Merge pull request #140 from cloudbees/ldap

[Blueprint 02-At scale] Migration to helm-openldap/openldap-stack-ha: Avoid hardcoded secrets in ldif file
cloudbees · May 21, 2024 · 4a7dc29 · 4a7dc29
2 parents 5b75d88 + e9bbc45
commit 4a7dc29
Show file tree

Hide file tree

Showing 19 changed files with 86 additions and 177 deletions.
diff --git a/README.md b/README.md
@@ -97,7 +97,7 @@ The CloudBees CI add-on uses `helms release` for its resources definition, makin
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
 | create_k8s_secrets | Create the Kubernetes secret cbci-secrets. It can be consumed by CloudBees CasC. | `bool` | `false` | no |
 | helm_config | CloudBees CI Helm chart configuration. | `any` | <pre>{<br>  "values": [<br>    ""<br>  ]<br>}</pre> | no |
-| k8s_secrets_file | Secrets file .yml path containing the secrets names:values for cbci-secrets. | `string` | `"secrets-values.yml"` | no |
+| k8s_secrets | Secrets file .yml as a string containing the secrets names:values. It is required when create_k8s_secrets is enabled. | `string` | `"secrets-values.yml"` | no |
 | prometheus_target | Creates a service monitor to discover the CloudBees CI Prometheus target dynamically. It is designed to be enabled with the AWS EKS Terraform Addon Kube Prometheus Stack. | `bool` | `false` | no |
 
 ### Outputs

diff --git a/blueprints/02-at-scale/README.md b/blueprints/02-at-scale/README.md
@@ -58,7 +58,6 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
-| grafana_admin_password | Grafana admin password. | `string` | `"change.me"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
 
@@ -87,6 +86,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 | efs_access_points | Amazon EFS access points. |
 | efs_arn | Amazon EFS ARN. |
 | eks_cluster_arn | Amazon EKS cluster ARN. |
+| global_password | Random string that is used as the global password. |
 | grafana_dashboard | Provides access to Grafana dashboards. |
 | kubeconfig_add | Add kubeconfig to the local configuration to access the Kubernetes API. |
 | kubeconfig_export | Export the KUBECONFIG environment variable to access the Kubernetes API. |
@@ -95,9 +95,9 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 | prometheus_dashboard | Provides access to Prometheus dashboards. |
 | s3_cbci_arn | CloudBees CI Amazon S3 bucket ARN. |
 | s3_cbci_name | CloudBees CI Amazon S3 bucket name. It is required by CloudBees CI for workspace caching and artifact management. |
-| velero_backup_on_demand | Takes an on-demand Velero backup from the schedule for selected controller using Block Storage. |
-| velero_backup_schedule | Creates a Velero backup schedule for selected controller using Block Storage and deletes the existing schedulle, if it exists. |
-| velero_restore | Restores selected controller using Block Storage from a backup. |
+| velero_backup_on_demand | Takes an on-demand Velero backup from the schedule for the selected controller that is using block storage. |
+| velero_backup_schedule | Creates a Velero backup schedule for the selected controller that is using block storage, and then deletes the existing schedule, if it exists. |
+| velero_restore | Restores the selected controller that is using block storage from a backup. |
 | vpc_arn | VPC ID. |
 <!-- END_TF_DOCS -->
 

diff --git a/blueprints/02-at-scale/casc/oc/items/items-admin-jobs-folder.yaml b/blueprints/02-at-scale/casc/oc/items/items-admin-jobs-folder.yaml
@@ -83,7 +83,7 @@ items:
                   store:
                     s3Store:
                       #TODO: Use variables
-                      #bucketName: ${cbci_s3}
+                      #bucketName: ${cbciS3}
                       bucketName: "cbci-bp02-s3"
                       bucketFolder: cbci/backup
                       region: us-east-1

diff --git a/blueprints/02-at-scale/casc/oc/items/items-root.yaml b/blueprints/02-at-scale/casc/oc/items/items-root.yaml
@@ -40,7 +40,7 @@ items:
               "cloudbees.prometheus": "true"
     properties:
       - configurationAsCode:
-          bundle: "main/none-ha"
+          bundle: "ldap/none-ha"
   # Casc, HA
   - kind: managedController
     name: team-c-ha
@@ -74,4 +74,4 @@ items:
               "cloudbees.prometheus": "true"
     properties:
       - configurationAsCode:
-          bundle: "main/ha"
+          bundle: "ldap/ha"
diff --git a/blueprints/02-at-scale/casc/oc/jcasc/main.yaml b/blueprints/02-at-scale/casc/oc/jcasc/main.yaml
@@ -8,15 +8,15 @@ unclassified:
       name: "casc-mm-store"
       retriever:
         SCM:
-          defaultVersion: ${casc_branch}
+          defaultVersion: ${cascBranch}
           scmSource:
             git:
               credentialsId: "GH-token"
-              remote: ${scm_casc_mm_store}
+              remote: ${scmCascMmStore}
               traits:
               - "gitBranchDiscovery"
               - headWildcardFilter:
-                  includes: ${casc_branch}
+                  includes: ${cascBranch}
               - sparseCheckoutPaths:
                   extension:
                     sparseCheckoutPaths:

