Enable setting the CA for replication.

README.md

@@ -84,6 +84,7 @@ Parameters related to the configuration of the application.
 | `replication.timeout`       | timeout for replication  in sec                                                                                                                                  | `1`                 |
 | `replication.starttls`      | starttls replication                                                                                                                                             | `critical`          |
 | `replication.tls_reqcert`   | tls certificate validation for replication                                                                                                                       | `never`             |
+| `replication.tls_cacert`    | Specifies the file that contains certificates for all Certificate Authorities used in replication.                                                                | `nil`               |
 | `replication.interval`      | interval for replication                                                                                                                                         | `00:00:00:10`       |
 | `replication.clusterName`   | Set the clustername for replication                                                                                                                              | "cluster.local"     |
 

templates/_helpers.tpl

@@ -63,6 +63,12 @@ Generate olcServerID list
   {{- end -}}
 {{- end -}}
 
+{{- define "openldap.replication.tls_cacert" -}}
+{{- if .Values.replication.tls_cacert -}}
+{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Generate olcSyncRepl list
 */}}
@@ -76,10 +82,11 @@ Generate olcSyncRepl list
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
 {{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $nodeCount := .Values.replicaCount | int }}
   {{- range $index0 := until $nodeCount }}
     {{- $index1 := $index0 | add1 }}
-    olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }}
+    olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
   {{- end -}}
 {{- end -}}
 
@@ -97,6 +104,7 @@ Generate olcSyncRepl list
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
 {{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $interval := .Values.replication.interval }}
 {{- $nodeCount := .Values.replicaCount | int }}
   {{- range $index0 := until $nodeCount }}
@@ -115,6 +123,7 @@ Generate olcSyncRepl list
       timeout={{ $timeout }}
       starttls={{ $starttls }}
       tls_reqcert={{ $tls_reqcert }}
+      {{ $tls_cacert }}
   {{- end -}}
 {{- end -}}
 

values.yaml

@@ -238,6 +238,7 @@ replication:
   interval: 00:00:00:10
   starttls: "critical"
   tls_reqcert: "never"
+  # tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
 ## Persist data to a persistent volume
 persistence:
   enabled: true