From 510ead0632c880e8bb61cff55fa1f0077bf4bcaf Mon Sep 17 00:00:00 2001
From: "Shiba, Sidney (sx3394)"
Date: Thu, 8 Apr 2021 19:17:58 -0500
Subject: [PATCH] Dex integration with LDAP Instance - Charts
This patchset adds the LDAP connector in the dex chart value where it can be customized to connect to the lab's ITTESTSERVICES LDAP instance. The certificates needed by Dex is generated by Cert-Manager in the Ephemeral cluster (Secret named dex-apiserver-secret) and this Secret is then moved to the Target cluster through the command "airshipctl phase run clusterctl-move". This Secret (i.e., tls.crt) is used by API server for the OIDC plugin configuration, which MUST be done on the KubeadmControlPlane resource in the Ephemeral cluster. This patchset implements the Approach 1 described in https://hackmd.io/bdPFHBBSQy-IrpPe1U9itg.
Change-Id: I58419cad6b8d770285ceb84a3a3a0e8b3380ef15
---
 charts/dex-aio/templates/Deployment-dex.yaml | 3 +-
 charts/dex-aio/values.yaml | 67 +++++++++++++++++++-
 2 files changed, 67 insertions(+), 3 deletions(-)
diff --git a/charts/dex-aio/templates/Deployment-dex.yaml b/charts/dex-aio/templates/Deployment-dex.yaml
index 394d3e2e..adbcca76 100644
--- a/charts/dex-aio/templates/Deployment-dex.yaml
+++ b/charts/dex-aio/templates/Deployment-dex.yaml
@@ -105,7 +105,8 @@ spec:
 - serve
 - /etc/dex/dex.yaml
 env:
- - name: LDAP_BINDPW
+ # - name: LDAP_BINDPW
+ - name: {{ .Values.params.ldap.config.bind_pw_env }}
 valueFrom:
 secretKeyRef:
 name: {{ template "helpers.labels.fullname" . }}
diff --git a/charts/dex-aio/values.yaml b/charts/dex-aio/values.yaml
index 79dfc2cc..01a16e23 100644
--- a/charts/dex-aio/values.yaml
+++ b/charts/dex-aio/values.yaml
@@ -5,7 +5,7 @@ images:
 applications:
 dex:
- tag: v2.20.0
+ tag: v2.28.1
 name: dexidp/dex
 repo: quay.io
 nginx: 
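Review bot: The templated environment variable name on the added `- name: {{ .Values.params.ldap.config.bind_pw_env }}` line in Deployment-dex.yaml is unquoted, so an empty or unset `bind_pw_env` renders a bare `- name:` (null) and the Deployment is rejected at apply time; quote it as `- name: "{{ .Values.params.ldap.config.bind_pw_env }}"`, or wrap the value in Helm's `required` so a missing setting fails at render time with a message. The commented-out `# - name: LDAP_BINDPW` line kept just above it is dead text that duplicates the default now living in values.yaml and should be dropped. The container `env` block this hunk edits continues outside the hunk (the `secretKeyRef` `key:` line is not shown), so whether the Secret key paired with the renamed variable still lines up could not be checked here.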
@@ -47,7 +47,28 @@ params:
 client_id: my-cluster
 client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
 ldap:
- bind_password: super-secure
+ bind_password: "super-secure"
+ name: ITTESTSERVICES
+ config:
+ host: ldap.test.com
+ port: 636
+ bind_dn: uid@ldap.services.test.com
+ bind_pw_env: LDAP_BINDPW
+ username_prompt: SSO Username
+ user_search:
+ base_dn: dc=ldap,dc=services,dc=test,dc=com
+ filter: "(objectClass=person)"
+ username: cn
+ idAttr: cn
+ emailAttr: name
+ nameAttr: name
+ group_search:
+ base_dn: ou=groups,dc=ldap,dc=services,dc=test,dc=com
+ filter: "(objectClass=group)"
+ userMatchers:
+ userAttr: name
+ groupAttr: member
+ nameAttr: name
 over_rides:
 deployment: 
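Review bot: The added `bind_password: "super-secure"` ships a usable-looking LDAP bind password as the chart default, so any site that forgets to override it binds to the directory with a credential that is public in the repository and in every rendered manifest; prefer an empty default, `bind_password: ""`, with the comment `# Must be set per site; the chart ships no usable default`, and have the template that consumes it refuse to render when it is empty (Helm's `required`). The same applies to the pre-existing `client_secret` shown as context, which this change does not touch. The new `config` block also mixes `snake_case` keys (`base_dn`, `bind_dn`, `user_search`) with `camelCase` ones (`idAttr`, `emailAttr`, `nameAttr`, `userMatchers`) under one mapping; pick a single convention for values.yaml keys, since the Dex-side names are already spelled out in the template.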
@@ -84,6 +105,48 @@ config:
 - token
 - id_token
 skipApprovalScreen: true
+ connectors:
+ - type: ldap
+ name: "{{ .Values.params.ldap.name }}"
+ id: ldap
+ config:
+ # LDAPS without certificate validation:
+ host: "{{ .Values.params.ldap.config.host }}:{{ .Values.params.ldap.config.port }}"
+ insecureNoSSL: false
+ insecureSkipVerify: true
+
+ bindDN: "{{ .Values.params.ldap.config.bind_dn }}"
+ bindPW: "${{ .Values.params.ldap.config.bind_pw_env }}"
+
+ # usernamePrompt: Email Address
+ usernamePrompt: "{{ .Values.params.ldap.config.username_prompt }}"
+
+ userSearch:
+ # The directory directly above the user entry.
+ baseDN: "{{ .Values.params.ldap.config.user_search.base_dn }}"
+ filter: "{{ .Values.params.ldap.config.user_search.filter }}"
+ # Expect user to enter "attuid" when logging in.
+ username: "{{ .Values.params.ldap.config.user_search.username }}"
+ idAttr: "{{ .Values.params.ldap.config.user_search.idAttr }}"
+ # When an email address is not available, use another value unique to the user, like name.
+ emailAttr: "{{ .Values.params.ldap.config.user_search.emailAttr }}"
+ nameAttr: "{{ .Values.params.ldap.config.user_search.nameAttr }}"
+
+ groupSearch:
+ # The directory directly above the group entry.
+ # baseDN: cn=groups,cn=compat,dc=example,dc=org
+ baseDN: "{{ .Values.params.ldap.config.group_search.base_dn }}"
+ filter: "{{ .Values.params.ldap.config.group_search.filter }}"
+
+ # The group search needs to match the "cn" attribute on
+ # the user with the "member" attribute on the group.
+ userMatchers:
+ - userAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.userAttr }}"
+ groupAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.groupAttr }}"
+
+ # Unique name of the group.
+ nameAttr: "{{ .Values.params.ldap.config.group_search.nameAttr }}"
+
 staticClients:
 - id: "{{ .Values.params.oidc.client_id }}"
 name: "{{ .Values.params.site.name }}"
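Review bot: `insecureSkipVerify: true` in the new connector `config` disables certificate validation on the LDAPS connection, so the bind credential and every user password Dex forwards to the directory are exposed to anyone able to interpose on the path to `host`; the leading comment `# LDAPS without certificate validation:` shows this is deliberate, but it should not be the shipped default. Set `insecureSkipVerify: false` and pin the directory's CA through Dex's `rootCAData: "{{ .Values.params.ldap.config.root_ca_data }}"` (a new values key; the name is a suggestion) or `rootCA` pointing at a mounted file, and reword the comment to say validation is on. `bindPW: "${{ .Values.params.ldap.config.bind_pw_env }}"` renders to `$LDAP_BINDPW` with the defaults and relies on Dex expanding environment variables in its config file — presumably that is what the env entry added to Deployment-dex.yaml feeds, but a one-line comment such as `# $VAR is expanded by Dex from the container environment` would save the next reader the cross-reference.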