Update ldap users int ldap-test

Rollback CN node name generating Replace generating standalone certs path
cetic · Dec 3, 2022 · 9a0bd90 · 9a0bd90
1 parent 751c3d3
commit 9a0bd90
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 38 deletions.
diff --git a/configs/authorizers.xml b/configs/authorizers.xml
@@ -48,7 +48,7 @@
         <property name="Users File">./auth-conf/users.xml</property>
         <property name="Legacy Authorized Users File"></property>
         {{- range $i := until $replicas }}
-        <property name="Initial User Identity {{ $i }}">CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
+        <property name="Initial User Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
         {{- end }}
         {{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}
         <property name="Initial User Identity admin">{{.Values.auth.ldap.initialAdmin}}</property>
@@ -125,10 +125,10 @@
         <property name="Manager DN">{{.Values.auth.ldap.managerDN}}</property>
         <property name="Manager Password">{{.Values.auth.ldap.managerPassword}}</property>
         <property name="TLS - Keystore">/opt/nifi/nifi-current/tls/keystore.jks</property>
-        <property name="TLS - Keystore Password">{{.Values.auth.SSL.keystorePassword}}</property>
-        <property name="TLS - Keystore Type">jks</property>
+        <property name="TLS - Keystore Password">{{.Values.auth.SSL.keystorePasswd}}</property>
+        <property name="TLS - Keystore Type">JKS</property>
         <property name="TLS - Truststore">/opt/nifi/nifi-current/tls/truststore.jks</property>
-        <property name="TLS - Truststore Password">{{.Values.auth.SSL.truststorePassword}}</property>
+        <property name="TLS - Truststore Password">{{.Values.auth.SSL.truststorePasswd}}</property>
         <property name="TLS - Truststore Type">JKS</property>
         <property name="TLS - Client Auth">NONE</property>
         <property name="TLS - Protocol">TLS</property>
@@ -230,7 +230,7 @@
         {{- end}}
         <property name="Legacy Authorized Users File"></property>
         {{- range $i := until $replicas }}
-        <property name="Node Identity {{ $i }}">CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
+        <property name="Node Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
         {{- end }}
         <property name="Node Identity"></property>
     </accessPolicyProvider>

diff --git a/configs/nifi.properties b/configs/nifi.properties
@@ -147,7 +147,7 @@ nifi.sensitive.props.algorithm={{ .Values.properties.algorithm }}
 nifi.sensitive.props.provider=BC
 nifi.sensitive.props.additional.keys=
 
-{{if .Values.auth.clientAuth.enabled}}
+{{- if .Values.auth.clientAuth.enabled }}
 nifi.security.keystore=/opt/nifi/nifi-current/config-data/certs/keystore.jks
 nifi.security.keystoreType=jks
 nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
@@ -157,18 +157,26 @@ nifi.security.truststoreType=jks
 nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
 nifi.security.user.authorizer=managed-authorizer
 nifi.security.user.login.identity.provider=
-{{else if .Values.auth.ldap.enabled}}
+{{- else if .Values.auth.ldap.enabled }}
+{{- if .Values.certManager.enabled }}
 nifi.security.keystore=/opt/nifi/nifi-current/tls/keystore.jks
+{{- else }}
+nifi.security.keystore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/keystore.jks
+{{- end }}
 nifi.security.keystoreType=jks
 nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
 nifi.security.keyPasswd={{.Values.auth.SSL.keystorePasswd}}
+{{- if .Values.certManager.enabled }}
 nifi.security.truststore=/opt/nifi/nifi-current/tls/truststore.jks
+{{- else }}
+nifi.security.truststore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/truststore.jks
+{{- end }}
 nifi.security.truststoreType=jks
 nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
 proxiedEntity={{.Values.auth.ldap.initialAdmin}}
 nifi.security.user.authorizer=managed-authorizer
 nifi.security.user.login.identity.provider=ldap-provider
-{{else if .Values.auth.oidc.enabled}}
+{{- else if .Values.auth.oidc.enabled }}
 nifi.security.keystore=/opt/nifi/nifi-current/conf/keystore.p12
 nifi.security.keystoreType=PKCS12
 nifi.security.keystorePasswd=
@@ -177,7 +185,7 @@ nifi.security.truststore=/opt/nifi/nifi-current/conf/truststore.p12
 nifi.security.truststoreType=PKCS12
 nifi.security.truststorePasswd=
 nifi.security.user.authorizer=managed-authorizer
-{{ else }}
+{{- else }}
 nifi.security.keystore=./conf/keystore.p12
 nifi.security.keystoreType=PKCS12
 nifi.security.keystorePasswd=
@@ -187,10 +195,10 @@ nifi.security.truststoreType=PKCS12
 nifi.security.truststorePasswd=
 nifi.security.user.login.identity.provider=single-user-provider
 nifi.security.user.authorizer=single-user-authorizer
-{{end}}
+{{- end }}
 nifi.security.needClientAuth={{.Values.properties.needClientAuth}}
 
-{{if .Values.auth.oidc.enabled}}
+{{- if .Values.auth.oidc.enabled }}
 # OpenId Connect SSO Properties #
 nifi.security.user.oidc.discovery.url={{.Values.auth.oidc.discoveryUrl}}
 nifi.security.user.oidc.connect.timeout=5 secs
@@ -200,7 +208,7 @@ nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}}
 nifi.security.user.oidc.preferred.jwsalgorithm=
 nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}}
 nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}}
-{{end}}
+{{- end }}
 
