[Blueprint 02-At scale] Migration to helm-openldap/openldap-stack-ha (part I) #140
Changes from 13 commits
@@ -0,0 +1,117 @@ | ||
# Copyright (c) CloudBees, Inc. | ||
|
||
#https://artifacthub.io/packages/helm/helm-openldap/openldap-stack-ha | ||
|
||
global: | ||
adminUser: "admin" | ||
adminPassword: ${password} | ||
configUser: "admin" | ||
configPassword: ${password} | ||
|
||
customLdifFiles: | ||
00-root.ldif: |- | ||
dn: dc=example,dc=org | ||
o: Example, Inc | ||
objectclass: dcObject | ||
objectclass: organization | ||
|
||
01-groups.ldif: |- | ||
dn: ou=Groups,dc=example,dc=org | ||
changetype: add | ||
objectclass: organizationalUnit | ||
ou: Groups | ||
|
||
dn: cn=CI_Admins,ou=Groups,dc=example,dc=org | ||
changetype: add | ||
cn: CI_Admins | ||
objectclass: groupOfUniqueNames | ||
uniqueMember: cn=${admin_user_outputs},dc=example,dc=org | ||
uniqueMember: cn=admin_cbci_b,dc=example,dc=org | ||
|
||
dn: cn=Dev_Team_X,ou=Groups,dc=example,dc=org | ||
changetype: add | ||
cn: Dev_Team_X | ||
objectclass: groupOfUniqueNames | ||
uniqueMember: cn=developer_1,dc=example,dc=org | ||
uniqueMember: cn=developer_2,dc=example,dc=org | ||
|
||
dn: cn=Dev_Team_Y,ou=Groups,dc=example,dc=org | ||
changetype: add | ||
cn: Dev_Team_Y | ||
objectclass: groupOfUniqueNames | ||
uniqueMember: cn=developer_3,dc=example,dc=org | ||
uniqueMember: cn=developer_4,dc=example,dc=org | ||
|
||
02-users.ldif: |- | ||
dn: cn=developer_1,dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: developer_1 | ||
givenname: developer_1 | ||
sn: Developer 1 | ||
displayname: Developer User 1 | ||
mail: developer.1@gmail.com | ||
userpassword: ${password} | ||
|
||
dn: cn=developer_2,dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: developer_2 | ||
givenname: developer_2 | ||
sn: Developer 2 | ||
displayname: Developer User 2 | ||
mail: developer.2@gmail.com | ||
userpassword: ${password} | ||
|
||
dn: cn=developer_3,dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: developer_3 | ||
givenname: developer_3 | ||
sn: Developer 3 | ||
displayname: Developer User 3 | ||
mail: developer.3@gmail.com | ||
userpassword: ${password} | ||
|
||
dn: cn=developer_4,dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: developer_4 | ||
givenname: developer_4 | ||
sn: Developer 4 | ||
displayname: Developer User 4 | ||
mail: developer.4@gmail.com | ||
userpassword: ${password} | ||
|
||
dn: cn=${admin_user_outputs},dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: ${admin_user_outputs} | ||
givenname: a${admin_user_outputs} | ||
sn: AdminCBCIA | ||
displayname: Admin CBCI A | ||
mail: admin_cbci.a@gmail.com | ||
userpassword: ${password} | ||
|
||
dn: cn=admin_cbci_b,dc=example,dc=org | ||
changetype: add | ||
objectclass: inetOrgPerson | ||
cn: admin_cbci_b | ||
givenname: admin_cbci_b | ||
sn: AdminCBCIB | ||
displayname: Admin CBCI B | ||
mail: admin_cbci_b@gmail.com | ||
userpassword: ${password} | ||
|
||
logLevel: debug | ||
|
||
replicaCount: 1 | ||
|
||
replication: | ||
enabled: false | ||
|
||
ltb-passwd: | ||
enabled : false | ||
|
||
phpldapadmin: | ||
enabled: true |
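Review bot: every credential in this values file is the same template variable: `adminPassword: ${password}`, `configPassword: ${password}` and each seed user's `userpassword: ${password}`. That makes any sample developer account equivalent to the directory root and the cn=config administrator, and the same value is wired into Grafana further down in this patch, so a leak of one test login is a leak of all of them. Pass at least two variables from `templatefile` (for example `${admin_password}` and `${user_password}`, names assumed), or drop `userpassword` from the seed users and set them out of band. Separately, `logLevel: debug` is very verbose for a directory that will run unattended, and `phpldapadmin: enabled: true` publishes a web console that binds with the same shared credential; both read like development leftovers to switch off before this becomes the blueprint default.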
@@ -66,6 +66,15 @@ locals { | |
|
||
cbci_agent_podtemplname_validation = "maven-and-go-ondemand" | ||
|
||
global_password = random_string.global_pass_string.result | ||
Perhaps use a change trigger to allow someone to rotate the password every once in a while?

```hcl
variable "change_trigger" {
  description = "Change this value to generate a new random string"
  default     = "initial"
}

resource "random_string" "global_pass_string" {
  length  = 16
  special = false
  upper   = true
  lower   = true
  # Changing any keeper value forces Terraform to generate a new string.
  keepers = {
    change_trigger = var.change_trigger
  }
}
```

@sboardwell Thanks for your review! :) Avoiding hardcoded secrets is a must, and it needs to be handled from the moment you run this Quickstart for the very first time (day 0). See, as an example, the first admin secret when you do a fresh installation of Jenkins CI. Regarding rotating secrets (although it is a best practice), I believe it is something you need to do once you are ready to extend from this blueprint towards your custom blueprint (day 1). There are many other things to do on that list, for example: deploying the cluster in your own existing VPC or EKS, updating the Authentication Realm, etc.
||
|
||
} | ||
|
||
resource "random_string" "global_pass_string" { | ||
length = 16 | ||
special = false | ||
upper = true | ||
lower = true | ||
} | ||
|
||
resource "time_static" "epoch" { | ||
|
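Review bot: `random_string` is the wrong resource for a password at `resource "random_string" "global_pass_string"`; its `result` is not marked sensitive, so the value is printed in `terraform plan`/`apply` output and in CI logs wherever `local.global_password` is interpolated. The same provider offers `random_password`, which takes the identical arguments (`length`, `special`, `upper`, `lower`) and marks `result` as sensitive; either resource still keeps the value in plain text in the state file, so the state backend needs encryption and access control regardless. The `keepers` suggestion in the comment above applies to `random_password` unchanged.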
@@ -194,7 +203,7 @@ module "eks_blueprints_addons" { | |
set_sensitive = [ | ||
{ | ||
name = "grafana.adminPassword" | ||
value = var.grafana_admin_password | ||
value = local.global_password | ||
} | ||
] | ||
} | ||
|
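Review bot: replacing `var.grafana_admin_password` with `local.global_password` ties the Grafana admin login to the same string used for the LDAP admin, config and seed users in this patch; a compromise of the dashboard (or of the Helm release secret its values end up in) now yields directory administration, and rotating one forces rotating all. Keeping `set_sensitive` is right, but generate a dedicated random value for Grafana (one random resource per credential) rather than sharing the local.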
@@ -252,6 +261,17 @@ module "eks_blueprints_addons" { | |
create_namespace = true | ||
chart = "k8s/osixia-openldap" | ||
} | ||
openldap-stack = { | ||
chart = "openldap-stack-ha" | ||
chart_version = "4.2.2" | ||
namespace = "auth-2" | ||
create_namespace = true | ||
repository = "https://jp-gouin.github.io/helm-openldap/" | ||
values = [templatefile("k8s/openldap-stack-values.yml", { | ||
password = local.global_password | ||
admin_user_outputs = local.cbci_admin_user | ||
})] | ||
} | ||
aws-node-termination-handler = { | ||
name = "aws-node-termination-handler" | ||
namespace = "kube-system" | ||
|
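Review bot: the password for the new `openldap-stack` release is rendered through `templatefile(...)` into plain `values`, unlike the Grafana block above, which uses `set_sensitive`. Helm release `values` are not treated as sensitive, so the rendered file, including `global.adminPassword` and `global.configPassword`, appears in plan diffs and logs. Keep the structural values (LDIF seed, `replicaCount`, `phpldapadmin`) in the template and pass the secrets via `set_sensitive = [{ name = "global.adminPassword", value = local.global_password }, ...]` (and likewise for `global.configPassword`), so the template file no longer needs a `password` variable at all.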
I'm pretty sure that these are real email addresses. I will create an issue to offer a replacement here. Either a custom domain, or potentially even a `+` address solution such as myuser+dev1@acme.org, etc.