# Ansible variables for the openldap deployment.
# openldap_default_values holds the Helm values handed to the openldap chart
# (see the `helm install ... --set openldap.adminPassword` note further down).
# Every "{{ ... }}" / "{% ... %}" below is Jinja and is rendered by Ansible, not
# by Helm; the quoted ones are kept quoted so a value starting with "{{" is not
# read by the YAML parser as a flow mapping.
openldap_short_name: "openldap"

openldap_default_values:
  replicaCount: 1

  # Define deployment strategy - IMPORTANT: use rollingUpdate: null when using the Recreate strategy.
  # It prevents merging with existing map keys, which is forbidden.
  strategy:
    type: RollingUpdate
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 0
    #
    # or
    #
    # type: Recreate
    # rollingUpdate: null
  image:
    # From repository https://github.com/osixia/docker-openldap
    repository: osixia/openldap
    # Plain 1.4.0 is a string for YAML (two dots); a tag such as 1.4 would need quotes.
    tag: 1.4.0

  # Specifies an existing secret to be used for admin and config user passwords.
  # Left empty here, so the adminPassword/configPassword values further down are
  # used instead (see the note on them).
  existingSecret: ""

  # settings for enabling TLS
  tls:
    enabled: true
    secret: "{{ openldap_short_name }}.{{ domain }}-secret" # The name of a kubernetes.io/tls type secret to use for TLS
    CA:
      enabled: true
      secret: "{{ openldap_short_name }}.{{ domain }}-ca" # The name of a generic secret to use for custom CA certificate (ca.crt)

  ## Add additional labels to all resources
  extraLabels: {}
  ## Add additional annotations to pods
  podAnnotations: {}
  # type: LoadBalancer together with the external-dns hostname annotation
  # publishes both ldapPort and sslLdapPort outside the cluster under
  # <openldap_short_name>.<domain>. loadBalancerSourceRanges is empty, i.e. no
  # source-IP restriction is applied at the load balancer; see the
  # LDAP_TLS_ENFORCE note under env for what that means for the plain port.
  service:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: "{{ openldap_short_name }}.{{ domain }}"
    clusterIP: ""

    ldapPort: 389
    sslLdapPort: 636 # Only used if tls.enabled is true
    ## List of IP addresses at which the service is available
    ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
    ##
    externalIPs: []

    # default(omit) drops the key when openldap_loadbalancer_ip is unset.
    # NOTE(review): the omit placeholder is only honoured when this dict ends up
    # as a module argument of the consuming task — confirm against the caller.
    loadBalancerIP: "{{ openldap_loadbalancer_ip | default(omit) }}"
    loadBalancerSourceRanges: []
    type: LoadBalancer

  # Default configuration for openldap as environment variables. These get injected directly in the container.
  # Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
  # All values are quoted strings on purpose: the container reads them from its environment.
  env:
    LDAP_ORGANISATION: "{{ ldap_org | default('GHP') }}"
    LDAP_DOMAIN: "{{ ldap_domain | default(domain) }}"
    LDAP_BACKEND: "mdb"
    LDAP_TLS: "true"
    # "false": plain LDAP on ldapPort is still accepted, so credentials are only
    # protected when the client itself uses STARTTLS or the ldaps port. Together
    # with service.type LoadBalancer above, this is the setting to revisit if the
    # plain port must not be reachable from outside the cluster.
    LDAP_TLS_ENFORCE: "false"
    LDAP_RFC2307BIS_SCHEMA: "true"
    # "try": a client certificate is requested, but a connection without one is
    # still accepted (per the image's documentation linked above).
    LDAP_TLS_VERIFY_CLIENT: "try"

  # Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
  # You can override these at install time with
  # helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
  # NOTE(review): the fallback variables openldap_admin_password /
  # openldap_config_password are defined elsewhere — confirm they come from a
  # vaulted source rather than a plain vars file.
  adminPassword: "{{ openldap_admin_pass | default(openldap_admin_password) }}"
  configPassword: "{{ openldap_config_pass | default(openldap_config_password) }}"

  # Custom openldap configuration files used to override default settings.
  # Each value is an LDIF document kept verbatim in a |- block scalar; the Jinja
  # "{{ }}" / "{% %}" inside them are part of that text and must stay indented
  # with the LDIF lines, otherwise they would terminate the block scalar.
  customLdifFiles:
    # Loads the pw-pbkdf2 password-hash module so the PBKDF2-SHA512 userPassword
    # values set in 03-default-users.ldif can be verified by slapd.
    01-pw-pbkdf2.ldif: |-
      dn: cn=module{0},cn=config
      changetype: modify
      add: olcModuleLoad
      olcModuleLoad: pw-pbkdf2
    # Appends an access rule at position {1}: every authenticated user may read
    # every entry, anonymous may only bind (auth), everyone else gets nothing.
    # NOTE(review): "to *" also covers the userPassword attribute; unless a
    # lower-numbered rule shipped by the image already restricts it, any
    # authenticated user can read every other user's password hash — confirm
    # the {0} rule in the image's default config before relying on this.
    02-acl.ldif: |-
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      add: olcAccess
      olcAccess: {1}to * by users read by anonymous auth by * none
    # Bootstrap entries: the groups/users/services OUs, one posixAccount +
    # inetOrgPerson per account (admin, systemuser, nextcloud, ldapbind,
    # bitwarden, gitea, wikijs, peertube, mastodon) and the admin group.
    # Password values are taken from the *_pbkdf2_sha512_hash variables, never
    # written here in clear. Only ldapbind gets /sbin/nologin; the rest keep
    # /bin/bash.
    # NOTE(review): the admin group's uniqueMember is cn=admin,<base>
    # (presumably the directory's root DN), not the uid=admin,ou=users entry
    # created in the same file — confirm that is intended.
    # The nextcloud gecos reads "Nexcloud" (typo); left as-is, it is directory data.
    03-default-users.ldif: |-
      dn: ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: groups

