From 5c76b97b4411507625e297f0eeb2dd291cfaa8f9 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 07:26:31 +0000 Subject: [PATCH 01/18] bump k8s version --- .bin/singleNode.yaml | 42 ++++++++++++++++++++++++++++++++++++++++ .github/workflows/ci.yml | 4 ++-- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/.bin/singleNode.yaml b/.bin/singleNode.yaml index 856065c..777a11c 100644 --- a/.bin/singleNode.yaml +++ b/.bin/singleNode.yaml @@ -1,6 +1,7 @@ logLevel: debug global: ldapDomain: "singlenode.org" + existingSecret: "my-super-secret" resources: limits: cpu: "128m" @@ -8,10 +9,51 @@ resources: replicaCount: 1 replication: enabled: false +# customLdifFiles: +# 0-root.ldif: |- +# dn: dc=singlenode,dc=org +# objectClass: top +# objectClass: dcObject +# objectClass: organization +# o: MY-DOMAIN +# dc: singlenode +# 02-users-group.ldif: |- +# dn: ou=users,dc=singlenode,dc=org +# ou: users +# objectClass: organizationalUnit +# objectClass: top +# 01-admin-read-user.ldif: |- +# dn: cn=admin-read,dc=singlenode,dc=org +# cn: admin-read +# mail: admin-read@singlenode.org +# objectClass: inetOrgPerson +# objectClass: top +# userPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo +# sn: Admin read only +# customAcls: |- +# dn: olcDatabase={2}mdb,cn=config +# changetype: modify +# replace: olcAccess +# olcAccess: {0}to * +# by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage +# by * break +# olcAccess: {1}to attrs=userPassword,shadowLastChange +# by self write +# by dn="cn=admin,dc=singlenode,dc=org" write +# by anonymous auth by * none +# olcAccess: {2}to * +# by dn="cn=admin-read,dc=singlenode,dc=org" read +# by dn="cn=admin,dc=singlenode,dc=org" write +# by self read +# by * none ltb-passwd: ingress: hosts: - "ssl-ldap2.example" + # ldap: + # searchBase: "ou=users,dc=singlenode,dc=org" + # bindDN: "cn=admin-read,dc=singlenode,dc=org" + # passKey: LDAP_ADMIN_READ_PASSWORD phpldapadmin: ingress: hosts: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 203e2a1..fa6ef62 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,9 +20,9 @@ jobs: - name: setup cluster shell: bash run: | - curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 + curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 chmod +x /tmp/kind - /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c + /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e kubectl apply -f https://projectcontour.io/quickstart/contour.yaml kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - name: setup chaos mesh From b0b287d134085f26500d6e1d4365ee3b8fe09041 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 08:18:43 +0000 Subject: [PATCH 02/18] fix #162 --- .github/workflows/ci.yml | 2 +- templates/serviceaccount.yaml | 13 +++++++++++++ templates/statefulset.yaml | 7 +++---- values.yaml | 15 ++++++++++++--- 4 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 templates/serviceaccount.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fa6ef62..055ee23 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: run: | curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 chmod +x /tmp/kind - /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e + /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 kubectl apply -f https://projectcontour.io/quickstart/contour.yaml kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - name: setup chaos mesh diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml new file mode 100644 index 0000000..b545361 --- /dev/null +++ b/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "openldap.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index f30f536..0822c02 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -142,9 +142,8 @@ spec: - mountPath: /bitnami name: data {{- end }} - {{- /* - serviceAccountName: {{ template "openldap.serviceAccountName" . }} -*/ -}} + + serviceAccountName: {{ template "openldap.serviceAccountName" . }} {{- include "openldap.imagePullSecrets" . | nindent 6 }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} @@ -363,4 +362,4 @@ spec: {{- else if (not .Values.persistence.enabled) }} - name: data emptyDir: {} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/values.yaml b/values.yaml index 66b60dd..ebdda7a 100644 --- a/values.yaml +++ b/values.yaml @@ -122,7 +122,7 @@ pdb: # userPasswords: bitnami1, bitnami2 ## Group to create and add list of user above -## Default set by bitnami image + ## Default set by bitnami image # group: readers # Custom openldap schema files used to be used in addition to default schemas @@ -365,16 +365,25 @@ sidecars: {} ## command: ['sh', '-c', 'echo "hello world"'] ## initContainers: {} -## ServiceAccount configuration + +## Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## serviceAccount: - ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## @param serviceAccount.create Enable creation of ServiceAccount