From a0d41c6f056f303a4875ebddb65e7eb0417ebe07 Mon Sep 17 00:00:00 2001 From: Dreaded_X Date: Tue, 22 Apr 2025 10:49:39 +0200 Subject: [PATCH] Added option to load lldap password from file --- manifests/deployment.yaml | 15 ++++++++++----- src/lldap.rs | 18 ++++++++++++++++-- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index 10dead4..2576275 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -31,6 +31,10 @@ spec: requests: cpu: 50m memory: 100Mi + volumeMounts: + - name: credentials + readOnly: true + mountPath: "/secrets/credentials" env: - name: RUST_LOG value: info,lldap_controller=debug @@ -38,10 +42,11 @@ spec: value: "http://lldap:17170" - name: LLDAP_USERNAME value: admin - - name: LLDAP_PASSWORD - valueFrom: - secretKeyRef: - name: lldap-credentials - key: lldap-ldap-user-pass + - name: LLDAP_PASSWORD_FILE + value: /secrets/credentials/password - name: LLDAP_BIND_DN value: uid={username},ou=people,dc=huizinga,dc=dev + volumes: + - name: credentials + secret: + secretName: siranga-lldap-credentials diff --git a/src/lldap.rs b/src/lldap.rs index 6e21840..53e253a 100644 --- a/src/lldap.rs +++ b/src/lldap.rs @@ -30,6 +30,8 @@ pub enum Error { GraphQl(#[from] GraphQlError), #[error("Missing environment variable: {0}")] MissingEnvironmentVariable(&'static str), + #[error("Could not read password file: {0}")] + CouldNotReadPasswordFile(#[from] std::io::Error), } pub type Result = std::result::Result; 
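Review bot: In the second deployment.yaml hunk, `LLDAP_PASSWORD_FILE` points at `/secrets/credentials/password`, but a secret volume names each file after its key, and the removed `secretKeyRef` read the key `lldap-ldap-user-pass` from `lldap-credentials`. Unless `siranga-lldap-credentials` has a key named `password` (the secret is not visible here), the file will not exist and the controller will fail at startup with the new read error. An `items:` entry under `secret:` that maps the key to `path: password` would make that dependency explicit in the manifest. It is also worth confirming that the `siranga-` prefixed secret is the intended one for this controller, and setting `defaultMode: 0400` on the volume if the container user allows it, so the password file is readable only by its owner.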
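Review bot: `#[from] std::io::Error` on `CouldNotReadPasswordFile` means every `std::io::Error` that reaches a `?` in code returning this `Error` is converted to "Could not read password file", so unrelated I/O failures added later will be mislabelled. The message also omits which path failed, which is the first thing an operator needs when the secret mount or key name is wrong. I would drop `#[from]`, make it a struct variant carrying `path: String` and `#[source] source: std::io::Error`, and construct it explicitly in `try_from_env`. Only the path belongs in the error; the file content must never be included.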
@@ -55,11 +57,23 @@ pub struct LldapConfig { impl LldapConfig { pub fn try_from_env() -> Result { + let password = std::env::var("LLDAP_PASSWORD_FILE").map_or_else( + |_| { + std::env::var("LLDAP_PASSWORD").map_err(|_| { + Error::MissingEnvironmentVariable("LLDAP_PASSWORD or LLDAP_PASSWORD_FILE") + }) + }, + |path| { + std::fs::read_to_string(path) + .map(|v| v.trim().into()) + .map_err(|err| err.into()) + }, + )?; + Ok(Self { username: std::env::var("LLDAP_USERNAME") .map_err(|_| Error::MissingEnvironmentVariable("LLDAP_USERNAME"))?, - password: std::env::var("LLDAP_PASSWORD") - .map_err(|_| Error::MissingEnvironmentVariable("LLDAP_PASSWORD"))?, + password, url: std::env::var("LLDAP_URL") .map_err(|_| Error::MissingEnvironmentVariable("LLDAP_URL"))?, })
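Review bot: `.map(|v| v.trim().into())` strips all leading and trailing whitespace, so a password that legitimately starts or ends with a space is silently altered and authentication fails with no hint why; strip only the line ending, e.g. `.map(|v| v.trim_end_matches(['\r', '\n']).to_owned())`. An empty or newline-only file currently yields an empty password that is accepted as valid configuration. If this value is used for an LDAP simple bind (the manifest sets `LLDAP_BIND_DN`, so it may be), that is risky because some servers treat an empty password as an unauthenticated bind, so it should be rejected here with its own error. The precedence also deserves a doc comment on `try_from_env`, such as `/// LLDAP_PASSWORD_FILE, when set, takes precedence over LLDAP_PASSWORD.` The function's closing braces lie outside this hunk.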