kanidm: bump to v1.6.2, helm chart v0.2.0

2025-05-13 00:12:33 +03:00
parent 77c2028150
commit c0ad9437b2
5 changed files with 51 additions and 21 deletions
--- a/kanidm/templates/configmap.yaml
+++ b/kanidm/templates/configmap.yaml
@ -6,32 +6,24 @@ metadata:
    {{- include "kanidm.labels" . | nindent 4 }}
 data: 
  server.toml: |
+    # The server configuration file version.
+    version = "2"
    #   The webserver bind address. Requires TLS certificates.
    #   If the port is set to 443 you may require the
    #   NET_BIND_SERVICE capability.
    #   Defaults to "127.0.0.1:8443"
    bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
    #
-    {{- if .Values.kanidmLdap.enabled }}
    #   The read-only ldap server bind address. Requires
    #   TLS certificates. If set to 636 you may require
    #   the NET_BIND_SERVICE capability.
    #   Defaults to "" (disabled)
-    dapbindaddress = "{{ .Values.kanidmLdap.dapbindaddress }}"
+    {{- if .Values.kanidmLdap.enabled }}
+    dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
    {{- else }}
-    # ldapbindaddress = "[::]:3636"
+    # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
    {{- end }}
    #
-    #   HTTPS requests can be reverse proxied by a loadbalancer.
-    #   To preserve the original IP of the caller, these systems
-    #   will often add a header such as "Forwarded" or
-    #   "X-Forwarded-For". If set to true, then this header is
-    #   respected as the "authoritative" source of the IP of the
-    #   connected client. If you are not using a load balancer
-    #   then you should leave this value as default.
-    #   Defaults to false
-    trust_x_forward_for = {{ .Values.kanidm.trust_x_forward_for }}
-    #
    #   The path to the kanidm database.
    db_path = "{{ .Values.kanidm.db_path }}"
    #
@ -103,6 +95,29 @@ data:
    #   origin = "https://idm.example.com"
    origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
    #
+    #   HTTPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   will often add a header such as "Forwarded" or
+    #   "X-Forwarded-For". Some other proxies can use the PROXY
+    #   protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    #   Only one option can be used at a time.
+    # [http_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
+    #   # OR
+    # x-forward-for = ["127.0.0.1"]
+    #   LDAPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   can add a header such as the PROXY protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    # [ldap_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
    {{- if .Values.kanidmOnlineBackup.enabled }}
    [online_backup]
    #   The path to the output folder for online backups