Merge pull request #132 from opencmit2/FixIssue130_131

.bin/myval.yaml

@@ -12,12 +12,6 @@ phpldapadmin:
   ingress:
     hosts:
     - "phpldapadmin.example"
-customTLS:
-  enabled: true
-  image:
-    repository: alpine/openssl
-    tag: latest
-  secret: "custom-cert" 
 customSchemaFiles:
   10_owncloud_schema.ldif: |-
     # This LDIF files describes the ownCloud schema and can be used to
@@ -72,3 +66,11 @@ service:
   ldapPortNodePort: 30389
   sslLdapPortNodePort: 30636
   type: NodePort
+initTLSSecret:
+  tls_enabled: true
+  image:
+    registry: docker.io
+    repository: alpine/openssl
+    tag: latest
+    pullPolicy: IfNotPresent
+  secret: "custom-cert" 

Chart.yaml

@@ -13,7 +13,7 @@ dependencies:
       - bitnami-common
     version: 1.x.x
 home: https://www.openldap.org
-version: 4.1.1
+version: 4.1.2
 appVersion: 2.6.3
 description: Community developed LDAP software
 icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png

README.md

@@ -76,8 +76,8 @@ Parameters related to the configuration of the application.
 | `userPasswords`          | User password to create (comma seprated list)  | "" |
 | `group`          | Group to create and add list of user above | "" |
 | `env`                              | List of key value pairs as env variables to be sent to the docker image. See https://github.com/bitnami/containers/tree/main/bitnami/openldap for available ones | `[see values.yaml]` |
-| `customTLS.enabled`                      | Set to enable TLS/LDAPS with custom certificate - should also set `tls.secret`                                                                                    | `false`             |
-| `customTLS.secret`                       | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt                                                                       | `""`                |
+| `initTLSSecret.tls_enabled`                      | Set to enable TLS/LDAPS with custom certificate - Please also set `initTLSSecret.secret`, otherwise it will not take effect                                                                                    | `false`             |
+| `initTLSSecret.secret`                       | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt                                                                       | `""`                |
 | `customSchemaFiles` | Custom openldap schema files used in addition to default schemas                                                                    | `""`                |
 | `customLdifFiles`                       | Custom openldap configuration files used to override default settings                                                                      | `""`                |
 | `customLdifCm`                       | Existing configmap with custom ldif. Can't be use with customLdifFiles                                                            | `""`                |

templates/_helpers.tpl

@@ -149,8 +149,16 @@ Return the proper Docker Image Registry Secret Names
 {{/*
 Return the proper Openldap init container image name
 */}}
-{{- define "openldap.initContainerImage" -}}
-{{- include "common.images.image" (dict "imageRoot" .Values.customTLS.image "global" .Values.global) -}}
+{{- define "openldap.initTLSSecretImage" -}}
+{{- include "common.images.image" (dict "imageRoot" .Values.initTLSSecret.image "global" .Values.global) -}}
+{{- end -}}
+
+
+{{/*
+Return the proper Openldap volume permissions init container image name
+*/}}
+{{- define "openldap.volumePermissionsImage" -}}
+{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}}
 {{- end -}}
 
 

templates/statefulset.yaml

@@ -45,26 +45,33 @@ spec:
         {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
       {{- end }}
         - name: init-tls-secret
-          image: {{ include "openldap.initContainerImage" . }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "openldap.initTLSSecretImage" . }}
+          imagePullPolicy: {{ .Values.initTLSSecret.image.pullPolicy | quote }}
           command:
             - sh
             - -c
             - |
-              {{- if not .Values.customTLS.enabled}}
+              {{- if and .Values.initTLSSecret.tls_enabled .Values.initTLSSecret.secret }}
+              {{- else }}
               openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN={{ .Values.global.ldapDomain }}' -keyout /tmp-certs/tls.key -out /tmp-certs/tls.crt -days 365
               chmod 777  /tmp-certs/*
               {{- end }}
               cp -Lr /tmp-certs/* /certs
               [ -e /certs/ca.crt ] || cp -a /certs/tls.crt /certs/ca.crt
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.initTLSSecret.resources }}
+          resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: certs
               mountPath: "/certs"
             - name: secret-certs
               mountPath: "/tmp-certs"
       {{- if .Values.volumePermissions.enabled }}
         - name: volume-permissions
-          image: {{ include "openldap.initContainerImage" . }}
+          image: {{ include "openldap.volumePermissionsImage" . }}
           imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
           command: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.command "context" $) | nindent 12 }}
           {{- if .Values.containerSecurityContext.enabled }}
@@ -90,6 +97,12 @@ spec:
               ls -al /custom_config
               sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/*
               sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/*
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.updateReplication.resources }}
+          resources: {{- toYaml .Values.updateReplication.resources | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: cm-replication-acls
               mountPath: "/cm-schemas-acls"
@@ -274,10 +287,10 @@ spec:
         - name: certs
           emptyDir:
             medium: Memory
-{{- if .Values.customTLS.enabled }}
+{{- if .Values.initTLSSecret.tls_enabled }}
         - name: secret-certs
           secret:
-            secretName: {{ .Values.customTLS.secret }}
+            secretName: {{ .Values.initTLSSecret.secret }}
 {{- else }}
         - name: secret-certs
           emptyDir:
@@ -317,4 +330,4 @@ spec:
 {{- else if (not .Values.persistence.enabled) }}
         - name: data
           emptyDir: {}
-{{- end }}
+{{- end }}

