SPSH-837: LDAP im AutoDeployment befuellen (#575)

* adjust configuration for LDAP to accept environmental variables for cluster use

* fix lint

* fixing

* deleted ldap-deployment

* adjust values.yaml

* adjust seeding to create LDAP entries

* add ldap-admin-password to secret.yaml

* ldap-address now depending on Release-namespace

* fix lint

* fix ldapClient issue when seeding

* disconnect from LDAP on moduleDestroy

* rm commented code

---------

Co-authored-by: aimee-889 <[email protected]>

.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml

@@ -65,7 +65,7 @@ jobs:
       container_registry: "ghcr.io"
       fail_on_vulnerabilites: false
       report_location: "Dockerfile"
-  
+
   scheduled_trivy_scan:
     name: "Scheduled trivy scan of latest image"
     if: ${{ github.event_name == 'schedule' }}
@@ -86,10 +86,10 @@ jobs:
 
   select_helm_version_generation_and_image_tag_generation:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
-    needs: 
+    needs:
       - scan_helm
     runs-on: ubuntu-latest
-    outputs: 
+    outputs:
       SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }}
       SELECT_IMAGE_TAG_GENERATION: ${{ steps.select_generation.outputs.SELECT_IMAGE_TAG_GENERATION }}
     steps:
@@ -105,7 +105,7 @@ jobs:
           fi
   release_helm:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
-    needs: 
+    needs:
       - select_helm_version_generation_and_image_tag_generation
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@5
     secrets: inherit
@@ -120,7 +120,7 @@ jobs:
 
   create_branch_identifier:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
-    needs: 
+    needs:
       - branch_meta
     uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3
     with:
@@ -165,4 +165,4 @@ jobs:
       - create_branch_identifier_for_deletion
     runs-on: ubuntu-latest
     steps:
-      - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done" 
+      - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done"

charts/dbildungs-iam-server/config/config.json

@@ -28,9 +28,9 @@
     "USE_TLS": false
   },
   "LDAP": {
-    "URL": "ldap://dbildungs-iam-server-ldap",
+    "URL": "ldap://spsh-xxx.svc.cluster.local",
     "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
-    "PASSWORD": "admin"
+    "ADMIN_PASSWORD": "password"
   },
   "DATA": {
     "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"

charts/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl

@@ -41,4 +41,9 @@
               secretKeyRef:
                   name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
                   key: itslearning-password
-{{- end}}
+          - name: LDAP_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: ldap-admin-password
+{{- end}}

charts/dbildungs-iam-server/templates/configmap.yaml

@@ -15,4 +15,6 @@ data:
   FRONTEND_OIDC_CALLBACK_URL: "https://{{ .Values.backendHostname }}/api/auth/login"
   FRONTEND_DEFAULT_LOGIN_REDIRECT: "https://{{ .Values.backendHostname }}/"
   FRONTEND_LOGOUT_REDIRECT: "https://{{ .Values.backendHostname }}/"
-  BACKEND_HOSTNAME: "{{.Values.backendHostname}}"
+  BACKEND_HOSTNAME: "{{ .Values.backendHostname }}"
+  LDAP_URL: '{{ .Values.ldap.url | replace "spsh-xxx" .Release.Namespace }}'
+  LDAP_BIND_DN: "{{ .Values.ldap.bindDN }}"

charts/dbildungs-iam-server/templates/secret.yaml

@@ -12,6 +12,7 @@ data:
   db-username: {{ .Values.database.username }}
   keycloak-adminSecret: {{ .Values.auth.keycloak_adminSecret }}
   keycloak-clientSecret: {{ .Values.auth.keycloak_clientSecret }}
+  ldap-admin-password: {{ .Values.auth.ldap_admin_password }}
   itslearning-endpoint: {{ .Values.auth.itslearning_endpoint }}
   itslearning-username: {{ .Values.auth.itslearning_username }}
   itslearning-password: {{ .Values.auth.itslearning_password }}

charts/dbildungs-iam-server/values.yaml

@@ -26,12 +26,19 @@ database:
   password: ""
   username: "dbildungs_iam_server"
 
