Provide Encryption for External Password for LDAP Backend for Dex #128

Closed
lb4368 opened this issue Apr 27, 2021 · 6 comments
Labels: 2-Manifests (Relates to manifest/document set related issues), enhancement (New feature or request), priority/critical (Items critical to be implemented, usually by the next release), size l (5-7+ days [multiple functional areas; complex function or capability, or multiple PSs])

Comments

lb4368 commented Apr 27, 2021

Problem description (if applicable)
When configuring an LDAP back-end for the Dex OIDC provider (#19), the LDAP credentials must be included in the configuration that is applied to the target server. These provided credentials must be stored/encrypted such that there is no access to the clear text password during site deployment.

Proposed change
Provide a mechanism to securely provide external LDAP credentials to a site build in such a way that they can be used to provide the values to the Dex configuration when applied to a cluster during an airshipctl phase.
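The requirement in the comment above is that the bind password never sits in clear text in the site manifests that get applied. A small gate a practitioner can run over the imported-secrets catalogue before a phase is executed is shown below. This is an added example, not code from treasuremap or airshipctl. It assumes the catalogue is a sops-encrypted YAML document (treasuremap keeps such files under an encrypted/ tree) and that every encrypted scalar has the shape sops writes, ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]; the sample document, its key names and its ciphertext-looking strings are constructed for this example.

```python
"""Gate: refuse a site build whose imported-secrets catalogue has cleartext leaves.

Added example (not treasuremap/airshipctl code). Assumes sops-style encryption:
encrypted scalars look like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
and the file carries a top-level 'sops:' metadata block.
"""
import re

# Shape of a scalar encrypted by sops; the base64 bodies are opaque to this check.
SOPS_ENC = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool)\]$"
)
# 'key: value' or '- key: value'; group 3 is the scalar (empty for a map/list node).
LINE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z0-9_.\-/]+):\s*(.*?)\s*$")

# Top-level keys that are legitimately cleartext in a sops-encrypted document.
PLAINTEXT_TOPLEVEL = {"apiVersion", "kind", "metadata", "sops"}


def find_cleartext_leaves(yaml_text, plaintext_toplevel=PLAINTEXT_TOPLEVEL):
    """Return [(path, value), ...] for scalar leaves that are not sops-encrypted.

    A small indentation walker is used instead of a YAML library so the check
    has no dependencies; it covers the block-style documents sops emits.
    """
    stack = []   # [(indent, key), ...]: path to the current node
    found = []
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        m = LINE.match(raw)
        if not m:
            continue   # continuation of a multi-line scalar, list of scalars, etc.
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if not value:
            continue   # mapping or list node, not a leaf
        if stack[0][1] in plaintext_toplevel:
            continue   # apiVersion/kind/metadata/sops are expected to be cleartext
        if not SOPS_ENC.match(value):
            found.append(("/".join(k for _, k in stack), value))
    return found


def has_sops_metadata(yaml_text):
    """True when a top-level 'sops:' block exists, i.e. sops encrypted the file."""
    return re.search(r"^sops:\s*$", yaml_text, re.M) is not None


def check_catalogue(yaml_text):
    """Return a list of problems (empty list means the catalogue may be applied).

    Cleartext values are deliberately NOT echoed: a gate that prints the secret
    it just found would leak it into CI logs, defeating the purpose.
    """
    problems = []
    if not has_sops_metadata(yaml_text):
        problems.append("no top-level 'sops' block: file is not sops-encrypted")
    for path, _value in find_cleartext_leaves(yaml_text):
        problems.append(f"cleartext leaf at {path} (value redacted)")
    return problems


# Constructed sample: one properly encrypted leaf and one value left in clear.
SAMPLE = """\
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
  name: imported-secrets
  labels:
    airshipit.org/deploy-k8s: "false"
spec:
  dex:
    ldap:
      bind_password: ENC[AES256_GCM,data:c2VjcmV0,iv:aXZpdml2aXZpdml2aXY=,tag:dGFndGFndGFndGFndGFn,type:str]
    oidc:
      clientSecret: plaintext-left-by-mistake
sops:
  pgp:
    - fp: 0123456789ABCDEF0123456789ABCDEF01234567
      created_at: "2021-05-26T00:00:00Z"
  lastmodified: "2021-05-26T00:00:00Z"
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
  version: 3.7.1
"""

if __name__ == "__main__":
    for problem in check_catalogue(SAMPLE):
        print(problem)
```

Run it against the real catalogue (for example the imported secrets.yaml of a site's encrypted/results tree) in the pipeline step that precedes `airshipctl phase run`; a non-empty result should fail the build. The walker only understands block-style YAML, which is what sops produces; a flow-style or multi-line scalar would be skipped rather than flagged, so treat the check as a safety net in addition to, not instead of, reviewing the file.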

@lb4368 lb4368 added enhancement New feature or request triage labels Apr 27, 2021
@jezogwza jezogwza added 2-Manifests Relates to manifest/document set related issues priority/critical Items critical to be implemented, usually by the next release and removed triage labels Apr 28, 2021
@jezogwza jezogwza added this to the v2.1 milestone Apr 28, 2021
sshiba commented May 10, 2021

Alexey is working on the feature providing the encryption for external passwords. After this feature is merged I can apply it to the LDAP password.

@eak13 eak13 added the size l 5-7+ days [multiple functional areas; complex function or capability, or multiple PSs] label May 11, 2021
airshipbot pushed a commit that referenced this issue May 20, 2021
1. Reflecting changes done in [1] to treasuremap.
2. Changing airshipctl ref to [1]
3. Making static validation work, since it was merged before [1]
4. Adding dex.ldap.bind_password to imported secrets
5. Adding dex.oidc.clientSecret to generated secrets
6. Due to the added new site - increasing the validation timeout
7. Adding replacement for [2]

[1]
https://review.opendev.org/c/airship/airshipctl/+/786286

[2]
https://review.opendev.org/c/airship/treasuremap/+/788991

Relates-To: #128
Change-Id: I473ace3d7aae85ebe76b73253108c6f1b6ca6e95
aodinokov commented May 25, 2021

sshiba commented May 26, 2021

Encrypted the password provided for LDAP test itservices in https://review.opendev.org/c/airship/treasuremap/+/791835/.
I agree with Alexey that this issue can be closed.

@michaelfix
@sshiba , spoke to @lb4368 , and we believe this issue remains open until https://review.opendev.org/c/airship/treasuremap/+/791835/ is merged.

sshiba commented May 28, 2021

https://review.opendev.org/c/airship/treasuremap/+/791835 is ready for review. Just waiting for zuul to pass first.

airshipbot pushed a commit that referenced this issue Jun 17, 2021
This patchset introduces the VariableCatalogue and respective
Replacement transformers for the Dex/API server. It also implements the
kustomization of LDAP values through patches.

The VariableCatalogue for Dex/API server is located under
manifests/function/treasuremap-base-catalogues/utility-catalogue.yaml.

The replacement transformers for Dex HelmRelease and API server are
located at:
- Dex HelmRelease: manifests/function/dex-aio/replacements
- API Server: manifests/function/k8scontrol-ha/replacements

The API server replacement transformer is invoked when executing the
command "airshipctl phase run controlplane-ephemeral".

The dex-aio service replacement transformer is invoked when executing
the command "airshipctl phase run workload-target". During this phase
the LDAP values are also "kustomized" through patchesStrategicMerge.
A similar patch was added for the subclusters/provide-infra.
Also updated dex-aio nodeSelector to deploy pod on the worker node.

This patchset also supports the LDAP Group authentication.

It also updated
treasuremap/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
with the encrypted LDAP Binding password.

Relates-To: #135, #137, #128
Change-Id: Ie7eef44a8f0e9d02860a94a4140841d8662f8c85
sshiba commented Jun 17, 2021

PS https://review.opendev.org/c/airship/treasuremap/+/791835 has been merged completing this issue.

@lb4368 lb4368 closed this as completed Jun 17, 2021