Allow for configuring of ActiveDirectory at init

hazelcast · Sep 18, 2023 · 154f493 · 154f493
1 parent 336cab7
commit 154f493
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 46 deletions.
diff --git a/stable/hazelcast-enterprise/templates/mancenter-statefulset.yaml b/stable/hazelcast-enterprise/templates/mancenter-statefulset.yaml
@@ -164,19 +164,33 @@ spec:
         - name: MC_LICENSE_KEY
           value: {{ .Values.hazelcast.licenseKey }}
         {{- end }}
+        {{- $securityResetCommand := "" }}
+        {{- $securityConfigureCommand := "" }}
+        {{- with .Values.mancenter.security}}
+          {{- if or .activeDirectory.enabled .devMode.enabled}}
+            {{- $securityResetCommand = "./bin/mc-conf.sh security reset --lenient=true -H /data; " }}
+          {{- end }}
+          {{- if .activeDirectory.enabled }}
+            {{- with .activeDirectory }}
+              {{- $adminGroups := join ";" .adminGroups }}
+              {{- $userGroups := join ";" .userGroups }} 
+              {{- $readOnlyGroups := join ";" .readOnlyGroups }}
+              {{- $metricOnlyGroups := join ";" .metricOnlyGroups }}
+              {{- $nestedGroups := ternary "--nested-group-search" "" .nestedGroupSearch }}
+              {{- $securityConfigureCommand = printf "./bin/mc-conf.sh active-directory configure --home=/data --lenient=true --url='%s' --domain='%s' --user-search-filter='%s' --admin-groups='%s' --read-write-groups='%s' --read-only-groups='%s' --metrics-only-groups='%s' %s --verbose; " .url .domain .userSearchFilter  $adminGroups $userGroups $readOnlyGroups $metricOnlyGroups $nestedGroups }}
+            {{- end }}
+          {{- else if or $.Values.mancenter.devMode.enabled .devMode.enabled }}
+            {{- $securityConfigureCommand = "./bin/mc-conf.sh dev-mode configure; " }}
+          {{- end }}
+        {{- end }}
         {{- $clusterConfigCommand := "" }}
         {{- if .Values.mancenter.clusterConfig.create }}
         {{- $clusterConfigCommand = "./bin/mc-conf.sh cluster add --lenient=true -H /data -cc /config/hazelcast-client.yaml; " }}
         {{- end }}
-        {{- if .Values.mancenter.devMode.enabled }}
-        - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}./bin/mc-conf.sh dev-mode configure"
-        {{- else if .Values.mancenter.clusterConfig.create }}
         - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}"
-        {{- end }}
+          value: "{{ $securityResetCommand }}{{ $securityConfigureCommand }}{{ $clusterConfigCommand }}{{ $securityResetCommand }}{{ $securityConfigureCommand }}"
         - name: JAVA_OPTS
-          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
+          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} {{ if $securityResetCommand }} -Dhazelcast.mc.lock.skip=true {{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
         {{- with .Values.mancenter.env }}
           {{- toYaml . | nindent 8 }}
         {{- end }}        
@@ -245,4 +259,4 @@ spec:
         requests:
           storage: {{ .Values.mancenter.persistence.size | quote }}
   {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/stable/hazelcast-enterprise/values.yaml b/stable/hazelcast-enterprise/values.yaml
@@ -354,11 +354,6 @@ mancenter:
     # pullSecrets:
     # - myRegistryKeySecretName
 
-  # Dev mode is for the Hazelcast clusters running on your local for development
-  # or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
-  devMode:
-    enabled: false
-
   # ingress configuration for mancenter
   ingress:
     enabled: false
@@ -388,9 +383,35 @@ mancenter:
   # licenseKeySecretName is the name of the secret where the Hazelcast Management Center License Key is stored (can be used instead of licenseKey)
   # licenseKeySecretName:
 
+  # Dev mode is for the Hazelcast clusters running on your local for development or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
+  # Deprected in favor of the `security` config block.
+  # This is mutually exclusive with adminCredentialsSecretName
+  devMode:
+    enabled: false
+
   # adminCredentialsSecretName is Kubernetes Secret Name for admin credentials. Secret has to contain `username` and `password` literals. please check Management Center documentation for password requirements
+  # If this is set it will conflict with devMode or security.activeDirectory.enabled == true
   # adminCredentialsSecretName:
 
