From 86e7b00a2dcdc6fa76b6317adbf4e4ae4d9c3f3e Mon Sep 17 00:00:00 2001
From: Michiel
Date: Tue, 5 Apr 2022 15:39:36 +0200
Subject: [PATCH] [bitnami/nginx] Remove nginx-ldap-auth-daemon dependency for Bitnami Nginx Chart (#9645)

* Remove nginx-ldap-auth-daemon dependency for Bitnami Nginx Chart
Signed-off-by: michield
* Update README information about major version upgrade
Signed-off-by: michield
* Remove nginx-server-block-paths
Signed-off-by: michield
* Remove remaining server-block-path logic
Signed-off-by: michield
* Fix indentation
Signed-off-by: michield
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* [bitnami/nginx] Update components versions
Signed-off-by: Bitnami Containers
Co-authored-by: michield
Co-authored-by: Bitnami Containers
---
 bitnami/nginx/Chart.yaml | 2 +-
 bitnami/nginx/README.md | 272 +++++-------------
 bitnami/nginx/templates/NOTES.txt | 1 -
 bitnami/nginx/templates/_helpers.tpl | 20 +-
 bitnami/nginx/templates/deployment.yaml | 81 +-----
 .../nginx/templates/ldap-daemon-secrets.yaml | 20 --
 .../templates/server-block-configmap.yaml | 5 +-
 bitnami/nginx/values.yaml | 147 +---------
 8 files changed, 88 insertions(+), 460 deletions(-)
 delete mode 100644 bitnami/nginx/templates/ldap-daemon-secrets.yaml

diff --git a/bitnami/nginx/Chart.yaml b/bitnami/nginx/Chart.yaml
index 8d85c04bc1..6875f27c40 100644
--- a/bitnami/nginx/Chart.yaml
+++ b/bitnami/nginx/Chart.yaml
@@ -25,4 +25,4 @@ name: nginx
 sources:
 - https://github.com/bitnami/bitnami-docker-nginx
 - https://www.nginx.org
-version: 9.9.9
+version: 10.0.0
diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md
index 45cf7806e0..a5e569272d 100644
--- a/bitnami/nginx/README.md
+++ b/bitnami/nginx/README.md
@@ -76,83 +76,83 @@ The command removes all the Kubernetes components associated with the chart and
 ### NGINX parameters
-| Name | Description | Value |
-| -------------------- | -------------------------------------------------------------------- | --------------------- |
-| `image.registry` | NGINX image registry | `docker.io` |
-| `image.repository` | NGINX image repository | `bitnami/nginx` |
-| `image.tag` | NGINX image tag (immutable tags are recommended) | `1.21.5-debian-10-r3` |
-| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
-| `hostAliases` | Deployment pod host aliases | `[]` |
-| `command` | Override default container command (useful when using custom images) | `[]` |
-| `args` | Override default container args (useful when using custom images) | `[]` |
-| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` |
-| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
-| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
+| Name | Description | Value |
+| -------------------- | -------------------------------------------------------------------- | ---------------------- |
+| `image.registry` | NGINX image registry | `docker.io` |
+| `image.repository` | NGINX image repository | `bitnami/nginx` |
+| `image.tag` | NGINX image tag (immutable tags are recommended) | `1.21.6-debian-10-r65` |
+| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
+| `hostAliases` | Deployment pod host aliases | `[]` |
+| `command` | Override default container command (useful when using custom images) | `[]` |
+| `args` | Override default container args (useful when using custom images) | `[]` |
+| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` |
+| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
+| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
 ### NGINX deployment parameters
-| Name | Description | Value |
-| --------------------------------------- | ----------------------------------------------------------------------------------------- | ------- |
-| `replicaCount` | Number of NGINX replicas to deploy | `1` |
-| `updateStrategy.type` | NGINX deployment strategy type | `""` |
-| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` |
-| `podLabels` | Additional labels for NGINX pods | `{}` |
-| `podAnnotations` | Annotations for NGINX pods | `{}` |
-| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
-| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `affinity` | Affinity for pod assignment | `{}` |
-| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` |
-| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` |
-| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
-| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `{}` |
-| `priorityClassName` | Priority class name | `""` |
-| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `false` |
-| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` |
-| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` |
-| `containerSecurityContext.enabled` | Enabled NGINX containers' Security Context | `false` |
-| `containerSecurityContext.runAsUser` | Set NGINX container's Security Context runAsUser | `1001` |
-| `containerSecurityContext.runAsNonRoot` | Set NGINX container's Security Context runAsNonRoot | `true` |
-| `containerPorts.http` | Sets http port inside NGINX container | `8080` |
-| `containerPorts.https` | Sets https port inside NGINX container | `""` |
-| `resources.limits` | The resources limits for the NGINX container | `{}` |
-| `resources.requests` | The requested resources for the NGINX container | `{}` |
-| `livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
-| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `customLivenessProbe` | Override default liveness probe | `{}` |
-| `customReadinessProbe` | Override default readiness probe | `{}` |
-| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` |
-| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` |
-| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` |
-| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
-| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
-| `extraVolumes` | Array to add extra volumes | `[]` |
-| `extraVolumeMounts` | Array to add extra mount | `[]` |
-| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `false` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
-| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` |
-| `sidecars` | Sidecar parameters | `[]` |
-| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` |
-| `initContainers` | Extra init containers | `[]` |
-| `pdb.create` | Created a PodDisruptionBudget | `false` |
-| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
-| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `0` |
+| Name | Description | Value |
+| --------------------------------------- | ----------------------------------------------------------------------------------------- | --------------- |
+| `replicaCount` | Number of NGINX replicas to deploy | `1` |
+| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` |
+| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` |
+| `podLabels` | Additional labels for NGINX pods | `{}` |
+| `podAnnotations` | Annotations for NGINX pods | `{}` |
+| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
+| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `affinity` | Affinity for pod assignment | `{}` |
+| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` |
+| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` |
+| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
+| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `{}` |
+| `priorityClassName` | Priority class name | `""` |
+| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `false` |
+| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` |
+| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` |
+| `containerSecurityContext.enabled` | Enabled NGINX containers' Security Context | `false` |
+| `containerSecurityContext.runAsUser` | Set NGINX container's Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsNonRoot` | Set NGINX container's Security Context runAsNonRoot | `true` |
+| `containerPorts.http` | Sets http port inside NGINX container | `8080` |
+| `containerPorts.https` | Sets https port inside NGINX container | `""` |
+| `resources.limits` | The resources limits for the NGINX container | `{}` |
+| `resources.requests` | The requested resources for the NGINX container | `{}` |
+| `livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
+| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `customLivenessProbe` | Override default liveness probe | `{}` |
+| `customReadinessProbe` | Override default readiness probe | `{}` |
+| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` |
+| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` |
+| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` |
+| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` |
+| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` |
+| `extraVolumes` | Array to add extra volumes | `[]` |
+| `extraVolumeMounts` | Array to add extra mount | `[]` |
+| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `false` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` |
+| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` |
+| `sidecars` | Sidecar parameters | `[]` |
+| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` |
+| `initContainers` | Extra init containers | `[]` |
+| `pdb.create` | Created a PodDisruptionBudget | `false` |
+| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
+| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `0` |
 ### Custom NGINX application parameters
@@ -162,7 +162,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` |
 | `cloneStaticSiteFromGit.image.registry` | Git image registry | `docker.io` |
 | `cloneStaticSiteFromGit.image.repository` | Git image repository | `bitnami/git` |
-| `cloneStaticSiteFromGit.image.tag` | Git image tag (immutable tags are recommended) | `2.34.1-debian-10-r33` |
+| `cloneStaticSiteFromGit.image.tag` | Git image tag (immutable tags are recommended) | `2.35.1-debian-10-r64` |
 | `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` |
 | `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
 | `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` |
@@ -180,41 +180,6 @@ The command removes all the Kubernetes components associated with the chart and
 | `staticSitePVC` | Name of existing PVC with the server static site content | `""` |
-### LDAP parameters
-
-| Name | Description | Value |
-| ----------------------------------------------- | ---------------------------------------------------------------------------------------- | -------------------------------- |
-| `ldapDaemon.enabled` | Enable LDAP Auth Daemon proxy | `false` |
-| `ldapDaemon.image.registry` | LDAP AUth Daemon Image registry | `docker.io` |
-| `ldapDaemon.image.repository` | LDAP Auth Daemon Image repository | `bitnami/nginx-ldap-auth-daemon` |
-| `ldapDaemon.image.tag` | LDAP Auth Daemon Image tag (immutable tags are recommended) | `0.20200116.0-debian-10-r556` |
-| `ldapDaemon.image.pullPolicy` | LDAP Auth Daemon Image pull policy | `IfNotPresent` |
-| `ldapDaemon.port` | LDAP Auth Daemon port | `8888` |
-| `ldapDaemon.ldapConfig.uri` | LDAP Server URI, `ldap[s]:/:` | `""` |
-| `ldapDaemon.ldapConfig.baseDN` | LDAP root DN to begin the search for the user | `""` |
-| `ldapDaemon.ldapConfig.bindDN` | DN of user to bind to LDAP | `""` |
-| `ldapDaemon.ldapConfig.bindPassword` | Password for the user to bind to LDAP | `""` |
-| `ldapDaemon.ldapConfig.filter` | LDAP search filter for search | `""` |
-| `ldapDaemon.ldapConfig.httpRealm` | LDAP HTTP auth realm | `""` |
-| `ldapDaemon.ldapConfig.httpCookieName` | HTTP cookie name to be used in LDAP Auth | `""` |
-| `ldapDaemon.nginxServerBlock` | NGINX server block that configures LDAP communication. Overrides `ldapDaemon.ldapConfig` | `""` |
-| `ldapDaemon.existingNginxServerBlockSecret` | Name of existing Secret with a NGINX server block to use for LDAP communication | `""` |
-| `ldapDaemon.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `ldapDaemon.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `ldapDaemon.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `ldapDaemon.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `ldapDaemon.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `ldapDaemon.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `ldapDaemon.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `ldapDaemon.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `ldapDaemon.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `ldapDaemon.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
-| `ldapDaemon.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `ldapDaemon.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `ldapDaemon.customLivenessProbe` | Custom Liveness probe | `{}` |
-| `ldapDaemon.customReadinessProbe` | Custom Rediness probe | `{}` |
-
-
 ### Traffic Exposure parameters
 | Name | Description | Value |
@@ -256,7 +221,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` |
 | `metrics.image.registry` | NGINX Prometheus exporter image registry | `docker.io` |
 | `metrics.image.repository` | NGINX Prometheus exporter image repository | `bitnami/nginx-exporter` |
-| `metrics.image.tag` | NGINX Prometheus exporter image tag (immutable tags are recommended) | `0.10.0-debian-10-r8` |
+| `metrics.image.tag` | NGINX Prometheus exporter image tag (immutable tags are recommended) | `0.10.0-debian-10-r98` |
 | `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` |
 | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
 | `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` |
@@ -346,89 +311,6 @@ serverBlock: |-
 In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `existingServerBlockConfigmap` parameter. Note that this will override the previous option.
-### Enabling LDAP
-
-In some scenarios, you may require users to authenticate in order to gain access to protected resources. By enabling LDAP, NGINX will make use of an Authorization Daemon to proxy those identification requests against a given LDAP Server.
-
-```
- ------------ -------------- ---------------
- | NGINX | -----> | NGINX | -----> | LDAP |
- | server | <----- | ldap daemon | <----- | server |
- ------------ -------------- ---------------
-```
-
-In order to enable LDAP authentication you can set the `ldapDaemon.enabled` property and follow these steps:
-
-1. NGINX server needs to be configured to be self-aware of the proxy. In order to do so, use the `ldapDaemon.nginxServerBlock` property to provide with an additional server block, that will instruct NGINX to use it (see `values.yaml`). Alternatively, you can specify this server block configuration using an external Secret using the property `ldapDaemon.existingNginxServerBlockSecret`.
-
-2. Supply your LDAP Server connection details either in the aforementioned server block (setting request headers) or specifying them in `ldapDaemon.ldapConfig`. e.g. The following two approaches are equivalent:
-
-_Approach A) Specify connection details using the `ldapDaemon.ldapConfig` property_
-
-```yaml
-ldapDaemon:
- enabled: true
- ldapConfig:
- uri: "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT"
- baseDN: "dc=example,dc=org"
- bindDN: "cn=admin,dc=example,dc=org"
- bindPassword: "adminpassword"
-
- nginxServerBlock: |-
- server {
- listen 0.0.0.0:{{ .Values.containerPorts.http }};
-
- # You can provide a special subPath or the root
- location = / {
- auth_request /auth-proxy;
- }
-
- location = /auth-proxy {
- internal;
-
- proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
- }
- }
-```
-
-_Approach B) Specify connection details directly in the server block_
-
-```yaml
-ldapDaemon:
- enabled: true
- nginxServerBlock: |-
- server {
- listen 0.0.0.0:{{ .Values.containerPorts.http }};
-
- # You can provide a special subPath or the root
- location = / {
- auth_request /auth-proxy;
- }
-
- location = /auth-proxy {
- internal;
-
- proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
-
- ###############################################################
- # YOU SHOULD CHANGE THE FOLLOWING TO YOUR LDAP CONFIGURATION #
- ###############################################################
-
- # URL and port for connecting to the LDAP server
- proxy_set_header X-Ldap-URL "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT";
-
- # Base DN
- proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";
-
- # Bind DN
- proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";
-
- # Bind password
- proxy_set_header X-Ldap-BindPass "adminpassword";
- }
- }
-```
-
 ### Adding extra environment variables
 In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property.
@@ -471,6 +353,10 @@ Find more information about how to deal with common errors related to Bitnami's
 ## Upgrading
+### To 10.0.0
+
+This major release no longer uses the bitnami/nginx-ldap-auth-daemon container as a dependency since its upstream project is not actively maintained.
+
 ### To 8.0.0
 [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
diff --git a/bitnami/nginx/templates/NOTES.txt b/bitnami/nginx/templates/NOTES.txt
index 9d631d5066..d821d18da7 100644
--- a/bitnami/nginx/templates/NOTES.txt
+++ b/bitnami/nginx/templates/NOTES.txt
@@ -48,6 +48,5 @@ To access NGINX from outside the cluster, follow the steps below:
 {{- include "common.warnings.rollingTag" .Values.image }}
 {{- include "common.warnings.rollingTag" .Values.cloneStaticSiteFromGit.image }}
-{{- include "common.warnings.rollingTag" .Values.ldapDaemon.image }}
 {{- include "common.warnings.rollingTag" .Values.metrics.image }}
 {{- include "nginx.validateValues" . }}
diff --git a/bitnami/nginx/templates/_helpers.tpl b/bitnami/nginx/templates/_helpers.tpl
index 6090d92da2..ba2dab3669 100644
--- a/bitnami/nginx/templates/_helpers.tpl
+++ b/bitnami/nginx/templates/_helpers.tpl
@@ -13,13 +13,6 @@ Return the proper GIT image name
 {{ include "common.images.image" (dict "imageRoot" .Values.cloneStaticSiteFromGit.image "global" .Values.global) }}
 {{- end -}}
-{{/*
-Return the proper DAP Auth Daemon image name
-*/}}
-{{- define "nginx.ldapDaemon.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.ldapDaemon.image "global" .Values.global) }}
-{{- end -}}
-
 {{/*
 Return the proper Prometheus metrics image name
 */}}
@@ -31,7 +24,7 @@ Return the proper Prometheus metrics image name
 Return the proper Docker Image Registry Secret Names
 */}}
 {{- define "nginx.imagePullSecrets" -}}
-{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.ldapDaemon.image .Values.metrics.image) "global" .Values.global) }}
+{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "global" .Values.global) }}
 {{- end -}}
 {{/*
@@ -69,17 +62,6 @@ Return the custom NGINX server block configmap.
 {{- end -}}
 {{- end -}}
-{{/*
-Return the custom NGINX server block secret for LDAP.
-*/}}
-{{- define "ldap.nginxServerBlockSecret" -}}
-{{- if .Values.ldapDaemon.existingNginxServerBlockSecret -}}
- {{- printf "%s" (tpl .Values.ldapDaemon.existingNginxServerBlockSecret $) -}}
-{{- else -}}
- {{- printf "%s-ldap-daemon" (include "common.names.fullname" .) -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Compile all warnings into a single message, and call fail.
 */}}
diff --git a/bitnami/nginx/templates/deployment.yaml b/bitnami/nginx/templates/deployment.yaml
index a1e9ccfc1c..e8108daf83 100644
--- a/bitnami/nginx/templates/deployment.yaml
+++ b/bitnami/nginx/templates/deployment.yaml
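Review bot: Dropping `.Values.ldapDaemon.image` from the pull-secrets list removes the last `ldapDaemon` reference in the helpers, but nothing in the chart now rejects a values file that still carries `ldapDaemon.enabled: true` from a 9.x release: Helm ignores unknown keys, so such an upgrade renders cleanly with no auth daemon and no LDAP server block, and content that the old `auth_request` location gated most likely comes up unauthenticated. `nginx.validateValues` (its body lies outside this hunk; the context at the end of the next hunk shows it still exists) is the place to turn that silent downgrade into a hard error, so a message helper for the stale key is sketched below and would be appended to that helper's message list the way the existing messages are. The 10.0.0 upgrade note in README.md should also tell operators to remove `ldapDaemon.*` and to put equivalent authentication in place before upgrading.
```gotmpl
{{/*
Fail when values of the LDAP auth daemon removed in chart 10.0.0 are still set
*/}}
{{- define "nginx.validateValues.ldapDaemon" -}}
{{- if .Values.ldapDaemon -}}
nginx: ldapDaemon
    The bitnami/nginx-ldap-auth-daemon sidecar was removed in chart 10.0.0 and ldapDaemon.* is no longer honored.
    Remove these values and provide authentication by other means before upgrading.
{{- end -}}
{{- end -}}
```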
@@ -200,17 +200,9 @@ spec:
 resources: {{- toYaml .Values.resources | nindent 12 }}
 {{- end }}
 volumeMounts:
- {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.ldapDaemon.enabled }}
- - name: nginx-server-block-paths
- mountPath: /opt/bitnami/nginx/conf/server_blocks
- {{- end }}
 {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
 - name: nginx-server-block
- mountPath: /opt/bitnami/nginx/conf/server_blocks/common
- {{- end }}
- {{- if .Values.ldapDaemon.enabled }}
- - name: nginx-server-block-ldap
- mountPath: /opt/bitnami/nginx/conf/server_blocks/ldap
+ mountPath: /opt/bitnami/nginx/conf/server_blocks
 {{- end }}
 {{- if (include "nginx.useStaticSite" .) }}
 - name: staticsite
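Review bot: `volumeMounts:` is left unconditional here while the same commit moves `volumes:` behind `{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}` in the hunk at -300, so a release with no server block, no static site and no `extraVolumeMounts` now renders the container with a null `volumeMounts:` key but no `volumes:` key at all. Kubernetes accepts a null list, so this is consistency rather than correctness, but the two blocks should be written the same way: guard this one with `{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumeMounts (include "nginx.useStaticSite" .) }}` before `volumeMounts:` and close it with a matching `{{- end }}` after the `extraVolumeMounts` block, which lies in the next hunk. The container spec this belongs to starts before the hunk.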
@@ -219,57 +211,6 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
- {{- if .Values.ldapDaemon.enabled }}
- - name: ldap-daemon
- image: {{ include "nginx.ldapDaemon.image" . }}
- imagePullPolicy: {{ .Values.ldapDaemon.image.pullPolicy | quote }}
- env:
- - name: NGINXLDAP_PORT_NUMBER
- value: {{ .Values.ldapDaemon.port | quote }}
- - name: NGINXLDAP_LDAP_URI
- value: {{ .Values.ldapDaemon.ldapConfig.uri | quote }}
- - name: NGINXLDAP_LDAP_BASE_DN
- value: {{ .Values.ldapDaemon.ldapConfig.baseDN | quote }}
- - name: NGINXLDAP_LDAP_BIND_DN
- value: {{ .Values.ldapDaemon.ldapConfig.bindDN | quote }}
- - name: NGINXLDAP_LDAP_BIND_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.names.fullname" . }}-ldap-daemon
- key: ldap-daemon-ldap-bind-password
- - name: NGINXLDAP_LDAP_FILTER
- value: {{ .Values.ldapDaemon.ldapConfig.filter | quote }}
- - name: NGINXLDAP_HTTP_REALM
- value: {{ .Values.ldapDaemon.ldapConfig.httpRealm | quote }}
- - name: NGINXLDAP_HTTP_COOKIE_NAME
- value: {{ .Values.ldapDaemon.ldapConfig.httpCookieName | quote }}
- ports:
- - name: ldap-daemon
- containerPort: {{ .Values.ldapDaemon.port }}
- {{- if .Values.ldapDaemon.livenessProbe.enabled }}
- livenessProbe:
- tcpSocket:
- port: ldap-daemon
- periodSeconds: {{ .Values.ldapDaemon.livenessProbe.periodSeconds }}
- timeoutSeconds: {{ .Values.ldapDaemon.livenessProbe.timeoutSeconds }}
- successThreshold: {{ .Values.ldapDaemon.livenessProbe.successThreshold }}
- failureThreshold: {{ .Values.ldapDaemon.livenessProbe.failureThreshold }}
- {{- else if .Values.ldapDaemon.customLivenessProbe }}
- livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ldapDaemon.customLivenessProbe "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.ldapDaemon.readinessProbe.enabled }}
- readinessProbe:
- tcpSocket:
- port: ldap-daemon
- initialDelaySeconds: {{ .Values.ldapDaemon.readinessProbe.initialDelaySeconds }}
- periodSeconds: {{ .Values.ldapDaemon.readinessProbe.periodSeconds }}
- timeoutSeconds: {{ .Values.ldapDaemon.readinessProbe.timeoutSeconds }}
- successThreshold: {{ .Values.ldapDaemon.readinessProbe.successThreshold }}
- failureThreshold: {{ .Values.ldapDaemon.readinessProbe.failureThreshold }}
- {{- else if .Values.ldapDaemon.customReadinessProbe }}
- readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.ldapDaemon.customReadinessProbe "context" $) | nindent 12 }}
- {{- end }}
- {{- end }}
 {{- if .Values.metrics.enabled }}
 - name: metrics
 image: {{ include "nginx.metrics.image" . }}
@@ -300,23 +241,12 @@ spec:
 {{- with .Values.sidecars }}
 {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
 {{- end }}
+ {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}
 volumes:
- - name: nginx-server-block-paths
- configMap:
- name: {{ template "common.names.fullname" . }}-server-block
- items:
- - key: server-blocks-paths.conf
- path: server-blocks-paths.conf
- {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}
 {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
 - name: nginx-server-block
 configMap:
 name: {{ include "nginx.serverBlockConfigmapName" . }}
- {{- if or .Values.serverBlock }}
- items:
- - key: server-block.conf
- path: server-block.conf
- {{- end }}
 {{- end }}
 {{- if (include "nginx.useStaticSite" .) }}
 - name: staticsite
@@ -325,9 +255,4 @@ spec:
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
- {{- end }}
- {{- if .Values.ldapDaemon.enabled }}
- - name: nginx-server-block-ldap
- secret:
- secretName: {{ include "ldap.nginxServerBlockSecret" . }}
- {{- end }}
+ {{- end }}
diff --git a/bitnami/nginx/templates/ldap-daemon-secrets.yaml b/bitnami/nginx/templates/ldap-daemon-secrets.yaml
deleted file mode 100644
index 0ee127e975..0000000000
--- a/bitnami/nginx/templates/ldap-daemon-secrets.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.ldapDaemon.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "common.names.fullname" . }}-ldap-daemon
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: Opaque
-data:
- ldap-daemon-ldap-bind-password: {{ .Values.ldapDaemon.ldapConfig.bindPassword | b64enc | quote }}
-{{- if (not .Values.ldapDaemon.existingNginxServerBlockSecret) }}
- ldap_nginx.conf: |-
-{{ tpl .Values.ldapDaemon.nginxServerBlock . | b64enc | indent 4 }}
-{{- end }}
-{{- end }}
diff --git a/bitnami/nginx/templates/server-block-configmap.yaml b/bitnami/nginx/templates/server-block-configmap.yaml
index 9bb1202930..9a48876d0c 100644
--- a/bitnami/nginx/templates/server-block-configmap.yaml
+++ b/bitnami/nginx/templates/server-block-configmap.yaml
@@ -1,13 +1,10 @@
+{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ template "common.names.fullname" . }}-server-block
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 data:
- server-blocks-paths.conf: |-
- include "/opt/bitnami/nginx/conf/server_blocks/ldap/*.conf";
- include "/opt/bitnami/nginx/conf/server_blocks/common/*.conf";
-{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
 server-block.conf: |-
 {{ include "common.tplvalues.render" ( dict "value" .Values.serverBlock "context" $ ) | indent 4 }}
 {{- end }}
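Review bot: With `server-blocks-paths.conf` and its two `include` directives gone, nothing left in the chart states how `server-block.conf` is loaded: the ConfigMap is mounted at `/opt/bitnami/nginx/conf/server_blocks` (deployment.yaml hunk at -200) and the chart now relies on the image's main `nginx.conf` already including that directory, which this diff does not show. That dependency is worth recording at the top of this template so the next reader does not reintroduce a paths file, e.g. `{{/* Rendered to server-block.conf under /opt/bitnami/nginx/conf/server_blocks; the image's nginx.conf is expected to include every *.conf in that directory. */}}`. If the image's include pattern is narrower than that, the mount path change in deployment.yaml would need revisiting.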
diff --git a/bitnami/nginx/values.yaml b/bitnami/nginx/values.yaml
index 64fcb9095d..3c5a2a4c5d 100644
--- a/bitnami/nginx/values.yaml
+++ b/bitnami/nginx/values.yaml
@@ -52,7 +52,7 @@ commonAnnotations: {}
 image:
 registry: docker.io
 repository: bitnami/nginx
- tag: 1.21.6-debian-10-r65
+ tag: 1.21.6-debian-10-r67
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -344,7 +344,7 @@ cloneStaticSiteFromGit:
 image:
 registry: docker.io
 repository: bitnami/git
- tag: 2.35.1-debian-10-r64
+ tag: 2.35.1-debian-10-r65
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -429,147 +429,6 @@ staticSiteConfigmap: ""
 ##
 staticSitePVC: ""
 
-## @section LDAP parameters
-
-## LDAP Auth Daemon Properties
-## Daemon that will proxy LDAP requests between NGINX and a given LDAP Server
-##
-ldapDaemon:
-  ## @param ldapDaemon.enabled Enable LDAP Auth Daemon proxy
-  ##
-  enabled: false
-  ## Bitnami NGINX LDAP Auth Daemon image
-  ## ref: https://hub.docker.com/r/bitnami/nginx-ldap-auth-daemon/tags/
-  ## @param ldapDaemon.image.registry LDAP AUth Daemon Image registry
-  ## @param ldapDaemon.image.repository LDAP Auth Daemon Image repository
-  ## @param ldapDaemon.image.tag LDAP Auth Daemon Image tag (immutable tags are recommended)
-  ## @param ldapDaemon.image.pullPolicy LDAP Auth Daemon Image pull policy
-  ##
-  image:
-    registry: docker.io
-    repository: bitnami/nginx-ldap-auth-daemon
-    tag: 0.20200116.0-debian-10-r632
-    pullPolicy: IfNotPresent
-  ## @param ldapDaemon.port LDAP Auth Daemon port
-  ##
-  port: 8888
-  ## LDAP Auth Daemon Configuration
-  ##
-  ## These different properties define the form of requests performed
-  ## against the given LDAP server
-  ##
-  ## BEWARE THAT THESE VALUES WILL BE IGNORED IF A CUSTOM LDAP SERVER BLOCK
-  ## ALREADY SPECIFIES THEM.
-  ##
-  ##
-  ldapConfig:
-    ## @param ldapDaemon.ldapConfig.uri LDAP Server URI, `ldap[s]:/:`
-    ## Must follow the pattern -> ldap[s]:/:
-    ##
-    uri: ""
-    ## @param ldapDaemon.ldapConfig.baseDN LDAP root DN to begin the search for the user
-    ##
-    baseDN: ""
-    ## @param ldapDaemon.ldapConfig.bindDN DN of user to bind to LDAP
-    ##
-    bindDN: ""
-    ## @param ldapDaemon.ldapConfig.bindPassword Password for the user to bind to LDAP
-    ##
-    bindPassword: ""
-    ## @param ldapDaemon.ldapConfig.filter LDAP search filter for search
-    ##
-    filter: ""
-    ## @param ldapDaemon.ldapConfig.httpRealm LDAP HTTP auth realm
-    ##
-    httpRealm: ""
-    ## @param ldapDaemon.ldapConfig.httpCookieName HTTP cookie name to be used in LDAP Auth
-    ##
-    httpCookieName: ""
-  ## @param ldapDaemon.nginxServerBlock [string] NGINX server block that configures LDAP communication. Overrides `ldapDaemon.ldapConfig`
-  ## NGINX Configuration File containing the directives (that define how LDAP requests are performed) and tells NGINX to
-  ## use the LDAP Daemon as proxy. Besides, it defines the routes that will require of LDAP auth
-  ## in order to be accessed.
-  ##
-  ## If LDAP directives are provided, they will take precedence over
-  ## the ones specified in ldapConfig.
-  ##
-  ## This will be evaluated as a template.
-  ##
-  nginxServerBlock: |-
-    server {
-      listen 0.0.0.0:{{ .Values.containerPorts.http }};
-
-      # You can provide a special subPath or the root
-      location = / {
-        auth_request /auth-proxy;
-      }
-
-      location = /auth-proxy {
-        internal;
-
-        proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
-
-        ###############################################################
-        # YOU SHOULD CHANGE THE FOLLOWING TO YOUR LDAP CONFIGURATION  #
-        ###############################################################
-
-        # URL and port for connecting to the LDAP server
-        # proxy_set_header X-Ldap-URL "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT";
-
-        # Base DN
-        # proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";
-
-        # Bind DN
-        # proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";
-
-        # Bind password
-        # proxy_set_header X-Ldap-BindPass "adminpassword";
-      }
-    }
-  ## @param ldapDaemon.existingNginxServerBlockSecret Name of existing Secret with a NGINX server block to use for LDAP communication
-  ## Use an existing Secret holding an NGINX Configuration file that configures LDAP requests
-  ## If provided, both nginxServerBlock and ldapConfig properties are ignored.
-  ##
-  existingNginxServerBlockSecret: ""
-  ## LDAP Auth Daemon containers' liveness probe.
-  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-  ## @param ldapDaemon.livenessProbe.enabled Enable livenessProbe
-  ## @param ldapDaemon.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
-  ## @param ldapDaemon.livenessProbe.periodSeconds Period seconds for livenessProbe
-  ## @param ldapDaemon.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
-  ## @param ldapDaemon.livenessProbe.failureThreshold Failure threshold for livenessProbe
-  ## @param ldapDaemon.livenessProbe.successThreshold Success threshold for livenessProbe
-  ##
-  livenessProbe:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 5
-    periodSeconds: 10
-    failureThreshold: 6
-    successThreshold: 1
-  ## LDAP Auth Daemon containers' readiness probe.
-  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-  ## @param ldapDaemon.readinessProbe.enabled Enable readinessProbe
-  ## @param ldapDaemon.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
-  ## @param ldapDaemon.readinessProbe.periodSeconds Period seconds for readinessProbe
-  ## @param ldapDaemon.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
-  ## @param ldapDaemon.readinessProbe.failureThreshold Failure threshold for readinessProbe
-  ## @param ldapDaemon.readinessProbe.successThreshold Success threshold for readinessProbe
-  ##
-  readinessProbe:
-    enabled: true
-    initialDelaySeconds: 5
-    timeoutSeconds: 3
-    periodSeconds: 5
-    failureThreshold: 3
-    successThreshold: 1
-  ## @param ldapDaemon.customLivenessProbe Custom Liveness probe
-  ##
-  customLivenessProbe: {}
-  ## @param ldapDaemon.customReadinessProbe Custom Rediness probe
-  ##
-  customReadinessProbe: {}
-
 ## @section Traffic Exposure parameters
 
 ## NGINX Service properties
@@ -780,7 +639,7 @@ metrics:
   image:
     registry: docker.io
     repository: bitnami/nginx-exporter
-    tag: 0.10.0-debian-10-r98
+    tag: 0.10.0-debian-10-r100
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
     ## Secrets must be manually created in the namespace.