From 61aec51d1757684f4fbe0117c080f9a603d01faf Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Mon, 21 Oct 2024 19:29:30 +0000
Subject: [PATCH] add function to define how to trust certificate during replication and when to require cert verification
---
 .bin/certificate.yaml | 43 +++++++++++++++++++++++++++++++
 .github/actions/setup/action.yaml | 1 +
 .github/workflows/ci-ha.yml | 4 +--
 .github/workflows/ci-readonly.yml | 4 +--
 README.md | 4 +--
 templates/_helpers.tpl | 28 +++++++++++++++-----
 values.yaml | 4 ++-
 7 files changed, 73 insertions(+), 15 deletions(-)
 create mode 100644 .bin/certificate.yaml
diff --git a/.bin/certificate.yaml b/.bin/certificate.yaml
new file mode 100644
index 0000000..5df6aa3
--- /dev/null
+++ b/.bin/certificate.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+spec:
+ commonName: Self-Signed CA
+ secretName: selfsigned-ca
+ isCA: true
+ issuerRef:
+ name: selfsigned
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca
+spec:
+ ca:
+ secretName: selfsigned-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: custom-cert
+spec:
+ commonName: openldap.default.svc
+ dnsNames:
+ - "openldap.default.svc"
+ - "openldap.default.svc.cluster.local"
+ - "*.openldap-headless.default.svc.cluster.local"
+ secretName: custom-cert
+ issuerRef:
+ name: selfsigned-ca
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 7fbf6e8..4361c05 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
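Review bot: The `custom-cert` SANs hard-code the `default` namespace and the `cluster.local` suffix, and with the chart now emitting `tls_reqcert=demand` whenever `initTLSSecret.tls_enabled` is set, the syncrepl provider hostname `<name>-<i>.<name>-headless.<namespace>.svc.<clusterName>` has to match `*.openldap-headless.default.svc.cluster.local` exactly or the peers will reject each other's certificates. That holds for the CI defaults used here, but the assumption should be written down at the top of the file, e.g. `# CI-only self-signed CA; SANs assume release name openldap, namespace default and replication.clusterName cluster.local`. Consider an explicit `duration`/`renewBefore` on both Certificates so the lifetime of this throwaway CA is stated rather than left to cert-manager's default, and add the missing trailing newline.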
@@ -28,6 +28,7 @@ runs:
 /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
 kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
 kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
+ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml
 - name: setup chaos mesh
 if: ${{ inputs.install-chaos == 'true' }}
 shell: bash
diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml
index 5a24e72..8888fcd 100644
--- a/.github/workflows/ci-ha.yml
+++ b/.github/workflows/ci-ha.yml
@@ -15,9 +15,7 @@ jobs:
 - name: setup certs
 shell: bash
 run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
 - name: deploy openldap-stack-ha
 shell: bash
 run: |
diff --git a/.github/workflows/ci-readonly.yml b/.github/workflows/ci-readonly.yml
index e2f832d..4ecfb81 100644
--- a/.github/workflows/ci-readonly.yml
+++ b/.github/workflows/ci-readonly.yml
@@ -16,9 +16,7 @@ jobs:
 - name: setup certs
 shell: bash
 run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
 - name: deploy openldap-stack-ha
 shell: bash
 run: |
diff --git a/README.md b/README.md
index 187ce4f..ea4ee68 100755
--- a/README.md
+++ b/README.md
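Review bot: The added `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml` installs a cert-manager release from 2020, long outside the project's support window, onto a kind node pinned to v1.31.0 two lines above; I have not checked that its manifests still apply cleanly on a 1.31 API server, so please confirm rather than relying on the step not erroring. Nothing here waits for cert-manager's admission webhook, which later steps need before an Issuer or Certificate can be created; add `kubectl wait -n cert-manager --for=condition=Available deployment/cert-manager-webhook --timeout=120s` after the apply. The kind image is pinned by digest but this manifest is fetched from a mutable release asset with no checksum; vendoring it next to `.bin/kind-conf.yml` or verifying its sha256 before applying would match the pinning already used in this block. The enclosing `run: |` block starts before the hunk.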
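Review bot: `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` returns as soon as the objects are accepted, whereas the removed `kubectl create secret generic custom-cert` produced the Secret synchronously, so the following deploy step can now start before cert-manager has issued `custom-cert`; add `kubectl wait --for=condition=Ready certificate/custom-cert --timeout=120s` after the apply. The identical hunk in `.github/workflows/ci-readonly.yml` needs the same wait. The removed secret also carried a `ca.crt` key; cert-manager's CA issuer does populate `ca.crt` in the issued Secret, which the new `tls_cacert=/opt/bitnami/openldap/certs/ca.crt` default in `templates/_helpers.tpl` appears to rely on, so confirm the chart mounts that key under that path.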
@@ -83,8 +83,8 @@ Parameters related to the configuration of the application.
 | `replication.retry` | retry period for replication in sec | `60` |
 | `replication.timeout` | timeout for replication in sec | `1` |
 | `replication.starttls` | starttls replication | `critical` |
-| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
-| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` |
+| `replication.tls_reqcert` | override the tls_reqcert parameter (default if never and demand when `initTLSSecret.tls_enabled = true` ) | `never` |
+| `replication.tls_cacert` | override the location of tls_cacert to trust (allowed when `initTLSSecret.tls_enabled = true` ) | `nil` |
 | `replication.interval` | interval for replication | `00:00:00:10` |
 | `replication.clusterName` | Set the clustername for replication | "cluster.local" |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index b981f16..292ca4d 100755
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -64,8 +64,24 @@ Generate olcServerID list
 {{- end -}}
 {{- define "openldap.replication.tls_cacert" -}}
-{{- if .Values.replication.tls_cacert -}}
-{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_cacert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+ {{- else }}
+ {{- printf "tls_cacert=/opt/bitnami/openldap/certs/ca.crt" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "openldap.replication.tls_reqcert" -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_reqcert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}
+ {{- else }}
+ {{- printf "tls_reqcert=demand" -}}
+ {{- end -}}
+{{- else }}
+ {{- printf "tls_reqcert=never" -}}
 {{- end -}}
 {{- end -}}
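Review bot: In the new `openldap.replication.tls_reqcert` define the override branch prints the wrong key: `{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}` should be `{{- printf "tls_reqcert=%s" .Values.replication.tls_reqcert -}}`. As written, setting `replication.tls_reqcert` with TLS enabled emits a second `tls_cacert=` entry (carrying a value such as `demand`) next to the one from `openldap.replication.tls_cacert` and drops `tls_reqcert` from the syncrepl line entirely, so the override the README advertises silently does nothing and verification falls back to whatever slapd defaults to. The `else` branch for `tls_enabled` false ignores both `replication.tls_reqcert` and `replication.tls_cacert` and hard-codes `tls_reqcert=never`; that is a defensible choice for deployments without a CA, but it should be stated on the define, e.g. `{{/* Without initTLSSecret there is no CA to verify against, so verification is forced off and the overrides are ignored */}}`. The default path `/opt/bitnami/openldap/certs/ca.crt` is not established anywhere in this diff; presumably it is where the chart mounts `initTLSSecret`, and a comment naming that mount would make the coupling visible.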
@@ -81,12 +97,12 @@ Generate olcSyncRepl list
 {{- $retry := .Values.replication.retry }}
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
 {{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $nodeCount := .Values.replicaCount | int }}
 {{- range $index0 := until $nodeCount }}
 {{- $index1 := $index0 | add1 }}
- olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
+ olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} {{ $tls_reqcert }} {{ $tls_cacert }}
 {{- end -}}
 {{- end -}}
@@ -103,7 +119,7 @@ Generate olcSyncRepl list
 {{- $retry := .Values.replication.retry }}
 {{- $timeout := .Values.replication.timeout }}
 {{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
 {{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
 {{- $interval := .Values.replication.interval }}
 {{- $nodeCount := .Values.replicaCount | int }}
@@ -122,7 +138,7 @@ Generate olcSyncRepl list
 retry="{{ $retry }} +"
 timeout={{ $timeout }}
 starttls={{ $starttls }}
- tls_reqcert={{ $tls_reqcert }}
+ {{ $tls_reqcert }}
 {{ $tls_cacert }}
 {{- end -}}
 {{- end -}}
diff --git a/values.yaml b/values.yaml
index 7c687f5..a6f3f2b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -237,7 +237,9 @@ replication:
 timeout: 1
 interval: 00:00:00:10
 starttls: "critical"
- tls_reqcert: "never"
+ # override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )
+ # tls_reqcert: "never"
+ # override the location of tls_cacert to trust (allowed when initTLSSecret.tls_enabled = true )
 # tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
 ## Persist data to a persistent volume
 persistence:
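Review bot: The new comment `# override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )` should read `default is never`; the same wording is in the README row changed by this commit. Since the helper only honours these two keys when `initTLSSecret.tls_enabled` is true, say so plainly, e.g. `# ignored unless initTLSSecret.tls_enabled is true`, rather than "allowed when", so an operator does not expect `tls_reqcert: "demand"` to tighten verification on a deployment without that secret.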