diff --git a/.bin/certificate.yaml b/.bin/certificate.yaml
new file mode 100644
index 0000000..bef91d5
--- /dev/null
+++ b/.bin/certificate.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+spec:
+ commonName: Self-Signed CA
+ secretName: selfsigned-ca
+ isCA: true
+ issuerRef:
+ name: selfsigned
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca
+spec:
+ ca:
+ secretName: selfsigned-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: custom-cert
+spec:
+ commonName: openldap-stack-ha.default.svc
+ dnsNames:
+ - "openldap-stack-ha.default.svc"
+ - "openldap-stack-ha.default.svc.cluster.local"
+ - "*.openldap-stack-ha-headless.default.svc.cluster.local"
+ secretName: custom-cert
+ issuerRef:
+ name: selfsigned-ca
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 7fbf6e8..d1b320b 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -28,6 +28,8 @@ runs:
 /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
 kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
 kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
+ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml
+ kubectl rollout status deployments -n cert-manager
 - name: setup chaos mesh
 if: ${{ inputs.install-chaos == 'true' }}
 shell: bash
diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml
index 5a24e72..d119ced 100644
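Review bot: The `dnsNames` and `commonName` of `custom-cert` hard-code the release name `openldap-stack-ha` and the `default` namespace, and the file says nothing about that, so a reader reusing it elsewhere gets a Secret whose SANs match no pod. A short header comment would carry the assumption, e.g. `# CI only: selfsigned Issuer -> CA Certificate (selfsigned-ca) -> CA Issuer -> leaf in Secret custom-cert; names assume release openldap-stack-ha in namespace default`. It is also worth stating that the wildcard `*.openldap-stack-ha-headless.default.svc.cluster.local` is what the per-pod provider URLs in templates/_helpers.tpl are expected to match once replication runs with `tls_reqcert=demand`, so it has to track `replication.clusterName`. The file ends without a trailing newline.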
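Review bot: `kubectl rollout status deployments -n cert-manager` only waits for the Deployments to become available; the cert-manager webhook can still refuse the first `Certificate`/`Issuer` objects for a short while after that, so the `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` that the ci-ha.yml and ci-readonly.yml workflows run next may fail intermittently. A readiness check before the step returns, such as `cmctl check api --wait=2m`, or a small retry loop around the apply, would remove the race. The kind node image on the `create cluster` line is pinned by digest while the cert-manager manifest is fetched by tag only; verifying a checksum of the downloaded manifest (or vendoring it under `.bin/`) would put both installs on the same footing.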
--- a/.github/workflows/ci-ha.yml
+++ b/.github/workflows/ci-ha.yml
@@ -15,9 +15,7 @@ jobs:
 - name: setup certs
 shell: bash
 run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
 - name: deploy openldap-stack-ha
 shell: bash
 run: |
@@ -46,7 +44,16 @@ jobs:
 run: |
 echo "verify certificate"
 echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
- if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
+ if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
+ - name: fetch logs
+ shell: bash
+ run: |
+ echo "kubectl logs openldap-stack-ha-0"
+ kubectl logs openldap-stack-ha-0
+ echo "kubectl logs openldap-stack-ha-1"
+ kubectl logs openldap-stack-ha-1
+ echo "kubectl logs openldap-stack-ha-2"
+ kubectl logs openldap-stack-ha-2
 - name: apply chaos tests
 shell: bash
 run: |
diff --git a/.github/workflows/ci-readonly.yml b/.github/workflows/ci-readonly.yml
index e2f832d..8a7bbf5 100644
--- a/.github/workflows/ci-readonly.yml
+++ b/.github/workflows/ci-readonly.yml
@@ -16,9 +16,7 @@ jobs:
 - name: setup certs
 shell: bash
 run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
 - name: deploy openldap-stack-ha
 shell: bash
 run: |
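Review bot: `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` returns as soon as the objects are accepted, but the `custom-cert` Secret only appears after cert-manager has issued the CA and then the leaf, so the `deploy openldap-stack-ha` step that follows can start before the Secret exists. Adding `kubectl wait --for=condition=Ready certificate/custom-cert --timeout=120s` after the apply makes the step block until the Secret is written. The identical hunk in .github/workflows/ci-readonly.yml (`@@ -16,9 +16,7`) needs the same line.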
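Review bot: The new `fetch logs` step has no `if:` condition, so it runs only when the verify step above succeeded, which is when the pod logs are least needed; `if: always()` under `- name: fetch logs` makes them available on failure too. The grep on the line above looks for `CN = Self-Signed CA`, which in the `openssl x509 -text` dump of the served leaf appears to match the `Issuer:` line rather than `Subject:`, so any certificate chained to that CA passes; matching `Subject: CN = openldap-stack-ha.default.svc` (the leaf's commonName in .bin/certificate.yaml) would pin the served certificate, and `-servername example.com` no longer corresponds to any configured dnsName. The same grep appears in the ci-readonly.yml hunk `@@ -36,7 +34,7`.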
@@ -36,7 +34,7 @@ jobs:
 run: |
 echo "verify certificate"
 echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
- if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
+ if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
 - name: test write on main cluster
 shell: bash
 run: |
diff --git a/Chart.yaml b/Chart.yaml
index 0889252..a541c38 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -13,7 +13,7 @@ dependencies:
 - bitnami-common
 version: ~2
 home: https://www.openldap.org
-version: 4.3.0
+version: 4.3.1
 appVersion: 2.6.7
 description: Community developed LDAP software
 icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png
diff --git a/README.md b/README.md
index 187ce4f..ea4ee68 100755
--- a/README.md
+++ b/README.md
@@ -83,8 +83,8 @@ Parameters related to the configuration of the application.
 | `replication.retry` | retry period for replication in sec | `60` |
 | `replication.timeout` | timeout for replication in sec | `1` |
 | `replication.starttls` | starttls replication | `critical` |
-| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
-| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` |
+| `replication.tls_reqcert` | override the tls_reqcert parameter (default if never and demand when `initTLSSecret.tls_enabled = true` ) | `never` |
+| `replication.tls_cacert` | override the location of tls_cacert to trust (allowed when `initTLSSecret.tls_enabled = true` ) | `nil` |
 | `replication.interval` | interval for replication | `00:00:00:10` |
 | `replication.clusterName` | Set the clustername for replication | "cluster.local" |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index b981f16..292ca4d 100755
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -64,8 +64,24 @@ Generate olcServerID list
 {{- end -}}
 {{- define "openldap.replication.tls_cacert" -}}
-{{- if .Values.replication.tls_cacert -}}
-{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_cacert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+ {{- else }}
+ {{- printf "tls_cacert=/opt/bitnami/openldap/certs/ca.crt" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "openldap.replication.tls_reqcert" -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_reqcert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}
+ {{- else }}
+ {{- printf "tls_reqcert=demand" -}}
+ {{- end -}}
+{{- else }}
+ {{- printf "tls_reqcert=never" -}}
 {{- end -}}
 {{- end -}}
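Review bot: In the new `openldap.replication.tls_reqcert` helper the override branch prints the wrong key: `{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}` emits `tls_cacert=<value>` instead of `tls_reqcert=<value>`, so a user who sets `replication.tls_reqcert` with `initTLSSecret.tls_enabled` gets two `tls_cacert=` tokens in `olcSyncRepl` and no `tls_reqcert=` at all. It should read `{{- printf "tls_reqcert=%s" .Values.replication.tls_reqcert -}}`. CI will not catch this because the values.yaml hunk leaves `replication.tls_reqcert` commented out, so only the `demand` default is exercised. Note as well that when `tls_enabled` is false the helper forces `tls_reqcert=never` and silently ignores any `replication.tls_reqcert` value; the README row describing it as an override should say so.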
@@ -81,12 +97,12 @@ Generate olcSyncRepl list
 {{- $retry := .Values.replication.retry }}
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
 {{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $nodeCount := .Values.replicaCount | int }}
 {{- range $index0 := until $nodeCount }}
 {{- $index1 := $index0 | add1 }}
- olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
+ olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} {{ $tls_reqcert }} {{ $tls_cacert }}
 {{- end -}}
 {{- end -}}
@@ -103,7 +119,7 @@ Generate olcSyncRepl list
 {{- $retry := .Values.replication.retry }}
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
 {{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $interval := .Values.replication.interval }}
 {{- $nodeCount := .Values.replicaCount | int }}
@@ -122,7 +138,7 @@ Generate olcSyncRepl list
 retry="{{ $retry }} +"
 timeout={{ $timeout }}
 starttls={{ $starttls }}
- tls_reqcert={{ $tls_reqcert }}
+ {{ $tls_reqcert }}
 {{ $tls_cacert }}
 {{- end -}}
 {{- end -}}
diff --git a/values.yaml b/values.yaml
index 7c687f5..a6f3f2b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -237,7 +237,9 @@ replication:
 timeout: 1
 interval: 00:00:00:10
 starttls: "critical"
- tls_reqcert: "never"
+ # override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )
+ # tls_reqcert: "never"
+ # override the location of tls_cacert to trust (allowed when initTLSSecret.tls_enabled = true )
 # tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
 ## Persist data to a persistent volume
 persistence:
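Review bot: The new comment says `default if never and demand when initTLSSecret.tls_enabled = true`; `if` should be `is`, and the README hunk carries the same typo. Since commenting out `tls_reqcert: "never"` changes the effective setting for charts with `initTLSSecret.tls_enabled: true` from `never` to `demand` (replication consumers now require a provider certificate that verifies against the CA the tls_cacert helper points at), the comment should state that, e.g. `# tls_reqcert override; default is "never", or "demand" when initTLSSecret.tls_enabled is true (the provider certificate is then verified against tls_cacert)`. Keeping it as a commented example rather than an explicit value is fine, but a changelog or README line for the behaviour change would help upgraders.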