diff --git a/README.md b/README.md
index c4cd9ac..2b9a9df 100755
--- a/README.md
+++ b/README.md
@@ -57,7 +57,10 @@ Global parameters to configure the deployment of the application.
 | `global.imagePullSecrets` | Global list of imagePullSecrets | `[]` |
 | `global.ldapDomain` | Domain LDAP can be explicit `dc=example,dc=org` or domain based `example.org` | `example.org` |
 | `global.existingSecret` | Use existing secret for credentials - the expected keys are LDAP_ADMIN_PASSWORD and LDAP_CONFIG_ADMIN_PASSWORD | `""` |
+| `global.adminUser` | Openldap database admin user | `admin` |
 | `global.adminPassword` | Administration password of Openldap | `Not@SecurePassw0rd` |
+| `global.configUserEnabled` | Whether to create a configuration admin user | `true` |
+| `global.configUser` | Openldap configuration admin user | `admin` |
 | `global.configPassword` | Configuration password of Openldap | `Not@SecurePassw0rd` |
 | `global.ldapPort` | Ldap port | `389` |
 | `global.sslLdapPort` | Ldaps port | `636` |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 337d0d1..537ffda 100755
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -69,6 +69,7 @@ Generate olcSyncRepl list
 {{- define "olcSyncRepls" -}}
 {{- $name := (include "openldap.fullname" .) }}
 {{- $namespace := .Release.Namespace }}
+{{- $bindDNUser := .Values.global.adminUser }}
 {{- $cluster := .Values.replication.clusterName }}
 {{- $configPassword := ternary .Values.global.configPassword "%%CONFIG_PASSWORD%%" (empty .Values.global.existingSecret) }}
 {{- $retry := .Values.replication.retry }}
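Review bot: `$bindDNUser` is assigned from `.Values.global.adminUser`, but the `olcSyncRepls` helper uses it for the `cn=config` bind together with `$configPassword` (the hunk at line 78), so the config-database replication bind pairs the database admin's name with the config admin's password. This same commit introduces a distinct `global.configUser` for that account, and this helper should use it: `{{- $bindDNUser := .Values.global.configUser }}`. Separately, when `global.configUserEnabled` is `false` the configmap hunk disables the config admin, yet this helper still emits a `cn=config` syncrepl bind for it; a render-time guard (e.g. `required` on the value when replication is enabled) would fail early instead of leaving every replica unable to bind. The `olcSyncRepls` define continues past the end of this hunk.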
@@ -78,7 +79,7 @@ Generate olcSyncRepl list
 {{- $nodeCount := .Values.replicaCount | int }}
 {{- range $index0 := until $nodeCount }}
 {{- $index1 := $index0 | add1 }}
- olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn=admin,cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }}
+ olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }}
 {{- end -}}
 {{- end -}}

@@ -88,6 +89,7 @@ Generate olcSyncRepl list
 {{- define "olcSyncRepls2" -}}
 {{- $name := (include "openldap.fullname" .) }}
 {{- $domain := (include "global.baseDomain" .) }}
+{{- $bindDNUser := .Values.global.adminUser }}
 {{- $namespace := .Release.Namespace }}
 {{- $cluster := .Values.replication.clusterName }}
 {{- $adminPassword := ternary .Values.global.adminPassword "%%ADMIN_PASSWORD%%" (empty .Values.global.existingSecret) }}
@@ -102,7 +104,7 @@ Generate olcSyncRepl list
 olcSyncrepl: rid=10{{ $index1 }}
 provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389
- binddn={{ printf "cn=admin,%s" $domain }}
+ binddn={{ printf "cn=%s,%s" $bindDNUser $domain }}
 bindmethod=simple
 credentials={{ $adminPassword }}
 searchbase={{ $domain }}
@@ -223,7 +225,7 @@ Return the server name
 Return the bdmin indDN
 */}}
 {{- define "global.bindDN" -}}
-{{- printf "cn=admin,%s" (include "global.baseDomain" .) -}}
+{{- printf "cn=%s,%s" .Values.global.adminUser (include "global.baseDomain" .) -}}
 {{- end -}}

 {{/*
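Review bot: `printf "cn=%s,%s" .Values.global.adminUser …` in `global.bindDN` (and the `$bindDNUser` interpolations in the hunks at lines 88 and 102) renders the value verbatim, so an unset or empty `global.adminUser` yields `cn=,dc=…` and a value containing DN-special characters such as `,` or `+` yields a malformed DN that only surfaces when slapd rejects the bind. Nothing in the templates falls back to `admin` any more, so a render-time check is the cheapest place to catch this: `{{- printf "cn=%s,%s" (required "global.adminUser is required" .Values.global.adminUser) (include "global.baseDomain" .) -}}`. The README row could also state that the value is an RDN value (the `cn=` attribute value), not a full DN.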
diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml
index 8bd8169..b298910 100755
--- a/templates/configmap-env.yaml
+++ b/templates/configmap-env.yaml
@@ -31,4 +31,10 @@ data:
 LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/tls.crt
 LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/tls.key
 LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/ca.crt
+ {{- if .Values.global.configUserEnabled }}
+ LDAP_CONFIG_ADMIN_ENABLED: "yes"
+ LDAP_CONFIG_ADMIN_USERNAME: "{{ .Values.global.configUser }}"
+ {{- else }}
+ LDAP_CONFIG_ADMIN_ENABLED: "no"
+ {{- end }}
 {{ toYaml .Values.env | indent 2 }}
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 1b26043..5decc14 100755
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
@@ -13,6 +13,9 @@ metadata:
 {{- end }}
 type: Opaque
 data:
+ LDAP_ADMIN_USERNAME: {{ .Values.global.adminUser | b64enc | quote }}
 LDAP_ADMIN_PASSWORD: {{ .Values.global.adminPassword | b64enc | quote }}
+ {{- if .Values.global.configUserEnabled }}
 LDAP_CONFIG_ADMIN_PASSWORD: {{ .Values.global.configPassword | b64enc | quote }}
+ {{- end}}
 {{ end }}
diff --git a/values.yaml b/values.yaml
index 00b42e2..e1acbb8 100644
--- a/values.yaml
+++ b/values.yaml
@@ -17,7 +17,10 @@ global:
 # Specifies an existing secret to be used for admin and config user passwords. The expected key are LDAP_ADMIN_PASSWORD and LDAP_CONFIG_ADMIN_PASSWORD.
 # existingSecret: ""
 ## Default Passwords to use, stored as a secret. Not used if existingSecret is set.
- adminPassword: Not@SecurePassw0rd
+ adminUser: "admin"
+ adminPassword: Not@SecurePassw0rd
+ configUserEnabled: true
+ configUser: "admin"
 configPassword: Not@SecurePassw0rd
 ldapPort: 389
 sslLdapPort: 636
@@ -96,8 +99,6 @@ env:
 LDAP_TLS_ENFORCE: "false"
 LDAPTLS_REQCERT: "never"
 LDAP_ENABLE_TLS: "yes"
- LDAP_CONFIG_ADMIN_ENABLED: "yes"
- LDAP_CONFIG_ADMIN_USERNAME: "admin"
 LDAP_SKIP_DEFAULT_TREE: "no"

 # Pod Disruption Budget for Stateful Set
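Review bot: `LDAP_CONFIG_ADMIN_ENABLED` and `LDAP_CONFIG_ADMIN_USERNAME` are now written straight into `data:` while `{{ toYaml .Values.env | indent 2 }}` is still appended right after them, so any installation that still carries these two keys under `env:` (where this chart's own values.yaml kept them until this commit) renders a ConfigMap with duplicate mapping keys, which the YAML decoder may reject or resolve silently depending on the client. The values.yaml hunk removes the defaults but nothing strips or rejects the override, which makes this an upgrade hazard worth a line in the chart's upgrade notes and a template comment above the `if`: `{{/* config admin is driven by global.configUserEnabled/configUser; do not set LDAP_CONFIG_ADMIN_* in env */}}`. Placing the non-sensitive username in the ConfigMap is the right call; the secret.yaml hunk puts the admin username in the Secret instead, so the two hunks disagree on where usernames live.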
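Review bot: `LDAP_ADMIN_USERNAME` is added to the chart-managed Secret, whose enclosing block opens before this hunk and closes at `{{ end }}`; given the chart's `global.existingSecret` option that block presumably skips rendering when an existing secret is used, in which case nothing provides `LDAP_ADMIN_USERNAME`, and the README's existingSecret row still lists only the two password keys. If the StatefulSet reads the username from this Secret, the existingSecret documentation needs the new key; otherwise, since a username is not a secret, moving it to the ConfigMap next to `LDAP_CONFIG_ADMIN_USERNAME` leaves the existingSecret contract unchanged. Minor: `{{- end}}` lacks the delimiter space used on the context line `{{- end }}` above.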
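Review bot: `adminUser`, `configUserEnabled` and `configUser` are inserted under the comment `## Default Passwords to use, stored as a secret. Not used if existingSecret is set.`, which no longer describes them: two are usernames, and `configUserEnabled` also decides whether `LDAP_CONFIG_ADMIN_PASSWORD` is written to the Secret and which `LDAP_CONFIG_ADMIN_*` keys the ConfigMap gets. A comment per key would spare the next reader a trip through the templates, e.g. `# RDN value of the database admin; rendered as cn=<adminUser>,<base DN>` and `# Set to false to disable the cn=config admin account (also drops its password from the Secret)`. The existingSecret comment two lines above, which lists the expected keys, should be revisited alongside the secret.yaml hunk if the username now comes from the Secret.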