From 90b6aa9d780b0920c59a135538634c439b16f605 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Mon, 12 Mar 2018 17:57:36 -0500
Subject: [PATCH] Add tls support for ldap
This patch set adds TLS support for keystone LDAP.
External-tracking: OSH#555
Change-Id: Ice32a31a712b8534a5d1a8f90a8a203710bdb9a9
Signed-off-by: Tin Lam
---
 keystone/templates/deployment-api.yaml | 11 +++++++++++
 keystone/templates/secret-ldap-tls.yaml | 26 +++++++++++++++++++++++++
 keystone/values.yaml | 16 +++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 keystone/templates/secret-ldap-tls.yaml
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index 072fd1aaa1..c267795312 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -106,6 +106,12 @@ spec:
 mountPath: /tmp/keystone-api.sh
 subPath: keystone-api.sh
 readOnly: true
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+ - name: keystone-ldap-tls
+ mountPath: /etc/certs/ldap-certs.cert
+ subPath: ldap-certs.cert
+ readOnly: true
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
 mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
@@ -126,6 +132,11 @@ spec:
 configMap:
 name: keystone-bin
 defaultMode: 0555
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+ - name: keystone-ldap-tls
+ secret:
+ secretName: keystone-ldap-tls
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
 secret:
diff --git a/keystone/templates/secret-ldap-tls.yaml b/keystone/templates/secret-ldap-tls.yaml
new file mode 100644
index 0000000000..9b83bec422
--- /dev/null
+++ b/keystone/templates/secret-ldap-tls.yaml
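Review bot: The new volumeMount at `/etc/certs/ldap-certs.cert` uses `subPath`, and Kubernetes does not refresh subPath-mounted files when the backing Secret changes, so a rotated LDAP CA only takes effect after the keystone-api pods are restarted. Either document that on the `subPath:` line, e.g. `# subPath mounts are not updated on Secret change; CA rotation needs a rolling restart`, or mount the Secret as a directory (`mountPath: /etc/certs/ldap`, no `subPath`) and point `tls_cacertfile` at `/etc/certs/ldap/ldap-certs.cert`, which does pick up updates. The enclosing container spec starts and ends outside the hunk.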
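Review bot: `secretName: keystone-ldap-tls` is hard-coded in the new volume, while the Secret template added by this patch names the object `{{ .Values.secrets.ldap.tls }}`, so any override of `secrets.ldap.tls` leaves the pod referencing a Secret that does not exist; use `secretName: {{ .Values.secrets.ldap.tls }}`. The volume is also gated only on `.Values.endpoints.ldap.auth.client.tls.ca`, whereas the Secret is rendered only when `manifests.secret_ldap_tls` is additionally true, so with that flag at its chart default of `false` a deployment that sets a CA points at a Secret that is never created and the pod stays in ContainerCreating. Gating both the mount and the volume on the same pair, `{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }}`, keeps the three templates consistent. The enclosing volumes list continues outside the hunk.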
@@ -0,0 +1,26 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secrets.ldap.tls }}
+type: Opaque
+data:
+ ldap-certs.cert: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
+{{- end }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 1912ce0232..62cb25765f 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -747,6 +747,8 @@ secrets:
 oslo_messaging:
 admin: keystone-rabbitmq-admin
 keystone: keystone-rabbitmq-user
+ ldap:
+ tls: keystone-ldap-tls
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -833,6 +835,19 @@ endpoints:
 port:
 memcache:
 default: 11211
+ ldap:
+ auth:
+ client:
+ tls:
+ # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
+ # /etc/certs/ldap-certs.cert. To ensure keystone uses LDAPS, the
+ # following key will need to be overrided under section [ldap] or the
+ # correct domain-specific setting, else it will not be enabled:
+ #
+ # use_tls: true
+ # tls_req_cert: allow # Valid values: demand, never, allow
+ # tls_cacertfile: /etc/certs/ldap-certs.cert # abs path to the CA cert
+ ca: null
 manifests:
 configmap_bin: true
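Review bot: The `| default ""` on the `ldap-certs.cert` value can never fire, because the surrounding `{{- if and ... .Values.endpoints.ldap.auth.client.tls.ca }}` already requires the CA to be non-empty, so the fallback reads as if an empty Secret were a supported state when it is not. Either drop the `default ""` so the guard is the single source of truth, or, if the intent is to always render the Secret so that a Deployment referencing it never dangles, drop the CA condition from the `if` and keep the `default`. A short comment above the `if`, e.g. `# Rendered only when a CA is supplied; the deployment mounts it under the same condition`, would make the coupling to deployment-api.yaml explicit.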
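Review bot: The example `tls_req_cert: allow` in the new NOTE undermines the CA this patch is shipping: with `allow` the LDAP client proceeds even when the server presents no certificate or one that does not validate, so the connection is not actually authenticated and a man-in-the-middle is still possible; the example should be `tls_req_cert: demand`, with `allow` and `never` described as debugging-only. The comment also conflates two modes: `use_tls: true` enables StartTLS on a plain `ldap://` URL, whereas LDAPS is selected by giving an `ldaps://` scheme in `url`, and as far as I recall keystone refuses the combination of `use_tls` with an `ldaps://` URL, so the two lines should read `# use_tls: true   # StartTLS on an ldap:// url; for ldaps:// set the scheme in url and leave use_tls false` and `# tls_req_cert: demand   # demand verifies the server cert against tls_cacertfile; allow/never skip verification`. Minor wording on the same lines: "Specify a CA value here will" should be "Specifying a CA value here will", and "overrided" should be "overridden".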
@@ -856,5 +871,6 @@ manifests:
 secret_fernet_keys: true
 secret_keystone: true
 secret_rabbitmq: true
+ secret_ldap_tls: false
 service_ingress_api: true
 service_api: true
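Review bot: Defaulting `secret_ldap_tls: false` is the one `secret_*` manifest in this list that is off by default, and the deployment in this patch mounts the Secret whenever `endpoints.ldap.auth.client.tls.ca` is set regardless of this flag, so an operator who only supplies a CA gets a Deployment that references a Secret the chart never renders. Because the Secret template is already guarded by the CA value, `secret_ldap_tls: true` is safe as a default and removes that failure mode; if the flag must stay `false`, the deployment-api.yaml mount and volume need to be gated on it as well. The enclosing `manifests:` mapping starts outside the hunk.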