fnux-playground/openldap: add initial TLS/LetsEncrypt support

2021-08-02 09:49:28 +02:00 · 2021-08-02 09:49:28 +02:00 · 2723af1a8e
parent 36f37753a7
commit 2723af1a8e
5 changed files with 90 additions and 7 deletions
--- a/apps/fnux-playground/README.md
+++ b/apps/fnux-playground/README.md
@ -5,9 +5,13 @@ Tests made by Timothée for ungleich.
 ## OpenLDAP

 Simple chart based on [Osixia's OpenLDAP
-image](https://github.com/osixia/docker-openldap).
+image](https://github.com/osixia/docker-openldap). A TLS certificate is
+automatically generated via Let'sEncrypt, but renewal is not handled yet.
+
+TODO: handle TLS certificate renewal.

 ```
+kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet
 helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml
 ```

--- a/apps/fnux-playground/openldap/templates/deployment.yaml
+++ b/apps/fnux-playground/openldap/templates/deployment.yaml
@ -18,10 +18,20 @@ spec:
      labels:
        app: "{{ tpl .Values.identifier . }}-openldap"
    spec:
+      initContainers:
+        - name: wait-for-cert
+          image: busybox
+          command:
+            - "sh"
+            - "-c"
+            - "until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done"
+          volumeMounts:
+            - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+              mountPath: /etc/letsencrypt
      containers:
        - name: "openldap"
          image: "osixia/openldap:{{ .Chart.AppVersion }}"
-          args: ["--loglevel", "info"]
+          args: ["--loglevel", "debug"]
          ports:
            - name: ldap
              containerPort: 389
@ -51,8 +61,16 @@ spec:
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: "{{ tpl .Values.identifier . }}-openldap"
-                  key: LDAP_ADMIN_PASSWORD
+                  name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
+                  key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
+            - name: LDAP_TLS_CRT_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
+            - name: LDAP_TLS_KEY_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/privkey.pem"
+            - name: LDAP_TLS_CA_CRT_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
+            - name: LDAP_TLS_VERIFY_CLIENT
+              value: "try"
          volumeMounts:
            - name: "{{ tpl .Values.identifier . }}-openldap-data"
              mountPath: "/etc/ldap/slapd.d"
@ -60,10 +78,48 @@ spec:
            - name: "{{ tpl .Values.identifier . }}-openldap-data"
              mountPath: "/var/lib/ldap"
              subPath: database
-            - name: "{{ tpl .Values.identifier . }}-openldap-data"
+            - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
              mountPath: /container/service/slapd/assets/certs
-              subPath: certs
      volumes:
        - name: "{{ tpl .Values.identifier . }}-openldap-data"
          persistentVolumeClaim:
            claimName: "{{ tpl .Values.identifier . }}-openldap-data"
+        - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ tpl .Values.identifier . }}-getcert
+spec:
+  template:
+    metadata:
+      labels:
+        app: {{ tpl .Values.identifier . }}-openldap
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: certbot
+        image: ungleich/ungleich-certbot
+        ports:
+          - containerPort: 80
+        env:
+          - name: ONLYGETCERT
+            value: "yes"
+          - name: DOMAIN
+            value: "{{ tpl .Values.fqdn . }}"
+          - name: EMAIL
+            value: "{{ .Values.letsencryptEmail }}"
+          {{ if eq .Values.letsencryptStaging "no" }}
+          - name: STAGING
+            value: "no"
+          {{ end }}
+        volumeMounts:
+          - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+            mountPath: /etc/letsencrypt
+      volumes:
+        - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+  backoffLimit: 3
--- a/apps/fnux-playground/openldap/templates/pvc.yaml
+++ b/apps/fnux-playground/openldap/templates/pvc.yaml
@ -4,8 +4,22 @@ metadata:
  name: "{{ tpl .Values.identifier . }}-openldap-data"
 spec:
  accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Mi
+  storageClassName: rook-cephfs
+
+
--- a/apps/fnux-playground/openldap/templates/service.yaml
+++ b/apps/fnux-playground/openldap/templates/service.yaml
@ -13,3 +13,6 @@ spec:
      name: ldap
    - port: 636
      name: ldaps
+    # Required for TLS certificate generation via LetsEncrypt.
+    - port: 80
+      name: http
--- a/apps/fnux-playground/openldap/values.yaml
+++ b/apps/fnux-playground/openldap/values.yaml
@ -6,3 +6,9 @@ identifier: "{{ .Release.Name }}"
 ldapLogLevel: "256"
 ldapOrganisation: "ungleich glarus ag"
 ldapDomain: "{{ tpl .Values.fqdn . }}"
+ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
+ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
+
+# TLS certificate generation.
+letsencryptEmail: "technik@ungleich.ch"
+letsencryptStaging: "no"