Added tls support to nfs-ldap

genesis-community · Oct 20, 2022 · 575a0d3 · 575a0d3
1 parent b13895a
commit 575a0d3
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 17 deletions.
diff --git a/hooks/blueprint b/hooks/blueprint
@@ -51,8 +51,11 @@ generate_dynamic_isolation_segments() {
   fi
   if want_feature "nfs-volume-services" ; then
     iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs.yml )
-    if want_feature "nfs-ldap" ; then
+    if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then
       iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap.yml )
+      if want_feature "nfs-ldap-tls" ; then
+        iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml )
+      fi
     fi
   fi
   if want_feature "smb-volume-services" ; then
@@ -61,7 +64,7 @@ generate_dynamic_isolation_segments() {
 
   for group in $isolation_groups; do
     additional_trusted_certs=''
-    if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null  ; then 
+    if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null  ; then
       additional_trusted_certs='overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml'
     fi
     dynamic_segment_fragment_file="overlay/dynamic/isolation_segments_$group.yml"
@@ -255,13 +258,17 @@ for want in $GENESIS_REQUESTED_FEATURES; do
       ;;
     nfs-volume-services|cf-deployments/operations/enable-nfs-volume-services) features+=( "nfs-volume-services" ) ;;
     smb-volume-services|cf-deployments/operations/enable-smb-volume-services) features+=( "smb-volume-services" ) ;;
-    nfs-ldap|cf-deployments/operations/enable-nfs-ldap)
+    nfs-ldap|nfs-ldap-tls|cf-deployments/operations/enable-nfs-ldap)
       if ! want_feature 'nfs-volume-services' && ! want_feature "cf-deployments/operations/enable-nfs-volume-services" ; then
         abort=1
         describe >&2 \
           "#R[ERROR]} Feature #c{$want} cannot be specified without feature #c{nfs-volume-services}"
       fi
-      features+=( "nfs-ldap" )
+      if [[ $want == "nfs-ldap-tls" ]] ; then
+        features+=( "nfs-ldap-tls" )
+      else
+        features+=( "nfs-ldap" )
+      fi
       ;;
     local-postgres-db|local-mysql-db|mysql-db|postgres-db) db_specified=1; features+=( "$want" ) ;;
     bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) features+=( "$want" ) ;;
@@ -444,11 +451,23 @@ for want in $GENESIS_REQUESTED_FEATURES; do
           "overlay/addons/nfs-volume-service.yml" \
         )
       fi
-      if want_feature "nfs-ldap" ; then
+      if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then
         manifest+=( \
           "cf-deployment/operations/enable-nfs-ldap.yml" \
           "overlay/addons/nfs-ldap.yml" \
         )
+        if want_feature "nfs-ldap-tls"; then
+          manifest+=( overlay/addons/nfs-ldap-tls.yml )
+          # If user provided their own nfs-ldap-ca path, delete the default
+          if jq <<<"$params" -e '."nfs-ldap-ca-cert-ca"' &> /dev/null ; then
+            remove_unused_secret_ops_file="operations/dynamic/remove-unused-nfs-ldap-ca-cert.yml"
+            cat <<EOF > "$remove_unused_secret_ops_file"
+- type: remove
+  path: /variables/name=nfs-ldap-ca-cert
+EOF
+            manifest+=( "$remove_unused_secret_ops_file" )
+          fi
+        fi
       fi
       ;;
     smb-volume-services)

diff --git a/overlay/addons/nfs-ldap-tls.yml b/overlay/addons/nfs-ldap-tls.yml
@@ -0,0 +1,18 @@
+params:
+  nfs-ldap-ca-cert-ca: ((nfs-ldap-ca-cert.ca))
+
+instance_groups:
+- name: diego-cell
+  jobs:
+  - name: nfsv3driver
+    properties:
+      nfsv3driver:
+        ldap_ca_cert: (( grab params.nfs-ldap-ca-cert-ca ))
+
+variables:
+- name: nfs-ldap-ca-cert
+  type: certificate
+  options:
+    common_name: NFSLDAPCA
+    is_ca: true
+
diff --git a/overlay/addons/nfs-ldap.yml b/overlay/addons/nfs-ldap.yml
@@ -12,4 +12,3 @@ params:
   nfs-ldap-port: 389
   nfs-ldap-proto: tcp
   nfs-ldap-fqdn: (( param "Provide value for NFS LDAP fqdn" ))
-
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml
@@ -0,0 +1,7 @@
+instance_groups:
+- name: (( grab meta.name ))
+  jobs:
+  - name: nfsv3driver
+    properties:
+      nfsv3driver:
+        ldap_ca_cert: (( grab meta.nfs-ldap-ca-cert-ca || params.nfs-ldap-ca-cert-ca ))
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
@@ -1,14 +1,13 @@
 instance_groups:
 - name: (( grab meta.name ))
   jobs:
-    - name: nfsv3driver
-      properties:
-        nfsv3driver:
-          ldap_svc_user:     ((nfs-ldap-service-user))
-          ldap_svc_password: ((nfs-ldap-service-password))
-          ldap_host:         ((nfs-ldap-host))
-          ldap_port:         ((nfs-ldap-port))
-          ldap_proto:        ((nfs-ldap-proto))
-          ldap_user_fqdn:    ((nfs-ldap-fqdn))
-          allowed-in-source: ""
-          ldap_ca_cert:      (( grab params.nfs-ldap-ca-cert-ca || "((nfs-ldap-ca-cert.ca))" ))
+  - name: nfsv3driver
+    properties:
+      nfsv3driver:
+        ldap_svc_user:     ((nfs-ldap-service-user))
+        ldap_svc_password: ((nfs-ldap-service-password))
+        ldap_host:         ((nfs-ldap-host))
+        ldap_port:         ((nfs-ldap-port))
+        ldap_proto:        ((nfs-ldap-proto))
+        ldap_user_fqdn:    ((nfs-ldap-fqdn))
+        allowed-in-source: ""
Original file line number	Diff line number	Diff line change
Expand Up		@@ -12,4 +12,3 @@ params:
		nfs-ldap-port: 389
		nfs-ldap-proto: tcp
		nfs-ldap-fqdn: (( param "Provide value for NFS LDAP fqdn" ))