fnux-playground: add TLS and replication to openldap chart

This commit is contained in:
fnux 2021-08-02 18:08:56 +02:00
parent 2723af1a8e
commit 54fa93a422
No known key found for this signature in database
GPG key ID: 4502C902C00A1E12
6 changed files with 47 additions and 22 deletions

View file

@ -9,6 +9,9 @@ image](https://github.com/osixia/docker-openldap). A TLS certificate is
automatically generated via Let'sEncrypt, but renewal is not handled yet.
TODO: handle TLS certificate renewal.
NOTE: replication with the osixia image is somewhat broken, see:
https://github.com/osixia/docker-openldap/issues/203
-> Worked around the issue with https://github.com/ungleich/docker-openldap/commit/3c7c9ece1e67bce0bfe1fdb66a63f5c8c59359f4
```
kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet

View file

@ -1,6 +0,0 @@
clusterDomain: "c1.k8s.ooo"
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
ldapLogLevel: "256"
ldapOrganisation: "ungleich glarus ag"
ldapDomain: "ungleich.ch"

View file

@ -0,0 +1,10 @@
clusterDomain: "c1.k8s.ooo"
ldap:
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
logLevel: "256"
oganisation: "ungleich glarus ag"
domain: "ungleich.ch"
adminPasswordSecretRef: "ldap-openldap"
enableReplication: "true"
replicationHosts: "#PYTHON2BASH:['ldaps://ldap1.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}','ldaps://ldap2.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}']"

View file

@ -21,4 +21,4 @@ version: 0.1.0
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.5.0"
appVersion: "1.5.0-serverid-hostname-fallback-2"

View file

@ -30,8 +30,8 @@ spec:
mountPath: /etc/letsencrypt
containers:
- name: "openldap"
image: "osixia/openldap:{{ .Chart.AppVersion }}"
args: ["--loglevel", "debug"]
image: "ungleich/openldap:{{ .Chart.AppVersion }}"
args: ["--loglevel", "trace"]
ports:
- name: ldap
containerPort: 389
@ -53,16 +53,21 @@ spec:
- name: HOSTNAME
value: "{{ tpl .Values.fqdn . }}"
- name: LDAP_LOG_LEVEL
value: "{{ tpl .Values.ldapLogLevel . }}"
value: "{{ tpl .Values.ldap.logLevel . }}"
- name: LDAP_ORGANISATION
value: "{{ tpl .Values.ldapOrganisation . }}"
value: "{{ tpl .Values.ldap.organisation . }}"
- name: LDAP_DOMAIN
value: "{{ tpl .Values.ldapDomain . }}"
value: "{{ tpl .Values.ldap.domain . }}"
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
- name: LDAP_CONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ tpl .Values.ldap.adminPasswordSecretRef . }}"
key: "{{ tpl .Values.ldap.adminPasswordSecretKey . }}"
- name: LDAP_TLS_CRT_FILENAME
value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
- name: LDAP_TLS_KEY_FILENAME
@ -71,6 +76,14 @@ spec:
value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
- name: LDAP_TLS_VERIFY_CLIENT
value: "try"
- name: LDAP_REPLICATION
value: "{{ .Values.ldap.enableReplication }}"
- name: LDAP_REPLICATION_HOSTS
value: "{{ tpl .Values.ldap.replicationHosts . }}"
- name: LDAP_REPLICATION_CONFIG_SYNCPROV
value: "{{ tpl .Values.ldap.replicationConfigSyncprov . }}"
- name: LDAP_REPLICATION_DB_SYNCPROV
value: "{{ tpl .Values.ldap.replicationDbSyncprov . }}"
volumeMounts:
- name: "{{ tpl .Values.identifier . }}-openldap-data"
mountPath: "/etc/ldap/slapd.d"
@ -111,7 +124,7 @@ spec:
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.letsencryptEmail }}"
{{ if eq .Values.letsencryptStaging "no" }}
{{ if not .Values.letsencryptStaging }}
- name: STAGING
value: "no"
{{ end }}

View file

@ -2,13 +2,18 @@ clusterDomain: "c1.k8s.ooo"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
identifier: "{{ .Release.Name }}"
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
ldapLogLevel: "256"
ldapOrganisation: "ungleich glarus ag"
ldapDomain: "{{ tpl .Values.fqdn . }}"
ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
ldap:
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
logLevel: "256"
organisation: "ungleich glarus ag"
domain: "{{ tpl .Values.fqdn . }}"
adminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
adminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
enableReplication: false
replicationHosts: ""
replicationConfigSyncprov: 'binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=no'
replicationDbSyncprov: 'binddn=\"cn=admin,$$LDAP_BASE_DN\" bindmethod=simple credentials=$$LDAP_ADMIN_PASSWORD searchbase=\"$$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=no'
# TLS certificate generation.
letsencryptEmail: "technik@ungleich.ch"
letsencryptStaging: "no"
letsencryptStaging: false