diff --git a/README.md b/README.md index 22035c7..187ce4f 100755 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ Parameters related to the configuration of the application. | `replication.timeout` | timeout for replication in sec | `1` | | `replication.starttls` | starttls replication | `critical` | | `replication.tls_reqcert` | tls certificate validation for replication | `never` | +| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` | | `replication.interval` | interval for replication | `00:00:00:10` | | `replication.clusterName` | Set the clustername for replication | "cluster.local" | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e95e3b8..b981f16 100755 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -63,6 +63,12 @@ Generate olcServerID list {{- end -}} {{- end -}} +{{- define "openldap.replication.tls_cacert" -}} +{{- if .Values.replication.tls_cacert -}} +{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}} +{{- end -}} +{{- end -}} + {{/* Generate olcSyncRepl list */}} 
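Review bot: The new `openldap.replication.tls_cacert` define emits the path unquoted via `printf "tls_cacert=%s"`, so a value containing whitespace would split the syncrepl directive; the other path-like options on the olcSyncRepl line in this file are quoted (`binddn="..."`, `searchbase="..."`), so `{{- printf "tls_cacert=\"%s\"" .Values.replication.tls_cacert -}}` would be consistent. The define also lacks the `{{/* ... */}}` description header that the neighbouring definitions carry; add `{{/* Generate the tls_cacert syncrepl option; empty when replication.tls_cacert is unset */}}` above it. Nothing in this diff mounts a CA file into the pod, so the option presumably points at a bundle already present in the image or an existing volume — worth stating in the README row.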
@@ -76,10 +82,11 @@ Generate olcSyncRepl list {{- $timeout := .Values.replication.timeout }} {{- $starttls := .Values.replication.starttls }} {{- $tls_reqcert := .Values.replication.tls_reqcert }} +{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }} {{- $nodeCount := .Values.replicaCount | int }} {{- range $index0 := until $nodeCount }} {{- $index1 := $index0 | add1 }} - olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} + olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }} {{- end -}} {{- end -}} @@ -97,6 +104,7 @@ Generate olcSyncRepl list {{- $timeout := .Values.replication.timeout }} {{- $starttls := .Values.replication.starttls }} {{- $tls_reqcert := .Values.replication.tls_reqcert }} +{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }} {{- $interval := .Values.replication.interval }} {{- $nodeCount := .Values.replicaCount | int }} {{- range $index0 := until $nodeCount }} @@ -115,6 +123,7 @@ Generate olcSyncRepl list timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} + {{ $tls_cacert }} {{- end -}} {{- end -}} diff --git a/values.yaml b/values.yaml index 80e72b8..b69641a 100644 --- a/values.yaml +++ b/values.yaml 
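Review bot: In the single-line olcSyncRepl form, `{{ $tls_cacert }}` is appended unconditionally after `tls_reqcert={{ $tls_reqcert }}`, so when `replication.tls_cacert` is unset the include returns an empty string and the directive ends with a trailing space. slapd likely tolerates trailing whitespace, but it is avoidable: `tls_reqcert={{ $tls_reqcert }}{{- with $tls_cacert }} {{ . }}{{- end }}` emits the separator only when there is a value. The enclosing define starts before this hunk.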
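Review bot: In the multi-line form (hunk `@@ -115,6 +123,7 @@`), the added `{{ $tls_cacert }}` sits on its own indented line, so an unset `replication.tls_cacert` produces a line of indentation only inside the olcSyncRepl value; whether that is harmless depends on the scalar form of the enclosing template, which starts outside this hunk. Guarding it avoids the question: `{{- with $tls_cacert }}` / `  {{ . }}` / `{{- end }}` in place of the bare line.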
@@ -238,6 +238,7 @@ replication:
 interval: 00:00:00:10
 starttls: "critical"
 tls_reqcert: "never"
+ # tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
 ## Persist data to a persistent volume
 persistence:
 enabled: true
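Review bot: The commented-out `tls_cacert` example is placed directly under `tls_reqcert: "never"`, and with that default slapd does not request or verify the provider's certificate, so pointing at a CA bundle alone changes nothing. A comment beside the example would prevent users from assuming they have enabled verification: `# tls_cacert only takes effect with tls_reqcert "demand"/"hard" (or "try"); under "never" the peer certificate is not verified`. The README row for this key could carry the same sentence.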