From 8974e3446a7889720b3541431da8c38db86cbc33 Mon Sep 17 00:00:00 2001
From: Marcelo Moreira de Mello
Date: Mon, 29 Mar 2021 16:36:33 -0400
Subject: [PATCH 1/2] Added ability to configure LDAP CA
---
README.md | 25 +++++++++++++++++++
ansible/templates/crd.yml.j2 | 3 +++
deploy/awx-operator.yaml | 3 +++
deploy/crds/awx_v1beta1_crd.yaml | 3 +++
.../awx-operator.clusterserviceversion.yaml | 5 ++++
.../manifests/awx.ansible.com_awxs_crd.yaml | 3 +++
roles/installer/defaults/main.yml | 4 +++
.../tasks/load_ldap_cacert_secret.yml | 12 +++++++++
roles/installer/tasks/main.yml | 5 ++++
roles/installer/templates/ldap.py.j2 | 6 +++++
.../templates/tower_app_credentials.yaml.j2 | 1 +
.../templates/tower_deployment.yaml.j2 | 16 ++++++++++++
12 files changed, 86 insertions(+)
create mode 100644 roles/installer/tasks/load_ldap_cacert_secret.yml
create mode 100644 roles/installer/templates/ldap.py.j2
diff --git a/README.md b/README.md
index d5c3dbb1..6a6702da 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Deploying a specific version of AWX](#deploying-a-specific-version-of-awx) * [Privileged Tasks](#privileged-tasks) * [Containers Resource Requirements](#containers-resource-requirements) + * [LDAP Certificate Authority](#ldap-certificate-authority) * [Development](#development) * [Testing](#testing) * [Testing in Docker](#testing-in-docker)
@@ -314,6 +315,30 @@ spec: memory: 2Gi ``` +#### LDAP Certificate Authority + +If the variable `ldap_cacert_secret` is provided, the operator will look for a the data field `ldap-ca.crt` in the specified secret. + +| Name | Description | Default | +| -------------------------------- | --------------------------------------- | --------| +| ldap_cacert_secret | LDAP Certificate Authority secret name | '' | + + +Example of customization could be: + +```yaml +--- +spec: + ... + ldap_cacert_secret: -ldap-ca-cert +``` + +To create the secret, you can use the command below: + +```sh +# kubectl create secret generic -ldap-ca-cert --from-file=ldap-ca.crt= +``` + ## Development ### Testing
diff --git a/ansible/templates/crd.yml.j2 b/ansible/templates/crd.yml.j2
index 30922c83..9787b1a3 100644
--- a/ansible/templates/crd.yml.j2
+++ b/ansible/templates/crd.yml.j2
@@ -242,6 +242,9 @@ spec: development_mode: description: If the deployment should be done in development mode type: boolean + ldap_cacert_secret: + description: Secret where can be found the LDAP trusted Certificate Authority Bundle + type: string type: object status: properties:
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 822de43c..5d26a4fa 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -393,6 +393,9 @@ spec: development_mode: description: If the deployment should be done in development mode type: boolean + ldap_cacert_secret: + description: Secret where can be found the LDAP trusted Certificate Authority Bundle + type: string type: object status: properties:
diff --git a/deploy/crds/awx_v1beta1_crd.yaml b/deploy/crds/awx_v1beta1_crd.yaml
index 30922c83..9787b1a3 100644
--- a/deploy/crds/awx_v1beta1_crd.yaml
+++ b/deploy/crds/awx_v1beta1_crd.yaml
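Review bot: The new `description` for `ldap_cacert_secret` in crd.yml.j2 does not tell the user which key the operator reads from the Secret, and its wording is hard to parse; the identical text is repeated in deploy/awx-operator.yaml, deploy/crds/awx_v1beta1_crd.yaml and the OLM awx.ansible.com_awxs_crd.yaml. Since the loader task fetches the Secret from the CR's own namespace and reads only the `ldap-ca.crt` key, I would write in all four places `description: Name of a Secret in the AWX namespace whose ldap-ca.crt key holds the LDAP trusted CA bundle (PEM)`. In awx.ansible.com_awxs_crd.yaml the property is also inserted between `ca_trust_bundle` and `deployment_type`, which appears to break the alphabetical order the neighbouring keys keep; order is not semantic in a mapping, but keeping it makes future diffs smaller.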
@@ -242,6 +242,9 @@ spec: development_mode: description: If the deployment should be done in development mode type: boolean + ldap_cacert_secret: + description: Secret where can be found the LDAP trusted Certificate Authority Bundle + type: string type: object status: properties:
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
index f3d6a65a..6bf2167a 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -261,6 +261,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: LDAP Certificate Authority Trust Bundle + path: ldap_cacert_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:io.kubernetes:Secret - displayName: Tower Task Args path: tower_task_args x-descriptors:
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
index 840ef939..76b7bb7a 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx.ansible.com_awxs_crd.yaml
@@ -22,6 +22,9 @@ spec: ca_trust_bundle: description: Path where the trusted CA bundle is available type: string + ldap_cacert_secret: + description: Secret where can be found the LDAP trusted Certificate Authority Bundle + type: string deployment_type: description: Name of the deployment type type: string
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index 053edf8c..611f11da 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -123,4 +123,8 @@ tower_postgres_configuration_secret: '' ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt" +# Secret to lookup that provides the LDAP CACert trusted bundle +# +ldap_cacert_secret: '' + development_mode: false
diff --git a/roles/installer/tasks/load_ldap_cacert_secret.yml b/roles/installer/tasks/load_ldap_cacert_secret.yml
new file mode 100644
index 00000000..41667a1b
--- /dev/null
+++ b/roles/installer/tasks/load_ldap_cacert_secret.yml
@@ -0,0 +1,12 @@ +--- +- name: Retrieve LDAP CA Certificate Secret + community.kubernetes.k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ ldap_cacert_secret }}' + register: ldap_cacert + +- name: Load LDAP CA Certificate Secret content + set_fact: + ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}' + when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]'
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 58763199..80d6fb25 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -2,6 +2,11 @@ - name: Include secret key configuration tasks include_tasks: secret_key_configuration.yml +- name: Load LDAP CAcert certificate + include_tasks: load_ldap_cacert_secret.yml + when: + - ldap_cacert_secret != '' + - name: Include admin password configuration tasks include_tasks: admin_password_configuration.yml
diff --git a/roles/installer/templates/ldap.py.j2 b/roles/installer/templates/ldap.py.j2
new file mode 100644
index 00000000..969e3e59
--- /dev/null
+++ b/roles/installer/templates/ldap.py.j2
@@ -0,0 +1,6 @@ +AUTH_LDAP_GLOBAL_OPTIONS = { +{% if ldap_cacert_secret %} + ldap.OPT_X_TLS_REQUIRE_CERT: True, + ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt" +{% endif %} +}
diff --git a/roles/installer/templates/tower_app_credentials.yaml.j2 b/roles/installer/templates/tower_app_credentials.yaml.j2
index fcbb4994..fc0ac040 100644
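Review bot: The `when` on the "Load LDAP CA Certificate Secret content" task in load_ldap_cacert_secret.yml indexes `ldap_cacert["resources"][0]["data"]` before checking that the lookup returned anything, so a `ldap_cacert_secret` that names a Secret which does not exist (k8s_info then returns an empty `resources` list, as far as I know) or a Secret with no `data` makes the task blow up on the index or key lookup instead of reporting the missing Secret. Guard the list and the map first, e.g. `when: ldap_cacert.resources | length > 0 and 'ldap-ca.crt' in (ldap_cacert.resources[0].data | default({}))`. Note also that the fact receives the full decoded PEM although nothing in this series embeds the content anywhere; storing a boolean such as `ldap_cacert_present` would express the intent and keep the certificate text out of the fact cache.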
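Review bot: `ldap.OPT_X_TLS_REQUIRE_CERT: True` in the new ldap.py.j2 passes a Python bool where python-ldap expects one of the `OPT_X_TLS_*` level constants; `True` coerces to 1, which is `ldap.OPT_X_TLS_HARD`, not `ldap.OPT_X_TLS_DEMAND`. As far as I can tell OpenLDAP treats HARD and DEMAND the same for require-cert, so peer verification is still enforced, but the intent is clearer and less fragile as `ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,`. The CA path `/etc/openldap/certs/ldap-ca.crt` is also written out literally here and again as the `mountPath` in tower_deployment.yaml.j2; a single role variable for it would stop the two from drifting. The template assumes the name `ldap` is in scope where AWX executes this settings file — presumably it is, but worth confirming against the AWX settings loader.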
--- a/roles/installer/templates/tower_app_credentials.yaml.j2
+++ b/roles/installer/templates/tower_app_credentials.yaml.j2
@@ -8,3 +8,4 @@ metadata: data: credentials_py: "{{ lookup('template', 'credentials.py.j2') | b64encode }}" environment_sh: "{{ lookup('template', 'environment.sh.j2') | b64encode }}" + ldap_py: "{{ lookup('template', 'ldap.py.j2') | b64encode }}"
diff --git a/roles/installer/templates/tower_deployment.yaml.j2 b/roles/installer/templates/tower_deployment.yaml.j2
index 53937d0d..370be302 100644
--- a/roles/installer/templates/tower_deployment.yaml.j2
+++ b/roles/installer/templates/tower_deployment.yaml.j2
@@ -57,6 +57,12 @@ spec: - name: "{{ meta.name }}-nginx-certs" mountPath: "/etc/nginx/pki" readOnly: true +{% endif %} +{% if ldap_cacert_secret %} + - name: "{{ meta.name }}-ldap-cacert" + mountPath: /etc/openldap/certs/ldap-ca.crt + subPath: ldap-ca.crt + readOnly: true {% endif %} - name: "{{ secret_key_secret_name }}" mountPath: /etc/tower/SECRET_KEY
@@ -197,6 +203,14 @@ spec: path: 'web.key' - key: tls.crt path: 'web.crt' +{% endif %} +{% if ldap_cacert_secret %} + - name: "{{ meta.name }}-ldap-cacert" + secret: + secretName: "{{ ldap_cacert_secret }}" + items: + - key: ldap-ca.crt + path: 'ldap-ca.crt' {% endif %} - name: "{{ meta.name }}-application-credentials" secret:
@@ -206,6 +220,8 @@ spec: path: 'credentials.py' - key: environment_sh path: 'environment.sh' + - key: ldap_py + path: 'ldap.py' - name: "{{ secret_key_secret_name }}" secret: secretName: '{{ secret_key_secret_name }}'
From 658cf92a3b06717a330df443c181c900444373af Mon Sep 17 00:00:00 2001
From: Marcelo Moreira de Mello
Date: Wed, 31 Mar 2021 11:25:25 -0400
Subject: [PATCH 2/2] Make sure we only proceed with ldap-ca.crt is a valid secret
---
roles/installer/templates/ldap.py.j2 | 2 +-
roles/installer/templates/tower_deployment.yaml.j2 | 4 ++--
roles/installer/vars/main.yml | 1 +
3 files changed, 4 insertions(+), 3 deletions(-)
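Review bot: The new volume mount for `{{ meta.name }}-ldap-cacert` in the first tower_deployment.yaml.j2 hunk uses `subPath: ldap-ca.crt`, and Kubernetes does not propagate Secret updates into subPath mounts, so rotating the CA bundle in the Secret leaves the running container with the old trust anchor until the pod is recreated. Nothing in the three hunks adds a rollout trigger for that case, so a rotation is silently ineffective. At minimum I would document it at the mount with `{# subPath mount: a changed CA only takes effect after the pod is recreated #}`; a pod-template annotation carrying a hash of the bundle content would make the rollout automatic. The volumeMounts and volumes lists these hunks extend start outside the hunks.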
diff --git a/roles/installer/templates/ldap.py.j2 b/roles/installer/templates/ldap.py.j2
index 969e3e59..cbfc6f7f 100644
--- a/roles/installer/templates/ldap.py.j2
+++ b/roles/installer/templates/ldap.py.j2
@@ -1,5 +1,5 @@ AUTH_LDAP_GLOBAL_OPTIONS = { -{% if ldap_cacert_secret %} +{% if ldap_cacert_ca_crt %} ldap.OPT_X_TLS_REQUIRE_CERT: True, ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt" {% endif %}
diff --git a/roles/installer/templates/tower_deployment.yaml.j2 b/roles/installer/templates/tower_deployment.yaml.j2
index 370be302..40ea2be0 100644
--- a/roles/installer/templates/tower_deployment.yaml.j2
+++ b/roles/installer/templates/tower_deployment.yaml.j2
@@ -58,7 +58,7 @@ spec: mountPath: "/etc/nginx/pki" readOnly: true {% endif %} -{% if ldap_cacert_secret %} +{% if ldap_cacert_ca_crt %} - name: "{{ meta.name }}-ldap-cacert" mountPath: /etc/openldap/certs/ldap-ca.crt subPath: ldap-ca.crt
@@ -204,7 +204,7 @@ spec: - key: tls.crt path: 'web.crt' {% endif %} -{% if ldap_cacert_secret %} +{% if ldap_cacert_ca_crt %} - name: "{{ meta.name }}-ldap-cacert" secret: secretName: "{{ ldap_cacert_secret }}"
diff --git a/roles/installer/vars/main.yml b/roles/installer/vars/main.yml
index 81c42a1e..7ab069c9 100644
--- a/roles/installer/vars/main.yml
+++ b/roles/installer/vars/main.yml
@@ -1,3 +1,4 @@ --- postgres_initdb_args: '--auth-host=scram-sha-256' postgres_host_auth_method: 'scram-sha-256' +ldap_cacert_ca_crt: ''
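Review bot: Gating ldap.py.j2 on `ldap_cacert_ca_crt` means a CR that sets `ldap_cacert_secret` to a Secret lacking the `ldap-ca.crt` key now renders an empty `AUTH_LDAP_GLOBAL_OPTIONS` and the deployment proceeds without the CA, with nothing in the play output saying so; an administrator who expected verification against that CA gets whatever the default verification behaviour is instead. The same gate drives the two tower_deployment.yaml.j2 hunks in this commit, so the mount and volume also disappear silently. The check belongs in load_ldap_cacert_secret.yml rather than in the templates: after the set_fact, a `fail` task with `msg: "Secret {{ ldap_cacert_secret }} has no ldap-ca.crt key"` and `when: ldap_cacert_ca_crt == ''` makes the misconfiguration loud (a `debug` warning if failing the reconcile is considered too strict). Defining the empty default in vars/main.yml rather than defaults/main.yml keeps it out of the CR spec while still letting set_fact override it, which looks deliberate and is worth a one-line comment there.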