「Kubernetes」- Deploying an LDAP service

Problem description

This note records how to deploy an LDAP service in a Kubernetes cluster, together with the problems we hit along the way and how we resolved them.

Solution

Existing integration options

Create An OpenLDAP server with Bitnami Containers on Kubernetes
1) Deployed from plain manifest files

Openldap Helm Chart | Datree
1) Deployed via Helm;
2) Only the OpenLDAP service; no companion tools (phpLDAPadmin and the like) are bundled

stable/openldap · 9edd2edd2ca07e3d77f4d4f144e51421ac240182 · Lennart Nordgreen / helm-charts · GitLab
1) Deployed via Helm;
2) Only the OpenLDAP service; no companion tools (phpLDAPadmin and the like) are bundled

Helm install openldap and phpldapadmin to manage LDAP objects within Kubernetes (K8S)
1) Deployed via Helm;
2) OpenLDAP and phpLDAPadmin are deployed as two separate releases

openldap 2.0.4 · jp-gouin/helm-openldap
GitHub – jp-gouin/helm-openldap: Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
1) Deployed via Helm;
2) Bundles the phpLDAPadmin and Ltb-Passwd components

Our deployment

openldap 2.0.4 · jp-gouin/helm-openldap
GitHub – jp-gouin/helm-openldap: Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd

# helm repo add helm-openldap https://jp-gouin.github.io/helm-openldap/

# helm pull helm-openldap/openldap-stack-ha
# helm show values ./openldap-stack-ha-3.0.1.tgz > openldap-stack-ha-3.0.1.helm-values.yaml

# vim openldap-stack-ha-3.0.1.helm-values.yaml                                 # set the LDAP domain and the admin/config passwords here; keep this file out of version control

# helm install sldapd                                                          \
    --namespace infra-aaa --create-namespace                                   \
    ./openldap-stack-ha-3.0.1.tgz -f openldap-stack-ha-3.0.1.helm-values.yaml # the release name becomes the Service name; see the naming note at the end

# helm --namespace infra-aaa                                                   \
    upgrade sldapd ./openldap-stack-ha-3.0.1.tgz                               \
    -f openldap-stack-ha-3.0.1.helm-values.yaml

...
OpenLDAP-Stack-HA has been installed. You can access the server from within the k8s cluster using:

  sldapd.infra-aaa.svc.cluster.local:389
  
  Or
  
  sldapd.infra-aaa.svc.cluster.local:636


You can access the LDAP adminPassword and configPassword using:

  kubectl get secret --namespace infra-aaa sldapd -o jsonpath="{.data.LDAP_ADMIN_PASSWORD}" | base64 --decode; echo
  kubectl get secret --namespace infra-aaa sldapd -o jsonpath="{.data.LDAP_CONFIG_PASSWORD}" | base64 --decode; echo


You can access the LDAP service, from within the cluster (or with kubectl port-forward) with a command like (replace password and domain):
  ldapsearch -x -H ldap://sldapd.infra-aaa.svc.cluster.local:389 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w $LDAP_ADMIN_PASSWORD
...

On the HTTPS certificate for phpLDAPadmin:
1) Reading the chart source shows that HTTPS is configured through the ingress.tls value of the phpLDAPadmin component. As Helm charts conventionally do, it is passed through to the Ingress in the standard form (a secretName referring to a kubernetes.io/tls Secret plus the hosts it covers), so the certificate Secret must exist in the same namespace before the Ingress can terminate TLS;

On the Service name:
1) We first installed with helm install ldap …, after which slapd failed to start with daemon: listen URL "…" parse error=5;
2) Searching for the error led to Crashes due to invalid URL when Nodeport is pointing at pod · Issue #457 · osixia/docker-openldap. The cause is Kubernetes' service-link environment variables: for every Service in the namespace the kubelet injects <SERVICE_NAME>_PORT=tcp://<ClusterIP>:<port> (name upper-cased, '-' turned into '_'), so a release named ldap creates a Service named ldap and the container starts with LDAP_PORT=tcp://<ClusterIP>:389 instead of the numeric port the osixia image uses to build slapd's listen URL;
3) We therefore renamed the release so that the Service no longer shares a prefix with the image's own variables: helm install sldapd …. Setting enableServiceLinks: false on the pod spec would also stop the injection, but only if the chart exposes that field.
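To catch this class of collision before running helm install, here is an added example (my own script, not code from the page or from the helm-openldap chart) that reproduces how Kubernetes derives the injected variable names from a Service name and compares them with the variable names the container already uses. The list of osixia/openldap variables below is constructed from the image's documented settings rather than dumped from a pod; in real use replace it with the output of `kubectl exec <pod> -- env | cut -d= -f1`.

```shell
#!/bin/sh
# Added example, not code from the page or from the helm-openldap chart.
# Predict the environment variables Kubernetes injects into pods for a given
# Service name, and check them against the variables a container relies on.
# This is the collision behind the `listen URL ... parse error` above: a
# Service named "ldap" yields LDAP_PORT=tcp://<ClusterIP>:389.

# Kubernetes turns the Service name into an env-var prefix:
# upper-case, with '-' replaced by '_'.
k8s_service_env_prefix() {
    printf '%s' "$1" | tr 'a-z-' 'A-Z_'
}

# Names of the variables injected for Service $1 exposing TCP ports $2..$N
# (the documented set for unnamed ports, one name per line; named ports add
# further <PREFIX>_SERVICE_PORT_<PORTNAME> variables that are not modelled).
k8s_service_env_vars() {
    prefix=$(k8s_service_env_prefix "$1")
    shift
    printf '%s\n' "${prefix}_SERVICE_HOST" "${prefix}_SERVICE_PORT" "${prefix}_PORT"
    for port in "$@"; do
        printf '%s\n' \
            "${prefix}_PORT_${port}_TCP" \
            "${prefix}_PORT_${port}_TCP_PROTO" \
            "${prefix}_PORT_${port}_TCP_PORT" \
            "${prefix}_PORT_${port}_TCP_ADDR"
    done
}

# Print every injected variable that also appears in the container's own
# environment. $1 = Service name, $2 = space-separated ports,
# $3 = newline-separated env-var names (in practice taken from
#   kubectl exec <pod> -- env | cut -d= -f1   on a pod of the current release).
service_env_collisions() {
    svc=$1
    ports=$2
    container_vars=$3
    # word splitting of $ports is intended
    k8s_service_env_vars "$svc" $ports | while read -r name; do
        if printf '%s\n' "$container_vars" | grep -qxF "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample: variable names the osixia/openldap image reads at
# startup, assumed from its documentation rather than dumped from a real pod.
OSIXIA_LDAP_ENV='LDAP_ORGANISATION
LDAP_DOMAIN
LDAP_ADMIN_PASSWORD
LDAP_CONFIG_PASSWORD
LDAP_TLS
LDAP_PORT
LDAPS_PORT'

# Compare the two release names used in this note.
for release in ldap sldapd; do
    hits=$(service_env_collisions "$release" "389 636" "$OSIXIA_LDAP_ENV")
    if [ -n "$hits" ]; then
        echo "release '$release': collides with container env: $hits"
    else
        echo "release '$release': no collision"
    fi
done
```

Run as written it reports LDAP_PORT for a release named ldap and nothing for sldapd. The same check applies to any image whose configuration variables begin with the Service's upper-cased name (REDIS_PORT, POSTGRES_PORT and similar), which is why choosing a release name that does not match the software's own variable prefix is the simplest fix.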