From 575a0d3cb29bf1cbd2dbf8a7551da7c1dc455cfb Mon Sep 17 00:00:00 2001
From: Dennis Bell
Date: Wed, 19 Oct 2022 19:58:07 -0700
Subject: [PATCH] Added tls support to nfs-ldap
---
 hooks/blueprint | 29 +++++++++++++++----
 overlay/addons/nfs-ldap-tls.yml | 18 ++++++++++++
 overlay/addons/nfs-ldap.yml | 1 -
 .../isolation-segment-nfs-ldap-tls.yml | 7 +++++
 .../isolation-segment-nfs-ldap.yml | 21 +++++++-------
 5 files changed, 59 insertions(+), 17 deletions(-)
 create mode 100644 overlay/addons/nfs-ldap-tls.yml
 create mode 100644 overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml
diff --git a/hooks/blueprint b/hooks/blueprint
index edf29d06..63ea12ac 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -51,8 +51,11 @@ generate_dynamic_isolation_segments() {
 fi
 if want_feature "nfs-volume-services" ; then
 iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs.yml )
- if want_feature "nfs-ldap" ; then
+ if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then
 iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap.yml )
+ if want_feature "nfs-ldap-tls" ; then
+ iso_seg_merges+=( overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml )
+ fi
 fi
 fi
 if want_feature "smb-volume-services" ; then
@@ -61,7 +64,7 @@ generate_dynamic_isolation_segments() {
 for group in $isolation_groups; do
 additional_trusted_certs=''
- if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null ; then
+ if jq -e --arg v "$group" '.isolation_segments[] | select( .name == $v ) | .additional_trusted_certs//[] | length > 0' <<<"$1" &>/dev/null ; then
 additional_trusted_certs='overlay/dynamic-templates/isolation-segment-additional-trusted-certs.yml'
 fi
 dynamic_segment_fragment_file="overlay/dynamic/isolation_segments_$group.yml"
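Review bot: The predicate `want_feature "nfs-ldap" || want_feature "nfs-ldap-tls"` introduced on the changed `if` line here is repeated verbatim in the @@ -444 hunk, because the case arm in the @@ -255 hunk records only `nfs-ldap-tls` in `features` for the TLS variant. A small helper, `want_nfs_ldap() { want_feature "nfs-ldap" || want_feature "nfs-ldap-tls"; }`, used at both sites keeps them in step if a further variant is added later. The enclosing generate_dynamic_isolation_segments function starts and ends outside the hunk.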
@@ -255,13 +258,17 @@ for want in $GENESIS_REQUESTED_FEATURES; do
 ;;
 nfs-volume-services|cf-deployments/operations/enable-nfs-volume-services) features+=( "nfs-volume-services" ) ;;
 smb-volume-services|cf-deployments/operations/enable-smb-volume-services) features+=( "smb-volume-services" ) ;;
- nfs-ldap|cf-deployments/operations/enable-nfs-ldap)
+ nfs-ldap|nfs-ldap-tls|cf-deployments/operations/enable-nfs-ldap)
 if ! want_feature 'nfs-volume-services' && ! want_feature "cf-deployments/operations/enable-nfs-volume-services" ; then
 abort=1
 describe >&2 \
 "#R[ERROR]} Feature #c{$want} cannot be specified without feature #c{nfs-volume-services}"
 fi
- features+=( "nfs-ldap" )
+ if [[ $want == "nfs-ldap-tls" ]] ; then
+ features+=( "nfs-ldap-tls" )
+ else
+ features+=( "nfs-ldap" )
+ fi
 ;;
 local-postgres-db|local-mysql-db|mysql-db|postgres-db) db_specified=1; features+=( "$want" ) ;;
 bare|partitioned-network|haproxy|tls|no-nats-tls|self-signed|isolation-segments) features+=( "$want" ) ;;
@@ -444,11 +451,23 @@ for want in $GENESIS_REQUESTED_FEATURES; do
 "overlay/addons/nfs-volume-service.yml" \
 )
 fi
- if want_feature "nfs-ldap" ; then
+ if want_feature "nfs-ldap" || want_feature "nfs-ldap-tls" ; then
 manifest+=( \
 "cf-deployment/operations/enable-nfs-ldap.yml" \
 "overlay/addons/nfs-ldap.yml" \
 )
+ if want_feature "nfs-ldap-tls"; then
+ manifest+=( overlay/addons/nfs-ldap-tls.yml )
+ # If user provided their own nfs-ldap-ca path, delete the default
+ if jq <<<"$params" -e '."nfs-ldap-ca-cert-ca"' &> /dev/null ; then
+ remove_unused_secret_ops_file="operations/dynamic/remove-unused-nfs-ldap-ca-cert.yml"
+ cat < "$remove_unused_secret_ops_file"
+- type: remove
+ path: /variables/name=nfs-ldap-ca-cert
+EOF
+ manifest+=( "$remove_unused_secret_ops_file" )
+ fi
+ fi
 fi
 ;;
 smb-volume-services)
diff --git a/overlay/addons/nfs-ldap-tls.yml b/overlay/addons/nfs-ldap-tls.yml
new file mode 100644
index 00000000..34aa1a94
--- /dev/null
+++ b/overlay/addons/nfs-ldap-tls.yml
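Review bot: The line that is meant to create the ops file in the @@ -444 hunk reads `cat < "$remove_unused_secret_ops_file"` as shown, which reads from a file that does not exist yet rather than writing it; the `EOF` terminator two lines later suggests the committed line is a heredoc, `cat <<EOF > "$remove_unused_secret_ops_file"`, that lost `<EOF >` in rendering, which is worth confirming in the checked-in script. Nothing checks that the write succeeded, so if `operations/dynamic` is absent (no `mkdir -p` precedes it) and the script is not running under `set -e` (not visible in this hunk), `manifest+=( "$remove_unused_secret_ops_file" )` still appends a non-existent ops file and the generated `nfs-ldap-ca-cert` variable silently stays in the manifest next to the operator's CA. The `jq -e '."nfs-ldap-ca-cert-ca"'` test also accepts an empty string, since `-e` fails only on null/false, so `nfs-ldap-ca-cert-ca: ""` removes the generated CA and ships an empty trust anchor; `-e '."nfs-ldap-ca-cert-ca" // "" | length > 0'` rejects that case. The comment's "nfs-ldap-ca path" is misleading because the param carries the CA certificate itself (its default in nfs-ldap-tls.yml is `((nfs-ldap-ca-cert.ca))`); `# If the operator supplied their own LDAP CA certificate, drop the generated one` describes what the block does.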
@@ -0,0 +1,18 @@
+params:
+ nfs-ldap-ca-cert-ca: ((nfs-ldap-ca-cert.ca))
+
+instance_groups:
+- name: diego-cell
+ jobs:
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ ldap_ca_cert: (( grab params.nfs-ldap-ca-cert-ca ))
+
+variables:
+- name: nfs-ldap-ca-cert
+ type: certificate
+ options:
+ common_name: NFSLDAPCA
+ is_ca: true
+
diff --git a/overlay/addons/nfs-ldap.yml b/overlay/addons/nfs-ldap.yml
index 498bb9ca..44dbd09c 100644
--- a/overlay/addons/nfs-ldap.yml
+++ b/overlay/addons/nfs-ldap.yml
@@ -12,4 +12,3 @@ params:
 nfs-ldap-port: 389
 nfs-ldap-proto: tcp
 nfs-ldap-fqdn: (( param "Provide value for NFS LDAP fqdn" ))
-
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml
new file mode 100644
index 00000000..a54f3afd
--- /dev/null
+++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap-tls.yml
@@ -0,0 +1,7 @@
+instance_groups:
+- name: (( grab meta.name ))
+ jobs:
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ ldap_ca_cert: (( grab meta.nfs-ldap-ca-cert-ca || params.nfs-ldap-ca-cert-ca ))
diff --git a/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml b/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
index 929fe712..799eed33 100644
--- a/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
+++ b/overlay/dynamic-templates/isolation-segment-nfs-ldap.yml
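Review bot: The default for `nfs-ldap-ca-cert-ca` in nfs-ldap-tls.yml is a CA this kit generates itself (the `nfs-ldap-ca-cert` variable with `is_ca: true`), which cannot have issued the certificate of an external LDAP server, so a deployment that does not override the param hands nfsv3driver a trust anchor that will not verify the real server — presumably a connection failure at runtime rather than an error at deploy time. nfs-ldap.yml already makes `nfs-ldap-fqdn` mandatory with `(( param ... ))`; doing the same here, `nfs-ldap-ca-cert-ca: (( param "Provide the PEM CA certificate that issued the NFS LDAP server certificate" ))`, fails fast and removes the need for both the `variables` entry and the remove-unused ops file written by hooks/blueprint. If the generated CA is kept for a setup where the LDAP server certificate is issued from the same variable store, a comment above `variables:` saying so would stop the next reader from treating the default as generally usable. Whether nfsv3driver also needs `nfs-ldap-proto` changed from the `tcp` set in nfs-ldap.yml before it uses TLS is not visible in this diff and worth confirming.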
@@ -1,14 +1,13 @@
 instance_groups:
 - name: (( grab meta.name ))
 jobs:
- - name: nfsv3driver
- properties:
- nfsv3driver:
- ldap_svc_user: ((nfs-ldap-service-user))
- ldap_svc_password: ((nfs-ldap-service-password))
- ldap_host: ((nfs-ldap-host))
- ldap_port: ((nfs-ldap-port))
- ldap_proto: ((nfs-ldap-proto))
- ldap_user_fqdn: ((nfs-ldap-fqdn))
- allowed-in-source: ""
- ldap_ca_cert: (( grab params.nfs-ldap-ca-cert-ca || "((nfs-ldap-ca-cert.ca))" ))
+ - name: nfsv3driver
+ properties:
+ nfsv3driver:
+ ldap_svc_user: ((nfs-ldap-service-user))
+ ldap_svc_password: ((nfs-ldap-service-password))
+ ldap_host: ((nfs-ldap-host))
+ ldap_port: ((nfs-ldap-port))
+ ldap_proto: ((nfs-ldap-proto))
+ ldap_user_fqdn: ((nfs-ldap-fqdn))
+ allowed-in-source: ""
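Review bot: Dropping `ldap_ca_cert` from this template changes behaviour for existing `nfs-ldap` isolation segments: the removed line always passed `params.nfs-ldap-ca-cert-ca` (or, failing that, the literal `((nfs-ldap-ca-cert.ca))` reference) to nfsv3driver, whereas after this change the job gets no CA unless the new `nfs-ldap-tls` feature is also enabled. An operator who set that param under plain `nfs-ldap` loses the trust anchor silently on upgrade; what nfsv3driver does without one (plaintext LDAP or a failed connection) is not visible here. This deserves an upgrade note in the kit documentation, and hooks/blueprint could warn when the param is present without the feature, e.g. `if ! want_feature "nfs-ldap-tls" && jq <<<"$params" -e '."nfs-ldap-ca-cert-ca"' &>/dev/null ; then describe >&2 "[WARN] nfs-ldap-ca-cert-ca is set but feature nfs-ldap-tls is not enabled; the CA will be ignored" ; fi`.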