---
# Ansible vars for the openldap Helm release. `openldap_default_values` is the
# values map handed to the chart; every "{{ ... }}" below is rendered by Ansible
# before Helm sees it, so the referenced vars must be defined in the inventory.
openldap_short_name: "openldap"

openldap_default_values:
  replicaCount: 1

  # Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
  # It prevents from merging with existing map keys which are forbidden.
  strategy:
    type: RollingUpdate
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 0
    #
    # or
    #
    # type: Recreate
    # rollingUpdate: null

  image:
    # From repository https://github.com/osixia/docker-openldap
    repository: osixia/openldap
    # NOTE(review): a tag is mutable and pullPolicy Always re-resolves it on every
    # pod start, so a re-pushed upstream tag is picked up without any change here.
    # Pinning by digest (repository@sha256:<digest-placeholder>) would make the
    # deployed image reproducible - confirm the chart supports a digest reference.
    tag: 1.4.0
    pullPolicy: Always

  # Specifies an existing secret to be used for admin and config user passwords
  existingSecret: ""

  # settings for enabling TLS
  tls:
    enabled: true
    secret: "{{ openldap_short_name }}.{{ domain }}-secret"  # The name of a kubernetes.io/tls type secret to use for TLS
    CA:
      enabled: true
      secret: "{{ openldap_short_name }}.{{ domain }}-ca"  # The name of a generic secret to use for custom CA certificate (ca.crt)

  ## Add additional labels to all resources
  extraLabels: {}
  ## Add additional annotations to pods
  podAnnotations: {}

  service:
    annotations:
      # external-dns publishes this hostname for the LoadBalancer address below.
      external-dns.alpha.kubernetes.io/hostname: "{{ openldap_short_name }}.{{ domain }}"
    clusterIP: ""
    # Plain LDAP (389) is exposed on the same LoadBalancer as LDAPS; together
    # with LDAP_TLS_ENFORCE "false" in env below, simple binds can reach the
    # server without TLS. Restricting loadBalancerSourceRanges, or enforcing
    # TLS, keeps cleartext binds off the public address.
    ldapPort: 389
    sslLdapPort: 636  # Only used if tls.enabled is true
    ## List of IP addresses at which the service is available
    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
    ##
    externalIPs: []
    loadBalancerIP: "{{ openldap_loadbalancer_ip | default(omit) }}"
    # Empty list = no source restriction on the LoadBalancer (cloud provider default).
    loadBalancerSourceRanges: []
    type: LoadBalancer

  # Default configuration for openldap as environment variables. These get injected directly in the container.
  # Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
  env:
    # NOTE(review): for this image, organisation/domain/schema settings are
    # believed to apply only on first start with an empty data volume - confirm
    # before relying on a later change taking effect.
    LDAP_ORGANISATION: "{{ ldap_org | default('GHP') }}"
    LDAP_DOMAIN: "{{ ldap_domain | default(domain) }}"
    LDAP_BACKEND: "mdb"
    LDAP_TLS: "true"
    # "false": TLS is offered but not required, so cleartext binds on 389 are accepted.
    LDAP_TLS_ENFORCE: "false"
    LDAP_RFC2307BIS_SCHEMA: "true"
    # "try": a client certificate is requested but the connection proceeds without one.
    LDAP_TLS_VERIFY_CLIENT: "try"

  # Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
  # You can override these at install time with
  # helm install openldap --set openldap.adminPassword=,openldap.configPassword=
  # NOTE(review): these values are rendered into the chart values and therefore
  # end up in the Helm release record as well as the chart's Secret; the source
  # vars (openldap_admin_password, openldap_config_password) are assumed to be
  # vaulted - confirm.
  adminPassword: "{{ openldap_admin_pass | default(openldap_admin_password) }}"
  configPassword: "{{ openldap_config_pass | default(openldap_config_password) }}"

  # Custom openldap configuration files used to override default settings
  customLdifFiles:
    # Loads the pw-pbkdf2 module; the *_pbkdf2_sha512_hash values used for
    # userPassword below cannot be verified by slapd without it.
    01-pw-pbkdf2.ldif: |-
      dn: cn=module{0},cn=config
      changetype: modify
      add: olcModuleLoad
      olcModuleLoad: pw-pbkdf2
    # Appends rule {1}: authenticated users may read everything, anonymous may
    # only authenticate. NOTE(review): protection of userPassword relies on an
    # existing rule {0} that is not defined in this file (presumably the image
    # default) - confirm it is present and ordered before this one.
    02-acl.ldif: |-
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      add: olcAccess
      olcAccess: {1}to * by users read by anonymous auth by * none
    # Initial directory layout: OUs, fixed service/application accounts and the
    # admin group. Password hashes are supplied by the *_pbkdf2_sha512_hash vars.
    03-default-users.ldif: |-
      dn: ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: groups

      dn: ou=users,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: users

      dn: ou=services,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: services

      dn: uid=admin,ou=users,{{ openldap_domain }}
      changetype: add
      uid: admin
      cn: admin
      sn: 4
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/admin
      uidNumber: 14583104
      gidNumber: 14564104
      userPassword: {{ openldap_admin_pbkdf2_sha512_hash }}
      gecos: Admin user

