Support ldap auth + small fixes

2023-10-30 21:50:28 +01:00 · 2023-10-30 21:50:28 +01:00 · cf1f536658
commit cf1f536658
parent 3212e80baf
4 changed files with 67 additions and 5 deletions
--- a/manage.nomad.hcl
+++ b/manage.nomad.hcl
@ -5,7 +5,9 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
  type = "batch"
 [[- if and (has .pg.manage "cron") (ne .pg.manage.cron "") ]]
  periodic {
-    cron             = [[ .pg.manage.cron | toJSON ]]
+    crons           = [
+      [[ .pg.manage.cron | toJSON ]]
+    ]
    prohibit_overlap = true
  }
 [[- else ]]
@ -67,6 +69,8 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
        LDAP2PG_MODE = [[ .pg.manage.mode | toJSON ]]
      }

+[[ template "common/file_env.tpl" .pg.manage.env ]]
+
      template {
        data =<<_EOF
 PGHOST=localhost
@ -74,7 +78,7 @@ PGPORT=5432
 PGUSER=postgres
 PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}
 _EOF
-        destination = "secrets/env"
+        destination = "secrets/pg-manage.env"
        uid = 100000
        gid = 100000
        perms = 0400
--- a/postgres.nomad.hcl
+++ b/postgres.nomad.hcl
@ -380,6 +380,11 @@ _EOT
        gid         = 100000
        env         = true
      }
+
+      resources {
+        cpu    = 10
+        memory = 24
+      }
    }
 [[- end ]]
  }
--- a/templates/patroni.yml.tpl
+++ b/templates/patroni.yml.tpl
@ -53,6 +53,11 @@ postgresql:
    - local   all         postgres                  peer
    - local   replication postgres                  peer
    - local   all         postgres                  scram-sha-256
+[[- if .pg.server.ldap_auth.enabled ]]
+    - host    all         +ldap_roles  127.0.0.0/8  ldap ldapserver="[[ join .pg.server.ldap_auth.servers " " ]]" ldapport=[[ .pg.server.ldap_auth.port ]] [[ if .pg.server.ldap_auth.starttls ]]ldaptls=1 [[ end ]]ldapbasedn="[[ .pg.server.ldap_auth.base_dn ]]"
+    [[- if and (has .pg.server.ldap_auth "bind_dn") (has .pg.server.ldap_auth "bind_password") ]] ldapbinddn="[[ .pg.server.ldap_auth.bind_dn ]]" ldapbindpasswd="[[ .pg.server.ldap_auth.bind_password ]]" [[ end -]]
+    ldapsearchfilter="[[ .pg.server.ldap_auth.search_filter ]]"
+[[- end ]]
    - host    all         all          127.0.0.0/8  scram-sha-256
    - host    replication backup       127.0.0.0/8  scram-sha-256
    - hostssl replication replicator   0.0.0.0/0    cert clientcert=verify-full map=patroni-map
--- a/variables.yml
+++ b/variables.yml
@ -63,6 +63,34 @@ pg:
      archive_timeout: 900
      wal_keep_size: 512

+    # You can configure ldap auth for postgres
+    # users needing ldap auth should be members of the ldap_roles role in postgres
+    ldap_auth:
+
+      # Is the auth enabled
+      enabled: false
+
+      # List of servers to try to connect to
+      servers:
+        - localhost
+
+      # Port
+      port: 389
+
+      # Should StartTLS be used to connect
+      starttls: true
+
+      # The base DN where postgres will start looking for users
+      base_dn: OU=People,DC=example,DC=org
+
+      # Search filter to find matching users
+      search_filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_DBA,OU=Roles,DC=example,DC=org)(sAMAccountName=$username))"
+
+      # Optional bind DN and password to do the search operation
+      # If undefined, the search will be done anonymously
+      #bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
+      bind_password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
+
    # Resource allocation for the container
    resources:
      cpu: 500
@ -134,28 +162,41 @@ pg:
  manage:
    # Image to use
    image: danielberteaud/ldap2pg:6.0-1
+
    # Resource allocation
    resources:
      cpu: 20
      memory: 32
+
    # Additional env var
    env: {}
+
    # Connection to postgres through the service mesg
    consul:
      connect:
        upstreams:
          - destination_name: "[[ .pg.instance ]]"
            local_bind_port: 5432
+
    # List of databases to create (so permissions can be applied)
    # For each database, a role with the same name (and NOLOGIN) will be created and be owner of the database
+    # databases:
+    #   - name: vaultwarden
+    #   - name: odoo
+    #     owner: erp
+    #     encoding: UTF-8
+    #     locale: fr_FR.utf8
    databases: []
+
    # Schedule to run ldap2pg regularily, to ensure permissions are up to date
    # This is especially useful when syncing roles from LDAP
    # An empty string disable running the job as a cron
    cron: ""
+
    # mode can be dry (no change will be made) or real
    #
    mode: dry
+
    # Default config for ldap2pg (except for rules which are handled separately)
    default_config:
      version: 6
@ -228,17 +269,20 @@ pg:
          - name: dba
            comment: "Databases admins"
            options: SUPERUSER NOLOGIN
-            parents: managed_roles
+            parents:
+              - managed_roles

          - name: rewind
            comment: "Databases rewinder"
            options: LOGIN
-            parents: managed_roles
+            parents:
+              - managed_roles

          - name: vault
            comment: "Hashicorp Vault"
            options: CREATEROLE LOGIN
-            parents: managed_roles
+            parents:
+              - managed_roles

      - grant:
          role: vault
@ -250,6 +294,10 @@ pg:
          privileges: rewinder
          databases: postgres

+      - grant:
+          role: dba
+          privileges: owner
+
    # Additional custom rules to apply (will be appended to default_rules)
    rules: []