Merge pull request #132 from opencmit2/FixIssue130_131
jp-gouin authored Nov 4, 2023
2 parents a1d952b + 6f4af86 commit af8ea7c
Showing 6 changed files with 100 additions and 46 deletions.
14 changes: 8 additions & 6 deletions .bin/myval.yaml
Expand Up @@ -12,12 +12,6 @@ phpldapadmin:
ingress:
hosts:
- "phpldapadmin.example"
customTLS:
enabled: true
image:
repository: alpine/openssl
tag: latest
secret: "custom-cert"
customSchemaFiles:
10_owncloud_schema.ldif: |-
# This LDIF files describes the ownCloud schema and can be used to
Expand Down Expand Up @@ -72,3 +66,11 @@ service:
ldapPortNodePort: 30389
sslLdapPortNodePort: 30636
type: NodePort
initTLSSecret:
tls_enabled: true
image:
registry: docker.io
repository: alpine/openssl
tag: latest
pullPolicy: IfNotPresent
secret: "custom-cert"
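Review bot: The sample `initTLSSecret.image` block combines `tag: latest` with `pullPolicy: IfNotPresent`, so a node keeps whichever `alpine/openssl:latest` it already has cached and never re-pulls, and the same pairing is the shipped default in the values.yaml hunk of this commit (whose own comment says a `latest` tag should default to `Always`). Since this container generates the TLS key material, the image that runs is worth pinning: either set an immutable tag, `tag: "<pinned-openssl-tag>"` (placeholder), or keep `latest` and set `pullPolicy: Always`. The `initTLSSecret` mapping is fully contained in the hunk.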
2 changes: 1 addition & 1 deletion Chart.yaml
Expand Up @@ -13,7 +13,7 @@ dependencies:
- bitnami-common
version: 1.x.x
home: https://www.openldap.org
version: 4.1.1
version: 4.1.2
appVersion: 2.6.3
description: Community developed LDAP software
icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -76,8 +76,8 @@ Parameters related to the configuration of the application.
| `userPasswords` | User password to create (comma seprated list) | "" |
| `group` | Group to create and add list of user above | "" |
| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/bitnami/containers/tree/main/bitnami/openldap for available ones | `[see values.yaml]` |
| `customTLS.enabled` | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret` | `false` |
| `customTLS.secret` | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt | `""` |
| `initTLSSecret.tls_enabled` | Set to enable TLS/LDAPS with custom certificate - Please also set `initTLSSecret.secret`, otherwise it will not take effect | `false` |
| `initTLSSecret.secret` | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt | `""` |
| `customSchemaFiles` | Custom openldap schema files used in addition to default schemas | `""` |
| `customLdifFiles` | Custom openldap configuration files used to override default settings | `""` |
| `customLdifCm` | Existing configmap with custom ldif. Can't be use with customLdifFiles | `""` |
12 changes: 10 additions & 2 deletions templates/_helpers.tpl
Expand Up @@ -149,8 +149,16 @@ Return the proper Docker Image Registry Secret Names
{{/*
Return the proper Openldap init container image name
*/}}
{{- define "openldap.initContainerImage" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.customTLS.image "global" .Values.global) -}}
{{- define "openldap.initTLSSecretImage" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.initTLSSecret.image "global" .Values.global) -}}
{{- end -}}


{{/*
Return the proper Openldap volume permissions init container image name
*/}}
{{- define "openldap.volumePermissionsImage" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}}
{{- end -}}


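Review bot: The block comment kept above the renamed define still reads `Return the proper Openldap init container image name`, which no longer tells it apart from the new `openldap.volumePermissionsImage` helper added directly below it. Suggest `Return the proper Openldap init TLS secret container image name` so each comment mirrors the define it documents, matching the wording used for the volume-permissions helper.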
27 changes: 20 additions & 7 deletions templates/statefulset.yaml
Expand Up @@ -45,26 +45,33 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
- name: init-tls-secret
image: {{ include "openldap.initContainerImage" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
image: {{ include "openldap.initTLSSecretImage" . }}
imagePullPolicy: {{ .Values.initTLSSecret.image.pullPolicy | quote }}
command:
- sh
- -c
- |
{{- if not .Values.customTLS.enabled}}
{{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }}
{{- else }}
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN={{ .Values.global.ldapDomain }}' -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365
chmod 777 /tmp-certs/*
{{- end }}
cp -Lr /tmp-certs/* /certs
[ -e /certs/ca.crt ] || cp -a /certs/tls.crt /certs/ca.crt
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.initTLSSecret.resources }}
resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: certs
mountPath: "/certs"
- name: secret-certs
mountPath: "/tmp-certs"
{{- if .Values.volumePermissions.enabled }}
- name: volume-permissions
image: {{ include "openldap.initContainerImage" . }}
image: {{ include "openldap.volumePermissionsImage" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.command "context" $) | nindent 12 }}
{{- if .Values.containerSecurityContext.enabled }}
Expand All @@ -90,6 +97,12 @@ spec:
ls -al /custom_config
sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/*
sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/*
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.updateReplication.resources }}
resources: {{- toYaml .Values.updateReplication.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: cm-replication-acls
mountPath: "/cm-schemas-acls"
Expand Down Expand Up @@ -274,10 +287,10 @@ spec:
- name: certs
emptyDir:
medium: Memory
{{- if .Values.customTLS.enabled }}
{{- if .Values.initTLSSecret.tls_enabled }}
- name: secret-certs
secret:
secretName: {{ .Values.customTLS.secret }}
secretName: {{ .Values.initTLSSecret.secret }}
{{- else }}
- name: secret-certs
emptyDir:
Expand Down Expand Up @@ -317,4 +330,4 @@ spec:
{{- else if (not .Values.persistence.enabled) }}
- name: data
emptyDir: {}
{{- end }}
{{- end }}
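Review bot: The `secret-certs` volume is still gated on `{{- if .Values.initTLSSecret.tls_enabled }}` alone, while the init-tls-secret container above now branches on `and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret`. With `tls_enabled: true` and the default `secret: ""`, the container falls through to self-signed generation but the volume renders as a `secret:` source with an empty `secretName`, which the API should reject, so the pod fails to create instead of TLS simply "not taking effect" as the README hunk says. Align the volume condition with the container: `{{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }}`. Separately, the retained `chmod 777 /tmp-certs/*` leaves the freshly generated `tls.key` world-writable before it is copied into `/certs`; that predates this commit, but a mode that only grants read access to the consuming user (or relying on `fsGroup`) would be the safer follow-up.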
87 changes: 59 additions & 28 deletions values.yaml
Expand Up @@ -63,16 +63,6 @@ image:
logLevel: info


# Settings for enabling TLS with custom certificate
# need a secret with tls.crt, tls.key and ca.crt keys with associated files
# Ref: https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#create-a-secret
customTLS:
enabled: false
image:
repository: alpine/openssl
tag: latest
secret: "" # The name of a kubernetes.io/tls type secret to use for TLS
## Add additional labels to all resources
extraLabels: {}

service:
Expand Down Expand Up @@ -371,6 +361,42 @@ serviceAccount:

## @section Init Container Parameters

## 'initTlsSecret' init container parameters
## need a secret with tls.crt, tls.key and ca.crt keys with associated files
## based on the *containerSecurityContext parameters
##
initTLSSecret:
tls_enabled: false
## openssl image
## @param initTlsSecret.image.registry openssl image registry
## @param initTlsSecret.image.repository openssl image name
## @param initTlsSecret.image.tag openssl image tag
##
image:
registry: docker.io
repository: alpine/openssl
tag: latest
## @param image.pullPolicy openssl image pull policy
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
# The name of a kubernetes.io/tls type secret to use for TLS
secret: ""
## init-tls-secret container's resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
## @param initTlsSecret.resources.limits The resources limits for the init container
## @param initTlsSecret.resources.requests The requested resources for the init container
##
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
limits: {}
requests: {}

## 'volumePermissions' init container parameters
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
## based on the *podSecurityContext/*containerSecurityContext parameters
Expand All @@ -385,41 +411,46 @@ volumePermissions:
## @param volumePermissions.image.repository Bitnami Shell image repository
## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended)
## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy
## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets
##
image:
registry: docker.io
repository: bitnami/bitnami-shell
tag: 10-debian-10
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []

## Command to execute during the volumePermission startup
## command: ['sh', '-c', 'echo "hello world"']
command: {}
## Init container's resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
## @param volumePermissions.resources.limits The resources limits for the init container
## @param volumePermissions.resources.requests The requested resources for the init container
##
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
limits: {}
requests: {}
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)

## 'updateReplication' init container parameters
## based on the *global.existingSecret/*containerSecurityContext parameters
##
updateReplication:
## Init container's resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
## @param volumePermissions.resources.limits The resources limits for the init container
## @param volumePermissions.resources.requests The requested resources for the init container
##
containerSecurityContext:
runAsUser: 0
resources:
## Example:
## limits:
## cpu: 500m
## memory: 1Gi
limits: {}
requests: {}


## Configure extra options for liveness, readiness, and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
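Review bot: The `@param` annotations for the new block are written as `initTlsSecret.image.registry`, `initTlsSecret.resources.limits` and so on, with one bare `image.pullPolicy`, but the key actually introduced is `initTLSSecret`; any tooling that generates the README parameter table from these annotations will publish paths that do not exist in the chart. Rename them to `initTLSSecret.image.registry`, `initTLSSecret.image.pullPolicy`, `initTLSSecret.resources.limits`, etc., and fix the two `@param volumePermissions.resources.*` lines that were copied under `updateReplication` in the same way. The pull-policy comment in this block says a `latest` tag "Defaults to 'Always'", yet the value directly under it is `pullPolicy: IfNotPresent` with `tag: latest`, so the comment and the default contradict each other. `updateReplication.containerSecurityContext.runAsUser: 0` also appears in this hunk, but the statefulset hunk in the same commit applies the top-level `.Values.containerSecurityContext` to that container; unless another template consumes the new key, it advertises a root override that has no effect and should either be wired in or dropped.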
