test rollout of helm chart

.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml

@@ -133,7 +133,7 @@ jobs:
       - create_branch_identifier
       - release_helm
       - build_image_on_push
-    uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@4 # Branch name needs to get used here
+    uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@DBP-799-openldap-image-helm-chart # Branch name needs to get used here
     with:
       dbildungs_iam_server_branch: ${{ needs.branch_meta.outputs.ticket }}
       schulportal_client_branch: ${{ needs.branch_meta.outputs.ticket }}

README.md

@@ -49,8 +49,6 @@ Parameters related to the configuration of the application.
 | `initTLSSecret.secret`                       | Secret containing TLS cert and key must contain the keys tls.key , tls.crt and ca.crt                                                                       | `""`                |
 | `customSchemaFiles` | Custom openldap schema files used in addition to default schemas                                                                    | `""`                |
 | `customLdifFiles`                       | Custom openldap configuration files used to override default settings                                                                      | `""`                |
-| `customLdifCm`                       | Existing configmap with custom ldif. Can't be use with customLdifFiles                                                            | `""`                |
-| `customAcls`                       | Custom openldap ACLs. Overrides default ones.                                                                      | `""`                |
 | `replication.enabled`              | Enable the multi-master replication | `true` |
 | `replication.retry`              | retry period for replication in sec | `60` |
 | `replication.timeout`              | timeout for replication  in sec| `1` |
@@ -91,7 +89,6 @@ Parameters related to Kubernetes.
 | `service.enableLdapPort`                 | Enable LDAP port on the service and headless service                                                                                | `true`              |
 | `service.enableSslLdapPort`                 | Enable SSL LDAP port on the service and headless service                                                                         | `true`              |
 | `service.ldapPortNodePort`                 | Nodeport of External service port for LDAP if service.type is NodePort                                                                                                            | `nil`               |
-| `service.loadBalancerIP`           | IP address to assign to load balancer (if supported)                                                                                      | `""`                |
 | `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported)                                                                           | `[]`                |
 | `service.sslLdapPortNodePort`                 | Nodeport of External service port for SSL if service.type is NodePort                                                                                                            | `nil`               |
 | `service.type`                     | Service type can be ClusterIP, NodePort, LoadBalancer                                                                                                                              | `ClusterIP`         |
@@ -107,7 +104,6 @@ Parameters related to Kubernetes.
 | `customStartupProbe`                     | Startup probe configuration                                                                                                               | `[see values.yaml]` |
 | `resources`                        | Container resource requests and limits in yaml                                                                                            | `{}`                |
 | `podSecurityContext`              | Enabled OPENLDAP  pods' Security Context | `true` |``
-| `containerSecurityContext`              | Set OPENLDAP  pod's Security Context fsGroup | `true` |
 | `existingConfigmap`              | existingConfigmap The name of an existing ConfigMap with your custom configuration for OPENLDAP  | `` |
 | `podLabels`              | podLabels Extra labels for OPENLDAP  pods| `{}` |
 | `podAnnotations`              | podAnnotations Extra annotations for OPENLDAP  pods | `{}` |

