1. Notes
This project requires the image bitnami/openldap:2.6.
2. Importing the configuration
OpenLDAP needs some initial configuration before it can work.
2.1. Create the shared configuration
We create a shared ConfigMap that the rest of the system consumes.
apiVersion: v1
kind: ConfigMap
metadata:
  name: conf-ldap
  namespace: core-system
  labels:
    app: ldap
  annotations: (1)
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
data:
  LDAP_DOMAIN: 'cluster.local'
  LDAP_HOST: 'svc-ldap.core-system.svc.cluster.local'
  LDAP_URL: 'ldap://svc-ldap.core-system.svc.cluster.local:389'
  LDAP_ADDRESS_PORT: 'svc-ldap.core-system.svc.cluster.local:389'
  LDAP_BASE_DN: 'dc=cluster,dc=local'
  LDAP_USERS_DN: 'ou=people,dc=cluster,dc=local'
  LDAP_GROUPS_DN: 'ou=groups,dc=cluster,dc=local'
  LDAP_BIND_DN: 'cn=service-account,dc=cluster,dc=local'
Where:
1 | Copies this ConfigMap into each of the listed namespaces (done by reflector) |
2.2. Create the Secrets
Before deploying OpenLDAP, configure the administrator password and the password of the shared (bind) user.
apiVersion: v1
kind: Secret
metadata:
  name: secret-ldap-admin
  namespace: core-system
  labels:
    app: ldap
type: Opaque
stringData:
  LDAP_ADMIN_DN: 'cn=admin,dc=cluster,dc=local'
  LDAP_ADMIN_USERNAME: 'admin'
  LDAP_ADMIN_PASSWORD: 'admin' (1)
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-ldap-service
  namespace: core-system
  labels:
    app: ldap
  annotations: (2)
    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system,default,core-system,core-middleware,core-app,share-app,monitor-app,dev-ops"
type: Opaque
stringData:
  LDAP_BIND_DN_PASSWORD: 'service-account' (3)
Where:
1 | Administrator password; set it to a strong value |
2 | Replicates the shared bind-user Secret into the listed namespaces |
3 | Password of the read-only bind user |
Production deployments must change both passwords to strong values! Keep in mind as well that reflection copies the bind password into every namespace in the list, so anyone who can read Secrets in any of them (including default) obtains it; limit the list to the namespaces that actually consume LDAP.
3. Deploying OpenLDAP
3.1. Create persistent storage
OpenLDAP needs to persist its data. Create the claim with the YAML below; note that it uses the StorageClass created in the earlier tutorial.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-ldap
  namespace: core-system
  labels:
    app: ldap
spec:
  storageClassName: 'sc-nfs-share'
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
3.2. Import the initialisation configuration
Initialise the LDAP server with the configuration below. It does the following:
- enables the memberOf overlay (together with refint, which keeps member references consistent when entries are renamed or deleted)
- creates the service (bind) account
- creates the roles (groups) that this series of documents relies on
The bootstrap.sh script runs in an init container and replaces the <_..._> placeholders with {SSHA} hashes produced by slappasswd, so the LDIF handed to the image never contains a cleartext password. Two caveats: slappasswd -s takes the password on its command line, which is visible in the process list inside the container while it runs, and a password containing |, & or \ breaks the sed substitution, so avoid those characters or adapt the script. Note also that the image configures cn=admin,dc=cluster,dc=local (LDAP_ADMIN_USERNAME under LDAP_ROOT) as the directory's rootdn, while 02-users-admin.ldif creates a separate application user uid=admin,ou=people with the same password; applications should bind as entries under ou=people, never as the rootdn, which bypasses every ACL. LDIF entries must be separated by a blank line, and non-ASCII values must be written in the base64 form (attr:: value).
apiVersion: v1
kind: ConfigMap
metadata:
  name: conf-ldap-schema
  namespace: core-system
  labels:
    app: ldap
data:
  bootstrap.sh: |
    #!/usr/bin/env bash
    # Runs in the init container: renders the LDIF templates from /bootstrap into the
    # /workspace volume shared with the main container, replacing the password
    # placeholders with {SSHA} hashes so no cleartext password is written to disk.
    set -e
    SRC_PATH=/bootstrap
    DIST_PATH=/workspace
    mkdir -p "$DIST_PATH" "$DIST_PATH/custom"
    for ldif_path in $(cd "$SRC_PATH" ; ls *.ldif) ;do
      sed \
        -e "s|<_BIND_DN_PASSWORD_>|$(slappasswd -h {SSHA} -s "${LDAP_BIND_DN_PASSWORD}")|g" \
        -e "s|<_ADMIN_PASSWORD_>|$(slappasswd -h {SSHA} -s "${LDAP_ADMIN_PASSWORD}")|g" \
        "$SRC_PATH/$ldif_path" > "$DIST_PATH/$ldif_path"
    done
    # schema.ldif targets cn=config (LDAP_CUSTOM_SCHEMA_FILE); everything else
    # populates the tree from LDAP_CUSTOM_LDIF_DIR.
    mv "$DIST_PATH"/*.ldif "$DIST_PATH/custom/"
    mv "$DIST_PATH/custom/schema.ldif" "$DIST_PATH/schema.ldif"
    exit 0
  schema.ldif: |
    dn: cn=module,cn=config
    cn: module
    objectClass: olcModuleList
    olcModulePath: /opt/bitnami/openldap/lib/openldap
    olcModuleLoad: memberof.so
    olcModuleLoad: refint.so

    dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    olcOverlay: memberof

    dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
    objectClass: olcConfig
    objectClass: olcOverlayConfig
    objectClass: olcRefintConfig
    objectClass: top
    olcOverlay: refint
    olcRefintAttribute: memberof member manager owner
  01-top.ldif: |
    dn: dc=cluster,dc=local
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: cluster local
    dc: cluster

    dn: ou=people,dc=cluster,dc=local
    objectClass: organizationalUnit
    description: User accounts of the LDAP directory
    ou: people

    dn: ou=groups,dc=cluster,dc=local
    objectClass: organizationalUnit
    description: Role groups of the cluster
    ou: groups

    dn: cn=service-account,dc=cluster,dc=local
    cn: service-account
    description: Bind DN account, used to query the LDAP server
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    userPassword: <_BIND_DN_PASSWORD_>
  02-users-admin.ldif: |
    dn: uid=admin,ou=people,dc=cluster,dc=local
    cn: admin
    sn: admin
    uid: admin
    description: Default administrator user created automatically by the system
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    mail: admin@cluster.local
    userPassword: <_ADMIN_PASSWORD_>
  03-cluster-groups.ldif: |
    dn: cn=oci,ou=groups,dc=cluster,dc=local
    cn: oci
    description: Image (OCI registry) operator role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames

    dn: cn=admin,ou=groups,dc=cluster,dc=local
    cn: admin
    description: Administrator role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames

    dn: cn=develop,ou=groups,dc=cluster,dc=local
    cn: develop
    description: Project developer role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames

    dn: cn=library,ou=groups,dc=cluster,dc=local
    cn: library
    description: Dependency library uploader role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames

    dn: cn=package,ou=groups,dc=cluster,dc=local
    cn: package
    description: Software package uploader role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames

    dn: cn=monitor,ou=groups,dc=cluster,dc=local
    cn: monitor
    description: Cluster monitoring administrator role
    member: uid=admin,ou=people,dc=cluster,dc=local
    objectClass: groupOfNames
3.3. Deploy the OpenLDAP service
The LDAP service can now be deployed; apply the configuration below. The init container renders the LDIF templates into an emptyDir that it shares with the main container, so only the {SSHA} hashes, never the cleartext passwords, are written to that volume. Check two things before applying it: svc-ldap-lb publishes plain LDAP on port 389 outside the cluster through MetalLB, and a simple bind sends the password in cleartext, so either drop that Service, restrict who can reach it, or enable TLS in the image (LDAP_ENABLE_TLS together with the certificate variables; the image then also listens on 1636) before anything outside the cluster binds to it.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ldap
  name: svc-ldap
  namespace: core-system
spec:
  ports:
    - port: 389
      targetPort: 1389
  selector:
    app: ldap
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: sts-ldap
  namespace: core-system
  labels:
    app: ldap
spec:
  serviceName: svc-ldap
  selector:
    matchLabels:
      app: ldap
  replicas: 1
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap-core
          image: docker.io/bitnami/openldap:2.6
          volumeMounts:
            - name: ldap-data
              mountPath: /bitnami/openldap
            - name: ldap-workspace
              mountPath: /workspace
          ports:
            - containerPort: 1389
              name: openldap
          envFrom:
            - secretRef:
                name: secret-ldap-admin
            - secretRef:
                name: secret-ldap-service
          env:
            - name: LDAP_ROOT
              valueFrom:
                configMapKeyRef:
                  key: LDAP_BASE_DN
                  name: conf-ldap
            - name: LDAP_ALLOW_ANON_BINDING
              value: "no"
            - name: LDAP_SKIP_DEFAULT_TREE
              value: "yes"
            - name: LDAP_CUSTOM_SCHEMA_FILE
              value: "/workspace/schema.ldif"
            - name: LDAP_CUSTOM_LDIF_DIR
              value: "/workspace/custom"
      initContainers:
        - name: ldap-pre
          image: docker.io/bitnami/openldap:2.6
          envFrom:
            - secretRef:
                name: secret-ldap-admin
            - secretRef:
                name: secret-ldap-service
          command:
            - bash
            - /bootstrap/bootstrap.sh
          volumeMounts:
            - mountPath: /workspace
              name: ldap-workspace
            - mountPath: /bootstrap
              name: ldap-schema
      volumes:
        - name: ldap-data
          persistentVolumeClaim:
            claimName: pvc-ldap
        - name: ldap-schema
          configMap:
            name: conf-ldap-schema
        - name: ldap-workspace
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: ldap
  name: svc-ldap-lb
  namespace: core-system
  annotations:
    metallb.universe.tf/allow-shared-ip: "private-ip-share"
spec:
  ports:
    - port: 389
      targetPort: 1389
  selector:
    app: ldap
  type: LoadBalancer
4. Verification
After the deployment finishes, run the following commands to verify it.
# check that the shared configuration was reflected into the default namespace
kubectl get configmap/conf-ldap secret/secret-ldap-service -n default
kubectl get secrets,configmaps -n core-system
kubectl get pods,service -n core-system
If every Pod is Running and has not restarted repeatedly, the deployment is fine.
5. Going further
LDAP can be tested with curl:
curl --user "$LDAP_BIND_DN:$LDAP_PASS" "ldap://$LDAP_HOST/$LDAP_BASE?uid?one?$LDAP_USER_FILTER"
Quote the URL so the shell does not expand the ? characters and the parentheses of the filter. With scope one, $LDAP_BASE must be the OU the users live in (ou=people,dc=cluster,dc=local); searching one level below dc=cluster,dc=local only returns the two OUs and the service account, so a user lookup comes back empty.
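curl addresses the directory with an RFC 4516 LDAP URL, ldap://host[:port]/base?attrs?scope?filter, and silently returns nothing when the scope does not reach the entries you expect. The added example below (my code, not curl's or OpenLDAP's; Python standard library only) parses such a URL, converts it into the equivalent ldapsearch call with a simple bind and a password prompt, and checks whether a given base and scope can return an entry at a given DN, using the DNs from this page. The function names are mine.

```python
"""Work with the RFC 4516 LDAP URL form that curl accepts: ldap://host[:port]/base?attrs?scope?filter.
Added example for this tutorial; not code from curl or OpenLDAP. Standard library only."""
import shlex
from urllib.parse import unquote, urlsplit

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}  # RFC 4516 scope keywords

def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into its parts, percent-decoding each field separately."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit keeps everything after the first '?' in .query; the RFC fields are '?'-separated,
    # so split before decoding, otherwise an encoded '?' (%3F) inside the filter would shift them.
    fields = u.query.split("?") + ["", "", ""]
    attrs, scope, filt = (unquote(f) for f in fields[:3])
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base": unquote(u.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope],
        "filter": filt or "(objectClass=*)",  # the RFC default when the filter is omitted
    }

def _rdns(dn: str) -> list:
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def reaches(base: str, scope: str, target_dn: str) -> bool:
    """Can a search with this base and scope return the entry at target_dn?
    base: only the base entry; one: its direct children; sub: the whole subtree."""
    b, t = _rdns(base), _rdns(target_dn)
    if b and t[-len(b):] != b:
        return False  # target is not under the base at all
    depth = len(t) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]

def ldapsearch_command(url: str, bind_dn: str) -> str:
    """The ldapsearch equivalent of `curl --user bind_dn:pw url`: -x for a simple bind
    (ldapsearch defaults to SASL) and -W to prompt, keeping the password off the command line."""
    p = parse_ldap_url(url)
    args = ["ldapsearch", "-x", "-LLL", "-H", f"{p['scheme']}://{p['host']}:{p['port']}",
            "-D", bind_dn, "-W", "-b", p["base"], "-s", p["scope"], p["filter"], *p["attrs"]]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    # The page's ConfigMap values: with scope 'one' from the base DN the user is not reached.
    url = "ldap://svc-ldap.core-system.svc.cluster.local/dc=cluster,dc=local?uid?one?(uid=admin)"
    p = parse_ldap_url(url)
    print(ldapsearch_command(url, "cn=service-account,dc=cluster,dc=local"))
    print("reaches admin:", reaches(p["base"], p["scope"], "uid=admin,ou=people,dc=cluster,dc=local"))
```

ldapsearch_command() deliberately emits -W rather than -w so the bind password is typed at a prompt instead of ending up in shell history and the process list; the same consideration applies to the curl form, where --user puts it on the command line.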
If LDAP gets into a bad state, the directory can be wiped quickly with the following commands. This destroys all directory data; the StatefulSet recreates the Pod and the image re-initialises the directory from the LDIFs.
kubectl exec -it -n core-system pods/sts-ldap-0 -- rm -rf '/bitnami/openldap/data' '/bitnami/openldap/slapd.d'
kubectl delete -n core-system pods/sts-ldap-0