osixia/openldap - 在配置 helm chart 以设置挂载时遇到问题

Posted

技术标签:

【中文标题】osixia/openldap - 在配置 helm chart 以设置挂载时遇到问题【英文标题】:osixia/openldap - having trouble configuring helm chart to set mounts 【发布时间】:2021-12-03 04:02:30 【问题描述】:

感谢您在高级方面的帮助,因为我是新手,我的问题可能有点绿色。

所以在工作中,我的任务是让 openldap 通过 helm 部署使用 TLS。我们目前正在使用 osxia/openldap。因此,与其在工作中破坏东西 (389) 正在工作,我宁愿不打扰它。

另一个,所以!我决定在家里启动一个 k3s 集群并模仿我们正在做的事情。很明显,我们在工作中使用了实际的 CA,我懒得弄乱 let Encrypt。我推出了我自己的通配符证书,我正在通过 cert-manager 用于入口,这似乎工作得很好。然后我决定在 openldap 上为 TLS 使用相同的证书,因为我认为这对于家庭实验室来说是可以接受的,看看我是否可以让它工作。

我一直在寻找数字桶的底部,试图找出为什么 helm 图表中的参数/参数没有设置 kubernetes 证书。我尝试设置 customTLS: 和 tls: 参数,但系统仍然忽略它并设置它自己的证书。

除此之外,我还尝试设置卷挂载以将证书以这种方式放入 pod,而 Volumes: 和 extraVolumeMounts: 似乎被忽略了。所以,我确信我在某处遗漏了一部分。有人通过 helm 配置 TLS 吗?

这是我的 yaml 文件..

# Default values for openldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

# Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
# It prevents from merging with existing map keys which are forbidden.
strategy: 
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
  #   maxUnavailable: 0
  #
  # or
  #
  # type: Recreate
  # rollingUpdate: null
image:
  # From repository https://github.com/osixia/docker-openldap
  repository: osixia/openldap
  tag: 1.5.0
  pullPolicy: IfNotPresent


# Spcifies an existing secret to be used for admin and config user passwords
existingSecret: ""

customTLS:
  enabled: true
  secret: "blaklabz-io-tls"  # The name of a kubernetes.io/tls type secret to use for TLS
  CA:
    enabled: true
    secret: "wildcard.blaklabz.io.crt"  # The name of a generic secret to use for custom CA certificate (ca.crt)

tls:
  enabled: true
  secret: "blaklabz-io-tls"
  CA:
    enabled: true
    secret: "wildcard.blaklabz.io.crt"  

logLevel: debug

## Add additional labels to all resources
extraLabels: 

podAnnotations: 
service:
  annotations: 

  ldapPort: 389
  sslLdapPort: 636
  ## List of IP addresses at which the service is available
  ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
  ##
  externalIPs: []

  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  type: ClusterIP

# Additional volumes to be mounted to pod
extraVolumes: 
  - name: ca-certs
    hostPath:
      path: C:/code/home/helm/k3s/openldap/certs/
      type: DirectoryOrCreate
 
extraVolumeMounts: 
  - name: ca-certs
    readOnly: true
    mountPath: "/container/run/service/slapd/assets/certs/"





# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
  LDAP_ORGANISATION: "Blaklabz"
  LDAP_DOMAIN: "blaklabz.io"
  LDAP_BACKEND: "hdb"
  LDAP_REQCERT: "allow"
  LDAP_BASE_DN: "dc=blaklabz,dc=io"  
    #LDAP_TLS_CRT_FILENAME: "wildcard.blaklabz.io.crt"
    #LDAP_TLS_KEY_FILENAME: "wildcard.blaklabz.io.key"
    # LDAP_TLS_CA_CRT_FILENAME: "wildcard.blaklabz.io.crt"
  LDAP_BASE_DN: "dc=blaklabz,dc=io"
  LDAP_TLS_ENFORCE: "false"
  LDAP_TLS_VERIFY_CLIENT: "never"  
    

# Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
# You can override these at install time with
# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
# adminPassword: admin
# configPassword: config

# Custom openldap configuration files used to override default settings
customLdifFiles:
  01-default-users.ldif: |-
    version: 1
      
    # Entry 3: cn=Administrators,dc=blaklabz,dc=io
    dn: cn=Administrators,dc=blaklabz,dc=io
    cn: Administrators
    member: cn=admin,dc=blaklabz,dc=io
    member: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
    objectclass: groupOfNames
    objectclass: top

    # Entry 4: ou=groups,dc=blaklabz,dc=io
    dn: ou=groups,dc=blaklabz,dc=io
    objectclass: organizationalUnit
    objectclass: top
    ou: groups

    # Entry 5: cn=admin,ou=groups,dc=blaklabz,dc=io
    dn: cn=admin,ou=groups,dc=blaklabz,dc=io
    cn: admin
    gidnumber: 500
    memberuid: watkinst
    memberuid: cwatkins
    objectclass: posixGroup
    objectclass: top
    
    # Entry 6: cn=developers,ou=groups,dc=blaklabz,dc=io
    dn: cn=developers,ou=groups,dc=blaklabz,dc=io
    cn: developers
    gidnumber: 501
    memberuid: 1001
    memberuid: dev
    objectclass: posixGroup
    objectclass: top

    # Entry 8: cn=viewers,ou=groups,dc=blaklabz,dc=io
    dn: cn=viewers,ou=groups,dc=blaklabz,dc=io
    cn: viewers
    gidnumber: 502
    memberuid: viewer
    objectclass: posixGroup
    objectclass: top

    # Entry 9: ou=users,dc=blaklabz,dc=io
    dn: ou=users,dc=blaklabz,dc=io
    objectclass: organizationalUnit
    objectclass: top
    ou: users

    # Entry 10: cn=Christy Watkins,ou=users,dc=blaklabz,dc=io
    dn: cn=Christy Watkins,ou=users,dc=blaklabz,dc=io
    cn: Christy Watkins
    gidnumber: 500
    givenname: Christy
    homedirectory: /home/users/cwatkins
    loginshell: /bin/sh
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Watkins
    uid: cwatkins
    uidnumber: 1004
    
   
    # Entry 11: cn=dev,ou=users,dc=blaklabz,dc=io
    dn: cn=dev,ou=users,dc=blaklabz,dc=io
    cn: dev
    gidnumber: 501
    givenname: Test1
    homedirectory: /home/users/taccount
    loginshell: /bin/sh
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Account
    uid: dev
    uidnumber: 1001
    

    # Entry 12: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
    dn: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
    cn: ldapadmin
    gidnumber: 503
    givenname: ldapadmin
    homedirectory: /home/users/lldapadmin
    loginshell: /bin/sh
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: ldapadmin
    uid: lldapadmin
    uidnumber: 1002
    
    
    # Entry 13: cn=Thomas,ou=users,dc=blaklabz,dc=io
    dn: cn=Thomas,ou=users,dc=blaklabz,dc=io
    cn: Thomas
    gidnumber: 500
    givenname: watkinst
    homedirectory: /home/users/watkinst
    loginshell: /bin/sh
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: Watkins
    uid: watkinst
    uidnumber: 1000
    
    
    # Entry 14: cn=viewer,ou=users,dc=blaklabz,dc=io
    dn: cn=viewer,ou=users,dc=blaklabz,dc=io
    cn: viewer
    gidnumber: 502
    givenname: admin
    homedirectory: /home/users/admin
    loginshell: /bin/sh
    objectclass: inetOrgPerson
    objectclass: posixAccount
    objectclass: top
    sn: admin
    uid: viewer
    uidnumber: 1003
    

      
## Persist data to a persistent volume
persistence:
  enabled: true
  ## database data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  # storageClass: "-"
  accessMode: ReadWriteOnce
  size: 8Gi

resources: 
 # requests:
 #   cpu: "100m"
 #   memory: "256Mi"
 # limits:
 #   cpu: "500m"
 #   memory: "512Mi"

nodeSelector: 

tolerations: []

affinity: 

## test container details
test:
  enabled: false
  image:
    repository: dduportal/bats
    tag: 0.4.0
      #logLevel: info
      #
      #

这是日志..

