feat: install Kanidm for identity management

platform/kanidm/Chart.yaml

@@ -0,0 +1,6 @@
+name: kanidm
+version: 0.0.0
+dependencies:
+  - name: app-template
+    version: 2.2.0
+    repository: https://bjw-s.github.io/helm-charts

platform/kanidm/templates/certificate.yaml

@@ -0,0 +1,13 @@
+# TODO https://github.com/kanidm/kanidm/issues/1227
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kanidm-selfsigned
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: kanidm-selfsigned-certificate
+  issuerRef:
+    kind: Issuer
+    name: kanidm-selfsigned
+  dnsNames:
+    - home.arpa

platform/kanidm/templates/issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: kanidm-selfsigned
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}

platform/kanidm/values.yaml

@@ -0,0 +1,76 @@
+app-template:
+  controllers:
+    main:
+      type: statefulset
+      containers:
+        main:
+          image:
+            repository: docker.io/kanidm/server
+            tag: 1.1.0-rc.15
+      statefulset:
+        volumeClaimTemplates:
+          - name: data
+            size: 1Gi
+            globalMounts:
+              - path: /data
+            accessMode: "ReadWriteOnce"
+  configMaps:
+    config:
+      enabled: true
+      data:
+        server.toml: |
+          bindaddress = "[::]:443"
+          ldapbindaddress = "[::]:636"
+          # trust_x_forward_for = false
+          db_path = "/data/kanidm.db"
+          tls_chain = "/data/ca.crt"
+          tls_key = "/data/tls.key"
+          domain = "auth.khuedoan.com"
+          origin = "https://auth.khuedoan.com"
+  service:
+    main:
+      ports:
+        http:
+          enabled: false
+        https:
+          port: 443
+          protocol: HTTPS
+        ldap:
+          port: 636
+          protocol: TCP
+  ingress:
+    main:
+      enabled: true
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+      hosts:
+        - host: &host auth.khuedoan.com
+          paths:
+            - path: /
+              pathType: Prefix
+              service:
+                name: main
+                port: https
+      tls:
+        - hosts:
+            - *host
+          secretName: kanidm-tls-certificate
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: kanidm-config
+      globalMounts:
+        - path: /data/server.toml
+          subPath: server.toml
+    tls:
+      enabled: true
+      type: secret
+      name: kanidm-selfsigned-certificate
+      globalMounts:
+        - path: /data/ca.crt
+          subPath: ca.crt
+        - path: /data/tls.key
+          subPath: tls.key

scripts/kanidm-reset-admin-password

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "WARNING: Kanidm admin can do anything in the cluster, only use it for just enough initial setup or in emergencies." >&2
+export KUBECONFIG=./metal/kubeconfig.yaml
+kubectl exec -it -n kanidm statefulset/kanidm -- kanidmd recover-account admin

scripts/setupkanidm

@@ -0,0 +1,22 @@
+# TODO Do not run this script directly, it only serves as documentation,
+# Proper automation will be added later, waiting for client library update:
+# https://github.com/kanidm/kanidm/pull/2301
+
+./scripts/kanidm-reset-admin-password
+# copy password manually
+kanidm login -D admin
+kanidm service-account credential generate -D admin idm_admin
+# copy password manually
+kanidm login -D idm_admin
+
+kanidm person create khuedoan "Khue Doan" --name idm_admin
+kanidm person update khuedoan --mail "mail@khuedoan.com"
+kanidm group create demo_group --name idm_admin
+kanidm group add-members demo_group khuedoan --name idm_admin
+kanidm person credential create-reset-token khuedoan --name idm_admin
+
+kanidm system oauth2 create dex Dex https://dex.khuedoan.com/callback
+kanidm system oauth2 show-basic-secret dex
+# add secret to k8s manually
+kanidm system oauth2 create-scope-map dex demo_group openid profile email groups
+kanidm system oauth2 warning-insecure-client-disable-pkce dex