diff --git a/blueprints/02-at-scale/casc/oc/jcasc/security.yaml b/blueprints/02-at-scale/casc/oc/jcasc/security.yaml
@@ -2,11 +2,11 @@ jenkins:
   securityRealm:
     ldap:
       configurations:
-      - managerDN: ${ldap_ManagerDN}
-        managerPasswordSecret: ${ldap_ManagerPasswordSecret}
-        rootDN: ${ldap_RootDN}
-        server: ${ldap_Server}
-        userSearch: ${ldap_UserSearch}
+      - managerDN: ${ldapManagerDN}
+        managerPasswordSecret: ${sec_globalPassword}
+        rootDN: ${ldapRootDN}
+        server: ${ldapServer}
+        userSearch: ${ldapUserSearch}
   authorizationStrategy: "cloudBeesRoleBasedAccessControl"
   remotingSecurity:
     enabled: true
@@ -20,12 +20,12 @@ credentials:
       - usernamePassword:
           description: "GH-User-token"
           id: "GH-User-token"
-          password: ${secGithubUser}
+          password: ${sec_githubUser}
           scope: GLOBAL
-          username: ${secGithubToken}
+          username: ${sec_githubToken}
           usernameSecret: true
       - string:
           description: "GH-ST-token"
           id: "GH-ST-token"
           scope: GLOBAL
-          secret: ${secGithubToken}
+          secret: ${sec_githubToken}
diff --git a/blueprints/02-at-scale/casc/oc/variables/variables.yaml b/blueprints/02-at-scale/casc/oc/variables/variables.yaml
@@ -1,11 +1,10 @@
 variables:
   - message: "Welcome to the CloudBees CI blueprint add-on: At scale!"
-  - scm_casc_mm_store: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
-  - casc_branch: main
-  - ldap_ManagerDN: "cn=admin,dc=acme,dc=org"
-  - ldap_ManagerPasswordSecret: "admin"
-  - ldap_RootDN: "dc=acme,dc=org"
-  - ldap_Server: "ldap-service.auth.svc.cluster.local"
-  - ldap_UserSearch: "cn={0}"
+  - scmCascMmStore: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
+  - cascBranch: ldap
+  - ldapManagerDN: "cn=admin,dc=acme,dc=org"
+  - ldapRootDN: "dc=acme,dc=org"
+  - ldapServer: "openldap-stack.auth.svc.cluster.local"
+  - ldapUserSearch: "cn={0}"
   #Issue #70
-  #- cbci_s3: "cbci-bp02-s3"
+  #- cbciS3: "cbci-bp02-s3"
diff --git a/blueprints/02-at-scale/k8s/cbci-values.yml b/blueprints/02-at-scale/k8s/cbci-values.yml
@@ -19,7 +19,7 @@ OperationsCenter:
     Retriever:
       Enabled: true
       scmRepo: https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git
-      scmBranch: main
+      scmBranch: ldap
       scmBundlePath: blueprints/02-at-scale/casc/oc
       scmPollingInterval: PT20M
 Persistence:

diff --git a/blueprints/02-at-scale/k8s/openldap-stack-values.yml b/blueprints/02-at-scale/k8s/openldap-stack-values.yml
@@ -3,104 +3,105 @@
 #https://artifacthub.io/packages/helm/helm-openldap/openldap-stack-ha
 
 global:
+  ldapDomain: "acme.org"
   adminUser: "admin"
   adminPassword: ${password}
   configUser: "admin"
   configPassword: ${password}
 
 customLdifFiles:
   00-root.ldif: |-
-    dn: dc=example,dc=org
-    o: Example, Inc
+    dn: dc=acme,dc=org
+    o: Acme, Inc
     objectclass: dcObject
     objectclass: organization
-
+  #CloudBees RBAC groups in CasC are mapped to the following LDAP groups.
   01-groups.ldif: |-
-    dn: ou=Groups,dc=example,dc=org
+    dn: ou=Groups,dc=acme,dc=org
     changetype: add
     objectclass: organizationalUnit
     ou: Groups
 
-    dn: cn=CI_Admins,ou=Groups,dc=example,dc=org
+    dn: cn=CI_Admins,ou=Groups,dc=acme,dc=org
     changetype: add
     cn: CI_Admins
     objectclass: groupOfUniqueNames
-    uniqueMember: cn=${admin_user_outputs},dc=example,dc=org
-    uniqueMember: cn=admin_cbci_b,dc=example,dc=org
+    uniqueMember: cn=${admin_user_outputs},dc=acme,dc=org
+    uniqueMember: cn=admin_cbci_b,dc=acme,dc=org
 
-    dn: cn=Dev_Team_X,ou=Groups,dc=example,dc=org
+    dn: cn=Dev_Team_X,ou=Groups,dc=acme,dc=org
     changetype: add
     cn: Dev_Team_X
     objectclass: groupOfUniqueNames
-    uniqueMember: cn=developer_1,dc=example,dc=org
-    uniqueMember: cn=developer_2,dc=example,dc=org
+    uniqueMember: cn=developer_1,dc=acme,dc=org
+    uniqueMember: cn=developer_2,dc=acme,dc=org
 
