From 61aec51d1757684f4fbe0117c080f9a603d01faf Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Mon, 21 Oct 2024 19:29:30 +0000
Subject: [PATCH 1/6] add function to define how to trust certificate during replication and when to require cert verification
---
.bin/certificate.yaml | 43 +++++++++++++++++++++++++++++++
.github/actions/setup/action.yaml | 1 +
.github/workflows/ci-ha.yml | 4 +-
.github/workflows/ci-readonly.yml | 4 +-
README.md | 4 +-
templates/_helpers.tpl | 28 +++++++++++++++-----
values.yaml | 4 ++-
7 files changed, 73 insertions(+), 15 deletions(-)
create mode 100644 .bin/certificate.yaml
diff --git a/.bin/certificate.yaml b/.bin/certificate.yaml
new file mode 100644
index 0000000..5df6aa3
--- /dev/null
+++ b/.bin/certificate.yaml
@@ -0,0 +1,43 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: selfsigned-ca
+spec:
+ commonName: Self-Signed CA
+ secretName: selfsigned-ca
+ isCA: true
+ issuerRef:
+ name: selfsigned
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca
+spec:
+ ca:
+ secretName: selfsigned-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: custom-cert
+spec:
+ commonName: openldap.default.svc
+ dnsNames:
+ - "openldap.default.svc"
+ - "openldap.default.svc.cluster.local"
+ - "*.openldap-headless.default.svc.cluster.local"
+ secretName: custom-cert
+ issuerRef:
+ name: selfsigned-ca
+ kind: Issuer
+ group: cert-manager.io
\ No newline at end of file
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 7fbf6e8..4361c05 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
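Review bot: None of the four resources in `.bin/certificate.yaml` sets `metadata.namespace`, so the CA chain and the `custom-cert` secret land in whatever namespace the runner's kubectl context selects, while the `dnsNames` hard-code `default`; if the deploy step (outside this hunk) installs the chart elsewhere the secret will presumably be missing, and if the context changes the SANs stop matching. Add `namespace: default` to each resource so the manifest is self-describing. A one-line comment on the wildcard entry would also help the next reader, e.g. `# wildcard SAN: syncrepl providers are addressed as <pod>.<release>-headless.<ns>.svc.cluster.local` (see the provider URL in templates/_helpers.tpl). The file also ends without a trailing newline.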
@@ -28,6 +28,7 @@ runs:
/tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
+ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml
- name: setup chaos mesh
if: ${{ inputs.install-chaos == 'true' }}
shell: bash
diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml
index 5a24e72..8888fcd 100644
--- a/.github/workflows/ci-ha.yml
+++ b/.github/workflows/ci-ha.yml
@@ -15,9 +15,7 @@ jobs:
- name: setup certs
shell: bash
run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
diff --git a/.github/workflows/ci-readonly.yml b/.github/workflows/ci-readonly.yml
index e2f832d..4ecfb81 100644
--- a/.github/workflows/ci-readonly.yml
+++ b/.github/workflows/ci-readonly.yml
@@ -16,9 +16,7 @@ jobs:
- name: setup certs
shell: bash
run: |
- openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
- cp tls.crt ca.crt
- kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+ kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml
- name: deploy openldap-stack-ha
shell: bash
run: |
diff --git a/README.md b/README.md
index 187ce4f..ea4ee68 100755
--- a/README.md
+++ b/README.md
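Review bot: The added `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml` fetches the installer manifest by a mutable release tag, whereas the kind image on the line above is pinned to a sha256 digest; a moved tag or replaced asset would change what runs in CI without any diff here. Either vendor the manifest under `.bin/` beside `certificate.yaml`, or download it to a file and compare it against a checksum recorded in the repo before applying it. The later bump to v1.16.1 in this series does not change that. The rest of the composite action is outside the hunk.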
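Review bot: `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` returns as soon as the Issuer and Certificate objects are accepted, but the `custom-cert` secret only exists once cert-manager has issued it, so the `deploy openldap-stack-ha` step that follows on the next context line can race issuance and mount an absent secret. Add a wait before moving on, e.g. `kubectl wait --for=condition=Ready certificate/custom-cert --timeout=120s`. The old step created the secret synchronously, so this race is new with this change. The identical hunk in `.github/workflows/ci-readonly.yml` needs the same line.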
@@ -83,8 +83,8 @@ Parameters related to the configuration of the application.
| `replication.retry` | retry period for replication in sec | `60` |
| `replication.timeout` | timeout for replication in sec | `1` |
| `replication.starttls` | starttls replication | `critical` |
-| `replication.tls_reqcert` | tls certificate validation for replication | `never` |
-| `replication.tls_cacert` | Specifies the file that contains certificates for all Certificate Authorities used in replication. | `nil` |
+| `replication.tls_reqcert` | override the tls_reqcert parameter (default if never and demand when `initTLSSecret.tls_enabled = true` ) | `never` |
+| `replication.tls_cacert` | override the location of tls_cacert to trust (allowed when `initTLSSecret.tls_enabled = true` ) | `nil` |
| `replication.interval` | interval for replication | `00:00:00:10` |
| `replication.clusterName` | Set the clustername for replication | "cluster.local" |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index b981f16..292ca4d 100755
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -64,8 +64,24 @@ Generate olcServerID list
{{- end -}}
{{- define "openldap.replication.tls_cacert" -}}
-{{- if .Values.replication.tls_cacert -}}
-{{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_cacert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_cacert -}}
+ {{- else }}
+ {{- printf "tls_cacert=/opt/bitnami/openldap/certs/ca.crt" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "openldap.replication.tls_reqcert" -}}
+{{- if .Values.initTLSSecret.tls_enabled -}}
+ {{- if .Values.replication.tls_reqcert -}}
+ {{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}
+ {{- else }}
+ {{- printf "tls_reqcert=demand" -}}
+ {{- end -}}
+{{- else }}
+ {{- printf "tls_reqcert=never" -}}
{{- end -}}
{{- end -}}
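Review bot: In the new `openldap.replication.tls_reqcert` template the override branch prints the wrong keyword: `{{- printf "tls_cacert=%s" .Values.replication.tls_reqcert -}}` emits `tls_cacert=<value>`, so an operator who sets `replication.tls_reqcert` with TLS enabled gets no `tls_reqcert` directive at all and a second `tls_cacert` token on the `olcSyncRepl` line (the cacert template already emits one); the explicitly requested verification mode is silently lost, and whether slapd ignores or rejects the duplicate is not something this hunk settles. It should read `{{- printf "tls_reqcert=%s" .Values.replication.tls_reqcert -}}`. A short comment at the top of both defines would also help, since it is not obvious from the template that any `replication.tls_reqcert`/`tls_cacert` value is ignored and `tls_reqcert=never` is forced whenever `initTLSSecret.tls_enabled` is false. The two closing `{{- end -}}` lines are reused context from the old template.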
@@ -81,12 +97,12 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $nodeCount := .Values.replicaCount | int }}
{{- range $index0 := until $nodeCount }}
{{- $index1 := $index0 | add1 }}
- olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} tls_reqcert={{ $tls_reqcert }} {{ $tls_cacert }}
+ olcSyncRepl: rid=00{{ $index1 }} provider=ldap://{{ $name }}-{{ $index0 }}.{{ $name }}-headless.{{ $namespace }}.svc.{{ $cluster }}:1389 binddn="cn={{ $bindDNUser }},cn=config" bindmethod=simple credentials={{ $configPassword }} searchbase="cn=config" type=refreshAndPersist retry="{{ $retry }} +" timeout={{ $timeout }} starttls={{ $starttls }} {{ $tls_reqcert }} {{ $tls_cacert }}
{{- end -}}
{{- end -}}
@@ -103,7 +119,7 @@ Generate olcSyncRepl list
{{- $retry := .Values.replication.retry }}
{{- $timeout := .Values.replication.timeout }}
{{- $starttls := .Values.replication.starttls }}
-{{- $tls_reqcert := .Values.replication.tls_reqcert }}
+{{- $tls_reqcert := (include "openldap.replication.tls_reqcert" .) }}
{{- $tls_cacert := (include "openldap.replication.tls_cacert" .) }}
{{- $interval := .Values.replication.interval }}
{{- $nodeCount := .Values.replicaCount | int }}
@@ -122,7 +138,7 @@ Generate olcSyncRepl list
retry="{{ $retry }} +"
timeout={{ $timeout }}
starttls={{ $starttls }}
- tls_reqcert={{ $tls_reqcert }}
+ {{ $tls_reqcert }}
{{ $tls_cacert }}
{{- end -}}
{{- end -}}
diff --git a/values.yaml b/values.yaml
index 7c687f5..a6f3f2b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -237,7 +237,9 @@ replication:
timeout: 1
interval: 00:00:00:10
starttls: "critical"
- tls_reqcert: "never"
+ # override the tls_reqcert parameter (default if never and demand when initTLSSecret.tls_enabled = true )
+ # tls_reqcert: "never"
+ # override the location of tls_cacert to trust (allowed when initTLSSecret.tls_enabled = true )
# tls_cacert: "/etc/ssl/certs/ca-certificates.crt"
## Persist data to a persistent volume
persistence:
From 4aaf52b4bd35e28998934bba3bc010355337a841 Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Mon, 21 Oct 2024 19:41:50 +0000
Subject: [PATCH 2/6] add cert-manager for ci
---
.github/actions/setup/action.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 4361c05..3bdd9e3 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -28,7 +28,7 @@ runs:
/tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml --image=kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
- kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.1.1/cert-manager.yaml
+ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml
- name: setup chaos mesh
if: ${{ inputs.install-chaos == 'true' }}
shell: bash
From 073ad7d28033023766326e7d23a48cca0f4f9ded Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Mon, 21 Oct 2024 19:48:40 +0000
Subject: [PATCH 3/6] wait for cert-manager to be running
---
.github/actions/setup/action.yaml | 1 +
1 file changed, 1 insertion(+)
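Review bot: The new comment reads `default if never and demand when initTLSSecret.tls_enabled = true`, where `default is never` is meant, and it does not tell an operator what the setting controls or that `never` means the provider's certificate is not verified on the `starttls: "critical"` session. Suggest `# tls_reqcert: syncrepl peer-certificate check; defaults to "never" (provider certificate not verified) and to "demand" when initTLSSecret.tls_enabled is true` and, for the second key, `# tls_cacert: CA bundle used to verify replication providers; only honoured when initTLSSecret.tls_enabled is true`. The README table rows changed in patch 1 carry the same `default if never` wording.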
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 3bdd9e3..d1b320b 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -29,6 +29,7 @@ runs:
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml
+ kubectl rollout status deployments -n cert-manager
- name: setup chaos mesh
if: ${{ inputs.install-chaos == 'true' }}
shell: bash
From 2394a629c624684d538bcdcef6d6f506277d1759 Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Tue, 22 Oct 2024 07:06:02 +0000
Subject: [PATCH 4/6] add logs in github action
---
.github/workflows/ci-ha.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml
index 8888fcd..e8e6574 100644
--- a/.github/workflows/ci-ha.yml
+++ b/.github/workflows/ci-ha.yml
@@ -44,7 +44,16 @@ jobs:
run: |
echo "verify certificate"
echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
- if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
+ if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
+ - name: fetch logs
+ shell: bash
+ run: |
+ echo "kubectl logs openldap-0"
+ kubectl logs openldap-0
+ echo "kubectl logs openldap-1"
+ kubectl logs openldap-1
+ echo "kubectl logs openldap-2"
+ kubectl logs openldap-2
- name: apply chaos tests
shell: bash
run: |
From 63cd936b70e00871ea66831378508a855c19fdf1 Mon Sep 17 00:00:00 2001
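Review bot: `kubectl rollout status deployments -n cert-manager` carries no `--timeout`, so a stalled cert-manager rollout leaves the job hanging until the runner-level timeout instead of failing fast with a readable message; add `--timeout=120s` or similar. The readiness that matters for the `kubectl apply -f $GITHUB_WORKSPACE/.bin/certificate.yaml` step in the workflows is the validating webhook's, so if the kubectl version in use does not watch every Deployment when no name is given, name `deployment/cert-manager-webhook` explicitly. The rest of the composite action is outside the hunk.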
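Review bot: The new assertion `grep -q "CN = Self-Signed CA"` passes only because `openssl x509 -text` prints the leaf's `Issuer:` line; `openssl x509` parses just the first PEM block of the `-showcerts` output, so the served certificate's own subject and SANs (the service names declared in `.bin/certificate.yaml`) are never checked, and any certificate from that CA, including a stale or wrong-hostname one, satisfies the test. Match the subject instead, e.g. `grep -q "Subject: CN = <commonName from .bin/certificate.yaml>"`, and if chain validation is wanted run `openssl verify -CAfile` over the `-showcerts` output with the CA from the `selfsigned-ca` secret. The `-servername example.com` on the unchanged line above no longer corresponds to any name in the certificate. The same assertion in `.github/workflows/ci-readonly.yml` (patch 6) has the same gap.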
From: jpgouin
Date: Tue, 22 Oct 2024 07:15:37 +0000
Subject: [PATCH 5/6] fix certficate to match common name of svc
---
.bin/certificate.yaml | 8 ++++----
.github/workflows/ci-ha.yml | 12 ++++++------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.bin/certificate.yaml b/.bin/certificate.yaml
index 5df6aa3..bef91d5 100644
--- a/.bin/certificate.yaml
+++ b/.bin/certificate.yaml
@@ -31,11 +31,11 @@ kind: Certificate
metadata:
name: custom-cert
spec:
- commonName: openldap.default.svc
+ commonName: openldap-stack-ha.default.svc
dnsNames:
- - "openldap.default.svc"
- - "openldap.default.svc.cluster.local"
- - "*.openldap-headless.default.svc.cluster.local"
+ - "openldap-stack-ha.default.svc"
+ - "openldap-stack-ha.default.svc.cluster.local"
+ - "*.openldap-stack-ha-headless.default.svc.cluster.local"
secretName: custom-cert
issuerRef:
name: selfsigned-ca
diff --git a/.github/workflows/ci-ha.yml b/.github/workflows/ci-ha.yml
index e8e6574..d119ced 100644
--- a/.github/workflows/ci-ha.yml
+++ b/.github/workflows/ci-ha.yml
@@ -48,12 +48,12 @@ jobs:
- name: fetch logs
shell: bash
run: |
- echo "kubectl logs openldap-0"
- kubectl logs openldap-0
- echo "kubectl logs openldap-1"
- kubectl logs openldap-1
- echo "kubectl logs openldap-2"
- kubectl logs openldap-2
+ echo "kubectl logs openldap-stack-ha-0"
+ kubectl logs openldap-stack-ha-0
+ echo "kubectl logs openldap-stack-ha-1"
+ kubectl logs openldap-stack-ha-1
+ echo "kubectl logs openldap-stack-ha-2"
+ kubectl logs openldap-stack-ha-2
- name: apply chaos tests
shell: bash
run: |
From 790b849c94d1c955c1919aa039f22897f027959d Mon Sep 17 00:00:00 2001
From: jpgouin
Date: Tue, 22 Oct 2024 09:01:39 +0000
Subject: [PATCH 6/6] bump chart version
---
.github/workflows/ci-readonly.yml | 2 +-
Chart.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-readonly.yml b/.github/workflows/ci-readonly.yml
index 4ecfb81..8a7bbf5 100644
--- a/.github/workflows/ci-readonly.yml
+++ b/.github/workflows/ci-readonly.yml
@@ -34,7 +34,7 @@ jobs:
run: |
echo "verify certificate"
echo | openssl s_client -showcerts -servername example.com -connect localhost:30636 2>/dev/null | openssl x509 -inform pem -noout -text > /tmp/test-cert.txt
- if ! grep -q "CN = example.com" /tmp/test-cert.txt; then echo exit 1; fi
+ if ! grep -q "CN = Self-Signed CA" /tmp/test-cert.txt; then exit 1; fi
- name: test write on main cluster
shell: bash
run: |
diff --git a/Chart.yaml b/Chart.yaml
index 0889252..a541c38 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -13,7 +13,7 @@ dependencies:
- bitnami-common
version: ~2
home: https://www.openldap.org
-version: 4.3.0
+version: 4.3.1
appVersion: 2.6.7
description: Community developed LDAP software
icon: https://raw.githubusercontent.com/jp-gouin/helm-openldap/master/logo.png