templates/statefulset.yaml

@@ -71,9 +71,6 @@ spec:
               sed -i -e "s/%%CONFIG_PASSWORD%%/${LDAP_CONFIG_ADMIN_PASSWORD}/g" /custom_config/*
               sed -i -e "s/%%ADMIN_PASSWORD%%/${LDAP_ADMIN_PASSWORD}/g" /custom_config/*
             {{- end }}
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
           {{- if .Values.initTLSSecret.resources }}
           resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }}
           {{- end }}
@@ -92,12 +89,6 @@ spec:
       {{- end }}
             - name: custom-schema-files
               mountPath: /custom-schemas/
-    {{- end }}
-    {{- if or (.Values.customLdifFiles) (.Values.customLdifCm) }}
-            - name: cm-custom-ldif-files
-              mountPath: /cm-ldifs/
-            - name: custom-ldif-files
-              mountPath: /custom-ldifs/
     {{- end }}
             - name: cm-replication
               mountPath: "/cm-schemas-acls"
@@ -126,9 +117,6 @@ spec:
               cp -Lr /tmp-certs/* /certs
               [ -e /certs/ca.crt ] || cp -a /certs/tls.crt /certs/ca.crt
               echo "Files related to TLS moved where they belong"
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
           {{- if .Values.initTLSSecret.resources }}
           resources: {{- toYaml .Values.initTLSSecret.resources | nindent 12 }}
           {{- end }}
@@ -169,9 +157,6 @@ spec:
         - name: {{ .Chart.Name }}
           image: {{ include "openldap.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
-          {{- end }}
           env:
             - name: POD_NAME
               valueFrom:
@@ -259,10 +244,7 @@ spec:
               subPath: {{ $file }}.ldif
             {{- end }}
 {{- end }}
-{{- if or (.Values.customLdifFiles) (.Values.customLdifCm) }}
-            - name: custom-ldif-files
-              mountPath: /ldifs/
-{{- end }}
+
 {{- range .Values.customFileSets }}
 {{- $fs := . }}
 {{- range .files }}
@@ -293,9 +275,6 @@ spec:
         - name: ldap-configuration
           secret:
             secretName: ldap-configuration
-        # - name: ldap-configuration
-        #   configMap:
-        #     name: ldap-configuration
         - name: cm-replication
           configMap:
             name: {{ template "openldap.fullname" . }}-replication
@@ -310,13 +289,6 @@ spec:
         - name: custom-ldif-files
           emptyDir:
             medium: Memory
-{{- else if .Values.customLdifCm }}
-        - name: cm-custom-ldif-files
-          configMap:
-            name: {{ .Values.customLdifCm }}
-        - name: custom-ldif-files
-          emptyDir:
-            medium: Memory
 {{- else if .Values.customLdifSecret }}
         - name: cm-custom-ldif-files
           secret:

values.yaml

@@ -1,5 +1,3 @@
-# Default values for openldap.
-
 # Please, note that this will override the image parameters, including dependencies, configured to use the global value
 global:
   imageRegistry: ""
@@ -18,6 +16,10 @@ global:
   ldapPort: 389                               # LDAP_PORT_NUMBER
   sslLdapPort: 636                            # LDAP_LDAPS_PORT_NUMBER
 
+nameOverride: ""
+fullnameOverride: ""
+
+
 # this is not so clean 
 existingSecret:
   enabled: true
@@ -29,9 +31,6 @@ image:
   pullPolicy: Always
   pullSecrets: []
 
-# Valid log levels: none, error, warning, info (default), debug, trace
-logLevel: info
-
 extraLabels: {}
 
 service:
@@ -40,25 +39,22 @@ service:
   # ldapPortNodePort:
   # sslLdapPortNodePort:
 
-  # Disable if you do not want to expose port on service
   enableLdapPort: true
   enableSslLdapPort: true
 
   sessionAffinity: None
   # type: ClusterIP
   type: LoadBalancer
   externalIp: false
+  # if enabled you need to have to set the LOADBALANCER_IP key with value in the existingSecret
   # externalIp: true
   SourceRangesRestriction: false
-  # SourceRangesRestriction: true
-  # Only for staging and Prod 
-  # loadBalancerIP: 
+  # if enabled you need to have to set the LOADBALANCER_SOURCERANGES key with value in the existingSecret
   # servicecenter für den prometheus blackbox exporter freischalten
-  # loadBalancerSourceRanges: [""]
+  # SourceRangesRestriction: true
   # enableLdapPort: false
 
 
-
 # Use the env variables from https://hub.docker.com/r/bitnami/openldap/
 env:
   BITNAMI_DEBUG: "true"
@@ -68,7 +64,7 @@ env:
   # Configuration
   LDAP_SKIP_DEFAULT_TREE: "no"
   LDAP_ULIMIT_NOFILES: "1024" # staging and prod: 4096
-  # if something is not needed it can get removed by just not mentioning it here # order is importand, do not put nis in front, always append
+  # if something is not needed it can get removed by just not mentioning it here # order is importand, do not put nis in front, always append it
   # is this is enabled replication is not working
   # LDAP_EXTRA_SCHEMAS: cosine,inetorgperson,nis
 
