Background:
I need to install a series of tools such as Jenkins, Spinnaker and GitLab, and the account system is the annoying part of that. A couple of years ago I tried OpenLDAP for unified account management and authentication, and now I want to use it again to consolidate the account systems of several applications (mainly because I want to get Spinnaker up). The setup basically follows https://mutoulazy.github.io/2021/04/01/kubernetes/openLDAP/#%E5%9C%A8k8s%E4%B8%AD%E9%83%A8%E7%BD%B2. That author's config files are rather messy, though: at the very least the PV and PVC should be created first, right? The YAML is in a jumbled order because it was all exported after the services had already been created..... Two more write-ups are also worth referencing: "Kubernetes - - k8s - v1.12.3 OpenLDAP统一认证" and "kubernetes实战(十一):k8s使用openLDAP统一认证" (both on OpenLDAP unified authentication for k8s).
Anyway, let's combine these and get it done!
Deploying OpenLDAP on Kubernetes
1. Create the PVCs
The default StorageClass is cbs; I use Tencent Cloud CBS block storage directly (the minimum size is 10G and it grows in 10G steps).
cat <<EOF > pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-data-pvc
  namespace: kube-ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-config-pvc
  namespace: kube-ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
EOF
kubectl apply -f pvc.yaml
2. Create the LDAP Deployment and Service
cat <<EOF > ldap-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: kube-ops
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: 认证中心
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          env:
            - name: LDAP_ORGANISATION
              value: devops
            - name: LDAP_DOMAIN
              value: xxx.com
            - name: LDAP_ADMIN_PASSWORD
              value: xxxxxxxx
            - name: LDAP_CONFIG_PASSWORD
              value: xxxxxxx
            - name: LDAP_BACKEND
              value: mdb
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config-pvc
              mountPath: /etc/ldap/slapd.d
            - name: ldap-data-pvc
              mountPath: /var/lib/ldap
      volumes:
        - name: ldap-config-pvc
          persistentVolumeClaim:
            claimName: ldap-config-pvc
        - name: ldap-data-pvc
          persistentVolumeClaim:
            claimName: ldap-data-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: kube-ops
  labels:
    app: openldap-svc
spec:
  ports:
    - name: tcp-389
      port: 389
      protocol: TCP
      targetPort: 389
    - name: tcp-636
      port: 636
      protocol: TCP
      targetPort: 636
  selector:
    app: openldap
EOF
kubectl apply -f ldap-deployment.yaml
kubectl logs -f openldap-6d9859cdb-944pp -n kube-ops
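The Deployment above carries LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD as literal values, so the passwords end up in whatever repository holds ldap-deployment.yaml and are readable by anyone who can run `kubectl get deployment -o yaml` in kube-ops. The following is an added example (not from the original post or the osixia project) of the same two variables supplied from a Kubernetes Secret instead. The Secret name `openldap-admin`, its keys `admin-password` and `config-password`, and the CHANGE-ME values are assumptions for illustration; only the env section of the openldap container changes, everything else in the Deployment stays as in the original file.

```yaml
# Added example. Step 1: create the Secret out of band so the passwords never
# sit in a committed manifest (values are placeholders):
#   kubectl -n kube-ops create secret generic openldap-admin \
#     --from-literal=admin-password='CHANGE-ME-admin' \
#     --from-literal=config-password='CHANGE-ME-config'
#
# Step 2: in ldap-deployment.yaml replace the two literal password entries of the
# openldap container with references to that Secret. Fragment shown at container
# level; replicas, selector, ports, resources and volumes are unchanged.
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          env:
            - name: LDAP_ORGANISATION
              value: devops
            - name: LDAP_DOMAIN
              value: xxx.com
            - name: LDAP_BACKEND
              value: mdb
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-admin      # assumed Secret name
                  key: admin-password
            - name: LDAP_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-admin
                  key: config-password
```

A Secret is only base64-encoded in the API, so restrict who can read Secrets in kube-ops with RBAC and make sure etcd encryption at rest is enabled. Also keep in mind that osixia/openldap applies LDAP_ADMIN_PASSWORD only when it bootstraps an empty database on the ldap-data-pvc volume; once the directory exists, rotating the Secret does not change the stored admin password, which has to be changed in LDAP itself (for example with ldappasswd).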
3. Create the phpLDAPadmin Deployment and Service
cat <<EOF > ldap-phpldapadmin.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ldap-phpldapadmin
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: LDAP在线工具
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-phpldapadmin
  template:
    metadata:
      labels:
        app: ldap-phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: 'osixia/phpldapadmin:stable'
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          env:
            - name: PHPLDAPADMIN_HTTPS
              value: 'false'
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: openldap-svc
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: ldap-phpldapadmin-svc
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin-svc
spec:
  ports:
    - name: tcp-80
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: ldap-phpldapadmin
EOF
kubectl apply -f ldap-phpldapadmin.yaml
kubectl get svc -n kube-ops
4. Create the Ingress proxy
cat <<EOF > traefik-ldap.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: ldap.xxx.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: ldap-phpldapadmin-svc
                port:
                  number: 80
EOF
kubectl apply -f traefik-ldap.yaml
5. Verification
Open the phpLDAPadmin UI (host ldap.xxx.com from the Ingress above) and log in with:
Login DN: cn=admin,dc=xxx,dc=com
Password: the value of the LDAP_ADMIN_PASSWORD environment variable
It really gives you that ancient-web-page feeling:
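Logging in through the UI proves the admin bind once; a check that can be re-run (for example after a restart, when the PVCs must have preserved the database) is a one-off Job that binds to the Service from step 2 with ldapsearch and also confirms that a wrong password is refused. This is an added example, not part of the original post. It assumes a Secret `openldap-admin` in kube-ops whose key `admin-password` holds the same value as LDAP_ADMIN_PASSWORD (create it with `kubectl -n kube-ops create secret generic openldap-admin --from-literal=admin-password='<that value>'`), and that the osixia/openldap image ships the ldap-utils client tools.

```yaml
# Added example: an in-cluster bind check against openldap-svc.
apiVersion: batch/v1
kind: Job
metadata:
  name: ldap-bind-check
  namespace: kube-ops
spec:
  backoffLimit: 0                 # fail fast: a refused bind should not be retried
  ttlSecondsAfterFinished: 600    # clean the finished Job up after 10 minutes
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: ldapsearch
          image: 'osixia/openldap:1.5.0'   # assumed to contain ldapsearch (ldap-utils)
          env:
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-admin     # assumed Secret name
                  key: admin-password
          # command replaces the image entrypoint, which would otherwise start slapd
          command:
            - /bin/sh
            - -c
            - |
              set -e
              URL=ldap://openldap-svc.kube-ops.svc:389
              ADMIN_DN='cn=admin,dc=xxx,dc=com'
              BASE_DN='dc=xxx,dc=com'

              # Positive check: simple bind as admin and list the DNs under the base.
              # ldapsearch exits non-zero (49 for invalid credentials), failing the Job.
              ldapsearch -x -LLL -H "$URL" -D "$ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" \
                -b "$BASE_DN" '(objectClass=*)' dn

              # Negative check: a bogus password must be refused, otherwise the
              # server is not actually authenticating binds.
              if ldapsearch -x -H "$URL" -D "$ADMIN_DN" -w 'definitely-not-the-password' \
                   -b "$BASE_DN" -s base '(objectClass=*)' >/dev/null 2>&1; then
                echo 'ERROR: server accepted a wrong admin password' >&2
                exit 1
              fi
              echo 'bind check passed'
```

Run it with `kubectl apply -f ldap-bind-check.yaml`, then `kubectl -n kube-ops wait --for=condition=complete --timeout=60s job/ldap-bind-check` and `kubectl -n kube-ops logs job/ldap-bind-check`; a wait that times out means the bind failed, and the log shows which of the two checks did.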
That's it for now; next I'll test the Spinnaker integration. It's been almost a year since I last touched it, and once it works I'll write up the integration with Spinnaker, Jenkins and other applications together!