Merge pull request #84 from jp-gouin/bitnami

Bitnami

.bin/myval.yaml

@@ -14,8 +14,17 @@ phpldapadmin:
     - "phpldapadmin.example"
 customTLS:
   enabled: true
-  secret: "custom-cert"
+  image:
+    repository: alpine/openssl
+    tag: latest
+  secret: "custom-cert" 
 customLdifFiles:
+  00-root.ldif: |-
+    # Root creation
+    dn: dc=example,dc=org
+    objectClass: dcObject
+    objectClass: organization
+    o: Example, Inc
   01-default-group.ldif: |-
     dn: cn=myGroup,dc=example,dc=org
     cn: myGroup

.github/workflows/ci.yml

@@ -6,6 +6,7 @@ on:
   pull_request:
     branches:
       - "master"
+      - "bitnami"
 jobs:
   qualif:
       runs-on: ubuntu-latest
@@ -33,8 +34,7 @@ jobs:
         run: |
           openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
           cp tls.crt ca.crt
-          openssl dhparam -out dhparam.pem 2048
-          kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./dhparam.pem --from-file=./ca.crt
+          kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
       - name: deploy openldap-stack-ha
         shell: bash
         run: |

.gitignore

@@ -1 +1,3 @@
-myValues.yaml
+myValues.yaml
+ignore/*
+ignore

Chart.yaml

@@ -13,8 +13,8 @@ dependencies:
       - bitnami-common
     version: 1.x.x
 home: https://www.openldap.org
-version: 3.0.2
-appVersion: 2.4.57
+version: 4.0.0
+appVersion: 2.6.3
 description: Community developed LDAP software
 icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png
 keywords:
@@ -27,4 +27,4 @@ sources:
 maintainers:
   - name: Jean-Philippe Gouin
     email: [email protected]
-engine: gotpl
+engine: gotpl

README.md

@@ -1,8 +1,28 @@
 [![build](https://github.com/jp-gouin/helm-openldap/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/jp-gouin/helm-openldap/actions/workflows/ci.yml)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/helm-openldap)](https://artifacthub.io/packages/search?repo=helm-openldap)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/apache/apisix/blob/master/LICENSE)
+![Version](https://img.shields.io/static/v1?label=Openldap&message=2.6.3&color=blue) 
 
 # OpenLDAP Helm Chart
+## Disclaimer
+This version now use the [Bitnami Openldap](https://hub.docker.com/r/bitnami/openldap) container image.
+
+More detail on the container image can be found [here](https://github.com/bitnami/containers/tree/main/bitnami/openldap)
+
+There are some major changes between the Osixia version and the Bitnami version , ergo the major gap of the chart version.
+
+- Upgrade may not work fine between `3.x` and `4.x`
+- Ldap and Ldaps port are non privileged ports (`1389` and `1636`)
+- Replication is now purely setup by configuration
+Extra schemas are loaded using `LDAP_EXTRA_SCHEMAS: "cosine,inetorgperson,nis,syncprov,serverid,csyncprov,rep,bsyncprov,brep"`
+  - For now this list is harcoded and will be configurable in a future update.
+  - (let me know if you need this feature priorityzed)
+
+A default tree (Root organisation, users and group) is created during startup, this can be skipped using `LDAP_SKIP_DEFAULT_TREE` , however you need to use `customLdifFiles` to create a root organisation.
+
+- This will be improved in a future update.
+
+Self service password is not fully working with this new version, troubleshooting is in progress and will be working in the next update.
 
