open-metadata · RounakDhillon · Dec 16, 2024
diff --git a/openmetadata-docs/content/v1.5.x/deployment/security/ldap/kubernetes.md b/openmetadata-docs/content/v1.5.x/deployment/security/ldap/kubernetes.md
@@ -0,0 +1,109 @@
+---
+title: Ldap Authentication for Kubernetes
+slug: /deployment/security/ldap/kubernetes
+collate: false
+---
+
+# LDAP Authentication for Kubernetes
+
+This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
+
+## Authentication Configuration
+
+Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
+
+```yaml
+global:
+  authentication:
+    provider: ldap
+    enableSelfSignup: false
+    publicKeyUrls:
+      - "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
+    authority: "https://<your-domain>" # Replace with your domain
+    ldapConfiguration:
+      host: "ldap.example.com"  # Replace with your LDAP server hostname
+      port: 636  # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
+      dnAdminPrincipal: "cn=admin,dc=example,dc=com"  # LDAP admin user DN
+      dnAdminPassword: "your-secret-password"  # Password for the admin user
+      userBaseDN: "ou=users,dc=example,dc=com"  # Base DN for LDAP users
+      mailAttributeName: "mail"  # Attribute for email in the LDAP schema
+      sslEnabled: true  # Enable SSL for secure LDAP
+      truststoreConfigType: "TrustAll"  # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
+      trustStoreConfig:
+        trustAllConfig:
+          examineValidityDates: true  # Reject certificates outside the validity window
+  authorizer:
+    adminPrincipals: ["admin"]  # Add admin users here
+    principalDomain: "example.com"  # Organization domain for principal matching
+openmetadata:
+  server:
+    configOverrides:
+      security:
+        authProvider: ldap
+        jwtToken:
+          enabled: true  # Enable JWT tokens for secure communication
+          publicKeyUrls:
+            - "https://<your-domain>/api/v1/system/config/jwks"  # Replace with your domain
+
+## Mandatory Fields for LDAP Configuration
+
+- **provider**: Set to `ldap` for enabling LDAP authentication.
+- **publicKeyUrls**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
+- **authority**: Specify your domain (e.g., `your_domain`).
+- **enableSelfSignup**: Set to `false` for LDAP.
+
+## Key LDAP Fields
+
+- **host**: Hostname of the LDAP server (e.g., `localhost`).
+- **port**: Port of the LDAP server (e.g., `10636`).
+- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
+- **dnAdminPassword**: Password for the admin principal.
+- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
+
+## Optional Advanced Configuration
+
+- **maxPoolSize**: Maximum connection pool size.
+- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
+- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
+
+## Example: TrustStore Configurations
+
+### TrustAll Configuration
+
+```truststoreConfigType: TrustAll
+trustStoreConfig:
+  trustAllConfig:
+    examineValidityDates: true
+
+### JVMDefault Configuration
+
+```yaml
+truststoreConfigType: JVMDefault
+trustStoreConfig:
+  jvmDefaultConfig:
+    verifyHostname: true
+
+
+### HostName Configuration
+
+```yaml
+truststoreConfigType: HostName
+trustStoreConfig:
+  hostNameConfig:
+    allowWildCards: false
+    acceptableHostNames: [localhost]
+
+
+### CustomTrustStore Configuration
+
+```yaml
+truststoreConfigType: CustomTrustStore
+trustStoreConfig:
+  customTrustManagerConfig:
+    trustStoreFilePath: /path/to/truststore.jks
+    trustStoreFilePassword: password
+    trustStoreFileFormat: JKS
+    verifyHostname: true
+    examineValidityDates: true
+
+{% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.5.x/menu.md b/openmetadata-docs/content/v1.5.x/menu.md
@@ -75,6 +75,8 @@ site_menu:
     url: /deployment/security/ldap/docker
   - category: Deployment / Enable Security / Ldap Authentication / Bare Metal
     url: /deployment/security/ldap/bare-metal
+  - category: Deployment / Enable Security / Ldap Authentication / Kubernetes
+    url: /deployment/security/ldap/kubernetes
   - category: Deployment / Enable Security / Auth0 SSO
     url: /deployment/security/auth0
   - category: Deployment / Enable Security / Auth0 SSO / Docker

diff --git a/openmetadata-docs/content/v1.6.x/deployment/security/ldap/kubernetes.md b/openmetadata-docs/content/v1.6.x/deployment/security/ldap/kubernetes.md
@@ -0,0 +1,109 @@
+---
+title: Ldap Authentication for Kubernetes
+slug: /deployment/security/ldap/kubernetes