for Apache pod ## create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} ## @section Init Container Parameters From 2497c919bff17fa7fa58195765dc84357174381f Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 08:36:04 +0000 Subject: [PATCH 03/18] debug ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 055ee23..cd5f889 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,7 +76,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 9 ]; then exit 1 ; fi + if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 9 ]; then cat /tmp/test-write.txt ; fi if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi - name: test memberOf shell: bash From a4ef3a1dcb720118ddbc043abb8d3e1cd06de446 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 08:46:29 +0000 Subject: [PATCH 04/18] debug ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd5f889..c1a70a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,7 +76,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 9 ]; then cat /tmp/test-write.txt ; fi + if [ ! $(grep -q "Einstein" /tmp/test-write.txt ]; then exit 1 ; fi if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi - name: test memberOf shell: bash From ba343928cdd214210c8bc759bc7e8d4a0762a72f Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 09:18:51 +0000 Subject: [PATCH 05/18] debug ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1a70a5..e293dfd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,7 +76,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if [ ! $(grep -q "Einstein" /tmp/test-write.txt ]; then exit 1 ; fi + if [ ! $(grep -q "Einstein" /tmp/test-write.txt) ]; then exit 1 ; fi if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi - name: test memberOf shell: bash From ff4b0e7e2f5858e294692cefe9549d5f6aebbbb3 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 09:25:44 +0000 Subject: [PATCH 06/18] debug ci --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e293dfd..463544c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,6 +76,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt + cat /tmp/test-write.txt if [ ! $(grep -q "Einstein" /tmp/test-write.txt) ]; then exit 1 ; fi if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi - name: test memberOf From 06bf6bc6f7e054ee5b3388d87abde61186e7e151 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 09:54:52 +0000 Subject: [PATCH 07/18] debug ci --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 463544c..7534d0a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,8 +76,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - cat /tmp/test-write.txt - if [ ! $(grep -q "Einstein" /tmp/test-write.txt) ]; then exit 1 ; fi + if ! grep -q "Einstein" /tmp/test-write.txt; then exit 1 ; fi if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi - name: test memberOf shell: bash From 1022e6eee99dd09ceed5af68dcf5ee896c28d338 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 12:22:28 +0000 Subject: [PATCH 08/18] debug ci --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7534d0a..fd84ad5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -76,8 +76,8 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if ! grep -q "Einstein" /tmp/test-write.txt; then exit 1 ; fi - if ! grep -q "objectClass: ownCloud" /tmp/test-write.txt; then echo exit 1; fi + if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi + if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi - name: test memberOf shell: bash run: | From 7b8fe8ef72b4d5975c812770d5d3ca9c8ae67557 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 14:46:41 +0000 Subject: [PATCH 09/18] debug ci --- .github/actions/setup/action.yaml | 34 +++++++++++ .github/workflows/base/base.yml | 19 ++++++ .github/workflows/tests/ci-ha.yml | 74 +++++++++++++++++++++++ .github/workflows/tests/ci-other.yml | 33 ++++++++++ .github/workflows/tests/ci-singlenode.yml | 27 +++++++++ 5 files changed, 187 insertions(+) create mode 100644 .github/actions/setup/action.yaml create mode 100644 .github/workflows/base/base.yml create mode 100644 .github/workflows/tests/ci-ha.yml create mode 100644 .github/workflows/tests/ci-other.yml create mode 100644 .github/workflows/tests/ci-singlenode.yml diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml new file mode 100644 index 0000000..fabf92c --- /dev/null +++ b/.github/actions/setup/action.yaml @@ -0,0 +1,34 @@ +name: 'Setup env' +description: 'Greet someone' +inputs: + install-chaos: + description: 'Setup ChaosMesh' + required: true + default: false +runs: + using: "composite" + steps: + - name: Lint + shell: bash + run: | + curl -fsSL -o /tmp/get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 + chmod 700 /tmp/get_helm.sh + /tmp/get_helm.sh + helm lint . + - name: setup cluster + shell: bash + run: | + curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 + chmod +x /tmp/kind + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl + rm -f kubectl + sudo apt update + sudo apt-get install -y ldap-utils + /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 + kubectl apply -f https://projectcontour.io/quickstart/contour.yaml + kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' + - name: setup chaos mesh + shell: bash + run: | + curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind \ No newline at end of file diff --git a/.github/workflows/base/base.yml b/.github/workflows/base/base.yml new file mode 100644 index 0000000..5fae60d --- /dev/null +++ b/.github/workflows/base/base.yml @@ -0,0 +1,19 @@ +name: Setup +on: + push: + branches: + - "*" + pull_request: + branches: + - "master" + - "bitnami" +jobs: + call-ci-singlenode: + uses: ./.github/workflows/tests/ci-singlenode.yml + call-ci-other: + uses: ./.github/workflows/tests/ci-other.yml + call-ci-ha: + uses: ./.github/workflows/tests/ci-ha.yml + + + diff --git a/.github/workflows/tests/ci-ha.yml b/.github/workflows/tests/ci-ha.yml new file mode 100644 index 0000000..4313546 --- /dev/null +++ b/.github/workflows/tests/ci-ha.yml @@ -0,0 +1,74 @@ +name: Test-HA +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: true + - name: setup certs + shell: bash + run: | + openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365 + cp tls.crt ca.crt + kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt + - name: deploy openldap-stack-ha + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -f .bin/myval.yaml . + kubectl rollout status sts openldap-stack-ha + - name: verify deployment + shell: bash + run: | + echo "test access to openldap database" + sleep 10 + LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' + - name: test phpldapadmin access + shell: bash + run: | + echo "test access to phpldapadmin" + echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts + curl phpldapadmin.example:8080 + - name: test self service pwd access + shell: bash + run: | + echo "test access to ssp" + curl ssl-ldap2.example:8080 + - name: verify certs + shell: bash + run: | + echo "verify certificate" + echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt + if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi + - name: apply chaos tests + shell: bash + run: | + echo "test access to openldap database" + kubectl apply -f .bin/chaos.yaml + - name: test write + shell: bash + run: | + echo "Write test to openldap database" + LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt + if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi + if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi + - name: test memberOf + shell: bash + run: | + echo "MemberOf test to openldap database" + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" > /tmp/test-write.txt + if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 2 ]; then exit 1 ; fi + if ! grep -q "uid=test1,ou=People,dc=example,dc=org" /tmp/test-write.txt; then echo exit 1; fi + - name: chaos tests + shell: bash + run: | + echo "test access to openldap database" + for i in {1..20}; do LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done \ No newline at end of file diff --git a/.github/workflows/tests/ci-other.yml b/.github/workflows/tests/ci-other.yml new file mode 100644 index 0000000..24c55f2 --- /dev/null +++ b/.github/workflows/tests/ci-other.yml @@ -0,0 +1,33 @@ +name: Test-Other +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: false + - name: deploy openldap-stack-ha-disable-ldap-port + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . + kubectl -n no-ldap-port create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt + kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port + - name: verify no ldap port deployment + shell: bash + run: | + echo "test access to openldap database" + echo "Write test to openldap database" + LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt + cat /tmp/test-write.txt + if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi + + + diff --git a/.github/workflows/tests/ci-singlenode.yml b/.github/workflows/tests/ci-singlenode.yml new file mode 100644 index 0000000..34b7981 --- /dev/null +++ b/.github/workflows/tests/ci-singlenode.yml @@ -0,0 +1,27 @@ +name: Test-SingleNode +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: false + - name: deploy openldap-stack-ha-single-node + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . + kubectl rollout status sts openldap-stack-ha -n single + - name: verify single node deployment + shell: bash + run: | + echo "test access to openldap database" + LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt + cat /tmp/test-single-node.txt + if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi \ No newline at end of file From f251dab5e668c8bf4ffa8edbb158de191b83af2b Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 14:48:00 +0000 Subject: [PATCH 10/18] debug ci --- .github/workflows/base/base.yml | 5 +- .github/workflows/ci.yml | 126 ++------------------------------ 2 files changed, 8 insertions(+), 123 deletions(-) diff --git a/.github/workflows/base/base.yml b/.github/workflows/base/base.yml index 5fae60d..d564650 100644 --- a/.github/workflows/base/base.yml +++ b/.github/workflows/base/base.yml @@ -13,7 +13,4 @@ jobs: call-ci-other: uses: ./.github/workflows/tests/ci-other.yml call-ci-ha: - uses: ./.github/workflows/tests/ci-ha.yml - - - + uses: ./.github/workflows/tests/ci-ha.yml \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fd84ad5..d564650 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: Qualif +name: Setup on: push: branches: @@ -8,121 +8,9 @@ on: - "master" - "bitnami" jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Lint - shell: bash - run: | - helm lint . - - name: setup cluster - shell: bash - run: | - curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 - chmod +x /tmp/kind - /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 - kubectl apply -f https://projectcontour.io/quickstart/contour.yaml - kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - - name: setup chaos mesh - shell: bash - run: | - curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind - - name: setup certs - shell: bash - run: | - openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365 - cp tls.crt ca.crt - kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt - - name: deploy openldap-stack-ha - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -f .bin/myval.yaml . - kubectl rollout status sts openldap-stack-ha - - name: verify deployment - shell: bash - run: | - echo "test access to openldap database" - sudo apt-get install -y ldap-utils - sleep 10 - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' - - name: test phpldapadmin access - shell: bash - run: | - echo "test access to phpldapadmin" - echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts - curl phpldapadmin.example:8080 - - name: test self service pwd access - shell: bash - run: | - echo "test access to ssp" - curl ssl-ldap2.example:8080 - - name: verify certs - shell: bash - run: | - echo "verify certificate" - echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt - if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi - - name: apply chaos tests - shell: bash - run: | - echo "test access to openldap database" - kubectl apply -f .bin/chaos.yaml - - name: test write - shell: bash - run: | - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi - if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi - - name: test memberOf - shell: bash - run: | - echo "MemberOf test to openldap database" - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" > /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 2 ]; then exit 1 ; fi - if ! grep -q "uid=test1,ou=People,dc=example,dc=org" /tmp/test-write.txt; then echo exit 1; fi - - name: chaos tests - shell: bash - run: | - echo "test access to openldap database" - for i in {1..20}; do LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done - - name: deploy openldap-stack-ha-single-node - shell: bash - run: | - helm delete openldap-stack-ha - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . - kubectl rollout status sts openldap-stack-ha -n single - - name: verify single node deployment - shell: bash - run: | - echo "test access to openldap database" - sudo apt-get install -y ldap-utils - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt - cat /tmp/test-single-node.txt - if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi - - name: deploy openldap-stack-ha-disable-ldap-port - shell: bash - run: | - helm delete -n single openldap-stack-ha - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . - kubectl -n no-ldap-port create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt - kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port - - name: verify no ldap port deployment - shell: bash - run: | - echo "test access to openldap database" - sudo apt-get install -y ldap-utils - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - cat /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi - - - + call-ci-singlenode: + uses: ./.github/workflows/tests/ci-singlenode.yml + call-ci-other: + uses: ./.github/workflows/tests/ci-other.yml + call-ci-ha: + uses: ./.github/workflows/tests/ci-ha.yml \ No newline at end of file From 27ea54146fc7ad657a3a0b8136caf5de16082b57 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 21 May 2024 14:48:54 +0000 Subject: [PATCH 11/18] debug ci --- .github/workflows/ci-ha.yml | 74 +++++++++++++++++++++++++++++ .github/workflows/ci-other.yml | 33 +++++++++++++ .github/workflows/ci-singlenode.yml | 27 +++++++++++ .github/workflows/ci.yml | 6 +-- 4 files changed, 137 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/ci-ha.yml