GHP publish

roles/openldap/defaults/main.yaml

@@ -0,0 +1,279 @@
+openldap_default_values:
+  replicaCount: 1
+  
+  # Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
+  # It prevents from merging with existing map keys which are forbidden.
+  strategy: 
+    type: RollingUpdate
+    # type: RollingUpdate
+    # rollingUpdate:
+    #   maxSurge: 1
+    #   maxUnavailable: 0
+    #
+    # or
+    #
+    # type: Recreate
+    # rollingUpdate: null
+  image:
+    # From repository https://github.com/osixia/docker-openldap
+    repository: osixia/openldap
+    tag: 1.4.0
+    pullPolicy: Always
+  
+  # Spcifies an existing secret to be used for admin and config user passwords
+  existingSecret: ""
+  
+  # settings for enabling TLS
+  tls:
+    enabled: true
+    secret: "openldap.{{ domain }}-secret"  # The name of a kubernetes.io/tls type secret to use for TLS
+    CA:
+      enabled: true
+      secret: "openldap.{{ domain }}-ca"  # The name of a generic secret to use for custom CA certificate (ca.crt)
+  
+  ## Add additional labels to all resources
+  extraLabels: {}
+  ## Add additional annotations to pods
+  podAnnotations: {}
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: openldap.{{ domain }}
+    clusterIP: ""
+  
+    ldapPort: 389
+    sslLdapPort: 636  # Only used if tls.enabled is true
+    ## List of IP addresses at which the service is available
+    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
+    ##
+    externalIPs: []
+  
+    loadBalancerIP: "{{ openldap_loadbalancer_ip | default(omit) }}"
+    loadBalancerSourceRanges: []
+    type: LoadBalancer
+  
+  # Default configuration for openldap as environment variables. These get injected directly in the container.
+  # Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
+  env:
+    LDAP_ORGANISATION: "{{ ldap_org | default('GHP') }}"
+    LDAP_DOMAIN: "{{ ldap_domain | default(domain) }}"
+    LDAP_BACKEND: "mdb"
+    LDAP_TLS: "true"
+    LDAP_TLS_ENFORCE: "false"
+    LDAP_RFC2307BIS_SCHEMA: "true"
+    LDAP_TLS_VERIFY_CLIENT: "try"
+  
+  # Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
+  # You can override these at install time with
+  # helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
+  adminPassword: "{{ openldap_admin_pass | default(openldap_admin_password) }}"
+  configPassword: "{{ openldap_config_pass | default(openldap_config_password) }}"
+  
+  # Custom openldap configuration files used to override default settings
+  customLdifFiles:
+    01-pw-pbkdf2.ldif: |-
+      dn: cn=module{0},cn=config
+      changetype: modify
+      add: olcModuleLoad
+      olcModuleLoad: pw-pbkdf2
+    02-acl.ldif: |-
+      dn: olcDatabase={1}mdb,cn=config
+      changetype: modify
+      add: olcAccess
+      olcAccess: {1}to * by users read by anonymous auth by * none
+    03-default-users.ldif: |-
+      dn: ou=groups,{{ openldap_domain }}
+      changetype: add
+      objectClass: organizationalUnit
+      objectClass: top
+      ou: groups
+      
+      dn: ou=users,{{ openldap_domain }}
