
Enable setting the CA for replication. #198

Merged
merged 1 commit into from
Oct 21, 2024

Conversation

chalharu
Contributor

What this PR does / why we need it:

Enable the configuration of the Certificate Authority for replication to validate certificates signed by a custom root certificate.

Pre-submission checklist:

  • Did you explain what problem this PR solves, or what new features have been added?
  • Have you updated the readme?
  • Is this PR backward compatible? If it is not backward compatible, please discuss it or open a ticket first

@jp-gouin
Owner

Hi thanks @chalharu for the PR.
I tried it and did not see any change.

I created a secret for the certificate and put it under custom-cert. Then I used the following values:

initTLSSecret:
  tls_enabled: true
  image:
    registry: docker.io
    repository: alpine/openssl
    tag: latest
    pullPolicy: IfNotPresent
  secret: "custom-cert"
replication:
  tls_cacert: /opt/bitnami/openldap/certs/ca.crt

Since the custom-cert is mounted under /opt/bitnami/openldap/certs/ca.crt I assume this is what I should set for tls_cacert (?)

Am I using your PR correctly?

@chalharu
Contributor Author

The certificate has not been validated, possibly because 'never' is still specified for tls_reqcert.

tls_reqcert: "never"

Please change the setting to one of the following options: 'allow', 'try', or 'demand'.

@jp-gouin
Owner

jp-gouin commented Oct 16, 2024

Here is what I tried:
tls_reqcert: "try"
tls_reqcert: "always"
tls_reqcert: "demand"

I created a certificate with the following SAN:

X509v3 Subject Alternative Name: 
                DNS:openldap-1.openldap-headless.openldapfeat.svc.cluster.local, DNS:openldap-0.openldap-headless.openldapfeat.svc.cluster.local, DNS:openldap-2.openldap-headless.openldapfeat.svc.cluster.local, DNS:test.example.com

I got the same in the log for each tls_reqcert value:

openldap-0 openldap-stack-ha 670fca1a.0ba24633 0x7f6928c5e6c0 conn=1868 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
openldap-1 openldap-stack-ha 670fc812.2f629022 0x7fb2251106c0 conn=1720 fd=16 closed (connection lost)
openldap-0 openldap-stack-ha 670fca1a.0ba4c21d 0x7f6928c5e6c0 conn=1868 op=0 RESULT tag=120 err=2 qtime=0.000016 etime=0.000229 text=unsupported extended operation
openldap-0 openldap-stack-ha 670fca1a.0ba8f3fc 0x7f69237fe6c0 conn=1868 op=1 UNBIND
openldap-1 openldap-stack-ha 670fc813.2f88d8d6 0x7fb22490f6c0 slap_client_connect: URI=ldap://openldap-2.openldap-headless.openldapfeat.svc.cluster.local:1389 Error, ldap_start_tls failed (2)
openldap-0 openldap-stack-ha 670fca1a.0bac7f66 0x7f69237fe6c0 conn=1868 fd=14 closed
openldap-0 openldap-stack-ha 670fca20.173cd0fb 0x7f6922ffd6c0 conn=1869 fd=14 ACCEPT from IP=10.244.2.1:58790 (IP=0.0.0.0:1389)
openldap-2 openldap-stack-ha 670fc785.0b4f6dfc 0x7f8ec53ee6c0 do_syncrepl: rid=001 rc 2 retrying
openldap-0 openldap-stack-ha 670fca20.173d79ed 0x7f692945f6c0 conn=1870 fd=16 ACCEPT from IP=10.244.2.1:58792 (IP=0.0.0.0:1389)
openldap-2 openldap-stack-ha 670fc786.0b6cc18a 0x7f8ebffff6c0 slap_client_connect: URI=ldap://openldap-0.openldap-headless.openldapfeat.svc.cluster.local:1389 Error, ldap_start_tls failed (2)

Can you share with me how you tested it and how you generated your certs? Many thanks

@chalharu
Contributor Author

I created a certificate with the following SAN using cert-manager:

            X509v3 Subject Alternative Name:
                DNS:openldap.openldap.svc, DNS:openldap.openldap.svc.cluster.local, DNS:*.openldap-headless.openldap.svc.cluster.local

For the complete cert-manager YAML configuration and values.yaml, please refer to the following Gist: Gist Link.
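The two things the thread turns on, whether the server certificate chains to the CA given as replication.tls_cacert and whether its SAN covers the peer FQDNs that appear in the slap_client_connect URIs, can be checked offline before changing tls_reqcert. The script below is an added example, not code from the chart or from this PR; it assumes openssl is on PATH, and every certificate it uses is a constructed throwaway (the wildcard SAN is the one from the cert-manager certificate above, while the second hostname uses the openldapfeat namespace from the earlier test).

```shell
#!/bin/sh
# Added example (not part of the chart or this PR). Checks offline the two things
# tls_reqcert=demand will enforce against replication.tls_cacert: that the server
# cert chains to the CA, and that its SAN covers the peer FQDN in the syncrepl URI.
# Assumes openssl on PATH; every certificate here is a constructed throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one CA, a server cert with the wildcard SAN from the
# thread, and a second CA that signed nothing (the "wrong tls_cacert" case).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-root" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=openldap" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:openldap.openldap.svc,DNS:*.openldap-headless.openldap.svc.cluster.local\n' \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/srv.crt" 2>/dev/null
}

# chain_ok CA CERT: exit 0 if CERT chains to CA (what tls_cacert must satisfy).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# peer_ok CA CERT HOST: chain check plus hostname match against the SAN, using
# the same wildcard rule (one leftmost label) a TLS client applies.
peer_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

make_test_pki
# A peer in the namespace the SAN was issued for, and one in a different namespace.
for host in openldap-0.openldap-headless.openldap.svc.cluster.local \
            openldap-0.openldap-headless.openldapfeat.svc.cluster.local; do
  if peer_ok "$WORK/ca.crt" "$WORK/srv.crt" "$host"; then
    echo "OK    $host is in the SAN and chains to the CA"
  else
    echo "FAIL  $host would be rejected with tls_reqcert=demand"
  fi
done
```

Point the functions at the real files from the secret (tls_cacert) and the server certificate, and use the exact FQDN from the syncrepl URI as HOST.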

@jp-gouin jp-gouin merged commit 77d39a2 into jp-gouin:master Oct 21, 2024
4 checks passed