# Use LDAP for Authentication

Here are the deployment steps required to use LDAP authentication with Code Dx in a GitOps deployment that uses SealedSecrets and helm-operator:

Note: If you're not using a GitOps deployment, refer to these LDAP instructions.

1. Complete the guided setup to determine the setup command(s) for using GitOps to deploy Code Dx on your Kubernetes cluster. End the guided setup with the option to save your setup command to a file.

Note: If you're planning to use LDAPS and your LDAP server uses either a self-signed certificate or a certificate issued by a CA other than a well-known one, you must select a custom cacerts file and add the certificate for your LDAP server.

2. Create a file named codedx-ldap-creds-props and add your LDAP codedx.props values. For example, you can set the LDAP URL, systemUsername, systemPassword, and authenticationMechanism by adding these values to your codedx-ldap-creds-props file:

```
auth.ldap.url = ldap://10.0.1.27
auth.ldap.systemUsername = CN=Code Dx Service Account,CN=Managed Service Accounts,DC=dc,DC=codedx,DC=local
auth.ldap.systemPassword = ************
auth.ldap.authenticationMechanism = simple
```

Note: If you're planning to use LDAPS, switch ldap:// to ldaps://.

3. Generate a Kubernetes SealedSecret named codedx-ldap in the Code Dx namespace by running kubeseal. For example, if your Code Dx namespace is cdx-app, run the following command after specifying the correct kubeseal parameters for your SealedSecrets deployment:

```shell
kubectl -n cdx-app create secret generic codedx-ldap --from-file=codedx-ldap-creds-props -o yaml --dry-run=client | kubeseal --controller-name=sealed-secrets --controller-namespace=adm --format yaml --cert ./sealed-secrets.pem > sealedsecret-cdx-app-codedx-ldap-creds-props.yaml
```

Note: Depending on your kubectl version, you may need to replace --dry-run=client with --dry-run=true.

4. Open your codedx-extra-props.yaml file (or create it if it does not exist yet) and merge the following content after specifying your own userSearchTemplate value.

Note: You can use multiple codedx-extra-props.yaml files, but avoid specifying overlapping configuration that could get lost at install-time. For example, do not specify codedxProps.extra sections in multiple files.

```yaml
# set ldap/ldaps to false when not using network policies
networkPolicy:
  codedx:
    ldap: true
    ldaps: true

codedxProps:
  extra:
  - type: secret
    name: codedx-ldap
    key: codedx-ldap-creds-props
  # Add some less-sensitive config in the chart itself for easier configuration
  - type: values
    key: codedx-ldap-props
    values:
    - "auth.ldap.userSearchTemplate = cn={0},cn=Users,dc=dc,dc=codedx,dc=local"
```

Note: Use spaces for the indents shown above. Indenting with tab characters will cause a failure at install-time.

5. Locate the run-setup.ps1 file generated by guided-setup.ps1 and make a copy named run-setup-custom.ps1. Edit run-setup-custom.ps1 by appending the following parameter to the setup.ps1 command line, specifying the path to your codedx-extra-props.yaml file:

```powershell
 -extraCodeDxValuesPaths '/path/to/codedx-extra-props.yaml'
```

6. Follow the instructions provided at the end of guided-setup.ps1, but replace the run-setup.ps1 reference with run-setup-custom.ps1:

```powershell
pwsh "/path/to/run-setup-custom.ps1"
```

7. Copy the SealedSecret file you generated (e.g., sealedsecret-cdx-app-codedx-ldap-creds-props.yaml) to your work directory's GitOps/SealedSecret directory.
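As an added example that is not part of the Code Dx project or these instructions, the following Python lint checks the files assembled in the steps above before they are sealed and committed: it parses the codedx-ldap-creds-props key/value pairs, flags a cleartext ldap:// URL, rejects tab indentation in an extra-props file, warns when a networkPolicy.codedx flag disagrees with the URL scheme, detects codedxProps.extra defined in more than one extra-props file, and confirms a userSearchTemplate is set. The file contents, hostname and password are constructed samples, and the regex-based YAML checks assume the files keep the layout shown above.

```python
import re
# Constructed sample inputs mirroring the files shown above (no real credentials).
SAMPLE_PROPS = """auth.ldap.url = ldaps://ldap.example.internal
auth.ldap.systemUsername = CN=Code Dx Service Account,CN=Managed Service Accounts,DC=dc,DC=codedx,DC=local
auth.ldap.systemPassword = placeholder-password
auth.ldap.authenticationMechanism = simple
"""
SAMPLE_EXTRA = """networkPolicy:
  codedx:
    ldap: true
    ldaps: true
codedxProps:
  extra:
  - type: secret
    name: codedx-ldap
    key: codedx-ldap-creds-props
  - type: values
    key: codedx-ldap-props
    values:
    - "auth.ldap.userSearchTemplate = cn={0},cn=Users,dc=dc,dc=codedx,dc=local"
"""
REQUIRED = ("auth.ldap.url", "auth.ldap.systemUsername", "auth.ldap.systemPassword", "auth.ldap.authenticationMechanism")

def parse_props(text):
    """Parse 'key = value' lines of a codedx.props-style file into a dict (values may contain '=')."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}
def lint_ldap_config(props_text, extra_files):
    """Return findings for the creds file text and a {filename: text} map of extra-props files."""
    findings, props = [], parse_props(props_text)
    findings += [f"missing {k} in codedx-ldap-creds-props" for k in REQUIRED if k not in props]
    scheme = props.get("auth.ldap.url", "").partition("://")[0]  # '' when no '://' is present
    if scheme not in ("ldap", "ldaps"):
        findings.append(f"auth.ldap.url must start with ldap:// or ldaps://, got {props.get('auth.ldap.url')!r}")
    elif scheme == "ldap":
        findings.append("auth.ldap.url is cleartext ldap://; use ldaps:// (with a custom cacerts file if needed)")
    extra_sections = 0
    for name, text in extra_files.items():
        if re.search(r"^ *\t", text, re.M):  # tab-indented YAML fails at install-time
            findings.append(f"{name}: tab indentation; use spaces")
        if re.search(r"^codedxProps:", text, re.M) and re.search(r"^  extra:", text, re.M):
            extra_sections += 1  # the same section in two files can be lost at install-time
        flag = re.search(rf"^ +{re.escape(scheme)}: *(true|false) *$", text, re.M)
        if flag and flag.group(1) == "false":
            findings.append(f"{name}: networkPolicy.codedx.{scheme} is false but the URL uses {scheme}:// (only correct without network policies)")
    if extra_sections > 1:
        findings.append("codedxProps.extra is defined in more than one extra-props file")
    if not any("auth.ldap.userSearchTemplate" in t for t in extra_files.values()):
        findings.append("auth.ldap.userSearchTemplate is not set in any extra-props file")
    return findings
```

An empty list from lint_ldap_config means the files are consistent with the layout above; anything else is a finding to resolve before running kubeseal.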