v1.0.4

templates/ldap.toml.j2

@@ -0,0 +1,63 @@
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "openldap.auth.svc.cluster.local"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
+use_ssl = false
+# If set to true, use LDAP with STARTTLS instead of LDAPS
+start_tls = false
+# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"])
+# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
+# Starting with Grafana v11.0 only ciphers with ECDHE support are accepted for TLS 1.2 connections.
+tls_ciphers = []
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1 (only for Grafana v10.4 or earlier), TLS1.2, TLS1.3.
+min_tls_version = ""
+# set to true if you want to skip SSL cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "cn=readonly,dc=eom,dc=dev"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = "{{ ldap_readonly_password }}"
+# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
+# bind_password = '$__env{LDAP_BIND_PASSWORD}'
+
+# Timeout in seconds. Applies to each host specified in the 'host' entry (space separated).
+timeout = 30
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
+search_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))"
+
+# An array of base dns to search through
+search_base_dns = ["dc=eom,dc=dev"]
+
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+group_search_filter_user_attribute = "uid"
+group_search_base_dns = ["dc=eom,dc=dev"]
+
+# Specify names of the LDAP attributes your LDAP uses
+[servers.attributes]
+username = "uid"
+email =  "mail"
+name = "givenName"
+surname = "sn"
+
+[[servers.group_mappings]]
+group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
+org_id = 2
+org_role = "Admin"
+grafana_admin = true
+
+[[servers.group_mappings]]
+group_dn = "cn=DevOps Members,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
+org_id = 2
+org_role = "Viewer"
+grafana_admin = true

templates/values.yaml.j2

@@ -260,17 +260,17 @@ mastodon:
     auth_method: plain
     ca_file: /etc/ssl/certs/ca-certificates.crt
     delivery_method: smtp
-    domain:
+    domain: mail.eom.dev
     enable_starttls: "auto"
-    from_address: notifications@example.com
+    from_address: mastodon@mail.eom.dev
     return_path:
     openssl_verify_mode: peer
     port: 587
     reply_to:
-    server: smtp.mailgun.org
-    tls: false
-    login:
-    password:
+    server: mail.eom.dev
+    tls: true
+    login: mastodon
+    password: {{ mastodon_mail_password }}
     # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
     # password must be located in keys named `login` and `password` respectively.
     existingSecret:
@@ -455,19 +455,18 @@ mastodon:
 ingress:
   enabled: true
   annotations:
-    cert-manager.io/cluster-issuer: ca-issuer
     # For choosing an ingress ingressClassName is preferred over annotations
     # kubernetes.io/ingress.class: nginx
     #
     # To automatically request TLS certificates use one of the following
     # kubernetes.io/tls-acme: "true"
-    # cert-manager.io/cluster-issuer: "letsencrypt"
+    cert-manager.io/cluster-issuer: ca-issuer
     #
     # ensure that NGINX's upload size matches Mastodon's
     #   for the K8s ingress controller:
     # nginx.ingress.kubernetes.io/proxy-body-size: 40m
     #   for the NGINX ingress controller:
-    # nginx.org/client-max-body-size: 40m
+    nginx.org/client-max-body-size: 40m
   # -- you can specify the ingressClassName if it differs from the default
   ingressClassName: nginx
   hosts:
@@ -487,13 +486,13 @@ ingress:
     annotations:
     ingressClassName:
     hosts:
-      - host: streaming.mastodon.local
+      - host: streaming.mastodon.eom.dev
         paths:
           - path: "/"
     tls:
       - secretName: mastodon-tls
         hosts:
-          - streaming.mastodon.local
+          - streaming.mastodon.eom.dev
 
 # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
 elasticsearch:
@@ -534,7 +533,7 @@ postgresql:
     # you must set a password; the password generated by the postgresql chart will
     # be rotated on each upgrade:
     # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
-    password: {{ mastodon_postgres_password }}
+    password: "{{ mastodon_postgres_password }}"
     # Set the password for the "postgres" admin user
     # set this to the same value as above if you've previously installed
     # this chart and you're having problems getting mastodon to connect to the DB
@@ -567,7 +566,7 @@ redis:
   auth:
     # -- you must set a password; the password generated by the redis chart will be
     # rotated on each upgrade:
-    password: ""
+    password: "{{ mastodon_redis_password }}"
     # setting password for an existing redis instance will store it in a new Secret
     # you can also specify the name of an existing Secret
     # with a key of redis-password set to the password you want
@@ -696,13 +695,13 @@ externalAuth:
     host: openldap.auth.svc.cluster.local
     port: 389
     method: plain
-    # tls_no_verify: true
+    tls_no_verify: true
     base: dc=eom,dc=dev
     bind_dn: cn=readonly,dc=eom,dc=dev
     password: {{ ldap_readonly_password }}
     uid: uid
     mail: mail
-    search_filter: (|(objectClass=inetOrgPerson))
+    search_filter: "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%{uid}))"
     # uid_conversion:
     #   enabled: true
     #   search: "., -"