From 98514f94d683d909c383179e7584308ef8a7d20c Mon Sep 17 00:00:00 2001 From: jinxinwang Date: Tue, 31 Oct 2023 17:23:03 +0800 Subject: [PATCH 1/2] Fix issues 130 and 131 --- Chart.yaml | 2 +- README.md | 4 +- templates/_helpers.tpl | 12 +++++- templates/statefulset.yaml | 27 +++++++++--- values.yaml | 87 ++++++++++++++++++++++++++------------ 5 files changed, 92 insertions(+), 40 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 9146a79..a1c3027 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -13,7 +13,7 @@ dependencies: - bitnami-common version: 1.x.x home: https://www.openldap.org -version: 4.1.1 +version: 4.1.2 appVersion: 2.6.3 description: Community developed LDAP software icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png diff --git a/README.md b/README.md index 2b9a9df..96f9e8a 100755 --- a/README.md +++ b/README.md 
@@ -76,8 +76,8 @@ Parameters related to the configuration of the application. | `userPasswords` | User password to create (comma seprated list) | "" | | `group` | Group to create and add list of user above | "" | | `env` | List of key value pairs as env variables to be sent to the docker image. See https://github.com/bitnami/containers/tree/main/bitnami/openldap for available ones | `[see values.yaml]` | -| `customTLS.enabled` | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret` | `false` | -| `customTLS.secret` | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt | `""` | +| `initTLSSecret.tls_enabled` | Set to enable TLS/LDAPS with custom certificate - Please also set `initTLSSecret.secret`, otherwise it will not take effect | `false` | +| `initTLSSecret.secret` | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt | `""` | | `customSchemaFiles` | Custom openldap schema files used in addition to default schemas | `""` | | `customLdifFiles` | Custom openldap configuration files used to override default settings | `""` | | `customLdifCm` | Existing configmap with custom ldif. Can't be use with customLdifFiles | `""` | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 537ffda..840ff73 100755 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -149,8 +149,16 @@ Return the proper Docker Image Registry Secret Names {{/* Return the proper Openldap init container image name */}} -{{- define "openldap.initContainerImage" -}} -{{- include "common.images.image" (dict "imageRoot" .Values.customTLS.image "global" .Values.global) -}} +{{- define "openldap.initTLSSecretImage" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.initTLSSecret.image "global" .Values.global) -}} +{{- end -}} + + +{{/* +Return the proper Openldap volume permissions init container image name +*/}} +{{- define "openldap.volumePermissionsImage" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}} {{- end -}} diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 923a9e4..92b0d80 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml 
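Review bot: The unchanged comment above the renamed helper still reads "Return the proper Openldap init container image name", but after this hunk there are two init-container image helpers, so that wording no longer tells a reader which container `openldap.initTLSSecretImage` serves. The new `openldap.volumePermissionsImage` helper got a precise comment; give the first one the same treatment, e.g. `Return the proper image name for the init-tls-secret init container`. Both helpers are otherwise identical apart from the values path, which is fine as long as each stays documented.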
@@ -45,18 +45,25 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} - name: init-tls-secret - image: {{ include "openldap.initContainerImage" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ include "openldap.initTLSSecretImage" . }} + imagePullPolicy: {{ .Values.initTLSSecret.image.pullPolicy | quote }} command: - sh - -c - | - {{- if not .Values.customTLS.enabled}} + {{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }} + {{- else }} openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN={{ .Values.global.ldapDomain }}' -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365 chmod 777 /tmp-certs/* {{- end }} cp -Lr /tmp-certs/* /certs [ -e /certs/ca.crt ] || cp -a /certs/tls.crt /certs/ca.crt + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.initTLSSecret.resources }} + resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }} + {{- end }} volumeMounts: - name: certs mountPath: "/certs" @@ -64,7 +71,7 @@ spec: mountPath: "/tmp-certs" {{- if .Values.volumePermissions.enabled }} - name: volume-permissions - image: {{ include "openldap.initContainerImage" . }} + image: {{ include "openldap.volumePermissionsImage" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.command "context" $) | nindent 12 }} {{- if .Values.containerSecurityContext.enabled }} 
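Review bot: The new guard `{{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }}` has an empty true branch and, when `tls_enabled` is true but `secret` is empty, silently falls back to minting a self-signed certificate, while the `secret-certs` volume in the hunk at -274 keys on `tls_enabled` alone and would then render an empty `secretName`, so the two conditions disagree and the pod is likely to be rejected by the API server rather than "not take effect" as the README in this patch says. Failing at render time is clearer and keeps the fallback intentional: `{{- if and .Values.initTLSSecret.tls_enabled (not .Values.initTLSSecret.secret) }}{{- fail "initTLSSecret.secret is required when initTLSSecret.tls_enabled is true" }}{{- end }}` followed by `{{- if not .Values.initTLSSecret.tls_enabled }}` around the openssl block. Separately, the unchanged `chmod 777 /tmp-certs/*` leaves the generated private key world-writable; `chmod 644` still lets the main container read it after the `cp` below while dropping the write bit (the emptyDir is pod-local, so exposure is limited but the permission is still wider than needed). The init container's `volumeMounts` continue past the end of this hunk.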
@@ -90,6 +97,12 @@ spec: ls -al /custom_config sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/* sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/* + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.updateReplication.resources }} + resources: {{- toYaml .Values.updateReplication.resources | nindent 12 }} + {{- end }} volumeMounts: - name: cm-replication-acls mountPath: "/cm-schemas-acls" @@ -274,10 +287,10 @@ spec: - name: certs emptyDir: medium: Memory -{{- if .Values.customTLS.enabled }} +{{- if .Values.initTLSSecret.tls_enabled }} - name: secret-certs secret: - secretName: {{ .Values.customTLS.secret }} + secretName: {{ .Values.initTLSSecret.secret }} {{- else }} - name: secret-certs emptyDir: @@ -317,4 +330,4 @@ spec: {{- else if (not .Values.persistence.enabled) }} - name: data emptyDir: {} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index e1acbb8..b31332a 100644 --- a/values.yaml +++ b/values.yaml @@ -63,16 +63,6 @@ image: logLevel: info -# Settings for enabling TLS with custom certificate -# need a secret with tls.crt, tls.key and ca.crt keys with associated files -# Ref: https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#create-a-secret -customTLS: - enabled: false - image: - repository: alpine/openssl - tag: latest - secret: "" # The name of a kubernetes.io/tls type secret to use for TLS -## Add additional labels to all resources extraLabels: {} service: 
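Review bot: The `securityContext` added to this init container is the pod-wide `containerSecurityContext`, yet the container rewrites files in place with `sed -i` on `/custom_config/*`; if that context sets `readOnlyRootFilesystem` (not visible here) the step only works when `/custom_config` is a writable mount, and the `volumeMounts` list that would confirm it is cut off by the hunk. Worth a comment on the container so the coupling is explicit, e.g. `# needs /custom_config writable: sed -i rewrites the rendered ldif in place`. While here, the unchanged sed lines splice `${LDAP_ADMIN_PASSWORD}` and `${LDAP_CONFIG_ADMIN_PASSWORD}` directly into a sed replacement, so a password containing `/`, `&` or `\` breaks or mangles the substitution; that predates this commit but is the kind of silent failure an inherited security context will not surface.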
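Review bot: `secretName: {{ .Values.initTLSSecret.secret }}` renders the user-supplied value as a bare scalar, so an empty or number-looking name is emitted unquoted; `secretName: {{ .Values.initTLSSecret.secret | quote }}` matches the `| quote` this file already applies to `imagePullPolicy` and makes a missing value show up as an explicit `""`. This volume is gated on `tls_enabled` alone, whereas the `init-tls-secret` container's new guard also requires `secret` to be non-empty; both sites should test the same condition so a misconfiguration fails in one predictable place. The rest of the volumes list and the enclosing `spec` are outside this hunk.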
@@ -371,6 +361,42 @@ serviceAccount: ## @section Init Container Parameters +## 'initTlsSecret' init container parameters +## need a secret with tls.crt, tls.key and ca.crt keys with associated files +## based on the *containerSecurityContext parameters +## +initTLSSecret: + tls_enabled: false + ## openssl image + ## @param initTlsSecret.image.registry openssl image registry + ## @param initTlsSecret.image.repository openssl image name + ## @param initTlsSecret.image.tag openssl image tag + ## + image: + registry: docker.io + repository: alpine/openssl + tag: latest + ## @param image.pullPolicy openssl image pull policy + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + # The name of a kubernetes.io/tls type secret to use for TLS + secret: "" + ## init-tls-secret container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## @param initTlsSecret.resources.limits The resources limits for the init container + ## @param initTlsSecret.resources.requests The requested resources for the init container + ## + resources: + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi + limits: {} + requests: {} + ## 'volumePermissions' init container parameters ## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values ## based on the *podSecurityContext/*containerSecurityContext parameters 
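Review bot: The new `initTLSSecret.image` combines `tag: latest` with `pullPolicy: IfNotPresent`, so the container that generates or copies the TLS key material is whatever `alpine/openssl` image each node happens to have cached, unpinned and unreproducible; the `volumePermissions` block just below already says `immutable tags are recommended`, and the same should apply here: pin a specific version tag (or a digest) and only then keep `IfNotPresent`. The `@param` annotations also do not match the key they document: they say `initTlsSecret.image.registry` / `initTlsSecret.resources.*` and a bare `image.pullPolicy`, while the key is `initTLSSecret`, so a README generator would emit the wrong names; change them to `@param initTLSSecret.image.registry` and so on. `tls_enabled` is the only snake_case key in this otherwise camelCase values file; `enabled`, matching `volumePermissions.enabled` and the removed `customTLS.enabled`, would be consistent, though the README in this patch already documents `tls_enabled`, so the rename would need both files.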
@@ -385,41 +411,46 @@ volumePermissions: ## @param volumePermissions.image.repository Bitnami Shell image repository ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy - ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets ## image: registry: docker.io repository: bitnami/bitnami-shell tag: 10-debian-10 pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] + ## Command to execute during the volumePermission startup ## command: ['sh', '-c', 'echo "hello world"'] command: {} ## Init container's resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param volumePermissions.resources.limits The resources limits for the init container ## @param volumePermissions.resources.requests The requested resources for the init container ## resources: + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi limits: {} requests: {} - ## Init container Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser - ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the - ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + +## 'updateReplication' init container 
parameters +## based on the *global.existingSecret/*containerSecurityContext parameters +## +updateReplication: + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container ## - containerSecurityContext: - runAsUser: 0 + resources: + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi + limits: {} + requests: {} + ## Configure extra options for liveness, readiness, and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes From 6f4af86628efcff400475ca6948aa083dbe79bdd Mon Sep 17 00:00:00 2001 From: opencmit2 <112474703+opencmit2@users.noreply.github.com> Date: Wed, 1 Nov 2023 09:33:21 +0800 Subject: [PATCH 2/2] Update myval.yaml Modify the custom certificate parameters in the myval.yaml file --- .bin/myval.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.bin/myval.yaml b/.bin/myval.yaml index dd3c03b..229c2ff 100644 --- a/.bin/myval.yaml +++ b/.bin/myval.yaml @@ -12,12 +12,6 @@ phpldapadmin: ingress: hosts: - "phpldapadmin.example" -customTLS: - enabled: true - image: - repository: alpine/openssl - tag: latest - secret: "custom-cert" customSchemaFiles: 10_owncloud_schema.ldif: |- # This LDIF files describes the ownCloud schema and can be used to @@ -72,3 +66,11 @@ service: ldapPortNodePort: 30389 sslLdapPortNodePort: 30636 type: NodePort +initTLSSecret: + tls_enabled: true + image: + registry: docker.io + repository: alpine/openssl + tag: latest + pullPolicy: IfNotPresent + secret: "custom-cert"
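Review bot: The new `updateReplication` block copies the `@param volumePermissions.resources.limits` and `@param volumePermissions.resources.requests` annotations verbatim, so they document the wrong key; they should read `@param updateReplication.resources.limits` and `@param updateReplication.resources.requests`. This hunk also drops `volumePermissions.image.pullSecrets` and the `volumePermissions.containerSecurityContext.runAsUser: 0` block together with its note about `auto` for OpenShift; the statefulset hunk at -64 shows the volume-permissions container already taking the pod-wide `containerSecurityContext`, so the removed key looks unused, but if the chart's pull-secrets helper (outside this patch) still reads `volumePermissions.image.pullSecrets`, that reference now silently resolves to nothing. Since changing ownership of the data volume normally requires root, the `volumePermissions` comment should say what the shared context must allow, e.g. `## NOTE: runs under the pod-wide containerSecurityContext; chown needs a uid permitted to change ownership (typically root)`.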
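Review bot: The example in `.bin/myval.yaml` restates the chart defaults for `initTLSSecret.image` (`registry`, `repository`, `tag: latest`, `pullPolicy`) instead of setting only the two keys it needs, so the file silently diverges from `values.yaml` whenever the defaults change and bakes the mutable `latest` tag with `IfNotPresent` into the example users copy. Reduce it to `initTLSSecret:` / `  tls_enabled: true` / `  secret: "custom-cert"` and let the chart supply the image.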