1、使用 rbd 作为存储，创建认证 Secret 以及 PV，并创建 namespace：public-service
cat ldap-secret.yaml
# Ceph RBD authentication Secret; rbd-pv.yaml references it through
# spec.rbd.secretRef so the kubelet can map the image.
apiVersion: "v1"
kind: "Secret"
metadata:
  namespace: public-service
  name: "ldap-secret"
type: "kubernetes.io/rbd"
data:
  # base64-encoded (NOT encrypted) key of the Ceph user named in the PV
  # (user: admin). Anyone who can read this Secret, this file, or the
  # repository history holds the Ceph admin credential — keep it out of
  # published manifests and rotate it once it has been shared.
  key: QVFBbU9ZSmNUSWQ3TlJBQVhKeWh3c2ZtQkhzQzZ2VGJ4UVZvVWc9PQ==
cat rbd-pv.yaml
# Static PV backed by a pre-created Ceph RBD image; the PVC in
# ldap-deployment.yaml binds it via the matching storageClassName.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: openldap-data-pv
  # PersistentVolumes are cluster-scoped; this namespace field is ignored
  # (harmless, but misleading to readers).
  namespace: public-service
spec:
  capacity:
    storage: 20Gi
  # NOTE(review): RBD supports ReadWriteOnce and ReadOnlyMany, not
  # ReadWriteMany — the image is a block device formatted ext4 (fsType
  # below). The PV still binds because Kubernetes does not validate modes
  # against the backend, but more than one ldap replica would mount the
  # same ext4 image on several nodes. Use ReadWriteOnce here and on the PVC.
  accessModes:
    - ReadWriteMany
  storageClassName: openldap-data-pv
  rbd:
    monitors:
      - '10.75.32.226:6789'
      - '10.75.32.230:6789'
      - '10.75.32.231:6789'
    pool: rbd-k8s
    # The image must already exist in the pool: this is a static PV, no
    # provisioner creates it.
    image: cephldap
    # Ceph admin user. Least privilege would be a dedicated Ceph user whose
    # caps are limited to pool rbd-k8s, so a leaked ldap-secret cannot
    # reach other pools.
    user: admin
    # No namespace is given; presumably resolved where the Secret lives
    # (public-service) — the PVC bound, so it worked in this cluster.
    secretRef:
      name: ldap-secret
    fsType: ext4
    readOnly: false
  # Recycle (rm -rf of the contents) is deprecated and only implemented
  # for NFS and HostPath; an rbd PV released with this policy will likely
  # end up Failed rather than reusable. Retain keeps the directory data and
  # leaves the decision to an operator.
  persistentVolumeReclaimPolicy: Recycle
从github取得openldap的yaml文件。
git clone https://github.com/atjapan2015/kuberneteshandson.git
1、在各文件中添加或修改为自己的 DN，我的为 dashboard.com
启动deployment和service。
[root@k8s-master openldap]# cat ldap-deployment.yaml
# OpenLDAP (osixia/openldap) Deployment plus the PVC that binds the RBD PV.
# NOTE(review): extensions/v1beta1 Deployment was removed in Kubernetes
# 1.16; apps/v1 additionally requires spec.selector.matchLabels (app: ldap).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ldap
  namespace: public-service
  labels:
    app: ldap
spec:
  # One replica is the only safe value while the volume is a single
  # ext4-formatted RBD image (see the ReadWriteMany note in rbd-pv.yaml).
  replicas: 1
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: osixia/openldap:1.2.1
          # Three subPaths of the same PVC: database, slapd.d config and
          # the TLS material under the image's certs directory.
          volumeMounts:
            - name: openldap-data
              mountPath: /var/lib/ldap
              subPath: ldap-data
            - name: openldap-data
              mountPath: /etc/ldap/slapd.d
              subPath: ldap-config
            - name: openldap-data
              mountPath: /container/service/slapd/assets/certs
              subPath: ldap-certs
          ports:
            - containerPort: 389
              name: openldap
            - name: ssl-ldap-port
              containerPort: 636
          # Both probes only check that 389 accepts a TCP connection, not
          # that slapd can answer a bind.
          livenessProbe:
            tcpSocket:
              port: openldap
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 10
          readinessProbe:
            tcpSocket:
              port: openldap
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 10
          env:
            # 256 = slapd "stats" log level (connections, operations, results).
            - name: LDAP_LOG_LEVEL
              value: "256"
            - name: LDAP_ORGANISATION
              value: "Dashboard Inc."
