Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-k8s

This commit is contained in:
Nico Schottelius 2021-08-02 18:01:09 +02:00
commit ff130f831e
6 changed files with 105 additions and 9 deletions

View File

@ -5,10 +5,14 @@ Tests made by Timothée for ungleich.
## OpenLDAP
Simple chart based on [Osixia's OpenLDAP
image](https://github.com/osixia/docker-openldap).
image](https://github.com/osixia/docker-openldap). A TLS certificate is
automatically generated via Let'sEncrypt, but renewal is not handled yet.
TODO: handle TLS certificate renewal.
```
helm install ldap1 ./openldap
kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet
helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml
```
## Matrix Synapse

View File

@ -0,0 +1,6 @@
clusterDomain: "c1.k8s.ooo"
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
ldapLogLevel: "256"
ldapOrganisation: "ungleich glarus ag"
ldapDomain: "ungleich.ch"

View File

@ -6,6 +6,10 @@ metadata:
app: openldap
spec:
replicas: 1
strategy:
# Delete old pod before starting the new one - slapd doesn't react well
# with two instances hitting the same database.
type: "Recreate"
selector:
matchLabels:
app: "{{ tpl .Values.identifier . }}-openldap"
@ -14,10 +18,20 @@ spec:
labels:
app: "{{ tpl .Values.identifier . }}-openldap"
spec:
initContainers:
- name: wait-for-cert
image: busybox
command:
- "sh"
- "-c"
- "until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done"
volumeMounts:
- name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
mountPath: /etc/letsencrypt
containers:
- name: "openldap"
image: "osixia/openldap:{{ .Chart.AppVersion }}"
args: ["--loglevel", "info"]
args: ["--loglevel", "debug"]
ports:
- name: ldap
containerPort: 389
@ -47,8 +61,16 @@ spec:
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ tpl .Values.identifier . }}-openldap"
key: LDAP_ADMIN_PASSWORD
name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}"
key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}"
- name: LDAP_TLS_CRT_FILENAME
value: "live/{{ tpl .Values.fqdn . }}/cert.pem"
- name: LDAP_TLS_KEY_FILENAME
value: "live/{{ tpl .Values.fqdn . }}/privkey.pem"
- name: LDAP_TLS_CA_CRT_FILENAME
value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem"
- name: LDAP_TLS_VERIFY_CLIENT
value: "try"
volumeMounts:
- name: "{{ tpl .Values.identifier . }}-openldap-data"
mountPath: "/etc/ldap/slapd.d"
@ -56,10 +78,48 @@ spec:
- name: "{{ tpl .Values.identifier . }}-openldap-data"
mountPath: "/var/lib/ldap"
subPath: database
- name: "{{ tpl .Values.identifier . }}-openldap-data"
- name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
mountPath: /container/service/slapd/assets/certs
subPath: certs
volumes:
- name: "{{ tpl .Values.identifier . }}-openldap-data"
persistentVolumeClaim:
claimName: "{{ tpl .Values.identifier . }}-openldap-data"
- name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ tpl .Values.identifier . }}-getcert
spec:
template:
metadata:
labels:
app: {{ tpl .Values.identifier . }}-openldap
spec:
restartPolicy: Never
containers:
- name: certbot
image: ungleich/ungleich-certbot
ports:
- containerPort: 80
env:
- name: ONLYGETCERT
value: "yes"
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.letsencryptEmail }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
mountPath: /etc/letsencrypt
volumes:
- name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
backoffLimit: 3

View File

@ -4,8 +4,22 @@ metadata:
name: "{{ tpl .Values.identifier . }}-openldap-data"
spec:
accessModes:
- ReadWriteMany
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "{{ tpl .Values.identifier . }}-letsencrypt-certs"
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs

View File

@ -1,13 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: "{{ tpl .Values.identifier . }}"
name: "{{ .Release.Name }}"
labels:
app: openldap
spec:
type: ClusterIP
selector:
app: "{{ tpl .Values.identifier . }}-openldap"
ports:
- port: 389
name: ldap
- port: 636
name: ldaps
# Required for TLS certificate generation via LetsEncrypt.
- port: 80
name: http

View File

@ -2,6 +2,13 @@ clusterDomain: "c1.k8s.ooo"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
identifier: "{{ .Release.Name }}"
# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2;
ldapLogLevel: "256"
ldapOrganisation: "ungleich glarus ag"
ldapDomain: "{{ tpl .Values.fqdn . }}"
ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap"
ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD"
# TLS certificate generation.
letsencryptEmail: "technik@ungleich.ch"
letsencryptStaging: "no"