
feat(ldap): Support reading bind username and password from secret #149

Conversation

@jsirianni jsirianni commented Aug 20, 2024

Description of Changes

Changes

  • Fixed an issue where a basic auth username and password are expected even when LDAP is selected for auth
  • Added three new options for reading the LDAP / AD bind username and password from a K8s secret.

New Options

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| auth.ldap.bindCredentialSecret.name | string | `""` | Kubernetes secret name that contains the bind username and password. |
| auth.ldap.bindCredentialSecret.passwordKey | string | `""` | The secret's subPath which contains the bind password. |
| auth.ldap.bindCredentialSecret.usernameKey | string | `""` | The secret's subPath which contains the bind username. |

When .Values.auth.ldap.bindCredentialSecret.name is set, it is assumed that auth.ldap.bindCredentialSecret.passwordKey and auth.ldap.bindCredentialSecret.usernameKey are also set. Instead of reading the plain text credentials, the environment variables will be set by reading from the k8s secret.

Testing

Fire up minikube. I always delete and re-create. Up to you.

```shell
minikube delete
minikube start
```

First, deploy the chart using the existing options. We will update to the secret after.

  1. Create the license secret

```shell
kubectl create secret generic bindplane \
  --from-literal=license=$BINDPLANE_LICENSE
```

  2. Create values.yaml. Reach out to me for a values file as it contains sensitive values related to our ldap server.
  3. Connect to our VPN to access our dev LDAP server
  4. Deploy the Helm chart

```shell
helm upgrade \
  --install bindplane \
  ./charts/bindplane \
  --values values.yaml
```

Once the pods are ready, try logging into the server.

  1. `kubectl port-forward bindplane-0 3011:3001`
  2. http://localhost:3011

If it is working, try switching to a secret. Use the secret command I gave you; it will look similar to this but contain the real credentials for the dev ldap server.

```shell
kubectl create secret generic bindplane-ldap-bind \
  --from-literal=username=REDACTED \
  --from-literal=password='REDACTED'
```

Update the values.yaml file to use a secret.

```yaml
...
auth:
...
  ldap:
...
    bindCredentialSecret:
      name: bindplane-ldap-bind
      usernameKey: username
      passwordKey: password
...
```

Update the deployment. You should see the pods cycle.

```shell
helm upgrade \
  --install bindplane \
  ./charts/bindplane \
  --values values.yaml
```

Once the new BindPlane pod is running, inspect its environment and make sure it is referencing a secret for BINDPLANE_LDAP_BIND_USER and BINDPLANE_LDAP_BIND_PASSWORD.

```shell
kubectl get pod bindplane-0 \
  -o json | jq ".spec.containers[0].env"
```

It should look like this:

```json
  {
    "name": "BINDPLANE_LDAP_BIND_USER",
    "valueFrom": {
      "secretKeyRef": {
        "key": "username",
        "name": "bindplane-ldap-bind",
        "optional": false
      }
    }
  },
  {
    "name": "BINDPLANE_LDAP_BIND_PASSWORD",
    "valueFrom": {
      "secretKeyRef": {
        "key": "password",
        "name": "bindplane-ldap-bind",
        "optional": false
      }
    }
  },
```

Log into BindPlane again using the port-forwarding command and http://localhost:3011.

Please check that the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • CI passes
  • Changes to ports, services, or other networking have been tested with istio

@jsirianni jsirianni marked this pull request as ready for review August 20, 2024 14:59
@jsirianni jsirianni requested a review from tbm48813 as a code owner August 20, 2024 14:59
@jsirianni jsirianni requested a review from algchoo August 20, 2024 14:59
@jsirianni jsirianni force-pushed the joesirianni/bpop-612-helm-ldap-read-bind-credentials-from-secret branch from f4546ad to cc6ce67 August 26, 2024 17:37
@jsirianni jsirianni merged commit 7731313 into main Aug 26, 2024
19 checks passed
@jsirianni jsirianni deleted the joesirianni/bpop-612-helm-ldap-read-bind-credentials-from-secret branch August 26, 2024 18:18