Add multiple LDAP sources (#222)

Add multiple LDAP sources.

Instead of a single entry for ldap configuration we now would have a dictionary for ldap config.

This would be a breaking change for those working with the ldap config.

fixes: #190

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/222
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
This commit is contained in:
luhahn 2021-10-08 20:16:24 +08:00
parent b344673d11
commit 3273b245e7
5 changed files with 65 additions and 53 deletions


@ -370,25 +370,26 @@ gitea:
### LDAP Settings ### LDAP Settings
Like the admin user the LDAP settings can be updated, but also disabled or deleted. Like the admin user the LDAP settings can be updated.
All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available. All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items.
```yaml ```yaml
gitea: gitea:
ldap: ldap:
enabled: true - name: MyAwesomeGiteaLdap
name: 'MyAwesomeGiteaLdap' securityProtocol: unencrypted
securityProtocol: unencrypted host: "127.0.0.1"
host: "127.0.0.1" port: "389"
port: "389" userSearchBase: ou=Users,dc=example,dc=com
userSearchBase: ou=Users,dc=example,dc=com userFilter: sAMAccountName=%s
userFilter: sAMAccountName=%s adminFilter: CN=Admin,CN=Group,DC=example,DC=com
adminFilter: CN=Admin,CN=Group,DC=example,DC=com emailAttribute: mail
emailAttribute: mail bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com bindPassword: JustAnotherBindPw
bindPassword: JustAnotherBindPw usernameAttribute: CN
usernameAttribute: CN publicSSHKeyAttribute: publicSSHKey
sshPublicKeyAttribute: sshPublicKey
``` ```
You can also use an existing secret to set the bindDn and bindPassword: You can also use an existing secret to set the bindDn and bindPassword:
@ -407,7 +408,8 @@ stringData:
```yaml ```yaml
gitea: gitea:
ldap: ldap:
existingSecret: gitea-ldap-secret - existingSecret: gitea-ldap-secret
...
``` ```
:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options: :warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:


@ -108,21 +108,24 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "gitea.ldap_settings" -}} {{- define "gitea.ldap_settings" -}}
{{- if not (hasKey .Values.gitea.ldap "bindDn") -}} {{- $idx := index . 0 }}
{{- $_ := set .Values.gitea.ldap "bindDn" "" -}} {{- $values := index . 1 }}
{{- if not (hasKey $values "bindDn") -}}
{{- $_ := set $values "bindDn" "" -}}
{{- end -}} {{- end -}}
{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}} {{- if not (hasKey $values "bindPassword") -}}
{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}} {{- $_ := set $values "bindPassword" "" -}}
{{- end -}} {{- end -}}
{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}} {{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
{{- range $key, $val := .Values.gitea.ldap -}} {{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}} {{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- if eq $key "bindDn" -}} {{- if eq $key "bindDn" -}}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}} {{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
{{- else if eq $key "bindPassword" -}} {{- else if eq $key "bindPassword" -}}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}} {{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
{{- else if eq $key "port" -}} {{- else if eq $key "port" -}}
{{- printf "--%s %d " $key ($val | int) -}} {{- printf "--%s %d " $key ($val | int) -}}
{{- else if has $key $flags -}} {{- else if has $key $flags -}}
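Review bot: The helper now takes a positional `(list $idx $values)` argument instead of the root context, but nothing in the define says so; a reader of `{{- $idx := index . 0 }}` has to hunt down the callers to learn what the two elements are. Add a comment above the define such as `{{/* gitea.ldap_settings: args are (list <idx> <ldap source map>); <idx> selects the GITEA_LDAP_BIND_DN_<idx>/GITEA_LDAP_PASSWORD_<idx> env vars the statefulset sets for that source */}}`. The `set $values "bindDn" ""` / `set $values "bindPassword" ""` defaults also deserve a one-line why-comment, since their only visible purpose is to make the range below always emit the `--bind-dn`/`--bind-password` flags that read those env vars, even when the values come from `existingSecret`. The define continues past the end of this hunk.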


@ -84,24 +84,28 @@ stringData:
configure_admin_user configure_admin_user
{{- end }} {{- end }}
{{- if .Values.gitea.ldap.enabled }}
function configure_ldap() { function configure_ldap() {
local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }} {{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }}
local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}") local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..." echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }} gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
echo '...installed.' echo '...installed.'
else else
echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..." echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }} gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
echo '...sync settings done.' echo '...sync settings done.'
fi fi
{{- end }}
{{- else }}
echo 'no ldap configuration... skipping.'
{{- end }}
} }
configure_ldap configure_ldap
{{- end }}
{{- if .Values.gitea.oauth.enabled }} {{- if .Values.gitea.oauth.enabled }}
function configure_oauth() { function configure_oauth() {
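Review bot: `$value.name` on the `local LDAP_NAME=` line is used unguarded, so a source entry without `name` is not rejected at render time; depending on Helm's missing-key handling the script most likely ends up with an empty or garbage `LDAP_NAME`, and the `grep -E` lookup and the `gitea admin auth` calls then misbehave inside the pod instead of failing at `helm install`. Wrap it as `local LDAP_NAME={{ required "each gitea.ldap entry needs a unique name" $value.name | squote }}`. Since this commit turns `gitea.ldap` from a map into a list (the description calls it a breaking change), a guard at the top of the function would give migrating users a readable error: `{{- if not (kindIs "slice" .Values.gitea.ldap) }}{{ fail "gitea.ldap must now be a list of LDAP sources, see README" }}{{- end }}`; without it an old-style map reaches `$value.name` and dies with an opaque template error. The name is also interpolated unescaped into the `grep -E` pattern, so names containing regex metacharacters (`.`, `(`, `|`) may match the wrong source or none — worth a note in the README if not fixed here.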


@ -17,7 +17,9 @@ spec:
metadata: metadata:
annotations: annotations:
checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }} {{- range $idx, $value := .Values.gitea.ldap }}
checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
{{- end }}
checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }} checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
{{- with .Values.gitea.podAnnotations }} {{- with .Values.gitea.podAnnotations }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
@ -79,23 +81,25 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.gitea.ldap.enabled }} {{- if .Values.gitea.ldap }}
{{- if .Values.gitea.ldap.existingSecret }} {{- range $idx, $value := .Values.gitea.ldap }}
- name: GITEA_LDAP_BIND_DN {{- if $value.existingSecret }}
- name: GITEA_LDAP_BIND_DN_{{ $idx }}
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: bindDn key: bindDn
name: {{ .Values.gitea.ldap.existingSecret }} name: {{ $value.existingSecret }}
- name: GITEA_LDAP_PASSWORD - name: GITEA_LDAP_PASSWORD_{{ $idx }}
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: bindPassword key: bindPassword
name: {{ .Values.gitea.ldap.existingSecret }} name: {{ $value.existingSecret }}
{{- else }} {{- else }}
- name: GITEA_LDAP_BIND_DN - name: GITEA_LDAP_BIND_DN_{{ $idx }}
value: {{ .Values.gitea.ldap.bindDn | quote }} value: {{ $value.bindDn | quote }}
- name: GITEA_LDAP_PASSWORD - name: GITEA_LDAP_PASSWORD_{{ $idx }}
value: {{ .Values.gitea.ldap.bindPassword | quote }} value: {{ $value.bindPassword | quote }}
{{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.gitea.admin.existingSecret }} {{- if .Values.gitea.admin.existingSecret }}
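Review bot: In the `{{- else }}` branch an inline `bindPassword` is rendered as a literal `value:` on `GITEA_LDAP_PASSWORD_{{ $idx }}`, so the LDAP bind credential lands in clear text in the StatefulSet and Pod specs, readable by anyone with `get` on those resources rather than only on Secrets. The `existingSecret` branch avoids that, so steer users there: add `{{/* NOTE: inline bindDn/bindPassword are written into the pod spec in clear text; prefer existingSecret */}}` above the `{{- else }}`, or render the inline values into a chart-managed Secret and use `secretKeyRef` in both branches. Note also that `checksum/ldap_{{ $idx }}` hashes the rendered CLI arguments, which appear to contain only the `${GITEA_LDAP_*_N}` env var names, so rotating the referenced Secret's contents does not by itself trigger a rollout — a caveat the README could carry.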


@ -154,21 +154,20 @@ gitea:
# additionalLabels: # additionalLabels:
# prometheus-release: prom1 # prometheus-release: prom1
ldap: ldap: []
enabled: false # - name: "LDAP 1"
#existingSecret: gitea-ldap-secret # existingSecret:
#name: # securityProtocol:
#securityProtocol: # host:
#host: # port:
#port: # userSearchBase:
#userSearchBase: # userFilter:
#userFilter: # adminFilter:
#adminFilter: # emailAttribute:
#emailAttribute: # bindDn:
#bindDn: # bindPassword:
#bindPassword: # usernameAttribute:
#usernameAttribute: # publicSSHKeyAttribute:
#sshPublicKeyAttribute:
oauth: oauth:
enabled: false enabled: false
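Review bot: The commented example lists `existingSecret:` without saying what the chart expects from it; the statefulset template reads the keys `bindDn` and `bindPassword` from that Secret and, when `existingSecret` is set, does not render the inline `bindDn`/`bindPassword` at all. Document that in the example: `# existingSecret:  # Secret with keys bindDn and bindPassword; takes precedence over inline bindDn/bindPassword`. It would also help to warn that an inline `bindPassword` is rendered in clear text into the StatefulSet, e.g. `# bindPassword:  # stored in clear text in the pod spec; prefer existingSecret`.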