 
 # Apache Knox SSO Properties #

diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
@@ -251,12 +251,12 @@ spec:
 
 {{- /* if .Values.certManager.enabled */}}{{ else }}
 
-          if [ ! -r "${NIFI_HOME}/conf/nifi-cert.pem" ]
+          if [ ! -r "${NIFI_HOME}/tls/nifi-cert.pem" ]
           then
             /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone \
-              -n '{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
+              -n '{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
               -C '{{.Values.auth.admin}}' \
-              -o "${NIFI_HOME}/conf/" \
+              -o "${NIFI_HOME}/tls" \
               -P {{.Values.auth.SSL.truststorePasswd}} \
               -S {{.Values.auth.SSL.keystorePasswd}} \
               --nifiPropertiesFile /opt/nifi/nifi-current/conf/nifi.properties
@@ -523,11 +523,8 @@ spec:
               {{- end }}
             {{- end }}
           {{- end }}
-{{- if .Values.certManager.enabled }}
           - name: "tls"
             mountPath: /opt/nifi/nifi-current/tls
-            readOnly: true
-{{- /* if .Values.certManager.enabled */}}{{ end }}
           {{- if .Values.extraVolumeMounts }}
 {{ toYaml .Values.extraVolumeMounts | indent 10 }}
           {{- end }}
@@ -755,12 +752,12 @@ spec:
           items:
             - key: "logback.xml"
               path: "logback.xml"
+      - name: "tls"
+        emptyDir: {}
 {{- if .Values.certManager.enabled }}
       - name: secret-reader-token
         secret:
           secretName: {{ template "apache-nifi.fullname" $ }}-secret-reader-token
-      - name: tls
-        emptyDir: {}
       {{- range .Values.certManager.caSecrets }}
       - name: {{ include "apache-nifi.fullname" $ }}-{{ . }}
         secret:

diff --git a/tests/03-ldap-values.yaml b/tests/03-ldap-values.yaml
@@ -8,7 +8,8 @@ auth:
   ldap:
     enabled: true
     host: ldap://openldap:389
-    searchBase: ou=users,dc=example,dc=org
-    admin: cn=user1,ou=users,dc=example,dc=org
-    pass: password1
+    userSearchBase: ou=users,dc=example,dc=org
+    managerDN: cn=user1,ou=users,dc=example,dc=org
+    initialAdmin: cn=user1,ou=users,dc=example,dc=org
+    managerPassword: password1
     authStrategy: SIMPLE
diff --git a/values.yaml b/values.yaml
@@ -125,10 +125,10 @@ logbackXml:
 # Nifi User Authentication
 auth:
   # If set while LDAP is enabled, this value will be used for the initial admin and not the ldap bind dn / admin
-  admin: nifiAdmin # Initial Admin account username from LDAP-server. You can set the property aka env var
+  admin: CN=admin, OU=NIFI # Initial Admin account username. You can set the property aka env var
   SSL:
-    keystorePassword: changeMe
-    truststorePassword: changeMe
+    keystorePasswd: changeMe
+    truststorePasswd: changeMe
 
   # Automaticaly disabled if OIDC or LDAP enabled
   singleUser:
@@ -143,19 +143,19 @@ auth:
     host: ldap://ldap-server.example.com:389
     userSearchBase: ou=People,dc=example,dc=com
     initialAdmin: nifiAdmin # LDAP account for initialize as admin user
-    userSearchFilter: (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
-    userIdentityAttribute: uid
+    userSearchFilter: (objectClass=*) # (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
+    userIdentityAttribute: # uid
     authenticationStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
     identityStrategy: USE_USERNAME # USE_DN or USE_USERNAME
     authExpiration: 12 hours
-    groupSearchBase: ou=Groups,dc=example,dc=com
-    groupObjectClass: groupOfNames
-    referralStrategy: FOLLOW
-    groupNameAttribute: cn
-    groupMemberAttribute: member
+    groupSearchBase: # ou=Groups,dc=example,dc=com
+    groupObjectClass: group # groupOfNames
+    referralStrategy: IGNORE # FOLLOW
+    groupNameAttribute: # cn
+    groupMemberAttribute: # member
     groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
     userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
-    userGroupNameAttribute: memberOf
+    userGroupNameAttribute: # memberOf
     managerDN: uid=nifiAdmin,ou=People,dc=example,dc=com # account DN for connection to LDAP-server. You can set the property aka env var
     managerPassword: changeMechangeMe # account password for connection to LDAP-server. You can set the property aka env var
     providerUserSearchFilter: (uid={0})
@@ -379,16 +379,16 @@ openshift:
 ca:
   ## If true, enable the nifi-toolkit certificate authority
   enabled: false
+  persistence:
+    enabled: true
+  server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
   envFrom: []
   image:
     repository: apache/nifi-toolkit
-  persistence:
-    enabled: false
     accessModes: [ReadWriteOnce]
     storageClass : ''
     initContainer:
       image: busybox:1.32.0
-  server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
   service:
     port: 9090
   token: sixteenCharacters
@@ -409,7 +409,7 @@ certManager:
   keystorePasswd: changeme
   truststorePasswd: changeme
   replaceDefaultTrustStore: false
-  # For security reason, define secret aka source of env variable for keystorePassword and truststorePassword
+  # For security reason, define secret aka source of env variable for keystorePasswd and truststorePasswd
   envFrom: {}
   # - secretRef:
   #     name: test