Merge pull request #755 from oruharo/ldap-tls

Supports TLS for LDAP authentication
cosmo-workspace · Jun 11, 2023 · bd60d99 · bd60d99
2 parents aacf3fc + 459c1cf
commit bd60d99
Show file tree

Hide file tree

Showing 8 changed files with 300 additions and 322 deletions.
diff --git a/charts/cosmo-dashboard/templates/dashboard.yaml b/charts/cosmo-dashboard/templates/dashboard.yaml
@@ -98,10 +98,15 @@ spec:
         - --tls-key=/app/cert/tls.key
         - --tls-cert=/app/cert/tls.crt
         {{- end }}
-        {{- if .Values.ldapURL }}
-        - --ldap-url={{ .Values.ldapURL }}
-        - --ldap-user-attr={{ .Values.ldapUserAttr }}
-        - --ldap-basedn={{ .Values.ldapBaseDn }}
+        {{- if .Values.auth.ldap.enabled }}
+        - --ldap-url={{ .Values.auth.ldap.url }}
+        - --ldap-user-attr={{ .Values.auth.ldap.userAttr }}
+        - --ldap-basedn={{ .Values.auth.ldap.baseDn }}
+        - --ldap-insecure-skip-verify={{ .Values.auth.ldap.tls.insecure }}
+        - --ldap-start-tls={{ .Values.auth.ldap.tls.startTls }}
+        {{- if .Values.auth.ldap.tls.secretName }}
+        - --ldap-ca-cert=/app/ldapCert/ca.crt
+        {{- end }}
         {{- end }}
         command:
         - /app/dashboard
@@ -128,20 +133,31 @@ spec:
           {{- toYaml .Values.resources | nindent 10 }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 10 }}
-        {{- if not .Values.insecure }}
         volumeMounts:
+        {{- if not .Values.insecure }}
         - mountPath: /app/cert
           name: cert
           readOnly: true
         {{- end }}
+        {{- if .Values.auth.ldap.tls.secretName }}
+        - mountPath: /app/ldapCert
+          name: ldap-cert
+          readOnly: true
+        {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "cosmo-dashboard.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
-      {{- if not .Values.insecure }}
       volumes:
+      {{- if not .Values.insecure }}
       - name: cert
         secret:
           defaultMode: 420
           secretName: {{ .Values.cert.secretName }}
       {{- end }}
+      {{- if .Values.auth.ldap.tls.secretName }}
+      - name: ldap-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.auth.ldap.tls.secretName }}
+      {{- end }}
diff --git a/charts/cosmo-dashboard/values.yaml b/charts/cosmo-dashboard/values.yaml
@@ -69,6 +69,22 @@ logTimeEncoding: iso8601
 
 maxMinutes: 180
 
+auth:
+  ldap:
+    enabled: false
+    # url is ldap server url. protocol is supported "ldap://" or "ldaps://"
+    url: "ldap://example.com:389"
+    # sAMAccountname=USERX,dc=example,dc=com
+    # ^^^^^^^^^^^^^^       ^^^^^^^^^^^^^^^^^
+    #   user-attr               baseDn
+    baseDn: "dc=example,dc=com"
+    # usually sAMAccountname or uid or cn
+    userAttr: "sAMAccountname"
+    tls:
+      insecure: false
+      secretName: ""
+      startTls: false
+
 cert:
   secretName: dashboard-server-cert
   enableCertManager: true
@@ -79,10 +95,6 @@ cert:
 
 insecure: true
 
-ldapURL: ""
-ldapUserAttr: ""
-ldapBaseDn: ""
-
 localRunTest:
   enabled: false
   dashboardEndpoint:

