12 changes: 5 additions & 7 deletions Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: ldap-stack
description: OpenLDAP + phpLDAPadmin + Keycloak stack for centralized identity management with SSO support
type: application
version: 1.0.0
version: 1.1.0
appVersion: "2.6.0"
annotations:
artifacthub.io/signKey: |
Expand All @@ -28,15 +28,13 @@ annotations:
artifacthub.io/prerelease: "false"
artifacthub.io/changes: |
- kind: added
description: Initial release with OpenLDAP, phpLDAPadmin, and Keycloak
description: Support for existingSecret in OpenLDAP credentials
- kind: added
description: LDAP Federation auto-configuration for Keycloak
description: Support for existingSecret in Keycloak admin credentials
- kind: added
description: Bootstrap support for automatic OU creation
description: Support for existingSecret in Keycloak database credentials
- kind: added
description: NetworkPolicy, PodDisruptionBudget, and ServiceMonitor support
- kind: added
description: Multiple service types (ClusterIP, NodePort, LoadBalancer)
description: Production values example with LoadBalancer and external secrets
keywords:
- ldap
- openldap
8 changes: 8 additions & 0 deletions templates/_helpers.tpl
Expand Up @@ -131,14 +131,22 @@ app.kubernetes.io/component: keycloak
Secret name for OpenLDAP credentials
*/}}
{{- define "ldap-stack.openldap.secretName" -}}
{{- if .Values.openldap.existingSecret -}}
{{- .Values.openldap.existingSecret }}
{{- else -}}
{{- printf "%s-openldap-credentials" (include "ldap-stack.fullname" .) }}
{{- end -}}
{{- end }}

{{/*
Secret name for Keycloak credentials
*/}}
{{- define "ldap-stack.keycloak.secretName" -}}
{{- if .Values.keycloak.existingSecret -}}
{{- .Values.keycloak.existingSecret }}
{{- else -}}
{{- printf "%s-keycloak-credentials" (include "ldap-stack.fullname" .) }}
{{- end -}}
{{- end }}

{{/*
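Review bot: The header comments `Secret name for OpenLDAP credentials` (131) and `Secret name for Keycloak credentials` (140) no longer describe what the helpers do now that each has two branches, and a reader of the deployment templates cannot tell which name wins without opening the definition. Suggest `Secret name for OpenLDAP credentials: .Values.openldap.existingSecret when set, otherwise the chart-managed <fullname>-openldap-credentials Secret.` and the equivalent wording for the Keycloak helper. The opening `{{/*` of the first comment sits above the hunk.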
19 changes: 17 additions & 2 deletions templates/keycloak-deployment.yaml
Expand Up @@ -50,12 +50,12 @@ spec:
valueFrom:
secretKeyRef:
name: {{ include "ldap-stack.keycloak.secretName" . }}
key: admin-username
key: {{ .Values.keycloak.secretKeys.adminUsername | default "admin-username" }}
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "ldap-stack.keycloak.secretName" . }}
key: admin-password
key: {{ .Values.keycloak.secretKeys.adminPassword | default "admin-password" }}
- name: KC_HEALTH_ENABLED
value: "true"
- name: KC_METRICS_ENABLED
Expand All @@ -74,6 +74,20 @@ spec:
value: {{ .Values.keycloak.production.database.port | quote }}
- name: KC_DB_URL_DATABASE
value: {{ .Values.keycloak.production.database.database | quote }}
{{- if .Values.keycloak.production.database.existingSecret }}
# Database credentials from existing secret
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.keycloak.production.database.existingSecret }}
key: {{ .Values.keycloak.production.database.secretKeys.username | default "username" }}
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.keycloak.production.database.existingSecret }}
key: {{ .Values.keycloak.production.database.secretKeys.password | default "password" }}
{{- else }}
# Database credentials from values
- name: KC_DB_USERNAME
value: {{ .Values.keycloak.production.database.username | quote }}
- name: KC_DB_PASSWORD
Expand All @@ -82,6 +96,7 @@ spec:
name: {{ include "ldap-stack.keycloak.secretName" . }}
key: db-password
{{- end }}
{{- end }}
# LDAP connection info (for realm import and reference)
- name: LDAP_URL
value: {{ include "ldap-stack.openldap.url" . | quote }}
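Review bot: With `keycloak.existingSecret` set but `keycloak.production.database.existingSecret` empty, the `{{- else }}` branch (89-98) still reads `db-password` from `include "ldap-stack.keycloak.secretName"`, which now resolves to the user-supplied admin Secret; the chart's own Secret in templates/keycloak-secret.yaml is skipped entirely in that case, and the values.yaml comment only promises the `admin-username`/`admin-password` keys. The pod would fail at container creation with a missing-key error instead of at `helm install`. Either document `db-password` as a required key of `keycloak.existingSecret`, or fail early right after `{{- else }}` with `{{- if .Values.keycloak.existingSecret }}{{ fail "keycloak.production.database.existingSecret is required when keycloak.existingSecret is set" }}{{ end }}`. This assumes the DB env block is only rendered in production mode; the guard that the `{{- end }}` at 98 closes opens above the hunk, so that needs confirming.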
4 changes: 2 additions & 2 deletions templates/keycloak-secret.yaml
@@ -1,4 +1,4 @@
{{- if .Values.keycloak.enabled }}
{{- if and .Values.keycloak.enabled (not .Values.keycloak.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -9,7 +9,7 @@ type: Opaque
data:
admin-username: {{ required "keycloak.admin.username is required" .Values.keycloak.admin.username | b64enc | quote }}
admin-password: {{ required "keycloak.admin.password is required" .Values.keycloak.admin.password | b64enc | quote }}
{{- if and (not .Values.keycloak.devMode) .Values.keycloak.production.database.password }}
{{- if and (not .Values.keycloak.devMode) .Values.keycloak.production.database.password (not .Values.keycloak.production.database.existingSecret) }}
db-password: {{ .Values.keycloak.production.database.password | b64enc | quote }}
{{- end }}
{{- end }}
4 changes: 2 additions & 2 deletions templates/openldap-deployment.yaml
Expand Up @@ -41,12 +41,12 @@ spec:
valueFrom:
secretKeyRef:
name: {{ include "ldap-stack.openldap.secretName" . }}
key: admin-password
key: {{ .Values.openldap.secretKeys.adminPassword | default "admin-password" }}
- name: LDAP_CONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "ldap-stack.openldap.secretName" . }}
key: config-password
key: {{ .Values.openldap.secretKeys.configPassword | default "config-password" }}
- name: LDAP_TLS
value: {{ .Values.openldap.tls.enabled | quote }}
- name: LDAP_TLS_ENFORCE
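Review bot: The `secretKeys` override at 44 and 50 is applied regardless of whether `openldap.existingSecret` is set, so a user who changes `secretKeys.adminPassword` while keeping the chart-managed Secret gets a Deployment that references a key the Secret presumably does not emit (the data keys of templates/openldap-secret.yaml are not in this diff, so this is inferred from the literal `admin-password`/`config-password` the old lines used). Either consult the override only on the existing-secret path, `key: {{ if .Values.openldap.existingSecret }}{{ .Values.openldap.secretKeys.adminPassword | default "admin-password" }}{{ else }}admin-password{{ end }}`, or derive the chart Secret's data keys from the same values so both sides cannot drift. The same pattern appears in templates/keycloak-deployment.yaml at 53 and 59.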
9 changes: 7 additions & 2 deletions templates/openldap-pvc.yaml
@@ -1,4 +1,5 @@
{{- if and .Values.openldap.enabled .Values.openldap.persistence.enabled }}
{{- $storageClass := .Values.openldap.persistence.storageClass | default .Values.global.storageClass }}
---
apiVersion: v1
kind: PersistentVolumeClaim
Expand All @@ -12,7 +13,9 @@ spec:
resources:
requests:
storage: {{ .Values.openldap.persistence.data.size }}
{{- include "ldap-stack.storageClass" . | nindent 2 }}
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
---
apiVersion: v1
kind: PersistentVolumeClaim
Expand All @@ -26,5 +29,7 @@ spec:
resources:
requests:
storage: {{ .Values.openldap.persistence.config.size }}
{{- include "ldap-stack.storageClass" . | nindent 2 }}
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
{{- end }}
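Review bot: `storageClassName: {{ $storageClass }}` at 16 and 32 renders the value as a plain scalar, so the common `storageClass: "-"` convention for disabling dynamic provisioning (which the removed `ldap-stack.storageClass` helper may have handled; its body is not in this diff) now yields `storageClassName: -`, a request for a class literally named `-`, and there is no remaining way to render `storageClassName: ""`. Suggest keeping the `{{- if $storageClass }}` guard and emitting `storageClassName: {{ if eq $storageClass "-" }}""{{ else }}{{ $storageClass | quote }}{{ end }}` in both PVCs. If the helper has no other callers after this change it should be removed from _helpers.tpl as well. Both PVC bodies are cut by the hunks, with their metadata stanzas outside.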
2 changes: 1 addition & 1 deletion templates/openldap-secret.yaml
@@ -1,4 +1,4 @@
{{- if .Values.openldap.enabled }}
{{- if and .Values.openldap.enabled (not .Values.openldap.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
72 changes: 60 additions & 12 deletions values.schema.json
Expand Up @@ -66,11 +66,10 @@
},
"config": {
"type": "object",
"description": "LDAP Configuration (REQUIRED)",
"description": "LDAP Configuration",
"required": [
"organisation",
"domain",
"adminPassword"
"domain"
],
"properties": {
"organisation": {
Expand All @@ -86,15 +85,32 @@
},
"adminPassword": {
"type": "string",
"description": "Admin password",
"minLength": 1
"description": "Admin password (required if existingSecret is not set)"
},
"configPassword": {
"type": "string",
"description": "Config password (optional, defaults to adminPassword)"
}
}
},
"existingSecret": {
"type": "string",
"description": "Name of existing secret containing OpenLDAP credentials"
},
"secretKeys": {
"type": "object",
"description": "Keys in the existing secret",
"properties": {
"adminPassword": {
"type": "string",
"default": "admin-password"
},
"configPassword": {
"type": "string",
"default": "config-password"
}
}
},
"tls": {
"type": "object",
"description": "TLS Configuration",
Expand Down Expand Up @@ -442,19 +458,33 @@
},
"admin": {
"type": "object",
"description": "Keycloak admin credentials (REQUIRED)",
"required": [
"username",
"password"
],
"description": "Keycloak admin credentials (required if existingSecret is not set)",
"properties": {
"username": {
"type": "string",
"minLength": 1
"description": "Admin username"
},
"password": {
"type": "string",
"minLength": 1
"description": "Admin password"
}
}
},
"existingSecret": {
"type": "string",
"description": "Name of existing secret containing Keycloak admin credentials"
},
"secretKeys": {
"type": "object",
"description": "Keys in the existing secret",
"properties": {
"adminUsername": {
"type": "string",
"default": "admin-username"
},
"adminPassword": {
"type": "string",
"default": "admin-password"
}
}
},
Expand Down Expand Up @@ -502,6 +532,24 @@
},
"password": {
"type": "string"
},
"existingSecret": {
"type": "string",
"description": "Name of existing secret containing database credentials"
},
"secretKeys": {
"type": "object",
"description": "Keys in the existing secret",
"properties": {
"username": {
"type": "string",
"default": "username"
},
"password": {
"type": "string",
"default": "password"
}
}
}
}
}
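Review bot: Dropping `adminPassword` from `required` and removing its `minLength: 1` (69-76 and 86-89) means a values file with neither `config.adminPassword` nor `existingSecret` set now passes schema validation and only fails later, at render time, if the Secret template carries a `required` check; the same applies to the Keycloak `admin` block at 458-471, whose `required` list and `minLength` constraints are gone too. If the schema declares draft-07 or later, the invariant can still be expressed with an `if`/`then` on the enclosing object: `if` `existingSecret` is absent or empty, `then` require `config.adminPassword` (and `admin.username`/`admin.password`) with `minLength: 1`. The `default` values on the new `secretKeys` properties are annotation-only in JSON Schema, so the real defaults live in values.yaml and the template `| default` calls; a `description` saying so would save the next maintainer from changing one copy.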
22 changes: 21 additions & 1 deletion values.yaml
Expand Up @@ -31,6 +31,13 @@ openldap:
adminPassword: "" # Admin password
configPassword: "" # Config password (optional, defaults to adminPassword)

# Use existing secret for OpenLDAP credentials (recommended for production)
# Secret must contain keys: admin-password, config-password
existingSecret: ""
secretKeys:
adminPassword: "admin-password"
configPassword: "config-password"

# TLS Configuration
tls:
enabled: true
Expand Down Expand Up @@ -72,7 +79,8 @@ openldap:
# Persistence
persistence:
enabled: true
size: 1Gi
# Storage class (overrides global.storageClass)
storageClass: ""
# Separate PVCs for data and config
data:
size: 1Gi
Expand Down Expand Up @@ -194,6 +202,13 @@ keycloak:
username: ""
password: ""

# Use existing secret for Keycloak admin credentials (recommended for production)
# Secret must contain keys: admin-username, admin-password
existingSecret: ""
secretKeys:
adminUsername: "admin-username"
adminPassword: "admin-password"

# Run in development mode (start-dev)
devMode: true

Expand All @@ -208,6 +223,11 @@ keycloak:
database: keycloak
username: ""
password: ""
# Use existing secret for database credentials (recommended for production)
existingSecret: ""
secretKeys:
username: "username"
password: "password"

# Service configuration
service:
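Review bot: The comments at 35 and 206 promise fixed key names (`Secret must contain keys: admin-password, config-password`) although the `secretKeys` map right below makes them configurable, and the database block at 226 does not say which keys are read at all. Suggest `# Secret must contain the keys named in secretKeys below (defaults: admin-password, config-password)`, the same form at 206, and `# Secret must contain the keys named in secretKeys below (defaults: username, password)` at 226. The removal of `persistence.size` at 82 and the new `persistence.storageClass` are not mentioned in the Chart.yaml changes list; if any users set the old key, a changelog entry would be warranted.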