add function to define how to trust certificate during replication an…
…d when to require cert verification
jp-gouin committed Oct 21, 2024
1 parent 954c071 commit 61aec51
Showing 7 changed files with 73 additions and 15 deletions.
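--- a/.bin/certificate.yaml
+++ b/.bin/certificate.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned
+spec:
+selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: selfsigned-ca
+spec:
+commonName: Self-Signed CA
+secretName: selfsigned-ca
+isCA: true
+issuerRef:
+name: selfsigned
+kind: Issuer
+group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned-ca
+spec:
+ca:
+secretName: selfsigned-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: custom-cert
+spec:
+commonName: openldap.default.svc
+dnsNames:
+- "openldap.default.svc"
+- "openldap.default.svc.cluster.local"
+- "*.openldap-headless.default.svc.cluster.local"
+secretName: custom-cert
+issuerRef:
+name: selfsigned-ca
+kind: Issuer
+group: cert-manager.io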
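Review bot: The SANs on `custom-cert` hard-code the release name `openldap` and the namespace `default` (`openldap.default.svc`, `*.openldap-headless.default.svc.cluster.local`), while the provider URL built in templates/_helpers.tpl on this same commit is `{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}`. Since `tls_reqcert=demand` now becomes the default whenever `initTLSSecret.tls_enabled` is true, a release installed under any other name or namespace would fail replication hostname verification against this certificate (inferred from the helper; the deploy step that sets the release name is not on this page). A header comment such as `# CI fixture: dnsNames assume release name "openldap" in namespace "default"; adjust for any other release/namespace` would keep the file from being copied as-is into a real deployment. It may also be worth giving `selfsigned-ca` and `custom-cert` an explicit `duration`/`renewBefore` instead of relying on cert-manager's defaults.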
1 change: 1 addition & 0 deletions .github/actions/setup/action.yaml
Expand Up @@ -28,6 +28,7 @@ runs:
/tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml
- name: setup chaos mesh
if: ${{ inputs.install-chaos == 'true' }}
shell: bash
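Review bot: The added `kubectl apply` of the cert-manager manifest returns as soon as the objects are accepted, but the Issuer/Certificate resources that ci-ha.yml and ci-readonly.yml apply right afterwards go through cert-manager's admission webhook, which is typically not serving yet at that point, so `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` can fail intermittently with a webhook connection error. Add a readiness wait directly after the apply, e.g. `kubectl wait --namespace cert-manager --for=condition=Available deployment --all --timeout=180s`. The manifest is fetched by release tag only, whereas the kind node image on the previous line is pinned by digest; pinning the manifest (or vendoring it under .bin) would make the two consistent. v1.1.1 is also an old cert-manager release line to pair with a v1.31.0 kind node, which is worth confirming (not verifiable from this page). The `run:` block containing these lines starts above the hunk.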
4 changes: 1 addition & 3 deletions .github/workflows/ci-ha.yml
Expand Up @@ -15,9 +15,7 @@ jobs:
- name: setup certs
shell: bash
run: |
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
cp tls.crt ca.crt
kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
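Review bot: `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` returns before cert-manager has issued anything, so the `custom-cert` secret the chart mounts may not exist yet when the `deploy openldap-stack-ha` step runs; the replaced `kubectl create secret generic custom-cert ...` created it synchronously, so this is a new race. Add `kubectl wait --for=condition=Ready certificate/custom-cert --timeout=120s` after the apply, unless the deploy step itself retries until the secret appears (its `run:` body continues past the hunk). The same applies to the identical hunk in .github/workflows/ci-readonly.yml.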
4 changes: 1 addition & 3 deletions .github/workflows/ci-readonly.yml
Expand Up @@ -16,9 +16,7 @@ jobs:
- name: setup certs
shell: bash
run: |
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
cp tls.crt ca.crt
kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -83,8 +83,8 @@ Parameters related to the configuration of the application.
| `replication.retry` | retry period for replication in sec | `60` |
| `replication.timeout` | timeout for replication in sec | `1` |
| `replication.starttls` | starttls replication | `critical` |
| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` |
| `replication.tls_reqcert` | override the tls_reqcert parameter (default if never and demand when `initTLSSecret.tls_enabled = true` ) | `never` |
| `replication.tls_cacert` | override the location of tls_cacert to trust (allowed when `initTLSSecret.tls_enabled = true` ) | `nil` |
| `replication.interval` | interval for replication | `00:00:00:10` |
| `replication.clusterName` | Set the clustername for replication | "cluster.local" |

28 changes: 22 additions & 6 deletions templates/_helpers.tpl
Expand Up @@ -64,8 +64,24 @@ Generate olcServerID list
{{- end -}}

{{- define "openldap.replication.tls_cacert" -}}
{{- if .Values.replication.tls_cacert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
{{- if .Values.initTLSSecret.tls_enabled -}}
{{- if .Values.replication.tls_cacert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
{{- else }}
{{- printf "tls_cacert=/opt/bitnami/openldap/certs/ca.crt" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "openldap.replication.tls_reqcert" -}}
{{- if .Values.initTLSSecret.tls_enabled -}}
{{- if .Values.replication.tls_reqcert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}
{{- else }}
{{- printf "tls_reqcert=demand" -}}
{{- end -}}
{{- else }}
{{- printf "tls_reqcert=never" -}}
{{- end -}}
{{- end -}}

Expand All @@ -81,12 +97,12 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
{{- $tls_reqcert := .Values.replication.tls_reqcert }}
{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $nodeCount := .Values.replicaCount | int }}
{{- range $index0 := until $nodeCount }}
{{- $index1 := $index0 | add1 }}
olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} {{ $tls_reqcert }} {{ $tls_cacert }}
{{- end -}}
{{- end -}}

Expand All @@ -103,7 +119,7 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
{{- $tls_reqcert := .Values.replication.tls_reqcert }}
{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $interval := .Values.replication.interval }}
{{- $nodeCount := .Values.replicaCount | int }}
Expand All @@ -122,7 +138,7 @@ Generate olcSyncRepl list
retry="{{ $retry }} +"
timeout={{ $timeout }}
starttls={{ $starttls }}
tls_reqcert={{ $tls_reqcert }}
{{ $tls_reqcert }}
{{ $tls_cacert }}
{{- end -}}
{{- end -}}
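Review bot: In the new `openldap.replication.tls_reqcert` helper the override branch prints the wrong key: `{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}` emits `tls_cacert=<value>` instead of `tls_reqcert=<value>`, so a user who sets `replication.tls_reqcert` gets a second `tls_cacert=` token in olcSyncRepl and no `tls_reqcert` at all; it should read `{{- printf "tls_reqcert=%s" .Values.replication.tls_reqcert -}}`. Separately, when `initTLSSecret.tls_enabled` is false the helper always emits `tls_reqcert=never` and ignores `replication.tls_reqcert`, which does not match the README/values.yaml wording that the value is an override; either honour the value in the `else` branch or document that it only applies with TLS enabled. Defaulting to `demand` with a CA path when TLS is enabled is the right direction, since `starttls=critical` with `tls_reqcert=never` gives encryption without provider authentication. The `olcSyncRepl` defines that consume these helpers start and end outside their hunks.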
4 changes: 3 additions & 1 deletion values.yaml
Expand Up @@ -237,7 +237,9 @@ replication:
timeout: 1
interval: 00:00:00:10
starttls: "critical"
tls_reqcert: "never"
# override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )
# tls_reqcert: "never"
# override the location of tls_cacert to trust (allowed when initTLSSecret.tls_enabled = true )
# tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
## Persist data to a persistent volume
persistence:
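Review bot: The new comment `# override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )` reads "default if never" where "default is never" is meant, and it does not say that, per the helper in templates/_helpers.tpl on this commit, an explicit value is only applied when `initTLSSecret.tls_enabled` is true. Suggested wording: `# tls_reqcert is "never" by default and "demand" when initTLSSecret.tls_enabled is true; an explicit value here is applied only when initTLSSecret.tls_enabled is true`. The same README row (`replication.tls_reqcert`) carries the identical typo. Leaving the keys commented out is fine for the template (a missing `.Values.replication.tls_reqcert` evaluates as false), but keep the quoted-string form shown here for any value users uncomment.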