 ## Prerequisites Details
 * Kubernetes 1.8+
@@ -24,9 +44,11 @@ $ helm repo add helm-openldap https://jp-gouin.github.io/helm-openldap/
 $ helm install my-release helm-openldap/openldap-stack-ha
 ```
 
+
+
 ## Configuration
 
-We use the docker images provided by https://github.com/osixia/docker-openldap. The docker image is highly configurable and well documented. Please consult to documentation for the docker image for more information.
+We use the docker images provided by https://github.com/bitnami/containers/tree/main/bitnami/openldap. The docker image is highly configurable and well documented. Please consult to documentation for the docker image for more information.
 
 The following table lists the configurable parameters of the openldap chart and their default values.
 
@@ -42,6 +64,8 @@ Global parameters to configure the deployment of the application.
 | `global.ldapDomain`                     | Domain LDAP                                                                                                                         | `example.org`                 |
 | `global.adminPassword`                     | Administration password of Openldap                                                                                                                        | `Not@SecurePassw0rd`                 |
 | `global.configPassword`                     | Configuration password of Openldap                                                                                                                        | `Not@SecurePassw0rd`                 |
+| `global.ldapPort`                     | Ldap port                                                                                                                         | `1389`                 |
+| `global.sslLdapPort`                     | Ldaps port                                                                                                                         | `1636`                 |
 
 ### Application parameters
 
@@ -50,11 +74,13 @@ Parameters related to the configuration of the application.
 | Parameter                          | Description                                                                                                                               | Default             |
 | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
 | `replicaCount`                     | Number of replicas                                                                                                                        | `3`                 |
-| `env`                              | List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones | `[see values.yaml]` |
+| `users`          | User list to create (comma separated list) , can't be use with customLdifFiles | "" |
+| `userPasswords`          | User password to create (comma seprated list)  | "" |
+| `group`          | Group to create and add list of user above | "" |
+| `env`                              | List of key value pairs as env variables to be sent to the docker image. See https://github.com/bitnami/containers/tree/main/bitnami/openldap for available ones | `[see values.yaml]` |
 | `logLevel`                         | Set the container log level. Valid values: `none`, `error`, `warning`, `info`, `debug`, `trace`                                           | `info`              |
 | `customTLS.enabled`                      | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret`                                                                                    | `false`             |
-| `customTLS.secret`                       | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt (if tls.CA.enabled: true)                                                                       | `""`                |
-| `customTLS.CA.enabled`                   | Set to enable custom CA crt file                                                                         | `false`
+| `customTLS.secret`                       | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt                                                                       | `""`                |
 | `replication.enabled`              | Enable the multi-master replication | `true` |
 | `replication.retry`              | retry period for replication in sec | `60` |
 | `replication.timeout`              | timeout for replication  in sec| `1` |
@@ -97,11 +123,9 @@ Parameters related to Kubernetes.
 | `extraDeploy`                   | extraDeploy Array of extra objects to deploy with the release                                                                                | `""`                |
 | `service.annotations`              | Annotations to add to the service                                                                                                         | `{}`                |
 | `service.externalIPs`              | Service external IP addresses                                                                                                             | `[]`                |
-| `service.ldapPort`                 | External service port for LDAP                                                                                                            | `389`               |
 | `service.ldapPortNodePort`                 | Nodeport of External service port for LDAP if service.type is NodePort                                                                                                            | `nil`               |
 | `service.loadBalancerIP`           | IP address to assign to load balancer (if supported)                                                                                      | `""`                |
 | `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported)                                                                           | `[]`                |
-| `service.sslLdapPort`              | External service port for SSL+LDAP                                                                                                        | `636`               |
 | `service.sslLdapPortNodePort`                 | Nodeport of External service port for SSL if service.type is NodePort                                                                                                            | `nil`               |
 | `service.type`                     | Service type can be ClusterIP, NodePort, LoadBalancer                                                                                                                              | `ClusterIP`         |
 | `persistence.enabled`              | Whether to use PersistentVolumes or not                                                                                                   | `false`             |
@@ -207,17 +231,13 @@ $ kubectl delete pvc -l release=${RELEASE-NAME}
 
 ## Troubleshoot
 
-You can increase the level of log using 'logLevel'
+You can increase the level of log using `env.LDAP_LOGLEVEL`
 
-```
-# Set the container log level
-# Valid log levels: none, error, warning, info (default), debug, trace
-logLevel: info
-```
+Valid log levels can be found [here](https://www.openldap.org/doc/admin24/slapdconfig.html)
 
 ### Boostrap custom ldif
 
-**Warning** when using custom ldif in the `customLdifFiles:` section you do not have to and shouldn't create the high level object `organization` or the `admin` user such as : 
+**Warning** when using custom ldif in the `customLdifFiles:` section you  have to create the high level object `organization` or the `admin` user such as :
 
