[Bitwardenrs] A feature add on for ldapsync and vpn (#734)

* Bitwardenrs-ldap: Implement ldapsync and vpn extra container * Add blank new line Signed-off-by: Christopher Golden <christopher.golden@bike24.net>
2025-01-23 15:39:02 +00:00 · 2021-03-29 17:34:48 +02:00 · 2021-03-29 17:34:48 +02:00 · 8def5650cd
commit 8def5650cd
parent c98cae2e31
7 changed files with 137 additions and 2 deletions
--- a/charts/stable/bitwardenrs/README.md
+++ b/charts/stable/bitwardenrs/README.md
@ -62,6 +62,14 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
 helm install bitwardenrs k8s-at-home/bitwardenrs -f values.yaml
 ```

+### Ldap-Sync
+
+Via [vividboarder/bitwarden_rs_ldap](https://github.com/ViViDboarder/bitwarden_rs_ldap) it is possible to fetch your user base from an ldap server of your choosing. If ldapSync.enabled is true you will get the opportunity to use an ldap server which could assist with inviting users.
+
+With the ldapSync.extraContainers and ldapSync.extraVolumes values you're able to customize the ldap-sync pod.
+
+For example with environments that require a secure connection to an LDAP server you can add a VPN container, which enables the sync container to communicate over a VPN.
+
 ## Custom configuration

 N/A
@ -129,6 +137,11 @@ N/A
 | ingress.hosts[0].host | string | `"chart-example.local"` |  |
 | ingress.hosts[0].paths | list | `[]` |  |
 | ingress.tls | list | `[]` |  |
+| ldapSync.configToml | string | `"bitwarden_url = \"http://bitwarden:80\"\nbitwarden_admin_token = \"admin\"\nldap_host = \"ldap\"\nldap_bind_dn = \"cn=admin,dc=example,dc=org\"\nldap_bind_password = \"admin\"\nldap_search_base_dn = \"dc=example,dc=org\"\nldap_search_filter = \"(&(objectClass=*)(uid=*))\"\nldap_sync_interval_seconds = 10"` |  |
+| ldapSync.enabled | bool | `false` |  |
+| ldapSync.existingSecret | string | `""` |  |
+| ldapSync.extraContainers | list | `[]` |  |
+| ldapSync.extraVolumes | list | `[]` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | persistence.accessMode | string | `"ReadWriteOnce"` |  |
--- a/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl
+++ b/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl
@ -3,6 +3,14 @@
 {{- end -}}

 {{- define "custom.custom.configuration" -}}
+### Ldap-Sync
+
+Via [vividboarder/bitwarden_rs_ldap](https://github.com/ViViDboarder/bitwarden_rs_ldap) it is possible to fetch your user base from an ldap server of your choosing. If ldapSync.enabled is true you will get the opportunity to use an ldap server which could assist with inviting users.
+
+With the ldapSync.extraContainers and ldapSync.extraVolumes values you're able to customize the ldap-sync pod.
+
+For example with environments that require a secure connection to an LDAP server you can add a VPN container, which enables the sync container to communicate over a VPN.
