1 parent
bc12f60
commit 332624b
Showing
10 changed files
with
239 additions
and
0 deletions.
@@ -0,0 +1,46 @@ | ||
apiVersion: apps/v1beta2 | ||
kind: Deployment | ||
metadata: | ||
name: ldap | ||
labels: | ||
app: ldap | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: ldap | ||
template: | ||
metadata: | ||
labels: | ||
app: ldap | ||
spec: | ||
containers: | ||
- name: ldap | ||
image: osixia/openldap:1.1.11 | ||
args: ["--copy-service"] | ||
volumeMounts: | ||
- name: ldap-data | ||
mountPath: /var/lib/ldap | ||
- name: ldap-config | ||
mountPath: /etc/ldap/slapd.d | ||
- name: ldap-certs | ||
mountPath: /container/service/slapd/assets/certs | ||
- name: configmap-volume | ||
mountPath: /container/environment/01-custom | ||
- name: container-run | ||
mountPath: /container/run | ||
ports: | ||
- containerPort: 389 | ||
name: openldap | ||
volumes: | ||
- name: ldap-data | ||
emptyDir: {} | ||
- name: ldap-config | ||
emptyDir: {} | ||
- name: ldap-certs | ||
emptyDir: {} | ||
- name: "configmap-volume" | ||
configMap: | ||
name: "ldap-configmap" | ||
- name: container-run | ||
emptyDir: {} |
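Review bot: `apiVersion: apps/v1beta2` on the first line of the hunk is a pre-GA API group that later Kubernetes releases no longer serve, so `apiVersion: apps/v1` is the version to target; the Deployment patches in the production and staging overlays repeat the same value and should move with it. The `ldap` container also has no `securityContext` or `resources` block, so it inherits cluster defaults (typically root in the container and unbounded CPU/memory); whether `runAsNonRoot`/`readOnlyRootFilesystem` can be set depends on what the osixia image tolerates and is worth checking. The `configmap-volume` mount at `/container/environment/01-custom` is where the generated ConfigMap delivers `env.startup.txt`, which in this commit carries the directory's admin and config passwords, so a Secret-backed volume is the better fit for that mount.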
@@ -0,0 +1,61 @@ | ||
# This is the default image startup configuration file | ||
# this file define environment variables used during the container **first start** in **startup files**. | ||
|
||
# This file is deleted right after startup files are processed for the first time, | ||
# after that all these values will not be available in the container environment. | ||
# This helps to keep your container configuration secret. | ||
# more information : https://github.com/osixia/docker-light-baseimage | ||
|
||
# Required and used for new ldap server only | ||
LDAP_ORGANISATION: Example Inc. | ||
LDAP_DOMAIN: example.org | ||
LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN | ||
|
||
LDAP_ADMIN_PASSWORD: admin | ||
LDAP_CONFIG_PASSWORD: config | ||
|
||
LDAP_READONLY_USER: false | ||
LDAP_READONLY_USER_USERNAME: readonly | ||
LDAP_READONLY_USER_PASSWORD: readonly | ||
|
||
LDAP_RFC2307BIS_SCHEMA: false | ||
|
||
# Backend | ||
LDAP_BACKEND: hdb | ||
|
||
# Tls | ||
LDAP_TLS: true | ||
LDAP_TLS_CRT_FILENAME: ldap.crt | ||
LDAP_TLS_KEY_FILENAME: ldap.key | ||
LDAP_TLS_CA_CRT_FILENAME: ca.crt | ||
|
||
LDAP_TLS_ENFORCE: false | ||
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC | ||
LDAP_TLS_VERIFY_CLIENT: demand | ||
|
||
# Replication | ||
LDAP_REPLICATION: false | ||
# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD | ||
# are automaticaly replaced at run time | ||
|
||
# if you want to add replication to an existing ldap | ||
# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration | ||
# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables | ||
LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical | ||
LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical | ||
LDAP_REPLICATION_HOSTS: | ||
- ldap://ldap.example.org # The order must be the same on all ldap servers | ||
- ldap://ldap2.example.org | ||
|
||
|
||
# Do not change the ldap config | ||
# - If set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run. | ||
# The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data. | ||
# - If set to true when bootstrapping a new database, bootstap ldif and schema will not be added and tls and replication config will not be run. | ||
KEEP_EXISTING_CONFIG: false | ||
|
||
# Remove config after setup | ||
LDAP_REMOVE_CONFIG_AFTER_SETUP: true | ||
|
||
# ssl-helper environment variables prefix | ||
LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables. |
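Review bot: `LDAP_ADMIN_PASSWORD: admin`, `LDAP_CONFIG_PASSWORD: config` and `LDAP_READONLY_USER_PASSWORD: readonly` are committed in clear text and, through the base kustomization's `configMapGenerator`, end up in a ConfigMap rather than a Secret, so anyone who can read ConfigMaps in the namespace can read the directory's admin credentials. The file's own header says it exists to keep the configuration secret, which a ConfigMap does not provide; generating it as a Secret instead (kustomize's `secretGenerator`) and mounting that Secret at the same path keeps the image's startup flow unchanged. `LDAP_TLS_ENFORCE: false` leaves the plaintext port in use even though `LDAP_TLS: true`, which is what the test script relies on when it binds to `ldap://localhost`; that is acceptable for an example but deserves a comment such as `# TLS is not enforced so the in-pod test can bind over ldap://; set true outside of demos`. `LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN` parses as null, which matches the comment's intent, but `LDAP_BASE_DN: ""` with the comment on its own line is less surprising to a reader.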
@@ -0,0 +1,7 @@ | ||
resources: | ||
- deployment.yaml | ||
- service.yaml | ||
configMapGenerator: | ||
- name: ldap-configmap | ||
files: | ||
- env.startup.txt |
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
labels: | ||
app: ldap | ||
name: ldap-service | ||
spec: | ||
ports: | ||
- port: 389 | ||
selector: | ||
app: ldap |
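Review bot: `- port: 389` has no `targetPort`, so it falls back to 389 and only reaches the container because it happens to listen on the same number; `targetPort: openldap` would bind the Service to the named `containerPort` in deployment.yaml and survive a port change there. Adding `protocol: TCP` and a port `name` is conventional as well, though neither is required for a single-port Service.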
@@ -0,0 +1,78 @@ | ||
#!/bin/bash | ||
|
||
# This script validates that this package works as expected with kustomize. | ||
# The validation makes sure following steps are correctly executed and the output is as expected | ||
# - deploy a ldap server by the output of kustomize | ||
# - add a user | ||
# - query a user | ||
# - delete a user | ||
# | ||
# This script should be called as | ||
# test.sh <path to directory of Kube-manifest.yaml> | ||
# | ||
# Testing passes if exit code is 0 | ||
# Tesging fails if exit code is 1 | ||
set -x | ||
|
||
function exit_with { | ||
local msg=$1 | ||
echo >&2 ${msg} | ||
exit 1 | ||
} | ||
|
||
# make sure kustomize and kubectl are available | ||
command -v kustomize >/dev/null 2>&1 || { exit_with "Require kustomize but it's not installed. Aborting."; } | ||
command -v kubectl >/dev/null 2>&1 || { exit_with "Require kubectl but it's not installed. Aborting."; } | ||
|
||
# set namespace to default | ||
kubectl config set-context $(kubectl config current-context) --namespace=default | ||
|
||
# run kustomize | ||
# kustomize build $1 | kubectl apply -f - || { exit_with "Failed to run kubectl apply"; } | ||
echo Kustomizing \"$1\" | ||
ls $1 | ||
kustomize build $1 > generatedResources.yaml | ||
[[ $? -eq 0 ]] || { exit_with "Failed to kustomize build"; } | ||
cat generatedResources.yaml | ||
kubectl apply -f generatedResources.yaml | ||
[[ $? -eq 0 ]] || { exit_with "Failed to run kubectl apply"; } | ||
sleep 20 | ||
|
||
# get the pod and namespace | ||
pod=$(kubectl get pods -l app=ldap -o jsonpath='{.items[0].metadata.name}') | ||
namespace=$(kubectl get pods -l app=ldap -o jsonpath='{.items[0].metadata.namespace}') | ||
container="ldap" | ||
[[ -z ${pod} ]] && { exit_with "Pod is not started successfully"; } | ||
[[ -z ${namespace} ]] && { exit_with "Couldn't get namespace for Pod ${pod}"; } | ||
|
||
# create a user ldif file locally | ||
ldiffile="user.ldif" | ||
cat <<EOF >$ldiffile | ||
dn: cn=The Postmaster,dc=example,dc=org | ||
objectClass: organizationalRole | ||
cn: The Postmaster | ||
EOF | ||
[[ -f ${ldiffile} ]] || { exit_with "Failed to create ldif file locally"; } | ||
|
||
# add a user | ||
pod_ldiffile="/tmp/user.ldif" | ||
kubectl cp $ldiffile ${namespace}/${pod}:${pod_ldiffile} || { exit_with "Failed to copy ldif file to Pod ${pod}"; } | ||
kubectl exec ${pod} -c ${container} -- ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin \ | ||
-f ${pod_ldiffile} || { exit_with "Failed to add a user"; } | ||
|
||
# query the added user | ||
r=$(kubectl exec ${pod} -c ${container} -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org \ | ||
-D "cn=admin,dc=example,dc=org" -w admin) | ||
user_count=$(echo ${r} | grep "cn: The Postmaster" | wc -l) | ||
[[ ${user_count} -eq 0 ]] && { exit_with "Couldn't find the new added user"; } | ||
|
||
# delete the added user | ||
kubectl exec ${pod} -c ${container} -- ldapdelete -v -x -H ldap://localhost "cn=The Postmaster,dc=example,dc=org" \ | ||
-D "cn=admin,dc=example,dc=org" -w admin || { exit_with "Failed to delete the user"; } | ||
r=$(kubectl exec ${pod} -c ${container} -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin) | ||
user_count=$(echo ${r} | grep "cn: The Postmaster" | wc -l) | ||
[[ ${user_count} -ne 0 ]] && { exit_with "The user hasn't been deleted."; } | ||
|
||
# kubectl delete | ||
kubectl delete -f generatedResources.yaml | ||
rm $ldiffile |
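Review bot: `set -x` traces every command, so the three `-w admin` bind passwords (and the kubeconfig context change) are printed into whatever log captures this script; the ldap client tools accept `-y <passwordfile>` instead, or `set +x` can bracket the ldap* calls, either of which keeps the credential out of CI output. Cleanup runs only on the success path: every `exit_with` leaves the applied Deployment/Service/ConfigMap in the cluster and `user.ldif` on disk, and `kubectl config set-context ... --namespace=default` permanently rewrites the caller's kubeconfig, so an `EXIT` trap should own the cluster and file cleanup. `sleep 20` races pod startup; `kubectl wait` on the `app=ldap` pods gives a deterministic gate where the kubectl in use supports it. The unquoted `$1` in `ls $1` / `kustomize build $1` and `echo >&2 ${msg}` should be `"$1"` / `"${msg}"`, and the header comment typo `Tesging` is `Testing`.
```shell
set -x

# … unchanged: exit_with, kustomize/kubectl availability checks …

# Remove everything the test created, even when a check fails part-way.
cleanup() {
  [[ -f generatedResources.yaml ]] && kubectl delete -f generatedResources.yaml --ignore-not-found
  rm -f user.ldif
}
trap cleanup EXIT

# … unchanged: kubectl config set-context, kustomize build, kubectl apply …

# Gate on readiness instead of a fixed sleep.
kubectl wait --for=condition=Ready pod -l app=ldap --timeout=120s || exit_with "ldap pod did not become ready"

# … unchanged: ldif creation, ldapadd / ldapsearch / ldapdelete checks (drop the trailing kubectl delete / rm; the trap covers them) …
```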
@@ -0,0 +1,13 @@ | ||
apiVersion: apps/v1beta2 | ||
kind: Deployment | ||
metadata: | ||
name: ldap | ||
spec: | ||
replicas: 6 | ||
template: | ||
spec: | ||
volumes: | ||
- name: ldap-data | ||
emptyDir: null | ||
gcePersistentDisk: | ||
pdName: ldap-persistent-storage |
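Review bot: `replicas: 6` combined with a single `gcePersistentDisk` is unlikely to work as written: a GCE PD can be attached read-write to one node at a time, so replicas scheduled onto other nodes would be expected to stall in ContainerCreating with attach errors, and six slapd instances writing one `/var/lib/ldap` would risk corrupting the database even where they could mount it. A scaled-out directory needs per-pod storage (a StatefulSet with `volumeClaimTemplates`) together with the image's `LDAP_REPLICATION` settings; for a single writer this patch should keep `replicas: 1`. `emptyDir: null` is the correct strategic-merge idiom for dropping the base volume source, though a comment `# null removes the base emptyDir so only the PD remains` saves the next reader a lookup. `apps/v1beta2` here has the same API-lifecycle issue as in the base Deployment.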
@@ -0,0 +1,5 @@ | ||
bases: | ||
- ../../base | ||
patches: | ||
- deployment.yaml | ||
namePrefix: production- |
@@ -0,0 +1,2 @@ | ||
DB_USERNAME=admin | ||
DB_PASSWORD=somepw |
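Review bot: `DB_PASSWORD=somepw` is a credential checked into the overlay and fed to the staging kustomization's `configMapGenerator` as `env-config`, so it lands in a ConfigMap rather than a Secret. In the files shown, nothing consumes `env-config` — the staging Deployment patch only sets `replicas`, and the base manifests reference only `ldap-configmap` — so as committed it appears to be dead configuration; either wire it in through a Secret or drop the file. If it stays as a generator demo, a comment next to the generator entry in the staging kustomization, e.g. `# demo input for configMapGenerator; not consumed by any workload`, makes that intent explicit.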
@@ -0,0 +1,7 @@ | ||
|
||
apiVersion: apps/v1beta2 | ||
kind: Deployment | ||
metadata: | ||
name: ldap | ||
spec: | ||
replicas: 2 |
@@ -0,0 +1,9 @@ | ||
bases: | ||
- ../../base | ||
patches: | ||
- deployment.yaml | ||
nameprefix: staging- | ||
configMapGenerator: | ||
- name: env-config | ||
files: | ||
- config.env |
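Review bot: `nameprefix: staging-` uses a lowercase key while the production overlay writes `namePrefix: production-`; kustomize's field is camelCase, so this one is likely ignored or rejected (depending on how strictly the version in use decodes the file) and the staging resources would come out without a prefix. Change it to `namePrefix: staging-` so both overlays agree.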