diff --git a/.bin/chaos.yaml b/.bin/chaos.yaml deleted file mode 100644 index bd40775..0000000 --- a/.bin/chaos.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: chaos-mesh.org/v1alpha1 -kind: Schedule -metadata: - name: pod-failure-openldap - annotations: - experiment.chaos-mesh.org/pause: "true" -spec: - schedule: "@every 2m" - type: "PodChaos" - historyLimit: 5 - concurrencyPolicy: Forbid - podChaos: - action: pod-failure - duration: 15s - mode: random-max-percent - selector: - labelSelectors: - app.kubernetes.io/name: openldap-stack-ha - value: '66' \ No newline at end of file diff --git a/.bin/disableLdapPort.yaml b/.bin/disableLdapPort.yaml deleted file mode 100644 index ed20a96..0000000 --- a/.bin/disableLdapPort.yaml +++ /dev/null @@ -1,19 +0,0 @@ -logLevel: debug -resources: - limits: - cpu: "128m" - memory: "64Mi" -replicaCount: 3 -customLdifFiles: - 00-root.ldif: |- - # Root creation - dn: dc=example,dc=org - objectClass: dcObject - objectClass: organization - o: Example, Inc -service: - enableLdapPort: false - sslLdapPortNodePort: 30636 - type: NodePort -initTLSSecret: - tls_enabled: false diff --git a/.bin/kind-conf.yml b/.bin/kind-conf.yml deleted file mode 100644 index 67a046a..0000000 --- a/.bin/kind-conf.yml +++ /dev/null @@ -1,24 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -nodes: -- role: control-plane -- role: worker - kubeadmConfigPatches: - - | - kind: JoinConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 8080 - protocol: TCP - - containerPort: 443 - hostPort: 8444 - protocol: TCP - - containerPort: 30636 - hostPort: 30636 - - containerPort: 30389 - hostPort: 30389 -- role: worker -- role: worker diff --git a/.bin/myval.yaml b/.bin/myval.yaml deleted file mode 100644 index d61897c..0000000 --- a/.bin/myval.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -logLevel: debug -resources: - limits: - cpu: "128m" - memory: "64Mi" -replicaCount: 3 -ltb-passwd: - ingress: - hosts: - - "ssl-ldap2.example" -phpldapadmin: - ingress: - hosts: - - "phpldapadmin.example" -customSchemaFiles: - 00-memberof.ldif: |- - # Load memberof module - dn: cn=module,cn=config - cn: module - objectClass: olcModuleList - olcModuleLoad: memberof - olcModulePath: /opt/bitnami/openldap/lib/openldap - - dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config - changetype: add - objectClass: olcOverlayConfig - objectClass: olcMemberOf - olcOverlay: memberof - olcMemberOfRefint: TRUE - - 10_owncloud_schema.ldif: |- - # This LDIF files describes the ownCloud schema and can be used to - # add two optional attributes: ownCloudQuota and ownCloudUUID - # The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups - dn: cn=owncloud,cn=schema,cn=config - objectClass: olcSchemaConfig - cn: owncloud - olcObjectIdentifier: ownCloudOid 1.3.6.1.4.1.39430 - olcAttributeTypes: ( ownCloudOid:1.1.1 NAME 'ownCloudQuota' - DESC 'User Quota (e.g. 
2 GB)' - EQUALITY caseExactMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) - olcAttributeTypes: ( ownCloudOid:1.1.2 NAME 'ownCloudUUID' - DESC 'A non-reassignable and persistent account ID)' - EQUALITY uuidMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE ) - olcObjectClasses: ( ownCloudOid:1.2.1 NAME 'ownCloud' - DESC 'ownCloud LDAP Schema' - AUXILIARY - MAY ( ownCloudQuota $ ownCloudUUID ) ) -customLdifFiles: - 00-root.ldif: |- - # Root creation - dn: dc=example,dc=org - objectClass: dcObject - objectClass: organization - o: Example, Inc - 01-default-group.ldif: |- - dn: cn=myGroup,dc=example,dc=org - cn: myGroup - gidnumber: 500 - objectclass: posixGroup - objectclass: top - 02-default-user.ldif: |- - dn: cn=Jean Dupond,dc=example,dc=org - cn: Jean Dupond - gidnumber: 500 - givenname: Jean - homedirectory: /home/users/jdupond - objectclass: inetOrgPerson - objectclass: posixAccount - objectClass: ownCloud - objectclass: top - sn: Dupond - uid: jdupond - uidnumber: 1000 - userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw== - 03-test-memberof.ldif: |- - dn: ou=Group,dc=example,dc=org - objectclass: organizationalUnit - ou: Group - - dn: ou=People,dc=example,dc=org - objectclass: organizationalUnit - ou: People - - dn: uid=test1,ou=People,dc=example,dc=org - objectclass: account - uid: test1 - - dn: cn=testgroup,ou=Group,dc=example,dc=org - objectclass: groupOfNames - cn: testgroup - member: uid=test1,ou=People,dc=example,dc=org -service: - ldapPortNodePort: 30389 - sslLdapPortNodePort: 30636 - type: NodePort -initTLSSecret: - tls_enabled: true - image: - registry: docker.io - repository: alpine/openssl - tag: latest - pullPolicy: IfNotPresent - secret: "custom-cert" diff --git a/.bin/phpldap-test.py b/.bin/phpldap-test.py deleted file mode 100644 index 51cd460..0000000 --- a/.bin/phpldap-test.py +++ /dev/null 
@@ -1,62 +0,0 @@ -# Generated by Selenium IDE -import pytest -import time -import json -from selenium import webdriver -from selenium.webdriver.common.by import By -from selenium.webdriver.common.action_chains import ActionChains -from selenium.webdriver.support import expected_conditions -from selenium.webdriver.support.wait import WebDriverWait -from selenium.webdriver.common.keys import Keys -from selenium.webdriver.common.desired_capabilities import DesiredCapabilities - -class TestPhpldap(): - - def setup_method(self, method): - op = webdriver.ChromeOptions() - op.add_argument('headless') - self.driver = webdriver.Chrome(options=op) - self.vars = {} - - def teardown_method(self, method): - self.driver.quit() - - def test_phpldap(self): - self.driver.get("http://phpldapadmin.example.lan:8080/") - print(self.driver.title) - self.driver.find_element(By.LINK_TEXT, "login").click() - #element = self.driver.find_element(By.LINK_TEXT, "login") - #actions = ActionChains(self.driver) - #actions.move_to_element(element).perform() - #element = self.driver.find_element(By.CSS_SELECTOR, "body") - #actions = ActionChains(self.driver) - #actions.move_to_element(element, 0, 0).perform() - self.driver.find_element(By.ID, "login").click() - self.driver.find_element(By.ID, "login").send_keys("cn=admin,dc=example,dc=org") - self.driver.find_element(By.ID, "password").click() - self.driver.find_element(By.ID, "password").send_keys("admin") - self.driver.find_element(By.NAME, "submit").click() - print("successfully logged") - #test = self.driver.find_element(By.XPATH, "//a[@href='cmd.php?cmd=template_engine&server_id=1&dn=dc%3Dexample%2Cdc%3Dorg']") - #test.click() - #main = test.find_element(By.XPATH, "//a[@title='dc=example,dc=org']") - #print(main.find_element(By.XPATH, "//a[contains(text(), 'child')]")) - #self.driver.find_element(By.ID, "posixAccount:2").click() - #self.driver.find_element(By.ID, "new_values_givenname_0").click() - #self.driver.find_element(By.ID, 
"new_values_givenname_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_sn_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_uid_0").click() - #self.driver.find_element(By.ID, "new_values_userpassword_0").click() - #self.driver.find_element(By.ID, "new_values_userpassword_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").click() - #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_gidnumber_0").click() - #dropdown = self.driver.find_element(By.ID, "new_values_gidnumber_0") - #dropdown.find_element(By.XPATH, "//option[. = 'myGroup']").click() - #self.driver.find_element(By.ID, "create_button").click() - -testClass = TestPhpldap() - -testClass.setup_method("") -testClass.test_phpldap() -testClass.teardown_method("") diff --git a/.bin/selfservice-test.py b/.bin/selfservice-test.py deleted file mode 100644 index 51cd460..0000000 --- a/.bin/selfservice-test.py +++ /dev/null 
@@ -1,62 +0,0 @@ -# Generated by Selenium IDE -import pytest -import time -import json -from selenium import webdriver -from selenium.webdriver.common.by import By -from selenium.webdriver.common.action_chains import ActionChains -from selenium.webdriver.support import expected_conditions -from selenium.webdriver.support.wait import WebDriverWait -from selenium.webdriver.common.keys import Keys -from selenium.webdriver.common.desired_capabilities import DesiredCapabilities - -class TestPhpldap(): - - def setup_method(self, method): - op = webdriver.ChromeOptions() - op.add_argument('headless') - self.driver = webdriver.Chrome(options=op) - self.vars = {} - - def teardown_method(self, method): - self.driver.quit() - - def test_phpldap(self): - self.driver.get("http://phpldapadmin.example.lan:8080/") - print(self.driver.title) - self.driver.find_element(By.LINK_TEXT, "login").click() - #element = self.driver.find_element(By.LINK_TEXT, "login") - #actions = ActionChains(self.driver) - #actions.move_to_element(element).perform() - #element = self.driver.find_element(By.CSS_SELECTOR, "body") - #actions = ActionChains(self.driver) - #actions.move_to_element(element, 0, 0).perform() - self.driver.find_element(By.ID, "login").click() - self.driver.find_element(By.ID, "login").send_keys("cn=admin,dc=example,dc=org") - self.driver.find_element(By.ID, "password").click() - self.driver.find_element(By.ID, "password").send_keys("admin") - self.driver.find_element(By.NAME, "submit").click() - print("successfully logged") - #test = self.driver.find_element(By.XPATH, "//a[@href='cmd.php?cmd=template_engine&server_id=1&dn=dc%3Dexample%2Cdc%3Dorg']") - #test.click() - #main = test.find_element(By.XPATH, "//a[@title='dc=example,dc=org']") - #print(main.find_element(By.XPATH, "//a[contains(text(), 'child')]")) - #self.driver.find_element(By.ID, "posixAccount:2").click() - #self.driver.find_element(By.ID, "new_values_givenname_0").click() - #self.driver.find_element(By.ID, 
"new_values_givenname_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_sn_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_uid_0").click() - #self.driver.find_element(By.ID, "new_values_userpassword_0").click() - #self.driver.find_element(By.ID, "new_values_userpassword_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").click() - #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").send_keys("test") - #self.driver.find_element(By.ID, "new_values_gidnumber_0").click() - #dropdown = self.driver.find_element(By.ID, "new_values_gidnumber_0") - #dropdown.find_element(By.XPATH, "//option[. = 'myGroup']").click() - #self.driver.find_element(By.ID, "create_button").click() - -testClass = TestPhpldap() - -testClass.setup_method("") -testClass.test_phpldap() -testClass.teardown_method("") diff --git a/.bin/simpleUser.ldif b/.bin/simpleUser.ldif deleted file mode 100644 index 7a55f0d..0000000 --- a/.bin/simpleUser.ldif +++ /dev/null @@ -1,12 +0,0 @@ -dn: cn=Jean Dupond,dc=example,dc=org -cn: Jean Dupond -gidnumber: 500 -givenname: Jean -homedirectory: /home/users/jdupond -objectclass: inetOrgPerson -objectclass: posixAccount -objectclass: top -sn: Dupond -uid: jdupond -uidnumber: 1000 -userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw== diff --git a/.bin/singleNode.yaml b/.bin/singleNode.yaml deleted file mode 100644 index 0695355..0000000 --- a/.bin/singleNode.yaml +++ /dev/null @@ -1,25 +0,0 @@ -logLevel: debug -global: - ldapDomain: "singlenode.org" - existingSecret: "my-super-secret" -resources: - limits: - cpu: "128m" - memory: "64Mi" -replicaCount: 1 -replication: - enabled: false -ltb-passwd: - ingress: - hosts: - - "ssl-ldap2.example" -phpldapadmin: - ingress: - hosts: - - "phpldapadmin.example" -customTLS: - enabled: false -service: - ldapPortNodePort: 30389 - sslLdapPortNodePort: 30636 - type: NodePort 
diff --git a/.bin/update-gh-pages b/.bin/update-gh-pages deleted file mode 100755 index ee474ac..0000000 --- a/.bin/update-gh-pages +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env bash - -set -eu - -curl -fsSL -o ../get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 -chmod 700 ../get_helm.sh -../get_helm.sh - -#repo_uri="https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" -repo_uri="https://x-access-token:${DEPLOY_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" - -remote_name="origin" -main_branch="master" -target_branch="gh-pages" -build_dir="dist" - -cd "$GITHUB_WORKSPACE" - -helm package --destination ../ . - -git config user.name "$GITHUB_ACTOR" -git config user.email "${GITHUB_ACTOR}@bots.github.com" - -git checkout "$target_branch" -#git rebase "${remote_name}/${main_branch}" - -mv ../*.tgz . -helm repo index . - -git add -A - -git commit -m "updated GitHub Pages" -if [ $? -ne 0 ]; then - echo "nothing to commit" - exit 0 -fi - -git remote set-url "$remote_name" "$repo_uri" # includes access token -git push --force-with-lease "$remote_name" "$target_branch" diff --git a/.bin/user.ldif b/.bin/user.ldif deleted file mode 100644 index 6ce29da..0000000 --- a/.bin/user.ldif +++ /dev/null @@ -1,19 +0,0 @@ -dn: uid=einstein,dc=example,dc=org -objectClass: inetOrgPerson -objectClass: organizationalPerson -objectClass: ownCloud -objectClass: person -objectClass: posixAccount -objectClass: top -uid: einstein -givenName: Albert -sn: Einstein -cn: einstein -displayName: Albert Einstein -description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics). -mail: einstein@example.org -uidNumber: 20000 -gidNumber: 30000 -homeDirectory: /home/einstein -ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx -userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ== \ No newline at end of file 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index dd84ea7..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: '' -labels: '' -assignees: '' - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: -1. Go to '...' -2. Click on '....' -3. Scroll down to '....' -4. See error - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Screenshots** -If applicable, add screenshots to help explain your problem. - -**Desktop (please complete the following information):** - - OS: [e.g. iOS] - - Browser [e.g. chrome, safari] - - Version [e.g. 22] - -**Smartphone (please complete the following information):** - - Device: [e.g. iPhone6] - - OS: [e.g. iOS8.1] - - Browser [e.g. stock browser, safari] - - Version [e.g. 22] - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 11fc491..0000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 0cc57fa..0000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,9 +0,0 @@ -### What this PR does / why we need it: - - - -### Pre-submission checklist: - -* [ ] Did you explain what problem does this PR solve? Or what new features have been added? -* [ ] Have you updated the readme? -* [ ] Is this PR backward compatible? **If it is not backward compatible, please discuss open a ticket first** \ No newline at end of file diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml deleted file mode 100644 index 865c815..0000000 --- a/.github/actions/setup/action.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: 'Setup env' -description: 'Greet someone' -inputs: - install-chaos: - description: 'Setup ChaosMesh' - required: true - default: false -runs: - using: "composite" - steps: - - name: Lint - shell: bash - run: | - curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 700 /tmp/get_helm.sh - /tmp/get_helm.sh - helm lint . - - name: setup cluster - shell: bash - run: | - curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 - chmod +x /tmp/kind - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - rm -f kubectl - sudo apt update - sudo apt-get install -y ldap-utils - /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 - kubectl apply -f https://projectcontour.io/quickstart/contour.yaml - kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - - name: setup chaos mesh - if: ${{ inputs.install-chaos == 'true' }} - shell: bash - run: | - curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind \ No newline at end of file diff --git a/.github/semantic.yml b/.github/semantic.yml deleted file mode 100644 index e1c924f..0000000 --- a/.github/semantic.yml +++ /dev/null @@ -1,15 +0,0 @@ -titleOnly: true -allowRevertCommits: true -types: - - feat - - fix - - docs - - style - - refactor - - perf - - test - - build - - ci - - chore - - revert - - change \ No newline at end of file diff --git a/.github/stale.yml b/.github/stale.yml deleted file mode 100644 index dc90e5a..0000000 --- a/.github/stale.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Number of days of inactivity before an issue becomes stale -daysUntilStale: 60 -# Number of days of inactivity before a stale issue is closed -daysUntilClose: 7 -# Issues with these labels will never be considered stale -exemptLabels: - - pinned - - security -# Label to use when marking an issue as stale -staleLabel: wontfix -# Comment to post when marking an issue as stale. Set to `false` to disable -markComment: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. -# Comment to post when closing a stale issue. Set to `false` to disable -closeComment: false diff --git a/.github/workflows/chart-release-manual.yml b/.github/workflows/chart-release-manual.yml new file mode 100644 index 0000000..6c6d772 --- /dev/null +++ b/.github/workflows/chart-release-manual.yml @@ -0,0 +1,33 @@ +name: Push Charts to helm-charts-registry manually with specified version + +on: + workflow_dispatch: + inputs: + chart_version: + type: string + description: "Chart version" + required: true + image_tag: + type: string + description: "image tag" + required: true + +concurrency: + group: dbildungs-iam-ldap-chart-manual + cancel-in-progress: true + +jobs: + scan: + uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5 + permissions: + contents: read + release: + needs: scan + uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5 + secrets: inherit + with: + chart_name: dbildungs-iam-ldap + helm_chart_version_generation: specified + image_tag_generation: specified + helm_chart_version: ${{ inputs.chart_version }} + image_tag: ${{ inputs.image_tag }} \ No newline at end of file diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml deleted file mode 100644 index 5a24e72..0000000 --- a/.github/workflows/ci-ha.yml +++ /dev/null 
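Review bot: The `chart_version` and `image_tag` dispatch inputs reach the reusable `chart-release.yaml@5` without any format check, and with `secrets: inherit` that workflow receives every repository secret, so whoever may dispatch this workflow decides what is published under which version; a guard step before `release` would hold the values to the shape the tag trigger in create-release.yml enforces, e.g. `env: CHART_VERSION: ${{ inputs.chart_version }}` with `run: [[ "$CHART_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]`, reading the input from the environment rather than interpolating it into the script. The constant `group: dbildungs-iam-ldap-chart-manual` together with `cancel-in-progress: true` means a second dispatch cancels a release still in flight; suffixing the group with `${{ inputs.chart_version }}` lets both finish. Both `uses:` lines pin the shared workflows to the mutable ref `@5` instead of a commit SHA, a supply-chain exposure this file shares with create-release.yml and image-and-helm-publish-check-deploy-on-push-scheduled.yml (`@3`/`@5`).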
@@ -1,74 +0,0 @@ -name: Test-HA -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: true - - name: setup certs - shell: bash - run: | - openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365 - cp tls.crt ca.crt - kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt - - name: deploy openldap-stack-ha - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -f .bin/myval.yaml . - kubectl rollout status sts openldap-stack-ha - - name: verify deployment - shell: bash - run: | - echo "test access to openldap database" - sleep 10 - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' - - name: test phpldapadmin access - shell: bash - run: | - echo "test access to phpldapadmin" - echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts - curl phpldapadmin.example:8080 - - name: test self service pwd access - shell: bash - run: | - echo "test access to ssp" - curl ssl-ldap2.example:8080 - - name: verify certs - shell: bash - run: | - echo "verify certificate" - echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt - if ! 
grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi - - name: apply chaos tests - shell: bash - run: | - echo "test access to openldap database" - kubectl apply -f .bin/chaos.yaml - - name: test write - shell: bash - run: | - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if ! grep "Einstein" /tmp/test-write.txt; then echo 'no Einstein entry found' ; fi - if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi - - name: test memberOf - shell: bash - run: | - echo "MemberOf test to openldap database" - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" > /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 2 ]; then exit 1 ; fi - if ! grep -q "uid=test1,ou=People,dc=example,dc=org" /tmp/test-write.txt; then echo exit 1; fi - - name: chaos tests - shell: bash - run: | - echo "test access to openldap database" - for i in {1..20}; do LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done \ No newline at end of file diff --git a/.github/workflows/ci-other.yml b/.github/workflows/ci-other.yml deleted file mode 100644 index b90f7b6..0000000 --- a/.github/workflows/ci-other.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Test-Other -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: false - - name: deploy openldap-stack-ha-disable-ldap-port - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . - kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port - - name: verify no ldap port deployment - shell: bash - run: | - echo "test access to openldap database" - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif - sleep 10 - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - cat /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi - - - diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml deleted file mode 100644 index 96c5a80..0000000 --- a/.github/workflows/ci-singlenode.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: Test-SingleNode -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: false - - name: deploy openldap-stack-ha-single-node - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - kubectl create ns single - kubectl create secret generic my-super-secret -n single --from-literal=LDAP_ADMIN_PASSWORD=Not@SecurePassw0rd --from-literal=LDAP_CONFIG_ADMIN_PASSWORD=Not@SecurePassw0rd - helm install openldap-stack-ha -n single -f .bin/singleNode.yaml . - kubectl rollout status sts openldap-stack-ha -n single - kubectl logs -n single openldap-stack-ha-0 - - name: verify single node deployment - shell: bash - run: | - sleep 10 - echo "test access to openldap database" - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt - cat /tmp/test-single-node.txt - if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index 195004a..0000000 --- a/.github/workflows/ci.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Setup -on: - push: - branches: - - "*" - pull_request: - branches: - - "master" - - "bitnami" -jobs: - call-ci-singlenode: - uses: ./.github/workflows/ci-singlenode.yml - call-ci-other: - uses: ./.github/workflows/ci-other.yml - call-ci-ha: - uses: ./.github/workflows/ci-ha.yml \ No newline at end of file diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml new file mode 100644 index 0000000..0726aae --- /dev/null +++ b/.github/workflows/create-release.yml 
@@ -0,0 +1,27 @@
+# Push Helm Chart to helm-charts-registry
+name: Release Helm Chart
+on:
+ push:
+ tags:
+ - '[0-9]+.[0-9]+.[0-9]+'
+
+concurrency:
+ group: dbildungs-iam-ldap-image-helm-chart
+ cancel-in-progress: true
+
+jobs:
+ scan_helm:
+ uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
+ permissions:
+ contents: read
+
+ release_helm:
+ needs: scan_helm
+ uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5
+ secrets: inherit
+ with:
+ chart_name: "dbildungs-iam-ldap"
+ helm_chart_version_generation: specified
+ image_tag_generation: specified
+ helm_chart_version: "${{ github.ref_name }}"
+ image_tag: "${{ github.ref_name }}"
\ No newline at end of file
diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
new file mode 100644
index 0000000..50bc048
--- /dev/null
+++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
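Review bot: `concurrency.group` is the constant `dbildungs-iam-ldap-image-helm-chart` and `cancel-in-progress: true`, so two release tags pushed close together cancel the earlier release while it is publishing; `group: dbildungs-iam-ldap-release-${{ github.ref_name }}` (or `cancel-in-progress: false`) lets each tag complete. The tag filter `'[0-9]+.[0-9]+.[0-9]+'` is a GitHub glob in which `.` is a literal dot, so only bare `MAJOR.MINOR.PATCH` tags trigger a release and `v1.2.3` does not; a one-line comment stating that this is intended would spare the next maintainer a debugging session. `release_helm` declares no `permissions:` while `scan_helm` is limited to `contents: read`; if the called chart-release workflow needs token scopes beyond the repository default, granting them explicitly here documents the grant and keeps the job from silently inheriting a wider default.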
@@ -0,0 +1,114 @@
+# Scan & Publish helm chart on push, deployment on push, delete deployment on branch deletion, scheduled trivy scanner
+name: "Dev Pipeline"
+
+# All triggers have to be in one file, so that the trivy results can be compared to identify introduced vulnerabilities
+# See DBP-340
+on:
+ push:
+ branches:
+ - "**"
+ schedule:
+ - cron: '0 2 * * *'
+ delete:
+
+concurrency:
+ group: dbildungs-iam-ldap-${{ github.event.ref }}
+ cancel-in-progress: true
+
+jobs:
+ scan_helm:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
+ permissions:
+ contents: read
+
+ select_helm_version_generation_and_image_tag_generation:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ needs:
+ - scan_helm
+ runs-on: ubuntu-latest
+ outputs:
+ SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }}
+ SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }}
+ steps:
+ - id: select_generation
+ shell: bash
+ run: |
+ if ${{ github.ref_name == 'main' }}; then
+ echo "SELECT_HELM_VERION_GENERATION=timestamp" >> "$GITHUB_OUTPUT"
+ echo "SELECT_IMAGE_TAG_GENERATION=commit_hash" >> "$GITHUB_OUTPUT"
+ else
+ echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT"
+ echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT"
+ fi
+ release_helm:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ needs:
+ - select_helm_version_generation_and_image_tag_generation
+ uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5
+ secrets: inherit
+ with:
+ chart_name: dbildungs-iam-ldap
+ helm_chart_version_generation: ${{ needs. 
select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION }}
+ image_tag_generation: ${{ needs. select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION }}
+
+ branch_meta:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3
+
+ create_branch_identifier:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ needs:
+ - branch_meta
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3
+ with:
+ branch: ${{ needs.branch_meta.outputs.branch }}
+
+ wait_for_helm_chart_to_get_published:
+ needs:
+ - release_helm
+ runs-on: ubuntu-latest
+ steps:
+ - shell: bash
+ run: |
+ sleep 1m
+
+ deploy:
+ if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
+ needs:
+ - branch_meta
+ - create_branch_identifier
+ - wait_for_helm_chart_to_get_published
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5
+ with:
+ dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }}
+ schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }}
+ dbildungs_iam_keycloak_branch: ${{ needs.branch_meta.outputs.ticket }}
+ dbildungs_iam_ldap_branch: ${{ needs.branch_meta.outputs.ticket }}
+ namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }}
+ secrets: inherit
+
+ create_branch_identifier_for_deletion:
+ if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }}
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3
+ with:
+ branch: ${{ github.event.ref }}
+
+ delete_namespace:
+ if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch'}}
+ needs:
+ - create_branch_identifier_for_deletion
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/delete-namespace.yml@3
+ with: + namespace: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} + secrets: + SPSH_DEV_KUBECONFIG: ${{ secrets.SPSH_DEV_KUBECONFIG }} + + delete_successful: + if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }} + needs: + - delete_namespace + - create_branch_identifier_for_deletion + runs-on: ubuntu-latest + steps: + - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" \ No newline at end of file diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml deleted file mode 100644 index 18d114f..0000000 --- a/.github/workflows/pages.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: GitHub Pages - -on: - release: - types: # This configuration does not affect the page_build event above - - created - - prereleased -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - run: .bin/update-gh-pages - env: - DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} - GITHUB_TOKEN: ${{ secrets.github_token }} diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 8f84a0d..0000000 --- a/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -myValues.yaml -ignore/* -ignore \ No newline at end of file diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md deleted file mode 100644 index 4789c26..0000000 --- a/CODE_OF_CONDUCT.md +++ /dev/null 
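Review bot: The `schedule` trigger produces a run in which every job is skipped, because each job's `if:` requires `github.event_name == 'push'` or `'delete'` and `wait_for_helm_chart_to_get_published` is reachable only through `release_helm`; the nightly trivy comparison the header comment promises therefore never executes unless it lives somewhere not shown here, so either add a job guarded by `github.event_name == 'schedule'` or drop the `cron` entry and the comment. The final step interpolates `${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }}` straight into the shell line; since that value is derived from a branch name, pass it through `env: NAMESPACE: ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }}` and `run: echo "Deletion workflow of namespace $NAMESPACE done"` so the shell never parses it. The two `needs. select_helm_…` references in `release_helm` carry a space after `needs.`; if that is really in the file rather than an extraction artifact, confirm the expression parses before merging. `wait_for_helm_chart_to_get_published` relies on a fixed `sleep 1m`, which is a race against the registry; a short loop that re-indexes the chart repository and checks for the expected version would fail loudly instead of deploying a stale chart, and `deploy.yml@5` next to the `@3` pins of the sibling spsh-app-deploy workflows looks unintended and is worth a comment if it is not.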
@@ -1,76 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, sex characteristics, gender identity and expression, -level of experience, education, socio-economic status, nationality, personal -appearance, race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: - -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at jp-gouin@hotmail.fr. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html - -[homepage]: https://www.contributor-covenant.org - -For answers to common questions about this code of conduct, see -https://www.contributor-covenant.org/faq diff --git a/Chart.lock b/Chart.lock deleted file mode 100644 index 48784c4..0000000 --- a/Chart.lock +++ /dev/null @@ -1,12 +0,0 @@ -dependencies: -- name: ltb-passwd - repository: "" - version: 0.1.x -- name: phpldapadmin - repository: "" - version: 0.1.x -- name: common - repository: https://charts.bitnami.com/bitnami - version: 2.16.1 -digest: sha256:45e133518c38cbd6708fbfa5de2db847a2612490ac1c100e91fc381a73664c5e -generated: "2024-02-21T22:20:56.807097-06:00" 
diff --git a/Chart.yaml b/Chart.yaml deleted file mode 100644 index 148cf87..0000000 --- a/Chart.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v2 -name: openldap-stack-ha -dependencies: - - name: ltb-passwd - version: 0.1.x - condition: ltb-passwd.enabled - - name: phpldapadmin - version: 0.1.x - condition: phpldapadmin.enabled - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: ~2 -home: https://www.openldap.org -version: 4.2.5 -appVersion: 2.6.7 -description: Community developed LDAP software -icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png -keywords: - - ldap - - openldap - - iam-stack - - high availability -sources: - - https://github.com/jp-gouin/helm-openldap -maintainers: - - name: Jean-Philippe Gouin - email: jp-gouin@hotmail.fr -engine: gotpl diff --git a/README.md b/README.md index 74deb22..b543406 100755 --- a/README.md +++ b/README.md @@ -1,7 +1,3 @@ -[![build](https://github.com/jp-gouin/helm-openldap/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/jp-gouin/helm-openldap/actions/workflows/ci.yml) -[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/helm-openldap)](https://artifacthub.io/packages/search?repo=helm-openldap) -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/apache/apisix/blob/master/LICENSE) -![Version](https://img.shields.io/static/v1?label=Openldap&message=2.6.3&color=blue) # OpenLDAP Helm Chart ## Disclaimer 
@@ -11,37 +7,15 @@ More detail on the container image can be found [here](https://github.com/bitnam The chart now support `Bitnami/Openldap 2.6.6`. -Due to #115, the chart does not fully support scaling the `openldap` cluster. To scale the cluster please follow [scaling your cluster](#scaling-your-cluster) -- This will be fixed in priority - -## Prerequisites Details -* Kubernetes 1.8+ -* PV support on the underlying infrastructure - -## Chart Details -This chart will do the following: - -* Instantiate 3 instances of OpenLDAP server with multi-master replication -* A phpldapadmin to administrate the OpenLDAP server -* ltb-passwd for self service password - -## TL;DR To install the chart with the release name `my-release`: ```bash -$ helm repo add helm-openldap https://jp-gouin.github.io/helm-openldap/ -$ helm install my-release helm-openldap/openldap-stack-ha +$ helm repo add dbildungsplattform https://dbildungsplattform.github.io/helm-charts-registry/ +$ helm install my-release dbildungsplattform/dbildungs-iam-ldap ``` - -## Configuration - -We use the container images provided by https://github.com/bitnami/containers/tree/main/bitnami/openldap. The container image is highly configurable and well documented. Please consult to documentation of the image for more information. - -The following table lists the configurable parameters of the openldap chart and their default values. - ### Global section Global parameters to configure the deployment of the application. 
@@ -75,8 +49,6 @@ Parameters related to the configuration of the application. | `initTLSSecret.secret` | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt | `""` | | `customSchemaFiles` | Custom openldap schema files used in addition to default schemas | `""` | | `customLdifFiles` | Custom openldap configuration files used to override default settings | `""` | -| `customLdifCm` | Existing configmap with custom ldif. Can't be use with customLdifFiles | `""` | -| `customAcls` | Custom openldap ACLs. Overrides default ones. | `""` | | `replication.enabled` | Enable the multi-master replication | `true` | | `replication.retry` | retry period for replication in sec | `60` | | `replication.timeout` | timeout for replication in sec| `1` | @@ -98,17 +70,6 @@ Parameters related to PHPLdapAdmin For more advance configuration see [README.md](./advanced_examples/README.md) For all possible chart parameters see chart's [README.md](./charts/phpldapadmin/README.md) -### Self-service password configuration - -Parameters related to Self-service password. - -| Parameter | Description | Default | -| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -|`ltb-passwd.enabled`| Enable the deployment of Ltb-Passwd| `true` | -|`ltb-passwd.ingress`| Ingress of the Ltb-Passwd service | `{}` | - -For more advance configuration see [README.md](./advanced_examples/README.md) -For all possible parameters see chart's [README.md](./charts/ltb-passwd/README.md) ### Kubernetes parameters 
@@ -128,7 +89,6 @@ Parameters related to Kubernetes. | `service.enableLdapPort` | Enable LDAP port on the service and headless service | `true` | | `service.enableSslLdapPort` | Enable SSL LDAP port on the service and headless service | `true` | | `service.ldapPortNodePort` | Nodeport of External service port for LDAP if service.type is NodePort | `nil` | -| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` | | `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` | | `service.sslLdapPortNodePort` | Nodeport of External service port for SSL if service.type is NodePort | `nil` | | `service.type` | Service type can be ClusterIP, NodePort, LoadBalancer | `ClusterIP` | @@ -144,7 +104,6 @@ Parameters related to Kubernetes. | `customStartupProbe` | Startup probe configuration | `[see values.yaml]` | | `resources` | Container resource requests and limits in yaml | `{}` | | `podSecurityContext` | Enabled OPENLDAP pods' Security Context | `true` |`` -| `containerSecurityContext` | Set OPENLDAP pod's Security Context fsGroup | `true` | | `existingConfigmap` | existingConfigmap The name of an existing ConfigMap with your custom configuration for OPENLDAP | `` | | `podLabels` | podLabels Extra labels for OPENLDAP pods| `{}` | | `podAnnotations` | podAnnotations Extra annotations for OPENLDAP pods | `{}` | 
@@ -196,113 +155,4 @@ phpldapadmin: - phpldapadmin.local env: PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never" - -``` -## Self-service-password -To enable Self-service-password set `ltb-passwd.enabled` to `true` - -Ingress can be configure if you want to expose the service. - -Setup the `ldap` part with the information of the OpenLdap server. - -Set `bindDN` accordingly to your ldap domain - -**Note** : The ldap server host should match the following `ldap://namespace.Appfullname` - -Example : -``` -ltb-passwd: - enabled : true - ingress: - enabled: true - annotations: {} - # Assuming that ingress-nginx is used - ingressClassName: nginx - host: "ssl-ldap2.local" - -``` - -## Cleanup orphaned Persistent Volumes - -Deleting the Deployment will not delete associated Persistent Volumes if persistence is enabled. - -Do the following after deleting the chart release to clean up orphaned Persistent Volumes. - -```bash -$ kubectl delete pvc -l release=${RELEASE-NAME} -``` - -## Custom Secret - -`global.existingSecret` can be used to override the default secret.yaml provided - -## Scaling your cluster -In order to scale the cluster, first use `helm` to updrgade the number of `replica` -``` -helm upgrade -n openldap-ha --set replicaCount=4 openldap-ha . -``` -Then connect to the `-0` container, under `/opt/bitnami/openldap/etc/schema/`, edit : - 1. `serverid.ldif` and remove existing `olcServerID` (only keep the one you added by scaling) - 2. `brep.ldif` and remove existing `olcServerID` (only keep the one you added by scaling) - 3. 
Apply your changes - -``` -ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/serverid.ldif -ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/brep.ldif -``` - -Tips : to edit in the container, use : -``` -cat < /tmp/serverid.ldif -copy -your -line -EOF -``` - -## Troubleshoot - -You can increase the level of log using `env.LDAP_LOGLEVEL` - -Valid log levels can be found [here](https://www.openldap.org/doc/admin24/slapdconfig.html) - -### Boostrap custom ldif - -**Warning** when using custom ldif in the `customLdifFiles` or `customLdifCm` section you have to create the high level object `organization` - -``` -dn: dc=test,dc=example -dc: test -o: Example Inc. -objectclass: top -objectclass: dcObject -objectclass: organization -``` - -**note** the admin user is created by the application and should not be added as a custom ldif - -All internal configuration like `cn=config` , `cn=module{0},cn=config` cannot be configured yet. - -## Changelog/Updating - -### To 4.0.0 - -This major update switch the base image from [Osixia](https://github.com/osixia/docker-openldap) to [Bitnami Openldap](https://github.com/bitnami/containers/tree/main/bitnami/openldap) - -- Upgrade may not work fine between `3.x` and `4.x` -- Ldap and Ldaps port are non privileged ports (`1389` and `1636`) -- Replication is now purely setup by configuration -- Extra schema cannot be added/modified - -A default tree (Root organisation, users and group) is created during startup, this can be skipped using `LDAP_SKIP_DEFAULT_TREE` , however you need to use `customLdifFiles` or `customLdifCm` to create a root organisation. - -- This will be improved in a future update. - -### To 3.0.0 - -This major update of the chart enable new feature for the deployment such as : - -- supporting initcontainer -- supporting sidecar -- use global parameters to ease the configuration of the app -- out of the box integration with phpldapadmin and self-service password in a secure way +``` \ No newline at end of file 
diff --git a/advanced_examples/MemberOf.md b/advanced_examples/MemberOf.md deleted file mode 100644 index a0e5dee..0000000 --- a/advanced_examples/MemberOf.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Examples of MemberOf configuration - -## Enable MemberOf - -Use the following values to enable `memberof` attribute: - -This configuration works regardless of the `replication` configuration (`enabled` or `disabled`) - -``` -# Default configuration for openldap as environment variables. These get injected directly in the container. -# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide -env: - BITNAMI_DEBUG: "true" - LDAP_LOGLEVEL: "256" - LDAP_TLS_ENFORCE: "false" - LDAPTLS_REQCERT: "never" - LDAP_ENABLE_TLS: "yes" - LDAP_CONFIG_ADMIN_ENABLED: "yes" - LDAP_SKIP_DEFAULT_TREE: "no" - -customLdifFiles: - 00-root.ldif: |- - # Root creation - dn: dc=example,dc=org - objectClass: dcObject - objectClass: organization - o: Example, Inc - 01-default-user.ldif: |- - dn: cn=Jean Dupond,dc=example,dc=org - cn: Jean Dupond - gidnumber: 500 - givenname: Jean - homedirectory: /home/users/jdupond - objectclass: inetOrgPerson - objectclass: posixAccount - objectclass: top - sn: Dupond - uid: jdupond - uidnumber: 1000 - userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw== - 02-default-group.ldif: |- - dn: cn=myGroup,dc=example,dc=org - cn: myGroup - gidnumber: 500 - objectclass: posixGroup - objectclass: top - add: memberUid - memberUid: jdupond - 03-test-memberof.ldif: |- - dn: ou=Group,dc=example,dc=org - objectclass: organizationalUnit - ou: Group - - dn: ou=People,dc=example,dc=org - objectclass: organizationalUnit - ou: People - - dn: uid=test1,ou=People,dc=example,dc=org - objectclass: account - uid: test1 - - dn: cn=testgroup,ou=Group,dc=example,dc=org - objectclass: groupOfNames - cn: testgroup - member: uid=test1,ou=People,dc=example,dc=org -customSchemaFiles: - #enable memberOf ldap search functionality, users automagically track groups they belong to - 00-memberof.ldif: |- - # Load memberof module - dn: cn=module,cn=config - cn: module - objectClass: olcModuleList - olcModuleLoad: memberof - olcModulePath: 
/opt/bitnami/openldap/lib/openldap - - dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config - changetype: add - objectClass: olcOverlayConfig - objectClass: olcMemberOf - olcOverlay: memberof - olcMemberOfRefint: TRUE -``` - -Connect to your openldap instance and execute: - -``` -LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://127.0.0.1:1636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" -``` -You should get the following result: -``` -# extended LDIF -# -# LDAPv3 -# base with scope subtree -# filter: (memberOf=cn=testgroup,ou=Group,dc=example,dc=org) -# requesting: ALL -# - -# test1, People, example.org -dn: uid=test1,ou=People,dc=example,dc=org -objectClass: account -uid: test1 - -# search result -search: 2 -result: 0 Success - -# numResponses: 2 -# numEntries: 1 -``` \ No newline at end of file diff --git a/advanced_examples/README.md b/advanced_examples/README.md deleted file mode 100644 index b08089c..0000000 --- a/advanced_examples/README.md +++ /dev/null 
@@ -1,251 +0,0 @@ -# Examples of advanced configurations - -You will find here some examples of advanced configurations. - - -## Use your own logos -To use your own logos for password portal and phpmyadmin, first create a configmap with your logos. -For instance, a configmap with 2 keys: -- my-logo.png: logo with size for instance 450x128 pixels -- my-logo_50.png: smaller logo, for instance 180x50 pixels - -Next, configure your values so that your logos are installed in the containers: -```yaml -ltb-passwd: - initContainers: - - name: install-logo - image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}" - command: [sh, -c] - args: - - |- - cat </data/31-logo - #!/command/with-contenv bash - source /assets/functions/00-container - PROCESS_NAME="logo" - cp /tmp/ltb-logo.png /www/ssp/images/ltb-logo.png - chmod +x /data/31-logo - liftoff - EOF - volumeMounts: - - name: data - mountPath: /data - volumes: - - name: logos - configMap: - name: logos - - name: data - emptyDir: {} - volumeMounts: - - name: logos - mountPath: /tmp/ltb-logo.png - subPath: my-logo.png - - name: data - mountPath: /etc/cont-init.d/31-logo - subPath: 31-logo - -phpldapadmin: - initContainers: - - name: modify-configuration - image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . 
}}" - command: [sh, -c] - args: - - |- - # modify startup script in order to use logos - cp -p /container/service/phpldapadmin/startup.sh /data/ - sed -i -e 's/exit 0/# exit 0/' /data/startup.sh - cat <<'EOF' >>/data/startup.sh - cp /logos/my-logo.png /var/www/phpldapadmin/htdocs/images/default/logo.png - cp /logos/my-logo_50.png /var/www/phpldapadmin/htdocs/images/default/logo-small.png - exit 0 - EOF - volumeMounts: - - mountPath: /data - name: data - volumes: - - name: data - emptyDir: {} - - name: logos - configMap: - name: logos - volumeMounts: - - name: data - mountPath: /data - - name: logos - mountPath: /logos - - name: data - mountPath: /container/service/phpldapadmin/startup.sh - subPath: startup.sh -``` - -## Use a user with restricted permissions for password portal -By default ```cn=admin``` account is used by the password portal to retrieve the users. -We will define here a user with restricted permissions (only read-only on attributes except passwords). -His password is set in a separated secret (allowing vault solutions). -For that, we need to define a custom ldif and custom acls. 
-First, create a custom ldif file (or add it directly in the values file): -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: my-customldif -data: - 00-root.ldif: |- - dn: dc=mydomain,dc=com - objectClass: top - objectClass: dcObject - objectClass: organization - o: MY-DOMAIN - dc: mydomain - 01-admin-read-user.ldif: |- - dn: cn=admin-read,dc=mydomain,dc=com - cn: admin-read - mail: admin-read@mydomain.com - objectClass: inetOrgPerson - objectClass: top - userPassword:: {SSHA}xxxxxxxxxxxx - sn: Admin read only - 02-users-group.ldif: |- - dn: ou=users,dc=mydomain,dc=com - ou: users - objectClass: organizationalUnit - objectClass: top - 03-foo-user.ldif: |- - dn: cn=foo,ou=users,dc=mydomain,dc=com - cn: foo - objectClass: inetOrgPerson - objectClass: top - sn: Foo Foo - mail: foo@mydomain.com - userPassword:: {SSHA}xxxxxxxxx -``` -Now create a secret for the passwords: -```yaml -kind: Secret -apiVersion: v1 -metadata: - name: openldap-secrets -type: Opaque -stringData: - LDAP_ADMIN_PASSWORD: xxxxxxxx - LDAP_CONFIG_ADMIN_PASSWORD: xxxxxxxx - LDAP_ADMIN_READ_PASSWORD: xxxxxxxx -``` - -Next configure the values to use this secret, set the correct acls for ```admin-read``` and configure password portal to use this account: -```yaml -global: - existingSecret: "openldap-secrets" - -customAcls: |- - dn: olcDatabase={2}mdb,cn=config - changetype: modify - replace: olcAccess - olcAccess: {0}to * - by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage - by * break - olcAccess: {1}to attrs=userPassword,shadowLastChange - by self write - by dn="cn=admin,dc=mydomain,dc=com" write - by anonymous auth by * none - olcAccess: {2}to * - by dn="cn=admin-read,dc=mydomain,dc=com" read - by dn="cn=admin,dc=mydomain,dc=com" write - by self read - by * none - -ltb-passwd: - ldap: - searchBase: "ou=users,dc=mydomain,dc=com" - bindDN: "cn=admin-read,dc=mydomain,dc=com" - passKey: LDAP_ADMIN_READ_PASSWORD -``` - -## Allow login to phpldapadmin using only cn 
attribute -It is easier to login on phpldapadmin using only your cn attribute instead of cn=xxx,dc=xxx,dc=xxxx. -At the same time, use the previous read only admin account to retrieve the user. -Here is the values.yaml to use: -```yaml -phpldapadmin: - initContainers: - - name: modify-configuration - image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . }}" - command: [sh, -c] - args: - - |- - # adapt config.php: allow login without complete dn (only username) - needs admin read account - # use also binddn with restricted permissions (read only) - cat </data/my_config.php - \$servers->setValue('login','attr','cn'); - \$servers->setValue('login','bind_id','cn=admin-read,dc=mydomain,dc=com'); - \$servers->setValue('login','bind_pass','${LDAP_ADMIN_READ_PASSWORD}'); - EOF - # modify startup script in order to use modified config.php and logos - cp -p /container/service/phpldapadmin/startup.sh /data/ - sed -i -e 's/exit 0/# exit 0/' /data/startup.sh - cat <<'EOF' >>/data/startup.sh - sed -i -e 's/\($servers->setValue..login.,.bind_id\)/#\1/' /var/www/phpldapadmin/config/config.php - cat /data/my_config.php >> /var/www/phpldapadmin/config/config.php - exit 0 - EOF - volumeMounts: - - mountPath: /data - name: data - env: - - name: LDAP_ADMIN_READ_PASSWORD - valueFrom: - secretKeyRef: - name: openldap-secrets - key: LDAP_ADMIN_READ_PASSWORD - volumes: - - name: data - emptyDir: {} - volumeMounts: - - name: data - mountPath: /data - - name: data - mountPath: /container/service/phpldapadmin/startup.sh - subPath: startup.sh -``` - -## Allow a user to have admin permissions -More tricky, we now authorize users to be administrator according to the value of the attribute ```employeeType```. If this attribute has a value of ```LDAP_ADMIN``` the user will be LDAP administrator. 
-Using the previous ```my-customldif``` configmap just add the following line in the foo user section: -```yaml - employeeType: LDAP_ADMIN -``` -In long: -```yaml - 03-foo-user.ldif: |- - dn: cn=foo,ou=users,dc=mydomain,dc=com - cn: foo - objectClass: inetOrgPerson - objectClass: top - sn: Foo Foo - mail: foo@mydomain.com - employeeType: LDAP_ADMIN - userPassword:: {SSHA}xxxxxxxxx -``` -Now modify the custom acls in the values file using the ```set``` feature: -```yaml -customAcls: |- - dn: olcDatabase={2}mdb,cn=config - changetype: modify - replace: olcAccess - olcAccess: {0}to * - by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage - by * break - olcAccess: {1}to attrs=userPassword,shadowLastChange - by self write - by dn="cn=admin,dc=mydomain,dc=com" write - by set="user/employeeType & [ldap_admin]" write - by anonymous auth by * none - olcAccess: {2}to * - by dn="cn=admin-read,dc=mydomain,dc=com" read - by dn="cn=admin,dc=mydomain,dc=com" write - by set="user/employeeType & [ldap_admin]" write - by self read - by * none -``` - -Putting all together, the user ```foo``` can now login on phpldapadmin with only *foo* as username and his password, and with full permissions to manage the ldap database. - diff --git a/.helmignore b/charts/dbildungs-iam-ldap/.helmignore similarity index 100% rename from .helmignore rename to charts/dbildungs-iam-ldap/.helmignore diff --git a/charts/dbildungs-iam-ldap/Chart.yaml b/charts/dbildungs-iam-ldap/Chart.yaml new file mode 100644 index 0000000..ff7d1c1 --- /dev/null +++ b/charts/dbildungs-iam-ldap/Chart.yaml 
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: dbildungs-iam-ldap
+version: 0.0.1
+description: Helm Chart for using community developed OpenLDAP software
+appVersion: ""
+dependencies:
+- condition: phpldapadmin.enabled
+ name: phpldapadmin
+ repository: ""
+ version: 0.1.x
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: ~2
+home: https://www.openldap.org
+keywords:
+- ldap
+- openldap
\ No newline at end of file
diff --git a/charts/common-2.16.1.tgz b/charts/dbildungs-iam-ldap/charts/common-2.16.1.tgz similarity index 100% rename from charts/common-2.16.1.tgz rename to charts/dbildungs-iam-ldap/charts/common-2.16.1.tgz
diff --git a/charts/phpldapadmin/Chart.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/Chart.yaml similarity index 100% rename from charts/phpldapadmin/Chart.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/Chart.yaml
diff --git a/charts/phpldapadmin/README.md b/charts/dbildungs-iam-ldap/charts/phpldapadmin/README.md similarity index 100% rename from charts/phpldapadmin/README.md rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/README.md
diff --git a/charts/phpldapadmin/publish.sh b/charts/dbildungs-iam-ldap/charts/phpldapadmin/publish.sh similarity index 100% rename from charts/phpldapadmin/publish.sh rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/publish.sh
diff --git a/charts/phpldapadmin/templates/NOTES.txt b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/NOTES.txt similarity index 100% rename from charts/phpldapadmin/templates/NOTES.txt rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/NOTES.txt
diff --git a/charts/phpldapadmin/templates/_helpers.tpl b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/_helpers.tpl similarity index 100% rename from charts/phpldapadmin/templates/_helpers.tpl rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/_helpers.tpl
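Review bot: The `common` dependency is declared with the floating range `version: ~2` against `https://charts.bitnami.com/bitnami`, and the same diff deletes the top-level `Chart.lock` that pinned it to 2.16.1, so `helm dependency update` will now resolve to whatever 2.x the remote serves at build time instead of the vendored `charts/common-2.16.1.tgz` that is moved alongside this file. Pinning the declaration to match the vendored archive, `version: 2.16.1`, or committing a fresh `charts/dbildungs-iam-ldap/Chart.lock`, keeps the chart build reproducible and turns a library bump into a reviewable change rather than a silent one. `appVersion: ""` is also worth filling in (the old Chart.yaml carried `2.6.7`), since it is what shows up in `helm list` and in any version label the templates derive from `.Chart.AppVersion`.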
diff --git a/charts/phpldapadmin/templates/configmap.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/configmap.yaml similarity index 94% rename from charts/phpldapadmin/templates/configmap.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/configmap.yaml index 37e360b..d8697a2 100755 --- a/charts/phpldapadmin/templates/configmap.yaml +++ b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/configmap.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "phpldapadmin.fullname" . }} + namespace: {{ .Release.Namespace }} labels: app: {{ template "phpldapadmin.name" . }} chart: {{ template "phpldapadmin.chart" . }} diff --git a/charts/phpldapadmin/templates/deployment.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/deployment.yaml similarity index 89% rename from charts/phpldapadmin/templates/deployment.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/deployment.yaml index d33572d..d462a04 100755 --- a/charts/phpldapadmin/templates/deployment.yaml +++ b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/deployment.yaml @@ -28,10 +28,14 @@ spec: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} {{- end }} + automountServiceAccountToken: false containers: - name: {{ .Chart.Name }} image: {{ include "phpldapadmin.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} ports: - name: http containerPort: 80 diff --git a/charts/phpldapadmin/templates/ingress.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/ingress.yaml similarity index 100% rename from charts/phpldapadmin/templates/ingress.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/ingress.yaml 
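Review bot: `{{- if .Values.containerSecurityContext.enabled }}` in the deployment hunk aborts rendering with a nil-pointer error if a consumer sets `containerSecurityContext: null` or a parent chart drops the key entirely, because the field lookup happens on a nil map before the `if` is evaluated; a guard such as `{{- if (.Values.containerSecurityContext | default dict).enabled }}` keeps the default-off behaviour without a hard failure. The hardening itself is sound — `automountServiceAccountToken: false` removes an API token the phpldapadmin UI has no use for — but this template only binds what values.yaml supplies, and the sibling values hunk sets nothing beyond `allowPrivilegeEscalation: false`, so the container still runs with the default capability set and no seccomp profile unless an operator overrides it. The pod-level `securityContext` (runAsNonRoot/fsGroup) would sit above line 28 and is not visible here, so I cannot tell whether it is set.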
diff --git a/charts/phpldapadmin/templates/service.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/service.yaml similarity index 100% rename from charts/phpldapadmin/templates/service.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/templates/service.yaml diff --git a/charts/phpldapadmin/values.yaml b/charts/dbildungs-iam-ldap/charts/phpldapadmin/values.yaml similarity index 89% rename from charts/phpldapadmin/values.yaml rename to charts/dbildungs-iam-ldap/charts/phpldapadmin/values.yaml index b7193eb..9e3922f 100755 --- a/charts/phpldapadmin/values.yaml +++ b/charts/dbildungs-iam-ldap/charts/phpldapadmin/values.yaml @@ -91,20 +91,29 @@ livenessProbe: path: / port: http -resources: {} +resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi nodeSelector: {} tolerations: [] affinity: {} + +# enabling other features does not let ldapadmin get access +containerSecurityContext: + enabled: true + # privileged: false + # readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + # seccompProfile: + # type: "RuntimeDefault" diff --git a/charts/dbildungs-iam-ldap/templates/NOTES.txt b/charts/dbildungs-iam-ldap/templates/NOTES.txt new file mode 100644 index 0000000..3d13e6a --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/NOTES.txt 
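Review bot: The new `containerSecurityContext` only enables `allowPrivilegeEscalation: false` and leaves `privileged`, `readOnlyRootFilesystem` and `seccompProfile` commented out under the remark "enabling other features does not let ldapadmin get access", which does not record which setting broke what. `privileged: false` is already the Kubernetes default and cannot break anything, and `seccompProfile.type: RuntimeDefault` very rarely affects a PHP/Apache container, so both should be switched on; only `readOnlyRootFilesystem` plausibly needs writable mounts, and the comment should name the path that failed so the next person can add an `emptyDir` instead of re-running the experiment. A `capabilities: {drop: [ALL]}` entry is the other cheap win — the deployment hunk shows the container listening on port 80, so it may need `add: [NET_BIND_SERVICE]` or a non-root port, which is worth testing once rather than leaving undocumented. Separately, the retained comment above `resources:` still tells the reader to "uncomment the following lines ... and remove the curly braces", which no longer matches a block that now sets defaults.

```yaml
# … unchanged: livenessProbe, resources, nodeSelector, tolerations, affinity …

# Container-level hardening for phpldapadmin. readOnlyRootFilesystem is left off
# because <document the path the image needs to write>; everything else is safe.
containerSecurityContext:
  enabled: true
  privileged: false
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  # capabilities:
  #   drop: ["ALL"]
  #   add: ["NET_BIND_SERVICE"]   # only if the image must bind port 80 as non-root
  # readOnlyRootFilesystem: false
```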
@@ -0,0 +1,5 @@ +OpenLDAP-Stack has been installed. You can access the server from within the k8s cluster using: + {{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} + +You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain): + ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD \ No newline at end of file diff --git a/templates/_helpers.tpl b/charts/dbildungs-iam-ldap/templates/_helpers.tpl old mode 100755 new mode 100644 similarity index 98% rename from templates/_helpers.tpl rename to charts/dbildungs-iam-ldap/templates/_helpers.tpl index 2a76fd5..5d19868 --- a/templates/_helpers.tpl +++ b/charts/dbildungs-iam-ldap/templates/_helpers.tpl @@ -1,4 +1,3 @@ -{{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. */}} 
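Review bot: The example `ldapsearch` in the new NOTES.txt passes the admin password on the command line with `-w $LDAP_ADMIN_PASSWORD`, which exposes it in the process list and shell history, and it points at plaintext `ldap://` on `service.ldapPort` although the chart also exposes an LDAPS port (`service.enableSslLdapPort` in the README table). Suggest `-W` (interactive prompt) or `-y /path/to/password-file` in place of `-w`, and a second line showing `ldaps://` on the SSL port with a remark that the `ldap://` form is for in-cluster testing only. The base DN `dc=example,dc=org` and bind DN are hard-coded while `global.ldapDomain` is a chart value; if the `global.baseDomain` helper referenced in `_helpers.tpl` still exists, rendering `{{ include "global.baseDomain" . }}` here would keep the hint in sync with the actual suffix.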
@@ -49,74 +48,7 @@ Generate chart secret name {{ default (include "openldap.fullname" .) .Values.global.existingSecret }} {{- end -}} -{{/* -Generate olcServerID list -*/}} -{{- define "olcServerIDs" }} -{{- $name := (include "openldap.fullname" .) }} -{{- $namespace := .Release.Namespace }} -{{- $cluster := .Values.replication.clusterName }} -{{- $nodeCount := .Values.replicaCount | int }} - {{- range $index0 := until $nodeCount }} - {{- $index1 := $index0 | add1 }} - olcServerID: {{ $index1 }} ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 - {{- end -}} -{{- end -}} -{{/* -Generate olcSyncRepl list -*/}} -{{- define "olcSyncRepls" -}} -{{- $name := (include "openldap.fullname" .) }} -{{- $namespace := .Release.Namespace }} -{{- $bindDNUser := .Values.global.adminUser }} -{{- $cluster := .Values.replication.clusterName }} -{{- $configPassword := ternary .Values.global.configPassword "%%CONFIG_PASSWORD%%" (empty .Values.global.existingSecret) }} -{{- $retry := .Values.replication.retry }} -{{- $timeout := .Values.replication.timeout }} -{{- $starttls := .Values.replication.starttls }} -{{- $tls_reqcert := .Values.replication.tls_reqcert }} -{{- $nodeCount := .Values.replicaCount | int }} - {{- range $index0 := until $nodeCount }} - {{- $index1 := $index0 | add1 }} - olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} - {{- end -}} -{{- end -}} - -{{/* -Generate olcSyncRepl list -*/}} -{{- define "olcSyncRepls2" -}} -{{- $name := (include "openldap.fullname" .) }} -{{- $domain := (include "global.baseDomain" .) 
}} -{{- $bindDNUser := .Values.global.adminUser }} -{{- $namespace := .Release.Namespace }} -{{- $cluster := .Values.replication.clusterName }} -{{- $adminPassword := ternary .Values.global.adminPassword "%%ADMIN_PASSWORD%%" (empty .Values.global.existingSecret) }} -{{- $retry := .Values.replication.retry }} -{{- $timeout := .Values.replication.timeout }} -{{- $starttls := .Values.replication.starttls }} -{{- $tls_reqcert := .Values.replication.tls_reqcert }} -{{- $interval := .Values.replication.interval }} -{{- $nodeCount := .Values.replicaCount | int }} - {{- range $index0 := until $nodeCount }} - {{- $index1 := $index0 | add1 }} - olcSyncrepl: - rid=10{{ $index1 }} - provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 - binddn={{ printf "cn=%s,%s" $bindDNUser $domain }} - bindmethod=simple - credentials={{ $adminPassword }} - searchbase={{ $domain }} - type=refreshAndPersist - interval={{ $interval }} - network-timeout=0 - retry="{{ $retry }} +" - timeout={{ $timeout }} - starttls={{ $starttls }} - tls_reqcert={{ $tls_reqcert }} - {{- end -}} -{{- end -}} {{/* Renders a value that contains template. @@ -217,7 +149,7 @@ Return the proper base domain tmp method to iterate through the ldapDomain */}} {{- define "tmp.baseDomain" -}} -{{- if regexMatch ".*=.*" .Values.global.ldapDomain }} +{{- if regexMatch ".*=.*,.*" .Values.global.ldapDomain }} {{- printf "%s" .Values.global.ldapDomain }} {{- else }} {{- $parts := split "." .Values.global.ldapDomain }} 
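Review bot: The tightened pattern `.*=.*,.*` in `tmp.baseDomain` no longer recognises a single-component explicit DN such as `dc=example`; values.yaml documents `ldapDomain` as "explicit (e.g dc=example,c=com) or domain based" without saying a comma is required, so such a value now falls into the `split "."` branch and is treated as a dotted domain. If the intent is to require at least two RDNs, state that where `ldapDomain` is documented; otherwise `{{- if regexMatch "=" .Values.global.ldapDomain }}` keeps the old behaviour and is simpler, since `regexMatch` is unanchored and the surrounding `.*` add nothing. The `tmp.baseDomain` define continues beyond the hunk.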
@@ -255,3 +187,77 @@ Return the ldap port {{- define "global.ldapPort" -}} {{- printf "%d" .Values.global.ldapPort -}} {{- end -}} + + + + +# Replication - need to take a look later on + +{{/* +Generate olcServerID list +*/}} +{{- define "olcServerIDs" }} +{{- $name := (include "openldap.fullname" .) }} +{{- $namespace := .Release.Namespace }} +{{- $cluster := .Values.replication.clusterName }} +{{- $nodeCount := .Values.replicaCount | int }} + {{- range $index0 := until $nodeCount }} + {{- $index1 := $index0 | add1 }} + olcServerID: {{ $index1 }} ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 + {{- end -}} +{{- end -}} + +{{/* +Generate olcSyncRepl list +*/}} +{{- define "olcSyncRepls" -}} +{{- $name := (include "openldap.fullname" .) }} +{{- $namespace := .Release.Namespace }} +{{- $bindDNUser := .Values.global.adminUser }} +{{- $cluster := .Values.replication.clusterName }} +{{- $configPassword := ternary .Values.global.configPassword "%%CONFIG_PASSWORD%%" (empty .Values.global.existingSecret) }} +{{- $retry := .Values.replication.retry }} +{{- $timeout := .Values.replication.timeout }} +{{- $starttls := .Values.replication.starttls }} +{{- $tls_reqcert := .Values.replication.tls_reqcert }} +{{- $nodeCount := .Values.replicaCount | int }} + {{- range $index0 := until $nodeCount }} + {{- $index1 := $index0 | add1 }} + olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} + {{- end -}} +{{- end -}} + +{{/* +Generate olcSyncRepl list +*/}} +{{- define "olcSyncRepls2" -}} +{{- $name := (include "openldap.fullname" .) }} +{{- $domain := (include "global.baseDomain" .) 
}} +{{- $bindDNUser := .Values.global.adminUser }} +{{- $namespace := .Release.Namespace }} +{{- $cluster := .Values.replication.clusterName }} +{{- $adminPassword := ternary .Values.global.adminPassword "%%ADMIN_PASSWORD%%" (empty .Values.global.existingSecret) }} +{{- $retry := .Values.replication.retry }} +{{- $timeout := .Values.replication.timeout }} +{{- $starttls := .Values.replication.starttls }} +{{- $tls_reqcert := .Values.replication.tls_reqcert }} +{{- $interval := .Values.replication.interval }} +{{- $nodeCount := .Values.replicaCount | int }} + {{- range $index0 := until $nodeCount }} + {{- $index1 := $index0 | add1 }} + olcSyncrepl: + rid=10{{ $index1 }} + provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 + binddn={{ printf "cn=%s,%s" $bindDNUser $domain }} + bindmethod=simple + credentials={{ $adminPassword }} + searchbase={{ $domain }} + type=refreshAndPersist + interval={{ $interval }} + network-timeout=0 + retry="{{ $retry }} +" + timeout={{ $timeout }} + starttls={{ $starttls }} + tls_reqcert={{ $tls_reqcert }} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml new file mode 100644 index 0000000..6fa8f6b --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml 
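Review bot: The added line `# Replication - need to take a look later on` is plain text, not a template comment; `_`-prefixed files are not rendered as manifests, but the parser still treats it as template body, so it should be `{{/* Replication - needs review */}}` like the other comments in this file. The three defines appear to be moved verbatim from the block deleted at old lines 49–122 earlier in this diff, so this hunk is a move rather than a change. The `credentials={{ $configPassword }}` / `credentials={{ $adminPassword }}` substitutions still place the plaintext password into whatever rendered object includes these helpers (presumably the replication ConfigMap) whenever `global.existingSecret` is empty; a comment such as `{{/* credentials are rendered in clear unless global.existingSecret is set, in which case %%..%% placeholders are substituted at init time */}}` would make that trade-off visible. The file also ends without a trailing newline.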
@@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: entrypoint-script + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "openldap.name" . }} + chart: {{ template "openldap.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} +data: + 01.sh: | + #!/bin/sh + set -e + # found no way to check if ldap server is running with a while statement + sleep 5 + # it is important that the modify.ldif runs first, otherwise it fails since the ACLS have to get adjusted first + ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif + # no sure why this sleep is needed again - but it is + sleep 10 + /bin/bash /script/02.sh + + # this script is needed so that Helm Chart is stable if persistence is enabled + # it applies changes if they are new, but modifies them if they already exist + 02.sh: | + LDIF_FILE="/ldap-configuration/apply/apply.ldif" + + # Function to process each entry + process_entry() { + local entry_dn="$1" + local entry_ldif="$2" + + # Check if entry exists + ldapsearch -Y External -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1 + + if [ $? 
-eq 0 ]; then + echo "Entry already exists: $entry_dn, updating entry by running ldapmodify" + echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y External -H ldapi:/// + else + echo "Entry does not exist, adding entry: $entry_dn" + echo "$entry_ldif" | ldapadd -Y External -H ldapi:/// + fi + } + + # Read the LDIF file and process each entry + current_dn="" + current_entry="" + + # Read the LDIF file line by line + while IFS= read -r line || [[ -n "$line" ]]; do + # Check for dn line to identify new entry + if echo "$line" | grep -q "^dn:"; then + # If current_dn is set, process the previous entry + if [ -n "$current_dn" ]; then + process_entry "$current_dn" "$current_entry" + fi + # Start a new entry + current_dn=$(echo "$line" | cut -d' ' -f2-) + current_entry="$line" + else + # Accumulate the current entry + current_entry="$current_entry"$'\n'"$line" + fi + done < "$LDIF_FILE" + + # Process the last entry in the file + if [[ -n "$current_dn" ]]; then + process_entry "$current_dn" "$current_entry" + fi \ No newline at end of file diff --git a/templates/configmap-customfiles.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml similarity index 100% rename from templates/configmap-customfiles.yaml rename to charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml diff --git a/templates/configmap-customldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customldif.yaml old mode 100755 new mode 100644 similarity index 94% rename from templates/configmap-customldif.yaml rename to charts/dbildungs-iam-ldap/templates/configmap-customldif.yaml index f060d1d..b47d092 --- a/templates/configmap-customldif.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-customldif.yaml @@ -7,6 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "openldap.fullname" . }}-customldif + namespace: {{ .Release.Namespace }} labels: app: {{ template "openldap.name" . }} chart: {{ template "openldap.chart" . }} 
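Review bot: In `02.sh` the update branch pipes the entry through `sed 's/^dn: .*/changetype: modify/'`, which replaces the `dn:` line itself instead of inserting after it, so the LDIF handed to `ldapmodify` has no DN; `sed '/^dn: /a changetype: modify'` keeps the DN and adds the changetype below it, and even then a plain attribute list is not a valid modify body without `replace:`/`add:` directives — I cannot see apply.ldif, so please verify against an existing entry. `01.sh` relies on `sleep 5` and `sleep 10` to wait for slapd; a readiness loop such as `until ldapsearch -Y EXTERNAL -H ldapi:/// -s base -b '' >/dev/null 2>&1; do sleep 1; done` removes the race the comment mentions instead of guessing a delay. The ConfigMap name `entrypoint-script` is not derived from `openldap.fullname`, so two releases in one namespace would overwrite each other's script; `name: {{ template "openldap.fullname" . }}-entrypoint-script` (with the matching change in the statefulset volume) avoids that. `02.sh` also lacks a shebang and `set -e`, so a failed `ldapadd` on one entry does not stop the run; say in a comment whether that is intended.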
diff --git a/templates/configmap-customschema.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml old mode 100755 new mode 100644 similarity index 100% rename from templates/configmap-customschema.yaml rename to charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml diff --git a/templates/configmap-env.yaml b/charts/dbildungs-iam-ldap/templates/configmap-env.yaml old mode 100755 new mode 100644 similarity index 65% rename from templates/configmap-env.yaml rename to charts/dbildungs-iam-ldap/templates/configmap-env.yaml index b298910..f875bf8 --- a/templates/configmap-env.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-env.yaml @@ -1,13 +1,8 @@ -# -# A ConfigMap spec for openldap slapd that map directly to env variables in the Pod. -# List of environment variables supported is from the docker image: -# https://hub.docker.com/r/bitnami/openldap/ -# Note that passwords are defined as secrets -# apiVersion: v1 kind: ConfigMap metadata: name: {{ template "openldap.fullname" . }}-env + namespace: {{ .Release.Namespace }} labels: app: {{ template "openldap.name" . }} chart: {{ template "openldap.chart" . }} @@ -19,17 +14,9 @@ metadata: data: LDAP_ROOT: {{ include "global.baseDomain" . }} LDAP_EXTRA_SCHEMAS: {{ print "cosine,inetorgperson,nis," (include "openldap.schemaFiles" .) }} - {{- if .Values.users }} - LDAP_USERS: {{ .Values.users }} - {{- end }} - {{- if .Values.userPasswords }} - LDAP_PASSWORDS: {{ .Values.userPasswords }} - {{- end }} - {{- if .Values.group }} - LDAP_GROUP: {{ .Values.group }} - {{- end }} LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/tls.crt LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/tls.key + # the var has to be set even though we do not provide a value # content of tls.crt seems to get inserted if nothing is provided LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/ca.crt {{- if .Values.global.configUserEnabled }} LDAP_CONFIG_ADMIN_ENABLED: "yes" 
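Review bot: The deleted six-line header was the only description of what this ConfigMap is for (environment variables of the bitnami/openldap image, passwords kept in the Secret), and nothing replaces it; keep a one-line header such as `# Non-secret environment variables for the bitnami/openldap container; passwords come from the Secret.` The two comment lines now above `LDAP_TLS_CA_FILE` read as one sentence split in half; merging them into `# LDAP_TLS_CA_FILE must be set even when no CA is supplied — otherwise the content of tls.crt appears to be used as the CA` makes the caveat readable. The same `namespace:` addition appears in the customldif and replication ConfigMaps; a single note here covers them.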
diff --git a/templates/configmap-replication-acls.yaml b/charts/dbildungs-iam-ldap/templates/configmap-replication.yaml old mode 100755 new mode 100644 similarity index 71% rename from templates/configmap-replication-acls.yaml rename to charts/dbildungs-iam-ldap/templates/configmap-replication.yaml index 2b9382d..39118f2 --- a/templates/configmap-replication-acls.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-replication.yaml @@ -1,11 +1,15 @@ # # A ConfigMap spec for openldap slapd that map directly to files under # /container/service/slapd/assets/config/bootstrap/ldif/custom -# + +# files are placed in /opt/bitnami/openldap/etc/schema +# Starts to run within the adding LDAP extra schemas Section + apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "openldap.fullname" . }}-replication-acls + name: {{ template "openldap.fullname" . }}-replication + namespace: {{ .Release.Namespace }} labels: app: {{ template "openldap.name" . }} chart: {{ template "openldap.chart" . }} @@ -15,7 +19,7 @@ metadata: {{ toYaml .Values.extraLabels | indent 4 }} {{- end }} data: - # replication + # Replication syncprov.ldif: | # Load syncprov module dn: cn=module,cn=config @@ -61,23 +65,3 @@ data: changetype: modify add: olcMirrorMode olcMirrorMode: TRUE - # acls - acls.ldif: | -{{- if .Values.customAcls }} - {{- .Values.customAcls | nindent 4 }} -{{- else }} - dn: olcDatabase={2}mdb,cn=config - changetype: modify - replace: olcAccess - olcAccess: {0}to * - by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage - by * break - olcAccess: {1}to attrs=userPassword,shadowLastChange - by self write - by dn="{{ include "global.bindDN" . }}" write - by anonymous auth by * none - olcAccess: {2}to * - by dn="{{ include "global.bindDN" . }}" write - by self read - by * none -{{- end }} 
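Review bot: With `acls.ldif` removed in the last hunk this chart no longer ships any `olcAccess` rules; the values.yaml comment says ACL changes are now delivered through the `dbildungs-iam-ldap-configuration` secret applied by the postStart hook, which means slapd runs with the image's default ACLs from startup until that hook completes, and a hook failure leaves them in place — this should be stated in the header comment of this file and next to `customLdifFiles` in values.yaml. The updated header also contradicts itself: the kept line says the files map to `/container/service/slapd/assets/config/bootstrap/ldif/custom`, the new line says `/opt/bitnami/openldap/etc/schema`, and the statefulset mounts this ConfigMap at `/cm-schemas-acls` and copies it to `/custom_config`; keep only the path that is actually true. The volume is still called `replication-acls` and the mount `/cm-schemas-acls` although the ACLs are gone, which will mislead the next reader.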
diff --git a/charts/dbildungs-iam-ldap/templates/metrics-deployment.yml b/charts/dbildungs-iam-ldap/templates/metrics-deployment.yml new file mode 100644 index 0000000..162c60c --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/metrics-deployment.yml 
@@ -0,0 +1,66 @@ +{{- if .Values.metrics.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "openldap.fullname" . }}-metrics + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics + chart: {{ template "openldap.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.metrics.replicaCount }} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + selector: + matchLabels: + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics + template: + metadata: + labels: + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics + spec: + automountServiceAccountToken: false + containers: + - name: {{ template "openldap.fullname" . }}-metrics + image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}" + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | default "Always"}} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ports: + - name: {{ (index .Values.metrics.ports 0).name }} + protocol: TCP + containerPort: {{ (index .Values.metrics.ports 0).containerPort }} + env: + - name: LDAP_ADDR + value: "{{ template "openldap.fullname" . }}-0.{{ template "openldap.fullname" . 
}}-headless.{{ .Release.Namespace }}.svc.cluster.local:1389" + - name: LDAP_USER + value: uid=monitoring_user,ou=users,dc=schule-sh,dc=de + - name: INTERVAL + value: 10s + - name: LDAP_PASS + valueFrom: + secretKeyRef: + name: {{ template "openldap.fullname" . }} + key: LDAP_MONITORING_PASSWORD + resources: +{{ toYaml .Values.metrics.resources | indent 12 }} +{{ end }} + diff --git a/charts/dbildungs-iam-ldap/templates/metrics-service.yml b/charts/dbildungs-iam-ldap/templates/metrics-service.yml new file mode 100644 index 0000000..608ff58 --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/metrics-service.yml @@ -0,0 +1,23 @@ +{{- if .Values.metrics.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "openldap.fullname" . }}-metrics + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics + chart: {{ template "openldap.chart" . }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: metrics + protocol: TCP + port: {{ (index .Values.metrics.service.ports 0).port }} + targetPort: {{ (index .Values.metrics.service.ports 0).name }} + selector: + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics +{{ end }} diff --git a/charts/dbildungs-iam-ldap/templates/metrics-servicemonitor.yml b/charts/dbildungs-iam-ldap/templates/metrics-servicemonitor.yml new file mode 100644 index 0000000..c197b84 --- /dev/null +++ b/charts/dbildungs-iam-ldap/templates/metrics-servicemonitor.yml 
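Review bot: `LDAP_USER` is hard-coded to `uid=monitoring_user,ou=users,dc=schule-sh,dc=de` and `LDAP_ADDR` to `...svc.cluster.local:1389`, so the exporter stops working as soon as `global.ldapDomain`, `clusterDomain` or the LDAP port is changed in values; derive them instead, e.g. `value: "uid=monitoring_user,ou=users,{{ include "global.baseDomain" . }}"` and `svc.{{ .Values.clusterDomain }}:<port>` where the port comes from the same value the headless Service uses rather than the literal 1389. Unlike the metrics Service in the next hunk, this Deployment sets no `namespace:`, which is inconsistent within the same commit. The image is pulled as `ollijanatuinen/openldap-exporter:v2.0` from a personal Docker Hub repository with no digest, so what runs with the LDAP monitoring credentials is not pinned; the values comment already flags this, but until a forked image exists a `@sha256:` digest in `metrics.image.tag` would at least make the deployment reproducible.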
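Review bot: `metrics.service.annotations`, `metrics.service.labels` and `metrics.service.type` are declared in values.yaml but this template never renders them (`type` is fixed to `ClusterIP`), so they suggest configuration that has no effect; either render them, e.g. `type: {{ .Values.metrics.service.type }}` and an `if`-guarded `annotations: {{- toYaml .Values.metrics.service.annotations | nindent 4 }}`, or drop the keys from values. Only the first entry of `metrics.service.ports` is used, which the list form in values does not make obvious; a comment there saying only index 0 is read would prevent surprises.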
@@ -0,0 +1,23 @@ +{{- if .Values.metrics.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "openldap.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: {{ template "openldap.fullname" . }} + app.kubernetes.io/managed-by: Helm + chart: {{ template "openldap.chart" . }} + release: {{ .Release.Name }} +spec: + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/component: {{ template "openldap.fullname" . }}-metrics + chart: {{ template "openldap.chart" . }} + endpoints: + - port: {{ (index .Values.metrics.serviceMonitor.endpoints 0).port }} + path: {{ (index .Values.metrics.serviceMonitor.endpoints 0).path }} +{{ end }} \ No newline at end of file diff --git a/templates/pod-disruption-budget.yaml b/charts/dbildungs-iam-ldap/templates/pod-disruption-budget.yaml similarity index 100% rename from templates/pod-disruption-budget.yaml rename to charts/dbildungs-iam-ldap/templates/pod-disruption-budget.yaml diff --git a/templates/secret.yaml b/charts/dbildungs-iam-ldap/templates/secret.yaml old mode 100755 new mode 100644 similarity index 100% rename from templates/secret.yaml rename to charts/dbildungs-iam-ldap/templates/secret.yaml diff --git a/templates/service.yaml b/charts/dbildungs-iam-ldap/templates/service.yaml similarity index 82% rename from templates/service.yaml rename to charts/dbildungs-iam-ldap/templates/service.yaml index a43ba11..83e9bb9 100644 --- a/templates/service.yaml +++ b/charts/dbildungs-iam-ldap/templates/service.yaml 
@@ -17,11 +17,11 @@ metadata: {{- end }} spec: type: {{ .Values.service.type }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- if .Values.service.externalIp }} + loadBalancerIP: {{ (lookup "v1" "Secret" .Release.Namespace .Values.existingSecret.name ).data.LOADBALANCER_IP | b64dec }} {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- if .Values.service.SourceRangesRestriction }} + loadBalancerSourceRanges: {{ (lookup "v1" "Secret" .Release.Namespace .Values.existingSecret.name ).data.LOADBALANCER_SOURCERANGES | b64dec }} {{- end }} ports: {{- if .Values.service.enableLdapPort }} diff --git a/templates/serviceaccount.yaml b/charts/dbildungs-iam-ldap/templates/serviceaccount.yaml similarity index 100% rename from templates/serviceaccount.yaml rename to charts/dbildungs-iam-ldap/templates/serviceaccount.yaml diff --git a/templates/statefulset.yaml b/charts/dbildungs-iam-ldap/templates/statefulset.yaml similarity index 90% rename from templates/statefulset.yaml rename to charts/dbildungs-iam-ldap/templates/statefulset.yaml index 6cedc13..1f9a26c 100644 --- a/templates/statefulset.yaml +++ b/charts/dbildungs-iam-ldap/templates/statefulset.yaml @@ -63,6 +63,10 @@ spec: cp -p -f /cm-schemas-acls/*.ldif /custom_config/ echo "let the replication takes care of everything :)" fi + cp /tmp-init-scripts/01.sh /script/01.sh && + cp /tmp-init-scripts/02.sh /script/02.sh && + chmod +x /script/01.sh + chmod +x /script/02.sh {{- if .Values.global.existingSecret }} sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/* sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/* 
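Review bot: `lookup` returns an empty map when the chart is rendered without cluster access (`helm template`, `--dry-run`, CI linting), so `.data.LOADBALANCER_IP` on that result fails the render whenever `service.externalIp` is true; guard it with `{{- $lbSecret := lookup "v1" "Secret" .Release.Namespace .Values.existingSecret.name }}`, `{{- if and .Values.service.externalIp $lbSecret }}` and reference `$lbSecret.data.LOADBALANCER_IP | b64dec`. `loadBalancerSourceRanges` expects a list and a base64-decoded secret value is one string, so the secret content must itself be a YAML/JSON list literal for the manifest to validate; values.yaml only says to "set the key", so a comment stating the expected format would prevent a hard-to-diagnose apply error. Dropping the `eq .Values.service.type "LoadBalancer"` guard means both fields can now be emitted for ClusterIP/NodePort services, where they are at best ignored and, for the source ranges, may be rejected by API validation.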
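Review bot: The four added lines chain the two `cp` commands and the first `chmod` with `&&` but run the second `chmod` unconditionally, so a failed copy leaves the scripts in a partial state while the shell continues into the `sed` lines below; either chain all four with `&&` or put `set -e` at the top of this `sh -c` script (which starts outside the hunk) and write them as plain lines. A short comment would help the next reader, e.g. `# copy to the writable-init-scripts emptyDir: the ConfigMap mount is read-only, so chmod +x is not possible there`, since the reason for the copy is only visible from the volume definitions much further down.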
@@ -74,6 +78,14 @@ spec: resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }} {{- end }} volumeMounts: + - name: init-scripts + mountPath: /tmp-init-scripts + - name: writable-init-scripts + mountPath: /script + - name: ldap-configuration-apply + mountPath: /ldap-configuration/apply/ + - name: ldap-configuration-modify + mountPath: /ldap-configuration/modify/ {{- if .Values.customSchemaFiles }} {{- range $file := (include "openldap.customSchemaFiles" . | split ",") }} - name: cm-custom-schema-files @@ -89,7 +101,7 @@ spec: - name: custom-ldif-files mountPath: /custom-ldifs/ {{- end }} - - name: cm-replication-acls + - name: cm-replication mountPath: "/cm-schemas-acls" - name: replication-acls mountPath: "/custom_config" @@ -109,10 +121,13 @@ spec: - -c - | {{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }} + echo "Tls files are loaded from a secret" {{- else }} + echo "Generating tls.key, tls.crt and ca.crt" openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN={{ .Values.global.ldapDomain }}' -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365 chmod 777 /tmp-certs/* {{- end }} + echo "Moving files related to TLS where they belong" cp -Lr /tmp-certs/* /certs [ -e /certs/ca.crt ] || cp -a /certs/tls.crt /certs/ca.crt {{- if .Values.containerSecurityContext.enabled }} 
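Review bot: The init container gains mounts for `ldap-configuration-apply` and `ldap-configuration-modify` in the first hunk, but nothing in the visible init script reads `/ldap-configuration/*`; the scripts that consume those files run in the main container via the postStart hook. If the mounts exist only alongside the `cp` of `01.sh`/`02.sh`, drop the two Secret mounts from the init container so the LDIF Secrets, which carry ACL and password-related changes, are exposed to a single container. In the TLS hunk the added `echo` lines are fine, but the context line `chmod 777 /tmp-certs/*` makes the freshly generated private key world-readable inside the pod; as a follow-up, `chmod 644 /tmp-certs/tls.crt /tmp-certs/ca.crt` plus `chmod 640 /tmp-certs/tls.key` (or an fsGroup on the volume) is the safer form, provided the openldap user can still read the key.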
@@ -131,9 +146,10 @@ spec: image: {{ include "openldap.volumePermissionsImage" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.image.command "context" $) | nindent 12 }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} + securityContext: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} {{- end }} @@ -141,7 +157,6 @@ spec: - mountPath: /bitnami name: data {{- end }} - serviceAccountName: {{ template "openldap.serviceAccountName" . }} {{- include "openldap.imagePullSecrets" . | nindent 6 }} {{- if .Values.hostAliases }} @@ -161,9 +176,6 @@ spec: {{- if .Values.schedulerName }} schedulerName: {{- .Values.schedulerName | quote }} {{- end }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} @@ -243,8 +255,14 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: writable-init-scripts + mountPath: /script - name: data mountPath: /bitnami/openldap/ + - name: ldap-configuration-apply + mountPath: /ldap-configuration/apply + - name: ldap-configuration-modify + mountPath: /ldap-configuration/modify - name: certs mountPath: /opt/bitnami/openldap/certs {{- range $file := (include "openldap.builtinSchemaFiles" . | split ",") }} 
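Review bot: The pod-level `securityContext` rendered from `.Values.podSecurityContext` is removed entirely in the third hunk, yet the new values.yaml still defines `podSecurityContext.enabled: true` with `runAsNonRoot` and `seccompProfile`, so those settings are now silently ignored and no pod-level `runAsNonRoot`/`seccompProfile` is applied; either restore `{{- if .Values.podSecurityContext.enabled }}` / `securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}` or delete the key from values and document why. The `volumePermissions` init container now carries a fixed `securityContext` with no `runAsUser`/`runAsNonRoot`, which presumably means it runs as the image default (root) to perform `chmod -R g+rwX /bitnami`; if that is required, say so in a comment next to the block, since it is the one container in the pod without a non-root guarantee. Removing `serviceAccountName` in the second hunk makes the pod use the namespace `default` service account, so `serviceAccount.automountServiceAccountToken: false` in values no longer reaches this pod unless `automountServiceAccountToken: false` is set on the pod spec itself — that part of the spec is outside the hunk, please check.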
@@ -285,9 +303,22 @@ spec: claimName: {{ .Values.persistence.existingClaim }} {{- end }} {{- end }} - - name: cm-replication-acls + - name: init-scripts + configMap: + name: entrypoint-script + - name: writable-init-scripts + emptyDir: {} + - name: ldap-configuration-apply + secret: + # could make the secret name variable + secretName: dbildungs-iam-ldap-config-apply + - name: ldap-configuration-modify + secret: + # could make the secret name variable + secretName: dbildungs-iam-ldap-config-modify + - name: cm-replication configMap: - name: {{ template "openldap.fullname" . }}-replication-acls + name: {{ template "openldap.fullname" . }}-replication - name: replication-acls emptyDir: medium: Memory diff --git a/templates/svc-headless.yaml b/charts/dbildungs-iam-ldap/templates/svc-headless.yaml old mode 100755 new mode 100644 similarity index 100% rename from templates/svc-headless.yaml rename to charts/dbildungs-iam-ldap/templates/svc-headless.yaml diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml new file mode 100644 index 0000000..fda991f --- /dev/null +++ b/charts/dbildungs-iam-ldap/values.yaml 
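Review bot: The two new Secret volumes use the literal names `dbildungs-iam-ldap-config-apply` and `dbildungs-iam-ldap-config-modify`, and the ConfigMap volume the literal `entrypoint-script`, while every other volume here derives its name from `openldap.fullname`; a second release in the namespace, or a `fullnameOverride`, silently picks up the wrong objects. The comments already say `# could make the secret name variable` — `secretName: {{ .Values.existingSecret.name }}-config-apply` (and `-modify`) ties them to the `existingSecret.name` value the service template already relies on, and `name: {{ template "openldap.fullname" . }}-entrypoint-script` matches the rest. Because the pod cannot start until both Secrets exist, the requirement to pre-create them (and the expected keys) belongs next to `existingSecret` in values.yaml and in NOTES.txt, not only in a comment here.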
@@ -0,0 +1,351 @@ +global: + imageRegistry: "" + #imagePullSecrets: [""] + ## ldapDomain , can be explicit (e.g dc=example,c=com) or domain based (e.g example.com) + ldapDomain: "schule-sh.de" # translates to LDAP_ROOT + # Specifies an existing secret to be used for admin and config user passwords. The expected key are LDAP_ADMIN_PASSWORD and LDAP_CONFIG_ADMIN_PASSWORD. + existingSecret: "" + # If you do not set the credentials via this secret but via the ENV the Helm Chart will fail (permission issue) + adminUser: "admin" # LDAP_ADMIN_USERNAME + # adminPassword: "" # LDAP_CONFIG_ADMIN_PASSWORD + configUserEnabled: true # LDAP_CONFIG_ADMIN_ENABLED (default: no) + configUser: "config" # LDAP_CONFIG_ADMIN_USERNAME + # configPassword: "" # LDAP_CONFIG_ADMIN_USERNAME + ldapPort: 389 # LDAP_PORT_NUMBER + sslLdapPort: 636 # LDAP_LDAPS_PORT_NUMBER + +nameOverride: "" +fullnameOverride: "" + + +# this is not so clean -can this get deleted? +# used extra secret var since you can not reference the global one +existingSecret: + enabled: true + name: dbildungs-iam-ldap + +image: + repository: bitnami/openldap + tag: 2.6.6 + pullPolicy: Always + pullSecrets: [] + +extraLabels: {} + +service: + annotations: {} + ## If service type NodePort, define the value here + # ldapPortNodePort: + # sslLdapPortNodePort: + + enableLdapPort: true + enableSslLdapPort: true + + sessionAffinity: None + type: ClusterIP + # type: LoadBalancer + externalIp: false + # if enabled you need to have to set the LOADBALANCER_IP key with value in the existingSecret + # externalIp: true + SourceRangesRestriction: false + # if enabled you need to have to set the LOADBALANCER_SOURCERANGES key with value in the existingSecret + # servicecenter für den prometheus blackbox exporter freischalten + # SourceRangesRestriction: true + # enableLdapPort: false + +# enable this service block and disable the service one above, to make LDAP outside the cluster available +# Note that only one namespace at a time can use 
this feature!! +# service: +# enableSslLdapPort: true +# type: LoadBalancer +# externalIp: true +# SourceRangesRestriction: false + + +# Use the env variables from https://hub.docker.com/r/bitnami/openldap/ +env: + BITNAMI_DEBUG: "true" + LDAP_LOGLEVEL: "256" + # LDAP_LOGLEVEL: "16384" + + # Configuration + LDAP_SKIP_DEFAULT_TREE: "yes" + LDAP_ULIMIT_NOFILES: "1024" # staging and prod: 4096 + # if something is not needed it can get removed by just not mentioning it here # order is importand, do not put nis in front, always append it + # is this is enabled replication is not working + # LDAP_EXTRA_SCHEMAS: cosine,inetorgperson,nis + + # Security + LDAP_ENABLE_TLS: "yes" + # LDAP_ENABLE_TLS: "no" # disable it for testing with phpldapadmin + # LDAP_REQUIRE_TLS: "yes" # not sure whether this is necessary, it breaks stuff + LDAPTLS_REQCERT: "never" + LDAP_TLS_ENFORCE: "false" + LDAP_ALLOW_ANON_BINDING: "no" + + # Accesslog + LDAP_ENABLE_ACCESSLOG: "yes" + LDAP_ACCESSLOG_LOGPURGE: "30+00:00 30+00:00" # min and max value + +pdb: + enabled: false + minAvailable: 1 + maxUnavailable: "" + +# Custom openldap schema files used to be used in addition to default schemas +# Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var +# after chart default schemas, allowing you to control the loading sequence. 
+# customSchemaFiles: +# custom.ldif: |- +# # custom schema +# anothercustom.ldif: |- +# # another custom schema + + +# Custom openldap configuration files used to override default settings +# can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required +# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles +# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret +customLdifFiles: + 00-root.ldif: |- + dn: dc=schule-sh,dc=de + dc: schule-sh + objectClass: dcObject + objectClass: organization + o: SPSH + +replicaCount: 1 + +# will have to work on this +replication: + enabled: false + clusterName: "cluster.local" + retry: 60 + timeout: 1 + interval: 00:00:00:10 + starttls: "critical" + tls_reqcert: "never" + +persistence: + enabled: false + # existingClaim: openldap-pvc + accessModes: + - ReadWriteOnce + size: 8Gi + storageClass: "" + +resources: + limits: + cpu: 2 + memory: 4G + requests: + cpu: 200m + memory: 200Mi + +# enabling other features makes it so that ldap container fails with not enough permissions +containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # seccompProfile: + # type: "RuntimeDefault" + +podSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + +existingConfigmap: +command: [] +args: [] +hostAliases: [] +podLabels: {} +podAnnotations: {} +podAffinityPreset: "" +podAntiAffinityPreset: soft +nodeAffinityPreset: + type: "" + key: "" + values: [] +affinity: {} +nodeSelector: {} +tolerations: [] 
+updateStrategy: + type: RollingUpdate + +priorityClassName: "" +schedulerName: "" + +extraEnvVars: [] +extraEnvVarsCM: +extraEnvVarsSecret: +extraVolumes: [] +extraVolumeMounts: [] + +serviceAccount: + create: false + name: "" + automountServiceAccountToken: false + annotations: {} + +kubeVersion: "" +commonLabels: {} +commonAnnotations: {} +clusterDomain: cluster.local +extraDeploy: [] + +metrics: + enabled: true + replicaCount: 1 + image: + # we should create an own forked repo and publish the image + repository: ollijanatuinen/openldap-exporter + tag: v2.0 + pullPolicy: IfNotPresent + ports: + - name: metrics + containerPort: 9330 + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 200m + memory: 500Mi + + service: + type: ClusterIP + annotations: {} + labels: {} + ports: + - name: metrics + port: 9330 + + ## Prometheus Operator ServiceMonitor configuration + serviceMonitor: + enabled: true + endpoints: + - port: "metrics" + path: /metrics + +## Init Container Parameters +initSchema: + image: + repository: debian + tag: latest + pullPolicy: Always + pullSecrets: [] + +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## command: ['sh', '-c', 'echo "hello world"'] +## + +## 'initTlsSecret' init container parameters +## need a secret with tls.crt, tls.key +initTLSSecret: + # adminldap, per default disabled only works with tls_enabled + tls_enabled: false + # tls_enabled: true # needs to get enabled if you want to make the service available to the outside + # Note that only one namespace at a time can use this feature and that you need to copy a tls secret into the namespace, see Confluence for more information + image: + registry: docker.io + repository: alpine/openssl + tag: latest + pullPolicy: IfNotPresent + secret: "" + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 200m + memory: 200Mi + +volumePermissions: + enabled: true + image: + registry: docker.io + repository: 
bitnami/bitnami-shell + tag: 10-debian-10 + pullPolicy: IfNotPresent + command: [ 'sh', '-c', 'chmod -R g+rwX /bitnami' ] + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 200m + memory: 200Mi + +sidecars: {} + +lifecycleHooks: + postStart: + exec: + command: ["sh", "-c", "/script/01.sh"] + +livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 10 +readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 10 +startupProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 30 +customLivenessProbe: {} +customReadinessProbe: {} +customStartupProbe: {} + +## phpldapadmin +## For more parameters check following file: ./charts/phpldapadmin/values.yaml +# if you want to use phpldapadmin for debugging set: +# initTLSSecret: + # tls_enabled: false +# env: + # LDAP_ENABLE_TLS: "no" +phpldapadmin: + enabled: false + image: + tag: 0.9.0 + env: + PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never" + ingress: + enabled: true + annotations: {} + # ingressClassName: nginx + path: / + pathType: Prefix + hosts: + - phpldapadmin.example + tls: [] + # - secretName: phpldapadmin.example + # hosts: + # - phpldapadmin.example diff --git a/charts/ltb-passwd/.helmignore b/charts/ltb-passwd/.helmignore deleted file mode 100755 index 50af031..0000000 --- a/charts/ltb-passwd/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ 
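Review bot: `env.LDAPTLS_REQCERT: "never"`, `env.LDAP_TLS_ENFORCE: "false"` and `replication.tls_reqcert: "never"` disable certificate verification for client tools and replication peers, so TLS here provides encryption but no peer authentication; that is understandable while the init container generates a self-signed certificate, but the file should say so, e.g. `# "never" skips peer verification; switch to "demand" once initTLSSecret provides a CA-signed certificate`. The inline comments on the commented-out password keys are wrong: `adminPassword` is labelled `LDAP_CONFIG_ADMIN_PASSWORD` and `configPassword` is labelled `LDAP_CONFIG_ADMIN_USERNAME`, while the `existingSecret` comment a few lines above correctly names `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_ADMIN_PASSWORD`. `podSecurityContext` lists `privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `capabilities`, which are container-level fields the pod `securityContext` schema does not accept, so the block cannot be rendered at pod level as written. `initSchema.image.tag: latest` and `initTLSSecret.image.tag: latest` with `pullPolicy: Always`, plus the exporter from a personal Docker Hub repository, make the rendered pods non-reproducible; pin versioned tags or digests (the `# we should create an own forked repo` comment already notes the exporter). `replication.interval: 00:00:00:10` is an unquoted colon-separated scalar and should be quoted so YAML 1.1 tooling cannot read it as a sexagesimal number.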
diff --git a/charts/ltb-passwd/Chart.yaml b/charts/ltb-passwd/Chart.yaml deleted file mode 100755 index c7ce2dd..0000000 --- a/charts/ltb-passwd/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -appVersion: "1.3" -description: LTB Project Password self service -name: ltb-passwd -version: 0.1.0 diff --git a/charts/ltb-passwd/README.md b/charts/ltb-passwd/README.md deleted file mode 100755 index 9aa0f98..0000000 --- a/charts/ltb-passwd/README.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# LTB Password Self Service Helm Chart - -This repository contains the helm chart for the LTB password change webapp. -It is based on several other projects, namely: - -- [LTB Self-Service Password](https://ltb-project.org/documentation/self-service-password) -- [LTB Self-Service Password Github Repo](https://github.com/ltb-project/self-service-password) -- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password) - -## Prerequisites - -- Kubernetes 1.8+ - -## Chart Details - -This chart will do the following: - -- Instantiate an instance of the LTB LDAP Self-Service Password webapp. - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```bash -$ helm install --name my-release $PATH_TO_THIS_REPO -``` - -## Configuration - -We use this image as base image, please refer to the documentation for specific options. - -- [tiredofit Docker Image for the LTB repo](https://github.com/tiredofit/docker-self-service-password) - -Configuration is done within `values.yaml`: - -| Parameter | Description | Default | -| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | -| `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/tiredofit/docker-self-service-password for available ones | `[see values.yaml]`| -| `ldap.bindDN` | bindDN to authenticate on LDAP. Optional. Default to cn=admin,dc=... | ` ` | -| `ldap.passkey` | key of credential secret to authenticate on LDAP. Optional. Default to LDAP_ADMIN_PASSWORD | ` ` | -| `ldap.searchBase` | LDAP Search base for users. Default to dc=... 
| ` ` | -| `ldap.custom` | LDAP client custom configuration | ` ` | -| `replicaCount` | Number of replicas | `1` | -| `image.repository` | Container image repository | ` tiredofit/self-service-password` | -| `image.tag` | Container image tag | `latest` | -| `image.pullPolicy` | Container pull policy | `Default` | -| `service.port` | External port for the WebApp | `80` | -| `service.type` | Service type | `ClusterIP` | -| `ingress.enabled` | Whether to generate ingress resources | `false` | -| `ingress.annotations` | Annotations to add to the ingress | `{}` | -| `ingress.ingressClassName` | Ingress class name; required for kubernetes 1.18+ | `nil` | -| `ingress.hosts` | Hostnames to redirect to the webapp | `[]` | -| `ingress.tls` | TLS Configuration | `[]` | -| `resources` | Container resource requests and limits in yaml | `{}` | -| `initContainers` | Init containers to add to the application | `[]` | -| `volumeMounts` | Additional volumeMounts to the application main container | `[]` | -| `volumes` | Additional volumes to the application pod | `[]` | -| `nodeSelector` | NodeSelector to run the image on | `{}` | -| `tolerations` | Tolerations for the service pod | `[]` | -| `affinity` | Attractions for the service pod | `{}` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```bash -$ helm install --name my-release -f values.yaml $PATH_TO_THIS_REPO -``` \ No newline at end of file diff --git a/charts/ltb-passwd/templates/NOTES.txt b/charts/ltb-passwd/templates/NOTES.txt deleted file mode 100755 index f34c0df..0000000 --- a/charts/ltb-passwd/templates/NOTES.txt +++ /dev/null @@ -1 +0,0 @@ -Happy password changing :) \ No newline at end of file diff --git a/charts/ltb-passwd/templates/_helpers.tpl b/charts/ltb-passwd/templates/_helpers.tpl deleted file mode 100755 index f18b7e1..0000000 
--- a/charts/ltb-passwd/templates/_helpers.tpl
+++ /dev/null
@@ -1,66 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "ltb-passwd.name" -}}
-{{ default (printf "%s-ltb" .Release.Name) .Values.nameOverride }}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "ltb-passwd.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "ltb-passwd.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Common labels
-*/}}
-{{- define "ltb-passwd.labels" -}}
-app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
-helm.sh/chart: {{ include "ltb-passwd.chart" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
-{{/*
-Generate chart secret name
-*/}}
-{{- define "ltb-passwd.secretName" -}}
-{{ default (include "ltb-passwd.fullname" .) 
.Values.global.existingSecret }}
-{{- end -}}
-
-{{/*
-Return the proper Openldap image name
-*/}}
-{{- define "ltb-passwd.image" -}}
-{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}}
-{{- end -}}
-
-{{/*
-Return the proper Docker Image Registry Secret Names
-*/}}
-{{- define "ltb-passwd.imagePullSecrets" -}}
-{{ include "common.images.pullSecrets" (dict "images" (list .Values.image ) "global" .Values.global) }}
-{{- end -}}
diff --git a/charts/ltb-passwd/templates/configmap-ldap.yaml b/charts/ltb-passwd/templates/configmap-ldap.yaml
deleted file mode 100644
index 93e3ab2..0000000
--- a/charts/ltb-passwd/templates/configmap-ldap.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.ldap.custom }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "ltb-passwd.fullname" . }}-ldap-cm
- labels:
- app: {{ template "ltb-passwd.name" . }}
- chart: {{ template "ltb-passwd.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
- ldap.conf: |
- {{- range $ldapconfig := .Values.ldap.custom }}
- {{ $ldapconfig.name }} {{ $ldapconfig.value }}
- {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/ltb-passwd/templates/deployment.yaml b/charts/ltb-passwd/templates/deployment.yaml
deleted file mode 100755
index e296fbf..0000000
--- a/charts/ltb-passwd/templates/deployment.yaml
+++ /dev/null
@@ -1,91 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "ltb-passwd.fullname" . }}
- labels:
-{{ include "ltb-passwd.labels" . | indent 4 }}
-spec:
- replicas: {{ default 1 .Values.replicaCount }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- template:
- metadata:
- labels:
- app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- spec:
- {{- include "ltb-passwd.imagePullSecrets" . | nindent 6 }}
- {{- if .Values.initContainers }}
- initContainers:
- {{- with .Values.initContainers }}
- {{- tpl (toYaml .) $ | nindent 6 }}
- {{- end }}
- {{- end }}
- containers:
- - name: {{ .Chart.Name }}
- image: {{ include "ltb-passwd.image" . }}
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- env:
- - name: LDAP_SERVER
- value: ldaps://{{ include "global.server" . }}:{{ .Values.global.sslLdapPort }}
- - name: LDAP_BINDDN
- value: {{ default (include "global.bindDN" .) (.Values.ldap.bindDN) }}
- - name: LDAP_BINDPASS
- valueFrom:
- secretKeyRef:
- name: {{ template "ltb-passwd.secretName" . }}
- key: {{ default "LDAP_ADMIN_PASSWORD" (.Values.ldap.passKey) }}
- - name: LDAP_BASE_SEARCH
- value: {{ default (include "global.baseDomain" . | quote) (.Values.ldap.searchBase | quote) }}
- {{- with .Values.env }}
- {{- toYaml . 
| nindent 10 }}
- {{- end }}
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /
- port: http
- readinessProbe:
- httpGet:
- path: /
- port: http
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- if or (.Values.ldap.custom) (.Values.volumeMounts) }}
- volumeMounts:
- {{- if .Values.ldap.custom }}
- - mountPath: /etc/openldap
- name: ldap-conf
- {{- end }}
- {{- if .Values.volumeMounts }}
- {{- toYaml .Values.volumeMounts | nindent 12 }}
- {{- end }}
- {{- end }}
- {{- if or (.Values.ldap.custom) (.Values.volumes) }}
- volumes:
- {{- if .Values.ldap.custom }}
- - name: ldap-conf
- configMap:
- name: {{ include "ltb-passwd.fullname" . }}-ldap-cm
- {{- end }}
- {{- with .Values.volumes }}
- {{- toYaml . | nindent 6 }}
- {{- end }}
- {{- end }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/charts/ltb-passwd/templates/ingress.yaml b/charts/ltb-passwd/templates/ingress.yaml
deleted file mode 100755
index 5943328..0000000
--- a/charts/ltb-passwd/templates/ingress.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "ltb-passwd.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-{{- $ingressPathType := .Values.ingress.pathType -}}
-apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}
- labels:
- app: {{ template "ltb-passwd.name" . }}
- chart: {{ template "ltb-passwd.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- with .Values.ingress.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
- ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-{{- end }}
-{{- if .Values.ingress.tls }}
- tls:
- {{- range .Values.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
-{{- end }}
- rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ . }}
- http:
- paths:
- - path: {{ $ingressPath }}
- {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
- pathType: {{ $ingressPathType }}
- {{- end }}
- backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
- {{- /*
- backend:
- {{- if eq (include "ingress.apiVersion" $) "networking.k8s.io/v1" }}
- service:
- name: {{ $fullName }}
- port:
- name: http
- {{- else }}
- serviceName: {{ $fullName }}
- servicePort: http
- {{- end }}
-*/ -}}
- {{- end }}
-{{- end }}
diff --git a/charts/ltb-passwd/templates/service.yaml b/charts/ltb-passwd/templates/service.yaml
deleted file mode 100755
index 2553c15..0000000
--- a/charts/ltb-passwd/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "ltb-passwd.fullname" . }}
- labels:
- app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
- helm.sh/chart: {{ include "ltb-passwd.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/name: {{ include "ltb-passwd.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/ltb-passwd/values.yaml b/charts/ltb-passwd/values.yaml
deleted file mode 100755
index be5e9a7..0000000
--- a/charts/ltb-passwd/values.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-# Default values for ltb-passwd.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: tiredofit/self-service-password
- tag: 5.3.1
- pullPolicy: Always
- pullSecrets: []
-
-
-nameOverride: ""
-fullnameOverride: ""
-
-service:
- type: ClusterIP
- port: 80
-
-## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
-ingress:
- enabled: false
- annotations: {}
- ## See https://kubernetes.io/docs/concepts/services-networking/ingress/#ingressclass-scope
- # ingressClassName: nginx
- path: /
- ## Ingress Host
- # hosts:
- # - ssl-ldap.local
- #
- tls: []
- # tls:
- # - secretName: ssl-ldap-dedicated-tls
- # hosts:
- # - ssl-ldap.local
-
-# -- Init containers to add to the pod
-## Note: Supports use of custom Helm templates
-initContainers: []
-
-# -- Additional volumeMounts to the application main container
-volumeMounts: []
-# - mountPath: /usr/local/bin/my_tool
-# name: xxxxxx
-# subPath: foo
-
-# -- Additional volumes to the application pod
-volumes: []
-# - name: xxxxx
-# emptyDir: {}
-resources: {}
-nodeSelector: {}
-tolerations: []
-affinity: {}
-ldap:
- custom:
- - name: TLS_REQCERT
- value: never
- # if you want to restrict search base tree for users instead of complete domain
- # searchBase: "ou=....,dc=mydomain,dc=com"
- # if you want to use a dedicated bindDN for the search with less permissions instead of cn=admin one
- # bindDN: "cn=....,dc=mydomain,dc=com"
- # if you want to use a specific key of the credentials secret instead of the default one (LDAP_ADMIN_PASSWORD)
- # passKey: LDAP_MY_KEY
-env:
-- name: SECRETKEY
- value: "password"
-- name: LDAP_LOGIN_ATTRIBUTE
- value: "cn"
-- name: LDAP_STARTTLS
- value: "false"
-- name: CHANGE_SSHKEY
- value: "true"
diff --git a/logo.png b/logo.png
deleted file mode 100644
index 63df8b7..0000000
Binary files a/logo.png and /dev/null differ
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
deleted file mode 100755
index 3ffe651..0000000
--- a/templates/NOTES.txt
+++ /dev/null
@@ -1,57 +0,0 @@
-** Please be patient while the chart is being deployed **
-
-OpenLDAP-Stack-HA has been installed. You can access the server from within the k8s cluster using:
-
- {{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }}
-
- Or
-
- {{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.sslLdapPort }}
-
-
-You can access the LDAP adminPassword and configPassword using:
-
- kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_ADMIN_PASSWORD}" | base64 --decode; echo
- kubectl get secret --namespace {{ .Release.Namespace }} {{ template "openldap.secretName" . }} -o jsonpath="{.data.LDAP_CONFIG_ADMIN_PASSWORD}" | base64 --decode; echo
-
-
-You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain):
- ldapsearch -x -H ldap://{{ template "openldap.fullname" . 
}}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
-
-
-{{- if .Values.phpldapadmin.enabled }}
-
-You can access PHPLdapAdmin, using
-{{- if .Values.phpldapadmin.ingress.enabled }}
- {{- range $host := .Values.phpldapadmin.ingress.hosts }}
- - http://{{ $host }}
- {{- end }}
-{{- else if contains "NodePort" .Values.phpldapadmin.service.type }}
- Get the NodePort using :
- kubectl get --namespace {{ .Release.Namespace }} svc
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- http://$NODE_IP:/
-{{- end }}
-
-{{- end }}
-
-
-{{- if index .Values "ltb-passwd" "enabled" }}
-
-You can access Self Service Password, using
-{{- if index .Values "ltb-passwd" "ingress" "enabled" }}
- {{- range $host := index .Values "ltb-passwd" "ingress" "hosts" }}
- - http://{{ $host }}
- {{- end }}
-{{- else if contains "NodePort" (index .Values "ltb-passwd" "service" "type") }}
- Get the NodePort using :
- kubectl get --namespace {{ .Release.Namespace }} svc
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- http://$NODE_IP:/
-{{- end }}
-{{- end }}
-
-Test server health using Helm test:
- helm test {{ .Release.Name }}
-
-Enjoy :)
\ No newline at end of file
diff --git a/templates/secret-ltb.yaml b/templates/secret-ltb.yaml
deleted file mode 100755
index b12b134..0000000
--- a/templates/secret-ltb.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{ if not .Values.global.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-ltb-passwd
- labels:
- app: {{ template "openldap.name" . }}
- chart: {{ template "openldap.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- if .Values.extraLabels }}
-{{ toYaml .Values.extraLabels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- LDAP_ADMIN_PASSWORD: {{ .Values.global.adminPassword | b64enc | quote }}
-{{ end }}
diff --git a/templates/tests/openldap-test-runner.yaml b/templates/tests/openldap-test-runner.yaml
deleted file mode 100755
index cfcaf21..0000000
--- a/templates/tests/openldap-test-runner.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.test.enabled -}}
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ template "openldap.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
- labels:
- app: {{ template "openldap.name" . }}
- chart: {{ template "openldap.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- if .Values.extraLabels }}
-{{ toYaml .Values.extraLabels | indent 4 }}
-{{- end }}
- annotations:
- "helm.sh/hook": test-success
-spec:
- initContainers:
- - name: test-framework
- image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
- command:
- - "bash"
- - "-c"
- - |
- set -ex
- # copy bats to tools dir
- cp -R /usr/local/libexec/ /tools/bats/
- volumeMounts:
- - mountPath: /tools
- name: tools
- containers:
- - name: {{ .Release.Name }}-test
- image: {{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}
- envFrom:
- - secretRef:
- name: {{ template "openldap.secretName" . }}
- command: ["/tools/bats/bats", "-t", "/tests/run.sh"]
- volumeMounts:
- - mountPath: /tests
- name: tests
- readOnly: true
- - mountPath: /tools
- name: tools
- volumes:
- - name: tests
- configMap:
- name: {{ template "openldap.fullname" . }}-tests
- - name: tools
- emptyDir: {}
- restartPolicy: Never
-{{- end -}}
diff --git a/templates/tests/openldap-tests.yaml b/templates/tests/openldap-tests.yaml
deleted file mode 100755
index 1cdeb80..0000000
--- a/templates/tests/openldap-tests.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if .Values.test.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "openldap.fullname" . }}-tests
- labels:
- app: {{ template "openldap.name" . }}
- chart: {{ template "openldap.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- if .Values.extraLabels }}
-{{ toYaml .Values.extraLabels | indent 4 }}
-{{- end }}
-data:
- run.sh: |-
- @test "Testing connecting to slapd server" {
- # Ideally, this should be in the docker image, but there is not a generic image we can use
- # with bats and ldap-utils installed. It is not worth for now to push an image for this.
- apt-get update && apt-get install -y ldap-utils
- ldapsearch -x -H ldap://{{ template "openldap.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ldapPort }} -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
- }
-{{- end -}}
diff --git a/values.yaml b/values.yaml
deleted file mode 100644
index 8836081..0000000
--- a/values.yaml
+++ /dev/null
@@ -1,563 +0,0 @@ -# Default values for openldap. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Global Docker image parameters -# Please, note that this will override the image parameters, including dependencies, configured to use the global value -# Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - #imagePullSecrets: [""] - ## ldapDomain , can be explicit (e.g dc=toto,c=ca) or domain based (e.g example.com) - ldapDomain: "example.org" - # Specifies an existing secret to be used for admin and config user passwords. The expected key are LDAP_ADMIN_PASSWORD and LDAP_CONFIG_ADMIN_PASSWORD. - # existingSecret: "" - ## Default Passwords to use, stored as a secret. Not used if existingSecret is set. - adminUser: "admin" - adminPassword: Not@SecurePassw0rd - configUserEnabled: true - configUser: "admin" - configPassword: Not@SecurePassw0rd - ldapPort: 389 - sslLdapPort: 636 - -## @section Common parameters - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname -## -fullnameOverride: "" -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param clusterDomain Kubernetes cluster domain name -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] - -replicaCount: 3 - -image: - # From repository https://hub.docker.com/r/bitnami/openldap/ - #repository: bitnami/openldap - #tag: 2.6.3 - # Temporary fix - repository: jpgouin/openldap - tag: 2.6.7-fix - pullPolicy: Always - pullSecrets: [] - -# 
Set the container log level
-# Valid log levels: none, error, warning, info (default), debug, trace
-logLevel: info
-
-initSchema:
- image:
- repository: debian
- tag: latest
- pullPolicy: Always
- pullSecrets: []
-
-extraLabels: {}
-
-service:
- annotations: {}
- ## If service type NodePort, define the value here
- #ldapPortNodePort:
- #sslLdapPortNodePort:
-
- # Disable if you do not want to expose port on service
- enableLdapPort: true
- enableSslLdapPort: true
-
- ## List of IP addresses at which the service is available
- ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
- ##
- externalIPs: []
-
- #loadBalancerIP:
- #loadBalancerSourceRanges: []
- type: ClusterIP
- sessionAffinity: None
-
-# Default configuration for openldap as environment variables. These get injected directly in the container.
-# Use the env variables from https://hub.docker.com/r/bitnami/openldap/
-# Be careful, do not modify the following values unless you know exactly what your are doing
-env:
- BITNAMI_DEBUG: "true"
- LDAP_LOGLEVEL: "256"
- LDAP_TLS_ENFORCE: "false"
- LDAPTLS_REQCERT: "never"
- LDAP_ENABLE_TLS: "yes"
- LDAP_SKIP_DEFAULT_TREE: "no"
-
-
-# Pod Disruption Budget for Stateful Set
-# Disabled by default, to ensure backwards compatibility
-pdb:
- enabled: false
- minAvailable: 1
- maxUnavailable: ""
-
-## User list to create (comma separated list) , can't be use with customLdifFiles
-## Default set by bitnami image
-# users: user01,user02
-
-## User password to create (comma separated list, one for each user)
-## Default set by bitnami image
-# userPasswords: bitnami1, bitnami2
-
-## Group to create and add list of user above
- ## Default set by bitnami image
-# group: readers
-
-# Custom openldap schema files used to be used in addition to default schemas
-# Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var
-# after chart default schemas, allowing you to control the loading sequence.
-# customSchemaFiles:
-# custom.ldif: |-
-# # custom schema
-# anothercustom.ldif: |-
-# # another custom schema
-
-## Existing configmap with custom ldif
-# Can't be use with customLdifFiles
-# Same format as customLdifFiles
-# customLdifCm: my-custom-ldif-cm
-
-# Custom openldap configuration files used to override default settings
-# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
-# customLdifFiles:
-# 00-root.ldif: |-
-# # Root creation
-# dn: dc=example,dc=org
-# objectClass: dcObject
-# objectClass: organization
-# o: Example, Inc
-# 01-default-group.ldif: |-
-# dn: cn=myGroup,dc=example,dc=org
-# cn: myGroup
-# gidnumber: 500
-# objectclass: posixGroup
-# objectclass: top
-# 02-default-user.ldif: |-
-# dn: cn=Jean Dupond,dc=example,dc=org
-# cn: Jean Dupond
-# gidnumber: 500
-# givenname: Jean
-# homedirectory: /home/users/jdupond
-# objectclass: inetOrgPerson
-# objectclass: posixAccount
-# objectclass: top
-# sn: Dupond
-# uid: jdupond
-# uidnumber: 1000
-# userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
-
-# Custom openldap ACLs
-# If not defined, the following default ACLs are applied:
-# customAcls: |-
-# dn: olcDatabase={2}mdb,cn=config
-# changetype: modify
-# replace: olcAccess
-# olcAccess: {0}to *
-# by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
-# by * break
-# olcAccess: {1}to attrs=userPassword,shadowLastChange
-# by self write
-# by dn="{{ include "global.bindDN" . }}" write
-# by anonymous auth by * none
-# olcAccess: {2}to *
-# by dn="{{ include "global.bindDN" . 
}}" write
-# by self read
-# by * none
-
-replication:
- enabled: true
- # Enter the name of your cluster, defaults to "cluster.local"
- clusterName: "cluster.local"
- retry: 60
- timeout: 1
- interval: 00:00:00:10
- starttls: "critical"
- tls_reqcert: "never"
-## Persist data to a persistent volume
-persistence:
- enabled: true
- ## database data Persistent Volume Storage Class
- ## If defined, storageClassName:
- ## If set to "-", storageClassName: "", which disables dynamic provisioning
- ## If undefined (the default) or set to null, no storageClassName spec is
- ## set, choosing the default provisioner. (gp2 on AWS, standard on
- ## GKE, AWS & OpenStack)
- ##
- # storageClass: "standard-singlewriter"
- # existingClaim: openldap-pvc
- accessModes:
- - ReadWriteOnce
- size: 8Gi
- storageClass: ""
-
-## @param customLivenessProbe Custom livenessProbe that overrides the default one
-##
-customLivenessProbe: {}
-## @param customReadinessProbe Custom readinessProbe that overrides the default one
-##
-customReadinessProbe: {}
-## @param customStartupProbe Custom startupProbe that overrides the default one
-##
-customStartupProbe: {}
-## OPENLDAP resource requests and limits
-## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-## @param resources.limits The resources limits for the OPENLDAP containers
-## @param resources.requests The requested resources for the OPENLDAP containers
-##
-resources:
- limits: {}
- requests: {}
-## Configure Pods Security Context
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-## @param podSecurityContext.enabled Enabled OPENLDAP pods' Security Context
-## @param podSecurityContext.fsGroup Set OPENLDAP pod's Security Context fsGroup
-##
-podSecurityContext:
- enabled: true
- fsGroup: 1001
-## Configure Container Security Context
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-## 
@param containerSecurityContext.enabled Enabled OPENLDAP containers' Security Context -## @param containerSecurityContext.runAsUser Set OPENLDAP containers' Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set OPENLDAP containers' Security Context runAsNonRoot -## -containerSecurityContext: - enabled: false - runAsUser: 1001 - runAsNonRoot: true - -## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for OPENLDAP -## -existingConfigmap: -## @param command Override default container command (useful when using custom images) -## -command: [] -## @param args Override default container args (useful when using custom images) -## -args: [] -## @param hostAliases OPENLDAP pods host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param podLabels Extra labels for OPENLDAP pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @param podAnnotations Annotations for OPENLDAP pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set - ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for OPENLDAP pods assignment -## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set -## -affinity: {} -## @param nodeSelector Node labels for OPENLDAP pods assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} -## @param tolerations Tolerations for OPENLDAP pods assignment -## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param updateStrategy.type OPENLDAP statefulset strategy type -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete - ## - type: RollingUpdate -## @param priorityClassName OPENLDAP pods' priorityClassName -## -priorityClassName: "" -## @param schedulerName Name of the k8s scheduler (other than default) for OPENLDAP pods -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param lifecycleHooks for the OPENLDAP container(s) to automate configuration before or after startup -## -lifecycleHooks: {} -## @param extraEnvVars Array with extra environment variables to add to OPENLDAP nodes -## e.g: -## extraEnvVars: -## - name: FOO -## value: "bar" -## -extraEnvVars: [] -## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for OPENLDAP nodes -## -extraEnvVarsCM: -## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for 
OPENLDAP nodes -## -extraEnvVarsSecret: -## @param extraVolumes Optionally specify extra list of additional volumes for the OPENLDAP pod(s) -## -extraVolumes: [] -## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the OPENLDAP container(s) -## -extraVolumeMounts: [] -## @param sidecars Add additional sidecar containers to the OPENLDAP pod(s) -## e.g: -## sidecars: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -sidecars: {} -## @param initContainers Add additional init containers to the OPENLDAP pod(s) -## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ -## e.g: -## initContainers: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## command: ['sh', '-c', 'echo "hello world"'] -## -initContainers: {} - -## Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for Apache pod - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template
- ##
- name: ""
- ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
- ## Can be set to false if pods using this serviceAccount do not need to use K8s API
- ##
- automountServiceAccountToken: false
- ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
- ##
- annotations: {}
-
-## @section Init Container Parameters
-
-## 'initTlsSecret' init container parameters
-## need a secret with tls.crt, tls.key and ca.crt keys with associated files
-## based on the *containerSecurityContext parameters
-##
-initTLSSecret:
- tls_enabled: false
- ## openssl image
- ## @param initTlsSecret.image.registry openssl image registry
- ## @param initTlsSecret.image.repository openssl image name
- ## @param initTlsSecret.image.tag openssl image tag
- ##
- image:
- registry: docker.io
- repository: alpine/openssl
- tag: latest
- ## @param image.pullPolicy openssl image pull policy
- ## Specify a imagePullPolicy
- ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
- ##
- pullPolicy: IfNotPresent
- # The name of a kubernetes.io/tls type secret to use for TLS
- secret: ""
- ## init-tls-secret container's resource requests and limits
- ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- ## @param initTlsSecret.resources.limits The resources limits for the init container
- ## @param initTlsSecret.resources.requests The requested resources for the init container
- ##
- resources:
- ## Example:
- ## limits:
- ## cpu: 500m
- ## memory: 1Gi
- limits: {}
- requests: {}
-
-## 'volumePermissions' init container parameters
-## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
-## based on the *podSecurityContext/*containerSecurityContext parameters
-##
-volumePermissions:
- ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
- ##
- enabled: false
- ## Bitnami Shell image
- ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/
- ## @param volumePermissions.image.registry Bitnami Shell image registry
- ## @param volumePermissions.image.repository Bitnami Shell image repository
- ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended)
- ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy
- ##
- image:
- registry: docker.io
- repository: bitnami/bitnami-shell
- tag: 10-debian-10
- pullPolicy: IfNotPresent
-
- ## Command to execute during the volumePermission startup
- command: [ 'sh', '-c', 'chmod -R g+rwX /bitnami' ]
- ## command: {}
- ## Init container's resource requests and limits
- ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- ## @param volumePermissions.resources.limits The resources limits for the init container
- ## @param volumePermissions.resources.requests The requested resources for the init container
- ##
- resources:
- ## Example:
- ## limits:
- ## cpu: 500m
- ## memory: 1Gi
- limits: {}
- requests: {}
-
-## 'updateReplication' init container parameters
-## based on the *global.existingSecret/*containerSecurityContext parameters
-##
-updateReplication:
- ## Init container's resource requests and limits
- ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
- ## @param volumePermissions.resources.limits The resources limits for the init container
- ## @param volumePermissions.resources.requests The requested resources for the init container
- ##
- resources:
- ## Example:
- ## limits:
- ## cpu: 500m
- ## memory: 1Gi
- limits: {}
- requests: {}
-
-
-## Configure extra options for liveness, readiness, and startup probes
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
-livenessProbe:
- enabled: true
- initialDelaySeconds: 20
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 10
-readinessProbe:
- enabled: true
- initialDelaySeconds: 20
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 10
-startupProbe:
- enabled: true
- initialDelaySeconds: 0
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 30
-
-## test container details
-test:
- enabled: false
- image:
- repository: dduportal/bats
- tag: 0.4.0
-
-## ltb-passwd
-# For more parameters check following file: ./charts/ltb-passwd/values.yaml
-ltb-passwd:
- enabled : true
- image:
- tag: 5.2.3
- ingress:
- enabled: true
- annotations: {}
- # See https://kubernetes.io/docs/concepts/services-networking/ingress/#ingressclass-scope
- # ingressClassName: nginx
- path: /
- pathType: Prefix
- ## Ingress Host
- hosts:
- - "ssl-ldap2.example"
- ## Ingress cert
- tls: []
- # - secretName: ssl-ldap2.example
- # hosts:
- # - ssl-ldap2.example
- # ldap:
- # if you want to restrict search base tree for users instead of complete domain
- # searchBase: "ou=....,dc=mydomain,dc=com"
- # if you want to use a dedicated bindDN for the search with less permissions instead of cn=admin one
- # bindDN: "cn=....,dc=mydomain,dc=com"
- # if you want to use a specific key of the credentials secret instead of the default one (LDAP_ADMIN_PASSWORD)
- # passKey: LDAP_MY_KEY
-
-## phpldapadmin
-## For more parameters check following file: ./charts/phpldapadmin/values.yaml
-phpldapadmin:
- enabled: true
- image:
- tag: 0.9.0
- env:
- PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never"
- ingress:
- enabled: true
- annotations: {}
- ## See https://kubernetes.io/docs/concepts/services-networking/ingress/#ingressclass-scope
- # ingressClassName: nginx
- path: /
- pathType: Prefix
- ## Ingress Host
- hosts:
- - phpldapadmin.example
- ## Ingress cert
- tls: []
- # - secretName: phpldapadmin.example
- # hosts:
- # - phpldapadmin.example