnumber = 6502
+        users.toml: |
+          [[users]]
+            name = "search"
+            uidnumber = 5000
+            primarygroup = 6500
+            passbcrypt = "{{ .GLAUTH_SEARCH_PASSWORD_BCRYPT }}"
+            [[users.capabilities]]
+              action = "search"
+              object = "*"
+          [[users]]
+            name = "devin"
+            mail = "{{ .GLAUTH_DEVIN_EMAIL }}"
+            givenname = "Devin"
+            sn = "Buhl"
+            uidnumber = 5001
+            primarygroup = 6502
+            othergroups = [ 6501 ]
+            passbcrypt = "{{ .GLAUTH_DEVIN_PASSWORD_BCRYPT }}"
+          [[users]]
+            name = "louie"
+            mail = "{{ .GLAUTH_LOUIE_EMAIL }}"
+            givenname = "Louie"
+            sn = "Buhl"
+            uidnumber = 5002
+            primarygroup = 6502
+            passbcrypt = "{{ .GLAUTH_LOUIE_PASSWORD_BCRYPT }}"
+  dataFrom:
+    - extract:
+        key: glauth

kubernetes/main/apps/default/lldap/app/helmrelease.yaml → kubernetes/main/apps/default/glauth/app/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
-  name: &app lldap
+  name: &app glauth
 spec:
   interval: 30m
   chart:
@@ -24,50 +24,44 @@ spec:
       retries: 3
   values:
     controllers:
-      lldap:
+      glauth:
         replicas: 2
         strategy: RollingUpdate
         annotations:
           reloader.stakater.com/auto: "true"
-        initContainers:
-          init-db:
-            image:
-              repository: ghcr.io/onedr0p/postgres-init
-              tag: 16
-            envFrom: &envFrom
-              - secretRef:
-                  name: lldap-secret
         containers:
           app:
             image:
-              repository: ghcr.io/lldap/lldap
-              tag: v0.5.0@sha256:f0f5d92cd6c6dca9415993cfc57919f0618e87090b323a98c1536975860fa45a
-            env:
-              TZ: America/New_York
-              LLDAP_HTTP_PORT: &port 80
-              LLDAP_HTTP_URL: https://lldap.devbu.io
-              LLDAP_LDAP_PORT: &ldapPort 389
-              LLDAP_LDAP_BASE_DN: dc=home,dc=arpa
-            envFrom: *envFrom
+              repository: docker.io/glauth/glauth
+              tag: v2.3.2
+            command: ["/app/glauth", "-c", "/config"]
             probes:
               liveness: &probes
                 enabled: true
                 custom: true
                 spec:
                   httpGet:
-                    path: /health
-                    port: *port
+                    path: /
+                    port: &port 5555
                   initialDelaySeconds: 0
                   periodSeconds: 10
                   timeoutSeconds: 1
                   failureThreshold: 3
               readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
             resources:
               requests:
                 cpu: 10m
               limits:
                 memory: 128Mi
         pod:
+          securityContext:
+            runAsUser: 65534
+            runAsGroup: 65534
+            runAsNonRoot: true
           topologySpreadConstraints:
             - maxSkew: 1
               topologyKey: kubernetes.io/hostname
@@ -77,24 +71,34 @@ spec:
                   app.kubernetes.io/name: *app
     service:
       app:
-        controller: lldap
+        controller: *app
         ports:
           http:
             port: *port
           ldap:
-            port: *ldapPort
-    ingress:
+            enabled: true
+            port: 389
+            protocol: TCP
+    serviceMonitor:
       app:
-        className: internal
-        hosts:
-          - host: &host "{{ .Release.Name }}.devbu.io"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts: [*host]
+        serviceName: *app
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
     persistence:
-      data:
-        type: emptyDir
+      config:
+        type: secret
+        name: glauth-secret
+        globalMounts:
+          - path: /config/groups.toml
+            subPath: groups.toml
+            readOnly: true
+          - path: /config/server.toml
+            subPath: server.toml
+            readOnly: true
+          - path: /config/users.toml
+            subPath: users.toml
+            readOnly: true

kubernetes/main/apps/default/lldap/app/kustomization.yaml → kubernetes/main/apps/default/glauth/app/kustomization.yaml

@@ -5,4 +5,3 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ../../../../templates/gatus/guarded

kubernetes/main/apps/default/lldap/ks.yaml → kubernetes/main/apps/default/glauth/ks.yaml

@@ -3,25 +3,21 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app lldap
+  name: &app glauth
   namespace: flux-system
 spec:
   targetNamespace: default
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: cloudnative-pg-cluster
     - name: external-secrets-stores
-  path: ./kubernetes/main/apps/default/lldap/app
+  path: ./kubernetes/main/apps/default/glauth/app
   prune: true
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
-  wait: true
+  wait: false
   interval: 30m
   retryInterval: 1m
   timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app

kubernetes/main/apps/default/kustomization.yaml

@@ -12,8 +12,8 @@ resources:
   - ./cross-seed/ks.yaml
   - ./flaresolverr/ks.yaml
   - ./frigate/ks.yaml
+  - ./glauth/ks.yaml
   - ./home-assistant/ks.yaml
-  - ./lldap/ks.yaml
   - ./miniflux/ks.yaml
   - ./mosquitto/ks.yaml
   - ./overseerr/ks.yaml