      dn: ou=users,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: users

      dn: ou=services,{{ openldap_domain }}
      changetype: add
      objectClass: organizationalUnit
      objectClass: top
      ou: services

      dn: uid=admin,ou=users,{{ openldap_domain }}
      changetype: add
      uid: admin
      cn: admin
      sn: 4
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/admin
      uidNumber: 14583104
      gidNumber: 14564104
      userPassword: {{ openldap_admin_pbkdf2_sha512_hash }}
      gecos: Admin user

      dn: uid=systemuser,ou=services,{{ openldap_domain }}
      changetype: add
      uid: systemuser
      cn: systemuser
      sn: 5
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/systemuser
      uidNumber: 14583105
      gidNumber: 14564105
      userPassword: {{ systemuser_pbkdf2_sha512_hash }}
      mail: systemuser@{{ domain }}
      gecos: System user

      dn: uid=nextcloud,ou=users,{{ openldap_domain }}
      changetype: add
      uid: nextcloud
      cn: nextcloud
      sn: 6
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/nextcloud
      uidNumber: 14583106
      gidNumber: 14564106
      userPassword: {{ nextcloud_ldap_pbkdf2_sha512_hash }}
      mail: nextcloud@{{ domain }}
      gecos: Nexcloud user

      dn: uid=ldapbind,ou=services,{{ openldap_domain }}
      changetype: add
      uid: ldapbind
      cn: ldapbind
      sn: 7
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /sbin/nologin
      homeDirectory: /home/ldapbind
      uidNumber: 14583107
      gidNumber: 14564107
      userPassword: {{ ldapbind_pbkdf2_sha512_hash }}
      gecos: LDAP bind user

      dn: uid=bitwarden,ou=users,{{ openldap_domain }}
      changetype: add
      uid: bitwarden
      cn: bitwarden
      sn: 8
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/bitwarden
      uidNumber: 14583108
      gidNumber: 14564108
      userPassword: {{ bitwarden_ldap_pbkdf2_sha512_hash }}
      mail: bitwarden@{{ domain }}
      gecos: Bitwarden user

      dn: uid=gitea,ou=users,{{ openldap_domain }}
      changetype: add
      uid: gitea
      cn: gitea
      sn: 9
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/gitea
      uidNumber: 14583109
      gidNumber: 14564109
      userPassword: {{ gitea_ldap_pbkdf2_sha512_hash }}
      mail: gitea@{{ domain }}
      gecos: Gitea user

      dn: uid=wikijs,ou=users,{{ openldap_domain }}
      changetype: add
      uid: wikijs
      cn: wikijs
      sn: 10
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/wikijs
      uidNumber: 14583110
      gidNumber: 14564110
      userPassword: {{ wikijs_ldap_pbkdf2_sha512_hash }}
      mail: wikijs@{{ domain }}
      gecos: WikiJS user

      dn: uid=peertube,ou=users,{{ openldap_domain }}
      changetype: add
      uid: peertube
      cn: peertube
      sn: 11
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/peertube
      uidNumber: 14583111
      gidNumber: 14564111
      userPassword: {{ peertube_ldap_pbkdf2_sha512_hash }}
      mail: peertube@{{ domain }}
      gecos: PeerTube user

      dn: uid=mastodon,ou=users,{{ openldap_domain }}
      changetype: add
      uid: mastodon
      cn: mastodon
      sn: 12
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/mastodon
      uidNumber: 14583112
      gidNumber: 14564112
      userPassword: {{ mastodon_ldap_pbkdf2_sha512_hash }}
      mail: mastodon@{{ domain }}
      gecos: Mastodon user

      dn: cn=admin,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: admin
      description: Admin users
      uniqueMember: cn=admin,{{ openldap_domain }}

    # Group membership: "services" lists every application account created
    # above; "users" is filled from openldap_simple_users and
    # openldap_custom_users (each entry is expected to carry a .name) by the
    # two for-loops, which are expanded when Ansible renders this variable.
    06-memberof.ldif: |-
      dn: cn=services,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: services
      description: System users
      uniqueMember: uid=systemuser,ou=services,{{ openldap_domain }}
      uniqueMember: uid=ldapbind,ou=services,{{ openldap_domain }}
      uniqueMember: uid=nextcloud,ou=users,{{ openldap_domain }}
      uniqueMember: uid=bitwarden,ou=users,{{ openldap_domain }}
      uniqueMember: uid=gitea,ou=users,{{ openldap_domain }}
      uniqueMember: uid=wikijs,ou=users,{{ openldap_domain }}
      uniqueMember: uid=peertube,ou=users,{{ openldap_domain }}
      uniqueMember: uid=mastodon,ou=users,{{ openldap_domain }}

      dn: cn=users,ou=groups,{{ openldap_domain }}
      changetype: add
      objectClass: groupOfUniqueNames
      cn: users
      description: Simple users
      {% for user in openldap_simple_users %}
      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
      {% endfor %}
      {% for user in openldap_custom_users %}
      uniqueMember: uid={{ user.name }},ou=users,{{ openldap_domain }}
      {% endfor %}

  ## Persist data to a persistent volume
  persistence:
    enabled: true
    ## database data Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner. (gp2 on AWS, standard on
    ## GKE, AWS & OpenStack)
    ##
    storageClass: "{{ openldap_storage | default('nfs-ssd') }}"
    accessMode: "{{ openldap_storage_mode | default('ReadWriteMany') }}"
    size: "{{ openldap_size | default('8Gi') }}"
    # existingClaim: ""

  ## test container details
  test:
    enabled: false