add github action for PR and push to master for jp-gouin#22, update custom certs -> ca.crt need to be added otherwise the chart will fail. Add PR template and check on semantic

jp-gouin · jp-gouin · commit beac3310880b · 2021-05-09T17:24:25.000+02:00
diff --git a/.bin/argo-chaos-cr.yaml b/.bin/argo-chaos-cr.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-chaos
+rules:
+- apiGroups:
+  - "apps"
+  resources:
+  - pods
+  - statefulsets
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - chaos-mesh.org
+  resources:
+  - '*'
+  verbs:
+  - '*'
+
diff --git a/.bin/argo-default-rbac.yaml b/.bin/argo-default-rbac.yaml
@@ -0,0 +1,67 @@
+# give our webhook ap (as default:default) permissions to create workflows
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-invocation
+  namespace: argo
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - watch
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: default-default-invocation
+  namespace: argo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-invocation
+subjects:
+- kind: ServiceAccount
+  name: argo-workflow-invocator
+  namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-invocation-chaos
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-chaos
+subjects:
+- kind: ServiceAccount
+  name: argo-workflow-invocator
+  namespace: argo
+
diff --git a/.bin/chaos.yaml b/.bin/chaos.yaml
@@ -0,0 +1,16 @@
+apiVersion: chaos-mesh.org/v1alpha1
+kind: PodChaos
+metadata:
+  name: pod-failure-openldap
+  annotations:
+    experiment.chaos-mesh.org/pause: "false"
+spec:
+  action: pod-failure
+  mode: random-max-percent
+  value: "100"
+  duration: "15s"
+  selector:
+    labelSelectors:
+      "app": "openldap-openldap-stack-ha"
+  scheduler:
+    cron: "@every 2m"
diff --git a/.bin/kind-conf.yml b/.bin/kind-conf.yml
@@ -0,0 +1,24 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+- role: worker
+  kubeadmConfigPatches:
+  - |
+    kind: JoinConfiguration
+    nodeRegistration:
+      kubeletExtraArgs:
+        node-labels: "ingress-ready=true"
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 8080
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 8443
+    protocol: TCP
+  - containerPort: 30636
+    hostPort: 30636
+  - containerPort: 30389
+    hostPort: 30389
+- role: worker
+- role: worker
diff --git a/.bin/myval.yaml b/.bin/myval.yaml
@@ -1,4 +1,9 @@
 logLevel: debug
+resources: 
+  limits:
+    cpu: "128m"
+    memory: "64Mi"
+replicaCount: 3
 ltb-passwd:
   ingress:
     hosts:
@@ -10,8 +15,6 @@ phpldapadmin:
 customTLS:
   enabled: true
   secret: "custom-cert"
-  CA:
-    enabled: false
 customLdifFiles:
   01-default-group.ldif: |-
     dn: cn=myGroup,dc=example,dc=org
@@ -32,3 +35,7 @@ customLdifFiles:
     uid: jdupond
     uidnumber: 1000
     userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
+service:
+  ldapPortNodePort: 30389
+  sslLdapPortNodePort: 30636
+  type: NodePort
diff --git a/.bin/phpldap-test.py b/.bin/phpldap-test.py
@@ -0,0 +1,62 @@
+# Generated by Selenium IDE
+import pytest
+import time
+import json
+from selenium import webdriver
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.action_chains import ActionChains
+from selenium.webdriver.support import expected_conditions
+from selenium.webdriver.support.wait import WebDriverWait
+from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+
+class TestPhpldap():
+
+  def setup_method(self, method):
+    op = webdriver.ChromeOptions()
+    op.add_argument('headless')
+    self.driver = webdriver.Chrome(options=op)
+    self.vars = {}
+  
+  def teardown_method(self, method):
+    self.driver.quit()
+  
+  def test_phpldap(self):
+    self.driver.get("http://phpldapadmin.example.lan:8080/")
+    print(self.driver.title)
+    self.driver.find_element(By.LINK_TEXT, "login").click()
+    #element = self.driver.find_element(By.LINK_TEXT, "login")
+    #actions = ActionChains(self.driver)
+    #actions.move_to_element(element).perform()
+    #element = self.driver.find_element(By.CSS_SELECTOR, "body")
+    #actions = ActionChains(self.driver)
+    #actions.move_to_element(element, 0, 0).perform()
+    self.driver.find_element(By.ID, "login").click()
+    self.driver.find_element(By.ID, "login").send_keys("cn=admin,dc=example,dc=org")
+    self.driver.find_element(By.ID, "password").click()
+    self.driver.find_element(By.ID, "password").send_keys("admin")
+    self.driver.find_element(By.NAME, "submit").click()
+    print("successfully logged")
