kanidm: bump to v1.6.2, helm chart v0.2.0

kanidm/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.6.2"

kanidm/templates/configmap.yaml

@@ -6,32 +6,24 @@ metadata:
     {{- include "kanidm.labels" . | nindent 4 }}
 data: 
   server.toml: |
+    # The server configuration file version.
+    version = "2"
     #   The webserver bind address. Requires TLS certificates.
     #   If the port is set to 443 you may require the
     #   NET_BIND_SERVICE capability.
     #   Defaults to "127.0.0.1:8443"
     bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
     #
-    {{- if .Values.kanidmLdap.enabled }}
     #   The read-only ldap server bind address. Requires
     #   TLS certificates. If set to 636 you may require
     #   the NET_BIND_SERVICE capability.
     #   Defaults to "" (disabled)
-    dapbindaddress = "{{ .Values.kanidmLdap.dapbindaddress }}"
+    {{- if .Values.kanidmLdap.enabled }}
+    dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
     {{- else }}
-    # ldapbindaddress = "[::]:3636"
+    # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
     {{- end }}
     #
-    #   HTTPS requests can be reverse proxied by a loadbalancer.
-    #   To preserve the original IP of the caller, these systems
-    #   will often add a header such as "Forwarded" or
-    #   "X-Forwarded-For". If set to true, then this header is
-    #   respected as the "authoritative" source of the IP of the
-    #   connected client. If you are not using a load balancer
-    #   then you should leave this value as default.
-    #   Defaults to false
-    trust_x_forward_for = {{ .Values.kanidm.trust_x_forward_for }}
-    #
     #   The path to the kanidm database.
     db_path = "{{ .Values.kanidm.db_path }}"
     #
@@ -103,6 +95,29 @@ data:
     #   origin = "https://idm.example.com"
     origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
     #
+    #   HTTPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   will often add a header such as "Forwarded" or
+    #   "X-Forwarded-For". Some other proxies can use the PROXY
+    #   protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    #   Only one option can be used at a time.
+    # [http_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
+    #   # OR
+    # x-forward-for = ["127.0.0.1"]
+    #   LDAPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   can add a header such as the PROXY protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    # [ldap_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
     {{- if .Values.kanidmOnlineBackup.enabled }}
     [online_backup]
     #   The path to the output folder for online backups

kanidm/templates/deployment.yaml

@@ -60,16 +60,20 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           command:
-            - bash
+            - sh
             - -c
             - |
-              zypper install -y gawk kubernetes-client
               /sbin/kanidmd server -c /data/server.toml &
               serverPID=$!
               until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
                 printf '.'
                 sleep 5
               done
+
+              echo "##### Start domain upgrade-check"
+              /sbin/kanidmd domain upgrade-check
+              echo "##### Done domain upgrade-check"
+
               ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
               IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
               kill $serverPID
@@ -95,6 +99,11 @@ spec:
             - name: http
               containerPort: {{ .Values.service.port }}
               protocol: TCP
+          {{- if .Values.kanidmLdap.enabled }}
+            - name: ldap
+              containerPort: {{ .Values.service.ldap }}
+              protocol: TCP
+          {{- end }}
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:

kanidm/templates/service.yaml

@@ -11,5 +11,11 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+    {{- if .Values.kanidmLdap.enabled }}
+    - port: {{ .Values.service.ldap }}
+      targetPort: ldap
+      protocol: TCP
+      name: ldap
+    {{- end }}
   selector:
     {{- include "kanidm.selectorLabels" . | nindent 4 }}

kanidm/values.yaml

@@ -8,10 +8,10 @@ strategy:
   type: Recreate
 
 image:
-  repository: docker.io/kanidm/server
+  repository: gitea.geekhome.org/ghp/kanidm
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "1.5.0"
+  tag: "1.6.2-1"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -21,7 +21,6 @@ kanidm:
   bindaddress: "[::]:{{ .Values.service.port }}"
   domain: "idm.example.com"
   #origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
-  trust_x_forward_for: true
   db_path: "/data/kanidm.db"
   #db_fs_type: "zfs"
   #db_arc_size: "2048"
@@ -31,7 +30,7 @@ kanidm:
 
 kanidmLdap:
   enabled: false
-  dapbindaddress: "[::]:3636"
+  dapbindaddress: "[::]:{{ .Values.service.ldap }}"
 
 kanidmOnlineBackup:
   enabled: true
@@ -67,6 +66,7 @@ securityContext: {}
 service:
   type: ClusterIP
   port: 443
+  ldap: 636
 
 ingress:
   enabled: false