+collate: false
+---
+
+# LDAP Authentication for Kubernetes
+
+This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
+
+## Authentication Configuration
+
+Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
+
+```yaml
+global:
+  authentication:
+    provider: ldap
+    enableSelfSignup: false
+    publicKeyUrls:
+      - "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
+    authority: "https://<your-domain>" # Replace with your domain
+    ldapConfiguration:
+      host: "ldap.example.com"  # Replace with your LDAP server hostname
+      port: 636  # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
+      dnAdminPrincipal: "cn=admin,dc=example,dc=com"  # LDAP admin user DN
+      dnAdminPassword: "your-secret-password"  # Password for the admin user
+      userBaseDN: "ou=users,dc=example,dc=com"  # Base DN for LDAP users
+      mailAttributeName: "mail"  # Attribute for email in the LDAP schema
+      sslEnabled: true  # Enable SSL for secure LDAP
+      truststoreConfigType: "TrustAll"  # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
+      trustStoreConfig:
+        trustAllConfig:
+          examineValidityDates: true  # Reject certificates outside the validity window
+  authorizer:
+    adminPrincipals: ["admin"]  # Add admin users here
+    principalDomain: "example.com"  # Organization domain for principal matching
+openmetadata:
+  server:
+    configOverrides:
+      security:
+        authProvider: ldap
+        jwtToken:
+          enabled: true  # Enable JWT tokens for secure communication
+          publicKeyUrls:
+            - "https://<your-domain>/api/v1/system/config/jwks"  # Replace with your domain
+
+## Mandatory Fields for LDAP Configuration
+
+- **provider**: Set to `ldap` for enabling LDAP authentication.
+- **publicKeyUrls**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
+- **authority**: Specify your domain (e.g., `your_domain`).
+- **enableSelfSignup**: Set to `false` for LDAP.
+
+## Key LDAP Fields
+
+- **host**: Hostname of the LDAP server (e.g., `localhost`).
+- **port**: Port of the LDAP server (e.g., `10636`).
+- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
+- **dnAdminPassword**: Password for the admin principal.
+- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
+
+## Optional Advanced Configuration
+
+- **maxPoolSize**: Maximum connection pool size.
+- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
+- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
+
+## Example: TrustStore Configurations
+
+### TrustAll Configuration
+
+```truststoreConfigType: TrustAll
+trustStoreConfig:
+  trustAllConfig:
+    examineValidityDates: true
+
+### JVMDefault Configuration
+
+```yaml
+truststoreConfigType: JVMDefault
+trustStoreConfig:
+  jvmDefaultConfig:
+    verifyHostname: true
+
+
+### HostName Configuration
+
+```yaml
+truststoreConfigType: HostName
+trustStoreConfig:
+  hostNameConfig:
+    allowWildCards: false
+    acceptableHostNames: [localhost]
+
+
+### CustomTrustStore Configuration
+
+```yaml
+truststoreConfigType: CustomTrustStore
+trustStoreConfig:
+  customTrustManagerConfig:
+    trustStoreFilePath: /path/to/truststore.jks
+    trustStoreFilePassword: password
+    trustStoreFileFormat: JKS
+    verifyHostname: true
+    examineValidityDates: true
+
+{% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.6.x/menu.md b/openmetadata-docs/content/v1.6.x/menu.md
@@ -75,6 +75,8 @@ site_menu:
     url: /deployment/security/ldap/docker
   - category: Deployment / Enable Security / Ldap Authentication / Bare Metal
     url: /deployment/security/ldap/bare-metal
+  - category: Deployment / Enable Security / Ldap Authentication / Kubernetes
+    url: /deployment/security/ldap/kubernetes
   - category: Deployment / Enable Security / Auth0 SSO
     url: /deployment/security/auth0
   - category: Deployment / Enable Security / Auth0 SSO / Docker

diff --git a/openmetadata-docs/content/v1.7.x-SNAPSHOT/deployment/security/ldap/kubernetes.md b/openmetadata-docs/content/v1.7.x-SNAPSHOT/deployment/security/ldap/kubernetes.md
@@ -0,0 +1,109 @@
+---
+title: Ldap Authentication for Kubernetes
+slug: /deployment/security/ldap/kubernetes
+collate: false
+---
+
+# LDAP Authentication for Kubernetes
+
+This guide outlines how to configure LDAP authentication for Kubernetes deployments of OpenMetadata. It includes details on required configurations, optional settings, and best practices to ensure secure and efficient authentication.