create mode 100644 .github/workflows/ci-other.yml create mode 100644 .github/workflows/ci-singlenode.yml diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml new file mode 100644 index 0000000..4313546 --- /dev/null +++ b/.github/workflows/ci-ha.yml @@ -0,0 +1,74 @@ +name: Test-HA +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: true + - name: setup certs + shell: bash + run: | + openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365 + cp tls.crt ca.crt + kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt + - name: deploy openldap-stack-ha + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -f .bin/myval.yaml . + kubectl rollout status sts openldap-stack-ha + - name: verify deployment + shell: bash + run: | + echo "test access to openldap database" + sleep 10 + LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' + - name: test phpldapadmin access + shell: bash + run: | + echo "test access to phpldapadmin" + echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts + curl phpldapadmin.example:8080 + - name: test self service pwd access + shell: bash + run: | + echo "test access to ssp" + curl ssl-ldap2.example:8080 + - name: verify certs + shell: bash + run: | + echo "verify certificate" + echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt + if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi + - name: apply chaos tests + shell: bash + run: | + echo "test access to openldap database" + kubectl apply -f .bin/chaos.yaml + - name: test write + shell: bash + run: | + echo "Write test to openldap database" + LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt + if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi + if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi + - name: test memberOf + shell: bash + run: | + echo "MemberOf test to openldap database" + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" > /tmp/test-write.txt + if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 2 ]; then exit 1 ; fi + if ! grep -q "uid=test1,ou=People,dc=example,dc=org" /tmp/test-write.txt; then echo exit 1; fi + - name: chaos tests + shell: bash + run: | + echo "test access to openldap database" + for i in {1..20}; do LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done \ No newline at end of file diff --git a/.github/workflows/ci-other.yml b/.github/workflows/ci-other.yml new file mode 100644 index 0000000..24c55f2 --- /dev/null +++ b/.github/workflows/ci-other.yml @@ -0,0 +1,33 @@ +name: Test-Other +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: false + - name: deploy openldap-stack-ha-disable-ldap-port + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . + kubectl -n no-ldap-port create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt + kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port + - name: verify no ldap port deployment + shell: bash + run: | + echo "test access to openldap database" + echo "Write test to openldap database" + LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt + cat /tmp/test-write.txt + if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi + + + diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml new file mode 100644 index 0000000..34b7981 --- /dev/null +++ b/.github/workflows/ci-singlenode.yml @@ -0,0 +1,27 @@ +name: Test-SingleNode +on: + workflow_call: +jobs: + qualif: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v1 + - name: Run custom action + # Use the location in the repository (without action.yml) + uses: ./.github/actions/setup + with: + install-chaos: false + - name: deploy openldap-stack-ha-single-node + shell: bash + run: | + cd "$GITHUB_WORKSPACE" + helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . + kubectl rollout status sts openldap-stack-ha -n single + - name: verify single node deployment + shell: bash + run: | + echo "test access to openldap database" + LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt + cat /tmp/test-single-node.txt + if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d564650..195004a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,8 +9,8 @@ on: - "bitnami" jobs: call-ci-singlenode: - uses: ./.github/workflows/tests/ci-singlenode.yml + uses: ./.github/workflows/ci-singlenode.yml call-ci-other: - uses: ./.github/workflows/tests/ci-other.yml + uses: ./.github/workflows/ci-other.yml call-ci-ha: - uses: ./.github/workflows/tests/ci-ha.yml \ No newline at end of file + uses: ./.github/workflows/ci-ha.yml \ No newline at end of file From 0bd6bac5483611281d493372544a0936526ff52b Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:19:23 +0000 Subject: [PATCH 12/18] create existing secret for ci-singleNode --- .github/workflows/base/base.yml | 16 ----- .github/workflows/ci-singlenode.yml | 1 + .github/workflows/tests/ci-ha.yml | 74 ----------------------- .github/workflows/tests/ci-other.yml | 33 ---------- .github/workflows/tests/ci-singlenode.yml | 27 --------- 5 files changed, 1 insertion(+), 150 deletions(-) delete mode 100644 .github/workflows/base/base.yml delete mode 100644 .github/workflows/tests/ci-ha.yml delete mode 100644 .github/workflows/tests/ci-other.yml delete mode 100644 .github/workflows/tests/ci-singlenode.yml diff --git a/.github/workflows/base/base.yml b/.github/workflows/base/base.yml deleted file mode 100644 index d564650..0000000 --- a/.github/workflows/base/base.