diff --git a/tests/templates/kuttl/ldap/10-install-openldap.yaml b/tests/templates/kuttl/ldap/10-install-openldap.yaml
index 9114da5..d2362ea 100644
--- a/tests/templates/kuttl/ldap/10-install-openldap.yaml
+++ b/tests/templates/kuttl/ldap/10-install-openldap.yaml
@@ -18,18 +18,42 @@ spec:
 spec:
 containers:
 - name: openldap
- image: bitnamilegacy/openldap:2.5
+ image: bitnamilegacy/openldap:2.6
 env:
+ # LDAP baseDN of the LDAP tree
+ - name: LDAP_ROOT
+ value: dc=stackable,dc=tech
+ # LDAP database admin user
 - name: LDAP_ADMIN_USERNAME
 value: admin
+ # LDAP database admin password
 - name: LDAP_ADMIN_PASSWORD
 value: admin
+ # Comma separated list of LDAP users to create in the default LDAP tree
+ - name: LDAP_USERS
+ value: integrationtest
+ # Comma separated list of passwords to use for LDAP users
+ - name: LDAP_PASSWORDS
+ value: integrationtest
+ # Name for the user's organizational unit
+ - name: LDAP_USER_OU
+ value: users
+ # Name for the group's organizational unit
+ - name: LDAP_GROUP_OU
+ value: groups
+ # Group used to group created users
+ - name: LDAP_GROUP
+ value: testgroup
+ # Whether to enable TLS for traffic or not
 - name: LDAP_ENABLE_TLS
 value: "yes"
+ # File containing the certificate file for the TLS traffic
 - name: LDAP_TLS_CERT_FILE
 value: /tls/tls.crt
+ # File containing the key for certificate
 - name: LDAP_TLS_KEY_FILE
 value: /tls/tls.key
+ # File containing the CA of the certificate
 - name: LDAP_TLS_CA_FILE
 value: /tls/ca.crt
 ports:
diff --git a/tests/templates/kuttl/ldap/11-assert.yaml b/tests/templates/kuttl/ldap/11-assert.yaml
deleted file mode 100644
index 387b79c..0000000
--- a/tests/templates/kuttl/ldap/11-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: kuttl.dev/v1beta1
-kind: TestAssert
-timeout: 600
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: create-ldap-user
-status:
- succeeded: 1
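Review bot: The test user is now bootstrapped by the image through `LDAP_USERS`, `LDAP_PASSWORDS` and `LDAP_GROUP`, but no test step replaces the check the removed `create-ldap-user` Job performed (an `ldapsearch` bind as `integrationtest` over LDAPS), so if the bootstrap does not run or creates entries under different DNs than the security config expects, the failure only surfaces later in the OpenSearch steps. Consider a TestAssert step or a readiness probe on the `openldap` container that binds as the test user before the scenario continues. A comment above `LDAP_USERS` tying the values to their consumer would also help, e.g. `# Must match userbase/rolebase in 20_opensearch-security-config.yaml.j2`. The container spec and its enclosing resource continue outside the hunk.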
diff --git a/tests/templates/kuttl/ldap/11-create-ldap-user.yaml b/tests/templates/kuttl/ldap/11-create-ldap-user.yaml
deleted file mode 100644
index 0d0a016..0000000
--- a/tests/templates/kuttl/ldap/11-create-ldap-user.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: create-ldap-user
-spec:
- template:
- spec:
- containers:
- - name: create-ldap-user
- image: bitnamilegacy/openldap:2.5
- command:
- - /bin/bash
- - -euxo
- - pipefail
- - -c
- args:
- - |
- ldapadd \
- -D cn=admin,dc=example,dc=org \
- -w admin \
- -f /stackable/ldap-users/integrationtest \
- || true
-
- ldappasswd \
- -D cn=admin,dc=example,dc=org \
- -w admin \
- -s integrationtest \
- cn=integrationtest,ou=users,dc=example,dc=org
-
- # Check that the user works
- ldapsearch \
- -D cn=integrationtest,ou=users,dc=example,dc=org \
- -w integrationtest \
- -b ou=users,dc=example,dc=org
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LDAPURI
- value: ldaps://openldap.$(NAMESPACE).svc.cluster.local:1636/
- - name: LDAPTLS_CACERT
- value: /stackable/tls/ca.crt
- volumeMounts:
- - name: ldap-users
- mountPath: /stackable/ldap-users
- - name: tls
- mountPath: /stackable/tls
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- resources:
- requests:
- memory: 128Mi
- cpu: 100m
- limits:
- memory: 128Mi
- cpu: 400m
- volumes:
- - name: ldap-users
- configMap:
- name: ldap-users
- - name: tls
- ephemeral:
- volumeClaimTemplate:
- metadata:
- annotations:
- secrets.stackable.tech/class: tls
- spec:
- storageClassName: secrets.stackable.tech
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: "1"
- serviceAccountName: test-service-account
- securityContext:
- fsGroup: 1000
- restartPolicy: OnFailure
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ldap-users
-data:
- integrationtest: |
- dn: cn=integrationtest,ou=users,dc=example,dc=org
- objectClass: inetOrgPerson
- objectClass: posixAccount
- objectClass: shadowAccount
- cn: integrationtest
- uid: integrationtest
- givenName: Stackable
- sn: Integration-Test
- mail: integrationtest@stackable.de
- uidNumber: 16842
- gidNumber: 100
- homeDirectory: /home/integrationtest
- loginShell: /bin/bash
- userPassword: {crypt}x
- shadowLastChange: 0
- shadowMax: 0
- shadowWarning: 0
diff --git a/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2 b/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2
index d5130a6..6ee2c86 100644
--- a/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2
+++ b/tests/templates/kuttl/ldap/20_opensearch-security-config.yaml.j2
@@ -34,6 +34,17 @@ stringData:
 config:
 dynamic:
 authc:
+ # Allow internal authentication for debugging purposes, so that OpenSearch Dashboards can
+ # be used which uses the internal user kibanaserver.
+ internal_auth:
+ order: 0
+ http_enabled: true
+ transport_enabled: true
+ http_authenticator:
+ type: basic
+ challenge: false
+ authentication_backend:
+ type: internal
 ldap:
 http_enabled: true
 transport_enabled: true
@@ -48,11 +59,28 @@ stringData:
 hosts:
 - openldap.$NAMESPACE.svc.cluster.local:1636
 pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/ca.crt
- userbase: ou=users,dc=example,dc=org
+ userbase: ou=users,dc=stackable,dc=tech
+ username_attribute: uid
+ usersearch: (cn={0})
+ verify_hostnames: true
+ authz:
+ ldap:
+ http_enabled: true
+ transport_enabled: true
+ authorization_backend:
+ type: ldap
+ config:
+ enable_ssl: true
+ hosts:
+ - openldap.$NAMESPACE.svc.cluster.local:1636
+ pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/ca.crt
+ userbase: ou=users,dc=stackable,dc=tech
 username_attribute: uid
 usersearch: (cn={0})
 verify_hostnames: true
- authz: {}
+ rolesearch: (member={0})
+ rolebase: ou=groups,dc=stackable,dc=tech
+ rolename: cn
 internal_users.yml: |
 ---
 # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
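Review bot: `internal_auth` is added with `order: 0`, but the `order` of the existing `ldap` domain is not visible in this hunk; if it is unset, make the fall-through explicit with `order: 1` on `ldap`, so that `challenge: false` on the internal domain reliably hands requests that fail internal authentication on to LDAP instead of relying on the plugin's default domain ordering. The comment describes this as a debugging aid, yet it ships in the test template, so the comment should also state that the LDAP test user is expected not to exist in `internal_users.yml` (the roles_mapping change in this commit suggests that is the case) — otherwise the scenario could pass without ever exercising LDAP for `integrationtest`. The `authc` mapping continues outside the hunk.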
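Review bot: The new `authz.ldap.authorization_backend.config` block repeats every connection setting of the `authc` block (`enable_ssl`, `hosts`, `pemtrustedcas_filepath`, `userbase`, `username_attribute`, `usersearch`, `verify_hostnames`); since this file is a Jinja template, rendering those from one `{% set %}` block in both places would keep them in step when the namespace or CA path changes. `rolesearch: (member={0})` substitutes the user DN, so it depends on the `testgroup` entry created via `LDAP_GROUP` in `10-install-openldap.yaml` carrying DN-valued `member` attributes — presumably what the image's bootstrap produces, but worth recording above `rolesearch`: `# {0} is the user DN; the test group must list members by DN`. Internal users such as `kibanaserver` and `admin` will also be looked up by this backend; if that produces lookup failures or log noise, `skip_users` in the backend config is the usual way to exclude them. The `config` mapping continues outside the hunk.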
@@ -82,6 +110,20 @@ stringData:
 _meta:
 type: roles
 config_version: 2
+
+ test-role:
+ reserved: false
+ cluster_permissions:
+ - indices:data/write/bulk*
+ index_permissions:
+ - index_patterns:
+ - "*"
+ allowed_actions:
+ - indices:admin/create
+ - indices:admin/delete
+ - indices:admin/mapping/put
+ - indices:data/write/bulk*
+ - indices:data/write/index
 roles_mapping.yml: |
 ---
 _meta:
@@ -92,13 +134,16 @@ stringData:
 reserved: false
 backend_roles:
 - admin
- users:
- - integrationtest
 kibana_server:
 reserved: true
 users:
 - kibanaserver
+
+ test-role:
+ reserved: false
+ backend_roles:
+ - testgroup
 tenants.yml: |
 ---
 _meta:
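Review bot: `test-role` grants `indices:admin/create`, `indices:admin/delete`, `indices:admin/mapping/put` and bulk/index writes on `index_patterns: "*"`, so every member of the `testgroup` backend role (mapped to this role in the following hunk) can create or delete any index in the test cluster; that is presumably intended for the integration test, but the breadth is undocumented. Either narrow `index_patterns` to the index the test actually writes, or add a comment above `test-role` such as `# test-only: deliberately broad so the integration test can create, write and drop its own index`. `reserved: false` on a non-builtin role is appropriate. The `roles.yml` document continues outside the hunk.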