Add stunnel for ldap as part of service template

2023-07-06 17:16:36 -07:00 · 2023-07-06 17:16:36 -07:00 · 8650ab973a
parent acc80868f9
commit 8650ab973a
2 changed files with 47 additions and 5 deletions
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@ -9,13 +9,13 @@ job "lldap" {

      port "web" {
        host_network = "wesher"
-        to = 17170
      }

      port "ldap" {
        host_network = "wesher"
-        to = 3890
      }
+
+      port "tls" {}
    }

    service {
@ -24,6 +24,12 @@ job "lldap" {
      port = "ldap"
    }

+    service {
+      name = "lldap-tls"
+      provider = "nomad"
+      port = "tls"
+    }
+
    service {
      name = "ldap-admin"
      provider = "nomad"
@ -39,7 +45,7 @@ job "lldap" {
      driver = "docker"

      config {
-        image = "nitnelave/lldap:v0.4.3"
+        image = "nitnelave/lldap:latest"
        ports = ["ldap", "web"]
        args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
      }
@ -51,7 +57,7 @@ job "lldap" {

      template {
        data = <<EOH
-ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}"
+ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"

 {{ with nomadVar "nomad/jobs/lldap" -}}
 database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
@ -157,6 +163,7 @@ SELECT 'NOOP';

      config {
        image = "alpine:3.17"
+        ports = ["tls"]
        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
      }

@ -180,6 +187,12 @@ syslog = no
 foreground = yes
 delay = yes

+[ldap_server]
+accept = {{ env "NOMAD_PORT_tls" }}
+connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
+ciphers = PSK
+PSKsecrets = {{ env "NOMAD_TASK_DIR" }}/stunnel_psk.txt
+
 [mysql_client]
 client = yes
 accept = 127.0.0.1:3306
@ -191,6 +204,15 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
      }

+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/lldap/lldap/stunnel" -}}
+{{ .allowed_psks }}
+{{- end }}
+EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel_psk.txt"
+      }
+
      template {
        data = <<EOF
 {{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -267,6 +267,16 @@ accept = 127.0.0.1:6379
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
+%{~ endif }
+
+%{~ if use_ldap }
+[ldap_client]
+client = yes
+accept = 127.0.0.1:389
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "lldap-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt
 %{~ endif }
        EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
@ -274,21 +284,31 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt

      %{~ if use_mysql }
      template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
        data = <<EOF
 {{- with nomadVar "nomad/jobs/${name}" }}{{ .mysql_stunnel_psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }
      %{ endif }
-
      %{~ if use_redis }
      template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
        data = <<EOF
 {{- with nomadVar "nomad/jobs/${name}" }}{{ .redis_stunnel_psk }}{{ end -}}
 EOF
        destination = "$${NOMAD_SECRETS_DIR}/redis_stunnel_psk.txt"
      }
      %{~ endif }
+      %{~ if use_ldap }
+      template {
+        # TODO: move psk to nomad/jobs/name/name/stunnel
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/${name}" }}{{ .ldap_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
+      }
+      %{~ endif }
    }
    %{~ endif }
  }