Merge pull request #133 from LiquidPL/main

djjudas21 · web-flow · commit 08f3f2e631a6 · 2025-04-07T17:04:43.000+01:00
[lldap] allow specifying app and database credentials as external secrets
diff --git a/charts/lldap/Chart.yaml b/charts/lldap/Chart.yaml
@@ -8,7 +8,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.3
+version: 0.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/lldap/templates/_helpers.tpl b/charts/lldap/templates/_helpers.tpl
@@ -61,6 +61,13 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the credentials secret
+*/}}
+{{- define "lldap.credentialsSecretName" -}}
+{{ .Values.lldap.secretName | default (printf "%s-credentials" (include "lldap.fullname" .)) }}
+{{- end }}
+
 {{/*
 Build database connection strings as templates
 */}}
@@ -75,4 +82,4 @@ mysql://{{- .Values.mariadb.auth.username -}}:{{- .Values.mariadb.auth.password
 {{- end }}
 {{- define "lldap.externalMariadbConnectString" -}}
 mysql://{{- .Values.externalMariadb.auth.username -}}:{{- .Values.externalMariadb.auth.password -}}@{{- .Values.externalMariadb.auth.host -}}:{{- .Values.externalMariadb.auth.port -}}/{{- .Values.externalMariadb.auth.database -}}
-{{- end }}
+{{- end }}
diff --git a/charts/lldap/templates/bootstrap-job.yaml b/charts/lldap/templates/bootstrap-job.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ include "lldap.fullname" . }}-bootstrap
   # Next annotations are required if the job managed by Argo CD,
   # so Argo CD can relaunch the job on every app sync action
-  annotations: 
+  annotations:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
@@ -23,10 +23,10 @@ spec:
             - name: LLDAP_ADMIN_USERNAME
               value: "{{ .Values.lldap.ldapUserDN }}"
             - name: LLDAP_ADMIN_PASSWORD
-              valueFrom: 
-                secretKeyRef: 
-                  name: {{ include "lldap.fullname" . }}-credentials
-                  key: ldapUserPass
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lldap.credentialsSecretName" . }}
+                  key: {{ .Values.lldap.ldapUserPassKey }}
             - name: DO_CLEANUP
               value: "{{ .Values.bootstrap.cleanup }}"
           volumeMounts:
diff --git a/charts/lldap/templates/deployment.yaml b/charts/lldap/templates/deployment.yaml
@@ -59,22 +59,32 @@ spec:
             - name: LLDAP_HTTP_PORT
               value: "{{ .Values.service.http.port }}"
             - name: LLDAP_JWT_SECRET
-              valueFrom: 
-                secretKeyRef: 
-                  name: {{ include "lldap.fullname" . }}-credentials
-                  key: jwtSecret
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lldap.credentialsSecretName" . }}
+                  key: {{ .Values.lldap.jwtSecretKey }}
             - name: LLDAP_LDAP_USER_PASS
-              valueFrom: 
-                secretKeyRef: 
-                  name: {{ include "lldap.fullname" . }}-credentials
-                  key: ldapUserPass
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lldap.credentialsSecretName" . }}
+                  key: {{ .Values.lldap.ldapUserPassKey }}
             - name: LLDAP_DATABASE_URL
             {{- if .Values.postgresql.enabled }}
               value: {{ include "lldap.postgresConnectString" . | quote }}
+            {{- else if and .Values.externalPostgresql.enabled .Values.externalPostgresql.fromSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.externalPostgresql.fromSecret }}
+                  key: {{ .Values.externalPostgresql.uriKey }}
             {{- else if .Values.externalPostgresql.enabled }}
               value: {{ include "lldap.externalPostgresConnectString" . | quote }}
             {{- else if .Values.mariadb.enabled }}
               value: {{ include "lldap.mariadbConnectString" . | quote }}
+            {{- else if and .Values.externalMariadb.enabled .Values.externalMariadb.fromSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.externalMariadb.fromSecret }}
+                  key: {{ .Values.externalMariadb.uriKey }}
             {{- else if .Values.externalMariadb.enabled }}
               value: {{ include "lldap.externalMariadbConnectString" . | quote }}
             {{- else }}
@@ -87,7 +97,10 @@ spec:
             - name: LLDAP_VERBOSE
               value: "{{ .Values.lldap.verbose }}"
             - name: LLDAP_KEY_SEED
-              value: "{{ .Values.lldap.keySeed }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lldap.credentialsSecretName" . }}
+                  key: {{ .Values.lldap.keySeedKey }}
             {{- if $.Values.lldap.smtp.enablePasswordReset }}
             - name: LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET
               value: "{{ .Values.lldap.smtp.enablePasswordReset }}"
@@ -104,10 +117,10 @@ spec:
             - name: LLDAP_SMTP_OPTIONS__REPLY_TO
               value: "{{ .Values.lldap.smtp.replyTo }}"
             - name: LLDAP_SMTP_OPTIONS__PASSWORD
-              valueFrom: 
-                secretKeyRef: 
-                  name: {{ include "lldap.fullname" . }}-credentials
-                  key: smtpPassword
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lldap.credentialsSecretName" . }}
+                  key: {{ .Values.lldap.smtp.passwordKey }}
             {{- end }}
             {{- if $.Values.lldap.ldaps.enabled }}