+  security:
+    # The follow options are mutually exclusive
+    devMode:
+      enabled: false
+    activeDirectory:
+      enabled: false
+      url: ldap://localhost:10389
+      domain: example.com
+      userSearchFilter: "(&(objectClass=user)(userPrincipalName={0}))"
+      nestedGroupSearch: true
+      adminGroups: #[]
+        - HazelcastMCAdmin
+      userGroups: #[]
+        - HazelcastMCUser
+      readOnlyGroups: #[]
+        - HazelcastMCReadonlyUser
+      metricOnlyGroups: #[]
+        - HazelcastMCMetricsOnlyUser
+
   # existingConfigMap defines a ConfigMap which contains Hazelcast Client configuration file(s) that are used instead of hazelcast-client.yaml configuration below
   # existingConfigMap:
   # yaml is the Hazelcast Client YAML configuration file
@@ -401,6 +422,10 @@ mancenter:
           enabled: true
           service-name: ${serviceName}
           namespace: ${namespace}
+  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
+  clusterConfig:
+    # create is a flag used to enable cluster config creation
+    create: true
 
   # annotations is an array of metadata for Management Center Statefulset
   annotations: {}
@@ -512,10 +537,6 @@ mancenter:
     # failureThreshold is the minimum consecutive failures for the probe to be considered failed after having succeeded
     failureThreshold: 3
 
-  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
-  clusterConfig:
-    # create is a flag used to enable cluster config creation
-    create: true
   # secretsMountName is the secret name that is mounted as '/data/secrets/' (e.g. with keystore/trustore files)
   # secretsMountName:
 

diff --git a/stable/hazelcast/templates/mancenter-statefulset.yaml b/stable/hazelcast/templates/mancenter-statefulset.yaml
@@ -164,19 +164,33 @@ spec:
         - name: MC_LICENSE_KEY
           value: {{ .Values.hazelcast.licenseKey }}
         {{- end }}
+        {{- $securityResetCommand := "" }}
+        {{- $securityConfigureCommand := "" }}
+        {{- with .Values.mancenter.security}}
+          {{- if or .activeDirectory.enabled .devMode.enabled}}
+            {{- $securityResetCommand = "./bin/mc-conf.sh security reset --lenient=true -H /data; " }}
+          {{- end }}
+          {{- if .activeDirectory.enabled }}
+            {{- with .activeDirectory }}
+              {{- $adminGroups := join ";" .adminGroups }}
+              {{- $userGroups := join ";" .userGroups }} 
+              {{- $readOnlyGroups := join ";" .readOnlyGroups }}
+              {{- $metricOnlyGroups := join ";" .metricOnlyGroups }}
+              {{- $nestedGroups := ternary "--nested-group-search" "" .nestedGroupSearch }}
+              {{- $securityConfigureCommand = printf "./bin/mc-conf.sh active-directory configure --home=/data --lenient=true --url='%s' --domain='%s' --user-search-filter='%s' --admin-groups='%s' --read-write-groups='%s' --read-only-groups='%s' --metrics-only-groups='%s' %s --verbose; " .url .domain .userSearchFilter  $adminGroups $userGroups $readOnlyGroups $metricOnlyGroups $nestedGroups }}
+            {{- end }}
+          {{- else if or $.Values.mancenter.devMode.enabled .devMode.enabled }}
+            {{- $securityConfigureCommand = "./bin/mc-conf.sh dev-mode configure; " }}
+          {{- end }}
+        {{- end }}
         {{- $clusterConfigCommand := "" }}
         {{- if .Values.mancenter.clusterConfig.create }}
         {{- $clusterConfigCommand = "./bin/mc-conf.sh cluster add --lenient=true -H /data -cc /config/hazelcast-client.yaml; " }}
         {{- end }}
-        {{- if .Values.mancenter.devMode.enabled }}
-        - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}./bin/mc-conf.sh dev-mode configure"
-        {{- else if .Values.mancenter.clusterConfig.create }}
         - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}"
-        {{- end }}
+          value: "{{ $securityResetCommand }}{{ $securityConfigureCommand }}{{ $clusterConfigCommand }}{{ $securityResetCommand }}{{ $securityConfigureCommand }}"
         - name: JAVA_OPTS
-          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
+          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} {{ if $securityResetCommand }} -Dhazelcast.mc.lock.skip=true {{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
         {{- with .Values.mancenter.env }}
           {{- toYaml . | nindent 8 }}
         {{- end }}        

diff --git a/stable/hazelcast/values.yaml b/stable/hazelcast/values.yaml
@@ -121,8 +121,6 @@ livenessProbe:
   path: /hazelcast/health/node-state
   # port that will be used in liveness probe calls
   # port:
-  # HTTPS or HTTP scheme
-  scheme: HTTP
 
