fix: include TLS config in initial cn=config entry

slapadd doesn't understand LDIF change records (changetype: modify). Move TLS configuration attributes directly into the cn=config entry instead of using a separate modify operation.
feat: trigger CD pipeline after image push
2025-12-28 02:06:15 +01:00 · 2025-12-28 01:12:13 +01:00 · 2025-12-28 01:00:33 +01:00
3 changed files with 55 additions and 39 deletions
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@ -273,23 +273,36 @@ jobs:
        if: always()
        run: docker logout ${{ env.REGISTRY }} || true
-  # Stage 7: Update CD pipeline (trigger deployment)
+  # Stage 7: Trigger CD pipeline for terraform-docker-openldap
  update-cd:
    runs-on: ubuntu-latest
    needs: push
    if: needs.push.result == 'success'
    steps:
-      - name: Trigger CD pipeline
+      - name: Trigger terraform-docker-openldap pipeline
        run: |
          echo "=============================================="
-          echo "  Ready to update CD pipeline"
+          echo "  Triggering CD pipeline"
          echo "=============================================="
          echo "New version: ${{ needs.push.outputs.version }}"
          echo "Full image:  ${{ needs.push.outputs.full_image }}"
          echo ""
-          echo "TODO: Add step to update version in CD repository"
+
-          echo "This could be:"
+          # Trigger the Gitea Actions workflow via repository dispatch
-          echo "  - Update docker-compose.yml in infra repo"
+          curl -X POST \
-          echo "  - Update Helm values"
+            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-          echo "  - Trigger ArgoCD sync"
+            -H "Content-Type: application/json" \
            "${{ vars.GITEA_URL }}/api/v1/repos/wbyc/terraform-docker-openldap/actions/workflows/pipeline.yaml/dispatches" \
            -d '{
              "ref": "main",
              "inputs": {
                "image_tag": "${{ needs.push.outputs.version }}"
              }
            }' || {
              echo "::warning::Failed to trigger CD pipeline"
              exit 1
            }
          echo "=============================================="
          echo "  CD pipeline triggered successfully"
          echo "=============================================="
--- a/scripts/init-config.sh
+++ b/scripts/init-config.sh
@ -13,6 +13,20 @@ export LDAP_ADMIN_PASSWORD_HASH LDAP_CONFIG_PASSWORD_HASH
 # Create initial slapd.d configuration
 rm -rf /etc/openldap/slapd.d/*
 # Build TLS attributes if enabled
 TLS_CONFIG=""
 if [ "$LDAP_TLS_ENABLED" = "true" ] && [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
    log_info "Adding TLS configuration..."
    TLS_CONFIG="olcTLSCertificateFile: ${LDAP_TLS_CERT_FILE}
 olcTLSCertificateKeyFile: ${LDAP_TLS_KEY_FILE}"
    if [ -f "$LDAP_TLS_CA_FILE" ]; then
        TLS_CONFIG="${TLS_CONFIG}
 olcTLSCACertificateFile: ${LDAP_TLS_CA_FILE}"
    fi
    TLS_CONFIG="${TLS_CONFIG}
 olcTLSVerifyClient: ${LDAP_TLS_VERIFY_CLIENT}"
 fi
 # Create base cn=config LDIF
 cat > /tmp/init-config.ldif << EOF
 dn: cn=config
@ -21,6 +35,7 @@ cn: config
 olcArgsFile: /run/openldap/slapd.args
 olcPidFile: /run/openldap/slapd.pid
 olcLogLevel: ${LDAP_LOG_LEVEL}
 ${TLS_CONFIG}
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
@ -68,35 +83,6 @@ olcDbIndex: entryUUID eq
 olcDbMaxSize: 1073741824
 EOF
 # Add TLS configuration if enabled and certs exist
 if [ "$LDAP_TLS_ENABLED" = "true" ] && [ -f "$LDAP_TLS_CERT_FILE" ] && [ -f "$LDAP_TLS_KEY_FILE" ]; then
    log_info "Adding TLS configuration..."
    cat >> /tmp/init-config.ldif << EOF
 dn: cn=config
 changetype: modify
 add: olcTLSCertificateFile
 olcTLSCertificateFile: ${LDAP_TLS_CERT_FILE}
 -
 add: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: ${LDAP_TLS_KEY_FILE}
 EOF
    if [ -f "$LDAP_TLS_CA_FILE" ]; then
        cat >> /tmp/init-config.ldif << EOF
 -
 add: olcTLSCACertificateFile
 olcTLSCACertificateFile: ${LDAP_TLS_CA_FILE}
 EOF
    fi
    cat >> /tmp/init-config.ldif << EOF
 -
 add: olcTLSVerifyClient
 olcTLSVerifyClient: ${LDAP_TLS_VERIFY_CLIENT}
 EOF
 fi
 # Import the configuration
 log_info "Importing cn=config with slapadd..."