***  INFO   | 2021-10-14 18:57:21 | openldap GID/UID
***  INFO   | 2021-10-14 18:57:21 | -------------------------------------
***  INFO   | 2021-10-14 18:57:21 | User uid: 911
***  INFO   | 2021-10-14 18:57:21 | User gid: 911
***  INFO   | 2021-10-14 18:57:21 | uid/gid changed: false
***  INFO   | 2021-10-14 18:57:21 | -------------------------------------
***  INFO   | 2021-10-14 18:57:21 | updating file uid/gid ownership
***  INFO   | 2021-10-14 18:57:21 | Start OpenLDAP...
***  INFO   | 2021-10-14 18:57:21 | Waiting for OpenLDAP to start...
***  INFO   | 2021-10-14 18:57:21 | Add TLS config...
***  INFO   | 2021-10-14 18:57:21 | No certificate file and certificate key provided, generate:
***  INFO   | 2021-10-14 18:57:21 | /container/run/service/slapd/assets/certs/ldap.crt and /container/run/servi
ce/slapd/assets/certs/ldap.key
2021/10/14 18:57:21 [INFO] generate received request
2021/10/14 18:57:21 [INFO] received CSR
2021/10/14 18:57:21 [INFO] generating key: ecdsa-384
2021/10/14 18:57:21 [INFO] encoded CSR
2021/10/14 18:57:21 [INFO] signed certificate with serial number 1558723425496628971971287710038808792320609523
27
***  INFO   | 2021-10-14 18:57:21 | Link /container/run/service/:ssl-tools/assets/default-ca/default-ca.pem to
/container/run/service/slapd/assets/certs/ca.crt
***  INFO   | 2021-10-14 18:57:21 | Disable replication config...
***  INFO   | 2021-10-14 18:57:21 | Stop OpenLDAP...
***  INFO   | 2021-10-14 18:57:21 | Configure ldap client TLS configuration...
***  INFO   | 2021-10-14 18:57:21 | Remove config files...
***  INFO   | 2021-10-14 18:57:22 | First start is done...
***  INFO   | 2021-10-14 18:57:22 | Remove file /container/environment/99-default/default.startup.yaml
***  INFO   | 2021-10-14 18:57:22 | Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.yaml

To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
***  INFO   | 2021-10-14 18:57:22 | Running /container/run/process/slapd/run...
61687d92 @(#) $OpenLDAP: slapd 2.4.57+dfsg-1~bpo10+1 (Jan 30 2021 06:59:51) $
        Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
61687d92 slapd starting

块引用

【问题讨论】:

【参考方案1】:

对于其他对此感到头疼的人。回顾一下,我需要获取 TLS 并在启动时插入一个 customldif。所以在对 k3s 进行了一些挖掘和 blizing openldap 之后。

版本 1.2.2 将毫无问题地导入我的 ldif。 1.3.0 - 1.5.0 炸毁了 openldap 并强制它在数据库中没有任何内容的情况下重新启动。

1.5.0 版将获取我的 tls 证书并挂载它。但之前的任何事情都没有。

希望这可以帮助某人。

【讨论】:

这也是 tls customTLS 所需的正确语法:启用:真正的秘密:“blaklabz-io-tls”

以上是关于osixia/openldap - 在配置 helm chart 以设置挂载时遇到问题的主要内容,如果未能解决你的问题,请参考以下文章

vagrant系列教程:vagrant的配置文件vagrantfile详解(转)

Docker网络代理设置

springboot项目搭建

cas相关问题

Win10 iot 配置防火墙限制应用部署

我myeclipse用SSH+MYSQL做CRUD操作时候,后台显示insert into...但是mysql表里并没有插入的这条数据,急HEL