            - name: LDAP_DOMAIN
              value: "dashboard.com"
            # The three passwords below are the image's example defaults and
            # sit in cleartext in the Deployment: readable by anyone with
            # get on deployments/pods in public-service and by the git
            # history. Move them to a Secret (valueFrom.secretKeyRef) and
            # pick non-default values before this directory holds real
            # accounts.
            - name: LDAP_ADMIN_PASSWORD
              value: "admin"
            - name: LDAP_CONFIG_PASSWORD
              value: "config"
            # Read-only user is disabled, so the two settings after it are inert.
            - name: LDAP_READONLY_USER
              value: "false"
            - name: LDAP_READONLY_USER_USERNAME
              value: "readonly"
            - name: LDAP_READONLY_USER_PASSWORD
              value: "readonly"
            - name: LDAP_RFC2307BIS_SCHEMA
              value: "false"
            - name: LDAP_BACKEND
              value: "mdb"
            # TLS is enabled but not enforced (LDAP_TLS_ENFORCE "false"):
            # clients may still bind in cleartext on 389. Set it to "true",
            # or stop exposing 389, once every client uses LDAPS/StartTLS.
            - name: LDAP_TLS
              value: "true"
            - name: LDAP_TLS_CRT_FILENAME
              value: "ldap.crt"
            - name: LDAP_TLS_KEY_FILENAME
              value: "ldap.key"
            - name: LDAP_TLS_CA_CRT_FILENAME
              value: "ca.crt"
            - name: LDAP_TLS_ENFORCE
              value: "false"
            - name: LDAP_TLS_CIPHER_SUITE
              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
            # "demand" rejects any TLS client that does not present a
            # certificate signed by ca.crt. phpldapadmin is configured
            # without client TLS, which presumably is why it uses plain
            # LDAP — confirm before switching LDAP_TLS_ENFORCE on.
            - name: LDAP_TLS_VERIFY_CLIENT
              value: "demand"
            # Replication is off. The two SYNCPROV strings embed the admin /
            # config passwords ($LDAP_*_PASSWORD) and become live config the
            # moment LDAP_REPLICATION is set to "true".
            - name: LDAP_REPLICATION
              value: "false"
            - name: LDAP_REPLICATION_CONFIG_SYNCPROV
              value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_DB_SYNCPROV
              value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_HOSTS
              value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"
            - name: KEEP_EXISTING_CONFIG
              value: "false"
            - name: LDAP_REMOVE_CONFIG_AFTER_SETUP
              value: "true"
            - name: LDAP_SSL_HELPER_PREFIX
              value: "ldap"
      volumes:
        - name: openldap-data
          persistentVolumeClaim:
            claimName: openldap-data
---
# Claim that binds the static PV above by storageClassName. 1Gi is
# requested but the whole 20Gi PV is bound (a PV is matched as a unit,
# not carved up). ReadWriteMany mirrors the PV; see rbd-pv.yaml for why
# ReadWriteOnce is the mode RBD actually supports.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: public-service
  name: openldap-data
spec:
  accessModes: [ "ReadWriteMany" ]
  storageClassName: "openldap-data-pv"
  resources:
    requests:
      storage: 1Gi
[root@k8s-master openldap]# cat ldap-service.yaml
# ClusterIP Service in front of slapd; phpldapadmin reaches it by this
# name (ldap-service) from the same namespace.
apiVersion: v1
kind: Service
metadata:
  namespace: public-service
  labels:
    app: ldap
  name: ldap-service
spec:
  ports:
    # 389 is plain LDAP. With LDAP_TLS_ENFORCE "false" in
    # ldap-deployment.yaml, simple binds (admin password included) can
    # cross the pod network in cleartext; serving only 636, or enforcing
    # StartTLS on the server, closes that.
    - name: openldap
      port: 389
      protocol: TCP
      targetPort: openldap
    - name: ssl-ldap-port
      protocol: TCP
      port: 636
      targetPort: ssl-ldap-port
  selector:
