[lldap] Support ldaps, use rootless image for read only filesystem, fix selectorLabels

alexmorbo · alexmorbo · commit 1fbbc0cd7274 · 2025-06-11T13:10:03.000+03:00
diff --git a/charts/lldap/Chart.yaml b/charts/lldap/Chart.yaml
@@ -3,7 +3,7 @@ kubeVersion: ">=1.23.0-0"
 name: lldap
 description: LLDAP helm chart for Kubernetes
 type: application
-version: 1.0.6
+version: 1.0.7
 appVersion: "0.6.1"
 maintainers:
   - name: AlexMorbo
diff --git a/charts/lldap/README.md b/charts/lldap/README.md
@@ -1,7 +1,7 @@
 
 # lldap
 
-![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square)
+![Version: 1.0.7](https://img.shields.io/badge/Version-1.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.6.1](https://img.shields.io/badge/AppVersion-0.6.1-informational?style=flat-square)
 
 LLDAP helm chart for Kubernetes
 
@@ -33,10 +33,9 @@ helm install lldap oci://ghcr.io/alexmorbo/helm-charts/lldap
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| annotations | object | `{}` |  |
-| env.GID | string | `"1001"` |  |
+| env.GID | string | `"1000"` |  |
 | env.TZ | string | `"UTC"` |  |
-| env.UID | string | `"1001"` |  |
+| env.UID | string | `"1000"` |  |
 | extraEnv | list | `[]` | Environment variables to add to the lldap pods |
 | extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add to the lldap pods |
 | extraInitContainers | list | `[]` |  |
@@ -62,7 +61,8 @@ helm install lldap oci://ghcr.io/alexmorbo/helm-charts/lldap
 | persistence.size | string | `"100Mi"` | Size of persistent disk |
 | persistence.storageClass | string | `""` |  |
 | persistence.volumeName | string | `""` | Name of the permanent volume to reference in the claim. Can be used to bind to existing volumes. |
-| podSecurityContext.fsGroup | int | `65534` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext.fsGroup | int | `1000` |  |
 | podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
@@ -75,17 +75,19 @@ helm install lldap oci://ghcr.io/alexmorbo/helm-charts/lldap
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | securityContext.privileged | bool | `false` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
-| securityContext.runAsGroup | int | `65534` |  |
+| securityContext.runAsGroup | int | `1000` |  |
 | securityContext.runAsNonRoot | bool | `true` |  |
-| securityContext.runAsUser | int | `65534` |  |
+| securityContext.runAsUser | int | `1000` |  |
 | securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | service.annotations | object | `{}` |  |
 | service.http_port | int | `17170` |  |
 | service.ldap_port | int | `3890` |  |
+| service.ldaps_enabled | bool | `false` |  |
+| service.ldaps_port | int | `6360` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template |
 | tolerations | list | `[]` |  |
-| updateStrategy | object | `{"type":"Recreate"}` | Deployment strategy |
+| updateStrategy | object | `{"type":"RollingUpdate"}` | Deployment strategy |
diff --git a/charts/lldap/templates/_helpers.tpl b/charts/lldap/templates/_helpers.tpl
@@ -82,3 +82,10 @@ Create the name of the secret to use
 {{- define "lldap.secretName" -}}
 {{- printf "%s-secret" (include "lldap.fullname" .) }}
 {{- end }}
+
+{{/*
+Create the name of the tls secret to use
+*/}}
+{{- define "lldap.certsSecretName" -}}
+{{- printf "%s-tls" (include "lldap.fullname" .) }}
+{{- end }}
diff --git a/charts/lldap/templates/deployment.yaml b/charts/lldap/templates/deployment.yaml
@@ -4,22 +4,25 @@ metadata:
   name: {{ include "lldap.fullname" . }}
   labels:
     {{- include "lldap.labels" . | nindent 4 }}
-  {{- with .Values.annotations }}
+  {{- with .Values.podAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      {{- include "lldap.labels" . | nindent 6 }}
+      {{- include "lldap.selectorLabels" . | nindent 6 }}
   strategy:
     type: {{ .Values.updateStrategy.type }}
   template:
     metadata:
       labels:
         {{- include "lldap.labels" . | nindent 8 }}
-      {{- with .Values.annotations }}
+        {{- with .Values.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -37,10 +40,18 @@ spec:
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- $imageSuffix := "" }}
+          {{- if .Values.securityContext.readOnlyRootFilesystem }}