      dn: uid=systemuser,ou=services,{{ openldap_domain }}
      changetype: add
      uid: systemuser
      cn: systemuser
      sn: 5
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/systemuser
      uidNumber: 14583105
      gidNumber: 14564105
      userPassword: {{ systemuser_pbkdf2_sha512_hash }}
      mail: systemuser@{{ domain }}
      gecos: System user

      dn: uid=nextcloud,ou=users,{{ openldap_domain }}
      changetype: add
      uid: nextcloud
      cn: nextcloud
      sn: 6
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/nextcloud
      uidNumber: 14583106
      gidNumber: 14564106
      userPassword: {{ nextcloud_ldap_pbkdf2_sha512_hash }}
      mail: nextcloud@{{ domain }}
      gecos: Nexcloud user

      dn: uid=ldapbind,ou=services,{{ openldap_domain }}
      changetype: add
      uid: ldapbind
      cn: ldapbind
      sn: 7
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /sbin/nologin
      homeDirectory: /home/ldapbind
      uidNumber: 14583107
      gidNumber: 14564107
      userPassword: {{ ldapbind_pbkdf2_sha512_hash }}
      gecos: LDAP bind user

      dn: uid=bitwarden,ou=users,{{ openldap_domain }}
      changetype: add
      uid: bitwarden
      cn: bitwarden
      sn: 8
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/bitwarden
      uidNumber: 14583108
      gidNumber: 14564108
      userPassword: {{ bitwarden_ldap_pbkdf2_sha512_hash }}
      mail: bitwarden@{{ domain }}
      gecos: Bitwarden user

      dn: uid=gitea,ou=users,{{ openldap_domain }}
      changetype: add
      uid: gitea
      cn: gitea
      sn: 9
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/gitea
      uidNumber: 14583109
      gidNumber: 14564109
      userPassword: {{ gitea_ldap_pbkdf2_sha512_hash }}
      mail: gitea@{{ domain }}
      gecos: Gitea user

      dn: uid=wikijs,ou=users,{{ openldap_domain }}
      changetype: add
      uid: wikijs
      cn: wikijs
      sn: 10
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/wikijs
      uidNumber: 14583110
      gidNumber: 14564110
      userPassword: {{ wikijs_ldap_pbkdf2_sha512_hash }}
      mail: wikijs@{{ domain }}
      gecos: WikiJS user

      dn: uid=peertube,ou=users,{{ openldap_domain }}
      changetype: add
      uid: peertube
      cn: peertube
      sn: 11
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/peertube
      uidNumber: 14583111
      gidNumber: 14564111
      userPassword: {{ peertube_ldap_pbkdf2_sha512_hash }}
      mail: peertube@{{ domain }}
      gecos: PeerTube user

      dn: uid=mastodon,ou=users,{{ openldap_domain }}
      changetype: add
      uid: mastodon
      cn: mastodon
      sn: 12
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/mastodon
      uidNumber: 14583112
      gidNumber: 14564112
      userPassword: {{ mastodon_ldap_pbkdf2_sha512_hash }}
      mail: mastodon@{{ domain }}
      gecos: Mastodon user

      dn: cn=admin,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: admin
      description: Admin users
      uniqueMember: cn=admin,{{ openldap_domain }}
    # Group membership for the accounts above plus the inventory-driven
    # openldap_simple_users / openldap_custom_users lists.
    # NOTE(review): the admin group in 03-default-users.ldif names
    # cn=admin,<base> rather than uid=admin,ou=users,<base> - confirm which
    # identity is meant to be the group member.
    06-memberof.ldif: |-
      dn: cn=services,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: services
      description: System users
      uniqueMember: uid=systemuser,ou=services,{{ openldap_domain }}
      uniqueMember: uid=ldapbind,ou=services,{{ openldap_domain }}
      uniqueMember: uid=nextcloud,ou=users,{{ openldap_domain }}
      uniqueMember: uid=bitwarden,ou=users,{{ openldap_domain }}
      uniqueMember: uid=gitea,ou=users,{{ openldap_domain }}
      uniqueMember: uid=wikijs,ou=users,{{ openldap_domain }}
      uniqueMember: uid=peertube,ou=users,{{ openldap_domain }}
      uniqueMember: uid=mastodon,ou=users,{{ openldap_domain }}

      dn: cn=users,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: users
      description: Simple users
      {% for user in openldap_simple_users %}
      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
      {% endfor %}
      {% for user in openldap_custom_users %}
      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
      {% endfor %}

  ## Persist data to a persistent volume
  persistence:
    enabled: true
    ## database data Persistent Volume Storage Class
    ## If defined, storageClassName:
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: "{{ openldap_storage | default('nfs-ssd') }}"
    accessMode: "{{ openldap_storage_mode | default('ReadWriteMany') }}"
    size: "{{ openldap_size | default('8Gi') }}"
    # existingClaim: ""

  ## test container details
  test:
    enabled: false