 ```
 dn: dc=test,dc=example
@@ -236,20 +256,29 @@ objectclass: top
 userpassword: foo
 ```
 
-This will result with the following error : 
-```
-***  ERROR  | 2021-11-21 08:53:38 | /container/run/startup/slapd failed with status 68
-Already exist
-```
-And the rest of your custom file will be skipped.
-
-All internal configuration like `cn=config` , `cn=module{0},cn=config` should be avoided as well.
+All internal configuration like `cn=config` , `cn=module{0},cn=config` cannot be configured yet.
 
 ## Changelog/Updating
 
+### To 4.0.0
+
+This major update switch the base image from [Osixia](https://github.com/osixia/docker-openldap) to [Bitnami Openldap](https://github.com/bitnami/containers/tree/main/bitnami/openldap)
+
+- Upgrade may not work fine between `3.x` and `4.x`
+- Ldap and Ldaps port are non privileged ports (`1389` and `1636`)
+- Replication is now purely setup by configuration
+- Extra schema cannot be added/modified
+
+A default tree (Root organisation, users and group) is created during startup, this can be skipped using `LDAP_SKIP_DEFAULT_TREE` , however you need to use `customLdifFiles` to create a root organisation.
+
+- This will be improved in a future update.
+
+Self service password is not fully working with this new version, troubleshooting is in progress and will be working in the next update.
+
 ### To 3.0.0
 
-This major update of the chart enable new feature for the deployment such as : 
+This major update of the chart enable new feature for the deployment such as :
+
 - supporting initcontainer
 - supporting sidecar
 - use global parameters to ease the configuration of the app

charts/ltb-passwd/templates/deployment.yaml

@@ -23,7 +23,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
           - name: LDAP_SERVER
-            value: ldaps://{{ include "global.server" . }}
+            value: ldaps://{{ include "global.server" . }}:{{ .Values.global.sslLdapPort }}
           - name: LDAP_BINDDN
             value: {{ include "global.bindDN" . }}
           - name: LDAP_BINDPASS

charts/phpldapadmin/templates/configmap.yaml

@@ -12,4 +12,4 @@ metadata:
 {{- end }}
 data:
 {{ toYaml .Values.env | indent 2 }}
-  PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{ '{{ template "global.server" . }}'  : [{'server': [{'tls': True},{'port':389}]},{'login': [{'bind_id': '{{ template "global.bindDN" . }}'  }]}]}]"
+  PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{ '{{ template "global.server" . }}'  : [{'server': [{'tls': True},{'port':{{ .Values.global.ldapPort }}}]},{'login': [{'bind_id': '{{ template "global.bindDN" . }}'  }]}]}]"

templates/_helpers.tpl

@@ -48,19 +48,74 @@ Generate chart secret name
 {{- define "openldap.secretName" -}}
 {{ default (include "openldap.fullname" .) .Values.existingSecret }}
 {{- end -}}
+
 {{/*
-Generate replication services list
+Generate olcServerID list
 */}}
-{{- define "replicalist" -}}
+{{- define "olcServerIDs" }}
 {{- $name := (include "openldap.fullname" .) }}
 {{- $namespace := .Release.Namespace }}
 {{- $cluster := .Values.replication.clusterName }}
 {{- $nodeCount := .Values.replicaCount | int }}
-  {{- range $index0 := until $nodeCount -}}
-    {{- $index1 := $index0 | add1 -}}
-'ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}'{{ if ne $index1 $nodeCount }},{{ end }}
+  {{- range $index0 := until $nodeCount }}
+    {{- $index1 := $index0 | add1 }}
+    olcServerID: {{ $index1 }} ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389
   {{- end -}}
 {{- end -}}
+
+{{/*
+Generate olcSyncRepl list
+*/}}
+{{- define "olcSyncRepls" -}}
+{{- $name := (include "openldap.fullname" .) }}
+{{- $namespace := .Release.Namespace }}