diff --git a/hack/local-run-test/Makefile b/hack/local-run-test/Makefile
@@ -1,7 +1,8 @@
 SHELL := /bin/bash
 BIN := $(shell pwd)/bin
+PROJ_BIN := $(abspath $(shell pwd)/../../bin)
 export BIN_DIR := $(BIN)
-export PATH := $(BIN):$(PATH)
+export PATH := $(BIN):$(PROJ_BIN):$(PATH)
 export KUBECONFIG := $(BIN)/kubeconfig
 unexport KUBERNETES_SERVICE_PORT
 unexport KUBERNETES_SERVICE_HOST
@@ -305,6 +306,11 @@ install-dashboard: helm kubectl docker-build-dashboard ## Install cosmo dashboar
 		--set ingress.hostName=$(DASHBOARD_HOST) \
 		--set cert.dnsName=$(DASHBOARD_HOST) \
 		--set insecure=false \
+		--set auth.ldap.enabled=true \
+		--set auth.ldap.url="ldaps://open-ldap.cosmo-system.svc.cluster.local" \
+		--set auth.ldap.baseDn="ou=users\,dc=cosmows\,dc=dev" \
+		--set auth.ldap.userAttr=cn \
+		--set auth.ldap.tls.secretName=openldap-cert \
 		--set logLevel=$(LOGLEVEL)
 
 install-dashboard-local: helm kubectl ## Install cosmo dashboard resources.
@@ -318,6 +324,11 @@ install-dashboard-local: helm kubectl ## Install cosmo dashboard resources.
 		--set ingress.enabled=true \
 		--set ingress.hostName=$(DASHBOARD_HOST) \
 		--set cert.dnsName=$(DASHBOARD_HOST) \
+		--set auth.ldap.enabled=true \
+		--set auth.ldap.url="ldap://localhost:389" \
+		--set auth.ldap.baseDn="ou=users\,dc=cosmows\,dc=dev" \
+		--set auth.ldap.userAttr=cn \
+		--set auth.ldap.tls.secretName=openldap-cert \
 		--set insecure=true \
 		--set replicaCount=0 \
 		--set localRunTest.enabled=true \
@@ -353,11 +364,13 @@ add-user: kubectl cosmoctl ## add user
 	-cosmoctl user create team-b-admin --role "team-b-admin" 2> /dev/null
 	-cosmoctl user create team-ab-dev --role "team-a-dev,team-b-dev" 2> /dev/null
 	cosmoctl user reset-password tom --password vvv
+	-cosmoctl user create ldapuser1 --admin --auth-type ldap 2> /dev/null
 
 
 add-workspace: kubectl cosmoctl ## add workspace
 	@echo ====== $@ ======
 	-cosmoctl workspace create --user=tom --template=dev-code-server ws1
+	-cosmoctl workspace create --user=ldapuser1 --template=dev-code-server ldapws1
 	sleep 5
 	-cosmoctl networkrule add proxy11 --user=tom --workspace=ws1 --port=7701 --group proxy1 --path /
 	sleep 1
@@ -393,6 +406,9 @@ run-dashboard-local:
 		--cookie-session-name="$(shell kubectl get secret -n cosmo-system cosmo-auth-env -o=jsonpath={.data.COOKIE_SESSION_NAME} | base64 -d)" \
 		--cookie-hashkey="$(shell kubectl get secret -n cosmo-system cosmo-auth-env -o=jsonpath={.data.COOKIE_HASHKEY} | base64 -d)" \
 		--cookie-blockkey="$(shell kubectl get secret -n cosmo-system cosmo-auth-env -o=jsonpath={.data.COOKIE_BLOCKKEY} | base64 -d)" \
+		--ldap-url=ldap://localhost:389 \
+		--ldap-basedn=ou=users\,dc=cosmows\,dc=dev \
+		--ldap-user-attr=cn \
 		--insecure
 
 run-local: kubectl ## Run test.
@@ -503,9 +519,11 @@ helm-ls: ## helm list
 	-@helm list -a -A
 
 kg: ## Get k0s resources.
-	-@kubectl get node
-	-@kubectl get po -A
-	-@kubectl get ing -A
-	-@kubectl get svc -A
-	-@kubectl get ep -A
-	-@kubectl get application -A
+	-@kubectl get node --show-kind
+	-@kubectl get po -A --show-kind
+	-@kubectl get ing -A --show-kind
+	-@kubectl get ingressroute.traefik.io -A --show-kind
+	-@kubectl get middleware.traefik.io -A --show-kind
+	-@kubectl get svc -A --show-kind
+	-@kubectl get ep -A --show-kind
+	-@kubectl get application -A --show-kind