Enable TLS for OpenLDAP
Also fix typo in cert name for DriveTrain services.
Change-Id: I604cd663c31018814f7380af56dee5ac9374aaa0
Related-Prod: PROD-23454
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..5130caf 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
volumes:
- /srv/volumes/openldap/database:/var/lib/ldap
- /srv/volumes/openldap/config:/etc/ldap/slapd.d
+ - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+ - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+ - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+ # copy to /container/run/service to avoid issues with owning certs as openldap user
+ # https://github.com/osixia/docker-openldap/issues/59
+ command: --copy-service
environment:
HOSTNAME: ldap01.${_param:openldap_domain}
LDAP_ORGANISATION: "${_param:openldap_organisation}"
LDAP_DOMAIN: "${_param:openldap_domain}"
LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
- LDAP_TLS: "false"
+ LDAP_TLS: "true"
+ LDAP_TLS_VERIFY_CLIENT: try
+ LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+ LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+ LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+ LDAP_TLS_CA_CRT_FILENAME: ca.crt
admin:
networks:
- ldap
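Review bot: The `LDAP_TLS_CIPHER_SUITE` line keeps TLS 1.0 and 1.1 enabled (`+VERS-TLS1.1:+VERS-TLS1.0`); both versions are deprecated and nothing in this change shows a client that needs them, so unless a legacy LDAP consumer is known the GnuTLS priority should be narrowed, e.g. `LDAP_TLS_CIPHER_SUITE: "NORMAL:-VERS-ALL:+VERS-TLS1.2"` (adding `+VERS-TLS1.3` if the image's GnuTLS supports it — confirm against the image). Quoting it the way `LDAP_TLS` is quoted also keeps a future edit containing `: ` or ` #` from changing how the scalar parses. `LDAP_TLS_VERIFY_CLIENT: try` requests but does not require a client certificate; a one-line comment above it stating that the goal here is an encrypted session rather than certificate-based client authentication would spare the next reader a trip to the image docs. The `environment` block's enclosing service definition starts before the hunk.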
diff --git a/haproxy/proxy/listen/phpldapadmin.yml b/haproxy/proxy/listen/phpldapadmin.yml
index b2b7f93..6bbb885 100644
--- a/haproxy/proxy/listen/phpldapadmin.yml
+++ b/haproxy/proxy/listen/phpldapadmin.yml
@@ -2,6 +2,9 @@
_param:
haproxy_phpldapadmin_bind_host: ${_param:haproxy_bind_address}
haproxy_phpldapadmin_bind_port: 8089
+ haproxy_phpldapadmin_ssl:
+ enabled: true
+ pem_file: /etc/haproxy/ssl/drivetrain.pem
haproxy:
proxy:
listen:
@@ -12,9 +15,13 @@
- httpclose
- httplog
balance: source
+ http_request:
+ - action: "add-header X-Forwarded-Proto https"
+ condition: "if { ssl_fc }"
binds:
- address: ${_param:haproxy_phpldapadmin_bind_host}
port: ${_param:haproxy_phpldapadmin_bind_port}
+ ssl: ${_param:haproxy_phpldapadmin_ssl}
servers:
- name: ${_param:cluster_node01_name}
host: ${_param:cluster_node01_address}
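Review bot: The new `http_request` rule uses `add-header`, which appends `X-Forwarded-Proto` rather than replacing it, so a client-supplied `X-Forwarded-Proto` header would be forwarded to phpLDAPadmin alongside the one HAProxy adds; whether that is exploitable depends on which value the backend honours, but `set-header` removes the ambiguity: `- action: "set-header X-Forwarded-Proto https"`. The `condition: "if { ssl_fc }"` is harmless, though with `ssl` now on the only bind it will always be true on this listener. The listen block continues past the end of the hunk.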
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
index 25812f6..c0c20a8 100644
--- a/openldap/client/init.yml
+++ b/openldap/client/init.yml
@@ -3,7 +3,10 @@
parameters:
_param:
openldap_server: ${_param:cluster_vip_address}
- openldap_tls: false
+ openldap_tls:
+ starttls: true
+ keyfile: /etc/haproxy/ssl/drivetrain.key
+ certfile: /etc/haproxy/ssl/drivetrain.crt
openldap:
client:
server:
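Review bot: `openldap_tls` changes type from a boolean to a mapping, so any class elsewhere that still interpolates `${_param:openldap_tls}` as a flag (none is visible in this diff) would now receive a mapping instead of `true`/`false`; a grep for the bare reference is worth doing before merge. The mapping carries only the key/cert pair and no CA path, so how the client validates the server certificate under `starttls: true` cannot be seen here; if the formula falls back to the system trust store, a comment above `keyfile` such as `# key/cert shared with haproxy; server CA comes from the system trust store (TODO confirm)` would record that. The `openldap.client.server` block continues past the hunk.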
diff --git a/salt/minion/cert/proxy/drivetrain_ssl.yml b/salt/minion/cert/proxy/drivetrain_ssl.yml
index aecb5fb..5e7cf5f 100644
--- a/salt/minion/cert/proxy/drivetrain_ssl.yml
+++ b/salt/minion/cert/proxy/drivetrain_ssl.yml
@@ -2,7 +2,7 @@
salt:
minion:
cert:
- gerrit:
+ drivetrain:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
common_name: drivetrain