Js/include ldap service

.env

@@ -66,6 +66,12 @@ POSTGRES_USER=workshop
 POSTGRES_PASSWORD=workshop
 POSTGRES_DB=workshop
 
+## OpenLDAP ===================================================================
+OPENLDAP_ADMIN_PASSWORD=workshop
+OPENLDAP_ORG_DN=dc=example,dc=com
+OPENLDAP_ORG_DNS=example.com
+OPENLDAP_ORG_NAME="Sensu Workshop"
+
 ## Nginx (Sensu Assets) =======================================================
 NGINX_VERSION=1.19.2
 

Dockerfile

@@ -34,9 +34,12 @@ RUN /mattermost/bin/mmctl version
 # - mmctl
 #
 FROM alpine:latest AS workshop
-RUN apk add curl jq gettext docker-cli docker-compose
+
+RUN apk add curl jq gettext docker-cli docker-compose openldap-clients
 RUN curl -L https://raw.githubusercontent.com/eficode/wait-for/v2.1.3/wait-for -o /usr/bin/wait-for && chmod +x /usr/bin/wait-for
 RUN mkdir /lib64
+RUN echo "TLS_REQCERT never" >> /etc/openldap/ldap.conf
+
 COPY --from=sensu /usr/local/bin/sensuctl /usr/local/bin/
 COPY --from=sensu /opt/sensu/bin/sensu-backend /usr/local/bin/
 COPY --from=vault /bin/vault /usr/local/bin/vault

config/sensu/seeds/ldap-rbac.yaml

@@ -0,0 +1,58 @@
+type: ClusterRoleBinding
+api_version: core/v2
+metadata:
+  name: ldap-cluster-admin
+spec:
+  role_ref:
+    name: cluster-admin
+    type: ClusterRole
+  subjects:
+    - name: "ldap:sensu-cluster-admins"
+      type: Group
+---
+type: ClusterRoleBinding
+api_version: core/v2
+metadata:
+  name: ldap-cluster-view
+spec:
+  role_ref:
+    name: view
+    type: ClusterRole
+  subjects:
+    - name: "ldap:sensu-operations"
+      type: Group
+    - name: "ldap:sensu-trainee"
+      type: Group
+    - name: "ldap:sensu-engineering"
+      type: Group
+    - name: "ldap:sensu-workshop"
+      type: Group
+---
+type: Role
+api_version: core/v2
+metadata:
+  name: ldap:trainee
+  namespace: trainee
+spec:
+  rules:
+    - resources:
+      - "*"
+      verbs:
+      - "*"
+      resource_names: []
+---
+type: RoleBinding
+api_version: core/v2 
+metadata:
+  name: ldap:trainee
+  namespace: trainee
+spec:
+  role_ref:
+    name: ldap:trainee
+    type: Role
+  subjects:
+  - name: "ldap:sensu-trainee"
+    type: Group
+
+
+

config/sensu/seeds/ldap.yaml

@@ -0,0 +1,26 @@
+---
+type: ldap
+api_version: authentication/v2
+metadata:
+  name: openldap
+spec:
+  groups_prefix: ldap
+  servers:
+  - binding:
+      password: workshop
+      user_dn: cn=admin,dc=example,dc=com
+    group_search:
+      attribute: member
+      base_dn: ou=Users,dc=example,dc=com
+      name_attribute: cn
+      object_class: groupOfNames
+    host: openldap
+    insecure: true
+    port: 636
+    security: tls
+    user_search:
+      attribute: uid
+      base_dn: ou=Users,dc=example,dc=com
+      name_attribute: cn
+      object_class: inetOrgPerson
+  username_prefix: ldap

docker-compose-default.yaml

@@ -128,7 +128,44 @@ services:
       interval: 10s
       timeout: 5s
       retries: 6
-
+  # OpenLDAP
+  #
+  # LDAP authentication provider
+  #
+  #
+  openldap:
+    build:
+      context: ./docker/openldap
+      dockerfile: Dockerfile
+    labels:
+    - io.sensu.role=ldap-server
+    healthcheck:
+      test: ldapwhoami -H ldaps://127.0.0.1 -D cn=admin,dc=example,dc=com  -w $$OPENLDAP_ADMIN_PASSWORD
+      interval: 10s
+      timeout: 5s
+      retries: 6
+    deploy:
+      restart_policy:
+        condition: on-failure
+        max_attempts: ${WORKSHOP_SETUP_RETRIES}
+    environment:
+      - OPENLDAP_ORG_NAME
+      - OPENLDAP_ORG_DNS
+      - OPENLDAP_ORG_DN
+      - OPENLDAP_ADMIN_PASSWORD
+    ports:
+      - '389:389'
+      - '636:636'
+    volumes:
+    - type: volume
+      source: openldap_config
+      target: /config
+      consistency: consistent
+    - type: volume
+      source: openldap_data
+      target: /var/lib/ldap
+      consistency: consistent
+
   # Sensu Asset Server
   #
   # Serve Sensu Assets over HTTP using NGINX.
@@ -323,6 +360,8 @@ services:
     - SENSU_BACKEND_CLUSTER_ADMIN_API_KEY
     - VAULT_ADDR
     - VAULT_TOKEN
+    - OPENLDAP_ORG_DN
+    - OPENLDAP_ADMIN_PASSWORD
     - WORKSHOP_HOSTNAME
     - WORKSHOP_SENSU_VERSION
     - WORKSHOP_SENSU_BUILD
@@ -396,3 +435,7 @@ volumes:
     driver: local
   mattermost_plugins_extra:
     driver: local
+  openldap_data:
+    driver: local
+  openldap_config:
+    driver: local

docker/openldap/Dockerfile

@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+
+# Install OpenLDAP
+RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y slapd ldap-utils openssl ca-certificates net-tools
+
+# Copy project files
+COPY resources /app
+RUN mkdir -p /etc/ldap
+COPY resources/ldap.conf /etc/ldap/ldap.conf
+
+# Change to /app/
+WORKDIR /app/
+
+# Add Tini
+ENV TINI_VERSION v0.19.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+RUN chmod +x /tini
+ENTRYPOINT ["/tini", "--"]
+
+# Run your program under Tini
+CMD ["/app/entrypoint.sh"]

docker/openldap/resources/common.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+info(){
+  echo -e "\033[1;34mINFO\033[0m   $1"
+}
+
+warn(){
+  echo -e "\033[0;33mWARN\033[0m   $1"
+}
+
+fatal(){
+  echo -e "\033[0;31mFATAL\033[0m  $1"
+  exit 1
+}
+
+start_ldap(){
+  slapd -F /config/slapd.d -u openldap -g openldap -h 'ldap:// ldaps:// ldapi:///' $@
+}