Running OpenLDAP in K8s

1. Introduction

Normally we follow the one-machine-one-role principle and run OpenLDAP on a server of its own, but the resources it actually uses amount to a few hundred megabytes or less, so most of that server is wasted, and one more server also means more management overhead. Running OpenLDAP in a k8s container solves this problem neatly.

2. Deploying the OpenLDAP container service

2.1 Create the PVCs

[ec2-user@ip- ldap]$ cat openldap-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-data-pvc
  namespace: ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-config-pvc
  namespace: ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs

[ec2-user@ip- ldap]$ kubectl apply -f openldap-pvc.yaml

A storageClassName (storage class) is used here; create one as documented by your cloud provider, or set up your own.

2.2 Create the Deployment

[ec2-user@ip- ldap]$ cat openldap-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: ops
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: 认证中心
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          env:
            - name: LDAP_ORGANISATION
              value: admin
            - name: LDAP_DOMAIN
              value: default.com
            # Literal values here are readable by anyone who can view the
            # manifest or the Pod spec (kubectl get pod -o yaml).
            - name: LDAP_ADMIN_PASSWORD
              value: 6&g0hbSRZJovaqjsA
            - name: LDAP_CONFIG_PASSWORD
              value: C!DUwyUFZqqQj2&!
            - name: LDAP_BACKEND
              value: mdb
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config-pvc
              mountPath: /etc/ldap/slapd.d
            - name: ldap-data-pvc
              mountPath: /var/lib/ldap
      volumes:
        - name: ldap-config-pvc
          persistentVolumeClaim:
            claimName: openldap-config-pvc
        - name: ldap-data-pvc
          persistentVolumeClaim:
            claimName: openldap-data-pvc

[ec2-user@ip- ldap]$ kubectl apply -f openldap-deployment.yaml

The image osixia/openldap:1.5.0 used here corresponds to OpenLDAP slapd 2.4.57.
Also note that the parameters configured under env (domain and passwords) are sample values and must be changed before applying.
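As an added example that is not part of the original post, the same Deployment with the two passwords moved out of the manifest into a Kubernetes Secret; the Secret name openldap-secret is an assumption and both values are placeholders.

```yaml
# Added example (not from the original post): store the LDAP passwords
# in a Secret instead of literal env values. "openldap-secret" is an
# assumed name; the two values are placeholders to replace.
apiVersion: v1
kind: Secret
metadata:
  name: openldap-secret
  namespace: ops
type: Opaque
stringData:
  LDAP_ADMIN_PASSWORD: REPLACE-WITH-ADMIN-PASSWORD
  LDAP_CONFIG_PASSWORD: REPLACE-WITH-CONFIG-PASSWORD
---
# Deployment from 2.2 with only the env block changed; the remaining env
# entries, ports, resources and volume mounts stay as in 2.2.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: ops
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          env:
            - name: LDAP_ORGANISATION
              value: admin
            - name: LDAP_DOMAIN
              value: default.com
            # Each Secret key is injected under the env var name the image expects
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-secret
                  key: LDAP_ADMIN_PASSWORD
            - name: LDAP_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-secret
                  key: LDAP_CONFIG_PASSWORD
```

With this layout the passwords no longer appear in the Deployment object, and read access to the Secret can be restricted separately with RBAC.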

2.3 Create the Service

[ec2-user@ip- ldap]$ cat openldap-svc.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    # 0.0.0.0/0 allows every source address; narrow it to the CIDRs that need LDAP access
    service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0
  name: openldap-svc
  namespace: ops
  labels:
    app: openldap-svc
spec:
  ports:
    - name: tcp-389
      port: 389
      protocol: TCP
      targetPort: 389
    - name: tcp-636
      port: 636
      protocol: TCP
      targetPort: 636
  selector:
    app: openldap

[ec2-user@ip- ldap]$ kubectl apply -f openldap-svc.yaml

service.beta.kubernetes.io/load-balancer-source-ranges is the allow-list configuration for Network Load Balancer resources on AWS; see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/annotations/#access-control

At this point the openldap service is deployed. Next we deploy the phpldapadmin web page to manage openldap; if you use a desktop LDAP management client instead, you can skip the steps below.

3. Deploying phpldapadmin to manage OpenLDAP

3.1 Create the phpldapadmin Deployment and Service

[ec2-user@ip- ldap]$ cat openldap-phpldapadmin.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ldap-phpldapadmin
  namespace: ops
  labels:
    app: ldap-phpldapadmin
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: LDAP在线工具
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-phpldapadmin
  template:
    metadata:
      labels:
        app: ldap-phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: 'osixia/phpldapadmin:stable'
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          env:
            - name: PHPLDAPADMIN_HTTPS
              value: 'false'
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: openldap-svc
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: ldap-phpldapadmin-svc
  namespace: ops
  labels:
    app: ldap-phpldapadmin-svc
spec:
  ports:
    - name: tcp-80
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: ldap-phpldapadmin

[ec2-user@ip- ldap]$ kubectl apply -f openldap-phpldapadmin.yaml

3.2 Create the Ingress proxy

[ec2-user@ip- ldap]$ cat phpldapadmin-ingress.yaml
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # 0.0.0.0/0 admits every client address; restrict to the admin network that needs the web UI
    nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
  name: phpldap
  namespace: ops
spec:
  rules:
    - host: phpldap.xxx.xxx
      http:
        paths:
          - backend:
              serviceName: ldap-phpldapadmin-svc
              servicePort: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - phpldap.xxx.xxx
      secretName: xxx.xxx-20220322-20230322-https

[ec2-user@ip- ldap]$ kubectl apply -f phpldapadmin-ingress.yaml

3.3 Access phpldapadmin

Login DN: cn=admin,dc=xxx,dc=com
Password: the LDAP_ADMIN_PASSWORD value from the environment variables

[Image 1]

Once logged in, openldap can be managed through the web page.

[Image 2]

There was a small hiccup at login: the LDAP password I set above contained special characters, and authentication failed on the web login, although I could log in through an LDAP client tool. After I replaced the special character & in the LDAP password, the login went through.
