[bitnami/nginx] Remove nginx-ldap-auth-daemon dependency for Bitnami Nginx Chart (#9645)

* Remove nginx-ldap-auth-daemon dependency for Bitnami Nginx Chart

Signed-off-by: michield <michield@vmware.com>

* Update README information about major version upgrade

Signed-off-by: michield <michield@vmware.com>

* Remove nginx-server-block-paths

Signed-off-by: michield <michield@vmware.com>

* Remove remaining server-block-path logic

Signed-off-by: michield <michield@vmware.com>

* Fix indentation

Signed-off-by: michield <michield@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <containers@bitnami.com>

* [bitnami/nginx] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: michield <michield@vmware.com>
Co-authored-by: Bitnami Containers <containers@bitnami.com>
This commit is contained in:
Michiel
2022-04-05 15:39:36 +02:00
committed by GitHub
parent 2dd89eb085
commit 86e7b00a2d
8 changed files with 88 additions and 460 deletions


@@ -25,4 +25,4 @@ name: nginx
sources:
- https://github.com/bitnami/bitnami-docker-nginx
- https://www.nginx.org
version: 9.9.9
version: 10.0.0


@@ -76,83 +76,83 @@ The command removes all the Kubernetes components associated with the chart and
### NGINX parameters
| Name | Description | Value |
| -------------------- | -------------------------------------------------------------------- | --------------------- |
| `image.registry` | NGINX image registry | `docker.io` |
| `image.repository` | NGINX image repository | `bitnami/nginx` |
| `image.tag` | NGINX image tag (immutable tags are recommended) | `1.21.5-debian-10-r3` |
| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
| Name | Description | Value |
| -------------------- | -------------------------------------------------------------------- | ---------------------- |
| `image.registry` | NGINX image registry | `docker.io` |
| `image.repository` | NGINX image repository | `bitnami/nginx` |
| `image.tag` | NGINX image tag (immutable tags are recommended) | `1.21.6-debian-10-r65` |
| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
### NGINX deployment parameters
| Name | Description | Value |
| --------------------------------------- | ----------------------------------------------------------------------------------------- | ------- |
| `replicaCount` | Number of NGINX replicas to deploy | `1` |
| `updateStrategy.type` | NGINX deployment strategy type | `""` |
| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` |
| `podLabels` | Additional labels for NGINX pods | `{}` |
| `podAnnotations` | Annotations for NGINX pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` |
| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `{}` |
| `priorityClassName` | Priority class name | `""` |
| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `false` |
| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` |
| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` |
| `containerSecurityContext.enabled` | Enabled NGINX containers' Security Context | `false` |
| `containerSecurityContext.runAsUser` | Set NGINX container's Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set NGINX container's Security Context runAsNonRoot | `true` |
| `containerPorts.http` | Sets http port inside NGINX container | `8080` |
| `containerPorts.https` | Sets https port inside NGINX container | `""` |
| `resources.limits` | The resources limits for the NGINX container | `{}` |
| `resources.requests` | The requested resources for the NGINX container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` |
| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` |
| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` |
| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
| `extraVolumes` | Array to add extra volumes | `[]` |
| `extraVolumeMounts` | Array to add extra mount | `[]` |
| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` |
| `sidecars` | Sidecar parameters | `[]` |
| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` |
| `initContainers` | Extra init containers | `[]` |
| `pdb.create` | Created a PodDisruptionBudget | `false` |
| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `0` |
| Name | Description | Value |
| --------------------------------------- | ----------------------------------------------------------------------------------------- | --------------- |
| `replicaCount` | Number of NGINX replicas to deploy | `1` |
| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` |
| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` |
| `podLabels` | Additional labels for NGINX pods | `{}` |
| `podAnnotations` | Annotations for NGINX pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` |
| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `{}` |
| `priorityClassName` | Priority class name | `""` |
| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `false` |
| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` |
| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` |
| `containerSecurityContext.enabled` | Enabled NGINX containers' Security Context | `false` |
| `containerSecurityContext.runAsUser` | Set NGINX container's Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set NGINX container's Security Context runAsNonRoot | `true` |
| `containerPorts.http` | Sets http port inside NGINX container | `8080` |
| `containerPorts.https` | Sets https port inside NGINX container | `""` |
| `resources.limits` | The resources limits for the NGINX container | `{}` |
| `resources.requests` | The requested resources for the NGINX container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` |
| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` |
| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` |
| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
| `extraVolumes` | Array to add extra volumes | `[]` |
| `extraVolumeMounts` | Array to add extra mount | `[]` |
| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` |
| `sidecars` | Sidecar parameters | `[]` |
| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` |
| `initContainers` | Extra init containers | `[]` |
| `pdb.create` | Created a PodDisruptionBudget | `false` |
| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `0` |
### Custom NGINX application parameters
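Review bot: The regenerated defaults in this table are already behind values.yaml in the same commit: `image.tag` reads `1.21.6-debian-10-r65` here while the values.yaml hunk further down bumps it to `1.21.6-debian-10-r67` (the git and exporter image tags show the same one-step lag). Re-run readme-generator-for-helm after the component version bump so the documented defaults match what the chart actually deploys. The `updateStrategy.type` default moving from `""` to `RollingUpdate` has no matching values.yaml hunk in this diff, so it looks like the generator catching up with an earlier change; worth confirming that is intended.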
@@ -162,7 +162,7 @@ The command removes all the Kubernetes components associated with the chart and
| `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` |
| `cloneStaticSiteFromGit.image.registry` | Git image registry | `docker.io` |
| `cloneStaticSiteFromGit.image.repository` | Git image repository | `bitnami/git` |
| `cloneStaticSiteFromGit.image.tag` | Git image tag (immutable tags are recommended) | `2.34.1-debian-10-r33` |
| `cloneStaticSiteFromGit.image.tag` | Git image tag (immutable tags are recommended) | `2.35.1-debian-10-r64` |
| `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` |
| `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` |
@@ -180,41 +180,6 @@ The command removes all the Kubernetes components associated with the chart and
| `staticSitePVC` | Name of existing PVC with the server static site content | `""` |
### LDAP parameters
| Name | Description | Value |
| ----------------------------------------------- | ---------------------------------------------------------------------------------------- | -------------------------------- |
| `ldapDaemon.enabled` | Enable LDAP Auth Daemon proxy | `false` |
| `ldapDaemon.image.registry` | LDAP AUth Daemon Image registry | `docker.io` |
| `ldapDaemon.image.repository` | LDAP Auth Daemon Image repository | `bitnami/nginx-ldap-auth-daemon` |
| `ldapDaemon.image.tag` | LDAP Auth Daemon Image tag (immutable tags are recommended) | `0.20200116.0-debian-10-r556` |
| `ldapDaemon.image.pullPolicy` | LDAP Auth Daemon Image pull policy | `IfNotPresent` |
| `ldapDaemon.port` | LDAP Auth Daemon port | `8888` |
| `ldapDaemon.ldapConfig.uri` | LDAP Server URI, `ldap[s]:/<hostname>:<port>` | `""` |
| `ldapDaemon.ldapConfig.baseDN` | LDAP root DN to begin the search for the user | `""` |
| `ldapDaemon.ldapConfig.bindDN` | DN of user to bind to LDAP | `""` |
| `ldapDaemon.ldapConfig.bindPassword` | Password for the user to bind to LDAP | `""` |
| `ldapDaemon.ldapConfig.filter` | LDAP search filter for search | `""` |
| `ldapDaemon.ldapConfig.httpRealm` | LDAP HTTP auth realm | `""` |
| `ldapDaemon.ldapConfig.httpCookieName` | HTTP cookie name to be used in LDAP Auth | `""` |
| `ldapDaemon.nginxServerBlock` | NGINX server block that configures LDAP communication. Overrides `ldapDaemon.ldapConfig` | `""` |
| `ldapDaemon.existingNginxServerBlockSecret` | Name of existing Secret with a NGINX server block to use for LDAP communication | `""` |
| `ldapDaemon.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `ldapDaemon.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `ldapDaemon.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `ldapDaemon.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `ldapDaemon.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `ldapDaemon.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `ldapDaemon.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `ldapDaemon.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `ldapDaemon.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `ldapDaemon.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `ldapDaemon.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `ldapDaemon.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `ldapDaemon.customLivenessProbe` | Custom Liveness probe | `{}` |
| `ldapDaemon.customReadinessProbe` | Custom Rediness probe | `{}` |
### Traffic Exposure parameters
| Name | Description | Value |
@@ -256,7 +221,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` |
| `metrics.image.registry` | NGINX Prometheus exporter image registry | `docker.io` |
| `metrics.image.repository` | NGINX Prometheus exporter image repository | `bitnami/nginx-exporter` |
| `metrics.image.tag` | NGINX Prometheus exporter image tag (immutable tags are recommended) | `0.10.0-debian-10-r8` |
| `metrics.image.tag` | NGINX Prometheus exporter image tag (immutable tags are recommended) | `0.10.0-debian-10-r98` |
| `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` |
@@ -346,89 +311,6 @@ serverBlock: |-
In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `existingServerBlockConfigmap` parameter. Note that this will override the previous option.
### Enabling LDAP
In some scenarios, you may require users to authenticate in order to gain access to protected resources. By enabling LDAP, NGINX will make use of an Authorization Daemon to proxy those identification requests against a given LDAP Server.
```
------------ -------------- ---------------
| NGINX | -----> | NGINX | -----> | LDAP |
| server | <----- | ldap daemon | <----- | server |
------------ -------------- ---------------
```
In order to enable LDAP authentication you can set the `ldapDaemon.enabled` property and follow these steps:
1. NGINX server needs to be configured to be self-aware of the proxy. In order to do so, use the `ldapDaemon.nginxServerBlock` property to provide with an additional server block, that will instruct NGINX to use it (see `values.yaml`). Alternatively, you can specify this server block configuration using an external Secret using the property `ldapDaemon.existingNginxServerBlockSecret`.
2. Supply your LDAP Server connection details either in the aforementioned server block (setting request headers) or specifying them in `ldapDaemon.ldapConfig`. e.g. The following two approaches are equivalent:
_Approach A) Specify connection details using the `ldapDaemon.ldapConfig` property_
```yaml
ldapDaemon:
enabled: true
ldapConfig:
uri: "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT"
baseDN: "dc=example,dc=org"
bindDN: "cn=admin,dc=example,dc=org"
bindPassword: "adminpassword"
nginxServerBlock: |-
server {
listen 0.0.0.0:{{ .Values.containerPorts.http }};
# You can provide a special subPath or the root
location = / {
auth_request /auth-proxy;
}
location = /auth-proxy {
internal;
proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
}
}
```
_Approach B) Specify connection details directly in the server block_
```yaml
ldapDaemon:
enabled: true
nginxServerBlock: |-
server {
listen 0.0.0.0:{{ .Values.containerPorts.http }};
# You can provide a special subPath or the root
location = / {
auth_request /auth-proxy;
}
location = /auth-proxy {
internal;
proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
###############################################################
# YOU SHOULD CHANGE THE FOLLOWING TO YOUR LDAP CONFIGURATION #
###############################################################
# URL and port for connecting to the LDAP server
proxy_set_header X-Ldap-URL "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT";
# Base DN
proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";
# Bind DN
proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";
# Bind password
proxy_set_header X-Ldap-BindPass "adminpassword";
}
}
```
### Adding extra environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property.
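Review bot: Removing the "Enabling LDAP" walkthrough leaves the README with no replacement guidance for users who relied on this chart to put `auth_request` in front of protected paths. A short pointer in the 10.0.0 upgrade note to the remaining supported path (an `auth_request` location inside a user-supplied `serverBlock` or `existingServerBlockConfigmap`, backed by an auth service the user runs themselves) would help those users plan the migration. As a side benefit, the removed examples carried a literal `bindPassword: "adminpassword"` and an `X-Ldap-BindPass` header in plain text, so the docs no longer demonstrate shipping bind credentials in values files.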
@@ -471,6 +353,10 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 10.0.0
This major release no longer uses the bitnami/nginx-ldap-auth-daemon container as a dependency since its upstream project is not actively maintained.
### To 8.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
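Review bot: The 10.0.0 note explains why the daemon was dropped but not what happens to existing releases. Helm does not reject values the chart no longer reads, so a `helm upgrade` with `ldapDaemon.enabled: true` still present in the release values succeeds, and the resulting pod serves every path that used to sit behind `auth_request` with no authentication at all, because the `nginx-server-block-ldap` mount and the sidecar are simply gone. Please say that explicitly here, and tell users to move their `auth_request` configuration into `serverBlock` (pointing at an auth backend they operate) before upgrading rather than after.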


@@ -48,6 +48,5 @@ To access NGINX from outside the cluster, follow the steps below:
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.cloneStaticSiteFromGit.image }}
{{- include "common.warnings.rollingTag" .Values.ldapDaemon.image }}
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
{{- include "nginx.validateValues" . }}


@@ -13,13 +13,6 @@ Return the proper GIT image name
{{ include "common.images.image" (dict "imageRoot" .Values.cloneStaticSiteFromGit.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper DAP Auth Daemon image name
*/}}
{{- define "nginx.ldapDaemon.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.ldapDaemon.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Prometheus metrics image name
*/}}
@@ -31,7 +24,7 @@ Return the proper Prometheus metrics image name
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "nginx.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.ldapDaemon.image .Values.metrics.image) "global" .Values.global) }}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "global" .Values.global) }}
{{- end -}}
{{/*
@@ -69,17 +62,6 @@ Return the custom NGINX server block configmap.
{{- end -}}
{{- end -}}
{{/*
Return the custom NGINX server block secret for LDAP.
*/}}
{{- define "ldap.nginxServerBlockSecret" -}}
{{- if .Values.ldapDaemon.existingNginxServerBlockSecret -}}
{{- printf "%s" (tpl .Values.ldapDaemon.existingNginxServerBlockSecret $) -}}
{{- else -}}
{{- printf "%s-ldap-daemon" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
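Review bot: With the `ldap.nginxServerBlockSecret` helper gone, nothing in the chart notices leftover `ldapDaemon` values. Since `nginx.validateValues` already exists to compile warnings and call fail (the comment closing this hunk), consider adding a message there that fails the render when the old toggle is still set, for example `{{- if and .Values.ldapDaemon .Values.ldapDaemon.enabled }}`; the `and` guard matters because `ldapDaemon` no longer exists in the default values and a bare `.Values.ldapDaemon.enabled` would panic on nil. That turns a stale values file into a hard error at upgrade time instead of a silently unauthenticated server.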


@@ -200,17 +200,9 @@ spec:
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.ldapDaemon.enabled }}
- name: nginx-server-block-paths
mountPath: /opt/bitnami/nginx/conf/server_blocks
{{- end }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
- name: nginx-server-block
mountPath: /opt/bitnami/nginx/conf/server_blocks/common
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: nginx-server-block-ldap
mountPath: /opt/bitnami/nginx/conf/server_blocks/ldap
mountPath: /opt/bitnami/nginx/conf/server_blocks
{{- end }}
{{- if (include "nginx.useStaticSite" .) }}
- name: staticsite
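Review bot: The `nginx-server-block` ConfigMap is now mounted over `/opt/bitnami/nginx/conf/server_blocks` itself instead of the `common` subdirectory. A ConfigMap volume mount replaces the directory contents, so anything the image ships under `server_blocks` is hidden behind the single `server-block.conf` key, and the `include` glob in the image's nginx.conf has to pick that file up from the directory root now that the `server-blocks-paths.conf` indirection is gone. Please confirm the image's nginx.conf includes `server_blocks/*.conf` directly, or the user-supplied server block will stop being loaded without any error from the chart.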
@@ -219,57 +211,6 @@ spec:
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: ldap-daemon
image: {{ include "nginx.ldapDaemon.image" . }}
imagePullPolicy: {{ .Values.ldapDaemon.image.pullPolicy | quote }}
env:
- name: NGINXLDAP_PORT_NUMBER
value: {{ .Values.ldapDaemon.port | quote }}
- name: NGINXLDAP_LDAP_URI
value: {{ .Values.ldapDaemon.ldapConfig.uri | quote }}
- name: NGINXLDAP_LDAP_BASE_DN
value: {{ .Values.ldapDaemon.ldapConfig.baseDN | quote }}
- name: NGINXLDAP_LDAP_BIND_DN
value: {{ .Values.ldapDaemon.ldapConfig.bindDN | quote }}
- name: NGINXLDAP_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "common.names.fullname" . }}-ldap-daemon
key: ldap-daemon-ldap-bind-password
- name: NGINXLDAP_LDAP_FILTER
value: {{ .Values.ldapDaemon.ldapConfig.filter | quote }}
- name: NGINXLDAP_HTTP_REALM
value: {{ .Values.ldapDaemon.ldapConfig.httpRealm | quote }}
- name: NGINXLDAP_HTTP_COOKIE_NAME
value: {{ .Values.ldapDaemon.ldapConfig.httpCookieName | quote }}
ports:
- name: ldap-daemon
containerPort: {{ .Values.ldapDaemon.port }}
{{- if .Values.ldapDaemon.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: ldap-daemon
periodSeconds: {{ .Values.ldapDaemon.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.ldapDaemon.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.ldapDaemon.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.ldapDaemon.livenessProbe.failureThreshold }}
{{- else if .Values.ldapDaemon.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ldapDaemon.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.ldapDaemon.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: ldap-daemon
initialDelaySeconds: {{ .Values.ldapDaemon.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.ldapDaemon.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.ldapDaemon.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.ldapDaemon.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.ldapDaemon.readinessProbe.failureThreshold }}
{{- else if .Values.ldapDaemon.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ldapDaemon.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "nginx.metrics.image" . }}
@@ -300,23 +241,12 @@ spec:
{{- with .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
{{- end }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}
volumes:
- name: nginx-server-block-paths
configMap:
name: {{ template "common.names.fullname" . }}-server-block
items:
- key: server-blocks-paths.conf
path: server-blocks-paths.conf
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
- name: nginx-server-block
configMap:
name: {{ include "nginx.serverBlockConfigmapName" . }}
{{- if or .Values.serverBlock }}
items:
- key: server-block.conf
path: server-block.conf
{{- end }}
{{- end }}
{{- if (include "nginx.useStaticSite" .) }}
- name: staticsite
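Review bot: Dropping the unconditional `nginx-server-block-paths` volume also removes a latent startup failure worth a line in the commit message: it referenced the `<fullname>-server-block` ConfigMap whenever the `volumes:` block rendered, including for `extraVolumes` or `existingServerBlockConfigmap` alone, while the configmap template only renders under `if and .Values.serverBlock (not .Values.existingServerBlockConfigmap)`. Those combinations would have left the pod waiting on a ConfigMap that never existed, so this is a behaviour change beyond the LDAP removal.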
@@ -325,9 +255,4 @@ spec:
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: nginx-server-block-ldap
secret:
secretName: {{ include "ldap.nginxServerBlockSecret" . }}
{{- end }}
{{- end }}


@@ -1,20 +0,0 @@
{{- if and .Values.ldapDaemon.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "common.names.fullname" . }}-ldap-daemon
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
ldap-daemon-ldap-bind-password: {{ .Values.ldapDaemon.ldapConfig.bindPassword | b64enc | quote }}
{{- if (not .Values.ldapDaemon.existingNginxServerBlockSecret) }}
ldap_nginx.conf: |-
{{ tpl .Values.ldapDaemon.nginxServerBlock . | b64enc | indent 4 }}
{{- end }}
{{- end }}


@@ -1,13 +1,10 @@
{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "common.names.fullname" . }}-server-block
labels: {{- include "common.labels.standard" . | nindent 4 }}
data:
server-blocks-paths.conf: |-
include "/opt/bitnami/nginx/conf/server_blocks/ldap/*.conf";
include "/opt/bitnami/nginx/conf/server_blocks/common/*.conf";
{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
server-block.conf: |-
{{ include "common.tplvalues.render" ( dict "value" .Values.serverBlock "context" $ ) | indent 4 }}
{{- end }}
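Review bot: The deleted Secret template rendered `commonLabels` and `commonAnnotations` onto its metadata, but this retained ConfigMap only emits `common.labels.standard`. Since the ConfigMap is now the only chart-managed object carrying user configuration, bring it in line with the rest of the templates by adding the same `commonLabels` / `commonAnnotations` blocks under `metadata:`, otherwise label-based policies or selectors applied via those values will miss it.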


@@ -52,7 +52,7 @@ commonAnnotations: {}
image:
registry: docker.io
repository: bitnami/nginx
tag: 1.21.6-debian-10-r65
tag: 1.21.6-debian-10-r67
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -344,7 +344,7 @@ cloneStaticSiteFromGit:
image:
registry: docker.io
repository: bitnami/git
tag: 2.35.1-debian-10-r64
tag: 2.35.1-debian-10-r65
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -429,147 +429,6 @@ staticSiteConfigmap: ""
##
staticSitePVC: ""
## @section LDAP parameters
## LDAP Auth Daemon Properties
## Daemon that will proxy LDAP requests between NGINX and a given LDAP Server
##
ldapDaemon:
## @param ldapDaemon.enabled Enable LDAP Auth Daemon proxy
##
enabled: false
## Bitnami NGINX LDAP Auth Daemon image
## ref: https://hub.docker.com/r/bitnami/nginx-ldap-auth-daemon/tags/
## @param ldapDaemon.image.registry LDAP AUth Daemon Image registry
## @param ldapDaemon.image.repository LDAP Auth Daemon Image repository
## @param ldapDaemon.image.tag LDAP Auth Daemon Image tag (immutable tags are recommended)
## @param ldapDaemon.image.pullPolicy LDAP Auth Daemon Image pull policy
##
image:
registry: docker.io
repository: bitnami/nginx-ldap-auth-daemon
tag: 0.20200116.0-debian-10-r632
pullPolicy: IfNotPresent
## @param ldapDaemon.port LDAP Auth Daemon port
##
port: 8888
## LDAP Auth Daemon Configuration
##
## These different properties define the form of requests performed
## against the given LDAP server
##
## BEWARE THAT THESE VALUES WILL BE IGNORED IF A CUSTOM LDAP SERVER BLOCK
## ALREADY SPECIFIES THEM.
##
##
ldapConfig:
## @param ldapDaemon.ldapConfig.uri LDAP Server URI, `ldap[s]:/<hostname>:<port>`
## Must follow the pattern -> ldap[s]:/<hostname>:<port>
##
uri: ""
## @param ldapDaemon.ldapConfig.baseDN LDAP root DN to begin the search for the user
##
baseDN: ""
## @param ldapDaemon.ldapConfig.bindDN DN of user to bind to LDAP
##
bindDN: ""
## @param ldapDaemon.ldapConfig.bindPassword Password for the user to bind to LDAP
##
bindPassword: ""
## @param ldapDaemon.ldapConfig.filter LDAP search filter for search
##
filter: ""
## @param ldapDaemon.ldapConfig.httpRealm LDAP HTTP auth realm
##
httpRealm: ""
## @param ldapDaemon.ldapConfig.httpCookieName HTTP cookie name to be used in LDAP Auth
##
httpCookieName: ""
## @param ldapDaemon.nginxServerBlock [string] NGINX server block that configures LDAP communication. Overrides `ldapDaemon.ldapConfig`
## NGINX Configuration File containing the directives (that define how LDAP requests are performed) and tells NGINX to
## use the LDAP Daemon as proxy. Besides, it defines the routes that will require of LDAP auth
## in order to be accessed.
##
## If LDAP directives are provided, they will take precedence over
## the ones specified in ldapConfig.
##
## This will be evaluated as a template.
##
nginxServerBlock: |-
server {
listen 0.0.0.0:{{ .Values.containerPorts.http }};
# You can provide a special subPath or the root
location = / {
auth_request /auth-proxy;
}
location = /auth-proxy {
internal;
proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
###############################################################
# YOU SHOULD CHANGE THE FOLLOWING TO YOUR LDAP CONFIGURATION #
###############################################################
# URL and port for connecting to the LDAP server
# proxy_set_header X-Ldap-URL "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT";
# Base DN
# proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";
# Bind DN
# proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";
# Bind password
# proxy_set_header X-Ldap-BindPass "adminpassword";
}
}
## @param ldapDaemon.existingNginxServerBlockSecret Name of existing Secret with a NGINX server block to use for LDAP communication
## Use an existing Secret holding an NGINX Configuration file that configures LDAP requests
## If provided, both nginxServerBlock and ldapConfig properties are ignored.
##
existingNginxServerBlockSecret: ""
## LDAP Auth Daemon containers' liveness probe.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param ldapDaemon.livenessProbe.enabled Enable livenessProbe
## @param ldapDaemon.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param ldapDaemon.livenessProbe.periodSeconds Period seconds for livenessProbe
## @param ldapDaemon.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param ldapDaemon.livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param ldapDaemon.livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 5
periodSeconds: 10
failureThreshold: 6
successThreshold: 1
## LDAP Auth Daemon containers' readiness probe.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param ldapDaemon.readinessProbe.enabled Enable readinessProbe
## @param ldapDaemon.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param ldapDaemon.readinessProbe.periodSeconds Period seconds for readinessProbe
## @param ldapDaemon.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param ldapDaemon.readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param ldapDaemon.readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
## @param ldapDaemon.customLivenessProbe Custom Liveness probe
##
customLivenessProbe: {}
## @param ldapDaemon.customReadinessProbe Custom Rediness probe
##
customReadinessProbe: {}
## @section Traffic Exposure parameters
## NGINX Service properties
@@ -780,7 +639,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/nginx-exporter
tag: 0.10.0-debian-10-r98
tag: 0.10.0-debian-10-r100
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.