From 6cbff4d700c87a8a756b39e9b7dd5ffdc093fd32 Mon Sep 17 00:00:00 2001
From: Sergi Philipsen
Date: Fri, 10 Feb 2023 10:16:50 +0100
Subject: [PATCH] feat: add support for AD and add property for https (#37)

Closes #37
---
 charts/zaakbrug/templates/configmap.yaml | 30 +++++++++++++++++-
 charts/zaakbrug/templates/deployment.yaml | 10 +++++++
 charts/zaakbrug/values.yaml | 19 +++++++++++-
 .../resources/credentialprovider.properties | 7 ++---
 4 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/charts/zaakbrug/templates/configmap.yaml b/charts/zaakbrug/templates/configmap.yaml
index 1d8bbd2f1..96069deac 100644
--- a/charts/zaakbrug/templates/configmap.yaml
+++ b/charts/zaakbrug/templates/configmap.yaml
@@ -13,7 +13,20 @@ data:
 {{- $name := .Values.frank.dtap.stage | required (printf ".frank.dtap.stage is a required parameter") }}
 dtap.stage: {{ .Values.frank.dtap.stage }}
 dtap.side: {{ .Values.frank.dtap.side | default "cluster" }}
- configurations.names: {{ .Values.frank.configurations.names | default "" }}
+ {{- with .Values.frank.configurations.names }}
+ configurations.names: {{ . }}
+ {{- end }}
+ application.security.http.authentication: {{ .Values.frank.security.http.authentication | toString | quote }}
+ application.security.http.transportGuarantee: {{ .Values.frank.security.http.enforceHttps | ternary "CONFIDENTIAL" "NONE" }}
+ {{- if .Values.frank.security.http.authentication }}
+ {{- with .Values.frank.security.http.ad }}
+ application.security.http.authenticators: AdAuthenticator
+ application.security.http.authenticators.AdAuthenticator.type: AD
+ application.security.http.authenticators.AdAuthenticator.baseDn: {{ .baseDn }}
+ application.security.http.authenticators.AdAuthenticator.url: {{ .url }}
+ servlet.IAF-API.authenticator: AdAuthenticator
+ {{- end }}
+ {{- end }}
 {{- if .Values.frank.credentials }}
 {{/* credentialFactory.class: nl.nn.credentialprovider.FileSystemCredentialFactory*/}}
 credentialFactory.class: nl.nn.credentialprovider.PropertyFileCredentialFactory
@@ -183,6 +196,19 @@ data:
 {{- end }}
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "zaakbrug.fullname" . }}-roles
+ labels:
+ {{- include "zaakbrug.labels" . | nindent 4 }}
+data:
+ ldap-role-mapping.properties: |
+ IbisTester={{ .Values.frank.security.http.ad.roles.tester }}
+ IbisAdmin={{ .Values.frank.security.http.ad.roles.admin }}
+ IbisDataAdmin={{ .Values.frank.security.http.ad.roles.dataAdmin }}
+ IbisObserver={{ .Values.frank.security.http.ad.roles.observer }}
+---
 {{- if .Values.zaakbrug.globals }}
 apiVersion: v1
 kind: ConfigMap
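Review bot: `.baseDn` and `.url` are rendered unchecked and unquoted inside the `with .Values.frank.security.http.ad` block, so with `authentication: true` and `ad` left at its `{}` default the whole block is skipped and the application is told to authenticate with no authenticator configured, and when only one of the two keys is set the other renders as an empty or `<no value>` placeholder. A `required` guard in the style of the `dtap.stage` check at the top of the hunk, e.g. `application.security.http.authenticators.AdAuthenticator.baseDn: {{ required ".frank.security.http.ad.baseDn is required when authentication is enabled" .baseDn | quote }}` and the same for `.url`, fails the render instead of shipping a half-configured authenticator. Quoting also matches the `| quote` used on the `authentication` line and protects DN or URL values that contain YAML-significant sequences such as `: ` or ` #`. The `ad` block itself could use `required` rather than `with` once `authentication` is true.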
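Review bot: The new `-roles` ConfigMap dereferences `.Values.frank.security.http.ad.roles.tester` and its three siblings unconditionally, while `values.yaml` in this same patch defaults `ad` to `{}`; with `roles` absent Helm aborts rendering with a nil-pointer error when evaluating `.tester` on the missing `roles` map, so the chart no longer installs with its own defaults. Even when `roles` is set, the mapping file is emitted for deployments that have `authentication: false`. Wrap the document in `{{- if and .Values.frank.security.http.authentication .Values.frank.security.http.ad.roles }}` … `{{- end }}`, and apply the same condition to the matching volume and volumeMount that deployment.yaml adds in this patch, otherwise the pod references a ConfigMap that is not rendered.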
@@ -202,5 +228,5 @@ metadata:
 labels:
 {{- include "zaakbrug.labels" . | nindent 4 }}
 data:
- Profiles.json: {{ .Values.zaakbrug.globals | toJson | quote }}
+ Profiles.json: {{ .Values.zaakbrug.profiles | toJson | quote }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml
index eca085ac0..826c7bdf3 100644
--- a/charts/zaakbrug/templates/deployment.yaml
+++ b/charts/zaakbrug/templates/deployment.yaml
@@ -47,6 +47,10 @@ spec:
 mountPath: /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
 subPath: context.xml
 readOnly: true
+ - name: {{ template "zaakbrug.fullname" . }}-roles
+ mountPath: /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/ldap-role-mapping.properties
+ subPath: ldap-role-mapping.properties
+ readOnly: true
 {{- if .Values.zaakbrug.globals }}
 - name: {{ template "zaakbrug.fullname" . }}-globals
 mountPath: /opt/frank/configurations/Translate/Globals.json
@@ -73,6 +77,9 @@ spec:
 - name: http
 containerPort: 8080
 protocol: TCP
+ - name: https
+ containerPort: 8443
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /iaf/
@@ -84,6 +91,9 @@ spec:
 - name: {{ template "zaakbrug.fullname" . }}-config
 configMap:
 name: {{ template "zaakbrug.fullname" . }}-config
+ - name: {{ template "zaakbrug.fullname" . }}-roles
+ configMap:
+ name: {{ template "zaakbrug.fullname" . }}-roles
 - name: {{ template "zaakbrug.fullname" . }}-specifics
 configMap:
 name: {{ template "zaakbrug.fullname" . }}-specifics
diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml
index b8315ec0a..92cbd4104 100644
--- a/charts/zaakbrug/values.yaml
+++ b/charts/zaakbrug/values.yaml
@@ -98,6 +98,7 @@ timeZone: Etc/UTC
 zaakbrug:
 zgw:
+ # Empty values aren't allowed, so at least fill in the protocol.
 baseurl: "http://localhost:8000/"
 endpoint:
 zaak: "zaken/api/v1/zaken"
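Review bot: The ConfigMap body now reads `.Values.zaakbrug.profiles`, but the `{{- if .Values.zaakbrug.globals }}` that opens this document (above the hunk) and the `-globals` mount in deployment.yaml still key on `globals`, so a values file that sets `globals` without `profiles` renders `Profiles.json: "null"` and one that sets only `profiles` renders nothing at all. Either change the guard to `{{- if .Values.zaakbrug.profiles }}` together with the deployment condition, or keep reading `globals` here; note that this patch does not add a `profiles` key to `values.yaml`, so the new name is currently undocumented.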
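Review bot: The `-roles` volumeMount added in the `@@ -47` hunk, and the volume added in the `@@ -84` hunk, are unconditional, so every pod mounts `ldap-role-mapping.properties` even with `authentication: false`, and because the ConfigMap it comes from reads `ad.roles.*` the chart's default values fail to render. Guard both with the same condition as the ConfigMap, e.g. `{{- if .Values.frank.security.http.authentication }}` … `{{- end }}` around the mount and the volume. Since this is a `subPath` mount, a later change to the ConfigMap is not propagated into the running container; a comment on the mount such as `# subPath mounts are not refreshed on ConfigMap change; roll the pods after editing roles` would save an operator some debugging. The enclosing volumeMounts and volumes lists continue outside the hunk.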
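Review bot: Declaring containerPort 8443 in the `@@ -73` hunk does not by itself provide HTTPS: nothing in this patch configures a TLS connector or a certificate for the container, and `enforceHttps: true` (rendered as `transportGuarantee: CONFIDENTIAL` in configmap.yaml) typically makes the servlet container redirect plain requests on 8080 to the secure port. Unless the image already ships a listening 8443 connector, `enforceHttps` will produce redirects to a port nothing answers on, so the `values.yaml` comment should state where the certificate comes from, and any Service or Ingress that fronts the pod needs the `https` port as well.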
@@ -136,6 +137,22 @@ zaakbrug:
 coalesceResultaat: "Toegekend"
 frank:
+ security:
+ http:
+ authentication: false
+ enforceHttps: false
+ # Only supports active directory for now
+ ad: {}
# # LDAP url e.g.: ldap://172.0.0.1
# url:
# # Base DN e.g.: DC=example,DC=com
# baseDn:
# # Roles to map to AD roles. e.g. dataAdmin: CN=FunctionalAdministrator,CN=Users,DC=example,DC=com
# roles:
# observer:
# dataAdmin:
# admin:
# tester:
 # Secret containing the contents of the credentials.properties
 credentials:
 # Secret name in the cluster
@@ -153,7 +170,7 @@ frank:
 name: "ZaakBrug"
 dtap:
 # (required) Options: LOC, DEV, TST, ACC, PRD
- stage: LOC
+ stage:
 side: ""
 # Configurations to load.
 configurations:
diff --git a/src/main/resources/credentialprovider.properties b/src/main/resources/credentialprovider.properties
index eec954bdb..ab3e64e1d 100644
--- a/src/main/resources/credentialprovider.properties
+++ b/src/main/resources/credentialprovider.properties
@@ -1,7 +1,4 @@
-# This file is inclomplete and doens't get used by the Docker image for some reason
-# TODO: I'll have to investigate more
-
 credentialFactory.class=nl.nn.credentialprovider.PropertyFileCredentialFactory
-
-# This has been added to the ENV in the Dockerfile
+# TODO: This file will work again if the resources folder will be able to overwrite the AppConstants.
+# TODO: Move property back from ENV in the Dockerfile to here.
 #credentialFactory.map.properties=/opt/frank/secrets/credentials.properties
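Review bot: The commented example for `url` shows plain `ldap://172.0.0.1`; unless StartTLS is negotiated, the bind and group lookups the authenticator performs against the directory travel unencrypted, so the example should lead with `ldaps://` and say that plain `ldap://` is only for isolated test setups. `enforceHttps` and `authentication` get no explanation at all; a comment such as `# enforceHttps: true renders transportGuarantee CONFIDENTIAL, which redirects plain HTTP to the https port (8443) and therefore requires a working TLS connector in the image` and `# authentication: true requires the ad block below to be filled in` would make the coupling to configmap.yaml visible to chart users. The default `ad: {}` is the combination that makes the new `-roles` ConfigMap fail to render, which is raised on that hunk.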