             - name: LLDAP_LDAPS_OPTIONS__ENABLED
diff --git a/charts/lldap/templates/secret.yaml b/charts/lldap/templates/secret.yaml
@@ -1,9 +1,12 @@
+{{ if not .Values.lldap.secretName }}
 kind: Secret
 apiVersion: v1
 type: Opaque
 metadata:
   name: {{ include "lldap.fullname" . }}-credentials
 data:
-  jwtSecret: {{ .Values.lldap.jwtSecret | b64enc }}
-  ldapUserPass: {{ .Values.lldap.ldapUserPass | b64enc }}
-  smtpPassword: {{ .Values.lldap.smtp.password | b64enc }}
+  {{ .Values.lldap.jwtSecretKey }}: {{ .Values.lldap.jwtSecret | b64enc }}
+  {{ .Values.lldap.ldapUserPassKey }}: {{ .Values.lldap.ldapUserPass | b64enc }}
+  {{ .Values.lldap.smtp.passwordKey }}: {{ .Values.lldap.smtp.password | b64enc }}
+  {{ .Values.lldap.keySeedKey }}: {{ .Values.lldap.keySeedKey | b64enc }}
+{{ end }}
diff --git a/charts/lldap/values.schema.json b/charts/lldap/values.schema.json
@@ -188,6 +188,20 @@
           "required": [],
           "title": "enabled",
           "type": "boolean"
+        },
+        "fromSecret": {
+          "default": null,
+          "description": "Name of the secret containing the database URI",
+          "required": [],
+          "title": "fromSecret",
+          "type": "string"
+        },
+        "uriKey": {
+          "default": null,
+          "description": "Name of the secret key containing the database URI",
+          "required": [],
+          "title": "uriKey",
+          "type": "string"
         }
       },
       "required": [],
@@ -239,6 +253,20 @@
           "required": [],
           "title": "enabled",
           "type": "boolean"
+        },
+        "fromSecret": {
+          "default": null,
+          "description": "Name of the secret containing the database URI",
+          "required": [],
+          "title": "fromSecret",
+          "type": "string"
+        },
+        "uriKey": {
+          "default": null,
+          "description": "Name of the secret key containing the database URI",
+          "required": [],
+          "title": "uriKey",
+          "type": "string"
         }
       },
       "required": [],
@@ -435,20 +463,41 @@
           "title": "gid",
           "type": "integer"
         },
+        "secretName": {
+          "default": null,
+          "description": "Name of Kubernetes secret containing credentials",
+          "required": [],
+          "title": "secretName",
+          "type": "string"
+        },
         "jwtSecret": {
           "default": "REPLACE_WITH_RANDOM",
           "description": "Random secret for JWT signature.\nThis secret should be random, and should be shared with application servers that need to\nconsume the JWTs. Changing this secret will invalidate all user sessions and require them\nto re-login. You can generate it with (on linux):\nLC_ALL=C tr -dc 'A-Za-z0-9!#%\u0026'\\''()*+,-./:;\u003c=\u003e?@[\\]^_{|}~' \u003c/dev/urandom | head -c 32; echo ''",
           "required": [],
           "title": "jwtSecret",
           "type": "string"
         },
+        "jwtSecretKey": {
+          "default": "jwtSecret",
+          "description": "Name of the JWT signature key in the credentials secret",
+          "required": [],
+          "title": "jwtSecretKey",
+          "type": "string"
+        },
         "keySeed": {
           "default": "REPLACE_WITH_RANDOM",
           "description": "Seed to generate the server private key. This can be any random string, the recommendation\nis that it's at least 12 characters long.",
           "required": [],
           "title": "keySeed",
           "type": "string"
         },
+        "keySeedKey": {
+          "default": "keySeed",
+          "description": "Name of the key containing the private key seed in the credentials secret",
+          "required": [],
+          "title": "keySeedKey",
+          "type": "string"
+        },
         "ldapUserDN": {
           "default": "admin",
           "description": "Admin username.\nFor the LDAP interface, a value of \"admin\" here will create the LDAP user\n\"cn=admin,ou=people,dc=example,dc=com\" (with the base DN above). For the administration\ninterface, this is the username.",
@@ -463,6 +512,13 @@
           "title": "ldapUserPass",
           "type": "string"
         },
+        "ldapUserPassKey": {
+          "default": "ldapUserPass",
+          "description": "Name of the LDAP admin password key in the credentials secret",
+          "required": [],
+          "title": "ldapUserPassKey",
+          "type": "string"
+        },
         "ldaps": {
           "description": "Options to configure LDAPS",
           "properties": {
@@ -516,6 +572,13 @@
               "title": "password",
               "type": "string"
             },
+            "passwordKey": {
+              "default": "password",
+              "description": "Name of the SMTP password in the credentials secret",
+              "required": [],
+              "title": "passwordKey",
+              "type": "string"
+            },
             "port": {
               "default": 587,
               "description": "The SMTP port.",
@@ -944,4 +1007,4 @@
   },
   "required": [],
   "type": "object"
-}
+}
diff --git a/charts/lldap/values.yaml b/charts/lldap/values.yaml
@@ -25,13 +25,22 @@ lldap:
   # actually need to own the domain name.
   baseDN: "dc=example,dc=com"
 
