From 8def5650cd5e7d1993080475dfece1c28b9e5744 Mon Sep 17 00:00:00 2001
From: Chris Golden
Date: Mon, 29 Mar 2021 17:34:48 +0200
Subject: [PATCH] [Bitwardenrs] A feature add on for ldapsync and vpn (#734)
* Bitwardenrs-ldap: Implement ldapsync and vpn extra container
* Add blank new line
Signed-off-by: Christopher Golden
---
 charts/stable/bitwardenrs/README.md | 13 ++++++
 .../bitwardenrs/README_CONFIG.md.gotmpl | 8 ++++
 .../stable/bitwardenrs/templates/_helpers.tpl | 14 ++++++
 .../templates/deployment-ldapsync.yaml | 46 +++++++++++++++++++
 .../templates/secret-ldapsync.yaml | 11 +++++
 .../stable/bitwardenrs/templates/secret.yaml | 4 +-
 charts/stable/bitwardenrs/values.yaml | 43 +++++++++++++++++
 7 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml
 create mode 100644 charts/stable/bitwardenrs/templates/secret-ldapsync.yaml
diff --git a/charts/stable/bitwardenrs/README.md b/charts/stable/bitwardenrs/README.md
index 4a5023b5..3619c2ce 100644
--- a/charts/stable/bitwardenrs/README.md
+++ b/charts/stable/bitwardenrs/README.md
@@ -62,6 +62,14 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
 helm install bitwardenrs k8s-at-home/bitwardenrs -f values.yaml
 ```
+### Ldap-Sync
+
+Via [vividboarder/bitwarden_rs_ldap](https://github.com/ViViDboarder/bitwarden_rs_ldap) it is possible to fetch your user base from an ldap server of your choosing. If ldapSync.enabled is true you will get the opportunity to use an ldap server which could assist with inviting users.
+
+With the ldapSync.extraContainers and ldapSync.extraVolumes values you're able to customize the ldap-sync pod.
+
+For example with environments that require a secure connection to an LDAP server you can add a VPN container, which enables the sync container to communicate over a VPN.
+
 ## Custom configuration
 N/A
@@ -129,6 +137,11 @@ N/A
 | ingress.hosts[0].host | string | `"chart-example.local"` | |
 | ingress.hosts[0].paths | list | `[]` | |
 | ingress.tls | list | `[]` | |
+| ldapSync.configToml | string | `"bitwarden_url = \"http://bitwarden:80\"\nbitwarden_admin_token = \"admin\"\nldap_host = \"ldap\"\nldap_bind_dn = \"cn=admin,dc=example,dc=org\"\nldap_bind_password = \"admin\"\nldap_search_base_dn = \"dc=example,dc=org\"\nldap_search_filter = \"(&(objectClass=*)(uid=*))\"\nldap_sync_interval_seconds = 10"` | |
+| ldapSync.enabled | bool | `false` | |
+| ldapSync.existingSecret | string | `""` | |
+| ldapSync.extraContainers | list | `[]` | |
+| ldapSync.extraVolumes | list | `[]` | |
 | nameOverride | string | `""` | |
 | nodeSelector | object | `{}` | |
 | persistence.accessMode | string | `"ReadWriteOnce"` | |
diff --git a/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl b/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl
index e93d80bf..2ff5e57a 100644
--- a/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl
+++ b/charts/stable/bitwardenrs/README_CONFIG.md.gotmpl
@@ -3,6 +3,14 @@
 {{- end -}}
 {{- define "custom.custom.configuration" -}}
+### Ldap-Sync
+
+Via [vividboarder/bitwarden_rs_ldap](https://github.com/ViViDboarder/bitwarden_rs_ldap) it is possible to fetch your user base from an ldap server of your choosing. If ldapSync.enabled is true you will get the opportunity to use an ldap server which could assist with inviting users.
+
+With the ldapSync.extraContainers and ldapSync.extraVolumes values you're able to customize the ldap-sync pod.
+
+For example with environments that require a secure connection to an LDAP server you can add a VPN container, which enables the sync container to communicate over a VPN.
+
 {{ template "custom.custom.configuration.header" . }}
 N/A
diff --git a/charts/stable/bitwardenrs/templates/_helpers.tpl b/charts/stable/bitwardenrs/templates/_helpers.tpl
index f1b1b1d5..4a57f9ba 100644
--- a/charts/stable/bitwardenrs/templates/_helpers.tpl
+++ b/charts/stable/bitwardenrs/templates/_helpers.tpl
@@ -51,6 +51,20 @@ app.kubernetes.io/name: {{ include "bitwardenrs.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Ldap labels
+*/}}
+{{- define "bitwardenrsLdap.labels" -}}
+helm.sh/chart: {{ include "bitwardenrs.chart" . }}
+{{ include "bitwardenrsLdap.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "bitwardenrsLdap.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwardenrs.name" . }}-ldap
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}
diff --git a/charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml b/charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml
new file mode 100644
index 00000000..6ad901b0
--- /dev/null
+++ b/charts/stable/bitwardenrs/templates/deployment-ldapsync.yaml
@@ -0,0 +1,46 @@
+{{- if and (.Values.ldapSync.enabled) (not .Values.ldapSync.existinSecret) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "bitwardenrsLdap.labels" . | nindent 4 }}
+ name: {{ include "bitwardenrs.name" . }}-ldap
+spec:
+ selector:
+ matchLabels:
+ {{- include "bitwardenrsLdap.selectorLabels" . | nindent 6 }}
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ {{- include "bitwardenrsLdap.selectorLabels" . | nindent 8 }}
+ spec:
+ initContainers:
+ containers:
+ - name: ldap-sync
+ image: vividboarder/bitwarden_rs_ldap
+ imagePullPolicy: Always
+ env:
+ - name: CONFIG_PATH
+ value: "/etc/bitwarden/config.toml"
+ - name: RUST_BACKTRACE
+ value: "full"
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/bitwarden
+ name: {{ if .Values.ldapSync.existingSecret }}{{ .Values.ldapSync.existingSecret }}{{ else }}{{ include "bitwardenrs.name" . }}-ldap{{ end }}
+ readOnly: true
+ {{- if .Values.ldapSync.extraContainers }}
+ {{- toYaml .Values.ldapSync.extraContainers | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "bitwardenrs.name" . }}-ldap
+ secret:
+ defaultMode: 420
+ secretName: {{ if .Values.ldapSync.existingSecret }}{{ .Values.ldapSync.existingSecret }}{{ else }}{{ include "bitwardenrs.name" . }}-ldap{{ end }}
+ {{- if .Values.ldapSync.extraVolumes }}
+ {{- toYaml .Values.ldapSync.extraVolumes | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/stable/bitwardenrs/templates/secret-ldapsync.yaml b/charts/stable/bitwardenrs/templates/secret-ldapsync.yaml
new file mode 100644
index 00000000..5bfb390c
--- /dev/null
+++ b/charts/stable/bitwardenrs/templates/secret-ldapsync.yaml
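Review bot: When `ldapSync.existingSecret` is set, `volumeMounts[0].name` becomes the secret's name while the only entry under `volumes:` is always named `{{ include "bitwardenrs.name" . }}-ldap`, so the mount refers to a volume that does not exist and the pod spec is rejected; give the volume a fixed name on both sides and keep only `secretName` conditional, as below. The guard on the first line misspells the key (`existinSecret`), so its `not` clause always passes; with the spelling corrected this Deployment would stop rendering whenever an existing secret is used, which cannot be intended, so here it should read `{{- if .Values.ldapSync.enabled }}`, whereas in secret-ldapsync.yaml the same typo means the chart-rendered Secret with the placeholder credentials is created even when `existingSecret` is set, and there `existingSecret` is the correct spelling to use. `image: vividboarder/bitwarden_rs_ldap` carries no tag and is paired with `imagePullPolicy: Always`, so every restart pulls whatever `latest` currently is; expose repository and tag under `ldapSync.image` in values.yaml and pin a tag or digest. `defaultMode: 420` leaves the mounted config.toml, which holds the LDAP bind password and the Bitwarden admin token, world-readable inside the container; `256` (0400) is enough for a file read only by the sync process. `initContainers:` has no value and renders as null; drop the key.
```yaml
{{- if .Values.ldapSync.enabled }}
# … unchanged: apiVersion, kind, metadata, selector, template metadata, container image/env …
          volumeMounts:
            - mountPath: /etc/bitwarden
              name: config
              readOnly: true
# … unchanged: extraContainers block …
      volumes:
        - name: config
          secret:
            defaultMode: 256
            secretName: {{ if .Values.ldapSync.existingSecret }}{{ .Values.ldapSync.existingSecret }}{{ else }}{{ include "bitwardenrs.name" . }}-ldap{{ end }}
# … unchanged: extraVolumes block and closing end …
```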
@@ -0,0 +1,11 @@
+{{- if and (.Values.ldapSync.enabled) (not .Values.ldapSync.existinSecret) }}
+apiVersion: v1
+data:
+ config.toml: {{ .Values.ldapSync.configToml | b64enc }}
+kind: Secret
+metadata:
+ labels:
+ {{- include "bitwardenrsLdap.labels" . | nindent 4 }}
+ name: {{ include "bitwardenrs.name" . -}}-ldap
+type: Opaque
+{{- end }}
diff --git a/charts/stable/bitwardenrs/templates/secret.yaml b/charts/stable/bitwardenrs/templates/secret.yaml
index 41eb4404..1fc55d67 100644
--- a/charts/stable/bitwardenrs/templates/secret.yaml
+++ b/charts/stable/bitwardenrs/templates/secret.yaml
@@ -4,8 +4,8 @@ kind: Secret
 metadata:
 name: {{ template "bitwardenrs.fullname" . }}
 labels:
- {{- include "bitwardenrs.labels" . | nindent 4 }}
+ {{- include "bitwardenrs.labels" . | nindent 4 }}
 type: Opaque
 data:
 admin-token: {{ randAlphaNum 48 | b64enc | quote }}
- {{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/stable/bitwardenrs/values.yaml b/charts/stable/bitwardenrs/values.yaml
index 39bd41a9..150ca0af 100644
--- a/charts/stable/bitwardenrs/values.yaml
+++ b/charts/stable/bitwardenrs/values.yaml
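Review bot: `name: {{ include "bitwardenrs.name" . -}}-ldap` builds the Secret name from the chart name, while secret.yaml in this same commit uses `template "bitwardenrs.fullname"`; if `bitwardenrs.name` is the usual chart-name helper, two releases in one namespace would both claim the same `…-ldap` Secret (and the Deployment of the same name), so use `name: {{ include "bitwardenrs.fullname" . }}-ldap` here and in deployment-ldapsync.yaml. The `-}}` trim marker is harmless but differs from the `}}-ldap` form the deployment uses; pick one. `config.toml: {{ .Values.ldapSync.configToml | b64enc }}` writes the LDAP bind password and admin token from values into a chart-managed Secret with no guard against the shipped placeholder values, so the file deserves a comment such as `# Rendered from ldapSync.configToml (LDAP bind password included); point ldapSync.existingSecret at a pre-created Secret instead for anything beyond testing`.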
@@ -176,3 +176,46 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+ldapSync:
+ enabled: false
+ # Configuration file for ldap server connection
+ configToml: |-
+ bitwarden_url = "http://bitwarden:80"
+ bitwarden_admin_token = "admin"
+ ldap_host = "ldap"
+ ldap_bind_dn = "cn=admin,dc=example,dc=org"
+ ldap_bind_password = "admin"
+ ldap_search_base_dn = "dc=example,dc=org"
+ ldap_search_filter = "(&(objectClass=*)(uid=*))"
+ ldap_sync_interval_seconds = 10
+ # Use existing secret for config.toml
+ existingSecret: ""
+ # Add extra containers
+ extraContainers: []
+ # - name: vpn
+ # image: dperson/openvpn-client
+ # command: ["/bin/sh","-c"]
+ # args: ["openvpn --config 'vpn/client.ovpn' --script-security 3;"]
+ # stdin: true
+ # tty: true
+ # securityContext:
+ # privileged: true
+ # capabilities:
+ # add:
+ # - NET_ADMIN
+ # env:
+ # - name: DE
+ # value: "Berlin"
+ # volumeMounts:
+ # - name: bitwardenrs-vpn
+ # mountPath: /vpn/client.ovpn
+ # subPath: client.ovpn
+ # Add extra volumes
+ extraVolumes: []
+ # - name: bitwarden-vpn
+ # secret:
+ # secretName: bitwardenrs-vpn
+ # items:
+ # - key: client.ovpn
+ # path: client.ovpn
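Review bot: The commented example is inconsistent with itself: the container's `volumeMounts` entry is `- name: bitwardenrs-vpn` but the `extraVolumes` entry is `- name: bitwarden-vpn`, so uncommenting both as written produces a mount that references a volume the pod does not define; use one name in both places. The `configToml` default carries `bitwarden_admin_token = "admin"` and `ldap_bind_password = "admin"`, which are rendered into a Secret the moment `ldapSync.enabled` is true, and since secret.yaml generates the server's admin token with `randAlphaNum 48` the default presumably cannot authenticate anyway, so the comment should say these are placeholders to override, e.g. `# Placeholder credentials; override the admin token and LDAP bind password, or use existingSecret`. `existingSecret` needs its contract spelled out, because the deployment mounts the Secret at `/etc/bitwarden` and sets `CONFIG_PATH=/etc/bitwarden/config.toml`: `# Name of an existing Secret holding the full config under the key "config.toml"; takes precedence over configToml`. The VPN example sets both `privileged: true` and `capabilities.add: [NET_ADMIN]`; show only the capability unless the chosen VPN image is known to need a privileged container, so users do not copy host-level privileges by default.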