Merge pull request #1 from cetic/develop

Develop

Chart.yaml

@@ -1,5 +1,5 @@
 name: postgresql
-version: 0.1.1
+version: 0.1.2
 appVersion: 11.5.0
 description: PostgreSQL is an open-source object-relational database management system (ORDBMS) emphasizing extensibility and technical standards compliance.
 keywords:

README.md

@@ -35,6 +35,9 @@ The following items can be set via `--set` flag during installation or configure
 - **Disable**: The data does not survive the termination of a pod.
 - **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamic provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
 
+#### How to use LDAP:
+LDAP is used only to validate the user name/password pairs. Therefore the user must already exist in the database before LDAP can be used for authentication. If you **enable ldap** a **CronJob** will be activated, it will run the tool [pg-ldap-sync](https://github.com/cetic/pg-ldap-sync-docker) that will copy users from your ldap server to your database.
+
 ### Install the chart
 
 Install the postgresql helm chart with a release name `my-release`:
@@ -70,6 +73,7 @@ The following table lists the configurable parameters of the postgresql chart an
 | `postgresql.dataDir`                                                        | PostgreSQL data dir folder                                                                                         | `/var/lib/postgresql/data`      |
 | `postgresql.config`                                                         | Runtime Config Parameters                                                                                          | `nil`                           |
 | `postgresql.pghba`                                                          | Content of pg\_hba.conf                                                                                            | `nil (do not create pg_hba.conf)`|
+| `postgresql.initdbscripts`                                                          | Content of initdbscripts.sh ( commands to be executed at the start of postgres )                                                                                           | `nil (do not create initdbscripts.sh)`|
 | `postgresql.configMap`                                                      | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil`|
 | `extraEnv`                                                                  | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template.        | `{}`                            |
 | **Service**                                                                 |

templates/configmap.yaml

@@ -1,5 +1,5 @@
 ---
-{{- if and (or (.Files.Glob "configs/postgresql.conf") (.Files.Glob "configs/pg_hba.conf") .Values.postgresql.config .Values.postgresql.pghba) (not .Values.postgresql.configMap) }}
+{{- if and (or (.Files.Glob "configs/postgresql.conf") (.Files.Glob "configs/pg_hba.conf") (.Files.Glob "configs/initdbscripts.sh") .Values.postgresql.config .Values.postgresql.pghba .Values.postgresql.initdbscripts) (not .Values.postgresql.configMap) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -24,6 +24,12 @@ data:
   pg_hba.conf: |
 {{ .Values.postgresql.pghba  | indent 4 }}
 {{- end }}
+{{- if (.Files.Glob "configs/initdbscripts.sh") }}
+{{ (.Files.Glob "configs/initdbscripts.sh").AsConfig | indent 2 }}
+{{- else if .Values.postgresql.initdbscripts }}
+  initdbscripts.sh: |
+{{ .Values.postgresql.initdbscripts  | indent 4 }}
+{{- end }}
 {{- end }}
 #
 # A ConfigMap spec for pgldap-config.yaml 
@@ -44,3 +50,5 @@ data:
   pgldap-config.yaml: |
 {{ .Values.ldap.pgldapconfig | indent 4}}
 {{- end }}
+
+

templates/statefulset.yaml

@@ -103,6 +103,12 @@ spec:
           subPath: pg_hba.conf
           readOnly: false
         {{- end }}
+        {{- if or (.Files.Glob "configs/initdbscripts.sh") .Values.postgresql.initdbscripts .Values.configMap }}
+        - name: postgresql-config-initdbscripts
+          mountPath: /docker-entrypoint-initdb.d/initdbscripts.sh
+          subPath: initdbscripts.sh
+          readOnly: false
+        {{- end }}
         {{- if or (.Files.Glob "configs/postgresql.conf") .Values.postgresql.config .Values.configMap }}
         - name: postgresql-config
           mountPath: {{ .Values.persistence.mountPath }}/conf/postgresql.conf
@@ -126,6 +132,14 @@ spec:
            - key: postgresql.conf
              path: postgresql.conf
       {{- end }}
+      {{- if or (.Files.Glob "configs/initdbscripts.sh") .Values.postgresql.initdbscripts .Values.postgresql.configMap}}
+      - name: postgresql-config-initdbscripts
+        configMap:
+          name: {{ template "postgresql.fullname" . }}-configuration
+          items:
+           - key: initdbscripts.sh
+             path: initdbscripts.sh
+      {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
       - name: data
         persistentVolumeClaim:

values.yaml

@@ -34,7 +34,6 @@ service:
   # - 10.10.10.0/24
 
 ## Postgresql values
-
 postgresql:
   username: postgres
   password: postgres
@@ -58,10 +57,12 @@ postgresql:
   ## Default: do not create pg_hba.conf
   ## Alternatively, you can put your pg_hba.conf under the files/ directory
   # pghba: |-
-    #   local all all trust
-    #   host all all localhost trust
-    #   host mydatabase mysuser 192.168.0.0/24 md5
-
+  #   local all all trust
+  #   host all all localhost trust
+  #   host mydatabase mysuser 192.168.0.0/24 md5
+  #initdbscripts: |-
+    #!/bin/sh
+    #echo "helloworld"
   ## ConfigMap with PostgreSQL configuration
   ## NOTE: This will override postgresql.config and postgresql.pghba
   # configMap:
@@ -101,12 +102,57 @@ securityContext:
 
 ldap:
   enabled: false
-    #pgldapconfig: |-
+  pgldapconfig: |-
     # Reference: https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config.yaml
     # Connection parameters to LDAP server
+    ldap_connection:
+      host: example.com
+      port: 389
+      auth:
+        method: :simple
+        username: cn=admin,dc=example,dc=com
+        password: -password-goes-here-
+
+      # Search parameters for LDAP users which should be synchronized
+    ldap_users:
+      base: OU=People,dc=example,dc=com
+      # LDAP filter (according to RFC 2254)
+      # defines to users in LDAP to be synchronized
+      filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
+      # this attribute is used as PG role name
+      name_attribute: sAMAccountName
+      # lowercase name for use as PG role name
+      lowercase_name: true
+    ldap_groups:
+        base: OU=people,dc=example,dc=com
+        filter: (|(cn=group1)(cn=group2)(cn=group3))
+        # this attribute is used as PG role name
+        name_attribute: cn
+        # this attribute must reference to all member DN's of the given group
+        member_attribute: member
+    # Connection parameters to PostgreSQL server
+    # see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+    pg_connection:
+      host: 
+      dbname: postgres # the db name is usually "postgres"
+      user: postgres # the user name is usually "postgres"
+      password: postgres # kubectl get secret --namespace fadi <pod_name> -o jsonpath="{.data.postgresql-password}" | base64 --decode
+    pg_users:
+      # Filter for identifying LDAP generated users in the database.
+      # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+      filter: rolcanlogin AND NOT rolsuper
+      # Options for CREATE RULE statements
+      create_options: LOGIN
+    pg_groups:
+      # Filter for identifying LDAP generated groups in the database.
+      # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+      filter: NOT rolcanlogin AND NOT rolsuper
+      # Options for CREATE RULE statements
+      create_options: NOLOGIN
+      grant_options:
 
   cron:
-    schedule: "0 * * * *"
+    schedule: "*/1 * * * *"
     repo: ceticasbl/pg-ldap-sync
     tag: latest
     restartPolicy: Never
@@ -146,6 +192,11 @@ persistence:
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
 ##
+
+## initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
+##
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little