Ryan Richard a6f95cfff1 Configure openldap to disallow non-TLS clients
- For testing purposes, we would like to ensure that when we connect
  to the LDAP server we cannot accidentally avoid using TLS or StartTLS.
- Also enabled the openldap `memberOf` overlay in case we want to
  support group search using `memberOf` in the future.
- This required changes to the docker.io/bitnami/openldap container
  image, so we're using our own fork for now. Will submit a PR to
  bitnami/openldap to see if they will accept it (or something similar)
  upstream.
2021-05-18 16:38:12 -07:00


#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
---
#! Identity the cert-issuer Job (later in this file) runs as; the Role/RoleBinding
#! below grant it Secret access in the tools namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: cert-issuer
  name: cert-issuer
  namespace: tools
---
#! Permissions for the cert-issuer ServiceAccount. RBAC resourceNames cannot
#! scope the `create` verb, so this is necessarily namespace-wide for Secrets;
#! keep the binding limited to that single ServiceAccount. The `kubectl apply`
#! in the Job in this file appears to need only create/get/patch; watch and
#! delete are not exercised here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: cert-issuer
  name: cert-issuer
  namespace: tools
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - patch
      - update
      - watch
      - delete
---
#! Binds the cert-issuer Role to the cert-issuer ServiceAccount (same namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: cert-issuer
  name: cert-issuer
  namespace: tools
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-issuer
subjects:
  - kind: ServiceAccount
    name: cert-issuer
    namespace: tools
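---
#! One-shot Job that mints a throwaway test CA plus server certificates for Dex
#! and the LDAP server, then stores every generated file (including the CA
#! private key) in the `certs` Secret of the tools namespace.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app: cert-issuer
  name: cert-issuer
  namespace: tools
spec:
  template:
    spec:
      serviceAccountName: cert-issuer
      initContainers:
        #! Step 1: generate the CA and leaf certificates into the shared emptyDir.
        - name: generate-certs
          image: cfssl/cfssl:1.5.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash"]
          args:
            - -c
            - |
              # Fail fast: without this a failed cfssl step is skipped and the
              # Job can still succeed with missing or empty cert files.
              set -euo pipefail
              cd /var/certs
              cfssl print-defaults config > /tmp/cfssl-default.json
              echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json
              echo "generating CA key..."
              cfssl genkey \
                -config /tmp/cfssl-default.json \
                -initca /tmp/csr.json \
                | cfssljson -bare ca
              echo "generating Dex server certificate..."
              cfssl gencert \
                -ca ca.pem -ca-key ca-key.pem \
                -config /tmp/cfssl-default.json \
                -profile www \
                -cn "dex.tools.svc.cluster.local" \
                -hostname "dex.tools.svc.cluster.local" \
                /tmp/csr.json \
                | cfssljson -bare dex
              # Cheat and add 127.0.0.1 as an IP SAN so we can use the ldaps port through port forwarding.
              # Also allow the server to be accessed by multiple Service names so different Services
              # can provide/hide different ports.
              echo "generating LDAP server certificate..."
              cfssl gencert \
                -ca ca.pem -ca-key ca-key.pem \
                -config /tmp/cfssl-default.json \
                -profile www \
                -cn "ldap.tools.svc.cluster.local" \
                -hostname "ldap.tools.svc.cluster.local,ldaps.tools.svc.cluster.local,ldapstarttls.tools.svc.cluster.local,127.0.0.1" \
                /tmp/csr.json \
                | cfssljson -bare ldap
              # The save-certs container presumably runs as a different (non-root) uid
              # than this one, so the root-owned key files must be readable by it. The
              # volume is an ephemeral emptyDir shared only by this Pod; read access
              # (a+rX) would be sufficient, write access is not needed.
              chmod -R 777 /var/certs
              echo
              echo "generated certificates:"
              ls -l /var/certs
              echo
              echo "CA cert..."
              openssl x509 -in ca.pem -text
              echo
              echo "Dex cert..."
              openssl x509 -in dex.pem -text
              echo
              echo "LDAP cert..."
              openssl x509 -in ldap.pem -text
          volumeMounts:
            - name: certs
              mountPath: /var/certs
      containers:
        #! Step 2: upload everything in /var/certs as the `certs` Secret. Because
        #! --from-file takes the whole directory, ca-key.pem is stored too: anyone
        #! able to read this Secret can issue certificates trusted by the test CA.
        - name: save-certs
          #! No tag pins this to `latest`; pin one if reproducible test runs matter.
          image: bitnami/kubectl
          command: ["/bin/bash"]
          args:
            - -c
            - |
              # pipefail so a failed dry-run render fails the Job instead of applying nothing.
              set -euo pipefail
              kubectl create secret generic -n tools certs --from-file=/var/certs \
                --dry-run=client --output yaml | kubectl apply -f -
          volumeMounts:
            - name: certs
              mountPath: /var/certs
      volumes:
        - name: certs
          emptyDir: {}
      restartPolicy: Never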