+    #test = self.driver.find_element(By.XPATH, "//a[@href='cmd.php?cmd=template_engine&server_id=1&dn=dc%3Dexample%2Cdc%3Dorg']")
+    #test.click()
+    #main = test.find_element(By.XPATH, "//a[@title='dc=example,dc=org']")
+    #print(main.find_element(By.XPATH, "//a[contains(text(), 'child')]"))
+    #self.driver.find_element(By.ID, "posixAccount:2").click()
+    #self.driver.find_element(By.ID, "new_values_givenname_0").click()
+    #self.driver.find_element(By.ID, "new_values_givenname_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_sn_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_uid_0").click()
+    #self.driver.find_element(By.ID, "new_values_userpassword_0").click()
+    #self.driver.find_element(By.ID, "new_values_userpassword_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").click()
+    #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_gidnumber_0").click()
+    #dropdown = self.driver.find_element(By.ID, "new_values_gidnumber_0")
+    #dropdown.find_element(By.XPATH, "//option[. = 'myGroup']").click()
+    #self.driver.find_element(By.ID, "create_button").click()
+  
+testClass = TestPhpldap()
+
+testClass.setup_method("")
+testClass.test_phpldap()
+testClass.teardown_method("")
diff --git a/.bin/selfservice-test.py b/.bin/selfservice-test.py
@@ -0,0 +1,62 @@
+# Generated by Selenium IDE
+import pytest
+import time
+import json
+from selenium import webdriver
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.action_chains import ActionChains
+from selenium.webdriver.support import expected_conditions
+from selenium.webdriver.support.wait import WebDriverWait
+from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+
+class TestPhpldap():
+
+  def setup_method(self, method):
+    op = webdriver.ChromeOptions()
+    op.add_argument('headless')
+    self.driver = webdriver.Chrome(options=op)
+    self.vars = {}
+  
+  def teardown_method(self, method):
+    self.driver.quit()
+  
+  def test_phpldap(self):
+    self.driver.get("http://phpldapadmin.example.lan:8080/")
+    print(self.driver.title)
+    self.driver.find_element(By.LINK_TEXT, "login").click()
+    #element = self.driver.find_element(By.LINK_TEXT, "login")
+    #actions = ActionChains(self.driver)
+    #actions.move_to_element(element).perform()
+    #element = self.driver.find_element(By.CSS_SELECTOR, "body")
+    #actions = ActionChains(self.driver)
+    #actions.move_to_element(element, 0, 0).perform()
+    self.driver.find_element(By.ID, "login").click()
+    self.driver.find_element(By.ID, "login").send_keys("cn=admin,dc=example,dc=org")
+    self.driver.find_element(By.ID, "password").click()
+    self.driver.find_element(By.ID, "password").send_keys("admin")
+    self.driver.find_element(By.NAME, "submit").click()
+    print("successfully logged")
+    #test = self.driver.find_element(By.XPATH, "//a[@href='cmd.php?cmd=template_engine&server_id=1&dn=dc%3Dexample%2Cdc%3Dorg']")
+    #test.click()
+    #main = test.find_element(By.XPATH, "//a[@title='dc=example,dc=org']")
+    #print(main.find_element(By.XPATH, "//a[contains(text(), 'child')]"))
+    #self.driver.find_element(By.ID, "posixAccount:2").click()
+    #self.driver.find_element(By.ID, "new_values_givenname_0").click()
+    #self.driver.find_element(By.ID, "new_values_givenname_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_sn_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_uid_0").click()
+    #self.driver.find_element(By.ID, "new_values_userpassword_0").click()
+    #self.driver.find_element(By.ID, "new_values_userpassword_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").click()
+    #self.driver.find_element(By.ID, "new_values_verify_userpassword_0").send_keys("test")
+    #self.driver.find_element(By.ID, "new_values_gidnumber_0").click()
+    #dropdown = self.driver.find_element(By.ID, "new_values_gidnumber_0")
+    #dropdown.find_element(By.XPATH, "//option[. = 'myGroup']").click()
+    #self.driver.find_element(By.ID, "create_button").click()
+  
+testClass = TestPhpldap()
+
+testClass.setup_method("")
+testClass.test_phpldap()
+testClass.teardown_method("")
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,9 @@
+### What this PR does / why we need it:
+<!--- Why is this change required? What problem does it solve? -->
+<!--- If it fixes an open issue, please link to the issue here. -->
+
+### Pre-submission checklist:
+
+* [ ] Did you explain what problem does this PR solve? Or what new features have been added?
