Gerrit configuration to use LDAP auth
Feature: Issue 12484
Change-Id: I3a5cd44a97e545a6206c19a5f2aa358ff3325aaa
diff --git a/.gitignore b/.gitignore
index 5462b53..97f349b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
setup.env
+gerrit.setup
*/gerrit/plugins/*.jar
*/gerrit/etc/*key*
+gerrit.config
+secure.config
diff --git a/single-master/README.md b/single-master/README.md
index 5e2ea26..94ac998 100644
--- a/single-master/README.md
+++ b/single-master/README.md
@@ -107,6 +107,11 @@
You will need to create a secret and put it in a file called `registerEmailPrivateKey`
in the same directory of the SSH keys.
+#### LDAP Password
+
+You will need to put the admin LDAP password in a file called `ldapPassword`
+in the same directory of the SSH keys.
+
#### Import into AWS Secret Manager
You can now run the script to upload them to AWS Secret Manager:
@@ -117,10 +122,17 @@
* Create the repository in the Docker registry:
`aws ecr create-repository --repository-name aws-gerrit/gerrit`
* Set the Docker registry URI in `DOCKER_REGISTRY_URI`
-* Adjust the `gerrit.config` in `./gerrit/etc`
+* Create a `gerrit.setup` and set the correct parameters
+ * An example of the possible setting are in `gerrit.setup.template`
+ * The structure and parameters of `gerrit.setup` are the same as a normal `gerrit.config`
+ * Refer to the [Gerrit Configuration Documentation](https://gerrit-review.googlesource.com/Documentation/config-gerrit.html)
+ for the meaning of the parameters
* Add the plugins you want to install in `./gerrit/plugins`
* Publish the image: `make gerrit-publish`
+NOTE: If you need a testing LDAP server you can find details on how to easily
+create one in the [LDAP folder](../ldap/README.md).
+
### Getting Started
* Create a key pair to access the EC2 instances in the cluster:
diff --git a/single-master/add_secrets_aws_secrets_manager.sh b/single-master/add_secrets_aws_secrets_manager.sh
index 5917ced..f5f8678 100755
--- a/single-master/add_secrets_aws_secrets_manager.sh
+++ b/single-master/add_secrets_aws_secrets_manager.sh
@@ -49,3 +49,9 @@
aws secretsmanager create-secret --name ${KEY_PREFIX}_registerEmailPrivateKey \
--description "Gerrit Register Email Private Key" \
--secret-string file://$SECRETS_DIRECTORY/registerEmailPrivateKey
+
+echo "Adding LDAP password..."
+
+aws secretsmanager create-secret --name ${KEY_PREFIX}_ldapPassword \
+ --description "LDAP password" \
+ --secret-string file://$SECRETS_DIRECTORY/ldapPassword
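Review bot: The new `create-secret` call is not idempotent, so re-running the script once `${KEY_PREFIX}_ldapPassword` exists fails with a ResourceExistsException, and unless the script sets `set -e` above this hunk (not visible here) it prints the error and carries on as if the secret were stored. `$SECRETS_DIRECTORY` is also unquoted, so a path with spaces breaks the `file://` URI; `--secret-string "file://$SECRETS_DIRECTORY/ldapPassword"`. Be aware that a password file created with `echo` carries its trailing newline into the secret and from there into `secure.config`; either strip it here or document `printf '%s' "$PASSWORD" > ldapPassword` in the README.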
diff --git a/single-master/gerrit/Dockerfile b/single-master/gerrit/Dockerfile
index 7bbd4c7..f00271a 100644
--- a/single-master/gerrit/Dockerfile
+++ b/single-master/gerrit/Dockerfile
@@ -8,6 +8,7 @@
# Installing scripts to get SSH Keys from Secret Manager
COPY --chown=gerrit:gerrit requirements.txt /tmp
+COPY --chown=gerrit:gerrit gerrit.setup /tmp
COPY --chown=gerrit:gerrit setup_gerrit.py /tmp
RUN chmod +x /tmp/setup_gerrit.py \
&& pip3 install -r /tmp/requirements.txt
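Review bot: `COPY --chown=gerrit:gerrit gerrit.setup /tmp` bakes an environment-specific file (LDAP server and bind DN) into the image, so one image can no longer serve several environments, and the build aborts with a bare "file not found" when the operator has not yet created the file the README asks for. The secrets are already fetched at container start by `setup_gerrit.py`; the LDAP settings would fit the same runtime path (a bind-mounted file or a Secrets Manager entry), leaving the image generic. If it stays a build-time input, a short comment above the line, `# gerrit.setup is environment-specific; create it from gerrit.setup.template before building`, would save the next person the confusing failure.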
diff --git a/single-master/gerrit/etc/gerrit.config b/single-master/gerrit/etc/gerrit.config.template
similarity index 74%
rename from single-master/gerrit/etc/gerrit.config
rename to single-master/gerrit/etc/gerrit.config.template
index 23e4c2e..180d740 100644
--- a/single-master/gerrit/etc/gerrit.config
+++ b/single-master/gerrit/etc/gerrit.config.template
@@ -8,7 +8,16 @@
[index]
type = LUCENE
[auth]
- type = DEVELOPMENT_BECOME_ANY_ACCOUNT
+ type = ldap
+ gitBasicAuth = true
+[ldap]
+ server = {{ LDAP_SERVER }}
+ username = {{ LDAP_USERNAME }}
+ accountBase = {{ LDAP_ACCOUNT_BASE }}
+ accountPattern = (&(objectClass=person)(uid=${username}))
+ accountFullName = displayName
+ accountEmailAddress = mail
+ groupBase = {{ LDAP_GROUP_BASE }}
[sendemail]
smtpServer = localhost
[sshd]
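Review bot: Nothing in the `[ldap]` section constrains transport security — it is left entirely to `{{ LDAP_SERVER }}`, and the shipped `gerrit.setup.template` value is plain `ldap://`, so the bind password and every user's login password cross the network in the clear. Gerrit's `ldap.server` accepts `ldaps://` URLs; I would add a comment above `server` making that the expectation, `# Use an ldaps:// URL in production: user passwords are sent to this server on every login`. Note also that `gitBasicAuth = true` makes HTTP git operations present the LDAP password as Basic auth, so the HTTP listener in front of Gerrit must be TLS as well.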
@@ -27,6 +36,5 @@
user = gerrit
javaHome = /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre
javaOptions = -Djava.security.egd=file:/dev/./urandom
- javaOptions = -Djava.security.egd=file:/dev/./urandom
[receive]
enableSignedPush = false
diff --git a/single-master/gerrit/etc/secure.config.template b/single-master/gerrit/etc/secure.config.template
index 408ad52..aec8903 100644
--- a/single-master/gerrit/etc/secure.config.template
+++ b/single-master/gerrit/etc/secure.config.template
@@ -1,2 +1,4 @@
[auth]
registerEmailPrivateKey = {{ REGISTER_EMAIL_PRIVATE_KEY }}
+[ldap]
+ password = {{ LDAP_PASSWORD }}
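Review bot: `password = {{ LDAP_PASSWORD }}` is substituted verbatim, and git-config syntax treats `#` and `;` as comment starters and trims surrounding whitespace, so a password containing either (or a leading/trailing space or a `"`) is silently truncated and Gerrit later reports an invalid-credentials bind error that points nowhere near the cause. Quote the value, `password = "{{ LDAP_PASSWORD }}"`, and have the renderer escape the two characters that are special inside quotes, `.replace('\\', '\\\\').replace('"', '\\"')`, before passing it to the template. The `registerEmailPrivateKey` line above has the same exposure, though that value is presumably generated and unlikely to contain such characters.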
diff --git a/single-master/gerrit/gerrit.setup.template b/single-master/gerrit/gerrit.setup.template
new file mode 100644
index 0000000..b8422e0
--- /dev/null
+++ b/single-master/gerrit/gerrit.setup.template
@@ -0,0 +1,5 @@
+[ldap]
+server = ldap://yourldap.yourcompany.com
+username = cn=admin,dc=example,dc=org
+accountBase = dc=example,dc=org
+groupBase = dc=example,dc=org
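Review bot: The example binds as `cn=admin,dc=example,dc=org` over plain `ldap://`, and the README hunk in this change asks operators for the "admin LDAP password" — Gerrit only needs to search accounts and groups, so a directory-admin credential should not be stored in Secrets Manager for this purpose at all. Suggest the template model least privilege: `server = ldaps://yourldap.yourcompany.com`, `username = cn=gerrit,ou=services,dc=example,dc=org`, with a comment `# dedicated read-only bind account; never a directory admin` above it, and the README wording changed to match.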
diff --git a/single-master/gerrit/requirements.txt b/single-master/gerrit/requirements.txt
index 58ee30e..45831a6 100644
--- a/single-master/gerrit/requirements.txt
+++ b/single-master/gerrit/requirements.txt
@@ -1,2 +1,3 @@
boto3
jinja2==2.11.1
+configparser==5.0.0
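Review bot: `configparser==5.0.0` is the PyPI backport of a module that is part of the Python 3 standard library the Dockerfile already uses (`pip3`), so the pin pulls in a third-party package — and another supply-chain artifact to track — that does nothing on this interpreter. Drop the line; `import configparser` in `setup_gerrit.py` resolves from the stdlib without it.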
diff --git a/single-master/gerrit/setup_gerrit.py b/single-master/gerrit/setup_gerrit.py
index 0fc07e0..6b76440 100755
--- a/single-master/gerrit/setup_gerrit.py
+++ b/single-master/gerrit/setup_gerrit.py
@@ -3,11 +3,11 @@
import boto3
import base64
import os
+import configparser
from botocore.exceptions import ClientError
from jinja2 import Environment, FileSystemLoader
def get_secret(secret_name):
-
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
@@ -62,17 +62,33 @@
]
GERRIT_KEY_PREFIX = "gerrit_secret_"
-GERRIT_SSH_SECRETS_DIRECTORY = "/var/gerrit/etc/"
+GERRIT_CONFIG_DIRECTORY = "/var/gerrit/etc/"
-print("Installing SSH Keys from Secret Manager in directory: " + GERRIT_SSH_SECRETS_DIRECTORY)
+print("Installing SSH Keys from Secret Manager in directory: " + GERRIT_CONFIG_DIRECTORY)
for secretId in secretIds:
print("* Installing SSH Key: " + secretId)
- with open(GERRIT_SSH_SECRETS_DIRECTORY + secretId, 'w', encoding = 'utf-8') as f:
+ with open(GERRIT_CONFIG_DIRECTORY + secretId, 'w', encoding = 'utf-8') as f:
f.write(get_secret(GERRIT_KEY_PREFIX + secretId))
-print("Setting Register Email Private Key in '" + GERRIT_SSH_SECRETS_DIRECTORY + "secure.config'")
-file_loader = FileSystemLoader(GERRIT_SSH_SECRETS_DIRECTORY)
+file_loader = FileSystemLoader(GERRIT_CONFIG_DIRECTORY)
env = Environment(loader=file_loader)
+
+print("Setting Register Email Private Key in '" + GERRIT_CONFIG_DIRECTORY + "secure.config'")
template = env.get_template("secure.config.template")
-with open(GERRIT_SSH_SECRETS_DIRECTORY + "secure.config", 'w', encoding = 'utf-8') as f:
- f.write(template.render(REGISTER_EMAIL_PRIVATE_KEY=get_secret(GERRIT_KEY_PREFIX + "registerEmailPrivateKey")))
+with open(GERRIT_CONFIG_DIRECTORY + "secure.config", 'w', encoding = 'utf-8') as f:
+ f.write(template.render(
+ REGISTER_EMAIL_PRIVATE_KEY=get_secret(GERRIT_KEY_PREFIX + "registerEmailPrivateKey"),
+ LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "ldapPassword"))
+ )
+
+config = configparser.ConfigParser()
+config.read('/tmp/gerrit.setup')
+print("Setting Gerrit config in '" + GERRIT_CONFIG_DIRECTORY + "gerrit.config'")
+template = env.get_template("gerrit.config.template")
+with open(GERRIT_CONFIG_DIRECTORY + "gerrit.config", 'w', encoding = 'utf-8') as f:
+ f.write(template.render(
+ LDAP_SERVER=config['ldap']['server'],
+ LDAP_USERNAME=config['ldap']['username'],
+ LDAP_ACCOUNT_BASE=config['ldap']['accountBase'],
+ LDAP_GROUP_BASE=config['ldap']['groupBase'])
+ )
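Review bot: `secure.config` now holds the LDAP bind password as well as the register-email key, but it is created with `open(..., 'w')` under the process umask, which on a typical image leaves it 0644 and readable by every user in the container; the SSH private keys written in the loop above have the same problem. Create secret-bearing files with an explicit 0600 mode via `os.open` and reuse that for both call sites, as below. Separately, `config.read('/tmp/gerrit.setup')` silently ignores a missing file and the script then dies with a bare `KeyError: 'ldap'`; checking its return value, `if not config.read('/tmp/gerrit.setup'): raise SystemExit("missing /tmp/gerrit.setup")`, gives the operator a usable message. The password is also written unescaped; if it contains `#`, `;` or `"`, git-config parsing truncates it.
```python
def _write_private(path, content):
    """Write content to path, creating it 0600 so secrets are not world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w', encoding='utf-8') as f:
        f.write(content)

for secretId in secretIds:
    print("* Installing SSH Key: " + secretId)
    _write_private(GERRIT_CONFIG_DIRECTORY + secretId, get_secret(GERRIT_KEY_PREFIX + secretId))

# … unchanged: Jinja environment and secure.config template lookup …
_write_private(GERRIT_CONFIG_DIRECTORY + "secure.config", template.render(
    REGISTER_EMAIL_PRIVATE_KEY=get_secret(GERRIT_KEY_PREFIX + "registerEmailPrivateKey"),
    LDAP_PASSWORD=get_secret(GERRIT_KEY_PREFIX + "ldapPassword")))
```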