+{{- $cluster := .Values.replication.clusterName }}
+{{- $configPassword := .Values.global.configPassword }}
+{{- $retry := .Values.replication.retry }}
+{{- $timeout := .Values.replication.timeout }}
+{{- $starttls := .Values.replication.starttls }}
+{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $nodeCount := .Values.replicaCount | int }}
+  {{- range $index0 := until $nodeCount }}
+    {{- $index1 := $index0 | add1 }}
+    olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn=admin,cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Generate olcSyncRepl list
+*/}}
+{{- define "olcSyncRepls2" -}}
+{{- $name := (include "openldap.fullname" .) }}
+{{- $domain := (include "global.baseDomain" .) }}
+{{- $namespace := .Release.Namespace }}
+{{- $cluster := .Values.replication.clusterName }}
+{{- $configPassword := .Values.global.configPassword }}
+{{- $retry := .Values.replication.retry }}
+{{- $timeout := .Values.replication.timeout }}
+{{- $starttls := .Values.replication.starttls }}
+{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $interval := .Values.replication.interval }}
+{{- $nodeCount := .Values.replicaCount | int }}
+  {{- range $index0 := until $nodeCount }}
+    {{- $index1 := $index0 | add1 }}
+    olcSyncrepl:
+      rid=10{{ $index1 }}
+      provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389
+      binddn={{ printf "cn=admin,%s" $domain }}
+      bindmethod=simple
+      credentials={{ $configPassword }}
+      searchbase={{ $domain }}
+      type=refreshAndPersist
+      interval={{ $interval }}
+      network-timeout=0
+      retry="{{ $retry }} +"
+      timeout={{ $timeout }}
+      starttls={{ $starttls }}
+      tls_reqcert={{ $tls_reqcert }}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Renders a value that contains template.
 Usage:
@@ -128,3 +183,17 @@ Return the proper Docker Image Registry Secret Names
 {{- define "global.bindDN" -}}
 {{- printf "cn=admin,%s" (include "global.baseDomain" .) -}}
 {{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "global.ldapsPort" -}}
+{{- printf "%d" .Values.global.sslLdapPort  -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "global.ldapPort" -}}
+{{- printf "%d" .Values.global.ldapPort  -}}
+{{- end -}}

templates/configmap-env.yaml

@@ -17,11 +17,20 @@ metadata:
 {{ toYaml .Values.extraLabels | indent 4 }}
 {{- end }}
 data:
-  LDAP_DOMAIN: {{ .Values.global.ldapDomain }}
+  LDAP_ROOT: {{ include "global.baseDomain" . }}
+  LDAP_EXTRA_SCHEMAS: "cosine,inetorgperson,nis,syncprov,serverid,csyncprov,rep,bsyncprov,brep"
+  LDAP_CONFIG_ADMIN_ENABLED: "true"
+  LDAP_CONFIG_ADMIN_USERNAME: "config"
+  {{- if .Values.users }}
+  LDAP_USERS: {{ .Values.users }}
+  {{- end }}
+  {{- if .Values.userPasswords }}
+  LDAP_PASSWORDS: {{ .Values.userPasswords }}
+  {{- end }}
+  {{- if .Values.group }}
+  LDAP_GROUP: {{ .Values.group }}
+  {{- end }}
+  LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/tls.crt
+  LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/tls.key
+  LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/ca.crt
 {{ toYaml .Values.env | indent 2 }}
-{{- if .Values.replication.enabled }}
-  LDAP_REPLICATION: "true"
-  LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
-  LDAP_REPLICATION_DB_SYNCPROV: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval={{.Values.replication.interval }} retry=\"{{.Values.replication.retry }} +\" timeout={{.Values.replication.timeout }} starttls={{.Values.replication.starttls }} tls_reqcert={{.Values.replication.tls_reqcert }}"
-  LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:[{{ template "replicalist" . }}]"
-{{- end }}