[Blueprint 02-At scale] Migration to helm-openldap/openldap-stack-ha (part I)

blueprints/02-at-scale/README.md

@@ -57,7 +57,6 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 |------|-------------|------|---------|:--------:|
 | hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
 | trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
-| grafana_admin_password | Grafana admin password. | `string` | `"change.me"` | no |
 | suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
 | tags | Tags to apply to resources. | `map(string)` | `{}` | no |
 
@@ -86,6 +85,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 | efs_access_points | Amazon EFS access points. |
 | efs_arn | Amazon EFS ARN. |
 | eks_cluster_arn | Amazon EKS cluster ARN. |
+| global_password | Random string that is used as the global password. |
 | grafana_dashboard | Provides access to Grafana dashboards. |
 | kubeconfig_add | Add kubeconfig to the local configuration to access the Kubernetes API. |
 | kubeconfig_export | Export the KUBECONFIG environment variable to access the Kubernetes API. |

blueprints/02-at-scale/casc/oc/variables/variables.yaml

@@ -2,10 +2,10 @@ variables:
   - message: "Welcome to the CloudBees CI blueprint add-on: At scale!"
   - scm_casc_mm_store: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
   - casc_branch: main
-  - ldap_ManagerDN: "cn=admin,dc=acme,dc=org"
+  - ldap_ManagerDN: "cn=admin,dc=example,dc=org"
   - ldap_ManagerPasswordSecret: "admin"
-  - ldap_RootDN: "dc=acme,dc=org"
-  - ldap_Server: "ldap-service.auth.svc.cluster.local"
+  - ldap_RootDN: "dc=example,dc=org"
+  - ldap_Server: "openldap-stack.auth.svc.cluster.local"
   - ldap_UserSearch: "cn={0}"
   #Issue #70
   #- cbci_s3: "cbci-bp02-s3"

blueprints/02-at-scale/k8s/openldap-stack-values.yml

@@ -0,0 +1,117 @@
+# Copyright (c) CloudBees, Inc.
+
+#https://artifacthub.io/packages/helm/helm-openldap/openldap-stack-ha
+
+global:
+  adminUser: "admin"
+  adminPassword: ${password}
+  configUser: "admin"
+  configPassword: ${password}
+
+customLdifFiles:
+  00-root.ldif: |-
+    dn: dc=example,dc=org
+    o: Example, Inc
+    objectclass: dcObject
+    objectclass: organization
+
+  01-groups.ldif: |-
+    dn: ou=Groups,dc=example,dc=org
+    changetype: add
+    objectclass: organizationalUnit
+    ou: Groups
+
+    dn: cn=CI_Admins,ou=Groups,dc=example,dc=org
+    changetype: add
+    cn: CI_Admins
+    objectclass: groupOfUniqueNames
+    uniqueMember: cn=${admin_user_outputs},dc=example,dc=org
+    uniqueMember: cn=admin_cbci_b,dc=example,dc=org
+
+    dn: cn=Dev_Team_X,ou=Groups,dc=example,dc=org
+    changetype: add
+    cn: Dev_Team_X
+    objectclass: groupOfUniqueNames
+    uniqueMember: cn=developer_1,dc=example,dc=org
+    uniqueMember: cn=developer_2,dc=example,dc=org
+
+    dn: cn=Dev_Team_Y,ou=Groups,dc=example,dc=org
+    changetype: add
+    cn: Dev_Team_Y
+    objectclass: groupOfUniqueNames
+    uniqueMember: cn=developer_3,dc=example,dc=org
+    uniqueMember: cn=developer_4,dc=example,dc=org
+
+  02-users.ldif: |-
+    dn: cn=developer_1,dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: developer_1
+    givenname: developer_1
+    sn: Developer 1
+    displayname: Developer User 1
+    mail: developer.1@gmail.com
+    userpassword: ${password}
+
+    dn: cn=developer_2,dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: developer_2
+    givenname: developer_2
+    sn: Developer 2
+    displayname: Developer User 2
+    mail: developer.2@gmail.com
+    userpassword: ${password}
+
+    dn: cn=developer_3,dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: developer_3
+    givenname: developer_3
+    sn: Developer 3
+    displayname: Developer User 3
+    mail: developer.3@gmail.com
+    userpassword: ${password}
+
+    dn: cn=developer_4,dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: developer_4
+    givenname: developer_4
+    sn: Developer 4
+    displayname: Developer User 4
+    mail: developer.4@gmail.com
+    userpassword: ${password}
+
+    dn: cn=${admin_user_outputs},dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: ${admin_user_outputs}
+    givenname: a${admin_user_outputs}
+    sn: AdminCBCIA
+    displayname: Admin CBCI A
+    mail: admin_cbci.a@gmail.com
+    userpassword: ${password}
+
+    dn: cn=admin_cbci_b,dc=example,dc=org
+    changetype: add
+    objectclass: inetOrgPerson
+    cn: admin_cbci_b
+    givenname: admin_cbci_b
+    sn: AdminCBCIB
+    displayname: Admin CBCI B
+    mail: admin_cbci_b@gmail.com
+    userpassword: ${password}
+
+logLevel: debug
+
+replicaCount: 1
+
+replication:
+  enabled: false
+
+ltb-passwd:
+  enabled : false
+
+phpldapadmin:
+  enabled: true

blueprints/02-at-scale/k8s/secrets-values.yml.example

@@ -1,8 +1,5 @@
 # Copyright (c) CloudBees, Inc.
 
-# Secret password for admin_cbci_a that belongs to the CI_Admins group (refer to .docker/ldap/data.ldif)
-secJenkinsPass: "admin_pass" # Required. Do not update!
-
 secGithubUser: "exampleUser" #Required for OC casc security.yaml
 secGithubToken: "ExampleToken" #Required for OC casc security.yaml
 # secLicenseCert: |

blueprints/02-at-scale/main.tf

@@ -66,6 +66,15 @@ locals {
 
   cbci_agent_podtemplname_validation = "maven-and-go-ondemand"
 
+  global_password = random_string.global_pass_string.result
+
+}
+
+resource "random_string" "global_pass_string" {
+  length  = 16
+  special = false
+  upper   = true
+  lower   = true
 }
 
 resource "time_static" "epoch" {
@@ -194,7 +203,7 @@ module "eks_blueprints_addons" {
     set_sensitive = [
       {
         name  = "grafana.adminPassword"
-        value = var.grafana_admin_password
+        value = local.global_password
       }
     ]
   }
@@ -246,11 +255,16 @@ module "eks_blueprints_addons" {
   }
   #Additional Helm Releases
   helm_releases = {
-    osixia-openldap = {
-      name             = "osixia-openldap"
+    openldap-stack = {
+      chart            = "openldap-stack-ha"
+      chart_version    = "4.2.2"
       namespace        = "auth"
       create_namespace = true
-      chart            = "k8s/osixia-openldap"
+      repository       = "https://jp-gouin.github.io/helm-openldap/"
+      values = [templatefile("k8s/openldap-stack-values.yml", {
+        password           = local.global_password
+        admin_user_outputs = local.cbci_admin_user
+      })]
     }
     aws-node-termination-handler = {
       name          = "aws-node-termination-handler"

blueprints/02-at-scale/outputs.tf

@@ -164,3 +164,8 @@ output "grafana_dashboard" {
   description = "Provides access to Grafana dashboards."
   value       = "kubectl port-forward svc/kube-prometheus-stack-grafana 50002:80 -n kube-prometheus-stack"
 }
+
+output "global_password" {
+  description = "Random string that is used as the global password."
+  value       = local.global_password
+}