ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kanidm: bump to v1.6.2, helm chart v0.2.0

Browse Source
This commit is contained in:
ace
2025-05-13 00:12:33 +03:00
parent 77c2028150
commit c0ad9437b2
5 changed files with 51 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
kanidm/Chart.yaml
View File

@@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0 version: 0.2.0
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using. # follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes. # It is recommended to use it with quotes.
appVersion: "1.16.0" appVersion: "1.6.2"

41
kanidm/templates/configmap.yaml
View File

@@ -6,32 +6,24 @@ metadata:
{{- include "kanidm.labels" . | nindent 4 }} {{- include "kanidm.labels" . | nindent 4 }}
data: data:
server.toml: | server.toml: |
# The server configuration file version.
version = "2"
# The webserver bind address. Requires TLS certificates. # The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the # If the port is set to 443 you may require the
# NET_BIND_SERVICE capability. # NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443" # Defaults to "127.0.0.1:8443"
bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}" bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
# #
{{- if .Values.kanidmLdap.enabled }}
# The read-only ldap server bind address. Requires # The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require # TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability. # the NET_BIND_SERVICE capability.
# Defaults to "" (disabled) # Defaults to "" (disabled)
dapbindaddress = "{{ .Values.kanidmLdap.dapbindaddress }}" {{- if .Values.kanidmLdap.enabled }}
dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- else }} {{- else }}
# ldapbindaddress = "[::]:3636" # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
{{- end }} {{- end }}
# #
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". If set to true, then this header is
# respected as the "authoritative" source of the IP of the
# connected client. If you are not using a load balancer
# then you should leave this value as default.
# Defaults to false
trust_x_forward_for = {{ .Values.kanidm.trust_x_forward_for }}
#
# The path to the kanidm database. # The path to the kanidm database.
db_path = "{{ .Values.kanidm.db_path }}" db_path = "{{ .Values.kanidm.db_path }}"
# #
@@ -103,6 +95,29 @@ data:
# origin = "https://idm.example.com" # origin = "https://idm.example.com"
origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}" origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
# #
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# # OR
# x-forward-for = ["127.0.0.1"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
{{- if .Values.kanidmOnlineBackup.enabled }} {{- if .Values.kanidmOnlineBackup.enabled }}
[online_backup] [online_backup]
# The path to the output folder for online backups # The path to the output folder for online backups

13
kanidm/templates/deployment.yaml
View File

@@ -60,16 +60,20 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }} {{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command: command:
- bash - sh
- -c - -c
- | - |
zypper install -y gawk kubernetes-client
/sbin/kanidmd server -c /data/server.toml & /sbin/kanidmd server -c /data/server.toml &
serverPID=$! serverPID=$!
until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
printf '.' printf '.'
sleep 5 sleep 5
done done
echo "##### Start domain upgrade-check"
/sbin/kanidmd domain upgrade-check
echo "##### Done domain upgrade-check"
ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}') ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}') IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
kill $serverPID kill $serverPID
@@ -95,6 +99,11 @@ spec:
- name: http - name: http
containerPort: {{ .Values.service.port }} containerPort: {{ .Values.service.port }}
protocol: TCP protocol: TCP
{{- if .Values.kanidmLdap.enabled }}
- name: ldap
containerPort: {{ .Values.service.ldap }}
protocol: TCP
{{- end }}
livenessProbe: livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }} {{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe: readinessProbe:

6
kanidm/templates/service.yaml
View File

@@ -11,5 +11,11 @@ spec:
targetPort: http targetPort: http
protocol: TCP protocol: TCP
name: http name: http
{{- if .Values.kanidmLdap.enabled }}
- port: {{ .Values.service.ldap }}
targetPort: ldap
protocol: TCP
name: ldap
{{- end }}
selector: selector:
{{- include "kanidm.selectorLabels" . | nindent 4 }} {{- include "kanidm.selectorLabels" . | nindent 4 }}

8
kanidm/values.yaml
View File

@@ -8,10 +8,10 @@ strategy:
type: Recreate type: Recreate
image: image:
repository: docker.io/kanidm/server repository: gitea.geekhome.org/ghp/kanidm
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
tag: "1.5.0" tag: "1.6.2-1"
imagePullSecrets: [] imagePullSecrets: []
nameOverride: "" nameOverride: ""
@@ -21,7 +21,6 @@ kanidm:
bindaddress: "[::]:{{ .Values.service.port }}" bindaddress: "[::]:{{ .Values.service.port }}"
domain: "idm.example.com" domain: "idm.example.com"
#origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}" #origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
trust_x_forward_for: true
db_path: "/data/kanidm.db" db_path: "/data/kanidm.db"
#db_fs_type: "zfs" #db_fs_type: "zfs"
#db_arc_size: "2048" #db_arc_size: "2048"
@@ -31,7 +30,7 @@ kanidm:
kanidmLdap: kanidmLdap:
enabled: false enabled: false
dapbindaddress: "[::]:3636" dapbindaddress: "[::]:{{ .Values.service.ldap }}"
kanidmOnlineBackup: kanidmOnlineBackup:
enabled: true enabled: true
@@ -67,6 +66,7 @@ securityContext: {}
service: service:
type: ClusterIP type: ClusterIP
port: 443 port: 443
ldap: 636
ingress: ingress:
enabled: false enabled: false