Saslauthd service using Tiki database :)

init-scripts/cyrus-saslauthd-init.sh

+#!/bin/bash
+
+cat > /etc/pam.d/imap <<'EOF'
+auth       required     pam_env.so
+auth       sufficient   pam_url.so config=/etc/pam_url.conf
+auth       requisite    pam_succeed_if.so uid >= 500 quiet
+auth       required     pam_deny.so
+
+account    sufficient   pam_url.so config=/etc/pam_url.conf
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+EOF
+
+cat > /etc/pam_url.conf <<'EOF'
+# pam_url configuration file
+pam_url:
+{
+    settings:
+    {
+        url         = "http://127.0.0.1/index.php";
+        returncode  = "OK";
+        userfield   = "user";
+        passwdfield = "pass";
+    };
+};
+# END
+EOF

init-scripts/cyrus-saslauthd-tiki.php

+<?php
+/**
+ * Validate given user/password againt TikiWiki database. This service
+ * can not be exposed to public Internet. It is intend to provide auth
+ * to saslauthd module
+ * 
+ * @category Script
+ * @package  TikiWiki
+ * @author   Fabio Montefuscolo <fabio.montefuscolo@evoludata.com>
+ * @license  https://dev.tiki.org/license.txt LGPL
+ * @link     https://tiki.org
+ */
+
+$db_name = getenv('TIKI_DB_NAME') ?: 'tikiwiki';
+$db_user = getenv('TIKI_DB_USER') ?: 'tiki';
+$db_pass = getenv('TIKI_DB_PASS') ?: 'wiki';
+$db_host = getenv('TIKI_DB_HOST') ?: 'db';
+
+$pdo = new PDO("mysql:host=${db_host};dbname=${db_name}", $db_user, $db_pass);
+
+$PSK = "OK";
+
+if (isset($_POST["user"]) && isset($_POST["pass"]) && isset($_POST["mode"])) {
+    $ret = false;
+
+    if ($_POST["mode"] === "PAM_SM_AUTH") {
+        $stm = $pdo->prepare('SELECT hash FROM users_users WHERE login = ?');
+        $stm->bindValue(1, $_POST["user"]);
+        $stm->execute();
+        $ret = $stm->rowCount() === 1
+            && password_verify($_POST['pass'], $stm->fetchColumn());
+
+    } elseif ($_POST["mode"] === "PAM_SM_ACCOUNT") {
+        $ret = true;
+
+    } elseif ($_POST["mode"] === "PAM_SM_SESSION") {
+        // Nothing to do yet
+
+    } elseif ($_POST["mode"] === "PAM_SM_PASSWORD") {
+        // Nothing to do yet
+    }
+
+    if ($ret === true) {
+        header("HTTP/1.1 200 OK");
+        echo $PSK;
+    } else {
+        header("HTTP/1.1 400 Bad Request");
+        echo "ACCESS DENIED";
+    }
+} else {
+    header("HTTP/1.1 403 Forbidden");
+    echo "ACCESS DENIED";
+}
\ No newline at end of file

kustomization.yaml

@@ -8,6 +8,12 @@ configMapGenerator:
 - name: openfire-init
   files:
   - init-scripts/openfire-init.sh
+- name: cyrus-saslauthd-init
+  files:
+  - init-scripts/cyrus-saslauthd-init.sh
+- name: cyrus-saslauthd-tiki
+  files:
+  - init-scripts/cyrus-saslauthd-tiki.php
 
 secretGenerator:
 - name: tiki-db-pass
@@ -24,6 +30,8 @@ secretGenerator:
   - secretkey=d9a35d982f7590175b78eab138435e3c6d8ad87a53d10757c50b8062609811d8
 
 resources:
+  - resources/cyrus-saslauthd-service.yaml
+  - resources/cyrus-saslauthd-deployment.yaml
   - resources/mariadb-service.yaml
   - resources/mariadb-pv-claim.yaml
   - resources/mariadb-deployment.yaml

resources/cyrus-saslauthd-deployment.yaml

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: saslauthd-deployment
+  labels:
+    app: cyrus
+spec:
+  selector:
+    matchLabels:
+      app: cyrus
+      tier: frontend
+  strategy:
+    type: Recreate
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: cyrus
+        tier: frontend
+    spec:
+      containers:
+
+      - image: montefuscolo/cyrus-saslauthd
+        name: saslauthd
+        stdin: true
+        tty: true
+        volumeMounts:
+        - name: cyrus-run
+          mountPath: /run
+        - name: cyrus-saslauthd-init
+          mountPath: /entrypoint.d
+
+      - image: montefuscolo/rsyslogd
+        name: rsyslogd
+        volumeMounts:
+        - name: cyrus-run
+          mountPath: /run
+
+      - image: tikiwiki/php:7.2-apache
+        name: tiki-auth
+        volumeMounts:
+        - name: cyrus-saslauthd-tiki
+          mountPath: /var/www/html/index.php
+          subPath: cyrus-saslauthd-tiki.php
+        env:
+        - name: TIKI_DB_HOST
+          value: db
+        - name: TIKI_DB_USER
+          value: tikiuser
+        - name: TIKI_DB_NAME
+          value: tikiwiki
+        - name: TIKI_DB_PASS
+          valueFrom:
+            secretKeyRef:
+              name: tiki-db-pass
+              key: password
+
+      volumes:
+      - name: cyrus-run
+      - name: cyrus-saslauthd-init
+        configMap:
+          name: cyrus-saslauthd-init
+          items:
+          - key: cyrus-saslauthd-init.sh
+            path: cyrus-saslauthd-init.sh
+      - name: cyrus-saslauthd-tiki
+        configMap:
+          name: cyrus-saslauthd-tiki
+          items:
+          - key: cyrus-saslauthd-tiki.php
+            path: cyrus-saslauthd-tiki.php

resources/cyrus-saslauthd-service.yaml

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: saslauthd-service
+  labels:
+    app: cyrus
+spec:
+  selector:
+    app: cyrus
+    tier: frontend
+  ports:
+  - name: mysql
+    port: 3306

resources/cyrus-volumes.yaml

+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: cyrus-volume
+spec:
+  capacity:
+    storage: 30Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: local-storage
+  local:
+    path: /kubernetes/volume01
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - lke2004-2369-5e5d5dbb9c77