diff --git a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
index 570b600..3cb6d57 100644
--- a/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
+++ b/.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml
@@ -77,7 +77,7 @@ jobs:
 - branch_meta
 - create_branch_identifier
 - wait_for_helm_chart_to_get_published
- uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5
+ uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@SPSH-1044
 with:
 dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }}
 schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }}
diff --git a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml
index eb91457..74c8d90 100644
--- a/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml
+++ b/charts/dbildungs-iam-ldap/templates/configmap-config-script.yaml
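Review bot: The deploy job now follows a mutable feature-branch ref of another repository's reusable workflow, `deploy.yml@SPSH-1044`, so whoever can push to that branch controls what this push- and schedule-triggered pipeline deploys, and the ref stops resolving once the branch is deleted after merge. The previous `@5` was presumably a release tag; before this lands on the default branch pin it back to a tag or, better, a full commit SHA, e.g. `uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@<commit-sha>`. If the branch ref is only meant for testing this ticket, a comment next to the line saying so makes the intended revert obvious.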
@@ -21,29 +21,46 @@ data: ldapmodify -Y EXTERNAL -H ldapi:/// -f /ldap-configuration/modify/modify.ldif # no sure why this sleep is needed again - but it is sleep 10 - # /bin/bash /script/02.sh - # ldapapply -Y EXTERNAL -H ldapi:/// -f /script/ucsmail.ldif + + # Loading Schemas + if ! (ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)"); then + ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/ucsmail.ldif + else + echo "Entry for ucsMail Schema already exists. Nothing to add." + fi + + # Adding Config Users + /bin/bash /script/02.sh /ldap-configuration/apply/apply.ldif true + # Adding other Configs + # /bin/bash /script/02.sh /ldap-configuration/extra/apply.ldif false + # /bin/bash /script/02.sh /ldap-configuration/extra/modify.ldif true + + # this script is needed so that Helm Chart is stable if persistence is enabled # it applies changes if they are new, but modifies them if they already exist 02.sh: | - LDIF_FILE="/ldap-configuration/apply/apply.ldif" + LDIF_FILE="$1" + OVERWRITE="${2:-false}" - # Function to process each entry process_entry() { local entry_dn="$1" local entry_ldif="$2" # Check if entry exists - ldapsearch -Y External -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1 + ldapsearch -Y EXTERNAL -H ldapi:/// -b "$entry_dn" -s base -LLL dn > /dev/null 2>&1 if [ $? 
-eq 0 ]; then - echo "Entry already exists: $entry_dn, updating entry by running ldapmodify" - echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y External -H ldapi:/// + if [ "$OVERWRITE" = true ]; then + echo "Entry already exists: $entry_dn, updating entry by running ldapmodify" + echo "$entry_ldif" | sed 's/^dn: .*/changetype: modify/' | ldapmodify -Y EXTERNAL -H ldapi:/// + else + echo "Entry already exists: $entry_dn, skipping ldapmodify" + fi else echo "Entry does not exist, adding entry: $entry_dn" - echo "$entry_ldif" | ldapadd -Y External -H ldapi:/// + echo "$entry_ldif" | ldapadd -Y EXTERNAL -H ldapi:/// fi } diff --git a/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml deleted file mode 100644 index 10dd560..0000000 --- a/charts/dbildungs-iam-ldap/templates/configmap-customfiles.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- range .Values.customFileSets }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "openldap.fullname" $ }}-fs-{{ .name }} - labels: - app: {{ template "openldap.name" $ }} - chart: {{ template "openldap.chart" $ }} - release: {{ $.Release.Name }} - heritage: {{ $.Release.Service }} -{{- if $.Values.extraLabels }} -{{ toYaml $.Values.extraLabels | indent 4 }} -{{- end }} -data: -{{- range .files }} -{{ .filename | indent 2}}: | -{{ .content | indent 4 }} -{{- end}} ---- -{{- end }} diff --git a/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml b/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml index e971be5..8f17e8e 100644 --- a/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml +++ b/charts/dbildungs-iam-ldap/templates/configmap-customschema.yaml @@ -1,6 +1,6 @@ # # A ConfigMap spec for openldap slapd that map directly to files under -# /opt/bitnami/openldap/etc/schema/custom +# /opt/bitnami/openldap/etc/schema/ # {{- if .Values.customSchemaFiles }} apiVersion: v1 
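Review bot: The new schema guard in 01.sh, `if ! (ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "(cn=*ucsMail)"); then`, tests the exit status of ldapsearch, but a search that succeeds with zero matching entries still exits 0, so on a fresh install the `else` branch ("already exists") is taken and the ucsmail schema is never loaded; the existence check in 02.sh works only because it uses `-s base` on the entry DN, which fails with "No such object" when the entry is absent. Test the output instead, e.g. `if ! ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" -LLL "(cn=*ucsMail)" dn | grep -q '^dn:'; then`. In 02.sh, `LDIF_FILE="$1"` accepts the new positional argument without validating it; a `: "${1:?usage: 02.sh LDIF_FILE [OVERWRITE]}"` before it turns a missing argument into a clear error rather than a later failure on an empty path. The `sed 's/^dn: .*/changetype: modify/'` on the OVERWRITE path replaces the dn line rather than inserting after it, so unless the caller re-adds the dn, ldapmodify receives a record without one — worth verifying against the loop that calls process_entry, which lies after this hunk; the 01.sh script itself begins before it.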
diff --git a/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml
new file mode 100644
index 0000000..27ab8de
--- /dev/null
+++ b/charts/dbildungs-iam-ldap/templates/configmap-extraldif.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "openldap.fullname" $ }}-extraldif
+ labels:
+ app: {{ template "openldap.name" $ }}
+ chart: {{ template "openldap.chart" $ }}
+ release: {{ $.Release.Name }}
+ heritage: {{ $.Release.Service }}
+{{- if $.Values.extraLabels }}
+{{ toYaml $.Values.extraLabels | indent 4 }}
+{{- end }}
+data:
+ apply.ldif: |-
+ dn: cn=lehrer,dc=schule-sh,dc=de
+ cn: lehrer
+ objectclass: groupOfUniqueNames
+ objectclass: top
+
+ dn: cn=schueler,dc=schule-sh,dc=de
+ cn: schueler
+ objectclass: groupOfUniqueNames
+ objectclass: top
+
+ dn: ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+ objectclass: organizationalUnit
+ objectclass: top
+ ou: oeffentlicheSchulen
+
+ dn: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+ uid: mmusterschueler
+ cn: mmusterschueler
+ givenname: Moritz
+ objectclass: inetOrgPerson
+ objectclass: univentionMail
+ mailPrimaryAddress: moritz.muster-schueler@schule-sh.de
+ mailAlternativeAddress: moritz.muster-schueler@schule-sh.de
+ objectclass: top
+ sn: Muster-Schueler
+
+ dn: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+ uid: ssuperadmin
+ cn: ssuperadmin
+ givenname: Susi
+ objectclass: inetOrgPerson
+ objectclass: univentionMail
+ mailPrimaryAddress: susi.superadmin@schule-sh.de
+ mailAlternativeAddress: susi.superadmin@schule-sh.de
+ objectclass: top
+ sn: Superadmin
+
+ modify.ldif: |-
+ # Group members
+ dn: cn=lehrer,dc=schule-sh,dc=de
+ add: uniquemember
+ uniquemember: cn=ssuperadmin,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
+
+ dn: cn=schueler,dc=schule-sh,dc=de
+ add: uniquemember
+ uniquemember: cn=mmusterschueler,ou=oeffentlicheSchulen,dc=schule-sh,dc=de
\ No newline at end of file
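Review bot: This ConfigMap bakes fixed demo identities (`mmusterschueler`, `ssuperadmin`, the `dc=schule-sh,dc=de` base) into the chart template with no `{{- if }}` guard and no values hook, so every release of the chart, production included, ships and mounts these accounts and group memberships. The chart's other custom LDIF data is driven from values.yaml (`customLdifFiles`), and these entries belong there too, or at least behind a values toggle, so a deployment can opt out. Note that the two `02.sh ... /ldap-configuration/extra/...` invocations this commit adds to 01.sh are commented out, so right now the data is mounted but never applied; if that is intentional for this ticket, a header comment in the template stating that these are sample objects for test environments and are not yet applied would save the next reader the search.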
diff --git a/charts/dbildungs-iam-ldap/templates/statefulset.yaml b/charts/dbildungs-iam-ldap/templates/statefulset.yaml
index 1f741ad..f39869d 100644
--- a/charts/dbildungs-iam-ldap/templates/statefulset.yaml
+++ b/charts/dbildungs-iam-ldap/templates/statefulset.yaml
@@ -65,7 +65,6 @@ spec:
 fi
 cp /tmp-init-scripts/01.sh /script/01.sh &&
 cp /tmp-init-scripts/02.sh /script/02.sh &&
- # cp /tmp-init-scripts/ucsmail.ldif /opt/bitnami/openldap/etc/schema/ucsmail.ldif
 chmod +x /script/01.sh
 chmod +x /script/02.sh
 {{- if .Values.global.existingSecret }}
@@ -87,6 +86,8 @@ spec:
 mountPath: /ldap-configuration/apply/
 - name: ldap-configuration-modify
 mountPath: /ldap-configuration/modify/
+ - name: ldap-configuration-extra
+ mountPath: /ldap-configuration/extra/
 {{- if .Values.customSchemaFiles }}
 {{- range $file := (include "openldap.customSchemaFiles" . | split ",") }}
 - name: cm-custom-schema-files
@@ -264,6 +265,8 @@ spec:
 mountPath: /ldap-configuration/apply
 - name: ldap-configuration-modify
 mountPath: /ldap-configuration/modify
+ - name: ldap-configuration-extra
+ mountPath: /ldap-configuration/extra
 - name: certs
 mountPath: /opt/bitnami/openldap/certs
 {{- range $file := (include "openldap.builtinSchemaFiles" . | split ",") }}
@@ -282,14 +285,6 @@ spec:
 - name: custom-ldif-files
 mountPath: /ldifs/
 {{- end }}
-{{- range .Values.customFileSets }}
-{{- $fs := . }}
-{{- range .files }}
- - name: {{ $fs.name }}
- mountPath: {{ $fs.targetPath }}/{{ .filename }}
- subPath: {{ .filename }}
-{{- end }}
-{{- end }}
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
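Review bot: Dropping the `customFileSets` mounts here (and the matching volumes in the following hunk, together with the deleted configmap-customfiles.yaml) means a values file that still sets `customFileSets` is now silently ignored rather than rejected; the values.yaml hunk in this diff neither removes nor mentions the key, so if it is still declared there the chart accepts it and does nothing. A guard such as `{{- if .Values.customFileSets }}{{ fail "customFileSets has been removed; use customLdifFiles or extraVolumes/extraVolumeMounts" }}{{- end }}` near the top of the template, or at least a note in values.yaml, makes the removal visible to chart users. The new `ldap-configuration-extra` mounts in the two earlier hunks mirror the apply/modify mounts and raise no concern on their own.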
@@ -317,6 +312,10 @@ spec:
 secret:
 # could make the secret name variable
 secretName: dbildungs-iam-ldap-config-modify
+ - name: ldap-configuration-extra
+ configMap:
+ # could make the secret name variable
+ name: {{ template "openldap.fullname" $ }}-extraldif
 - name: cm-replication
 configMap:
 name: {{ template "openldap.fullname" . }}-replication
@@ -358,11 +357,6 @@ spec:
 - name: secret-certs
 emptyDir:
 medium: Memory
-{{- end }}
-{{- range .Values.customFileSets }}
- - name: {{ .name }}
- configMap:
- name: {{ template "openldap.fullname" $ }}-fs-{{ .name }}
 {{- end }}
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
diff --git a/charts/dbildungs-iam-ldap/values.yaml b/charts/dbildungs-iam-ldap/values.yaml
index 244d021..21cde16 100644
--- a/charts/dbildungs-iam-ldap/values.yaml
+++ b/charts/dbildungs-iam-ldap/values.yaml
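Review bot: The comment `# could make the secret name variable` copied under the new `ldap-configuration-extra` volume is wrong for this entry, which is a `configMap`, not a `secret`; change it to `# could make the configmap name variable` or drop it. Worth a second look: the neighbouring apply/modify LDIF volumes are backed by Secrets (`secretName: dbildungs-iam-ldap-config-modify`) while the new extra LDIF is a plain ConfigMap, which is acceptable for the sample entries it presumably holds today but should follow the siblings if real account data ever moves into it.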
@@ -110,12 +110,14 @@ customSchemaFiles: olcObjectClasses: ( 1.3.6.1.4.1.10176.1010.2.1 NAME 'univentionMail' DESC 'Univention Mail Preferences' SUP top AUXILIARY MUST uid MAY ( univentionMailHomeServer $ mailPrimaryAddress $ mailAlternativeAddress $ mailGlobalSpamFolder $ univentionMailUserQuota $ mailForwardAddress $ mailForwardCopyToSelf ) ) # anothercustom.ldif: |- # # another custom schema +# # adjust the configuration script configmap-config-script to make sure schema is always loaded # Custom openldap configuration files used to override default settings # can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required # DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles -# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret +# Files that change the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the dbildungs-iam-ldap-configuration secret +# Only considered once in the initial setup customLdifFiles: 00-root.ldif: |- dn: dc=schule-sh,dc=de
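Review bot: The rewritten comment line still carries a second typo, `hendled`, right next to the `chage` the commit fixes; since the line is already being touched, make it `# Files that change the general config or create ACL are not allowed here, insufficient permissions, they get handled via the dbildungs-iam-ldap-configuration secret`. The added `# Only considered once in the initial setup` would read more precisely as `# Only applied once, during the initial setup; later edits to these files are not re-applied`, if that is indeed the behaviour for files under customLdifFiles.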