+
+ldap:
+  url: ldap://dbildungs-iam-ldap.spsh-xxx.svc.cluster.local
+  bindDN: cn=admin,dc=schule-sh,dc=de
+
+
 auth:
   # existingSecret: Refers to a secret already present in the cluster, which is required.
   existingSecret: ""
   secretName: dbildungs-iam-server
   keycloak_adminSecret: ""
   keycloak_clientSecret: ""
+  ldap_admin_password: ""
   secrets_json: ""
   frontend_sessionSecret: ""
   itslearning_endpoint: ""
@@ -155,23 +162,3 @@ redis:
   extraEnvVars: []
   extraVolumes: []
   extraVolumeMounts: []
-
-ldap:
-  image:
-    repository: docker.io/osixia/openldap
-    tag: "1.5.0"
-    pullPolicy: IfNotPresent
-  resources:
-    limits:
-      cpu: 2
-      memory: 4G
-      ephemeral-storage: 2Gi
-    requests:
-      cpu: 200m
-      memory: 200Mi
-  adminPassword: admin
-  configPassword: config
-  service:
-    type: ClusterIP
-    ports:
-      ldap: 389

config/config.json

@@ -38,7 +38,7 @@
     "LDAP": {
         "URL": "ldap://localhost",
         "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
-        "PASSWORD": "admin"
+        "ADMIN_PASSWORD": "admin"
     },
     "DATA": {
         "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"

src/console/console.module.ts

@@ -24,6 +24,7 @@ import { Migrator, TSMigrationGenerator } from '@mikro-orm/migrations';
 import { DbInitMigrationConsole } from './dbmigrate/db-init-migration.console.js';
 import { DbCreateMigrationConsole } from './dbmigrate/db-create-migration.console.js';
 import { DbApplyMigrationConsole } from './dbmigrate/db-apply-migration.console.js';
+import { LdapModule } from '../core/ldap/ldap.module.js';
 
 @Module({
     imports: [
@@ -34,6 +35,7 @@ import { DbApplyMigrationConsole } from './dbmigrate/db-apply-migration.console.
         RolleModule,
         ServiceProviderModule,
         PersonenKontextModule,
+        LdapModule,
         DbSeedModule,
         LoggerModule.register(ConsoleModule.name),
         ConfigModule.forRoot({

src/console/dbseed/db-seed.console-mocked-db-seed-repo.integration-spec.ts

@@ -24,6 +24,7 @@ import { DbSeedStatus } from './repo/db-seed.entity.js';
 import { DBiamPersonenkontextService } from '../../modules/personenkontext/domain/dbiam-personenkontext.service.js';
 import { DbSeedReferenceRepo } from './repo/db-seed-reference.repo.js';
 import { PersonenKontextModule } from '../../modules/personenkontext/personenkontext.module.js';
+import { LdapClient } from '../../core/ldap/domain/ldap-client.js';
 
 describe('DbSeedConsoleMockedDbSeedRepo', () => {
     let module: TestingModule;
@@ -57,6 +58,10 @@ describe('DbSeedConsoleMockedDbSeedRepo', () => {
                     provide: DbSeedRepo,
                     useValue: createMock<DbSeedRepo>(),
                 },
+                {
+                    provide: LdapClient,
+                    useValue: createMock<LdapClient>(),
+                },
             ],
         })
             .overrideModule(KeycloakConfigModule)

src/console/dbseed/db-seed.module.ts

@@ -13,9 +13,11 @@ import { KeycloakAdministrationModule } from '../../modules/keycloak-administrat
 import { DbSeedRepo } from './repo/db-seed.repo.js';
 import { DBiamPersonenkontextRepo } from '../../modules/personenkontext/persistence/dbiam-personenkontext.repo.js';
 import { DbSeedReferenceRepo } from './repo/db-seed-reference.repo.js';
+import { LdapModule } from '../../core/ldap/ldap.module.js';
 
 @Module({
     imports: [
+        LdapModule,
         PersonModule,
         PersonenKontextModule,
         OrganisationModule,