[Merged by Bors] - Kerberos AD backend

default.nix

@@ -19,6 +19,12 @@
         LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
         BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang.cc.lib}/lib/clang/${pkgs.lib.getVersion pkgs.clang.cc}/include";
       };
+      libgssapi-sys = attrs: {
+        nativeBuildInputs = [ pkgs.pkg-config ];
+        buildInputs = [ (pkgs.enableDebugging pkgs.krb5) ];
+        LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
+        BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang.cc.lib}/lib/clang/${pkgs.lib.getVersion pkgs.clang.cc}/include";
+      };
     };
   }
 , meta ? pkgs.lib.importJSON ./nix/meta.json

deploy/helm/secret-operator/crds/crds.yaml

@@ -79,7 +79,44 @@ spec:
                           oneOf:
                             - required:
                                 - mit
+                            - required:
+                                - activeDirectory
                           properties:
+                            activeDirectory:
+                              properties:
+                                ldapServer:
+                                  type: string
+                                ldapTlsCaSecret:
+                                  description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                passwordCacheSecret:
+                                  description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
+                                  properties:
+                                    name:
+                                      description: name is unique within a namespace to reference a secret resource.
+                                      type: string
+                                    namespace:
+                                      description: namespace defines the space within which the secret name must be unique.
+                                      type: string
+                                  type: object
+                                schemaDistinguishedName:
+                                  type: string
+                                userDistinguishedName:
+                                  type: string
+                              required:
+                                - ldapServer
+                                - ldapTlsCaSecret
+                                - passwordCacheSecret
+                                - schemaDistinguishedName
+                                - userDistinguishedName
+                              type: object
                             mit:
                               properties:
                                 kadminServer:

docs/modules/secret-operator/pages/secretclass.adoc

@@ -63,7 +63,7 @@ spec:
 
 Creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
 
-IMPORTANT: Only MIT Kerberos (krb5) is supported. Heimdal and Active Directory are not supported.
+IMPORTANT: Only MIT Kerberos (krb5) and Active Directory are currently supported. Heimdal is not supported.
 
 Principals will be created dynamically if they do not already exist.
 
@@ -81,6 +81,19 @@ spec:
       admin:
         mit:
           kadminServer: krb5-kdc
+        # or...
+        activeDirectory:
+          # ldapServer must match the AD Domain Controller's FQDN or GSSAPI authn will fail
+          # You may need to set AD as your fallback DNS resolver in your Kube DNS Corefile
+          ldapServer: addc.example.com
+          ldapTlsCaSecret:
+            namespace: default
+            name: secret-operator-ad-ca
+          passwordCacheSecret:
+            namespace: default
+            name: secret-operator-ad-passwords
+          userDistinguishedName: CN=Users,DC=sble,DC=test
+          schemaDistinguishedName: CN=Schema,CN=Configuration,DC=sble,DC=test
       adminKeytabSecret:
         namespace: default
         name: secret-provisioner-keytab
@@ -90,7 +103,14 @@ spec:
 `kerberosKeytab`:: Declares that the `kerberosKeytab` backend is used.
 `kerberosKeytab.realmName`:: The name of the Kerberos realm. This should be provided by the Kerberos administrator.
 `kerberosKeytab.kdc`:: The hostname of the Kerberos Key Distribution Center (KDC). This should be provided by the Kerberos administrator.
+`kerberosKeytab.admin.mit`:: Credentials should be provisioned in a MIT Kerberos Admin Server.
 `kerberosKeytab.admin.mit.kadminServer`:: The hostname of the Kerberos Admin Server. This should be provided by the Kerberos administrator.
+`kerberosKeytab.admin.activeDirectory`:: Credentials should be provisioned in a Microsoft Active Directory domain.
+`kerberosKeytab.admin.activeDirectory.ldapServer`:: An AD LDAP server, such as the AD Domain Controller. This _must_ match the server's FQDN, or GSSAPI authentication will fail.
+`kerberosKeytab.admin.activeDirectory.ldapTlsCaSecret`:: Reference (`name` and `namespace`) to a K8s `Secret` object containing the TLS CA (in `ca.crt`) that the LDAP server's certificate should be authenticated against.
+`kerberosKeytab.admin.activeDirectory.passwordCacheSecret`:: Reference (`name` and `namespace`) to a K8s `Secret` object where workload passwords will be stored. This _must not_ be accessible to end users.
+`kerberosKeytab.admin.activeDirectory.userDistinguishedName`:: The root Distinguished Name (DN) where service accounts should be provisioned, typically `CN=Users,{domain_dn}`.
+`kerberosKeytab.admin.activeDirectory.schemaDistinguishedName`:: The root Distinguished Name (DN) for AD-managed schemas, typically `CN=Schema,CN=Configuration,{domain_dn}`.
 `kerberosKeytab.adminKeytabSecret`:: Reference (`name` and `namespace`) to a K8s `Secret` object where a keytab with administrative privileges is stored in the key `keytab`.
 `kerberosKeytab.adminPrincipal`:: The name of the Kerberos principal to be used by the Secret Operator. This should be provided by the Kerberos administrator. The credentials for this principal must be stored in the keytab (`adminKeytabSecret`).
 

rust/krb5-provision-keytab/Cargo.toml

@@ -15,6 +15,12 @@ krb5 = { path = "../krb5" }
 serde = { version = "1.0.152", features = ["derive"] }
 serde_json = "1.0.93"
 snafu = "0.7.4"
-tokio = { version = "1.25.0", features = ["io-util", "process"] }
+tokio = { version = "1.25.0", features = ["io-util", "process", "rt-multi-thread", "macros"] }
 tracing = "0.1.37"
 tracing-subscriber = "0.3.16"
+ldap3 = { version = "0.11.1", default-features = false, features = ["gssapi", "tls"] }
+byteorder = "1.4.3"
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.27.1" }
+rand = "0.8.5"
+native-tls = "0.2.11"
+futures = "0.3.28"