+      changetype: add
+      objectClass: organizationalUnit
+      objectClass: top
+      ou: users
+      
+      dn: ou=services,{{ openldap_domain }}
+      changetype: add
+      objectClass: organizationalUnit
+      objectClass: top
+      ou: services
+      
+      dn: uid=admin,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: admin
+      cn: admin
+      sn: 3
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/admin
+      uidNumber: 14583103
+      gidNumber: 14564103
+      userPassword: {{ openldap_admin_pbkdf2_sha512_hash }}
+      gecos: Admin user
+
+      dn: uid=systemuser,ou=services,{{ openldap_domain }}
+      changetype: add
+      uid: systemuser
+      cn: systemuser
+      sn: 4
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/systemuser
+      uidNumber: 14583104
+      gidNumber: 14564104
+      userPassword: {{ systemuser_pbkdf2_sha512_hash }}
+      mail: systemuser@{{ domain }}
+      gecos: System user
+  
+      dn: uid=nextcloud,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: nextcloud
+      cn: nextcloud
+      sn: 6
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/nextcloud
+      uidNumber: 14583106
+      gidNumber: 14564106
+      userPassword: {{ nextcloud_ldap_pbkdf2_sha512_hash }}
+      mail: nextcloud@{{ domain }}
+      gecos: Nexcloud user
+  
+      dn: uid=ldapbind,ou=services,{{ openldap_domain }}
+      changetype: add
+      uid: ldapbind
+      cn: ldapbind
+      sn: 7
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /sbin/nologin
+      homeDirectory: /home/ldapbind
+      uidNumber: 14583107
+      gidNumber: 14564107
+      userPassword: {{ ldapbind_pbkdf2_sha512_hash }}
+      gecos: LDAP bind user
+  
+      dn: uid=bitwarden,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: bitwarden
+      cn: bitwarden
+      sn: 8
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/bitwarden
+      uidNumber: 14583108
+      gidNumber: 14564108
+      userPassword: {{ bitwarden_ldap_pbkdf2_sha512_hash }}
+      mail: bitwarden@{{ domain }}
+      gecos: Bitwarden user
+
+      dn: uid=gitea,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: gitea
+      cn: gitea
+      sn: 9
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/gitea
+      uidNumber: 14583109
+      gidNumber: 14564109
+      userPassword: {{ gitea_ldap_pbkdf2_sha512_hash }}
+      mail: gitea@{{ domain }}
+      gecos: Gitea user
+
+      dn: uid=wikijs,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: wikijs
+      cn: wikijs
+      sn: 10
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/wikijs
+      uidNumber: 14583110
+      gidNumber: 14564110
+      userPassword: {{ wikijs_ldap_pbkdf2_sha512_hash }}
+      mail: wikijs@{{ domain }}
+      gecos: WikiJS user
+
+      dn: uid=peertube,ou=users,{{ openldap_domain }}
+      changetype: add
+      uid: peertube
+      cn: peertube
+      sn: 11
+      objectClass: top
+      objectClass: posixAccount
+      objectClass: inetOrgPerson
+      loginShell: /bin/bash
