Kuberneters 搭建openLDAP

对你无可奈何

背景:

要安装一系列的工具 ,如:jenkins spinnaker gitlab。账号系统是一件烦人的事情。前两年自己也试过openladap这样的统一账号管理认证。现在就想再用一下.把几个软件的账户系统整合一下(主要是想上spinnaker了)。搭建方式基本参照:https://mutoulazy.github.io/2021/04/01/kubernetes/openLDAP/#%E5%9C%A8k8s%E4%B8%AD%E9%83%A8%E7%BD%B2。不过这个哥们写的配置文件也比较乱,起码的pv,pvc应该先创建吧?yaml顺序整的杂七乱八的都是创建了服务后导出的.....,另外还有这里两个的可以参考:Kubernetes - - k8s - v1.12.3 OpenLDAP统一认证kubernetes实战(十一):k8s使用openLDAP统一认证
反正就结合这几个搞一下吧!

kubernetes 搭建openLDAP

1.创建pvc

默认存储cbs,直接使用了腾讯云的cbs块存储(最小10G的步长也是10G)

cat <<EOF > pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-data-pvc
  namespace: kube-ops
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-config-pvc
  namespace: kube-ops
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
EOF
kubectl apply -f pvc.yaml

d92f7059ef9153eef2c605f6de376ec.png

2. 创建ldap deployment svc服务

cat <<EOF > ldap-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: kube-ops
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: 认证中心
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          env:
            - name: LDAP_ORGANISATION
              value: devops
            - name: LDAP_DOMAIN
              value: xxx.com
            - name: LDAP_ADMIN_PASSWORD
              value: xxxxxxxx
            - name: LDAP_CONFIG_PASSWORD
              value: xxxxxxx
            - name: LDAP_BACKEND
              value: mdb
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config-pvc
              mountPath: /etc/ldap/slapd.d
            - name: ldap-data-pvc
              mountPath: /var/lib/ldap
      volumes:
        - name: ldap-config-pvc
          persistentVolumeClaim:
            claimName: ldap-config-pvc
        - name: ldap-data-pvc
          persistentVolumeClaim:
            claimName: ldap-data-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: kube-ops
  labels:
    app: openldap-svc
spec:
  ports:
  - name: tcp-389
    port: 389
    protocol: TCP
    targetPort: 389
  - name: tcp-636
    port: 636
    protocol: TCP
    targetPort: 636
  selector:
    app: openldap
EOF
kubectl apply -f ldap-deployment.yaml    

image.png

kubectl logs -f openldap-6d9859cdb-944pp -n kube-ops

3.创建phpldap deployments svc服务

cat <<EOF >  ldap-phpldapadmin.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ldap-phpldapadmin
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: LDAP在线工具
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-phpldapadmin
  template:
    metadata:
      labels:
        app: ldap-phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: 'osixia/phpldapadmin:stable'
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          env:
            - name: PHPLDAPADMIN_HTTPS
              value: 'false'
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: openldap-svc
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: ldap-phpldapadmin-svc
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin-svc
spec:
  ports:
  - name: tcp-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: ldap-phpldapadmin
EOF
kubectl apply -f ldap-phpldapadmin.yaml 

6664a1c3e8ca504d0be4604c53e26f0.png

kubectl get svc -n kube-ops

image.png

4. 创建ingress 代理

cat <<EOF >  traefik-ldap.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik  
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: ldap.xxx.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: ldap-phpldapadmin-svc
            port: 
              number: 80
EOF
kubectl apply -f traefik-ldap.yaml

5. 验证

登陆 https://ldap.xxxx.com

Login DN:

cn=admin,dc=xxx,dc=com
Password:
系统变量中的:LDAP_ADMIN_PASSWORD

image.png
深深的感受到了远古页面的感觉:
image.png
先整到这里 ,然后测试一下spinnaker集成。快一年没有搞了,整通了一起测试写一下spinnaker jenkins等应用的集成!

阅读 1.2k

19 声望
5 粉丝
0 条评论
19 声望
5 粉丝
文章目录
宣传栏