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Setup -on: - push: - branches: - - "*" - pull_request: - branches: - - "master" - - "bitnami" -jobs: - call-ci-singlenode: - uses: ./.github/workflows/tests/ci-singlenode.yml - call-ci-other: - uses: ./.github/workflows/tests/ci-other.yml - call-ci-ha: - uses: ./.github/workflows/tests/ci-ha.yml \ No newline at end of file diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml index 34b7981..5d4a018 100644 --- a/.github/workflows/ci-singlenode.yml +++ b/.github/workflows/ci-singlenode.yml @@ -17,6 +17,7 @@ jobs: run: | cd "$GITHUB_WORKSPACE" helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . + kubectl create secret generic my-super-secret -n single --from-literal=LDAP_ADMIN_PASSWORD=Not@SecurePassw0rd --from-literal=LDAP_CONFIG_ADMIN_PASSWORD=Not@SecurePassw0rd kubectl rollout status sts openldap-stack-ha -n single - name: verify single node deployment shell: bash diff --git a/.github/workflows/tests/ci-ha.yml b/.github/workflows/tests/ci-ha.yml deleted file mode 100644 index 4313546..0000000 --- a/.github/workflows/tests/ci-ha.yml +++ /dev/null @@ -1,74 +0,0 @@ -name: Test-HA -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: true - - name: setup certs - shell: bash - run: | - openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365 - cp tls.crt ca.crt - kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt - - name: deploy openldap-stack-ha - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -f .bin/myval.yaml . - kubectl rollout status sts openldap-stack-ha - - name: verify deployment - shell: bash - run: | - echo "test access to openldap database" - sleep 10 - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' - - name: test phpldapadmin access - shell: bash - run: | - echo "test access to phpldapadmin" - echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts - curl phpldapadmin.example:8080 - - name: test self service pwd access - shell: bash - run: | - echo "test access to ssp" - curl ssl-ldap2.example:8080 - - name: verify certs - shell: bash - run: | - echo "verify certificate" - echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt - if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi - - name: apply chaos tests - shell: bash - run: | - echo "test access to openldap database" - kubectl apply -f .bin/chaos.yaml - - name: test write - shell: bash - run: | - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi - if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi - - name: test memberOf - shell: bash - run: | - echo "MemberOf test to openldap database" - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' "(memberOf=cn=testgroup,ou=Group,dc=example,dc=org)" > /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 2 ]; then exit 1 ; fi - if ! grep -q "uid=test1,ou=People,dc=example,dc=org" /tmp/test-write.txt; then echo exit 1; fi - - name: chaos tests - shell: bash - run: | - echo "test access to openldap database" - for i in {1..20}; do LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done \ No newline at end of file diff --git a/.github/workflows/tests/ci-other.yml b/.github/workflows/tests/ci-other.yml deleted file mode 100644 index 24c55f2..0000000 --- a/.github/workflows/tests/ci-other.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Test-Other -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: false - - name: deploy openldap-stack-ha-disable-ldap-port - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . - kubectl -n no-ldap-port create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt - kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port - - name: verify no ldap port deployment - shell: bash - run: | - echo "test access to openldap database" - echo "Write test to openldap database" - LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif - LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - cat /tmp/test-write.txt - if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi - - - diff --git a/.github/workflows/tests/ci-singlenode.yml b/.github/workflows/tests/ci-singlenode.yml deleted file mode 100644 index 34b7981..0000000 --- a/.github/workflows/tests/ci-singlenode.