Closed uhhhh2 closed 3 years ago
Hi,
yes, right now the certificates are not mounted in the image.
A volume mount needs to be declared to load the configured secret into the directory. Something like:

```yaml
volumeMounts:
  - name: certs
    mountPath: "/container/service/slapd/assets/certs"
    readOnly: true
volumes:
  - name: certs
    secret:
      secretName: {{ .Values.tls.secret }}
```

and also set LDAP_TLS_CRT_FILENAME, LDAP_TLS_KEY_FILENAME and LDAP_TLS_CA_CRT_FILENAME accordingly, or force the keys of the secret to be tls.key, tls.crt and ca.crt.
I added the volume mount for the custom certificate mgt. Is it working for you?
It should work. Thanks!
I'm still having issues getting TLS to work.
Secret defined here:

```yaml
apiVersion: v1
data:
  tls.crt: base64encoded string
  tls.key: base64encoded string
  ca.crt: base64encoded string
kind: Secret
metadata:
  name: openldap-tls
  namespace: operator
type: kubernetes.io/tls
```

Enabled TLS here:

```yaml
# settings for enabling TLS with custom certificate
customTLS:
  enabled: true
  secret: "openldap-tls" # The name of a kubernetes.io/tls type secret to use for TLS
  CA:
    enabled: true
```

Set TLS envvars here:

```yaml
LDAP_TLS_CRT_FILENAME: "tls.crt"
LDAP_TLS_KEY_FILENAME: "tls.key"
# LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
LDAP_TLS_ENFORCE: "false"
```
Results in:

```
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** INFO | 2021-05-06 21:31:17 | Running /container/run/startup/:ssl-tools...
*** INFO | 2021-05-06 21:31:17 | Running /container/run/startup/slapd...
*** INFO | 2021-05-06 21:31:17 | openldap user and group adjustments
*** INFO | 2021-05-06 21:31:17 | get current openldap uid/gid info inside container
*** INFO | 2021-05-06 21:31:17 | -------------------------------------
*** INFO | 2021-05-06 21:31:17 | openldap GID/UID
*** INFO | 2021-05-06 21:31:17 | -------------------------------------
*** INFO | 2021-05-06 21:31:17 | User uid: 911
*** INFO | 2021-05-06 21:31:17 | User gid: 911
*** INFO | 2021-05-06 21:31:17 | uid/gid changed: false
*** INFO | 2021-05-06 21:31:17 | -------------------------------------
*** INFO | 2021-05-06 21:31:17 | updating file uid/gid ownership
*** INFO | 2021-05-06 21:31:17 | No certificate file and certificate key provided, generate:
*** INFO | 2021-05-06 21:31:17 | /container/run/service/slapd/assets/certs/tls.crt and /container/run/service/slapd/assets/certs/tls.key
2021/05/06 21:31:17 [INFO] generate received request
2021/05/06 21:31:17 [INFO] received CSR
2021/05/06 21:31:17 [INFO] generating key: ecdsa-384
2021/05/06 21:31:17 [INFO] encoded CSR
2021/05/06 21:31:17 [INFO] signed certificate with serial number 395190510029425099654701866954228627833255417
mv: cannot move '/tmp/cert.pem' to '/container/run/service/slapd/assets/certs/tls.crt': No such file or directory
mv: cannot move '/tmp/cert-key.pem' to '/container/run/service/slapd/assets/certs/tls.key': No such file or directory
*** INFO | 2021-05-06 21:31:17 | Link /container/service/:ssl-tools/assets/default-ca/default-ca.pem to /container/run/service/slapd/assets/certs/ca.crt
ln: failed to create symbolic link '/container/run/service/slapd/assets/certs/ca.crt': No such file or directory
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
```

It doesn't appear to be grabbing the data from the secret. I've also copied the certs to the install directory and the install doesn't grab them.
How do the certs get passed into the container? Ideally, the deployment would read from the secret.
ok, that seemed to clear up by installing in a new namespace.
Now, up and running in a new namespace, but still having trouble getting the server name specified:

```
*** INFO | 2021-05-06 22:39:30 | Start OpenLDAP...
*** INFO | 2021-05-06 22:39:30 | Waiting for OpenLDAP to start...
*** INFO | 2021-05-06 22:39:30 | Add TLS config...
*** INFO | 2021-05-06 22:39:31 | Add replication config...
*** INFO | 2021-05-06 22:39:33 | Stop OpenLDAP...
*** INFO | 2021-05-06 22:39:33 | Configure ldap client TLS configuration...
*** INFO | 2021-05-06 22:39:33 | Remove config files...
*** INFO | 2021-05-06 22:39:33 | First start is done...
*** INFO | 2021-05-06 22:39:33 | Remove file /container/environment/99-default/default.startup.yaml
*** INFO | 2021-05-06 22:39:33 | Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** INFO | 2021-05-06 22:39:33 | Running /container/run/process/slapd/run...
60947025 @(#) $OpenLDAP: slapd 2.4.57+dfsg-1~bpo10+1 (Jan 30 2021 06:59:51) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
60947025 slapd starting
60947025 slap_client_connect: URI=ldap://openldap-1.openldap-headless.openldap.svc.cluster.local Error, ldap_start_tls failed (-1)
60947025 slap_client_connect: URI=ldap://openldap-1.openldap-headless.openldap.svc.cluster.local Error, ldap_start_tls failed (-1)
60947025 slap_client_connect: URI=ldap://openldap-2.openldap-headless.openldap.svc.cluster.local Error, ldap_start_tls failed (-1)
60947025 slap_client_connect: URI=ldap://openldap-2.openldap-headless.openldap.svc.cluster.local Error, ldap_start_tls failed (-1)
```

How can I get the server name to be ldap://ldap.openldap.svc.cluster.local? My certs are created for *.openldap.svc.cluster.local.
I also updated the cert to include *.openldap-headless.openldap.svc.cluster.local and the error persists.
ahh I see, it's trying to connect to pods that aren't yet running. Seems to be a non-issue.
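As an added example (not code from the chart or from anyone in this thread), a small preflight script that cross-checks the wiring discussed above: the secret's namespace and key names against the LDAP_TLS_*_FILENAME values, and the certificate's SANs against the hostnames the pods are reached under (wildcard matching as in RFC 6125, where `*` covers exactly one label, which the thread's replica hostnames run into). All inputs are constructed to mirror the secret, values and hostnames shown in the thread.

```python
# Added example, not part of the chart: cross-check secret namespace/keys,
# LDAP_TLS_*_FILENAME values and certificate SANs against the hostnames
# the pods use. All inputs are constructed to mirror the thread.

def hostname_matches(host, san):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label, so
    *.openldap.svc.cluster.local does not cover a.b.openldap.svc.cluster.local."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                      # ".openldap.svc.cluster.local"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost

TLS_VARS = ("LDAP_TLS_CRT_FILENAME", "LDAP_TLS_KEY_FILENAME", "LDAP_TLS_CA_CRT_FILENAME")

def preflight(secret, pod_namespace, env, sans, hosts):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    # A pod can only mount a secret that lives in its own namespace.
    if secret["namespace"] != pod_namespace:
        findings.append(f"secret {secret['name']} is in namespace "
                        f"{secret['namespace']!r}, pod runs in {pod_namespace!r}")
    # Each LDAP_TLS_*_FILENAME must name a key present in the secret; otherwise
    # the image falls back to generating its own certificate.
    keys = set(secret["data"])
    for var in TLS_VARS:
        if env.get(var) not in keys:
            findings.append(f"{var}={env.get(var)!r} has no matching secret key {sorted(keys)}")
    # Every hostname the server or its replicas are reached under needs a SAN.
    for host in hosts:
        if not any(hostname_matches(host, s) for s in sans):
            findings.append(f"no SAN covers {host}")
    return findings

# Constructed inputs mirroring the thread (secret in 'operator', pods in 'openldap').
SECRET = {"name": "openldap-tls", "namespace": "operator",
          "data": {"tls.crt": "...", "tls.key": "...", "ca.crt": "..."}}
ENV = {"LDAP_TLS_CRT_FILENAME": "tls.crt", "LDAP_TLS_KEY_FILENAME": "tls.key",
       "LDAP_TLS_CA_CRT_FILENAME": "ca.crt"}
SANS = ["*.openldap.svc.cluster.local"]
HOSTS = ["ldap.openldap.svc.cluster.local",
         "openldap-1.openldap-headless.openldap.svc.cluster.local"]

if __name__ == "__main__":
    for finding in preflight(SECRET, "openldap", ENV, SANS, HOSTS):
        print("-", finding)
```

Run as-is it reports two findings for the thread's setup: the namespace mismatch and the replica hostname that the single-label wildcard does not cover.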
If I am reading the chart correctly, the StatefulSet appears to set the certificate directory described in the docker image to the data volume here. However, I am having difficulty finding where the TLS and CA secrets described in the values.yml get copied into the data volume. Where do the TLS and CA secrets get copied into the data volume?