    app: ldap
[root@k8s-master openldap]# cat phpldapadmin-deployment.yaml
# phpLDAPadmin web UI, generated by kompose (hence the kompose.*
# annotations, creationTimestamp: null and the empty strategy /
# resources / status stubs).
# NOTE(review): extensions/v1beta1 Deployment was removed in Kubernetes
# 1.16; apps/v1 also requires spec.selector.matchLabels
# (io.kompose.service: phpldapadmin).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: public-service
  annotations:
    kompose.cmd: kompose convert -f docker-compose.yml
    kompose.version: 1.16.0 (0c01309)
  creationTimestamp: null
  labels:
    io.kompose.service: phpldapadmin
  name: phpldapadmin
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        io.kompose.service: phpldapadmin
    spec:
      containers:
        - env:
            # Plain HTTP on port 80 inside the pod; TLS is terminated by the
            # ldap-ui Ingress, so only the ingress-to-pod hop is unencrypted.
            - name: PHPLDAPADMIN_HTTPS
              value: "false"
            # Resolves to the ClusterIP Service in the same namespace. No
            # client TLS setting is given, so the UI presumably binds to
            # ldap-service:389 in cleartext — confirm against the image docs.
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: ldap-service
          image: osixia/phpldapadmin:0.7.1
          name: phpldapadmin
          ports:
            - containerPort: 80
          # No CPU/memory requests or limits; a runaway UI process can
          # starve neighbours on the node.
          resources: {}
      restartPolicy: Always
status: {}
cat phpldapadmin-service.yaml
# ClusterIP Service for the phpldapadmin pod; the ldap-ui Ingress targets
# servicePort 8080 of this Service.
apiVersion: v1
kind: Service
metadata:
  namespace: public-service
  annotations:
    kompose.cmd: kompose convert -f docker-compose.yml
    kompose.version: 1.16.0 (0c01309)
  creationTimestamp: null
  labels:
    io.kompose.service: phpldapadmin
  name: phpldapadmin
spec:
  ports:
    # Service port 8080 maps to the container's HTTP port 80.
    - name: "8080"
      port: 8080
      targetPort: 80
  selector:
    io.kompose.service: phpldapadmin
status:
  loadBalancer: {}
2、创建ldap-ui-ingress
# Ingress for the phpldapadmin UI. Each annotation is given twice
# (nginx.ingress.kubernetes.io/* and the legacy ingress.kubernetes.io/*
# spelling) so either generation of the nginx controller honours it.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# networking.k8s.io/v1 replaces it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: public-service
  annotations:
    # Redirect plain HTTP to HTTPS so the phpldapadmin login form is only
    # ever submitted over TLS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Only acts if an ACME controller (cert-manager / kube-lego) watches
    # this annotation; otherwise ingress-secret (below) has to be created
    # by hand in public-service before the Ingress is applied.
    kubernetes.io/tls-acme: "true"
    # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    # For nginx-ingress controller < 0.9.0.beta-18
    ingress.kubernetes.io/ssl-redirect: "true"
    # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size
    ingress.kubernetes.io/proxy-body-size: 50m
    ingress.kubernetes.io/proxy-request-buffering: "off"
spec:
  rules:
    # Nothing here restricts who can reach the UI: the phpldapadmin login
    # (backed by the LDAP admin password set in ldap-deployment.yaml) is
    # the only gate. A source allow-list
    # (nginx.ingress.kubernetes.io/whitelist-source-range) or an auth
    # annotation in front of it is worth adding for an admin tool.
    - http:
        paths:
          - path: /
            backend:
              serviceName: phpldapadmin
              servicePort: 8080
      host: ldap.dashboard.com
  tls:
    - hosts:
        - ldap.dashboard.com
      # Must be a kubernetes.io/tls Secret in public-service.
      secretName: ingress-secret
查看 service、deploy 和 pod 的启动情况。
[root@k8s-master openldap]# kubectl get po,svc,pvc,Ingress -n public-service | grep ldap
pod/ldap-6fcc976d77-j4mwf 1/1 Running 0 28s
pod/phpldapadmin-67bcfb5647-m9pzc 1/1 Running 0 27s
service/ldap-service ClusterIP 10.254.154.105
service/phpldapadmin ClusterIP 10.254.153.207
persistentvolumeclaim/openldap-data Bound openldap-data-pv 20Gi RWX openldap-data-pv 28s
ingress.extensions/ldap-ui ldap.dashboard.com 80, 443 27s
使用浏览器访问 phpldapadmin，地址为 ldap.dashboard.com。