feat: Add support to ldap custom certs

wandb · Jan 16, 2024 · 8333a54 · 8333a54
1 parent 2b72080
commit 8333a54
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 2 deletions.
diff --git a/charts/wandb/Chart.yaml b/charts/wandb/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: wandb
 description: A Helm chart for deploying W&B to Kubernetes
 type: application
-version: 0.3.3
-appVersion: 0.47.2
+version: 0.3.4
+appVersion: 0.48.1
 icon: https://wandb.ai/logo.svg
 maintainers:
   - name: wandb

diff --git a/charts/wandb/README.md b/charts/wandb/README.md
@@ -56,3 +56,29 @@ The following Terraform (IaC) options use this approach.
 
 For production-grade implementation, the appropriate chart parameters should be
 used to point to prebuilt, externalized state stores.
+
+### LDAP
+
+The LDAP TLS cert configuration requires a config map pre-created with the certificate content.
+
+To create the config map you can use the following command:
+
+```
+ kubectl -n wandb-helm create configmap ldap-tls-cert --from-file=certificate.crt
+```
+
+And use the config map in the `values.yaml` like the example below
+
+```
+ldap:
+  enabled: true
+  [...]
+  # Enable LDAP TLS
+  tls: true
+  # ConfigMap name and key with CA certificate for LDAP server
+  tlsCert:
+    configMap:
+      name: "ldap-tls-cert"
+      key: "certificate.crt"
+```
+
diff --git a/charts/wandb/templates/deployment.yaml b/charts/wandb/templates/deployment.yaml
@@ -123,6 +123,34 @@ spec:
               value: {{ .Values.host | default "http://localhost:8080" }}
             - name: REDIS
               value: {{ .Values.redis | default "redis://127.0.0.1:6379" }}
+            {{- if .Values.ldap.enabled }}
+            - name: LOCAL_LDAP_LOGIN
+              value: "true"
+            - name: LOCAL_LDAP_ADDRESS
+              value: {{ .Values.ldap.host }}
+            - name: LOCAL_LDAP_BASE_DN
+              value: {{ .Values.ldap.baseDN }}
+            - name: LOCAL_LDAP_BIND_DN
+              value: {{ .Values.ldap.bindDN }}
+            {{- if .Values.createSecrets }}
+            - name: LOCAL_LDAP_BIND_PW
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "wandb.fullname" . }}-secrets
+                  key: LOCAL_LDAP_BIND_PW
+            {{- else }}
+            - name: LOCAL_LDAP_BIND_PW
+              value: {{ .Values.ldap.bindPW }}
+            {{- end }}
+            - name: LOCAL_LDAP_ATTRIBUTES
+              value: {{ .Values.ldap.attributes }}
+            {{- if .Values.ldap.tls }}
+            - name: LOCAL_LDAP_TLS_ENABLE
+              value: "true"
+            {{- end }}
+            - name: LOCAL_LDAP_GROUP_ALLOW_LIST
+              value: {{ .Values.ldap.groupAllowList }}
+            {{- end }}
             {{- if .Values.extraEnv }}
             {{- toYaml .Values.extraEnv | nindent 12 }}
             {{- end }}
@@ -160,6 +188,12 @@ spec:
               mountPath: /usr/local/share/ca-certificates/customCA{{$index}}.crt
               subPath: customCA{{$index}}.crt
           {{- end }}
+          {{- if and .Values.ldap.enabled .Values.ldap.tls }}
+            - name: ldap-tls-cert
+              mountPath: /var/run/secrets/wandb.ai/ldap/ca.crt
+              subPath: ca.crt
+              readOnly: true
+          {{ end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       hostAliases:
@@ -191,6 +225,14 @@ spec:
           configMap:
             name: {{ include "wandb.fullname" . }}-ca-certs
       {{- end }}
+      {{- if and .Values.ldap.enabled .Values.ldap.tls }}
+        - name: ldap-tls-cert
+          configMap:
+            name: {{ .Values.ldap.tlsCert.configMap.name }}
+            items:
+              - key: {{ .Values.ldap.tlsCert.configMap.key }}
+                path: ca.crt
+      {{- end }}
 ---
 {{- if and (not .Values.bucket) .Values.existingClaim }}
 kind: PersistentVolumeClaim

diff --git a/charts/wandb/templates/secrets.yaml b/charts/wandb/templates/secrets.yaml
@@ -29,4 +29,7 @@ data:
 {{- if .Values.sso.clientSecret }}
   CLIENT_SECRET: {{ .Values.clientSecret | b64enc }}
 {{- end}}
+{{- if and .Values.ldap.enabled .Values.ldap.bindPW }}
+  LOCAL_LDAP_BIND_PW: {{ .Values.ldap.bindPW | b64enc }}
+{{- end }}
 {{- end}}
diff --git a/charts/wandb/values.yaml b/charts/wandb/values.yaml
@@ -78,6 +78,29 @@ sso:
   # Optional, only if your IDP requires it
   clientSecret:
 
+# LDAP SSO configuration
+ldap:
+  enabled: false
+  # LDAP server address including "ldap://" or "ldaps://"
+  host:
+  # LDAP search base to use for finding users
+  baseDN:
+  # LDAP user to bind with (if not using anonymous bind)
+  bindDN:
+  # Secret name and key with LDAP password to bind with (if not using anonymous bind)
+  bindPW:
+  # LDAP attribute for email and group ID attribute names as comma separated string values.
+  attributes:
+  # LDAP group allow list
+  groupAllowList:
+  # Enable LDAP TLS
+  tls: false
+  # ConfigMap name and key with CA certificate for LDAP server
+  tlsCert:
+    configMap:
+      name:
+      key:
+
 ingress:
   enabled: false
   className: ""