
feat(cloud-native)!: remove support for ldap persistence #9669

Open. Wants to merge 25 commits into base: main

Conversation

iromli (Contributor) commented Oct 6, 2024

Prepare


Description

Target issue

closes #9659

This contains a breaking change removing OpenDJ support completely.

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.


dryrunsecurity bot commented Oct 6, 2024

DryRun Security Summary

The provided code changes cover a variety of updates across multiple components of the Janssen application, including the removal of LDAP support, adoption of modern persistence options, improved logging and monitoring, secure credential management, and potential security risks that require further review.


Summary:

The provided code changes cover a variety of updates across multiple components of the Janssen application. The key security-related observations are:

  1. Removal of LDAP support: The changes indicate a shift away from LDAP-based persistence, with LDAP-related configurations being removed from various components. This simplification can potentially improve the overall security posture by reducing the attack surface and complexity associated with LDAP integration.

  2. Adoption of modern persistence options: The application is now focusing on more lightweight and cloud-native persistence solutions, such as Couchbase, SQL, and Google Spanner. This transition requires careful review of the security configurations and practices for these new persistence backends.

  3. Improved logging and monitoring: The changes include updates to the logging configurations, which can enhance the application's security monitoring and incident response capabilities.

  4. Secure credential management: The application appears to be using Kubernetes Secrets, Vault, and other secure credential management solutions to store sensitive data, such as database passwords and API keys. This is a positive security practice that should be maintained.

  5. Potential security risks: While the changes generally seem to be focused on improving the application's security, there are a few areas that require further review, such as the handling of custom scripts, resource allocation in test environments, and potential hardcoded or insecure configurations.

Files Changed:

  • automation/rancher-partner-charts/app-readme.md: Removal of LDAP support from the Janssen Server.
  • .github/workflows/microk8s.yml: Simplification of the persistence backend configuration, focusing on MySQL instead of LDAP.
  • automation/docs/generated-cn-docs.sh: Updates to the documentation generation process, with no direct security implications.
  • automation/rancher-partner-charts/questions.yaml: Removal of LDAP support as a persistence option.
  • automation/startjanssendemo.sh: Removal of LDAP persistence option and improvements to logging and monitoring.
  • charts/janssen-all-in-one/README.md: Removal of LDAP-related configurations.
  • charts/janssen-all-in-one/templates/configmap.yaml: Removal of LDAP-related configurations.
  • automation/startjanssenmonolithdemo.sh: Removal of LDAP persistence option and improvements to the deployment process.
  • charts/janssen/Chart.yaml: Removal of the OpenDJ (LDAP) component.
  • charts/janssen/charts/auth-server/templates/deployment.yml: Updates to the resource allocation, probes, and environment variable configurations.
  • charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml: Improvements to the key rotation process.
  • charts/janssen/charts/casa/templates/deployment.yaml: Updates to the resource allocation, custom scripts, and environment variable configurations.
  • charts/janssen/charts/config-api/templates/deployment.yaml: Updates to the resource allocation, custom scripts, and environment variable configurations.
  • charts/janssen/charts/config/README.md: Removal of LDAP-related configurations.
  • charts/janssen/charts/config/templates/_helpers.tpl: Removal of the LDAP scope from the optional scopes.
  • charts/janssen/charts/config/templates/secrets.yaml: Removal of LDAP-related secrets and updates to the credential management.
  • charts/janssen/charts/config/templates/configmaps.yaml: Removal of LDAP-related configurations and updates to the logging, Couchbase, Google, and AWS integrations.
  • charts/janssen/charts/config/values.yaml: Removal of LDAP-related configurations and updates to the persistence, Couchbase, SQL, Redis, and Vault configurations.
  • charts/janssen/charts/fido2/templates/deployment.yml: Updates to the resource allocation and custom script handling.
  • charts/janssen/charts/kc-scheduler/templates/cronjobs.yaml: Updates to the resource allocation and environment variable handling.
  • charts/janssen/charts/link/templates/deployment.yaml: Updates to the resource allocation, volume mounts, environment variables, and custom script handling.

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@mo-auto added labels area-documentation, comp-docs, comp-jans-pycloudlib, kind-feature on Oct 6, 2024
@iromli iromli self-assigned this Oct 7, 2024
sonarcloud bot commented Oct 10, 2024

Quality Gate passed for 'keycloak-integration-parent'

Issues: 0 new issues, 0 accepted issues

Measures: 0 security hotspots, 0.0% coverage on new code, 0.0% duplication on new code

See analysis details on SonarCloud


@mo-auto added labels area-CI, comp-charts-jans, comp-docker-jans-all-in-one, comp-docker-jans-auth-server, comp-docker-jans-casa, comp-docker-jans-certmanager, comp-docker-jans-config-api, comp-docker-jans-configurator, comp-docker-jans-fido2, comp-docker-jans-kc-scheduler, comp-docker-jans-link, comp-docker-jans-monolith, comp-jans-config-api, comp-jans-fido2, comp-jans-keycloak-link, comp-jans-link on Oct 11, 2024
@iromli iromli marked this pull request as ready for review October 11, 2024 17:38
@iromli iromli requested a review from moabu as a code owner October 11, 2024 17:38
@moabu moabu changed the title feat(cloud-native): remove support for ldap persistence feat(cloud-native)!: remove support for ldap persistence Oct 11, 2024
@iromli removed labels comp-jans-pycloudlib, comp-jans-config-api, comp-jans-fido2, comp-jans-keycloak-link, comp-jans-link on Oct 11, 2024