[Blueprint 02-At scale] Migration to helm-openldap/openldap-stack-ha (part I) #140
Conversation
carlosrodlop
commented
May 15, 2024
•
carlosrodlop
commented
- Including a Global password (created at execution time) to be used for LDAP and others like Grafana
- Addressing [Blueprints, 02-at-scale]: Openldap: Use jp-gouin.github.io/helm-openldap #72 Using Chart
- Avoid hardcoding secrets
- Adapt Casc Bundles
carlosrodlop
changed the title
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
blueprints/02-at-scale/main.tf
Outdated
| @@ -66,6 +66,15 @@ locals { | |||
|
|
|||
| cbci_agent_podtemplname_validation = "maven-and-go-ondemand" | |||
|
|
|||
| global_password = random_string.global_pass_string.result | |||
There was a problem hiding this comment.
Perhaps use a change trigger to allow someone to rotate the password every once in a while?
variable "change_trigger" {
description = "Change this value to generate a new random string"
default = "initial"
}
resource "random_string" "global_pass_string" {
length = 16
special = false
upper = true
lower = true
keepers = {
change_trigger = var.change_trigger
}
}There was a problem hiding this comment.
@sboardwell Thanks for your review! :)
Avoid hardcoding secrets is a must and it needs to be handle since you ran this Quickstart for the very first time (day 0). See as example the first admin secret when you make a fresh installation for Jenkins CI.
Regarding rotating secrets (although is a best practice) I believe it is something you need done once you are ready to extend from this blueprint towards your custom blueprint (day 1). There are many other things to do in that list, for example: Deploying the cluster in your own existing VPC or EKS, updating the Authentication Realm, etc.
carlosrodlop
changed the title
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
Co-authored-by: Kellie Freeman <80066741+kellie-freeman@users.noreply.github.com>
| givenname: developer_1 | ||
| sn: Developer 1 | ||
| displayname: Developer User 1 | ||
| mail: developer.1@gmail.com |
There was a problem hiding this comment.
I'm pretty sure that these will are real email addresses. I will create an issue to offer a replacement here. Either custom domain, or potentially even a + address solution such as myuser+dev1@acme.org, etc.
carlosrodlop
changed the title
