From 714de8d1ced7c115303e60c8ba78231948901384 Mon Sep 17 00:00:00 2001 From: Julio Caicedo Date: Sun, 30 Nov 2025 20:53:58 -0500 Subject: [PATCH 1/2] feat: Add existing secret support for OpenLDAP and Keycloak credentials, and introduce a production values example. --- Chart.yaml | 12 +++-- templates/_helpers.tpl | 8 ++++ templates/keycloak-deployment.yaml | 19 +++++++- templates/keycloak-secret.yaml | 4 +- templates/openldap-deployment.yaml | 4 +- templates/openldap-secret.yaml | 2 +- values.schema.json | 72 +++++++++++++++++++++++++----- values.yaml | 19 ++++++++ 8 files changed, 114 insertions(+), 26 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index f97eff8..2dc077a 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ldap-stack description: OpenLDAP + phpLDAPadmin + Keycloak stack for centralized identity management with SSO support type: application -version: 1.0.0 +version: 1.1.0 appVersion: "2.6.0" annotations: artifacthub.io/signKey: | @@ -28,15 +28,13 @@ annotations: artifacthub.io/prerelease: "false" artifacthub.io/changes: | - kind: added - description: Initial release with OpenLDAP, phpLDAPadmin, and Keycloak + description: Support for existingSecret in OpenLDAP credentials - kind: added - description: LDAP Federation auto-configuration for Keycloak + description: Support for existingSecret in Keycloak admin credentials - kind: added - description: Bootstrap support for automatic OU creation + description: Support for existingSecret in Keycloak database credentials - kind: added - description: NetworkPolicy, PodDisruptionBudget, and ServiceMonitor support - - kind: added - description: Multiple service types (ClusterIP, NodePort, LoadBalancer) + description: Production values example with LoadBalancer and external secrets keywords: - ldap - openldap diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index e545269..da5de94 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -131,14 +131,22 @@ app.kubernetes.io/component: keycloak Secret name for OpenLDAP credentials */}} {{- define "ldap-stack.openldap.secretName" -}} +{{- if .Values.openldap.existingSecret -}} +{{- .Values.openldap.existingSecret }} +{{- else -}} {{- printf "%s-openldap-credentials" (include "ldap-stack.fullname" .) }} +{{- end -}} {{- end }} {{/* Secret name for Keycloak credentials */}} {{- define "ldap-stack.keycloak.secretName" -}} +{{- if .Values.keycloak.existingSecret -}} +{{- .Values.keycloak.existingSecret }} +{{- else -}} {{- printf "%s-keycloak-credentials" (include "ldap-stack.fullname" .) }} +{{- end -}} {{- end }} {{/* diff --git a/templates/keycloak-deployment.yaml b/templates/keycloak-deployment.yaml index e382567..ccc5491 100644 --- a/templates/keycloak-deployment.yaml +++ b/templates/keycloak-deployment.yaml @@ -50,12 +50,12 @@ spec: valueFrom: secretKeyRef: name: {{ include "ldap-stack.keycloak.secretName" . }} - key: admin-username + key: {{ .Values.keycloak.secretKeys.adminUsername | default "admin-username" }} - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: name: {{ include "ldap-stack.keycloak.secretName" . }} - key: admin-password + key: {{ .Values.keycloak.secretKeys.adminPassword | default "admin-password" }} - name: KC_HEALTH_ENABLED value: "true" - name: KC_METRICS_ENABLED 
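Review bot: The new `if`/`else` in `ldap-stack.openldap.secretName` and `ldap-stack.keycloak.secretName` is the long form of a `default` pipeline, which is the usual Helm idiom and keeps each helper to one line: `{{- .Values.openldap.existingSecret | default (printf "%s-openldap-credentials" (include "ldap-stack.fullname" .)) }}`. Since `ldap-stack.keycloak.secretName` is also what keycloak-deployment.yaml uses for the `db-password` lookup, a caller-supplied name now has to carry that key as well; that contract belongs in the helper's `{{/* ... */}}` header, e.g. `Secret name for Keycloak credentials; when existingSecret is set it must also hold db-password unless production.database.existingSecret is set`.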
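Review bot: The `secretKeys` override on the two `secretKeyRef.key` lines takes effect even when `keycloak.existingSecret` is empty, but the chart-generated Secret in keycloak-secret.yaml still writes the fixed keys `admin-username` and `admin-password`, so a user who changes `secretKeys` without setting `existingSecret` gets a container that never starts (missing key in the generated Secret). The consistent fix is to key the generated Secret off the same values, e.g. `{{ .Values.keycloak.secretKeys.adminUsername | default "admin-username" }}: {{ required "keycloak.admin.username is required" .Values.keycloak.admin.username | b64enc | quote }}`, or to state in values.yaml that `secretKeys` only applies together with `existingSecret`. The same mismatch exists between the openldap-deployment.yaml hunk and openldap-secret.yaml (whose data lines are outside this diff, so I am inferring the fixed keys there).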
@@ -74,6 +74,20 @@ spec: value: {{ .Values.keycloak.production.database.port | quote }} - name: KC_DB_URL_DATABASE value: {{ .Values.keycloak.production.database.database | quote }} + {{- if .Values.keycloak.production.database.existingSecret }} + # Database credentials from existing secret + - name: KC_DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.keycloak.production.database.existingSecret }} + key: {{ .Values.keycloak.production.database.secretKeys.username | default "username" }} + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.keycloak.production.database.existingSecret }} + key: {{ .Values.keycloak.production.database.secretKeys.password | default "password" }} + {{- else }} + # Database credentials from values - name: KC_DB_USERNAME value: {{ .Values.keycloak.production.database.username | quote }} - name: KC_DB_PASSWORD @@ -82,6 +96,7 @@ spec: name: {{ include "ldap-stack.keycloak.secretName" . }} key: db-password {{- end }} + {{- end }} # LDAP connection info (for realm import and reference) - name: LDAP_URL value: {{ include "ldap-stack.openldap.url" . | quote }} diff --git a/templates/keycloak-secret.yaml b/templates/keycloak-secret.yaml index 3921cbd..f4b11fd 100644 --- a/templates/keycloak-secret.yaml +++ b/templates/keycloak-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.keycloak.enabled }} +{{- if and .Values.keycloak.enabled (not .Values.keycloak.existingSecret) }} apiVersion: v1 kind: Secret metadata: 
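Review bot: When `keycloak.existingSecret` is set but `keycloak.production.database.existingSecret` is not, the `{{- else }}` branch (which continues past the end of this hunk) still reads `db-password` from `include "ldap-stack.keycloak.secretName"`, which now resolves to the user's admin secret, while the keycloak-secret.yaml hunk on this same line skips rendering the chart's own Secret entirely; the documented keys `admin-username`/`admin-password` are therefore no longer sufficient for a non-devMode install and the pod fails with a missing-key error. Either document that the admin `existingSecret` must also carry `db-password`, or make the requirement fail at render time with a one-line guard next to the new `{{- if }}`: `{{- if and .Values.keycloak.existingSecret (not .Values.keycloak.production.database.existingSecret) (not .Values.keycloak.devMode) }}{{ fail "set keycloak.production.database.existingSecret when keycloak.existingSecret is used" }}{{- end }}`. The two added comment lines are fine as written, but `# Database credentials from values` is misleading for the password, which still comes from a Secret in that branch.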
@@ -9,7 +9,7 @@ type: Opaque data: admin-username: {{ required "keycloak.admin.username is required" .Values.keycloak.admin.username | b64enc | quote }} admin-password: {{ required "keycloak.admin.password is required" .Values.keycloak.admin.password | b64enc | quote }} - {{- if and (not .Values.keycloak.devMode) .Values.keycloak.production.database.password }} + {{- if and (not .Values.keycloak.devMode) .Values.keycloak.production.database.password (not .Values.keycloak.production.database.existingSecret) }} db-password: {{ .Values.keycloak.production.database.password | b64enc | quote }} {{- end }} {{- end }} diff --git a/templates/openldap-deployment.yaml b/templates/openldap-deployment.yaml index e2302c6..274dc75 100644 --- a/templates/openldap-deployment.yaml +++ b/templates/openldap-deployment.yaml @@ -41,12 +41,12 @@ spec: valueFrom: secretKeyRef: name: {{ include "ldap-stack.openldap.secretName" . }} - key: admin-password + key: {{ .Values.openldap.secretKeys.adminPassword | default "admin-password" }} - name: LDAP_CONFIG_PASSWORD valueFrom: secretKeyRef: name: {{ include "ldap-stack.openldap.secretName" . }} - key: config-password + key: {{ .Values.openldap.secretKeys.configPassword | default "config-password" }} - name: LDAP_TLS value: {{ .Values.openldap.tls.enabled | quote }} - name: LDAP_TLS_ENFORCE diff --git a/templates/openldap-secret.yaml b/templates/openldap-secret.yaml index d1a3e4f..53ff14f 100644 --- a/templates/openldap-secret.yaml +++ b/templates/openldap-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.openldap.enabled }} +{{- if and .Values.openldap.enabled (not .Values.openldap.existingSecret) }} apiVersion: v1 kind: Secret metadata: diff --git a/values.schema.json b/values.schema.json index e335e2c..370b75f 100644 --- a/values.schema.json +++ b/values.schema.json 
@@ -66,11 +66,10 @@ }, "config": { "type": "object", - "description": "LDAP Configuration (REQUIRED)", + "description": "LDAP Configuration", "required": [ "organisation", - "domain", - "adminPassword" + "domain" ], "properties": { "organisation": { @@ -86,8 +85,7 @@ }, "adminPassword": { "type": "string", - "description": "Admin password", - "minLength": 1 + "description": "Admin password (required if existingSecret is not set)" }, "configPassword": { "type": "string", @@ -95,6 +93,24 @@ } } }, + "existingSecret": { + "type": "string", + "description": "Name of existing secret containing OpenLDAP credentials" + }, + "secretKeys": { + "type": "object", + "description": "Keys in the existing secret", + "properties": { + "adminPassword": { + "type": "string", + "default": "admin-password" + }, + "configPassword": { + "type": "string", + "default": "config-password" + } + } + }, "tls": { "type": "object", "description": "TLS Configuration", @@ -442,19 +458,33 @@ }, "admin": { "type": "object", - "description": "Keycloak admin credentials (REQUIRED)", - "required": [ - "username", - "password" - ], + "description": "Keycloak admin credentials (required if existingSecret is not set)", "properties": { "username": { "type": "string", - "minLength": 1 + "description": "Admin username" }, "password": { "type": "string", - "minLength": 1 + "description": "Admin password" + } + } + }, + "existingSecret": { + "type": "string", + "description": "Name of existing secret containing Keycloak admin credentials" + }, + "secretKeys": { + "type": "object", + "description": "Keys in the existing secret", + "properties": { + "adminUsername": { + "type": "string", + "default": "admin-username" + }, + "adminPassword": { + "type": "string", + "default": "admin-password" } } }, 
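Review bot: Dropping `adminPassword` from `required` and removing its `minLength: 1` in the `openldap.config` hunk means a values file with neither `openldap.existingSecret` nor `config.adminPassword` now passes schema validation; unless openldap-secret.yaml wraps the value in `required` (its data lines are outside the openldap-secret.yaml hunk), the chart renders a Secret with an empty admin password. The `keycloak.admin` hunk relaxes the schema the same way, though there keycloak-secret.yaml keeps `required` on both fields. Because values.yaml defaults `existingSecret` to `""`, the condition has to test the string rather than key presence; on the `openldap` object something like `"if": { "properties": { "existingSecret": { "maxLength": 0 } } }, "then": { "properties": { "config": { "required": ["adminPassword"], "properties": { "adminPassword": { "minLength": 1 } } } } }` restores the guarantee, and Helm's draft-07 schema validation supports `if`/`then`. The same shape fits `keycloak` with `admin` in place of `config`.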
@@ -502,6 +532,24 @@ }, "password": { "type": "string" + }, + "existingSecret": { + "type": "string", + "description": "Name of existing secret containing database credentials" + }, + "secretKeys": { + "type": "object", + "description": "Keys in the existing secret", + "properties": { + "username": { + "type": "string", + "default": "username" + }, + "password": { + "type": "string", + "default": "password" + } + } } } } diff --git a/values.yaml b/values.yaml index 60e1483..a500ea3 100644 --- a/values.yaml +++ b/values.yaml @@ -31,6 +31,13 @@ openldap: adminPassword: "" # Admin password configPassword: "" # Config password (optional, defaults to adminPassword) + # Use existing secret for OpenLDAP credentials (recommended for production) + # Secret must contain keys: admin-password, config-password + existingSecret: "" + secretKeys: + adminPassword: "admin-password" + configPassword: "config-password" + # TLS Configuration tls: enabled: true @@ -194,6 +201,13 @@ keycloak: username: "" password: "" + # Use existing secret for Keycloak admin credentials (recommended for production) + # Secret must contain keys: admin-username, admin-password + existingSecret: "" + secretKeys: + adminUsername: "admin-username" + adminPassword: "admin-password" + # Run in development mode (start-dev) devMode: true @@ -208,6 +222,11 @@ keycloak: database: keycloak username: "" password: "" + # Use existing secret for database credentials (recommended for production) + existingSecret: "" + secretKeys: + username: "username" + password: "password" # Service configuration service: From 6bfa8ce3ace7ac96231e63b7a84841400967785f Mon Sep 17 00:00:00 2001 From: Julio Caicedo Date: Sun, 30 Nov 2025 21:00:09 -0500 Subject: [PATCH 2/2] feat: Introduce explicit `storageClass` option for OpenLDAP persistence and add a comprehensive production values example. --- templates/openldap-pvc.yaml | 9 +++++++-- values.yaml | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) 
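Review bot: The comment `# Secret must contain keys: admin-password, config-password` on the `openldap.existingSecret` hunk presents the key names as fixed while the `secretKeys` block immediately below makes them configurable; say so: `# Secret must contain the keys named in secretKeys below (defaults: admin-password, config-password)`. The Keycloak admin hunk needs one more line, because with `devMode: false` and no `production.database.existingSecret` the deployment also reads `db-password` from this secret: `# When devMode is false and production.database.existingSecret is unset, it must also contain db-password`. The database hunk has no key list at all; `# Secret must contain the keys named in secretKeys below (defaults: username, password)` would match the other two. Both commit subjects and the Chart.yaml changelog entry announce a production values example, but no such file appears in either patch's diffstat.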
diff --git a/templates/openldap-pvc.yaml b/templates/openldap-pvc.yaml index 2faa5ba..111d81a 100644 --- a/templates/openldap-pvc.yaml +++ b/templates/openldap-pvc.yaml @@ -1,4 +1,5 @@ {{- if and .Values.openldap.enabled .Values.openldap.persistence.enabled }} +{{- $storageClass := .Values.openldap.persistence.storageClass | default .Values.global.storageClass }} --- apiVersion: v1 kind: PersistentVolumeClaim @@ -12,7 +13,9 @@ spec: resources: requests: storage: {{ .Values.openldap.persistence.data.size }} - {{- include "ldap-stack.storageClass" . | nindent 2 }} + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} --- apiVersion: v1 kind: PersistentVolumeClaim @@ -26,5 +29,7 @@ spec: resources: requests: storage: {{ .Values.openldap.persistence.config.size }} - {{- include "ldap-stack.storageClass" . | nindent 2 }} + {{- if $storageClass }} + storageClassName: {{ $storageClass }} + {{- end }} {{- end }} diff --git a/values.yaml b/values.yaml index a500ea3..57fb9b4 100644 --- a/values.yaml +++ b/values.yaml @@ -79,7 +79,8 @@ openldap: # Persistence persistence: enabled: true - size: 1Gi + # Storage class (overrides global.storageClass) + storageClass: "" # Separate PVCs for data and config data: size: 1Gi
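Review bot: `storageClassName: {{ $storageClass }}` in both PVC hunks emits the value unquoted, so the widespread `storageClass: "-"` convention (request no dynamic provisioning) renders as `storageClassName: -`, which YAML reads as a sequence rather than the empty string the API expects; `storageClassName: {{ $storageClass | quote }}` keeps it a string, and mapping `"-"` to `""` would need its own branch, as helper-based charts usually do. The removed `include "ldap-stack.storageClass"` call is not deleted from _helpers.tpl in this series, so that helper is presumably now unused; confirm no other template includes it before leaving it in, or keep using it here and add the `.Values.openldap.persistence.storageClass` override inside it once instead of duplicating the block in two PVCs. The new `$storageClass` line also dereferences `.Values.global.storageClass` directly; if `global` can be absent from a user's values this is a nil-pointer render error, so `(.Values.global | default dict).storageClass` is the safer form.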
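Review bot: The values.yaml hunk adds `openldap.persistence.storageClass` but patch 2 does not touch values.schema.json, unlike patch 1 which kept the two in step; if the `persistence` object in the schema declares `additionalProperties: false` the install now fails validation, and either way the option is undocumented there. Add `"storageClass": { "type": "string", "description": "Storage class for the OpenLDAP PVCs (overrides global.storageClass)" }` under the `persistence` properties. The hunk also removes `persistence.size`; the PVC templates in this series read `data.size`/`config.size`, but confirm no other template or the README still references `.Values.openldap.persistence.size`.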