Openldap config: fix #40

georchestra / helm-georchestra

geOrchestra helm chart

3 stars 6 forks source link

Openldap config: fix #40 #47

Closed jeanpommier closed 1 year ago

jeanpommier commented 1 year ago

read the configuration from chart's values file(s)
support passing the password (and possibly other env var alongside) using a secret

Example of valid secret could be

apiVersion: v1
kind: Secret
metadata:
  name: myldapsecret
type: Opaque
data:
  SLAPD_PASSWORD: "bXlzZWNyZXRsZGFwYWRtaW5wYXNzd29yZA=="

where the value is the actual password base64 encoded (echo -n 'mysecretldapadminpassword' | base64)

edevosc2c commented 1 year ago

Thank you for the PR, one remark is that I much prefer to do like it's already possible for database credentials.

Create a Kubernetes Secret anyway if the user doesn't pass one: https://github.com/georchestra/helm-georchestra/blob/main/templates/database/database-geodata-secret.yaml

Instead of having the ability to pass a Kubernetes Secret, but still allow the ability to pass the password through an environment variable.

By the way, this time the CI is throwing a real error :smile:: https://github.com/georchestra/helm-georchestra/actions/runs/6000210528/job/16271828142?pr=47#step:7:34 (I did fix the CI so now it should throw real errors if they are detected)

jeanpommier commented 1 year ago

I much prefer to do like it's already possible for database credentials

Okay, I can update it accordingly. Are you fine with using the

 envFrom:
          - secretRef:

syntax anyway ?

jeanpommier commented 1 year ago

Is this better ?

edevosc2c commented 1 year ago

Good for me but I think one day we should document the structure of each secret :).

jeanpommier commented 1 year ago

Good for me but I think one day we should document the structure of each secret :).

You mean you'd rather have it more explictly loading just the one environment variable ? It's fine by me too

edevosc2c commented 1 year ago

Good for me but I think one day we should document the structure of each secret :).

You mean you'd rather have it more explictly loading just the one environment variable ? It's fine by me too

No, I mean there are a lot of other cases where we allow an external secret but it's undocumented.

jeanpommier commented 1 year ago

CI failure doesn't seem related to this PR, right @edevosc2c ?

edevosc2c commented 1 year ago

mmh that seems like a CI breaking again, that's odd I did my best to get it working properly. I have re-run it in case it would pass again during the night.

I'll check again tomorrow.