diff --git a/README.md b/README.md
index d878d0e..55c5713 100644
--- a/README.md
+++ b/README.md
@@ -370,25 +370,26 @@ gitea:
 ### LDAP Settings
-Like the admin user the LDAP settings can be updated, but also disabled or deleted.
+Like the admin user the LDAP settings can be updated. All LDAP values from are available.
+Multiple LDAP sources can be configured with additional LDAP list items.
+
 ```yaml
 gitea:
 ldap:
- enabled: true
- name: 'MyAwesomeGiteaLdap'
- securityProtocol: unencrypted
- host: "127.0.0.1"
- port: "389"
- userSearchBase: ou=Users,dc=example,dc=com
- userFilter: sAMAccountName=%s
- adminFilter: CN=Admin,CN=Group,DC=example,DC=com
- emailAttribute: mail
- bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
- bindPassword: JustAnotherBindPw
- usernameAttribute: CN
- sshPublicKeyAttribute: sshPublicKey
+ - name: MyAwesomeGiteaLdap
+ securityProtocol: unencrypted
+ host: "127.0.0.1"
+ port: "389"
+ userSearchBase: ou=Users,dc=example,dc=com
+ userFilter: sAMAccountName=%s
+ adminFilter: CN=Admin,CN=Group,DC=example,DC=com
+ emailAttribute: mail
+ bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+ bindPassword: JustAnotherBindPw
+ usernameAttribute: CN
+ publicSSHKeyAttribute: publicSSHKey
 ```
 You can also use an existing secret to set the bindDn and bindPassword:
@@ -407,7 +408,8 @@ stringData:
 ```yaml
 gitea:
 ldap:
- existingSecret: gitea-ldap-secret
+ - existingSecret: gitea-ldap-secret
+ ...
 ```
 :warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 510f538..26c6aa0 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -108,21 +108,24 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "gitea.ldap_settings" -}}
-{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
-{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "bindDn") -}}
+{{- $_ := set $values "bindDn" "" -}}
 {{- end -}}
-{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
-{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- if not (hasKey $values "bindPassword") -}}
+{{- $_ := set $values "bindPassword" "" -}}
 {{- end -}}
 {{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
-{{- range $key, $val := .Values.gitea.ldap -}}
+{{- range $key, $val := $values -}}
 {{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
 {{- if eq $key "bindDn" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "bindPassword" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "port" -}}
 {{- printf "--%s %d " $key ($val | int) -}}
 {{- else if has $key $flags -}}
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
index 231d841..c40ef7b 100644
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
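Review bot: The new `$idx := index . 0` / `$values := index . 1` lines change the helper's calling convention without saying so, and any caller that still passes the root context will fail at render time on `index . 0`. Add a header comment above `{{- define "gitea.ldap_settings" -}}` stating that the argument is `(list $idx $value)`, that `--bind-dn`/`--bind-password` are emitted as references to `GITEA_LDAP_BIND_DN_<idx>` and `GITEA_LDAP_PASSWORD_<idx>` so the bind credential never appears in the rendered script, and that the statefulset must define env vars with the same index. Note too that `set $values "bindDn" ""` mutates the values entry in place; both the checksum annotation and the init script include this helper for the same entry, which is only safe because the mutation is idempotent. The branch that prints `$val` for the remaining keys is below the hunk, so whether those values are shell-quoted cannot be confirmed from here.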
@@ -84,24 +84,28 @@ stringData:
 configure_admin_user
 {{- end }}
- {{- if .Values.gitea.ldap.enabled }}
 function configure_ldap() {
- local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+ {{- if .Values.gitea.ldap }}
+ {{- range $idx, $value := .Values.gitea.ldap }}
+ local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
 local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
 if [[ -z "${GITEA_AUTH_ID}" ]]; then
 echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
- gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+ gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
 echo '...installed.'
 else
 echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
- gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+ gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
 echo '...sync settings done.'
 fi
+ {{- end }}
+ {{- else }}
+ echo 'no ldap configuration... skipping.'
+ {{- end }}
 }
 configure_ldap
- {{- end }}
 {{- if .Values.gitea.oauth.enabled }}
 function configure_oauth() {
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index b00fd93..1ddd529 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
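Review bot: `$value.name` on the new `local LDAP_NAME={{ (printf "%s" $value.name) | squote }}` line is the only thing that identifies a source (the `grep -E "\|${LDAP_NAME}\s+\|"` lookup decides between add-ldap and update-ldap), yet nothing checks it is set; an entry without `name` renders a placeholder string instead of failing, and two entries sharing a `name` silently update the same source. Fail at render time instead: `local LDAP_NAME={{ (printf "%s" (required "gitea.ldap[].name is required" $value.name)) | squote }}`. The `{{- if .Values.gitea.ldap }}` guard also does not distinguish the new list shape from the old map form (`ldap: {enabled: false, ...}`); a release upgraded with old values would `range` over the map's keys and hand scalars to `gitea.ldap_settings`, so a `{{- if not (kindIs "slice" .Values.gitea.ldap) }}{{ fail "gitea.ldap must be a list of sources" }}{{- end }}` check would turn that into a clear migration error. The same shape assumption is repeated in statefulset.yaml's `range` lines.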
@@ -17,7 +17,9 @@ spec:
 metadata:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
- checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
+ {{- range $idx, $value := .Values.gitea.ldap }}
+ checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
+ {{- end }}
 checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
 {{- with .Values.gitea.podAnnotations }}
 {{- toYaml . | nindent 8 }}
@@ -79,23 +81,25 @@ spec:
 value: /data
 - name: GITEA_TEMP
 value: /tmp/gitea
- {{- if .Values.gitea.ldap.enabled }}
- {{- if .Values.gitea.ldap.existingSecret }}
- - name: GITEA_LDAP_BIND_DN
+ {{- if .Values.gitea.ldap }}
+ {{- range $idx, $value := .Values.gitea.ldap }}
+ {{- if $value.existingSecret }}
+ - name: GITEA_LDAP_BIND_DN_{{ $idx }}
 valueFrom:
 secretKeyRef:
 key: bindDn
- name: {{ .Values.gitea.ldap.existingSecret }}
- - name: GITEA_LDAP_PASSWORD
+ name: {{ $value.existingSecret }}
+ - name: GITEA_LDAP_PASSWORD_{{ $idx }}
 valueFrom:
 secretKeyRef:
 key: bindPassword
- name: {{ .Values.gitea.ldap.existingSecret }}
+ name: {{ $value.existingSecret }}
 {{- else }}
- - name: GITEA_LDAP_BIND_DN
- value: {{ .Values.gitea.ldap.bindDn | quote }}
- - name: GITEA_LDAP_PASSWORD
- value: {{ .Values.gitea.ldap.bindPassword | quote }}
+ - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+ value: {{ $value.bindDn | quote }}
+ - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+ value: {{ $value.bindPassword | quote }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- if .Values.gitea.admin.existingSecret }}
diff --git a/values.yaml b/values.yaml
index 83a71f8..ee96232 100644
--- a/values.yaml
+++ b/values.yaml
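Review bot: In the second hunk's `{{- else }}` branch, the new `value: {{ $value.bindPassword | quote }}` line still writes the LDAP bind password in clear text into the StatefulSet pod spec, now once per list entry, where anyone who can read pods or statefulsets sees it; the behaviour predates this commit, but the list form makes it the default path for every additional source. A comment above the branch such as `# bindPassword is rendered into the pod spec in clear text; prefer existingSecret` would make the trade-off visible, and the values.yaml example could lead with `existingSecret`. The indexed names `GITEA_LDAP_BIND_DN_{{ $idx }}` / `GITEA_LDAP_PASSWORD_{{ $idx }}` are what `gitea.ldap_settings` expands in the init script, so both templates must keep ranging over `.Values.gitea.ldap` with the same index; that coupling deserves a one-line comment here as well. The `secretKeyRef` keys `bindDn` and `bindPassword` are hard-coded, which matches the secret layout the README documents.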
@@ -154,21 +154,20 @@ gitea:
 # additionalLabels:
 # prometheus-release: prom1
- ldap:
- enabled: false
- #existingSecret: gitea-ldap-secret
- #name:
- #securityProtocol:
- #host:
- #port:
- #userSearchBase:
- #userFilter:
- #adminFilter:
- #emailAttribute:
- #bindDn:
- #bindPassword:
- #usernameAttribute:
- #sshPublicKeyAttribute:
+ ldap: []
+ # - name: "LDAP 1"
+ # existingSecret:
+ # securityProtocol:
+ # host:
+ # port:
+ # userSearchBase:
+ # userFilter:
+ # adminFilter:
+ # emailAttribute:
+ # bindDn:
+ # bindPassword:
+ # usernameAttribute:
+ # publicSSHKeyAttribute:
 oauth:
 enabled: false
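Review bot: `ldap: []` turns the key from a map with an `enabled` flag into a list, but nothing in the file says so, and a values file from an earlier release (`ldap: {enabled: false}`) is no longer a shape the templates that `range` over it accept. Add a comment above it, e.g. `# List of LDAP sources; each entry needs a unique name. Replaces the former map form with its enabled flag.` The commented example lists `existingSecret:` alongside `bindDn:`/`bindPassword:` without saying which wins; the statefulset uses the secret whenever `existingSecret` is set and ignores the inline values, so note that on the `existingSecret:` line (`# takes precedence over bindDn/bindPassword below`). Since the inline form ends up in the pod spec, the example should also steer readers toward `existingSecret` as the recommended way to supply the bind credential.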