From 68bbbba0dfbae77b1f502ca4a7af4e8a0b3a537f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 08:20:14 +0200 Subject: [PATCH 1/3] fnux-playground/openldap: set upgrade policy, fix service endpoints --- apps/fnux-playground/openldap/templates/deployment.yaml | 4 ++++ apps/fnux-playground/openldap/templates/service.yaml | 4 +++- apps/fnux-playground/openldap/values.yaml | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/apps/fnux-playground/openldap/templates/deployment.yaml b/apps/fnux-playground/openldap/templates/deployment.yaml index 9668566..6541d6b 100644 --- a/apps/fnux-playground/openldap/templates/deployment.yaml +++ b/apps/fnux-playground/openldap/templates/deployment.yaml @@ -6,6 +6,10 @@ metadata: app: openldap spec: replicas: 1 + strategy: + # Delete old pod before starting the new one - slapd doesn't react well + # with two instances hitting the same database. + type: "Recreate" selector: matchLabels: app: "{{ tpl .Values.identifier . }}-openldap" diff --git a/apps/fnux-playground/openldap/templates/service.yaml b/apps/fnux-playground/openldap/templates/service.yaml index 8028395..f4007a3 100644 --- a/apps/fnux-playground/openldap/templates/service.yaml +++ b/apps/fnux-playground/openldap/templates/service.yaml @@ -1,11 +1,13 @@ apiVersion: v1 kind: Service metadata: - name: "{{ tpl .Values.identifier . }}" + name: "{{ .Release.Name }}" labels: app: openldap spec: type: ClusterIP + selector: + app: "{{ tpl .Values.identifier . }}-openldap" ports: - port: 389 name: ldap diff --git a/apps/fnux-playground/openldap/values.yaml b/apps/fnux-playground/openldap/values.yaml index 9ca7b47..eb5073f 100644 --- a/apps/fnux-playground/openldap/values.yaml +++ b/apps/fnux-playground/openldap/values.yaml 
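Review bot: The Service is now named from `.Release.Name` while the Deployment, its new selector and the other resources in this chart are named from `tpl .Values.identifier .`, so the two diverge as soon as `identifier` is overridden in a values file. If this is deliberate — the Service name is the host part of `.Values.fqdn`, which is also built from `.Release.Name` — it deserves a comment on the `name:` line, e.g. `# Deliberately .Release.Name, not identifier: the Service DNS name must match .Values.fqdn`. Otherwise `name: "{{ tpl .Values.identifier . }}"` would keep the naming uniform with the Deployment it selects.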
@@ -2,6 +2,7 @@ clusterDomain: "c1.k8s.ooo" fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" identifier: "{{ .Release.Name }}" +# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; ldapLogLevel: "256" ldapOrganisation: "ungleich glarus ag" ldapDomain: "{{ tpl .Values.fqdn . }}" From 36f37753a7459f5757ddbc4c8b1e2133fc3c880b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 08:20:58 +0200 Subject: [PATCH 2/3] fnux-playground: add configuration for ldap1.fnux-playground deployment --- apps/fnux-playground/README.md | 2 +- apps/fnux-playground/ldap1.fnux-playground.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 apps/fnux-playground/ldap1.fnux-playground.yaml diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md index 7c8d134..562313c 100644 --- a/apps/fnux-playground/README.md +++ b/apps/fnux-playground/README.md @@ -8,7 +8,7 @@ Simple chart based on [Osixia's OpenLDAP image](https://github.com/osixia/docker-openldap). ``` -helm install ldap1 ./openldap +helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml ``` ## Matrix Synapse diff --git a/apps/fnux-playground/ldap1.fnux-playground.yaml b/apps/fnux-playground/ldap1.fnux-playground.yaml new file mode 100644 index 0000000..9026f01 --- /dev/null +++ b/apps/fnux-playground/ldap1.fnux-playground.yaml @@ -0,0 +1,6 @@ +clusterDomain: "c1.k8s.ooo" + +# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; +ldapLogLevel: "256" +ldapOrganisation: "ungleich glarus ag" +ldapDomain: "ungleich.ch" From 2723af1a8e1eb6b7b6376d97bb4a092926549d02 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 2 Aug 2021 09:49:28 +0200 Subject: [PATCH 3/3] fnux-playground/openldap: add initial TLS/LetsEncrypt support --- apps/fnux-playground/README.md | 6 +- .../openldap/templates/deployment.yaml | 66 +++++++++++++++++-- .../openldap/templates/pvc.yaml | 16 ++++- .../openldap/templates/service.yaml | 3 + apps/fnux-playground/openldap/values.yaml | 6 ++ 5 files changed, 90 insertions(+), 7 deletions(-) diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md index 562313c..c8c71ef 100644 --- a/apps/fnux-playground/README.md +++ b/apps/fnux-playground/README.md @@ -5,9 +5,13 @@ Tests made by Timothée for ungleich. ## OpenLDAP Simple chart based on [Osixia's OpenLDAP -image](https://github.com/osixia/docker-openldap). +image](https://github.com/osixia/docker-openldap). A TLS certificate is +automatically generated via Let'sEncrypt, but renewal is not handled yet. + +TODO: handle TLS certificate renewal. ``` +kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml ``` diff --git a/apps/fnux-playground/openldap/templates/deployment.yaml b/apps/fnux-playground/openldap/templates/deployment.yaml index 6541d6b..7bd9e91 100644 --- a/apps/fnux-playground/openldap/templates/deployment.yaml +++ b/apps/fnux-playground/openldap/templates/deployment.yaml @@ -18,10 +18,20 @@ spec: labels: app: "{{ tpl .Values.identifier . }}-openldap" spec: + initContainers: + - name: wait-for-cert + image: busybox + command: + - "sh" + - "-c" + - "until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done" + volumeMounts: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + mountPath: /etc/letsencrypt containers: - name: "openldap" image: "osixia/openldap:{{ .Chart.AppVersion }}" - args: ["--loglevel", "info"] + args: ["--loglevel", "debug"] ports: - name: ldap containerPort: 389 
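Review bot: The `wait-for-cert` init container pulls `image: busybox` with no tag or digest, so the pod runs whatever the registry's default tag resolves to at scheduling time; pinning it (`image: busybox:<tag>` or an `@sha256:<digest>` reference) keeps the rollout reproducible, and the same applies to `ungleich/ungleich-certbot` in the Job added later in this patch. The `until ls …; do sleep 5; done` loop has no upper bound, so if the certbot Job exhausts its `backoffLimit` the openldap pod sits in Init indefinitely with nothing but the init container's log to show why — a maximum iteration count that exits non-zero would surface the failure. `args: ["--loglevel", "info"]` becoming `"debug"` also looks like a debugging leftover; slapd debug output is very verbose, and if it is intended it should come from a value rather than be hard-coded. The enclosing pod spec continues outside this hunk.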
@@ -51,8 +61,16 @@ spec: - name: LDAP_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl .Values.identifier . }}-openldap" - key: LDAP_ADMIN_PASSWORD + name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}" + key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}" + - name: LDAP_TLS_CRT_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/cert.pem" + - name: LDAP_TLS_KEY_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/privkey.pem" + - name: LDAP_TLS_CA_CRT_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem" + - name: LDAP_TLS_VERIFY_CLIENT + value: "try" volumeMounts: - name: "{{ tpl .Values.identifier . }}-openldap-data" mountPath: "/etc/ldap/slapd.d" 
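Review bot: `LDAP_TLS_VERIFY_CLIENT` is set to `"try"` without a comment, and a reader may take it for mutual-TLS enforcement; in OpenLDAP `try` only requests a client certificate and still accepts connections that present none, so it does not restrict who can connect. A one-line comment such as `# "try": ask for a client cert but do not require one; a bad cert is still rejected` would pin the intent, and if client-certificate authentication is actually wanted the value is `demand`. `LDAP_TLS_CA_CRT_FILENAME` also points at `fullchain.pem`, i.e. the server's own Let's Encrypt chain, so any client certificate that is presented would be checked against that chain rather than a dedicated client CA — worth confirming that is what is meant. The container spec this belongs to starts and ends outside the hunk.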
@@ -60,10 +78,48 @@ spec: - name: "{{ tpl .Values.identifier . }}-openldap-data" mountPath: "/var/lib/ldap" subPath: database - - name: "{{ tpl .Values.identifier . }}-openldap-data" + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" mountPath: /container/service/slapd/assets/certs - subPath: certs volumes: - name: "{{ tpl .Values.identifier . }}-openldap-data" persistentVolumeClaim: claimName: "{{ tpl .Values.identifier . }}-openldap-data" + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + persistentVolumeClaim: + claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ tpl .Values.identifier . }}-getcert +spec: + template: + metadata: + labels: + app: {{ tpl .Values.identifier . }}-openldap + spec: + restartPolicy: Never + containers: + - name: certbot + image: ungleich/ungleich-certbot + ports: + - containerPort: 80 + env: + - name: ONLYGETCERT + value: "yes" + - name: DOMAIN + value: "{{ tpl .Values.fqdn . }}" + - name: EMAIL + value: "{{ .Values.letsencryptEmail }}" + {{ if eq .Values.letsencryptStaging "no" }} + - name: STAGING + value: "no" + {{ end }} + volumeMounts: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + mountPath: /etc/letsencrypt + volumes: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + persistentVolumeClaim: + claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs + backoffLimit: 3 diff --git a/apps/fnux-playground/openldap/templates/pvc.yaml b/apps/fnux-playground/openldap/templates/pvc.yaml index 66d55ad..360eb6f 100644 --- a/apps/fnux-playground/openldap/templates/pvc.yaml +++ b/apps/fnux-playground/openldap/templates/pvc.yaml 
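Review bot: The certbot Job's pod template carries `app: {{ tpl .Values.identifier . }}-openldap`, the exact label the Service selects on since the first patch, so while the Job runs the Service's `ldap`/`ldaps` endpoints also include the certbot pod, which does not listen on 389/636, and a share of client connections can land on it. If the label is only there so the Service's port 80 reaches certbot for the HTTP-01 challenge, a distinct label with its own Service (or selector) for port 80 would keep LDAP traffic off the Job. `{{ if eq .Values.letsencryptStaging "no" }}` compares against a string, so an override written unquoted as `letsencryptStaging: no` becomes a YAML boolean and the comparison no longer behaves as intended; comparing a real boolean, or passing the value through `toString` first, is more robust. The `name:`, `app:` and `claimName:` lines with a bare `{{ tpl .Values.identifier . }}` also differ from the quoted style used everywhere else in the chart; quoting them, e.g. `claimName: "{{ tpl .Values.identifier . }}-letsencrypt-certs"`, removes the inconsistency. Since the Job is a plain resource rather than a Helm hook, a later `helm upgrade` that changes `fqdn` will try to modify the immutable Job template — presumably not considered yet, and worth a comment.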
@@ -4,8 +4,22 @@ metadata: name: "{{ tpl .Values.identifier . }}-openldap-data" spec: accessModes: - - ReadWriteMany + - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: rook-cephfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Mi + storageClassName: rook-cephfs + + diff --git a/apps/fnux-playground/openldap/templates/service.yaml b/apps/fnux-playground/openldap/templates/service.yaml index f4007a3..43e86d2 100644 --- a/apps/fnux-playground/openldap/templates/service.yaml +++ b/apps/fnux-playground/openldap/templates/service.yaml @@ -13,3 +13,6 @@ spec: name: ldap - port: 636 name: ldaps + # Required for TLS certificate generation via LetsEncrypt. + - port: 80 + name: http diff --git a/apps/fnux-playground/openldap/values.yaml b/apps/fnux-playground/openldap/values.yaml index eb5073f..f0c48f9 100644 --- a/apps/fnux-playground/openldap/values.yaml +++ b/apps/fnux-playground/openldap/values.yaml @@ -6,3 +6,9 @@ identifier: "{{ .Release.Name }}" ldapLogLevel: "256" ldapOrganisation: "ungleich glarus ag" ldapDomain: "{{ tpl .Values.fqdn . }}" +ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap" +ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD" + +# TLS certificate generation. +letsencryptEmail: "technik@ungleich.ch" +letsencryptStaging: "no"
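Review bot: The new PersistentVolumeClaim document ends with two added empty lines (`+` with no content), leaving trailing blank lines at the end of pvc.yaml; drop them. The switch of the data claim from `ReadWriteMany` to `ReadWriteOnce` is only safe because the Deployment now uses the `Recreate` strategy, and that dependency is worth a comment on the `accessModes:` line, e.g. `# RWO is enough: the Deployment uses strategy Recreate, so only one pod mounts this at a time`. The certs claim stays `ReadWriteMany` because the openldap pod and the certbot Job mount it concurrently; stating that next to it saves the next reader the same reasoning.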
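Review bot: The new `http` port on a `ClusterIP` Service is only useful if something outside this chart forwards port 80 to it for the HTTP-01 challenge, and nothing in the chart does, so the comment `# Required for TLS certificate generation via LetsEncrypt.` should say how the port becomes reachable from the internet, or that this is still to be wired up. Because the selector also matches the openldap pod, which does not listen on 80, the port routes nowhere most of the time and only reaches the certbot pod while the Job runs; a note on that, or a dedicated Service for the Job, would make the design clearer.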
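Review bot: `letsencryptStaging: "no"` is a string standing in for a boolean, and the Job template compares it with `eq … "no"`; an override written unquoted as `letsencryptStaging: no` parses as boolean false and silently changes the template's behaviour. Either document it, `# Quoted string, not a boolean: the Job template compares this with eq against "no"`, or switch to a real boolean. The `"no"` default also means every fresh install requests a certificate from the production Let's Encrypt endpoint, so repeated installs of a playground chart can run into issuance rate limits — a comment on that trade-off, or a staging default, would help. `ldapAdminPasswordSecretRef` defaults to a secret the chart does not create (the README has it created by hand); a comment saying so on that line saves a failed first rollout.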