 # Hazelcast Readiness probe
 readinessProbe:
@@ -142,8 +140,6 @@ readinessProbe:
   path: /hazelcast/health/ready
   # port that will be used in readiness probe calls
   # port:
-  # HTTPS or HTTP scheme
-  scheme: HTTP
 
 # Configure resource requests and limits
 # ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -217,11 +213,6 @@ securityContext:
   # readOnlyRootFilesystem is a flag to enable readOnlyRootFilesystem for the Hazelcast security context
   readOnlyRootFilesystem: true
 
-# Hazelcast Jet Engine
-jet:
-  # enabled is a flag to enabled Jet engine
-  enabled: true
-
 # Allows to enable a Prometheus to scrape pods, implemented for Hazelcast version >= 3.12 (or 'latest')
 metrics:
   enabled: false
@@ -270,9 +261,6 @@ metrics:
   #        description: |
   #          Hazelcast instance {{ "{{ $labels.pod }}" }} is using {{ "{{ $value }}" }}% of its available memory.
 
-# secretsMountName is the secret name that is mounted as '/data/secrets/' (e.g. with keystore/trustore files)
-# secretsMountName:
-
 # customVolume is the configuration for any volume mounted as '/data/custom/' and exposed to classpath (e.g. to mount a volume with custom JARs)
 # customVolume:
 
@@ -299,6 +287,11 @@ env: []
   #       key: db-username
   #       name: servicename-db-creds
 
+# Hazelcast Jet Engine
+jet:
+  # enabled is a flag to enabled Jet engine
+  enabled: true
+
 # Hazelcast Management Center application properties
 mancenter:
   # enabled is a flag to enable Management Center application
@@ -324,11 +317,6 @@ mancenter:
     # pullSecrets:
     # - myRegistryKeySecretName
 
-  # Dev mode is for the Hazelcast clusters running on your local for development
-  # or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
-  devMode:
-    enabled: false
-
   # ingress configuration for mancenter
   ingress:
     enabled: false
@@ -358,9 +346,35 @@ mancenter:
   # licenseKeySecretName is the name of the secret where the Hazelcast Management Center License Key is stored (can be used instead of licenseKey)
   # licenseKeySecretName:
 
+  # Dev mode is for the Hazelcast clusters running on your local for development or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
+  # Deprected in favor of the `security` config block.
+  # This is mutually exclusive with adminCredentialsSecretName
+  devMode:
+    enabled: false
+
   # adminCredentialsSecretName is Kubernetes Secret Name for admin credentials. Secret has to contain `username` and `password` literals. please check Management Center documentation for password requirements
+  # If this is set it will conflict with devMode or security.activeDirectory.enabled == true
   # adminCredentialsSecretName:
 
+  security:
+    # The follow options are mutually exclusive
+    devMode:
+      enabled: false
+    activeDirectory:
+      enabled: false
+      url: ldap://localhost:10389
+      domain: example.com
+      userSearchFilter: "(&(objectClass=user)(userPrincipalName={0}))"
+      nestedGroupSearch: true
+      adminGroups: #[]
+        - HazelcastMCAdmin
+      userGroups: #[]
+        - HazelcastMCUser
+      readOnlyGroups: #[]
+        - HazelcastMCReadonlyUser
+      metricOnlyGroups: #[]
+        - HazelcastMCMetricsOnlyUser
+
   # existingConfigMap defines a ConfigMap which contains Hazelcast Client configuration file(s) that are used instead of hazelcast-client.yaml configuration below
   # existingConfigMap:
   # yaml is the Hazelcast Client YAML configuration file
@@ -371,6 +385,10 @@ mancenter:
           enabled: true
           service-name: ${serviceName}
           namespace: ${namespace}
+  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
+  clusterConfig:
+    # create is a flag used to enable cluster config creation
+    create: true
 
   # annotations is an array of metadata for Management Center Statefulset
   annotations: {}
@@ -482,10 +500,6 @@ mancenter:
     # failureThreshold is the minimum consecutive failures for the probe to be considered failed after having succeeded
     failureThreshold: 3
 
-  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
-  clusterConfig:
-    # create is a flag used to enable cluster config creation
-    create: true
   # secretsMountName is the secret name that is mounted as '/data/secrets/' (e.g. with keystore/trustore files)
   # secretsMountName:
 
@@ -575,4 +589,4 @@ test:
 
 ## Array of extra objects to deploy with the release
 ##
-extraDeploy: []
+extraDeploy: []