Openldap config: fix #40 (#47)

georchestra · Sep 6, 2023 · 381bf33 · 381bf33
1 parent 801bff1
commit 381bf33
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 7 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -127,7 +127,11 @@ Insert LDAP environment variables
 - name: LDAPADMINDN
   value: "{{ $ldap.adminDn }}"
 - name: LDAPADMINPASSWORD
-  value: "{{ $ldap.adminPassword }}"
+  valueFrom:
+    secretKeyRef:
+      name: {{ $ldap.existingSecret | default (printf "%s-ldap-passwords-secret" (include "georchestra.fullname" .)) }}
+      key: SLAPD_PASSWORD
+      optional: false
 - name: LDAPUSERSRDN
   value: "{{ $ldap.usersRdn }}"
 - name: LDAPROLESRDN

diff --git a/templates/ldap/openldap-deployment.yaml b/templates/ldap/openldap-deployment.yaml
@@ -36,17 +36,19 @@ spec:
             value: georchestra
           - name: SLAPD_DOMAIN
             value: georchestra.org
-          - name: SLAPD_PASSWORD
-            value: secret
           - name: RUN_AS_UID
             value: "0"
           - name: RUN_AS_GID
             value: "0"
           {{- if $webapp.extra_environment }}
           {{- $webapp.extra_environment | toYaml | nindent 10 }}
           {{- end }}
+        # Load the ldap admin password from a secret. Can also allow to override some other env vars with env vars defined in this secret, like for instance the GEORCHESTRA_PRIVILEGED_USER_PASSWORD
+        envFrom:
+          - secretRef:
+              name: {{ .Values.ldap.existingSecret | default (printf "%s-ldap-passwords-secret" (include "georchestra.fullname" .)) | quote }}
         ports:
-        - containerPort: 389
+        - containerPort: {{ .Values.ldap.port }}
           name: ldap
         volumeMounts:
           - mountPath: /etc/ldap
@@ -58,9 +60,9 @@ spec:
             command:
             - ldapsearch
             - -x
-            - -Hldap://localhost:389/
-            - -bdc=georchestra,dc=org
-            - cn=admin,dc=georchestra,dc=org
+            - -Hldap://localhost:{{ .Values.ldap.port }}/
+            - -b{{ .Values.ldap.baseDn }}
+            - {{ .Values.ldap.adminDn }}
           initialDelaySeconds: 30
       volumes:
       - name: openldap-data

diff --git a/templates/ldap/openldap-passwords-secret.yaml b/templates/ldap/openldap-passwords-secret.yaml
@@ -0,0 +1,11 @@
+{{- if (not .Values.ldap.existingSecret ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "georchestra.fullname" . }}-ldap-passwords-secret
+  labels:
+    {{- include "georchestra.labels" . | nindent 4 }}
+type: Opaque
+data:
+  SLAPD_PASSWORD: {{ .Values.ldap.adminPassword | b64enc | quote }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -197,6 +197,16 @@ ldap:
   adminDn: "cn=admin,dc=georchestra,dc=org"
   rolesRdn: "ou=roles"
   orgsRdn: "ou=orgs"
+  # By default, a secret is automatically created with the password declared above.
+  # You can override this by using an existingSecret declaring some environment variables
+  # and that should at least declare the ldap admin password
+  # Example of valid secret content (limited to the data part) would be
+  # "data": {
+  #     "SLAPD_PASSWORD": "mysecretldapadminpasswor_base64encoded"
+  # },
+  # Optionally, you can also provide the GEORCHESTRA_PRIVILEGED_USER_PASSWORD env var, that will
+  # be used to replace the default one on first run, see https://github.com/georchestra/georchestra/blob/master/ldap/docker-root/docker-entrypoint.d/01-populate#L47-L54
+  # existingSecret: mysecretldapenvvars
 
 database:
   builtin: true