背景:

要安装一系列的工具,如:jenkins spinnaker gitlab。账号系统是一件烦人的事情。前两年本人也试过openldap这样的统一账号管理认证。现在就想再用一下,把几个软件的账户系统整合一下(主要是想上spinnaker了)。搭建方式基本参照:https://mutoulazy.github.io/2021/04/01/kubernetes/openLDAP/#%E5%9C%A8k8s%E4%B8%AD%E9%83%A8%E7%BD%B2。不过这个哥们写的配置文件也比较乱,最起码pv,pvc应该先创建吧?yaml顺序整得杂七杂八的,都是创建了服务后导出的……另外还有这两个可以参考:Kubernetes - - k8s - v1.12.3 OpenLDAP统一认证、kubernetes实战(十一):k8s使用openLDAP统一认证
反正就结合这几个搞一下吧!

kubernetes 搭建openLDAP

1.创建pvc

默认存储cbs,直接使用了腾讯云的cbs块存储(最小10G,步长也是10G)

# Two ReadWriteOnce claims on the cluster's default "cbs" StorageClass:
# one for slapd's cn=config directory, one for the mdb database.
# 10Gi is the smallest cbs volume (and its step size).
cat <<'EOF' > pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-data-pvc
  namespace: kube-ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-config-pvc
  namespace: kube-ops
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cbs
EOF
kubectl apply -f pvc.yaml

2. 创建ldap deployment svc服务

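# Keep the two slapd passwords in a Secret instead of inlining them in the
# Deployment spec. The values below are the placeholders from the original
# manifest — set real ones, and keep this file out of version control.
cat <<'EOF' > ldap-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: openldap-secret
  namespace: kube-ops
type: Opaque
stringData:
  LDAP_ADMIN_PASSWORD: xxxxxxxx
  LDAP_CONFIG_PASSWORD: xxxxxxx
EOF
kubectl apply -f ldap-secret.yaml

# openldap Deployment + ClusterIP Service. The Deployment reads its
# passwords from the Secret above, so that file must be applied first.
cat <<'EOF' > ldap-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: kube-ops
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: 认证核心
spec:
  replicas: 1
  # Both PVCs are ReadWriteOnce: a rolling update would try to start the
  # new pod while the old one still holds the volumes, so replace instead.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: openldap
          image: 'osixia/openldap:1.5.0'
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            # 636 is the LDAPS port; whether TLS is actually served there
            # depends on the image's TLS settings — confirm before relying on it.
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          env:
            - name: LDAP_ORGANISATION
              value: devops
            - name: LDAP_DOMAIN
              value: xxx.com
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-secret
                  key: LDAP_ADMIN_PASSWORD
            - name: LDAP_CONFIG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openldap-secret
                  key: LDAP_CONFIG_PASSWORD
            - name: LDAP_BACKEND
              value: mdb
          # Only route Service traffic once slapd accepts connections.
          readinessProbe:
            tcpSocket:
              port: 389
            initialDelaySeconds: 10
            periodSeconds: 10
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config-pvc
              mountPath: /etc/ldap/slapd.d
            - name: ldap-data-pvc
              mountPath: /var/lib/ldap
      volumes:
        - name: ldap-config-pvc
          persistentVolumeClaim:
            claimName: ldap-config-pvc
        - name: ldap-data-pvc
          persistentVolumeClaim:
            claimName: ldap-data-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: kube-ops
  labels:
    app: openldap-svc
spec:
  ports:
    - name: tcp-389
      port: 389
      protocol: TCP
      targetPort: 389
    - name: tcp-636
      port: 636
      protocol: TCP
      targetPort: 636
  selector:
    app: openldap
EOF
kubectl apply -f ldap-deployment.yaml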

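# Follow the openldap pod's startup log. Select by label instead of by the
# generated pod name (openldap-6d9859cdb-944pp in the original), which is
# different on every rollout. --tail=-1 keeps the full log, since kubectl
# defaults to the last 10 lines when a selector is used.
kubectl logs -f -n kube-ops -l app=openldap --tail=-1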

3.创建phpldap deployments svc服务

# phpLDAPadmin web UI pointed at openldap-svc, plus a ClusterIP Service
# for the ingress to target.
cat <<'EOF' > ldap-phpldapadmin.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ldap-phpldapadmin
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: LDAP在线工具
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-phpldapadmin
  template:
    metadata:
      labels:
        app: ldap-phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          # "stable" is a floating tag; pin a specific version once one has
          # been validated so rollouts are reproducible.
          image: 'osixia/phpldapadmin:stable'
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          env:
            # The UI itself serves plain HTTP; any TLS has to be terminated
            # at the ingress in front of it.
            - name: PHPLDAPADMIN_HTTPS
              value: 'false'
            # Service name of the openldap Deployment in the same namespace.
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: openldap-svc
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: ldap-phpldapadmin-svc
  namespace: kube-ops
  labels:
    app: ldap-phpldapadmin-svc
spec:
  ports:
    - name: tcp-80
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: ldap-phpldapadmin
EOF
kubectl apply -f ldap-phpldapadmin.yaml

# List the Services in the namespace to confirm openldap-svc and
# ldap-phpldapadmin-svc exist before wiring up the ingress.
kubectl -n kube-ops get svc

4. 创建ingress 代理

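# Traefik Ingress for the phpLDAPadmin UI. Both annotations must be keys at
# the same indentation under `annotations:`; the original had stray
# whitespace in front of the entrypoints annotation, which YAML would not
# read as a second key.
cat <<'EOF' > traefik-ldap.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ldap-ui
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
    # "web" is conventionally Traefik's plain-HTTP entrypoint. The https URL
    # used in the verification step needs the TLS entrypoint (typically
    # "websecure") and a certificate — confirm against the Traefik install.
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: ldap.xxx.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: ldap-phpldapadmin-svc
                port:
                  number: 80
EOF
kubectl apply -f traefik-ldap.yaml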

5. 验证

登录 https://ldap.xxxx.com

Login DN:

cn=admin,dc=xxx,dc=com
Password:
系统变量中的:LDAP_ADMIN_PASSWORD


深深地感受到了远古页面的感觉:

先整到这里,然后测试一下spinnaker集成。快一年没有搞了,整通了再一起测试、写一下spinnaker jenkins等应用的集成!