+  # -- Name of the Kubernetes secret containing credentials.
+  # If this isn't specified, a secret will be generated with the credentials provided
+  # in the values file. If you want to provide an external secret, for instance when
+  # deploying with GitOps, specify its name here.
+  secretName: ~
+
   # -- Random secret for JWT signature.
   # This secret should be random, and should be shared with application servers that need to
   # consume the JWTs. Changing this secret will invalidate all user sessions and require them
   # to re-login. You can generate it with (on linux):
   # LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
   jwtSecret: REPLACE_WITH_RANDOM
 
+  # -- Name of the JWT signature key in the `.Values.lldap.secretName` Kubernetes secret.
+  jwtSecretKey: jwtSecret
+
   # -- Admin username.
   # For the LDAP interface, a value of "admin" here will create the LDAP user
   # "cn=admin,ou=people,dc=example,dc=com" (with the base DN above). For the administration
@@ -44,10 +53,16 @@ lldap:
   # Note: you can create another admin user for user administration, this is just the default one.
   ldapUserPass: REPLACE_WITH_RANDOM
 
+  # -- Name of the LDAP admin password key in the `.Values.lldap.secretName` Kubernetes secret.
+  ldapUserPassKey: ldapUserPass
+
   # -- Seed to generate the server private key. This can be any random string, the recommendation
   # is that it's at least 12 characters long.
   keySeed: REPLACE_WITH_RANDOM
 
+  # -- Name of the key holding the private key seed in the `.Values.lldap.secretName` Kubernetes secret.
+  keySeedKey: keySeed
+
   uid: 1000
   gid: 1000
   tz: "Etc/UTC"
@@ -70,6 +85,9 @@ lldap:
     user: "sender@gmail.com"
     # -- The SMTP password.
     password: "password"
+    # -- Name of the SMTP password key in the `.Values.lldap.secretName` Kubernetes secret.
+    # Overrides the `.Values.lldap.smtp.password` if a custom secret is defined.
+    passwordKey: smtpPassword
     # -- The header field: how the sender appears in the email. The first
     # is a free-form name, followed by an email between <>. Optional.
     from: "LLDAP Admin <sender@gmail.com>"
@@ -214,6 +232,10 @@ postgresql:
 # --- Enable and configure external postgresql database
 externalPostgresql:
   enabled: false
+  # -- Name of the Kubernetes secret containing the database URI
+  # fromSecret:
+  # -- Name of the secret key containing the database URI
+  # uriKey:
   auth:
     host: ""
     port: 5432
@@ -244,6 +266,10 @@ mariadb:
 # -- Enable and configure external mariadb database
 externalMariadb:
   enabled: false
+  # -- Name of the Kubernetes secret containing the database URI
+  # fromSecret:
+  # -- Name of the secret key containing the database URI
+  # uriKey:
   auth:
     host: ""
     port: 3306