 /usr/sbin/slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/init-config.ldif
--- a/scripts/init-replication.sh
+++ b/scripts/init-replication.sh
@ -91,13 +91,30 @@ IFS="$OLD_IFS"
 # Configure syncrepl and mirrormode on the database
 log_info "Configuring syncrepl and mirrormode..."
 # Check if olcSyncRepl attribute already exists
 if ldapsearch -Y EXTERNAL -H "$LDAPI_SOCKET" -b "olcDatabase={1}mdb,cn=config" -s base "(olcSyncRepl=*)" olcSyncRepl 2>/dev/null | grep -q "olcSyncRepl:"; then
    SYNCREPL_OP="replace"
    log_info "Updating existing syncrepl configuration..."
 else
    SYNCREPL_OP="add"
    log_info "Adding new syncrepl configuration..."
 fi
 # Check if olcMirrorMode attribute already exists
 if ldapsearch -Y EXTERNAL -H "$LDAPI_SOCKET" -b "olcDatabase={1}mdb,cn=config" -s base "(olcMirrorMode=*)" olcMirrorMode 2>/dev/null | grep -q "olcMirrorMode:"; then
    MIRRORMODE_OP="replace"
 else
    MIRRORMODE_OP="add"
 fi
 cat > /tmp/repl-syncrepl.ldif << EOF
 dn: olcDatabase={1}mdb,cn=config
 changetype: modify
-replace: olcSyncRepl
+${SYNCREPL_OP}: olcSyncRepl
 ${SYNCREPL_CONFIG}
 -
-replace: olcMirrorMode
+${MIRRORMODE_OP}: olcMirrorMode
 olcMirrorMode: TRUE
 EOF
Author	SHA1	Message	Date
Patrick de Ruiter	c66df72e8d	fix: include TLS config in initial cn=config entry Some checks failed CI Pipeline / lint (push) Successful in 20s Details CI Pipeline / build (push) Successful in 1m2s Details CI Pipeline / test (push) Successful in 1m2s Details CI Pipeline / security-scan (push) Successful in 1m32s Details CI Pipeline / autotag (push) Successful in 25s Details CI Pipeline / push (push) Successful in 22s Details CI Pipeline / update-cd (push) Failing after 17s Details slapadd doesn't understand LDIF change records (changetype: modify). Move TLS configuration attributes directly into the cn=config entry instead of using a separate modify operation.	2025-12-28 02:06:15 +01:00
Patrick de Ruiter	9b15cc31cb	feat: trigger CD pipeline after image push Some checks failed CI Pipeline / lint (push) Successful in 17s Details CI Pipeline / build (push) Successful in 40s Details CI Pipeline / test (push) Successful in 1m5s Details CI Pipeline / security-scan (push) Successful in 1m22s Details CI Pipeline / autotag (push) Successful in 17s Details CI Pipeline / push (push) Successful in 19s Details CI Pipeline / update-cd (push) Failing after 16s Details Add stage 7 to trigger terraform-docker-openldap pipeline via Gitea API after successfully pushing a new image to the registry. This enables automatic deployment of new container versions. Requires GITEA_TOKEN secret and GITEA_URL variable to be configured.	2025-12-28 01:12:13 +01:00
Patrick de Ruiter	d5405f3bba	fix: handle first-time syncrepl configuration All checks were successful CI Pipeline / lint (push) Successful in 28s Details CI Pipeline / build (push) Successful in 1m12s Details CI Pipeline / test (push) Successful in 1m8s Details CI Pipeline / security-scan (push) Successful in 1m38s Details CI Pipeline / autotag (push) Successful in 24s Details CI Pipeline / push (push) Successful in 21s Details CI Pipeline / update-cd (push) Successful in 15s Details Check if olcSyncRepl and olcMirrorMode attributes exist before deciding whether to use 'add' or 'replace' operation. Previously the script always used 'replace' which fails on first-time setup when the attributes don't exist yet.	2025-12-28 01:00:33 +01:00