+            {{- $imageSuffix = "-rootless" }}
+          {{- end }}
           {{- if .Values.image.sha }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}@sha256:{{ .Values.image.sha }}"
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ $imageSuffix }}@sha256:{{ .Values.image.sha }}"
           {{- else }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ $imageSuffix }}"
+          {{- end }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- with .Values.resources }}
@@ -69,6 +80,14 @@ spec:
                 secretKeyRef:
                   name: {{ include "lldap.secretName" . }}
                   key: lldap-ldap-user-pass
+            {{- if .Values.service.ldaps_enabled }}
+            - name: LLDAP_LDAPS_OPTIONS__ENABLED
+              value: "true"
+            - name: LLDAP_LDAPS_OPTIONS__CERT_FILE
+              value: "/etc/ssl/certs/tls.crt"
+            - name: LLDAP_LDAPS_OPTIONS__KEY_FILE
+              value: "/etc/ssl/certs/tls.key"
+            {{- end }}
           {{- with .Values.extraEnv }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -83,17 +102,32 @@ spec:
             - name: ldap
               containerPort: {{ .Values.service.ldap_port }}
               protocol: TCP
-          {{- if .Values.persistence.enabled }}
+            {{- if .Values.service.ldaps_enabled }}
+            - name: ldaps
+              containerPort: {{ .Values.service.ldaps_port }}
+              protocol: TCP
+            {{- end }}
           volumeMounts:
             - mountPath: /data
               name: lldap-data
-          {{- end }}
-      {{- if .Values.persistence.enabled }}
+            {{- if .Values.service.ldaps_enabled }}
+            - mountPath: /etc/ssl/certs
+              name: lldap-certs
+            {{- end }}
       volumes:
         - name: lldap-data
+          {{- if .Values.persistence.enabled }}
           persistentVolumeClaim:
             claimName: {{ include "lldap.persistenceName" . }}
-      {{- end }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        {{- if .Values.service.ldaps_enabled }}
+        - name: lldap-certs
+          secret:
+            secretName: {{ include "lldap.certsSecretName" . }}
+            defaultMode: 0644
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/lldap/templates/ingress.yaml b/charts/lldap/templates/ingress.yaml
@@ -20,7 +20,7 @@ spec:
         {{- range .hosts }}
         - {{ . | quote }}
         {{- end }}
-      secretName: {{ .secretName }}
+      secretName: {{ include "lldap.certsSecretName" $ }}
     {{- end }}
   {{- end }}
   rules:
diff --git a/charts/lldap/templates/service.yaml b/charts/lldap/templates/service.yaml
@@ -15,6 +15,12 @@ spec:
       targetPort: ldap
       protocol: TCP
       name: ldap
+    {{- if .Values.service.ldaps_enabled }}
+    - port: {{ .Values.service.ldaps_port }}
+      targetPort: ldaps
+      protocol: TCP
+      name: ldaps
+    {{- end }}
     - port: {{ .Values.service.http_port }}
       targetPort: http
       protocol: TCP
diff --git a/charts/lldap/values.yaml b/charts/lldap/values.yaml
@@ -12,11 +12,11 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-annotations: {}
+podAnnotations: {}
 
 # -- Deployment strategy
 updateStrategy:
-  type: Recreate
+  type: RollingUpdate
 
 # -- Environment variables to add to the lldap pods
 extraEnv: []
@@ -60,8 +60,8 @@ persistence:
 
 env:
   TZ: "UTC"
-  GID: "1001"
-  UID: "1001"
+  GID: "1000"
+  UID: "1000"
 
 resources: {}
 #  limits:
@@ -78,7 +78,7 @@ tolerations: []
 affinity: {}
 
 podSecurityContext:
-  fsGroup: 65534
+  fsGroup: 1000
   fsGroupChangePolicy: OnRootMismatch
 
 securityContext:
@@ -89,16 +89,18 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   privileged: false
-  runAsUser: 65534
-  runAsGroup: 65534
+  runAsUser: 1000
+  runAsGroup: 1000
   seccompProfile:
     type: RuntimeDefault
 
 service:
   type: ClusterIP
   annotations: {}
   ldap_port: 3890
+  ldaps_port: 6360
   http_port: 17170
+  ldaps_enabled: false
 
 ingress:
   enabled: false
@@ -112,6 +114,5 @@ ingress:
         - path: /
           pathType: ImplementationSpecific
   tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
+  #  - hosts:
   #      - chart-example.local