+
 {{ template "custom.custom.configuration.header" . }}

 N/A
--- a/charts/stable/bitwardenrs/templates/_helpers.tpl
+++ b/charts/stable/bitwardenrs/templates/_helpers.tpl
@ -51,6 +51,20 @@ app.kubernetes.io/name: {{ include "bitwardenrs.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}

+{{/*
+Ldap labels
+*/}}
+{{- define "bitwardenrsLdap.labels" -}}
+helm.sh/chart: {{ include "bitwardenrs.chart" . }}
+{{ include "bitwardenrsLdap.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "bitwardenrsLdap.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwardenrs.name" . }}-ldap
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}
--- a/charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml
+++ b/charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml
@ -0,0 +1,46 @@
+{{- if and (.Values.ldapSync.enabled) (not .Values.ldapSync.existinSecret) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    {{- include "bitwardenrsLdap.labels" . | nindent 4 }}
+  name: {{ include "bitwardenrs.name" . }}-ldap
+spec:
+  selector:
+    matchLabels:
+      {{- include "bitwardenrsLdap.selectorLabels" . | nindent 6 }}
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        {{- include "bitwardenrsLdap.selectorLabels" . | nindent 8 }}
+    spec:
+      initContainers:
+      containers:
+        - name: ldap-sync
+          image: vividboarder/bitwarden_rs_ldap
+          imagePullPolicy: Always 
+          env:
+            - name: CONFIG_PATH
+              value: "/etc/bitwarden/config.toml"
+            - name: RUST_BACKTRACE
+              value: "full"
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/bitwarden
+              name: {{ if .Values.ldapSync.existingSecret }}{{ .Values.ldapSync.existingSecret }}{{ else }}{{ include "bitwardenrs.name" . }}-ldap{{ end }}
+              readOnly: true
+      {{- if .Values.ldapSync.extraContainers }}
+      {{- toYaml .Values.ldapSync.extraContainers | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: {{ include "bitwardenrs.name" . }}-ldap
+          secret:
+            defaultMode: 420
+            secretName: {{ if .Values.ldapSync.existingSecret }}{{ .Values.ldapSync.existingSecret }}{{ else }}{{ include "bitwardenrs.name" . }}-ldap{{ end }}
+        {{- if .Values.ldapSync.extraVolumes }}
+        {{- toYaml .Values.ldapSync.extraVolumes | nindent 8 }}
+        {{- end }}
+{{- end }}
--- a/charts/stable/bitwardenrs/templates/secret-ldapsync.yaml
+++ b/charts/stable/bitwardenrs/templates/secret-ldapsync.yaml
@ -0,0 +1,11 @@
+{{- if and (.Values.ldapSync.enabled) (not .Values.ldapSync.existinSecret) }}
+apiVersion: v1
+data:
+  config.toml: {{ .Values.ldapSync.configToml | b64enc }}
+kind: Secret
+metadata:
+  labels:
+  {{- include "bitwardenrsLdap.labels" . | nindent 4 }}
+  name: {{ include "bitwardenrs.name" . -}}-ldap
+type: Opaque
+{{- end }}
--- a/charts/stable/bitwardenrs/templates/secret.yaml
+++ b/charts/stable/bitwardenrs/templates/secret.yaml
@ -4,8 +4,8 @@ kind: Secret
 metadata:
  name: {{ template "bitwardenrs.fullname" . }}
  labels:
-  {{- include "bitwardenrs.labels" . | nindent 4 }}
+    {{- include "bitwardenrs.labels" . | nindent 4 }}
 type: Opaque
 data:
  admin-token: {{ randAlphaNum 48 | b64enc | quote }}
-  {{- end }}
+{{- end }}
--- a/charts/stable/bitwardenrs/values.yaml
+++ b/charts/stable/bitwardenrs/values.yaml
@ -176,3 +176,46 @@ nodeSelector: {}
 tolerations: []

 affinity: {}
+
+ldapSync:
+  enabled: false
+  # Configuration file for ldap server connection
+  configToml: |-
+    bitwarden_url = "http://bitwarden:80"
+    bitwarden_admin_token = "admin"
+    ldap_host = "ldap"
+    ldap_bind_dn = "cn=admin,dc=example,dc=org"
+    ldap_bind_password = "admin"
+    ldap_search_base_dn = "dc=example,dc=org"
+    ldap_search_filter = "(&(objectClass=*)(uid=*))"
+    ldap_sync_interval_seconds = 10
+  # Use existing secret for config.toml
+  existingSecret: ""
+  # Add extra containers
+  extraContainers: []
+    # - name: vpn
+    #   image: dperson/openvpn-client
+    #   command: ["/bin/sh","-c"]
+    #   args: ["openvpn --config 'vpn/client.ovpn' --script-security 3;"]
+    #   stdin: true
+    #   tty: true
+    #   securityContext:
+    #     privileged: true
+    #     capabilities:
+    #       add:
+    #         - NET_ADMIN
+    #   env:
+    #     - name: DE
+    #       value: "Berlin"
+    #   volumeMounts:
+    #     - name: bitwardenrs-vpn
+    #       mountPath: /vpn/client.ovpn
+    #       subPath: client.ovpn
+  # Add extra volumes
+  extraVolumes: []
+    # - name: bitwarden-vpn
+    #   secret:
+    #     secretName: bitwardenrs-vpn
+    #     items:
+    #       - key: client.ovpn
+    #         path: client.ovpn