kanidm: bump to v1.6.2, helm chart v0.2.0

2025-05-13 00:12:33 +03:00 · 2025-05-13 00:12:33 +03:00 · c0ad9437b2
commit c0ad9437b2
parent 77c2028150
5 changed files with 51 additions and 21 deletions
--- a/kanidm/Chart.yaml
+++ b/kanidm/Chart.yaml
@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "1.6.2"
--- a/kanidm/templates/configmap.yaml
+++ b/kanidm/templates/configmap.yaml
@ -6,32 +6,24 @@ metadata:
    {{- include "kanidm.labels" . | nindent 4 }}
 data: 
  server.toml: |
+    # The server configuration file version.
+    version = "2"
    #   The webserver bind address. Requires TLS certificates.
    #   If the port is set to 443 you may require the
    #   NET_BIND_SERVICE capability.
    #   Defaults to "127.0.0.1:8443"
    bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
    #
-    {{- if .Values.kanidmLdap.enabled }}
    #   The read-only ldap server bind address. Requires
    #   TLS certificates. If set to 636 you may require
    #   the NET_BIND_SERVICE capability.
    #   Defaults to "" (disabled)
-    dapbindaddress = "{{ .Values.kanidmLdap.dapbindaddress }}"
+    {{- if .Values.kanidmLdap.enabled }}
+    dapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
    {{- else }}
-    # ldapbindaddress = "[::]:3636"
+    # ldapbindaddress = "{{ tpl .Values.kanidmLdap.dapbindaddress $ }}"
    {{- end }}
    #
-    #   HTTPS requests can be reverse proxied by a loadbalancer.
-    #   To preserve the original IP of the caller, these systems
-    #   will often add a header such as "Forwarded" or
-    #   "X-Forwarded-For". If set to true, then this header is
-    #   respected as the "authoritative" source of the IP of the
-    #   connected client. If you are not using a load balancer
-    #   then you should leave this value as default.
-    #   Defaults to false
-    trust_x_forward_for = {{ .Values.kanidm.trust_x_forward_for }}
-    #
    #   The path to the kanidm database.
    db_path = "{{ .Values.kanidm.db_path }}"
    #
@ -103,6 +95,29 @@ data:
    #   origin = "https://idm.example.com"
    origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
    #
+    #   HTTPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   will often add a header such as "Forwarded" or
+    #   "X-Forwarded-For". Some other proxies can use the PROXY
+    #   protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    #   Only one option can be used at a time.
+    # [http_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
+    #   # OR
+    # x-forward-for = ["127.0.0.1"]
+    #   LDAPS requests can be reverse proxied by a loadbalancer.
+    #   To preserve the original IP of the caller, these systems
+    #   can add a header such as the PROXY protocol v2 header.
+    #   This setting allows configuration of the range of trusted
+    #   IPs which can supply this header information, and which
+    #   format the information is provided in.
+    #   Defaults to "none" (no trusted sources)
+    # [ldap_client_address_info]
+    # proxy-v2 = ["127.0.0.1"]
    {{- if .Values.kanidmOnlineBackup.enabled }}
    [online_backup]
    #   The path to the output folder for online backups
--- a/kanidm/templates/deployment.yaml
+++ b/kanidm/templates/deployment.yaml
@ -60,16 +60,20 @@ spec:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          command:
-            - bash
+            - sh
            - -c
            - |
-              zypper install -y gawk kubernetes-client
              /sbin/kanidmd server -c /data/server.toml &
              serverPID=$!
              until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
                printf '.'
                sleep 5
              done
+
+              echo "##### Start domain upgrade-check"
+              /sbin/kanidmd domain upgrade-check
+              echo "##### Done domain upgrade-check"
+
              ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
              IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
              kill $serverPID
@ -95,6 +99,11 @@ spec:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
+          {{- if .Values.kanidmLdap.enabled }}
+            - name: ldap
+              containerPort: {{ .Values.service.ldap }}
+              protocol: TCP
+          {{- end }}
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
--- a/kanidm/templates/service.yaml
+++ b/kanidm/templates/service.yaml
@ -11,5 +11,11 @@ spec:
      targetPort: http
      protocol: TCP
      name: http
+    {{- if .Values.kanidmLdap.enabled }}
+    - port: {{ .Values.service.ldap }}
+      targetPort: ldap
+      protocol: TCP
+      name: ldap
+    {{- end }}
  selector:
    {{- include "kanidm.selectorLabels" . | nindent 4 }}
--- a/kanidm/values.yaml
+++ b/kanidm/values.yaml
@ -8,10 +8,10 @@ strategy:
  type: Recreate

 image:
-  repository: docker.io/kanidm/server
+  repository: gitea.geekhome.org/ghp/kanidm
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
-  tag: "1.5.0"
+  tag: "1.6.2-1"

 imagePullSecrets: []
 nameOverride: ""
@ -21,7 +21,6 @@ kanidm:
  bindaddress: "[::]:{{ .Values.service.port }}"
  domain: "idm.example.com"
  #origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
-  trust_x_forward_for: true
  db_path: "/data/kanidm.db"
  #db_fs_type: "zfs"
  #db_arc_size: "2048"
@ -31,7 +30,7 @@ kanidm:

 kanidmLdap:
  enabled: false
-  dapbindaddress: "[::]:3636"
+  dapbindaddress: "[::]:{{ .Values.service.ldap }}"

 kanidmOnlineBackup:
  enabled: true
@ -67,6 +66,7 @@ securityContext: {}
 service:
  type: ClusterIP
  port: 443
+  ldap: 636

 ingress:
  enabled: false