fnux-playground/openldap: add initial TLS/LetsEncrypt support

apps/fnux-playground/README.md

@@ -5,9 +5,13 @@ Tests made by Timothée for ungleich.
 ## OpenLDAP
 
 Simple chart based on [Osixia's OpenLDAP
-image](https://github.com/osixia/docker-openldap).
+image](https://github.com/osixia/docker-openldap). A TLS certificate is
+automatically generated via Let'sEncrypt, but renewal is not handled yet.
+
+TODO: handle TLS certificate renewal.
 
 ```
+kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet
 helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml
 ```
 

apps/fnux-playground/openldap/templates/deployment.yaml

@@ -18,10 +18,20 @@ spec:
       labels:
         app: "{{ tpl .Values.identifier . }}-openldap"
     spec:
+      initContainers:
+        - name: wait-for-cert
+          image: busybox
+          command:
+            - "sh"
+            - "-c"
+            - "until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done"
+          volumeMounts:
+            - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+              mountPath: /etc/letsencrypt
       containers:
         - name: "openldap"
           image: "osixia/openldap:{{ .Chart.AppVersion }}"
-          args: ["--loglevel", "info"]
+          args: ["--loglevel", "debug"]
           ports:
             - name: ldap
               containerPort: 389
@@ -51,8 +61,16 @@ spec:
             - name: LDAP_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: "{{ tpl .Values.identifier . }}-openldap"
-                  key: LDAP_ADMIN_PASSWORD
+                  name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
+                  key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
+            - name: LDAP_TLS_CRT_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
+            - name: LDAP_TLS_KEY_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/privkey.pem"
+            - name: LDAP_TLS_CA_CRT_FILENAME
+              value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
+            - name: LDAP_TLS_VERIFY_CLIENT
+              value: "try"
           volumeMounts:
             - name: "{{ tpl .Values.identifier . }}-openldap-data"
               mountPath: "/etc/ldap/slapd.d"
@@ -60,10 +78,48 @@ spec:
             - name: "{{ tpl .Values.identifier . }}-openldap-data"
               mountPath: "/var/lib/ldap"
               subPath: database
-            - name: "{{ tpl .Values.identifier . }}-openldap-data"
+            - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
               mountPath: /container/service/slapd/assets/certs
-              subPath: certs
       volumes:
         - name: "{{ tpl .Values.identifier . }}-openldap-data"
           persistentVolumeClaim:
             claimName: "{{ tpl .Values.identifier . }}-openldap-data"
+        - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ tpl .Values.identifier . }}-getcert
+spec:
+  template:
+    metadata:
+      labels:
+        app: {{ tpl .Values.identifier . }}-openldap
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: certbot
+        image: ungleich/ungleich-certbot
+        ports:
+          - containerPort: 80
+        env:
+          - name: ONLYGETCERT
+            value: "yes"
+          - name: DOMAIN
+            value: "{{ tpl .Values.fqdn . }}"
+          - name: EMAIL
+            value: "{{ .Values.letsencryptEmail }}"
+          {{ if eq .Values.letsencryptStaging "no" }}
+          - name: STAGING
+            value: "no"
+          {{ end }}
+        volumeMounts:
+          - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+            mountPath: /etc/letsencrypt
+      volumes:
+        - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
+  backoffLimit: 3

apps/fnux-playground/openldap/templates/pvc.yaml

@@ -4,8 +4,22 @@ metadata:
   name: "{{ tpl .Values.identifier . }}-openldap-data"
 spec:
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
   resources:
     requests:
       storage: 1Gi
   storageClassName: rook-cephfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Mi
+  storageClassName: rook-cephfs
+
+

apps/fnux-playground/openldap/templates/service.yaml

@@ -13,3 +13,6 @@ spec:
       name: ldap
     - port: 636
       name: ldaps
+    # Required for TLS certificate generation via LetsEncrypt.
+    - port: 80
+      name: http

apps/fnux-playground/openldap/values.yaml

@@ -6,3 +6,9 @@ identifier: "{{ .Release.Name }}"
 ldapLogLevel: "256"
 ldapOrganisation: "ungleich glarus ag"
 ldapDomain: "{{ tpl .Values.fqdn . }}"
+ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
+ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
+
+# TLS certificate generation.
+letsencryptEmail: "technik@ungleich.ch"
+letsencryptStaging: "no"