lunny/helm-chart
1
0
Fork 0
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

Add multiple LDAP sources (#222)

Browse Source 
Add multiple add sources.

Instead of a single entry for ldap configuration we now would have a dictionary for ldap config.

This would be a breaking change for those working with the ldap config.

fixes: #190

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/222
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
This commit is contained in:
luhahn 2021-10-08 20:16:24 +08:00
parent b344673d11
commit 3273b245e7
5 changed files with 65 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
README.md
View File

@ -370,25 +370,26 @@ gitea:
### LDAP Settings
Like the admin user the LDAP settings can be updated, but also disabled or deleted.
Like the admin user the LDAP settings can be updated.
All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items.
```yaml
gitea:
ldap:
enabled: true
name: 'MyAwesomeGiteaLdap'
securityProtocol: unencrypted
host: "127.0.0.1"
port: "389"
userSearchBase: ou=Users,dc=example,dc=com
userFilter: sAMAccountName=%s
adminFilter: CN=Admin,CN=Group,DC=example,DC=com
emailAttribute: mail
bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
bindPassword: JustAnotherBindPw
usernameAttribute: CN
sshPublicKeyAttribute: sshPublicKey
- name: MyAwesomeGiteaLdap
securityProtocol: unencrypted
host: "127.0.0.1"
port: "389"
userSearchBase: ou=Users,dc=example,dc=com
userFilter: sAMAccountName=%s
adminFilter: CN=Admin,CN=Group,DC=example,DC=com
emailAttribute: mail
bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
bindPassword: JustAnotherBindPw
usernameAttribute: CN
publicSSHKeyAttribute: publicSSHKey
```
You can also use an existing secret to set the bindDn and bindPassword:
@ -407,7 +408,8 @@ stringData:
```yaml
gitea:
ldap:
existingSecret: gitea-ldap-secret
- existingSecret: gitea-ldap-secret
...
```
:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:

17
templates/_helpers.tpl
View File

@ -108,21 +108,24 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "gitea.ldap_settings" -}}
{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
{{- $idx := index . 0 }}
{{- $values := index . 1 }}
{{- if not (hasKey $values "bindDn") -}}
{{- $_ := set $values "bindDn" "" -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
{{- if not (hasKey $values "bindPassword") -}}
{{- $_ := set $values "bindPassword" "" -}}
{{- end -}}
{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
{{- range $key, $val := .Values.gitea.ldap -}}
{{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- if eq $key "bindDn" -}}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
{{- else if eq $key "bindPassword" -}}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
{{- else if eq $key "port" -}}
{{- printf "--%s %d " $key ($val | int) -}}
{{- else if has $key $flags -}}

14
templates/gitea/init.yaml
View File

@ -84,24 +84,28 @@ stringData:
configure_admin_user
{{- end }}
{{- if .Values.gitea.ldap.enabled }}
function configure_ldap() {
local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
{{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }}
local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
echo '...installed.'
else
echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
echo '...sync settings done.'
fi
{{- end }}
{{- else }}
echo 'no ldap configuration... skipping.'
{{- end }}
}
configure_ldap
{{- end }}
{{- if .Values.gitea.oauth.enabled }}
function configure_oauth() {

26
templates/gitea/statefulset.yaml
View File

@ -17,7 +17,9 @@ spec:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
{{- range $idx, $value := .Values.gitea.ldap }}
checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
{{- end }}
checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
{{- with .Values.gitea.podAnnotations }}
{{- toYaml . | nindent 8 }}
@ -79,23 +81,25 @@ spec:
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
{{- if .Values.gitea.ldap.enabled }}
{{- if .Values.gitea.ldap.existingSecret }}
- name: GITEA_LDAP_BIND_DN
{{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }}
{{- if $value.existingSecret }}
- name: GITEA_LDAP_BIND_DN_{{ $idx }}
valueFrom:
secretKeyRef:
key: bindDn
name: {{ .Values.gitea.ldap.existingSecret }}
- name: GITEA_LDAP_PASSWORD
name: {{ $value.existingSecret }}
- name: GITEA_LDAP_PASSWORD_{{ $idx }}
valueFrom:
secretKeyRef:
key: bindPassword
name: {{ .Values.gitea.ldap.existingSecret }}
name: {{ $value.existingSecret }}
{{- else }}
- name: GITEA_LDAP_BIND_DN
value: {{ .Values.gitea.ldap.bindDn | quote }}
- name: GITEA_LDAP_PASSWORD
value: {{ .Values.gitea.ldap.bindPassword | quote }}
- name: GITEA_LDAP_BIND_DN_{{ $idx }}
value: {{ $value.bindDn | quote }}
- name: GITEA_LDAP_PASSWORD_{{ $idx }}
value: {{ $value.bindPassword | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.gitea.admin.existingSecret }}

29
values.yaml
View File

@ -154,21 +154,20 @@ gitea:
# additionalLabels:
# prometheus-release: prom1
ldap:
enabled: false
#existingSecret: gitea-ldap-secret
#name:
#securityProtocol:
#host:
#port:
#userSearchBase:
#userFilter:
#adminFilter:
#emailAttribute:
#bindDn:
#bindPassword:
#usernameAttribute:
#sshPublicKeyAttribute:
ldap: []
# - name: "LDAP 1"
# existingSecret:
# securityProtocol:
# host:
# port:
# userSearchBase:
# userFilter:
# adminFilter:
# emailAttribute:
# bindDn:
# bindPassword:
# usernameAttribute:
# publicSSHKeyAttribute:
oauth:
enabled: false