jfrog / charts

JFrog official Helm Charts
https://jfrog.com/integration/helm-repository/
Apache License 2.0

LDAP configurations in Helm chart #1291

Closed vikram383 closed 10 months ago

vikram383 commented 3 years ago

Is this a request for help?:


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

Version of Helm and Kubernetes: helm=v3.4.1 k8s=v1.19.4

Which chart: artifactory helm chart(uses artifactory-pro)

What happened: I want to integrate the LDAP configuration in the chart; how do I do it? Can we integrate it in system.yaml?

What you expected to happen: the LDAP configuration should be automated in the chart.

How to reproduce it (as minimally and precisely as possible): no idea

Anything else we need to know: when I'm deploying the chart, the logs say system.yaml validation has failed; how do I rectify that?

chukka commented 3 years ago

@vikram383 can you please provide more info on the LDAP configuration that you are looking for? We are happy to take a pull request if you are interested in raising one.

vikram383 commented 3 years ago

Hi chukka, thanks for your reply. I want to configure LDAP for Artifactory but I couldn't find any relevant documents for that. Can you please let me know how to configure LDAP in system.yaml in the helm chart? If you can send some basic syntax it would be beneficial, thanks.

vikram383 commented 3 years ago

I want to configure my company LDAP server for certain groups and users.

vikram383 commented 3 years ago

If you could attach some relevant document, that would be fine.

JuanSeBestia commented 3 years ago

+1

Maybe here is the answer

vikram383 commented 3 years ago

Thanks. How do I configure identity access management in YAML? I couldn't find that in the YAML configuration.

JuanSeBestia commented 3 years ago

Finally, it is impossible via system.yaml, so I created a job to do that:

---
apiVersion: batch/v1
kind: Job
metadata:
  name: artifactory-config-patcher
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      securityContext:
        fsGroup: 10001
      imagePullSecrets:
        - name: gitlab-registry
      volumes:
        - name: patcher-file
          secret:
            secretName: artifactory-config-patcher-file
      containers:
        - name: executer
          image: curlimages/curl:7.74.0
          imagePullPolicy: Always
          command:
            - "sh"
            - "-c"
            - >-
              until
              curl -u $ADMIN_USER:$ADMIN_PASSWORD -v
              --connect-timeout 100 $ARTIFACTORY_URL/$HEALTH_API | grep OK; do
              sleep 10; done;
              curl -v --connect-timeout 100 -u $ADMIN_USER:$ADMIN_PASSWORD
              -X PATCH $ARTIFACTORY_URL/$SETTINGS_API
              -H "Content-Type: application/yaml" -T /var/patcher-file/configuration.yaml
          env:
            - name: ARTIFACTORY_URL
              value: http://bio4n-artifactory-jfrog:8081
            - name: SETTINGS_API
              value: artifactory/api/system/configuration
            - name: HEALTH_API
              value: artifactory/api/system/ping
          envFrom:
            - secretRef:
                name: artifactory-admin-credentials
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 512Mi
          volumeMounts:
            - name: patcher-file
              mountPath: /var/patcher-file
              readOnly: true
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            readOnlyRootFilesystem: true
      restartPolicy: Never
  ttlSecondsAfterFinished: 300
---
apiVersion: v1
stringData:
  ADMIN_PASSWORD: some_password
  ADMIN_USER: some_user_admin
kind: Secret
metadata:
  name: artifactory-admin-credentials
type: Opaque
---
apiVersion: v1
stringData:
  configuration.yaml: |
    security:   #Security configuration (LDAP, SAML, Password Policy, ...)
      ldapSettings:   #LDAP server(s) settings (nested under security, as in the Artifactory YAML configuration)
        x-configuration-id:   # The unique ID of the LDAP setting
          emailAttribute: mail   #An attribute that can be used to map a user's email to a user created automatically by Artifactory
          ldapPoisoningProtection: true   #When set to true (recommended), Artifactory will protect against LDAP poisoning by filtering out users exposed to vulnerability
          ldapUrl: <ldap_url> #Location of the LDAP server in the following format: ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include the base DN used to search for and/or authenticate users
          search:
            managerDn: <ldap_bindDn>  #The full DN of a user with permissions that allow querying the LDAP server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf
            managerPassword: <ldap_bindPassword>   #The password of the user binding to the LDAP server when using "search" authentication
            searchBase: <ldap_baseDn>   #The context name in which to search relative to the base DN in the LDAP URL. Multiple search bases may be specified separated by a pipe ( | ). This parameter is optional
            searchFilter: (uid={0})  #A filter expression used to search for the user DN that is used in LDAP authentication. Possible examples are: (uid={0}) - this would search for a username match on the uid attribute. Authentication using LDAP is performed from the DN found if successful
            searchSubTree: true   #When set, enables deep search through the sub-tree of the LDAP URL + Search Base
          userDnPattern: uid={0},$<ldap_baseDn>  #A DN pattern used to log users directly in to the LDAP database. This pattern is used to create a DN string for "direct" user authentication, and is relative to the base DN in the LDAP URL. For example: uid={0},ou=People
          allowUserToAccessProfile: true   #When set, users created after logging in using LDAP will be able to access their profile page in Artifactory
          autoCreateUser: true   #When set, Artifactory will automatically create new users for those who have logged in using LDAP, and assign them to the default groups
          enabled: true   #When set, these settings are enabled
kind: Secret
metadata:
  name: artifactory-config-patcher-file
type: Opaque
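
The same wait-then-PATCH flow as the Job above, as an added example (not code from this thread or from the jfrog/charts project), written so the admin password is not copied into the pod log or the process list: the posted Job runs curl with -v, and verbose mode prints the request headers, including the Basic Authorization header, to stdout, which Kubernetes keeps as the Job's log. Assumptions: ARTIFACTORY_URL, ADMIN_USER and ADMIN_PASSWORD arrive in the environment (e.g. the artifactory-admin-credentials Secret via envFrom); the patch document is mounted at /var/patcher-file/configuration.yaml as in the Job, or its path is given in PATCH_FILE; the LDAP_* variables consumed by render_ldap_patch, MAX_TRIES and RUN_PATCH are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the thread's or the jfrog/charts project's own code.
# Assumed environment: ARTIFACTORY_URL, ADMIN_USER, ADMIN_PASSWORD, and for
# render_ldap_patch the constructed variables LDAP_KEY, LDAP_URL, LDAP_BIND_DN,
# LDAP_BIND_PASSWORD, LDAP_SEARCH_BASE, LDAP_SEARCH_FILTER.
set -eu

# Emit the partial configuration document that the PATCH call sends. The key
# names follow the configuration.yaml posted above, with ldapSettings nested
# under security. Use it to generate the Secret's configuration.yaml from
# secret-held values instead of editing placeholders by hand.
render_ldap_patch() {
  cat <<EOF
security:
  ldapSettings:
    ${LDAP_KEY}:
      enabled: true
      ldapUrl: "${LDAP_URL}"
      emailAttribute: mail
      ldapPoisoningProtection: true
      autoCreateUser: true
      allowUserToAccessProfile: true
      search:
        managerDn: "${LDAP_BIND_DN}"
        managerPassword: "${LDAP_BIND_PASSWORD}"
        searchBase: "${LDAP_SEARCH_BASE}"
        searchFilter: "${LDAP_SEARCH_FILTER}"
        searchSubTree: true
EOF
}

# Exit status 0 when the document on stdin still contains an unfilled template
# placeholder such as <ldap_url>; sending one would leave the server with a
# broken LDAP setting that is easy to miss until the first login fails.
has_placeholders() {
  grep -Eq '<[A-Za-z_]+>'
}

# curl reads "user = ..." from a config file; feeding that file on stdin (-K -)
# keeps the credentials out of the command line and out of `ps`. No -v here:
# verbose mode would print "Authorization: Basic ..." into the pod log.
# (A password containing a double quote would need escaping as \" for curl's
# config parser.)
artifactory_curl() {
  printf 'user = "%s:%s"\n' "$ADMIN_USER" "$ADMIN_PASSWORD" |
    curl -sS -K - --connect-timeout 10 "$@"
}

# Poll the ping endpoint the Job used until it answers OK; give up after
# MAX_TRIES polls (default 60, i.e. about ten minutes) instead of looping forever.
wait_for_artifactory() {
  tries=0
  until artifactory_curl -f "$ARTIFACTORY_URL/artifactory/api/system/ping" | grep -q OK; do
    tries=$((tries + 1))
    [ "$tries" -lt "${MAX_TRIES:-60}" ] || return 1
    sleep 10
  done
}

# PATCH the document in $1. -f turns a 4xx/5xx into a non-zero exit so the Job
# fails visibly instead of reporting success with a rejected configuration.
apply_patch() {
  patch_file=$1
  if has_placeholders < "$patch_file"; then
    echo "refusing to send $patch_file: it still contains <placeholders>" >&2
    return 1
  fi
  artifactory_curl -f -X PATCH "$ARTIFACTORY_URL/artifactory/api/system/configuration" \
    -H 'Content-Type: application/yaml' --data-binary "@$patch_file"
}

# The network steps run only when RUN_PATCH=1, so the file can also be sourced
# to exercise the rendering and placeholder checks offline.
if [ "${RUN_PATCH:-0}" = 1 ]; then
  wait_for_artifactory
  apply_patch "${PATCH_FILE:-/var/patcher-file/configuration.yaml}"
fi
```

In the Job, this script replaces the inline `sh -c` command with `RUN_PATCH=1` set in `env`; the rest of the posted manifest (read-only mount of the Secret, non-root securityContext, ttlSecondsAfterFinished) stays as it is. Note that a Job retains its pod and log until the TTL expires, which is another reason to keep credentials out of that log.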

vikram383 commented 3 years ago

Great! Is this working with your helm chart? Do you have REST API calls for RBAC?

JuanSeBestia commented 3 years ago

1. Yep, it is working with the helm chart; FYI I used a HelmRelease of the Helm Operator.
2. Nooooo, RBAC for k8s is not necessary, because it uses the Artifactory API with the main credentials.

vikram383 commented 3 years ago

Great bro, good job, thanks. I was asking about identity access management for Artifactory; I couldn't find any documentation for setting permissions for groups (e.g. dev, test, etc.), I have found it only through the UI, so I was asking if there is anything like a REST API (similar to the LDAP configuration which you have shared).

JuanSeBestia commented 3 years ago

Many configurations in this part https://www.jfrog.com/confluence/display/JFROG/Artifactory+YAML+Configuration work with this implementation.

pbecotte commented 2 years ago

Was just about to implement this, saved me the time. For jfrog: I wasted quite a bit of time with artifactory.config.import.xml before discovering that there didn't seem to be any way to provide partial config with that, since it overwrote any changes made after launch.

gitta-jfrog commented 10 months ago

Hi all, recently we added the ability to configure LDAP settings via a dedicated REST API - https://jfrog.com/help/r/jfrog-rest-apis/ldap. Closing this ticket.