@@ -89,17 +85,6 @@ pdb:
   minAvailable: 1
   maxUnavailable: ""
 
-## User list to create (comma separated list) , can't be use with customLdifFiles
-## Default set by bitnami image
-# users: user01,user02
-
-## User password to create (comma separated list, one for each user)
-## Default set by bitnami image
-# userPasswords: bitnami1, bitnami2
-
-## Group to create and add list of user above
-  ## Default set by bitnami image
-# group: readers
 
 # Custom openldap schema files used to be used in addition to default schemas
 # Note that the supplied files are sorted by name and inserted into 'LDAP_EXTRA_SCHEMAS' env var
@@ -110,15 +95,11 @@ pdb:
 #   anothercustom.ldif: |-
 #     # another custom schema
 
-## Existing configmap with custom ldif
-# Can't be use with customLdifFiles
-# Same format as customLdifFiles
-# customLdifCm: my-custom-ldif-cm
 
 # Custom openldap configuration files used to override default settings
-# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
 # can not get loaded if TLS is required ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required
-# Files that chage the general config or create ACL are not allowed here 
+# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
+# Files that chage the general config or create ACL are not allowed here, insufficient permissions, they get hendled via the ldap-configuration secret
 customLdifFiles:
   00-root.ldif: |-
     dn: dc=schule-sh,dc=de
@@ -127,28 +108,8 @@ customLdifFiles:
     objectClass: organization
     o: SPSH
 
-
-# Custom openldap ACLs
-# If not defined, the following default ACLs are applied:
-# customAcls: |-
-#   dn: olcDatabase={2}mdb,cn=config
-#   changetype: modify
-#   replace: olcAccess
-#   olcAccess: {0}to *
-#     by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
-#     by * break
-#   olcAccess: {1}to attrs=userPassword,shadowLastChange
-#     by self write
-#     by dn="{{ include "global.bindDN" . }}" write
-#     by anonymous auth by * none
-#   olcAccess: {2}to *
-#     by dn="{{ include "global.bindDN" . }}" write
-#     by self read
-#     by * none
-
 replicaCount: 1
 
-
 # have to work on this
 replication:
   enabled: false
@@ -163,18 +124,13 @@ replication:
 # dev = enabled to false? 
 persistence:
   enabled: false
-  # enabled: true
-  # storageClass: "standard-singlewriter"
+  # the existing claim, shall we create that per spsh-pp-release OR in the infa-dbp repository
   # existingClaim: openldap-pvc
   accessModes:
     - ReadWriteOnce
   size: 8Gi
   storageClass: ""
 
-customLivenessProbe: {}
-customReadinessProbe: {}
-customStartupProbe: {}
-
 resources:
   limits:
     cpu: 2
@@ -195,11 +151,6 @@ podSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
 
-containerSecurityContext:
-  enabled: false
-  runAsUser: 1001
-  runAsNonRoot: true
-
 existingConfigmap:
 command: []
 args: []
@@ -238,8 +189,6 @@ serviceAccount:
   annotations: {}  
 
 kubeVersion: ""
-nameOverride: ""
-fullnameOverride: ""
 commonLabels: {}
 commonAnnotations: {}
 clusterDomain: cluster.local
@@ -290,13 +239,13 @@ initSchema:
 ## 'initTlsSecret' init container parameters
 ## need a secret with tls.crt, tls.key and ca.crt keys with associated files
 initTLSSecret:
-  tls_enabled: false
+  tls_enabled: true
   image:
     registry: docker.io
     repository: alpine/openssl
     tag: latest
     pullPolicy: IfNotPresent
-  secret: "dbildungs-iam-ldap-tls" 
+  # secret: "dbildungs-iam-ldap-tls" 
   resources:
     limits: {}
     requests: {}
@@ -331,7 +280,9 @@ startupProbe:
   timeoutSeconds: 1
   successThreshold: 1
   failureThreshold: 30
-
+customLivenessProbe: {}
+customReadinessProbe: {}
+customStartupProbe: {}
 
 ## phpldapadmin
 ## For more parameters check following file: ./charts/phpldapadmin/values.yaml