-    dn: cn=Dev_Team_Y,ou=Groups,dc=example,dc=org
+    dn: cn=Dev_Team_Y,ou=Groups,dc=acme,dc=org
     changetype: add
     cn: Dev_Team_Y
     objectclass: groupOfUniqueNames
-    uniqueMember: cn=developer_3,dc=example,dc=org
-    uniqueMember: cn=developer_4,dc=example,dc=org
-
+    uniqueMember: cn=developer_3,dc=acme,dc=org
+    uniqueMember: cn=developer_4,dc=acme,dc=org
+  #Use the cn users and global password to sign in to CloudBees CI.
   02-users.ldif: |-
-    dn: cn=developer_1,dc=example,dc=org
+    dn: cn=developer_1,dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: developer_1
     givenname: developer_1
     sn: Developer 1
     displayname: Developer User 1
-    mail: developer.1@gmail.com
+    mail: developer.1@acme.com
     userpassword: ${password}
 
-    dn: cn=developer_2,dc=example,dc=org
+    dn: cn=developer_2,dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: developer_2
     givenname: developer_2
     sn: Developer 2
     displayname: Developer User 2
-    mail: developer.2@gmail.com
+    mail: developer.2@acme.com
     userpassword: ${password}
 
-    dn: cn=developer_3,dc=example,dc=org
+    dn: cn=developer_3,dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: developer_3
     givenname: developer_3
     sn: Developer 3
     displayname: Developer User 3
-    mail: developer.3@gmail.com
+    mail: developer.3@acme.com
     userpassword: ${password}
 
-    dn: cn=developer_4,dc=example,dc=org
+    dn: cn=developer_4,dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: developer_4
     givenname: developer_4
     sn: Developer 4
     displayname: Developer User 4
-    mail: developer.4@gmail.com
+    mail: developer.4@acme.com
     userpassword: ${password}
 
-    dn: cn=${admin_user_outputs},dc=example,dc=org
+    dn: cn=${admin_user_outputs},dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: ${admin_user_outputs}
-    givenname: a${admin_user_outputs}
+    givenname: ${admin_user_outputs}
     sn: AdminCBCIA
     displayname: Admin CBCI A
-    mail: admin_cbci.a@gmail.com
+    mail: admin_cbci.a@acme.com
     userpassword: ${password}
 
-    dn: cn=admin_cbci_b,dc=example,dc=org
+    dn: cn=admin_cbci_b,dc=acme,dc=org
     changetype: add
     objectclass: inetOrgPerson
     cn: admin_cbci_b
     givenname: admin_cbci_b
     sn: AdminCBCIB
     displayname: Admin CBCI B
-    mail: admin_cbci_b@gmail.com
+    mail: admin_cbci_b@acme.com
     userpassword: ${password}
 
 logLevel: debug
@@ -113,5 +114,6 @@ replication:
 ltb-passwd:
   enabled : false
 
+# Enable the phpldapadmin web UI service for LDAP management after deployment.
 phpldapadmin:
-  enabled: true
+  enabled: false
diff --git a/blueprints/02-at-scale/k8s/osixia-openldap/.helmignore b/blueprints/02-at-scale/k8s/osixia-openldap/.helmignore
diff --git a/blueprints/02-at-scale/k8s/osixia-openldap/Chart.yaml b/blueprints/02-at-scale/k8s/osixia-openldap/Chart.yaml
diff --git a/blueprints/02-at-scale/k8s/osixia-openldap/templates/ldap-deployment.yaml b/blueprints/02-at-scale/k8s/osixia-openldap/templates/ldap-deployment.yaml
diff --git a/blueprints/02-at-scale/k8s/osixia-openldap/templates/ldap-service.yaml b/blueprints/02-at-scale/k8s/osixia-openldap/templates/ldap-service.yaml
diff --git a/blueprints/02-at-scale/k8s/osixia-openldap/values.yaml b/blueprints/02-at-scale/k8s/osixia-openldap/values.yaml
diff --git a/blueprints/02-at-scale/k8s/secrets-values.yml.example b/blueprints/02-at-scale/k8s/secrets-values.yml.example
@@ -1,10 +1,9 @@
 # Copyright (c) CloudBees, Inc.
 
-# Secret password for admin_cbci_a that belongs to the CI_Admins group (refer to .docker/ldap/data.ldif)
-secJenkinsPass: "admin_pass" # Required. Do not update!
+sec_ldapPassword: ${ldap_password} # Do not change this variable name
 
-secGithubUser: "exampleUser" #Required for OC casc security.yaml
-secGithubToken: "ExampleToken" #Required for OC casc security.yaml
+sec_githubUser: "exampleUser"
+sec_githubToken: "ExampleToken"
 # secLicenseCert: |
 #   License certificate from CloudBees
 # secLicenseKey: |