Initial LDAP support in local dev (#1287)

vmware-tanzu · Nov 14, 2019 · c84798e · c84798e · jeunii · Dec 11, 2019
1 parent a3809e6
commit c84798e
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 7 deletions.
diff --git a/docs/user/manifests/kubeapps-local-dev-dex-values.yaml b/docs/user/manifests/kubeapps-local-dev-dex-values.yaml
@@ -24,4 +24,42 @@ config:
     hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
     username: "kubeapps-user"
     userID: "08a8684b-db88-4b73-90a9-3cd1661f5467"
+  connectors:
+  - type: ldap
+    name: OpenLDAP
+    id: ldap
+    config:
+      host: ldap-openldap.ldap:389
+
+      # No TLS for this setup.
+      insecureNoSSL: true
+
+      # This would normally be a read-only user.
+      bindDN: cn=admin,dc=example,dc=org
+      bindPW: password
+
+      usernamePrompt: Email Address
+
+      userSearch:
+        baseDN: ou=People,dc=example,dc=org
+        filter: "(objectClass=person)"
+        username: mail
+        # "DN" (case sensitive) is a special attribute name. It indicates that
+        # this value should be taken from the entity's DN not an attribute on
+        # the entity.
+        idAttr: DN
+        emailAttr: mail
+        nameAttr: cn
+
+      groupSearch:
+        baseDN: ou=Groups,dc=example,dc=org
+        filter: "(objectClass=groupOfNames)"
+
+        # A user is a member of a group when their DN matches
+        # the value of a "member" attribute on the group entity.
+        userAttr: DN
+        groupAttr: member
+
+        # The group name should be the "cn" value.
+        nameAttr: cn
 grpc: false
diff --git a/docs/user/manifests/kubeapps-local-dev-openldap-values.yaml b/docs/user/manifests/kubeapps-local-dev-openldap-values.yaml
@@ -0,0 +1,38 @@
+adminPassword: password
+customLdifFiles:
+  01-kubeapps-dev.ldif: |-
+    dn: ou=People,dc=example,dc=org
+    objectClass: organizationalUnit
+    ou: People
+    
+    dn: cn=jane,ou=People,dc=example,dc=org
+    objectClass: person
+    objectClass: inetOrgPerson
+    sn: doe
+    cn: jane
+    mail: kubeapps-operator-ldap@example.org
+    userpassword: password
+    
+    dn: cn=john,ou=People,dc=example,dc=org
+    objectClass: person
+    objectClass: inetOrgPerson
+    sn: doe
+    cn: john
+    mail: kubeapps-user-ldap@example.org
+    userpassword: password
+    
+    # Group definitions.
+    dn: ou=Groups,dc=example,dc=org
+    objectClass: organizationalUnit
+    ou: Groups
+    
+    dn: cn=admins,ou=Groups,dc=example,dc=org
+    objectClass: groupOfNames
+    cn: admins
+    member: cn=john,ou=People,dc=example,dc=org
+    member: cn=jane,ou=People,dc=example,dc=org
+    
+    dn: cn=developers,ou=Groups,dc=example,dc=org
+    objectClass: groupOfNames
+    cn: developers
+    member: cn=jane,ou=People,dc=example,dc=org
diff --git a/docs/user/manifests/kubeapps-local-dev-users-rbac.yaml b/docs/user/manifests/kubeapps-local-dev-users-rbac.yaml
@@ -11,6 +11,9 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: oidc:kubeapps-operator@example.com
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: oidc:kubeapps-operator-ldap@example.org
 # kubeapps-user has access only to the kubeapps-user-namespace namespace
 ---
 kind: Namespace
@@ -31,4 +34,7 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: oidc:kubeapps-user@example.com
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: oidc:kubeapps-user-ldap@example.org
 
diff --git a/script/deploy-dev.mk b/script/deploy-dev.mk
@@ -27,7 +27,11 @@ update-apiserver-etc-hosts:
 	kubectl -n kube-system exec kube-apiserver-kubeapps-control-plane -- \
 		sh -c "echo '$(shell kubectl -n dex get svc -o=jsonpath='{.items[0].spec.clusterIP}') dex.dex' >> /etc/hosts"
 
-deploy-dev: deploy-dex update-apiserver-etc-hosts
+deploy-openldap:
+	helm install stable/openldap --name ldap --namespace ldap \
+		--values ./docs/user/manifests/kubeapps-local-dev-openldap-values.yaml
+
+deploy-dev: deploy-dex deploy-openldap update-apiserver-etc-hosts
 	helm install ./chart/kubeapps --namespace kubeapps --name kubeapps \
 		--values ./docs/user/manifests/kubeapps-local-dev-values.yaml \
 		--values ./docs/user/manifests/kubeapps-local-dev-auth-proxy-values.yaml
@@ -36,17 +40,21 @@ deploy-dev: deploy-dex update-apiserver-etc-hosts
 	@echo "kubectl -n dex port-forward svc/dex 32000\n"
 	@echo "and in another terminal using the same cluster,\n"
 	@echo "kubectl -n kubeapps port-forward svc/kubeapps 3000:80\n"
-	@echo "You can then open http://localhost:3000 and login as either of"
+	@echo "You can then open http://localhost:3000 and login with email as either of"
 	@echo "  kubeapps-operator@example.com:password"
 	@echo "  kubeapps-user@example.com:password"
+	@echo "or with LDAP as either of"
+	@echo "  kubeapps-operator-ldap@example.org:password"
+	@echo "  kubeapps-user-ldap@example.org:password"
 	@echo "to authenticate with the corresponding permissions."
 
 reset-dev:
 	helm delete --purge kubeapps || true
 	helm delete --purge dex || true
-	kubectl delete namespace dex kubeapps || true
-	helm reset || true
-	kubectl delete -f ./docs/user/manifests/kubeapps-local-dev-tiller-rbac.yaml || true
-	kubectl delete -f ./docs/user/manifests/kubeapps-local-dev-users-rbac.yaml
+	helm delete --purge ldap || true
+	kubectl delete namespace --wait dex ldap kubeapps || true
+	helm reset --force --tiller-connection-timeout 5 || true
+	kubectl delete --wait -f ./docs/user/manifests/kubeapps-local-dev-tiller-rbac.yaml || true
+	kubectl delete --wait -f ./docs/user/manifests/kubeapps-local-dev-users-rbac.yaml || true
 
-.PHONY: deploy-dex deploy-dev reset-dev update-apiserver-etc-hosts
+.PHONY: deploy-dex deploy-dev deploy-openldap reset-dev update-apiserver-etc-hosts