kanidm: bump to 1.8.5, helm chart 0.2.7

kanidm/templates/configmap.yaml

@@ -10,18 +10,22 @@ data:
     version = "2"
     #   The webserver bind address. Requires TLS certificates.
     #   If the port is set to 443 you may require the
-    #   NET_BIND_SERVICE capability.
+    #   NET_BIND_SERVICE capability. This accepts a single address
+    #   or an array of addresses to listen on.
     #   Defaults to "127.0.0.1:8443"
     bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
+    # bindaddress = ["[::]:443", "0.0.0.0:443"]
     #
     #   The read-only ldap server bind address. Requires
-    #   TLS certificates. If set to 636 you may require
-    #   the NET_BIND_SERVICE capability.
+    #   TLS certificates. If set to 636 you may require the
+    #   NET_BIND_SERVICE capability. This accepts a single address
+    #   or an array of addresses to listen on.
     #   Defaults to "" (disabled)
     {{- if .Values.kanidmLdap.enabled }}
     dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
     {{- else }}
-    # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
+    # ldapbindaddress = "[::]:636"
+    # ldapbindaddress = ["[::]:636", "0.0.0.0:636"]
     {{- end }}
     #
     #   The path to the kanidm database.
@@ -94,30 +98,47 @@ data:
     #   not consistent, the server WILL refuse to start!
     #   origin = "https://idm.example.com"
     origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
-    #
+
     #   HTTPS requests can be reverse proxied by a loadbalancer.
     #   To preserve the original IP of the caller, these systems
     #   will often add a header such as "Forwarded" or
     #   "X-Forwarded-For". Some other proxies can use the PROXY
-    #   protocol v2 header.
-    #   This setting allows configuration of the range of trusted
-    #   IPs which can supply this header information, and which
-    #   format the information is provided in.
+    #   protocol v2 header. While we support the PROXY protocol
+    #   v1 header, we STRONGLY discourage it's use as it has
+    #   significantly greater overheads compared to v2 during
+    #   processing.
+    #   This setting allows configuration of the list of trusted
+    #   IPs or IP ranges which can supply this header information,
+    #   and which format the information is provided in.
     #   Defaults to "none" (no trusted sources)
     #   Only one option can be used at a time.
     # [http_client_address_info]
-    # proxy-v2 = ["127.0.0.1"]
+    # proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
     #   # OR
-    # x-forward-for = ["127.0.0.1"]
+    # [http_client_address_info]
+    # x-forward-for = ["127.0.0.1", "127.0.0.0/8"]
+    #   # OR
+    # [http_client_address_info]
+    # # AVOID IF POSSIBLE!!!
+    # proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
     #   LDAPS requests can be reverse proxied by a loadbalancer.
     #   To preserve the original IP of the caller, these systems
     #   can add a header such as the PROXY protocol v2 header.
-    #   This setting allows configuration of the range of trusted
-    #   IPs which can supply this header information, and which
-    #   format the information is provided in.
+    #   While we support the PROXY protocol v1 header, we STRONGLY
+    #   discourage it's use as it has significantly greater
+    #   overheads compared to v2 during processing.
+    #   This setting allows configuration of the list of trusted
+    #   IPs or IP ranges which can supply this header information,
+    #   and which format the information is provided in.
     #   Defaults to "none" (no trusted sources)
     # [ldap_client_address_info]
-    # proxy-v2 = ["127.0.0.1"]
+    # proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
+    #   # OR
+    # [ldap_client_address_info]
+    # # AVOID IF POSSIBLE!!!
+    # proxy-v1 = ["127.0.0.1", "127.0.0.0/8"]
+
     {{- if .Values.kanidmOnlineBackup.enabled }}
     [online_backup]
     #   The path to the output folder for online backups