06.k8s集群部署openldap

为了方便管理和集成jenkins,k8s、harbor、jenkins均使用openLDAP统一认证

组件版本

组件

版本

openldap

osixia/openldap:1.2.2

lam

7.4

安装ldap

创建pvc

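# Three ReadWriteOnce claims for the OpenLDAP pod: the mdb database, the
# slapd.d runtime config and the TLS material (ldap.crt/ldap.key/ca.crt that
# the deployment's LDAP_TLS_*_FILENAME variables point at).
# The heredoc delimiter is quoted so the shell writes the manifest literally.
cat > ldap-pvc.yaml << 'EOF'
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ldap-data-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: openebs-hostpath
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ldap-config-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: openebs-hostpath
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ldap-certs-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: openebs-hostpath
EOF
kubectl apply -f ldap-pvc.yaml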

创建deployment

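# OpenLDAP server Deployment + ClusterIP Service.
# The heredoc delimiter MUST be quoted ('EOF'): the LDAP_REPLICATION_* values
# below contain $LDAP_CONFIG_PASSWORD, $LDAP_ADMIN_PASSWORD and $LDAP_BASE_DN,
# which are meant to reach the container verbatim. With an unquoted heredoc
# the shell expands them to empty strings before the file is written.
cat > ladp-deployment.yaml << 'EOF'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap
  labels:
    app: ldap
spec:
  replicas: 1
  # The PVCs are ReadWriteOnce and the mdb database must never be opened by
  # two slapd processes at once; Recreate stops the old pod before a new one
  # is started instead of overlapping them as RollingUpdate does.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: ldap
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: osixia/openldap:1.2.2
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: ldap-config
              mountPath: /etc/ldap/slapd.d
            - name: ldap-certs
              mountPath: /container/service/slapd/assets/certs
          ports:
            # Only plain LDAP is published; see the note on LDAP_TLS_ENFORCE.
            - containerPort: 389
              name: openldap
          env:
            - name: LDAP_LOG_LEVEL
              value: "256"
            # The three site-specific settings: organisation, domain (becomes
            # the base DN dc=tk8s,dc=com used by the ldapsearch test) and the
            # admin password. Everything else can stay as is.
            - name: LDAP_ORGANISATION
              value: "tk8s"
            - name: LDAP_DOMAIN
              value: "tk8s.com"
            # Both passwords sit in clear text in this manifest and in
            # `kubectl get deploy ldap -o yaml`. For anything beyond a lab,
            # keep them in a Secret and reference it with
            # valueFrom.secretKeyRef instead of a literal value.
            - name: LDAP_ADMIN_PASSWORD
              value: "admin"
            - name: LDAP_CONFIG_PASSWORD
              value: "config"
            # Read-only account is disabled; the two values below are inert
            # until LDAP_READONLY_USER is set to "true".
            - name: LDAP_READONLY_USER
              value: "false"
            - name: LDAP_READONLY_USER_USERNAME
              value: "readonly"
            - name: LDAP_READONLY_USER_PASSWORD
              value: "readonly"
            - name: LDAP_RFC2307BIS_SCHEMA
              value: "false"
            - name: LDAP_BACKEND
              value: "mdb"
            # TLS is configured but not enforced: plain ldap:// on 389 is still
            # accepted (the ldapsearch check further down relies on that), so
            # bind passwords from k8s/harbor/jenkins can cross the network
            # unencrypted unless those clients use StartTLS. Set
            # LDAP_TLS_ENFORCE to "true" once every consumer speaks TLS.
            - name: LDAP_TLS
              value: "true"
            - name: LDAP_TLS_CRT_FILENAME
              value: "ldap.crt"
            - name: LDAP_TLS_KEY_FILENAME
              value: "ldap.key"
            - name: LDAP_TLS_CA_CRT_FILENAME
              value: "ca.crt"
            - name: LDAP_TLS_ENFORCE
              value: "false"
            # GnuTLS priority string: TLS 1.2 only, RSA key exchange and the
            # Camellia CBC suites removed.
            - name: LDAP_TLS_CIPHER_SUITE
              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
            # "demand" is expected to require a client certificate on TLS
            # connections (confirm against the image docs); clients without
            # one must then use plain 389 while enforcement is off.
            - name: LDAP_TLS_VERIFY_CLIENT
              value: "demand"
            # Replication is off; the three syncprov/host settings below are
            # only read when LDAP_REPLICATION is "true". The $LDAP_* tokens are
            # substituted by the image, not by the shell (see quoted heredoc).
            - name: LDAP_REPLICATION
              value: "false"
            - name: LDAP_REPLICATION_CONFIG_SYNCPROV
              value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_DB_SYNCPROV
              value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_HOSTS
              value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"
            - name: KEEP_EXISTING_CONFIG
              value: "false"
            - name: LDAP_REMOVE_CONFIG_AFTER_SETUP
              value: "true"
            - name: LDAP_SSL_HELPER_PREFIX
              value: "ldap"
      volumes:
        - name: ldap-data
          persistentVolumeClaim:
            claimName: ldap-data-pvc
        - name: ldap-config
          persistentVolumeClaim:
            claimName: ldap-config-pvc
        - name: ldap-certs
          persistentVolumeClaim:
            claimName: ldap-certs-pvc
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ldap
  name: ldap-service
spec:
  ports:
    # Plain LDAP only. If LDAPS clients are needed, 636 has to be added here
    # and to the container's ports list.
    - port: 389
  selector:
    app: ldap
EOF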

需要修改的地方有3处,其他不需要改动

  • LDAP_ORGANISATION 组织名称。默认为Example Inc.

  • LDAP_DOMAIN Ldap域。默认为example.org

  • LDAP_ADMIN_PASSWORD Ldap管理员密码。默认为admin

# Create (or update) the OpenLDAP Deployment and Service written above.
kubectl apply --filename=ladp-deployment.yaml

测试

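# Open a shell in the OpenLDAP pod. Addressing it through the Deployment
# avoids hard-coding a pod name that changes on every rollout.
kubectl exec -it deploy/ldap -- bash
# Simple bind as the admin DN over plain LDAP inside the pod. -W prompts for
# the password (LDAP_ADMIN_PASSWORD, "admin" above) instead of leaving it in
# shell history and `ps` output as -w would.
ldapsearch -x -H ldap://localhost -b dc=tk8s,dc=com -D "cn=admin,dc=tk8s,dc=com" -W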

若成功得到类似以下文本的返回值,代表服务启动成功。

安装ldap-lam

我这边dn写死在文件中,用的是dc=tk8s,dc=com

如需更改dn,先拉取镜像,修改 /var/www/html/config/lam.conf,然后重新 docker commit 生成新镜像

创建deployment

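# LDAP Account Manager (LAM) web UI: Deployment + ClusterIP Service.
# Quoted heredoc delimiter so the manifest is written literally.
cat > ladp-lam-deployment.yaml << 'EOF'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap-lam
  labels:
    app: ldap-lam
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-lam
  template:
    metadata:
      labels:
        app: ldap-lam
    spec:
      containers:
        # Container named after what it runs (LAM), not the LDAP server.
        - name: ldap-lam
          # Custom image: stock LAM with /var/www/html/config/lam.conf
          # (base DN dc=tk8s,dc=com) baked in via `docker commit`. Whatever is
          # stored in that file, including any saved credentials, is part of
          # the image layers; rebuild the image whenever the DN changes.
          image: tanmgweiwow/lam:v1
          ports:
            - containerPort: 80
              name: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ldap-lam
  name: ldap-lam-service
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: ldap-lam
EOF
kubectl apply -f ladp-lam-deployment.yaml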

创建ingress

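# Ingress publishing the LAM UI at lam.tk8s.com. No spec.tls is configured,
# so the login form (and the LDAP bind password typed into it) travels in
# clear text; add a `tls:` entry backed by a certificate Secret before
# exposing this outside a lab.
cat > lam-ingress.yaml << 'EOF'
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lam
spec:
  rules:
    - host: lam.tk8s.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ldap-lam-service
                port:
                  number: 80
EOF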

访问

登陆

添加组

添加用户

查看用户是否存在

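# Verify that the group/user created in LAM landed in the directory. Address
# the pod via the Deployment so the command survives pod re-creation.
kubectl exec -it deploy/ldap -- bash
# Bind as admin and dump the tree; -W prompts for LDAP_ADMIN_PASSWORD
# ("admin" above) rather than exposing it on the command line.
ldapsearch -x -H ldap://localhost -b dc=tk8s,dc=com -D "cn=admin,dc=tk8s,dc=com" -W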