+      homeDirectory: /home/peertube
+      uidNumber: 14583111
+      gidNumber: 14564111
+      userPassword: {{ peertube_ldap_pbkdf2_sha512_hash }}
+      mail: peertube@{{ domain }}
+      gecos: PeerTube user
+  
+      dn: cn=admin,ou=groups,{{ openldap_domain }}
+      changetype: add
+      objectClass: groupOfUniqueNames
+      cn: admin
+      description: Admin users
+      uniqueMember: cn=admin,{{ openldap_domain }}
+  
+    06-memberof.ldif: |-
+      dn: cn=services,ou=groups,{{ openldap_domain }}
+      changetype: add
+      objectClass: groupOfUniqueNames
+      cn: services
+      description: System users
+      uniqueMember: uid=systemuser,ou=services,{{ openldap_domain }}
+      uniqueMember: uid=ldapbind,ou=services,{{ openldap_domain }}
+      uniqueMember: uid=nextcloud,ou=users,{{ openldap_domain }}
+      uniqueMember: uid=bitwarden,ou=users,{{ openldap_domain }}
+      uniqueMember: uid=gitea,ou=users,{{ openldap_domain }}
+      uniqueMember: uid=wikijs,ou=users,{{ openldap_domain }}
+      uniqueMember: uid=peertube,ou=users,{{ openldap_domain }}
+
+      dn: cn=users,ou=groups,{{ openldap_domain }}
+      changetype: add
+      objectClass: groupOfUniqueNames
+      cn: users
+      description: Simple users
+      {% for user in openldap_simple_users %}
+      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
+      {% endfor %}
+      {% for user in openldap_custom_users %}
+      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
+      {% endfor %}
+
+  ## Persist data to a persistent volume
+  persistence:
+    enabled: true
+    ## database data Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+    ##   GKE, AWS & OpenStack)
+    ##
+    storageClass: "{{ openldap_storage | default('nfs-ssd') }}"
+    accessMode: "{{ openldap_storage_mode | default('ReadWriteMany') }}"
+    size: "{{ openldap_size | default('8Gi') }}"
+    # existingClaim: ""
+
+## test container details
+test:
+  enabled: false
+

roles/openldap/tasks/main.yaml

@@ -0,0 +1,44 @@
+- name: Create Let's Encrypt ISRG Root X1 CA secret for OpenLDAP
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      data:
+        ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lSQUlJUXo3RFNRT05aUkdQZ3UyT0Npd0F3RFFZSktvWklodmNOQVFFTEJRQXcKVHpFTE1Ba0dBMVVFQmhNQ1ZWTXhLVEFuQmdOVkJBb1RJRWx1ZEdWeWJtVjBJRk5sWTNWeWFYUjVJRkpsYzJWaApjbU5vSUVkeWIzVndNUlV3RXdZRFZRUURFd3hKVTFKSElGSnZiM1FnV0RFd0hoY05NVFV3TmpBME1URXdORE00CldoY05NelV3TmpBME1URXdORE00V2pCUE1Rc3dDUVlEVlFRR0V3SlZVekVwTUNjR0ExVUVDaE1nU1c1MFpYSnUKWlhRZ1UyVmpkWEpwZEhrZ1VtVnpaV0Z5WTJnZ1IzSnZkWEF4RlRBVEJnTlZCQU1UREVsVFVrY2dVbTl2ZENCWQpNVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29DZ2dJQkFLM29KSFAwRkRmem01NHJWeWdjCmg3N2N0OTg0a0l4dVBPWlhvSGozZGNLaS92VnFidllBVHlqYjNtaUdiRVNUdHJGai9SUVNhNzhmMHVveG15RisKMFRNOHVrajEzWG5mczdqL0V2RWhta3ZCaW9aeGFVcG1abXlQZmp4d3Y2MHBJZ2J6NU1EbWdLN2lTNCszbVg2VQpBNS9UUjVkOG1VZ2pVK2c0cms4S2I0TXUwVWxYaklCMHR0b3YwRGlOZXdOd0lSdDE4akE4K28rdTNkcGpxK3NXClQ4S09FVXQrend2by83VjNMdlN5ZTByZ1RCSWxESENOQXltZzRWTWs3QlBaN2htL0VMTktqRCtKbzJGUjNxeUgKQjVUMFkzSHNMdUp2VzVpQjRZbGNOSGxzZHU4N2tHSjU1dHVrbWk4bXhkQVE0UTdlMlJDT0Z2dTM5NmozeCtVQwpCNWlQTmdpVjUrSTNsZzAyZFo3N0RuS3hIWnU4QS9sSkJkaUIzUVcwS3RaQjZhd0JkcFVLRDlqZjFiMFNIelV2CktCZHMwcGpCcUFsa2QyNUhON3JPckZsZWFKMS9jdGFKeFFaQktUNVpQdDBtOVNUSkVhZGFvMHhBSDBhaG1iV24KT2xGdWhqdWVmWEtuRWdWNFdlMCtVWGdWQ3dPUGpkQXZCYkkrZTBvY1MzTUZFdnpHNnVCUUUzeERrM1N6eW5UbgpqaDhCQ05BdzFGdHhOclFIdXNFd01GeEl0NEk3bUtaOVlJcWlveW1DekxxOWd3UWJvb01EUWFIV0JmRWJ3cmJ3CnFIeUdPMGFvU0NxSTNIYWFkcjhmYXFVOUdZL3JPUE5rM3NnckRRb28vL2ZiNGhWQzFDTFFKMTNoZWY0WTUzQ0kKclU3bTJZczZ4dDBuVVc3L3ZHVDFNME5QQWdNQkFBR2pRakJBTUE0R0ExVWREd0VCL3dRRUF3SUJCakFQQmdOVgpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSNXRGbm1lN2JsNUFGemdBaUl5QnBZOXVtYmJqQU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBVlI5WXFieXlxRkRRRExIWUdta2dKeWtJckdGMVhJcHUrSUxsYVMvVjlsWkwKdWJoekVGblRJWmQrNTB4eCs3TFNZSzA1cUF2cUZ5RldoZkZRRGxucnp1Qlo2YnJKRmUrR25ZK0VnUGJrNlpHUQozQmViWWh0RjhHYVYwbnh2d3VvNzd4L1B5OWF1Si9HcHNNaXUvWDErbXZvaUJPdi8yWC9xa1NzaXNSY09qL0tLCk5GdFkyUHdCeVZTNXVDYk1pb2d6aVV3dGhEeUMzKzZXVndXNkxMdjN4TGZIVGp1Q3ZqSElJbk56a3RIQ2dLUTUKT1JBekk0Sk1QSitHc2xXWUhiNHBob3dpbTU3aWF6dFhPb0p3VGR3Sng0bkxDZ2ROYk9oZGpzbnZ6cXZIdTdVcgpUa1hXU3RBbXpPVnl5Z2hxcFpYakZhSDNwTzNKTEYrbCsvK3NLQUl1dnRkN3UrTnhlNUFXMHdkZVJsTjhOd2RDCmpOUEVscHpWbWJVcTRKVWFnRWl1VERrSHpzeEhwRktWSzdxNCs2M1NNMU45NVIxTmJkV2hzY2RDYitaQUp6VmMKb3lpM0I0M25qVE9RNXlPZisxQ2NlV3hHMWJRVnM1WnVmcHNNbGpxNFVpMC8xbHZoK3dqQ2hQNGtxS09KMnF4cQo0Umdxc2FoRFlWdlRIOXc3alhieUxlaU5kZDhYTTJ3OVUvdDd5MEZmLzl5aTBHRTQ0WmE0ckYyTE45ZDExVFBBCm1SR3VuVUhCY25XRXZnSkJRbDluSkVpVTBac252Z2MvdWJoUGdYUlI0WHEzN1owajRyN2cxU2dFRXp3eEE1N2QKZW15UHhnY1l4bi9lUjQ0L0tKNEVCcytsVkRSM3ZleUptK2tYUTk5YjIxLytqaDVYb3MxQW5YNWlJdHJlR0NjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+      kind: Secret
+      metadata:
+        name: "openldap.{{ domain }}-ca"
+        namespace: "{{ openldap_namespace | default(namespace) }}"
+
+- name: Request cert for OpenLDAP
+  k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "openldap.{{ domain }}-crt"
+        namespace: "{{ openldap_namespace | default(namespace) }}"
+      spec:
+        secretName: "openldap.{{ domain }}-secret"
+        dnsNames:
+        - "openldap.{{ domain }}"
+        issuerRef:
+          name: letsencrypt-prod
+          # We can reference ClusterIssuers by changing the kind here.
+          # The default value is Issuer (i.e. a locally namespaced Issuer)
+          kind: ClusterIssuer
+          group: cert-manager.io
+
+- set_fact:
+    openldap_combined_values: "{{ openldap_default_values | combine(openldap_values, recursive=true) }}"
+
+- name: Deploy OpenLDAP
+  community.kubernetes.helm:
+    create_namespace: true
+    release_namespace: "{{ openldap_namespace | default(namespace) }}"
+    release_name: "{{ openldap_name | default('openldap') }}"
+    chart_ref: "{{ openldap_chart | default('ghp/openldap') }}"
+    chart_version: "{{ openldap_version | default(omit) }}"
+    release_values: "{{ openldap_combined_values | from_yaml }}"
+