From 5f8e1832865db83ddfae8a63b0ca69ae2a9aface Mon Sep 17 00:00:00 2001
From: ace
Date: Sat, 3 Jan 2026 22:34:31 +0300
Subject: [PATCH] kanidm: bump to 1.8.5, helm chart 0.2.7

---
 kanidm/Chart.yaml | 4 +-
 kanidm/templates/configmap.yaml | 51 +++++++++++++++++++++++----------
 kanidm/values.yaml | 2 +-
 3 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/kanidm/Chart.yaml b/kanidm/Chart.yaml
index 4eb8777..2cd1e74 100644
--- a/kanidm/Chart.yaml
+++ b/kanidm/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.7
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.7.4"
+appVersion: "1.8.5"
diff --git a/kanidm/templates/configmap.yaml b/kanidm/templates/configmap.yaml
index 59d076f..d1c92f8 100644
--- a/kanidm/templates/configmap.yaml
+++ b/kanidm/templates/configmap.yaml
@@ -10,18 +10,22 @@ data:
 version = "2"
 # The webserver bind address. Requires TLS certificates.
 # If the port is set to 443 you may require the
- # NET_BIND_SERVICE capability.
+ # NET_BIND_SERVICE capability. This accepts a single address
+ # or an array of addresses to listen on.
 # Defaults to "127.0.0.1:8443"
 bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
+ # bindaddress = ["[::]:443", "0.0.0.0:443"]
 #
 # The read-only ldap server bind address. Requires
- # TLS certificates. If set to 636 you may require
- # the NET_BIND_SERVICE capability.
+ # TLS certificates. If set to 636 you may require the
+ # NET_BIND_SERVICE capability. This accepts a single address
+ # or an array of addresses to listen on.
 # Defaults to "" (disabled)
 {{- if .Values.kanidmLdap.enabled }}
 dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
 {{- else }}
- # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
+ # ldapbindaddress = "[::]:636"
+ # ldapbindaddress = ["[::]:636", "0.0.0.0:636"]
 {{- end }}
 #
 # The path to the kanidm database.
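Review bot: The new comments advertise the array form (`# bindaddress = ["[::]:443", "0.0.0.0:443"]`, `# ldapbindaddress = ["[::]:636", "0.0.0.0:636"]`), but the template lines that actually render the setting, `bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"` and the ldap one, wrap whatever value is supplied in double quotes, so a list given in values renders as a malformed string rather than a TOML array. Either document the limit next to the example, e.g. `# NOTE: via values only a single address is supported; the array form requires overriding this template.`, or render lists through a Helm function that emits a TOML-compatible array. Separately, the context line in the enabled branch reads `dapbindaddress = ...` here while the commented examples and the kanidm key are `ldapbindaddress`; if that is not an artefact of how this page was captured, enabling `kanidmLdap.enabled` writes a key kanidm does not recognise and LDAP stays disabled, and the values key `kanidmLdap.dapbindaddress` carries the same dropped letter. The enclosing `data:` block starts and ends outside this hunk.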
@@ -94,30 +98,47 @@ data:
 # not consistent, the server WILL refuse to start!
 # origin = "https://idm.example.com"
 origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
- #
+ # HTTPS requests can be reverse proxied by a loadbalancer.
 # To preserve the original IP of the caller, these systems
 # will often add a header such as "Forwarded" or
 # "X-Forwarded-For". Some other proxies can use the PROXY
- # protocol v2 header.
- # This setting allows configuration of the range of trusted
- # IPs which can supply this header information, and which
- # format the information is provided in.
+ # protocol v2 header. While we support the PROXY protocol
+ # v1 header, we STRONGLY discourage it's use as it has
+ # significantly greater overheads compared to v2 during
+ # processing.
+ # This setting allows configuration of the list of trusted
+ # IPs or IP ranges which can supply this header information,
+ # and which format the information is provided in.
 # Defaults to "none" (no trusted sources)
 # Only one option can be used at a time.
 # [http_client_address_info]
- # proxy-v2 = ["127.0.0.1"]
+ # proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
 #
 # OR
- # x-forward-for = ["127.0.0.1"]
+ # [http_client_address_info]
+ # x-forward-for = ["127.0.0.1", "127.0.0.0/8"]
+ # # OR
+ # [http_client_address_info]
+ # # AVOID IF POSSIBLE!!!
+ # proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
 # LDAPS requests can be reverse proxied by a loadbalancer.
 # To preserve the original IP of the caller, these systems
 # can add a header such as the PROXY protocol v2 header.
- # This setting allows configuration of the range of trusted
- # IPs which can supply this header information, and which
- # format the information is provided in.
+ # While we support the PROXY protocol v1 header, we STRONGLY
+ # discourage it's use as it has significantly greater
+ # overheads compared to v2 during processing.
+ # This setting allows configuration of the list of trusted
+ # IPs or IP ranges which can supply this header information,
+ # and which format the information is provided in.
 # Defaults to "none" (no trusted sources)
 # [ldap_client_address_info]
- # proxy-v2 = ["127.0.0.1"]
+ # proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
+ # # OR
+ # [ldap_client_address_info]
+ # # AVOID IF POSSIBLE!!!
+ # proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
 {{- if .Values.kanidmOnlineBackup.enabled }}
 [online_backup]
 # The path to the output folder for online backups
diff --git a/kanidm/values.yaml b/kanidm/values.yaml
index 09e4bbf..e5e282e 100644
--- a/kanidm/values.yaml
+++ b/kanidm/values.yaml
@@ -11,7 +11,7 @@ image:
 repository: gitea.geekhome.org/ghp/kanidm
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "1.7.4-1"
+ tag: "1.8.5-1"
 
 imagePullSecrets: []
 nameOverride: ""
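Review bot: The hunk only refreshes commentary around `[http_client_address_info]` and `[ldap_client_address_info]`; the chart still exposes no values key for either, so a deployment behind an ingress or LoadBalancer keeps the default of no trusted sources and kanidm records the proxy's address as the client in its logs and any per-client decisions. The loopback examples (`"127.0.0.1"`, `"127.0.0.0/8"`) are also not what a pod sees from a cluster ingress, so they are unlikely to be copied usefully here; a values-driven block, e.g. `{{- with .Values.kanidm.httpClientAddressInfo }}` rendering the chosen key and list, would let operators set it, and the accompanying comment should stress keeping the list to the proxy's actual addresses, since any source in it can assert an arbitrary client IP. Minor wording in both new paragraphs: `it's use` should be `its use`, unless the text is meant to track the upstream example file verbatim. The enclosing `data:` block starts and ends outside this hunk.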