Merge pull request #157 from tchellomello/ldaps

Added ability to specify LDAP CA cert
2026-03-26 21:33:14 +00:00 · 2021-04-01 09:56:52 +02:00
parent d3f7594aea 658cf92a3b
commit 210ac2c419
13 changed files with 87 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
         * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx)
         * [Privileged Tasks](#privileged-tasks)
         * [Containers Resource Requirements](#containers-resource-requirements)
+         * [LDAP Certificate Authority](#ldap-certificate-authority)
   * [Development](#development)
      * [Testing](#testing)
         * [Testing in Docker](#testing-in-docker)
@@ -317,6 +318,30 @@ spec:
      memory: 2Gi
 ```

+#### LDAP Certificate Authority
+
+If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret.
+
+| Name                             | Description                             | Default |
+| -------------------------------- | --------------------------------------- | --------|
+| ldap_cacert_secret               | LDAP Certificate Authority secret name  |  ''     |
+
+
+Example of customization could be:
+
+```yaml
+---
+spec:
+  ...
+  ldap_cacert_secret: <resourcename>-ldap-ca-cert
+```
+
+To create the secret, you can use the command below:
+
+```sh
+# kubectl create secret generic <resourcename>-ldap-ca-cert --from-file=ldap-ca.crt=<PATH/TO/YOUR/CA/PEM/FILE>
+```
+
 ## Development

 ### Testing
--- a/ansible/templates/crd.yml.j2
+++ b/ansible/templates/crd.yml.j2
@@ -242,6 +242,9 @@ spec:
                development_mode:
                  description: If the deployment should be done in development mode
                  type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
              type: object
            status:
              properties:
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -393,6 +393,9 @@ spec:
                development_mode:
                  description: If the deployment should be done in development mode
                  type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
              type: object
            status:
              properties:
--- a/deploy/crds/awx_v1beta1_crd.yaml
+++ b/deploy/crds/awx_v1beta1_crd.yaml
@@ -242,6 +242,9 @@ spec:
                development_mode:
                  description: If the deployment should be done in development mode
                  type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
              type: object
            status:
              properties:
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -261,6 +261,11 @@ spec:
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:hidden
+      - displayName: LDAP Certificate Authority Trust Bundle
+        path: ldap_cacert_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
      - displayName: Tower Task Args
        path: tower_task_args
        x-descriptors:
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -22,6 +22,9 @@ spec:
              ca_trust_bundle:
                description: Path where the trusted CA bundle is available
                type: string
+              ldap_cacert_secret:
+                 description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                 type: string
              deployment_type:
                description: Name of the deployment type
                type: string
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -123,4 +123,8 @@ tower_postgres_configuration_secret: ''

 ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"

+# Secret to lookup that provides the LDAP CACert trusted bundle
+#
+ldap_cacert_secret: ''
+
 development_mode: false
--- a/roles/installer/tasks/load_ldap_cacert_secret.yml
+++ b/roles/installer/tasks/load_ldap_cacert_secret.yml
@@ -0,0 +1,12 @@
+---
+- name: Retrieve LDAP CA Certificate Secret
+  community.kubernetes.k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ ldap_cacert_secret }}'
+  register: ldap_cacert
+
+- name: Load LDAP CA Certificate Secret content
+  set_fact:
+    ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}'
+  when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -2,6 +2,11 @@
 - name: Include secret key configuration tasks
  include_tasks: secret_key_configuration.yml

+- name: Load LDAP CAcert certificate
+  include_tasks: load_ldap_cacert_secret.yml
+  when:
+    - ldap_cacert_secret != ''
+
 - name: Include admin password configuration tasks
  include_tasks: admin_password_configuration.yml

--- a/roles/installer/templates/ldap.py.j2
+++ b/roles/installer/templates/ldap.py.j2
@@ -0,0 +1,6 @@
+AUTH_LDAP_GLOBAL_OPTIONS = {
+{% if ldap_cacert_ca_crt %}
+    ldap.OPT_X_TLS_REQUIRE_CERT: True,
+    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
+{% endif %}
+}
--- a/roles/installer/templates/tower_app_credentials.yaml.j2
+++ b/roles/installer/templates/tower_app_credentials.yaml.j2
@@ -8,3 +8,4 @@ metadata:
 data:
  credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}"
  environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}"
+  ldap_py: "{{ lookup('template', 'ldap.py.j2') | b64encode }}"
--- a/roles/installer/templates/tower_deployment.yaml.j2
+++ b/roles/installer/templates/tower_deployment.yaml.j2
@@ -57,6 +57,12 @@ spec:
            - name: "{{ meta.name }}-nginx-certs"
              mountPath: "/etc/nginx/pki"
              readOnly: true
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+            - name: "{{ meta.name }}-ldap-cacert"
+              mountPath: /etc/openldap/certs/ldap-ca.crt
+              subPath: ldap-ca.crt
+              readOnly: true
 {% endif %}
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
@@ -197,6 +203,14 @@ spec:
                path: 'web.key'
              - key: tls.crt
                path: 'web.crt'
+{% endif %}
+{% if ldap_cacert_ca_crt %}
+        - name: "{{ meta.name }}-ldap-cacert"
+          secret:
+            secretName: "{{ ldap_cacert_secret }}"
+            items:
+              - key: ldap-ca.crt
+                path: 'ldap-ca.crt'
 {% endif %}
        - name: "{{ meta.name }}-application-credentials"
          secret:
@@ -206,6 +220,8 @@ spec:
                path: 'credentials.py'
              - key: environment_sh
                path: 'environment.sh'
+              - key: ldap_py
+                path: 'ldap.py'
        - name: "{{ secret_key_secret_name }}"
          secret:
            secretName: '{{ secret_key_secret_name }}'
--- a/roles/installer/vars/main.yml
+++ b/roles/installer/vars/main.yml
@@ -1,3 +1,4 @@
 ---
 postgres_initdb_args: '--auth-host=scram-sha-256'
 postgres_host_auth_method: 'scram-sha-256'
+ldap_cacert_ca_crt: ''