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Test-SingleNode -on: - workflow_call: -jobs: - qualif: - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v1 - - name: Run custom action - # Use the location in the repository (without action.yml) - uses: ./.github/actions/setup - with: - install-chaos: false - - name: deploy openldap-stack-ha-single-node - shell: bash - run: | - cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . - kubectl rollout status sts openldap-stack-ha -n single - - name: verify single node deployment - shell: bash - run: | - echo "test access to openldap database" - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt - cat /tmp/test-single-node.txt - if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi \ No newline at end of file From 46f726496209417551d459c34744185d32f554e7 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:33:41 +0000 Subject: [PATCH 13/18] create existing secret for ci-singleNode --- .bin/disableLdapPort.yaml | 8 +----- .bin/singleNode.yaml | 41 ----------------------------- .github/workflows/ci-other.yml | 1 - .github/workflows/ci-singlenode.yml | 3 ++- 4 files changed, 3 insertions(+), 50 deletions(-) diff --git a/.bin/disableLdapPort.yaml b/.bin/disableLdapPort.yaml index 6f3d70c..ed20a96 100644 --- a/.bin/disableLdapPort.yaml +++ b/.bin/disableLdapPort.yaml @@ -16,10 +16,4 @@ service: sslLdapPortNodePort: 30636 type: NodePort initTLSSecret: - tls_enabled: true - image: - registry: docker.io - repository: alpine/openssl - tag: latest - pullPolicy: IfNotPresent - secret: "custom-cert" + tls_enabled: false diff --git a/.bin/singleNode.yaml b/.bin/singleNode.yaml index 777a11c..0695355 100644 --- a/.bin/singleNode.yaml +++ b/.bin/singleNode.yaml @@ -9,51 +9,10 @@ resources: replicaCount: 1 replication: enabled: false -# customLdifFiles: -# 0-root.ldif: |- -# dn: dc=singlenode,dc=org -# objectClass: top -# objectClass: dcObject -# objectClass: organization -# o: MY-DOMAIN -# dc: singlenode -# 02-users-group.ldif: |- -# dn: ou=users,dc=singlenode,dc=org -# ou: users -# objectClass: organizationalUnit -# objectClass: top -# 01-admin-read-user.ldif: |- -# dn: cn=admin-read,dc=singlenode,dc=org -# cn: admin-read -# mail: admin-read@singlenode.org -# objectClass: inetOrgPerson -# objectClass: top -# userPassword: {SSHA}E2vRX2ssn7ckfjXBzP27SZH9Ast4rOEo -# sn: Admin read only -# customAcls: |- -# dn: olcDatabase={2}mdb,cn=config -# changetype: modify -# replace: olcAccess -# olcAccess: {0}to * -# by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage -# by * break -# olcAccess: {1}to attrs=userPassword,shadowLastChange -# by self write -# by dn="cn=admin,dc=singlenode,dc=org" write -# by anonymous auth by * none -# olcAccess: {2}to * -# by dn="cn=admin-read,dc=singlenode,dc=org" read -# by dn="cn=admin,dc=singlenode,dc=org" write -# by self read -# by * none ltb-passwd: ingress: hosts: - "ssl-ldap2.example" - # ldap: - # searchBase: "ou=users,dc=singlenode,dc=org" - # bindDN: "cn=admin-read,dc=singlenode,dc=org" - # passKey: LDAP_ADMIN_READ_PASSWORD phpldapadmin: ingress: hosts: diff --git a/.github/workflows/ci-other.yml b/.github/workflows/ci-other.yml index 24c55f2..6986eca 100644 --- a/.github/workflows/ci-other.yml +++ b/.github/workflows/ci-other.yml @@ -17,7 +17,6 @@ jobs: run: | cd "$GITHUB_WORKSPACE" helm install openldap-stack-ha -n no-ldap-port --create-namespace -f .bin/disableLdapPort.yaml . - kubectl -n no-ldap-port create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt kubectl -n no-ldap-port rollout status sts openldap-stack-ha -n no-ldap-port - name: verify no ldap port deployment shell: bash diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml index 5d4a018..a6fd514 100644 --- a/.github/workflows/ci-singlenode.yml +++ b/.github/workflows/ci-singlenode.yml @@ -16,8 +16,9 @@ jobs: shell: bash run: | cd "$GITHUB_WORKSPACE" - helm install openldap-stack-ha -n single --create-namespace -f .bin/singleNode.yaml . + kubectl create ns single kubectl create secret generic my-super-secret -n single --from-literal=LDAP_ADMIN_PASSWORD=Not@SecurePassw0rd --from-literal=LDAP_CONFIG_ADMIN_PASSWORD=Not@SecurePassw0rd + helm install openldap-stack-ha -n single -f .bin/singleNode.yaml . kubectl rollout status sts openldap-stack-ha -n single - name: verify single node deployment shell: bash From 850ca5b6375234663d122a8d53d10a27a5071869 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:48:52 +0000 Subject: [PATCH 14/18] debug ci --- .github/actions/setup/action.yaml | 1 + .github/workflows/ci-ha.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index fabf92c..4499ec1 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -29,6 +29,7 @@ runs: kubectl apply -f https://projectcontour.io/quickstart/contour.yaml kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - name: setup chaos mesh + if: {{ inputs.install-chaos }} shell: bash run: | curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind \ No newline at end of file diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml index 4313546..5a24e72 100644 --- a/.github/workflows/ci-ha.yml +++ b/.github/workflows/ci-ha.yml @@ -58,7 +58,7 @@ jobs: echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/user.ldif LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt - if ! grep "Einstein" /tmp/test-write.txt; then exit 1 ; fi + if ! grep "Einstein" /tmp/test-write.txt; then echo 'no Einstein entry found' ; fi if ! grep "objectClass: ownCloud" /tmp/test-write.txt; then echo 'no ownCloud entry found'; fi - name: test memberOf shell: bash From 1b6f09341df2b2b47622ef5c4d757ff62348f9ed Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:49:24 +0000 Subject: [PATCH 15/18] debug ci --- .github/workflows/ci-singlenode.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml index a6fd514..3099774 100644 --- a/.github/workflows/ci-singlenode.yml +++ b/.github/workflows/ci-singlenode.yml @@ -23,6 +23,7 @@ jobs: - name: verify single node deployment shell: bash run: | + sleep 10 echo "test access to openldap database" LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt cat /tmp/test-single-node.txt From f8dff39c419ff6b9d4ac95d6ae6039f54e059c7a Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:52:08 +0000 Subject: [PATCH 16/18] debug ci --- .github/actions/setup/action.yaml | 2 +- .github/workflows/ci-singlenode.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 4499ec1..dd01fe6 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -29,7 +29,7 @@ runs: kubectl apply -f https://projectcontour.io/quickstart/contour.yaml kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - name: setup chaos mesh - if: {{ inputs.install-chaos }} + if: ${{ inputs.install-chaos }} shell: bash run: | curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind \ No newline at end of file diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml index 3099774..b391a4e 100644 --- a/.github/workflows/ci-singlenode.yml +++ b/.github/workflows/ci-singlenode.yml @@ -20,6 +20,7 @@ jobs: kubectl create secret generic my-super-secret -n single --from-literal=LDAP_ADMIN_PASSWORD=Not@SecurePassw0rd --from-literal=LDAP_CONFIG_ADMIN_PASSWORD=Not@SecurePassw0rd helm install openldap-stack-ha -n single -f .bin/singleNode.yaml . kubectl rollout status sts openldap-stack-ha -n single + kubectl logs -n single openldap-stack-ha-0 - name: verify single node deployment shell: bash run: | From 9b2868bf689723dc8c90a3b49b9cd4800ab82b36 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 07:58:53 +0000 Subject: [PATCH 17/18] debug ci --- .github/actions/setup/action.yaml | 2 +- .github/workflows/ci-other.yml | 1 + .github/workflows/ci-singlenode.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index dd01fe6..865c815 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -29,7 +29,7 @@ runs: kubectl apply -f https://projectcontour.io/quickstart/contour.yaml kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}' - name: setup chaos mesh - if: ${{ inputs.install-chaos }} + if: ${{ inputs.install-chaos == 'true' }} shell: bash run: | curl -sSL https://mirrors.chaos-mesh.org/v2.6.2/install.sh | bash -s -- --local kind \ No newline at end of file diff --git a/.github/workflows/ci-other.yml b/.github/workflows/ci-other.yml index 6986eca..b90f7b6 100644 --- a/.github/workflows/ci-other.yml +++ b/.github/workflows/ci-other.yml @@ -24,6 +24,7 @@ jobs: echo "test access to openldap database" echo "Write test to openldap database" LDAPTLS_REQCERT=never ldapadd -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -f .bin/simpleUser.ldif + sleep 10 LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' > /tmp/test-write.txt cat /tmp/test-write.txt if [ $(grep "numResponses" /tmp/test-write.txt | cut -d ":" -f 2 | tr -d ' ') -ne 3 ]; then exit 1 ; fi diff --git a/.github/workflows/ci-singlenode.yml b/.github/workflows/ci-singlenode.yml index b391a4e..96c5a80 100644 --- a/.github/workflows/ci-singlenode.yml +++ b/.github/workflows/ci-singlenode.yml @@ -26,6 +26,6 @@ jobs: run: | sleep 10 echo "test access to openldap database" - LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt + LDAPTLS_REQCERT=never ldapsearch -o nettimeout=20 -x -D 'cn=admin,dc=singlenode,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=singlenode,dc=org' > /tmp/test-single-node.txt cat /tmp/test-single-node.txt if [ $(grep "numResponses" /tmp/test-single-node.txt | cut -d ":" -f 2 | tr -d ' ') -ne 6 ]; then exit 1 ; fi \ No newline at end of file From 90879346c758e3b94d2580f994dc9e761242f68a Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 22 May 2024 08:24:37 +0000 Subject: [PATCH 18/18] bump container image version --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index ebdda7a..8836081 100644 --- a/values.yaml +++ b/values.yaml @@ -57,7 +57,7 @@ image: #tag: 2.6.3 # Temporary fix repository: jpgouin/openldap - tag: 2.6.6-fix + tag: 2.6.7-fix pullPolicy: Always pullSecrets: []