
Added ability to specify LDAP CA cert #157

Merged: 2 commits, Apr 1, 2021

Conversation

@tchellomello (Contributor) commented Mar 29, 2021

Fixes: #117

Introduces the ability to specify an LDAP Certificate Authority

- Tested deployment manually deployed
- Testing via OLM manifest (UI)
- Documentation
  Should we create a dedicated link on how to create the secret with ldap.cert contents?
kubectl create secret generic awx-ldap-ca-cert \
  --from-file=ldap-ca.crt=/etc/pki/ca-trust/source/anchors/Toca_Intermediate_CA.crt  --dry-run -o yaml

Testing

  1. Updating operator
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 0334822..0f9cf2a 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -1,3 +1,3 @@
-operator_image: quay.io/ansible/awx-operator
-operator_version: 0.7.0
+operator_image: registry.tatu.home/ansible/awx-operator
+operator_version: ldaps
 pull_policy: Always
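Review bot: the `operator_image` / `operator_version` values in this hunk point at a private registry (`registry.tatu.home`) and a mutable branch tag (`ldaps`) in place of `quay.io/ansible/awx-operator` and `0.7.0`; that is fine for the local test recorded here, but these lines must not travel with the merged change, and with `pull_policy: Always` a moving tag means the image that was actually tested cannot be pinned down afterwards. If this test setup is meant to be reproducible, note the image digest that was pulled.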
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 457793c..d56bcf3 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -122,7 +122,7 @@ spec:
       serviceAccountName: awx-operator
       containers:
         - name: awx-operator
-          image: "quay.io/ansible/awx-operator:0.7.0"
+         image: "registry.tatu.home/ansible/awx-operator:ldaps"
           imagePullPolicy: "Always"
           volumeMounts:
             - mountPath: /tmp/ansible-operator/runner
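Review bot: the added `image:` line is indented one column less than the `imagePullPolicy:` line that follows it (9 spaces versus 10), so the two keys of the same container entry no longer align; YAML requires sibling mapping keys at the same indentation, so the line should read `+          image: "registry.tatu.home/ansible/awx-operator:ldaps"` with the original indentation. The same private-registry and branch-tag caveat as in `group_vars/all` applies here: a test-only override, not something to commit.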
@@ -390,12 +390,12 @@ spec:
                 ca_trust_bundle:
                   description: Path where the trusted CA bundle is available
                   type: string
-                ldap_cacert_secret:
-                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
-                  type: string
                 development_mode:
                   description: If the deployment should be done in development mode
                   type: boolean
+                ldap_cacert_secret:
+                  description: Secret where can be found the LDAP trusted Certificate Authority Bundle
+                  type: string
               type: object
             status:
               properties:
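Review bot: the property description "Secret where can be found the LDAP trusted Certificate Authority Bundle" reads awkwardly and omits the one detail a user must get right, namely that the Secret has to carry the bundle under the `ldap-ca.crt` key (the mount later in this page is `ldap-ca.crt` from the Secret). Suggest something like `description: Name of the Secret holding the trusted CA bundle for LDAP, under the key ldap-ca.crt`. The hunk otherwise only moves `ldap_cacert_secret` below `development_mode`, so this is a documentation nit rather than a logic issue.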
Image updated:
kubectl get deployment awx-operator -o yaml | grep 'image: re'  
        image: registry.tatu.home/ansible/awx-operator:ldaps
  2. Creating Secret
kubectl create secret generic awx-ldaps-ldap-ca-cert --from-file=ldap-ca.crt=/etc/pki/ca-trust/source/anchors/Toca_Intermediate_CA.crt 
secret/awx-ldaps-ldap-ca-cert created

kubectl describe secret awx-ldaps-ldap-ca-cert 
Name:         awx-ldaps-ldap-ca-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
ldap-ca.crt:  1899 bytes
  3. Creating the awx kind
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-ldaps
spec:
  tower_admin_user: admin
  tower_admin_email: tchello.mello@gmail.com
  ldap_cacert_secret: awx-ldaps-ldap-ca-cert
  4. Applying YAML
$ kubectl apply -f 04_awx-ldaps.yaml 
awx.awx.ansible.com/awx-ldaps created

$ kubectl get awx awx-ldaps -o yaml | kubectl neat 
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-ldaps
  namespace: default
spec:
  ldap_cacert_secret: awx-ldaps-ldap-ca-cert
  tower_admin_email: tchello.mello@gmail.com
  tower_admin_user: admin
  tower_create_preload_data: true
  tower_garbage_collect_secrets: false
  tower_image_pull_policy: IfNotPresent
  tower_loadbalancer_port: 80
  tower_loadbalancer_protocol: http
  tower_replicas: 1
  tower_route_tls_termination_mechanism: Edge
  tower_task_privileged: false
  5. Checking deployment
kubectl get  deploy/awx-ldaps
NAME        READY   UP-TO-DATE   AVAILABLE   AGE
awx-ldaps   1/1     1            1           10m

kubectl describe deploy/awx-ldaps  
Name:                   awx-ldaps
[....SNIP....]
    Mounts:
      /etc/nginx/nginx.conf from awx-ldaps-nginx-conf (ro,path="nginx.conf")
      /etc/openldap/certs/ldap-ca.crt from awx-ldaps-ldap-cacert (ro,path="ldap-ca.crt")
[....SNIP....]
  Volumes:
   awx-ldaps-ldap-cacert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  awx-ldaps-ldap-ca-cert
    Optional:    false
  6. Checking mounted certificate and configuration
$ kubectl iexec awx-ldaps /bin/bash
Namespace: default | Pod: ✔ awx-ldaps-747645f9c-8w9qf
Container: ✔ awx-ldaps-web
bash-4.4$ ls -la /etc/openldap/certs/ldap-ca.crt 
-rw-r--r--. 1 root root 1899 Mar 30 01:45 /etc/openldap/certs/ldap-ca.crt

bash-4.4$ cat /etc/tower/conf.d/ldap.py 
AUTH_LDAP_GLOBAL_OPTIONS = {
    ldap.OPT_X_TLS_REQUIRE_CERT: True,
    ldap.OPT_X_TLS_CACERTFILE: "/etc/openldap/certs/ldap-ca.crt"
}

bash-4.4$ awx-manage shell_plus --quiet
Python 3.6.8 (default, Aug 24 2020, 17:57:11) 
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> settings.AUTH_LDAP_GLOBAL_OPTIONS
{24582: True, 24578: '/etc/openldap/certs/ldap-ca.crt'}

$ openssl  x509 -in /etc/openldap/certs/ldap-ca.crt -noout -text | head -n 5
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption

@tchellomello tchellomello changed the title [WIP] - Added ability to specify LDAP CA cert Added ability to specify LDAP CA cert Mar 30, 2021
@shanemcd shanemcd requested a review from Spredzy March 30, 2021 16:06
@shanemcd (Member) commented: 💪

@Spredzy (Collaborator) left a comment

Looks excellent, minor comment inline (non-blocker)

Also, for consistency, do we want to follow the same pattern the other secrets are following?

If ldap_cacert_secret is specified then use it, else try loading <resourcename>-ldap-cacert if it exists, else do nothing.

If we go with the above, https://github.com/ansible/awx-operator/blob/devel/roles/finalizer/tasks/main.yml#L25 needs to be updated also to provide consistency with this new secret.

This is mainly a comment, not a formal request for changes; if it is preferred to have that in a following PR (or not at all) we can still proceed with this.

Review threads (outdated, resolved):
roles/installer/templates/ldap.py.j2
roles/installer/templates/tower_deployment.yaml.j2
roles/installer/templates/tower_deployment.yaml.j2
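As an added example, not awx-operator's own code and not part of this PR, the following Python models the two things discussed on this page: the fallback rule proposed in the review (explicit `ldap_cacert_secret` first, then `<resourcename>-ldap-cacert` if it exists, else nothing), and the verification the PR description performs by hand (the Secret carries a PEM bundle under `ldap-ca.crt`, it is mounted at `/etc/openldap/certs/ldap-ca.crt`, and `AUTH_LDAP_GLOBAL_OPTIONS` demands a trusted server certificate). The function names, the in-memory secret store and the sample PEM (a placeholder DER blob, not a real certificate) are assumptions for illustration; the numeric option values are the ones visible in the `shell_plus` output above. One deliberate difference from the page's `ldap.py`: `OPT_X_TLS_REQUIRE_CERT` is set to the named constant `OPT_X_TLS_DEMAND` (2) rather than `True`; `True` is 1, which OpenLDAP treats as "hard", equivalent to "demand", so the behaviour is the same but the intent is explicit.

```python
import base64
import re

# python-ldap option constants; the numeric values match the shell_plus output
# on the page (24582 and 24578). OPT_X_TLS_DEMAND = 2 is OpenLDAP's "demand" level.
OPT_X_TLS_REQUIRE_CERT = 0x6006
OPT_X_TLS_CACERTFILE = 0x6002
OPT_X_TLS_DEMAND = 2

# Secret key and mount path used by the PR's deployment (from the page).
CA_SECRET_KEY = "ldap-ca.crt"
CA_MOUNT_PATH = "/etc/openldap/certs/ldap-ca.crt"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def resolve_ldap_ca_secret(resource_name, spec, existing_secrets):
    """Pick the Secret that supplies the LDAP CA bundle (assumed helper).

    Rule from the review: an explicit spec.ldap_cacert_secret wins; otherwise
    fall back to <resource_name>-ldap-cacert if it exists; otherwise None, and
    the LDAP TLS settings are left untouched.

    An explicit name that does not exist is an error, not a silent fallback:
    otherwise the deployment would roll out without a CA for LDAP and the
    server certificate could never be validated.
    """
    explicit = spec.get("ldap_cacert_secret")
    if explicit:
        if explicit not in existing_secrets:
            raise LookupError(f"ldap_cacert_secret {explicit!r} does not exist")
        return explicit
    implicit = f"{resource_name}-ldap-cacert"
    return implicit if implicit in existing_secrets else None


def validate_ca_secret(secret_data):
    """Check that decoded Secret data (key -> bytes) can serve as a CA bundle.

    Returns the number of PEM certificate blocks. Raises ValueError when the
    ldap-ca.crt key is missing, no certificate block is present, or a block's
    body is not base64-encoded DER (every X.509 cert is a DER SEQUENCE, tag 0x30).
    """
    pem = secret_data.get(CA_SECRET_KEY)
    if pem is None:
        raise ValueError(f"secret has no {CA_SECRET_KEY!r} key; the mount would be empty")
    blocks = _PEM_BLOCK.findall(pem)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE blocks in bundle")
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("PEM body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER certificate")
    return len(blocks)


def render_ldap_global_options(secret_name):
    """The AUTH_LDAP_GLOBAL_OPTIONS dict that ldap.py should end up with.

    Only when a CA Secret is mounted does it demand a trusted server cert and
    point at the mounted bundle; with no Secret the dict stays empty.
    """
    if secret_name is None:
        return {}
    return {OPT_X_TLS_REQUIRE_CERT: OPT_X_TLS_DEMAND, OPT_X_TLS_CACERTFILE: CA_MOUNT_PATH}


def render_volume_and_mount(resource_name, secret_name):
    """Volume and volumeMount fragments matching the describe output on the page."""
    if secret_name is None:
        return None, None
    volume_name = f"{resource_name}-ldap-cacert"
    volume = {"name": volume_name, "secret": {"secretName": secret_name, "optional": False}}
    mount = {"name": volume_name, "mountPath": CA_MOUNT_PATH,
             "subPath": CA_SECRET_KEY, "readOnly": True}
    return volume, mount


# Constructed sample data: the "certificate" body is a minimal DER SEQUENCE,
# not a real CA certificate; it is enough to exercise the checks above.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x03\x02\x01\x01") + b"\n"
                 + b"-----END CERTIFICATE-----\n")
SAMPLE_SECRETS = {
    "awx-ldaps-ldap-ca-cert": {CA_SECRET_KEY: SAMPLE_CA_PEM},
    "other-ldap-cacert": {CA_SECRET_KEY: SAMPLE_CA_PEM},
}


def plan(resource_name, spec, secrets=SAMPLE_SECRETS):
    """Resolve, validate and render; returns (secret_name, options, volume, mount)."""
    name = resolve_ldap_ca_secret(resource_name, spec, secrets)
    if name is not None:
        validate_ca_secret(secrets[name])
    return (name, render_ldap_global_options(name), *render_volume_and_mount(resource_name, name))


if __name__ == "__main__":
    # Mirrors the AWX object on the page: explicit ldap_cacert_secret on resource awx-ldaps.
    print(plan("awx-ldaps", {"ldap_cacert_secret": "awx-ldaps-ldap-ca-cert"}))
```

The explicit-but-missing case is the one to watch in a real operator: silently skipping the mount there would leave `AUTH_LDAP_GLOBAL_OPTIONS` without a CA and the LDAP client unable to validate the server, which is exactly the situation the Secret exists to prevent.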
@tchellomello (Contributor, Author) commented Mar 31, 2021

@Spredzy PR updated. I tested the changes with 2 deployments (with and without LDAP certificate) and worked like a charm.

I just did not include the removal piece as the <resourcename>-ldap-cacert shall be created manually, so it should not be auto-cleaned, right?

@Spredzy Spredzy merged commit 210ac2c into ansible:devel Apr 1, 2021
@tchellomello tchellomello deleted the ldaps branch April 1, 2021 14:26
Development

Successfully merging this pull request may close these issues.

RFE: Add custom LDAP auth using custom "*.pem" file during installation on OCP
3 participants