Add OpenLDAP stacks (#195)

Felix Hennig · Felix Hennig · commit 197ca462ef38 · 2022-12-27T09:41:48.000Z
## Description Part of: stackabletech/documentation#300 This PR adds two new stacks: - A `tutorial-openldap` stack that sets up an OpenLDAP instance with TLS but without an AuthenticationClass - A `openldap` stack that also installs the AuthenticationClass so it can easily be installed and reused elsewhere
diff --git a/stacks/authentication/openldap-tls-authenticationclass.yaml b/stacks/authentication/openldap-tls-authenticationclass.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: authentication.stackable.tech/v1alpha1
+kind: AuthenticationClass
+metadata:
+  name: openldap
+spec:
+  provider:
+    ldap:
+      hostname: openldap.default.svc.cluster.local
+      searchBase: ou=users,dc=example,dc=org
+      # The bind credentials are used so an application can bind to the LDAP server
+      bindCredentials:
+        secretClass: ldap-bind-credentials
+      port: 1636
+      tls:
+        verification:
+          server:
+            caCert:
+              secretClass: openldap-tls
+
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: openldap-bind-credentials
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openldap-bind-credentials
+  labels:
+    secrets.stackable.tech/class: openldap-bind-credentials
+stringData:
+  # User and password are defined in the OpenLDAP StatefulSet
+  user: cn=ldapadmin,dc=example,dc=org
+  password: ldapadminpassword
diff --git a/stacks/authentication/openldap-tls.yaml b/stacks/authentication/openldap-tls.yaml
@@ -0,0 +1,96 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: openldap-tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        autoGenerate: true
+        secret:
+          name: openldap-tls-ca
+          namespace: default
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: openldap
+  serviceName: openldap
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: openldap
+    spec:
+      containers:
+        - name: openldap
+          image: docker.io/bitnami/openldap:2.6
+          env:
+            # The Admin credentials. These are used to bind later.
+            - name: LDAP_ADMIN_USERNAME
+              value: ldapadmin
+            - name: LDAP_ADMIN_PASSWORD
+              value: ldapadminpassword
+            # Regular users to create
+            - name: LDAP_USERS
+              value: alice,bob
+            - name: LDAP_PASSWORDS
+              value: alice,bob
+            # Disallow anonymous binding
+            - name: LDAP_ALLOW_ANON_BINDING
+              value: "no"
+            # TLD config
+            - name: LDAP_ENABLE_TLS
+              value: "yes"
+            - name: LDAP_TLS_CERT_FILE
+              value: /tls/tls.crt
+            - name: LDAP_TLS_KEY_FILE
+              value: /tls/tls.key
+            - name: LDAP_TLS_CA_FILE
+              value: /tls/ca.crt
+          ports:
+            - name: ldap
+              containerPort: 1389
+            - name: tls-ldap
+              containerPort: 1636
+          volumeMounts:
+            - name: tls
+              mountPath: /tls
+          startupProbe:
+            tcpSocket:
+              port: 1389
+          readinessProbe:
+            tcpSocket:
+              port: 1389
+      volumes:
+        - name: tls
+          csi:
+            driver: secrets.stackable.tech
+            volumeAttributes:
+              secrets.stackable.tech/class: openldap-tls
+              secrets.stackable.tech/scope: pod
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  type: ClusterIP
+  ports:
+    - name: ldap
+      port: 1389
+      targetPort: ldap
+    - name: tls-ldap
+      port: 1636
+      targetPort: tls-ldap
+  selector:
+    app.kubernetes.io/name: openldap
diff --git a/stacks/stacks-v1.yaml b/stacks/stacks-v1.yaml
@@ -554,3 +554,28 @@ stacks:
       - helmChart: *template-opensearch-dashboards
       - helmChart: *template-vector-aggregator
       - plainYaml: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/logging/vector-aggregator-discovery.yaml
+  tutorial-openldap:
+    description: >-
+      An OpenLDAP instance with two users (alice:alice, bob:bob) and TLS enabled.
+      The bind user credentials are: ldapadmin:ldapadminpassword.
+      No AuthenticationClass is configured, The AuthenticationClass is created manually in the tutorial.
+      Use the 'openldap' Stack for an OpenLDAD with an AuthenticationClass already installed.
+    stackableRelease: 22.11
+    labels:
+      - authentication
+      - ldap
+    manifests:
+      - plainYaml: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/authentication/openldap-tls.yaml
+  openldap:
+    description: >-
+      An OpenLDAP instance with two users (alice:alice, bob:bob) and TLS enabled.
+      The bind user credentials are: ldapadmin:ldapadminpassword.
+      The LDAP AuthenticationClass is called 'ldap' and the SecretClass for the bind credentials is called 'ldap-bind-credentials'.
+      The stack already creates an appropriate Secret, so referring to the 'ldap' AuthenticationClass in your ProductCluster should be enough.
+    stackableRelease: 22.11
+    labels:
+      - authentication
+      - ldap
+    manifests:
+      - plainYaml: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/authentication/openldap-tls.yaml
+      - plainYaml: https://raw.githubusercontent.com/stackabletech/stackablectl/main/stacks/authentication/openldap-tls-authenticationclass.yaml
