Provide a simple LDAP service

Add LDAP stack to deploy a simple OpenLDAP configuration and its admin server. This can be used in any cookbook to provide Gerrit an LDAP service for authentication. Feature: Issue 12484 Change-Id: I0cc0276ef37c8a044882e85bfa9f0d5c2eff481a
GerritCodeReview · Mar 27, 2020 · 00e1a5a · 00e1a5a
1 parent 2edb15a
commit 00e1a5a
Show file tree

Hide file tree

Showing 3 changed files with 156 additions and 0 deletions.
diff --git a/ldap/Makefile b/ldap/Makefile
@@ -0,0 +1,21 @@
+LDAP_TEMPLATE:=cf-ldap.yml
+AWS_REGION:=us-east-1
+AWS_FC_COMMAND=export AWS_PAGER=;aws cloudformation
+LDAP_STACK_NAME:=gerrit-ldap
+HOSTED_ZONE_NAME:=mycompany.com
+
+.PHONY: ldap delete-ldap
+
+ldap:
+	$(AWS_FC_COMMAND) create-stack \
+		--stack-name $(LDAP_STACK_NAME) \
+		--capabilities CAPABILITY_IAM  \
+		--template-body file://`pwd`/$(LDAP_TEMPLATE) \
+		--region $(AWS_REGION) \
+		--parameters \
+		ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME)
+
+delete-ldap:
+	$(AWS_FC_COMMAND) delete-stack \
+	--stack-name $(LDAP_STACK_NAME) \
+	--region $(AWS_REGION)
diff --git a/ldap/README.md b/ldap/README.md
@@ -0,0 +1,59 @@
+# LDAP
+
+This is a set of Cloud Formation Templates and scripts to spin up a simple LDAP
+service and its Admin panel.
+
+It can be used to provide a simple LDAP instance to be used to integrate with
+any Gerrit setup in the different cookbooks.
+
+## How to run it
+
+### Prerequisites
+
+As a prerequisite to run this stack, you will need a registered and correctly
+configured domain in [Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started.html)
+
+### Getting Started
+
+* Create a key pair to access the EC2 instances in the cluster:
+
+```
+aws ec2 create-key-pair --key-name gerrit-cluster-keys \
+  --query 'KeyMaterial' --output text > gerrit-cluster.pem
+```
+
+*NOTE: the EC2 key pair are useful when you need to connect to the EC2 instances
+for troubleshooting purposes. Store them in a `pem` file to use when ssh-ing into your
+instances as follow: `ssh -i yourKeyPairs.pem <ec2_instance_ip>`*
+
+* Create the LDAP stack:
+
+```
+make ldap HOSTED_ZONE_NAME=mycompany.com
+```
+
+The `HOSTED_ZONE_NAME` value is the Hosted Zone Name where a DSN route pointing
+to the LDAP service will be created.
+
+### Cleaning up
+
+```
+make delete-ldap
+```
+
+### Access your LDAP instance
+
+* LDAP Service:
+ * **URI**: ldap://gerrit-ldap.gerritforgeaws.com
+ * **Port**: 636
+* LDAP Admin Service:
+ * **URI**: https://gerrit-ldap.mycompany.com
+ * **Port**: 6443
+ * **Username**: cn=admin,dc=example,dc=org
+ * **Password**: secret
+
+The LDAP instance provided already has a Gerrit Admin user baked in with the
+following credentials:
+
+* **Username**: gerritadmin
+* **Password**: secret
diff --git a/ldap/cf-ldap.yml b/ldap/cf-ldap.yml
@@ -0,0 +1,76 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'AWS CloudFormation Template to Deploy a single EC2 instance
+  with OpenLDAP Installed and configured with a Gerrit Admin User'
+Parameters:
+  KeyName:
+    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
+    Type: AWS::EC2::KeyPair::KeyName
+    Default: gerrit-cluster-keys
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  InstanceType:
+    Description: EC2 instance type
+    Type: String
+    Default: t2.micro
+  HostedZoneName:
+    Description: The route53 HostedZoneName.
+    Type: String
+Resources:
+  EC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      InstanceType: !Ref InstanceType
+      SecurityGroups:
+        - !Ref InstanceSecurityGroup
+      KeyName: !Ref KeyName
+      ImageId: ami-0472cbe99b81a694a
+      UserData:
+        Fn::Base64: !Sub |
+          #!/bin/bash -xe
+          su - ec2-user bash -c "docker-compose up"
+  InstanceSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Enable SSH access via port 22
+      SecurityGroupIngress:
+      - CidrIp: 0.0.0.0/0
+        IpProtocol: -1
+  LDAPDnsRecord:
+      Type: AWS::Route53::RecordSet
+      Properties:
+        Name: !Sub 'gerrit-ldap.${HostedZoneName}'
+        HostedZoneName: !Sub '${HostedZoneName}.'
+        Comment: DNS name for LDAP Test instance.
+        Type: A
+        TTL: '60'
+        ResourceRecords:
+          - !GetAtt EC2Instance.PublicIp
+Outputs:
+  InstanceId:
+    Description: InstanceId of the newly created EC2 instance
+    Value:
+      Ref: EC2Instance
+  AZ:
+    Description: Availability Zone of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - AvailabilityZone
+  PublicDNS:
+    Description: Public DNSName of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - PublicDnsName
+  PublicIP:
+    Description: Public IP address of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - PublicIp
+  LDAPAdminWebUrl:
+    Description: LDAP Admin URL
+    Value: !Sub 'https://gerrit-ldap.${HostedZoneName}:6443'
+  LDAPServiceUrl:
+    Description: LDAP Service URL
+    Value: !Sub 'ldap://gerrit-ldap.${HostedZoneName}:636'