LDAPS unsupported when using custom CAs #307

Open

mzervakis opened this issue Feb 7, 2025 · 0 comments

mzervakis commented Feb 7, 2025

Setting `mkeconfig.spec.authentication.ldap.rootCA` to the path of the custom CA will not configure the authentication correctly. The logic to create a secret for the custom CA and mount it as a volume in the authentication pod seems to be missing. Setting `rootCA` will cause the authentication pod to crash.

```console
$ kubectl -n mke get pods --selector app.kubernetes.io/instance=authentication
NAME                                  READY   STATUS             RESTARTS         AGE
authentication-dex-5777858c97-6btbc   0/1     CrashLoopBackOff   31 (3m39s ago)   137m

$ kubectl -n mke logs authentication-dex-5777858c97-6btbc --tail 1
failed to initialize server: server: Failed to open connector ldap: failed to open connector: failed to create connector ldap: ldap: read ca file: open /etc/dex/certs/ldap/ca.crt: no such file or directory
```

To support LDAPS, `rootCAData` could be used instead of `rootCA`.

A workaround is to patch the authentication addon after installation.

```sh
# Inline the CA bundle as a single base64 line (no wrapping) and merge-patch it into the addon.
CADATA=$(base64 -w0 ca.crt)
kubectl -n blueprint-system patch addons.blueprint.mirantis.com authentication --type merge --patch-file=/dev/stdin <<-EOF
apiVersion: blueprint.mirantis.com/v1alpha1
kind: Addon
metadata:
  name: authentication
  namespace: blueprint-system
spec:
  chart:
    values:
      config:
        connectors:
        - config:
            rootCAData: $CADATA
            bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
            bindPW: password
            host: ldap.example.com:636
            userSearch:
              baseDN: cn=users,dc=example,dc=com
              emailAttr: mail
              filter: (objectClass=person)
              idAttr: distinguishedName
              nameAttr: cn
              username: uid
            usernamePrompt: ldap
          id: ldap
          name: ldap
          type: ldap
EOF
```
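The workaround above inlines the CA bundle into the Dex LDAP connector as `rootCAData`. The following is an added example, not code from the issue or from the MKE/Blueprint project: it builds the same merge-patch body in Python and then checks a connector config the way a reviewer would before applying it (the base64 decodes, it contains at least one PEM `CERTIFICATE` block, and none of the TLS-weakening Dex LDAP connector options `insecureNoSSL` or `insecureSkipVerify` are set). It relies on the Dex LDAP connector field names `rootCA`, `rootCAData`, `insecureNoSSL` and `insecureSkipVerify`; the CA certificate is a constructed placeholder standing in for `ca.crt`, not a real certificate.

```python
import base64
import binascii
import json
import re

# Constructed sample standing in for the contents of ca.crt in the issue.
# The body is base64 of placeholder bytes, not a real X.509 certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder CA certificate bytes for the example").decode()
    + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def build_ldap_connector(ca_pem, host, bind_dn, bind_pw):
    """Dex LDAP connector as used in the issue's workaround, with the CA bundle
    inlined as rootCAData: base64 of the PEM text, no line wraps (same as `base64 -w0`)."""
    return {
        "type": "ldap",
        "id": "ldap",
        "name": "ldap",
        "config": {
            "host": host,
            "rootCAData": base64.b64encode(ca_pem.encode()).decode(),
            "bindDN": bind_dn,
            "bindPW": bind_pw,
            "usernamePrompt": "ldap",
            "userSearch": {
                "baseDN": "cn=users,dc=example,dc=com",
                "filter": "(objectClass=person)",
                "username": "uid",
                "idAttr": "distinguishedName",
                "emailAttr": "mail",
                "nameAttr": "cn",
            },
        },
    }


def build_addon_patch(connector):
    """Merge-patch body for the `authentication` Addon (same shape as the YAML in the issue)."""
    return {
        "apiVersion": "blueprint.mirantis.com/v1alpha1",
        "kind": "Addon",
        "metadata": {"name": "authentication", "namespace": "blueprint-system"},
        "spec": {"chart": {"values": {"config": {"connectors": [connector]}}}},
    }


def render_patch(patch):
    """JSON text for `kubectl patch --type merge --patch-file=...` (kubectl accepts JSON or YAML)."""
    return json.dumps(patch, indent=2)


def decode_root_ca_data(connector):
    """Strictly decode rootCAData back to PEM text; raises binascii.Error on bad base64."""
    data = connector.get("config", {}).get("rootCAData", "")
    return base64.b64decode(data, validate=True).decode()


def check_ldap_connector(connector):
    """Review an LDAP connector config before it is applied. Returns a list of findings; empty means OK."""
    findings = []
    cfg = connector.get("config", {})
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL is set: LDAP traffic would be sent in plaintext")
    if cfg.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify is set: the server certificate would not be validated")
    if "rootCA" in cfg and "rootCAData" not in cfg:
        # The failure mode in #307: the path is not mounted into the Dex pod.
        findings.append("rootCA path set without rootCAData: the file must exist inside the pod")
    if "rootCAData" in cfg:
        try:
            pem = decode_root_ca_data(connector)
        except (binascii.Error, UnicodeDecodeError):
            findings.append("rootCAData is not valid base64")
        else:
            bodies = PEM_BLOCK.findall(pem)
            if not bodies:
                findings.append("rootCAData decodes but contains no CERTIFICATE PEM block")
            for body in bodies:
                try:
                    base64.b64decode("".join(body.split()), validate=True)
                except binascii.Error:
                    findings.append("a PEM block in rootCAData has an invalid base64 body")
    return findings


if __name__ == "__main__":
    conn = build_ldap_connector(SAMPLE_CA_PEM, "ldap.example.com:636",
                                "uid=serviceaccount,cn=users,dc=example,dc=com", "password")
    print(render_patch(build_addon_patch(conn)))
    print("findings:", check_ldap_connector(conn))
```

Running the check against a connector that still uses the `rootCA` path from the issue reports the unmounted-file problem, while the `rootCAData` form built above passes with no findings.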