+
+## Authentication Configuration
+
+Update the `openmetadata.yaml` file with the following settings to enable LDAP authentication:
+
+```yaml
+global:
+  authentication:
+    provider: ldap
+    enableSelfSignup: false
+    publicKeyUrls:
+      - "https://<your-domain>/api/v1/system/config/jwks" # Replace with your domain
+    authority: "https://<your-domain>" # Replace with your domain
+    ldapConfiguration:
+      host: "ldap.example.com"  # Replace with your LDAP server hostname
+      port: 636  # Use 636 for secure LDAP (LDAPS) or 389 for standard LDAP
+      dnAdminPrincipal: "cn=admin,dc=example,dc=com"  # LDAP admin user DN
+      dnAdminPassword: "your-secret-password"  # Password for the admin user
+      userBaseDN: "ou=users,dc=example,dc=com"  # Base DN for LDAP users
+      mailAttributeName: "mail"  # Attribute for email in the LDAP schema
+      sslEnabled: true  # Enable SSL for secure LDAP
+      truststoreConfigType: "TrustAll"  # Trust store type (options: TrustAll, JVMDefault, HostName, CustomTrustStore)
+      trustStoreConfig:
+        trustAllConfig:
+          examineValidityDates: true  # Reject certificates outside the validity window
+  authorizer:
+    adminPrincipals: ["admin"]  # Add admin users here
+    principalDomain: "example.com"  # Organization domain for principal matching
+openmetadata:
+  server:
+    configOverrides:
+      security:
+        authProvider: ldap
+        jwtToken:
+          enabled: true  # Enable JWT tokens for secure communication
+          publicKeyUrls:
+            - "https://<your-domain>/api/v1/system/config/jwks"  # Replace with your domain
+
+## Mandatory Fields for LDAP Configuration
+
+- **provider**: Set to `ldap` for enabling LDAP authentication.
+- **publicKeyUrls**: Provide the public key URL in the format `{http|https}://{your_domain}:{port}/api/v1/system/config/jwks`.
+- **authority**: Specify your domain (e.g., `your_domain`).
+- **enableSelfSignup**: Set to `false` for LDAP.
+
+## Key LDAP Fields
+
+- **host**: Hostname of the LDAP server (e.g., `localhost`).
+- **port**: Port of the LDAP server (e.g., `10636`).
+- **dnAdminPrincipal**: The Distinguished Name (DN) of the admin principal (e.g., `cn=admin,dc=example,dc=com`).
+- **dnAdminPassword**: Password for the admin principal.
+- **userBaseDN**: Base DN for user lookups (e.g., `ou=people,dc=example,dc=com`).
+
+## Optional Advanced Configuration
+
+- **maxPoolSize**: Maximum connection pool size.
+- **sslEnabled**: Set to `true` to enable SSL connections to the LDAP server.
+- **truststoreConfigType**: Determines the type of trust store to use (`CustomTrustStore`, `HostName`, `JVMDefault`, or `TrustAll`).
+
+## Example: TrustStore Configurations
+
+### TrustAll Configuration
+
+```truststoreConfigType: TrustAll
+trustStoreConfig:
+  trustAllConfig:
+    examineValidityDates: true
+
+### JVMDefault Configuration
+
+```yaml
+truststoreConfigType: JVMDefault
+trustStoreConfig:
+  jvmDefaultConfig:
+    verifyHostname: true
+
+
+### HostName Configuration
+
+```yaml
+truststoreConfigType: HostName
+trustStoreConfig:
+  hostNameConfig:
+    allowWildCards: false
+    acceptableHostNames: [localhost]
+
+
+### CustomTrustStore Configuration
+
+```yaml
+truststoreConfigType: CustomTrustStore
+trustStoreConfig:
+  customTrustManagerConfig:
+    trustStoreFilePath: /path/to/truststore.jks
+    trustStoreFilePassword: password
+    trustStoreFileFormat: JKS
+    verifyHostname: true
+    examineValidityDates: true
+
+{% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/openmetadata-docs/content/v1.7.x-SNAPSHOT/menu.md b/openmetadata-docs/content/v1.7.x-SNAPSHOT/menu.md
@@ -75,6 +75,8 @@ site_menu:
     url: /deployment/security/ldap/docker
   - category: Deployment / Enable Security / Ldap Authentication / Bare Metal
     url: /deployment/security/ldap/bare-metal
+   - category: Deployment / Enable Security / Ldap Authentication / Kubernetes
+    url: /deployment/security/ldap/kubernetes  
   - category: Deployment / Enable Security / Auth0 SSO
     url: /deployment/security/auth0
   - category: Deployment / Enable Security / Auth0 SSO / Docker