+* [ ] Have you updated the readme?
+* [ ] Is this PR backward compatible? **If it is not backward compatible, please discuss open a ticket first**
diff --git a/.github/semantic.yml b/.github/semantic.yml
@@ -0,0 +1,15 @@
+titleOnly: true
+allowRevertCommits: true
+types:
+  - feat
+  - fix
+  - docs
+  - style
+  - refactor
+  - perf
+  - test
+  - build
+  - ci
+  - chore
+  - revert
+  - change
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,78 @@
+name: Qualif
+on:
+  push:
+    branches:
+      - "master"
+  pull_request:
+    branches:
+      - "master"
+jobs:
+  qualif:
+      runs-on: ubuntu-latest
+      steps:
+      - name: Check out code
+        uses: actions/checkout@v1
+      - name: Lint
+        shell: bash
+        run: |
+          helm lint .
+      - name: setup cluster
+        shell: bash
+        run: |
+          curl -Lo /tmp/kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
+          chmod +x /tmp/kind
+          /tmp/kind create cluster --config=$GITHUB_WORKSPACE/.bin/kind-conf.yml
+          kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
+          kubectl patch daemonsets -n projectcontour envoy -p '{"spec":{"template":{"spec":{"nodeSelector":{"ingress-ready":"true"}}}}}'
+      - name: setup chaos mesh
+        shell: bash
+        run: |
+          curl -sSL https://mirrors.chaos-mesh.org/latest/install.sh | bash -s -- --local kind
+      - name: setup certs
+        shell: bash
+        run: |
+          openssl req -x509 -newkey rsa:4096 -nodes -subj '/CN=example.com' -keyout tls.key -out tls.crt -days 365
+          cp tls.crt ca.crt
+          openssl dhparam -out dhparam.pem 2048
+          kubectl create secret generic custom-cert --from-file=./tls.crt --from-file=./tls.key --from-file=./dhparam.pem --from-file=./ca.crt
+      - name: deploy openldap-stack-ha
+        shell: bash
+        run: |
+          cd "$GITHUB_WORKSPACE"
+          helm install openldap -f .bin/myval.yaml .
+          kubectl rollout status sts openldap-openldap-stack-ha 
+      - name: verify deployment
+        shell: bash
+        run: |
+           echo "test access to openldap database"
+           sudo apt-get install -y ldap-utils
+           LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org'
+      - name: test phpldapadmin access
+        shell: bash
+        run: |
+           echo "test access to phpldapadmin"
+           echo "127.0.0.1 phpldapadmin.example ssl-ldap2.example" | sudo tee -a /etc/hosts
+           curl phpldapadmin.example:8080
+      - name: test self service pwd access
+        shell: bash
+        run: |
+           echo "test access to ssp"
+           curl ssl-ldap2.example:8080
+      - name: verify certs
+        shell: bash
+        run: |
+           echo "verify certificate"
+           openssl s_client -showcerts -connect localhost:30636 </dev/null | grep "issuer=CN = example.com"
+      - name: apply chaos tests
+        shell: bash
+        run: |
+           echo "test access to openldap database"
+           kubectl apply -f .bin/chaos.yaml
+      - name: chaos tests
+        shell: bash
+        run: |
+           echo "test access to openldap database"
+           for i in {1..20}; do  LDAPTLS_REQCERT=never ldapsearch -x -D 'cn=admin,dc=example,dc=org' -w Not@SecurePassw0rd -H ldaps://localhost:30636 -b 'dc=example,dc=org' && sleep 60 ; done
+
+
+      
diff --git a/templates/statefullset.yaml b/templates/statefullset.yaml
diff --git a/values.yaml b/values.yaml