values.yaml

@@ -63,16 +63,6 @@ image:
 logLevel: info
 
 
-# Settings for enabling TLS with custom certificate
-# need a secret with tls.crt, tls.key and ca.crt keys with associated files
-# Ref: https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#create-a-secret
-customTLS:
-  enabled: false
-  image:
-    repository: alpine/openssl
-    tag: latest
-  secret: ""  # The name of a kubernetes.io/tls type secret to use for TLS
-## Add additional labels to all resources
 extraLabels: {}
 
 service:
@@ -371,6 +361,42 @@ serviceAccount:
 
 ## @section Init Container Parameters
 
+## 'initTlsSecret' init container parameters
+## need a secret with tls.crt, tls.key and ca.crt keys with associated files
+## based on the *containerSecurityContext parameters
+##
+initTLSSecret:
+  tls_enabled: false
+  ##  openssl image
+  ## @param initTlsSecret.image.registry openssl image registry
+  ## @param initTlsSecret.image.repository openssl image name
+  ## @param initTlsSecret.image.tag openssl image tag
+  ##
+  image:
+    registry: docker.io
+    repository: alpine/openssl
+    tag: latest
+    ## @param image.pullPolicy openssl image pull policy
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+  # The name of a kubernetes.io/tls type secret to use for TLS
+  secret: "" 
+  ## init-tls-secret container's resource requests and limits
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  ## @param initTlsSecret.resources.limits The resources limits for the init container
+  ## @param initTlsSecret.resources.requests The requested resources for the init container
+  ##
+  resources:
+    ## Example:
+    ## limits:
+    ##   cpu: 500m
+    ##   memory: 1Gi
+    limits: {}
+    requests: {}
+
 ## 'volumePermissions' init container parameters
 ## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
 ##   based on the *podSecurityContext/*containerSecurityContext parameters
@@ -385,41 +411,46 @@ volumePermissions:
   ## @param volumePermissions.image.repository Bitnami Shell image repository
   ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended)
   ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy
-  ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets
   ##
   image:
     registry: docker.io
     repository: bitnami/bitnami-shell
     tag: 10-debian-10
     pullPolicy: IfNotPresent
-    ## Optionally specify an array of imagePullSecrets.
-    ## Secrets must be manually created in the namespace.
-    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-    ## e.g:
-    ## pullSecrets:
-    ##   - myRegistryKeySecretName
-    ##
-    pullSecrets: []
+
   ## Command to execute during the volumePermission startup
   ## command: ['sh', '-c', 'echo "hello world"']
   command: {}
   ## Init container's resource requests and limits
-  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
   ## @param volumePermissions.resources.limits The resources limits for the init container
   ## @param volumePermissions.resources.requests The requested resources for the init container
   ##
   resources:
+    ## Example:
+    ## limits:
+    ##   cpu: 500m
+    ##   memory: 1Gi
     limits: {}
     requests: {}
-  ## Init container Container Security Context
-  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
-  ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
-  ##   data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
-  ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
+
+## 'updateReplication' init container parameters
+## based on the *global.existingSecret/*containerSecurityContext parameters
+##
+updateReplication:
+  ## Init container's resource requests and limits
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  ## @param volumePermissions.resources.limits The resources limits for the init container
+  ## @param volumePermissions.resources.requests The requested resources for the init container
   ##
-  containerSecurityContext:
-    runAsUser: 0
+  resources:
+    ## Example:
+    ## limits:
+    ##   cpu: 500m
+    ##   memory: 1Gi
+    limits: {}
+    requests: {}
+
 
 ## Configure extra options for liveness, readiness, and startup probes
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes