Merge pull request #200 from jp-gouin/feat/simplify-cert
simplify certificate trust during replication
jp-gouin authored Oct 22, 2024
2 parents 954c071 + 790b849 commit 906c2cc
Showing 8 changed files with 86 additions and 18 deletions.
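--- a/.bin/certificate.yaml
+++ b/.bin/certificate.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned
+spec:
+selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: selfsigned-ca
+spec:
+commonName: Self-Signed CA
+secretName: selfsigned-ca
+isCA: true
+issuerRef:
+name: selfsigned
+kind: Issuer
+group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: selfsigned-ca
+spec:
+ca:
+secretName: selfsigned-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: custom-cert
+spec:
+commonName: openldap-stack-ha.default.svc
+dnsNames:
+- "openldap-stack-ha.default.svc"
+- "openldap-stack-ha.default.svc.cluster.local"
+- "*.openldap-stack-ha-headless.default.svc.cluster.local"
+secretName: custom-cert
+issuerRef:
+name: selfsigned-ca
+kind: Issuer
+group: cert-manager.io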
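Review bot: The `dnsNames` on the `custom-cert` Certificate hard-code the `default` namespace and the `cluster.local` domain, and nothing in the file says why; now that the chart emits `tls_reqcert=demand` for replication when its TLS secret is enabled, the provider hostnames it builds from the release name, the release namespace and `replication.clusterName` must be covered by these SANs or the peers fail verification. A header comment would spare the next person who runs this outside CI, e.g. `# CI fixture: throwaway self-signed CA plus a leaf cert for release "openldap-stack-ha" in namespace "default".` followed by `# dnsNames must cover <release>-<n>.<release>-headless.<namespace>.svc.<replication.clusterName>, otherwise tls_reqcert=demand rejects the replication peer.` It is also worth stating in that comment that the CA-issued secret is expected to carry `ca.crt` alongside `tls.crt`/`tls.key`, since that is presumably what the chart's default `/opt/bitnami/openldap/certs/ca.crt` trust path reads — confirm against the statefulset template. The resources carry no `namespace`, so they land wherever the kubectl context points; acceptable for CI, but the comment should say so.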
2 changes: 2 additions & 0 deletions .github/actions/setup/action.yaml
Expand Up @@ -28,6 +28,8 @@ runs:
/tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml
kubectl rollout status deployments -n cert-manager
- name: setup chaos mesh
if: ${{ inputs.install-chaos == 'true' }}
shell: bash
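Review bot: `kubectl rollout status deployments -n cert-manager` on the added line waits with no `--timeout`, so a cert-manager pod that never becomes Ready hangs the job until the runner's job timeout instead of failing fast; `kubectl rollout status deployments -n cert-manager --timeout=180s` bounds it. Deployment readiness also does not by itself guarantee that the webhook's CA bundle has been injected, so the `kubectl apply` of `.bin/certificate.yaml` that the workflows run right after this action can presumably still fail with an admission-webhook error on a slow node; a `cmctl check api --wait=2m` (or a short retry loop around that apply) closes the gap. The manifest is version-pinned but fetched unverified over the network, unlike the kind node image on the line above, which is pinned by digest; a comment noting that asymmetry, or a `sha256sum -c` on a downloaded copy before applying it, would make the supply-chain posture explicit. The `runs` block this hunk belongs to starts before it and continues past it.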
15 changes: 11 additions & 4 deletions .github/workflows/ci-ha.yml
Expand Up @@ -15,9 +15,7 @@ jobs:
- name: setup certs
shell: bash
run: |
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
cp tls.crt ca.crt
kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
Expand Down Expand Up @@ -46,7 +44,16 @@ jobs:
run: |
echo "verify certificate"
echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
- name: fetch logs
shell: bash
run: |
echo "kubectl logs openldap-stack-ha-0"
kubectl logs openldap-stack-ha-0
echo "kubectl logs openldap-stack-ha-1"
kubectl logs openldap-stack-ha-1
echo "kubectl logs openldap-stack-ha-2"
kubectl logs openldap-stack-ha-2
- name: apply chaos tests
shell: bash
run: |
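Review bot: The new assertion `if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi` matches only the `Issuer:` line of the served leaf certificate, so the step passes as long as something signed by that CA is presented; it no longer pins the subject or SANs cert-manager issued for `openldap-stack-ha.default.svc`, and `-servername example.com` on the line above is a leftover from the old self-signed secret. Since `tls_reqcert=demand` replication now depends on exactly this chain, CI should let OpenSSL verify it: pull `ca.crt` out of the `custom-cert` secret and check chain, hostname and subject rather than grepping for the issuer name. The `fetch logs` step added below also runs only when every previous step succeeded; `if: always()` on it would surface the pod logs precisely when the verification fails. The enclosing job starts before this hunk and continues past it.
```yaml
      - name: verify certificate
        shell: bash
        run: |
          echo "verify certificate"
          kubectl get secret custom-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/ca.crt
          echo | openssl s_client -servername openldap-stack-ha.default.svc -connect localhost:30636 \
            -CAfile /tmp/ca.crt -verify_hostname openldap-stack-ha.default.svc 2>/dev/null > /tmp/test-cert.txt
          grep -q "Verify return code: 0 (ok)" /tmp/test-cert.txt
          grep -q "subject=CN = openldap-stack-ha.default.svc" /tmp/test-cert.txt
      - name: fetch logs
        if: always()
        # … unchanged: kubectl logs for openldap-stack-ha-0/1/2 …
```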
6 changes: 2 additions & 4 deletions .github/workflows/ci-readonly.yml
Expand Up @@ -16,9 +16,7 @@ jobs:
- name: setup certs
shell: bash
run: |
openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
cp tls.crt ca.crt
kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
Expand All @@ -36,7 +34,7 @@ jobs:
run: |
echo "verify certificate"
echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
- name: test write on main cluster
shell: bash
run: |
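Review bot: As in ci-ha.yml, the new `grep -q "CN = Self-Signed CA"` only finds the `Issuer:` line of the served leaf certificate, so the step proves who signed it but not that slapd presents the subject and SANs cert-manager issued for `openldap-stack-ha.default.svc`; `-servername example.com` on the line above is also stale now that no certificate carries that name. A subject assertion such as `grep -q "Subject: CN = openldap-stack-ha.default.svc" /tmp/test-cert.txt`, or better a chain check with `-CAfile` against the `ca.crt` taken from the `custom-cert` secret, would exercise the trust path the chart's `tls_reqcert=demand` replication now relies on. The cert setup and verification steps are now byte-identical between the two workflows, so moving them into the shared setup composite action would keep them from drifting apart. The enclosing job starts before this hunk and continues past it.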
2 changes: 1 addition & 1 deletion Chart.yaml
Expand Up @@ -13,7 +13,7 @@ dependencies:
- bitnami-common
version: ~2
home: https://www.openldap.org
version: 4.3.0
version: 4.3.1
appVersion: 2.6.7
description: Community developed LDAP software
icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -83,8 +83,8 @@ Parameters related to the configuration of the application.
| `replication.retry` | retry period for replication in sec | `60` |
| `replication.timeout` | timeout for replication in sec | `1` |
| `replication.starttls` | starttls replication | `critical` |
| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` |
| `replication.tls_reqcert` | override the tls_reqcert parameter (default if never and demand when `initTLSSecret.tls_enabled = true` ) | `never` |
| `replication.tls_cacert` | override the location of tls_cacert to trust (allowed when `initTLSSecret.tls_enabled = true` ) | `nil` |
| `replication.interval` | interval for replication | `00:00:00:10` |
| `replication.clusterName` | Set the clustername for replication | "cluster.local" |

28 changes: 22 additions & 6 deletions templates/_helpers.tpl
Expand Up @@ -64,8 +64,24 @@ Generate olcServerID list
{{- end -}}

{{- define "openldap.replication.tls_cacert" -}}
{{- if .Values.replication.tls_cacert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
{{- if .Values.initTLSSecret.tls_enabled -}}
{{- if .Values.replication.tls_cacert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
{{- else }}
{{- printf "tls_cacert=/opt/bitnami/openldap/certs/ca.crt" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "openldap.replication.tls_reqcert" -}}
{{- if .Values.initTLSSecret.tls_enabled -}}
{{- if .Values.replication.tls_reqcert -}}
{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}
{{- else }}
{{- printf "tls_reqcert=demand" -}}
{{- end -}}
{{- else }}
{{- printf "tls_reqcert=never" -}}
{{- end -}}
{{- end -}}

Expand All @@ -81,12 +97,12 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
{{- $tls_reqcert := .Values.replication.tls_reqcert }}
{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $nodeCount := .Values.replicaCount | int }}
{{- range $index0 := until $nodeCount }}
{{- $index1 := $index0 | add1 }}
olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} {{ $tls_reqcert }} {{ $tls_cacert }}
{{- end -}}
{{- end -}}

Expand All @@ -103,7 +119,7 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
{{- $tls_reqcert := .Values.replication.tls_reqcert }}
{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $interval := .Values.replication.interval }}
{{- $nodeCount := .Values.replicaCount | int }}
Expand All @@ -122,7 +138,7 @@ Generate olcSyncRepl list
retry="{{ $retry }} +"
timeout={{ $timeout }}
starttls={{ $starttls }}
tls_reqcert={{ $tls_reqcert }}
{{ $tls_reqcert }}
{{ $tls_cacert }}
{{- end -}}
{{- end -}}
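Review bot: The override branch of the new `openldap.replication.tls_reqcert` helper prints the wrong key — `{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}` — so a user who sets `replication.tls_reqcert` with `initTLSSecret.tls_enabled` true gets `tls_cacert=<their reqcert value>` on the olcSyncRepl line, a second `tls_cacert=` from the sibling helper, and no `tls_reqcert=` at all; the override never reaches slapd and, depending on which duplicate slapd keeps, the CA path can be replaced by a value like `allow`. It should read `{{- printf "tls_reqcert=%s" .Values.replication.tls_reqcert -}}`. The outer `else` also forces `tls_reqcert=never` whenever the TLS secret is disabled, so the README's "override" wording only holds with TLS enabled; a comment above the define, e.g. `{{/* tls_reqcert is forced to "never" unless initTLSSecret.tls_enabled is true; with TLS enabled it defaults to "demand" and can be overridden via replication.tls_reqcert */}}`, would make that contract explicit. Worth a matching comment on the `tls_cacert` helper that `starttls=critical` with `tls_reqcert=never` encrypts replication traffic but does not authenticate the peer, since that remains the chart's default without the TLS secret.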
4 changes: 3 additions & 1 deletion values.yaml
Expand Up @@ -237,7 +237,9 @@ replication:
timeout: 1
interval: 00:00:00:10
starttls: "critical"
tls_reqcert: "never"
# override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )
# tls_reqcert: "never"
# override the location of tls_cacert to trust (allowed when initTLSSecret.tls_enabled = true )
# tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
## Persist data to a persistent volume
persistence:
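Review bot: The new comment `# override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )` has a typo ("default if never" should be "default is never") and omits that the override is only honored when `initTLSSecret.tls_enabled` is true — the template helper hard-codes `never` otherwise, so a user setting `tls_reqcert: "demand"` without the TLS secret gets no change. Suggested wording: `# tls_reqcert: forced to "never" unless initTLSSecret.tls_enabled is true; with TLS enabled it defaults to "demand" and may be overridden here` and `# tls_cacert: CA file used to verify replication peers; applied only when initTLSSecret.tls_enabled is true, defaults to /opt/bitnami/openldap/certs/ca.crt`. The example value `/etc/ssl/certs/ca-certificates.crt` is the system bundle, which would accept any publicly-trusted CA as a replication peer issuer; a note that the chart's own `ca.crt` is the least-trust default would steer operators away from copying the example verbatim. The `replication` mapping starts before this hunk.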
