wandb / helm-charts

Our official helm charts for deploying wandb into k8s
MIT License

feat: Add support to ldap custom certs #60

Closed flamarion closed 9 months ago

flamarion commented 9 months ago

feat: Add support to ldap custom certs

flamarion commented 9 months ago

The requirement will be for the customer to create a ConfigMap with the certificate.

1. Create a configmap in the wandb-helm namespace with the LDAP TLS cert.

```bash
kubectl -n wandb-helm create configmap my-ldap-cert-super-local --from-file=wandb.local.crt
```

2. Prepare the LDAP configuration in values.yaml.

```yaml
ldap:
  enabled: true
  # LDAP server address including "ldap://" or "ldaps://"
  host: "ldaps://blablabla.com.br"
  # LDAP search base to use for finding users
  baseDN: "thisisthesearchbase"
  # LDAP user to bind with (if not using anonymous bind)
  bindDN: "thisisthebinddn"
  # Secret name and key with LDAP password to bind with (if not using anonymous bind)
  bindPassword: "thisisthebindpw"
  # LDAP attribute for email and group ID attribute names as comma separated string values.
  attributes: "theseareattributes"
  # LDAP group allow list
  groupAllowList: "thesearegroups"
  # Enable LDAP TLS
  tls: true
  # ConfigMap name and key with CA certificate for LDAP server
  tlsCert:
    configMap:
      name: "my-ldap-cert-super-local"
      key: "wandb.local.crt"
```

3. Deploy the helm using the local branch (note the revision number :D ).

```bash
$ helm upgrade --install --namespace wandb-helm --create-namespace wandb-helm wandb/ -f values.yaml
Release "wandb-helm" has been upgraded. Happy Helming!
NAME: wandb-helm
LAST DEPLOYED: Mon Jan 15 15:04:51 2024
NAMESPACE: wandb-helm
STATUS: deployed
REVISION: 7
NOTES:
http://wandbtest.lab.local/
```

4. New pod created.

```bash
$ kubectl get pods -n wandb-helm
NAME                          READY   STATUS    RESTARTS   AGE
wandb-helm-5d4f6db77f-58r7g   0/1     Running   0          7s
wandb-helm-5dbb94fcdc-hkvs2   1/1     Running   0          30m
```

5. It will not start because all the configuration values are fake, so it will fail. The idea is to demonstrate whether the values are getting set.

```text
{"level":"INFO","time":"2024-01-15T14:14:24.765271899Z","info":{"program":"gorilla","source":"mnt/ramdisk/core/services/gorilla/cmd/gorilla.go:1252","pid":1056},"data":{},"message":"parsed schema","dd.trace_id":""}
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
github.com/wandb/core/services/connectors.loadLDAPAttributes({0xc000086077, 0x12})
	/mnt/ramdisk/core/services/connectors/ldap.go:661 +0x126
github.com/wandb/core/services/connectors.MakeLDAPStore({0xc00008601f?, 0xc00180a018?}, {0x53c9560, 0x7f88660})
	/mnt/ramdisk/core/services/connectors/ldap.go:243 +0x64b
github.com/wandb/core/services/gorilla/cmd.(*gorillaCommander).MainCmd(0xc0014eb940, {0xc0014eba30, 0x1, 0x1})
	/mnt/ramdisk/core/services/gorilla/cmd/gorilla.go:1382 +0x85a5
main.main()
	/mnt/ramdisk/core/services/gorilla/cmd/megabinary/main.go:76 +0x442
```

6. Connected to the new pod to check that the content matches what was configured.
```bash
$ kubectl -n wandb-helm exec -ti wandb-helm-5d4f6db77f-58r7g -- bash
wandb@wandb-helm-5d4f6db77f-58r7g:~$ env | grep LDAP
LOCAL_LDAP_BASE_DN=thisisthesearchbase
LOCAL_LDAP_GROUP_ALLOW_LIST=thesearegroups
LOCAL_LDAP_ATTRIBUTES=theseareattributes
LOCAL_LDAP_LOGIN=true
LOCAL_LDAP_ADDRESS=ldaps://blablabla.com.br
LOCAL_LDAP_BIND_DN=thisisthebinddn
GORILLA_LDAP_CONNECTION_STRING=ldaps://thisisthebinddn:thisisthebindpw@blablabla.com.br/thisisthesearchbase?attributes=theseareattributes&userBaseDN=&groupBaseDN=&userObjectClass=&groupObjectClass=&groupAllowList=thesearegroups&tls=true
LOCAL_LDAP_TLS_ENABLE=true
GORILLA_LDAP_LOGIN=true
GORILLA_LDAP_GROUP_SYNC=false
LOCAL_LDAP_BIND_PW=thisisthebindpw

wandb@wandb-helm-5d4f6db77f-58r7g:~$ cat /var/run/secrets/wandb.ai/ldap/ca.crt
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
wandb@wandb-helm-5d4f6db77f-58r7g:~$
```
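As an added check, not part of this PR or of the chart itself: a small Python preflight for the `ldap` block of values.yaml that reproduces the `GORILLA_LDAP_CONNECTION_STRING` layout seen in the env dump above and rejects the input that made the pod panic (a single `attributes` value where a comma-separated email,group pair is expected). The two-name `attributes` rule, the chart defaults for the empty query fields, and the helper names `connection_string`/`validate_ldap` are assumptions, not confirmed from the chart's templates.

```python
# Preflight check for the ldap block of values.yaml. Added example, not code
# from wandb/helm-charts: the connection-string layout is copied from the pod's
# env dump above; the "two comma-separated attribute names" rule is inferred
# from the values.yaml comment and the loadLDAPAttributes panic.
from urllib.parse import urlsplit

# Constructed input mirroring the fake configuration used in the thread.
VALUES = {"ldap": {
    "enabled": True, "host": "ldaps://blablabla.com.br",
    "baseDN": "thisisthesearchbase",
    "bindDN": "thisisthebinddn", "bindPassword": "thisisthebindpw",
    "attributes": "theseareattributes", "groupAllowList": "thesearegroups",
    "tls": True,
    "tlsCert": {"configMap": {"name": "my-ldap-cert-super-local",
                              "key": "wandb.local.crt"}},
}}


def connection_string(ldap):
    """Render what the pod exposes as GORILLA_LDAP_CONNECTION_STRING.
    Empty userBaseDN/groupBaseDN/objectClass fields are assumed chart defaults.
    Nothing is URL-encoded, so a real DN containing ',' or '=' needs care, and
    the bind password lands in plaintext in this environment variable."""
    u = urlsplit(ldap["host"])
    auth = f"{ldap['bindDN']}:{ldap['bindPassword']}@" if ldap.get("bindDN") else ""
    return (f"{u.scheme}://{auth}{u.netloc}/{ldap['baseDN']}"
            f"?attributes={ldap['attributes']}&userBaseDN=&groupBaseDN="
            f"&userObjectClass=&groupObjectClass="
            f"&groupAllowList={ldap['groupAllowList']}"
            f"&tls={str(bool(ldap.get('tls'))).lower()}")


def validate_ldap(values):
    """Return a list of problems; an empty list means the block looks deployable."""
    ldap = values.get("ldap") or {}
    if not ldap.get("enabled"):
        return []
    problems = []
    if urlsplit(ldap.get("host", "")).scheme not in ("ldap", "ldaps"):
        problems.append("host must include ldap:// or ldaps://")
    attrs = [a.strip() for a in ldap.get("attributes", "").split(",")]
    if len(attrs) != 2 or not all(attrs):
        # a single value is what produced the index-out-of-range panic above
        problems.append("attributes must be 'emailAttr,groupIdAttr'")
    if bool(ldap.get("bindDN")) != bool(ldap.get("bindPassword")):
        problems.append("bindDN and bindPassword must be set together")
    cm = (ldap.get("tlsCert") or {}).get("configMap") or {}
    if ldap.get("tls") and not (cm.get("name") and cm.get("key")):
        problems.append("tls is true but tlsCert.configMap name/key missing")
    return problems
```

Run `validate_ldap(VALUES)` before `helm upgrade` to catch the attributes mistake at the values.yaml stage instead of in the pod's crash log.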