小贝子编程

osixia/在配置舵图设置坐骑时遇到麻烦



谢谢你的帮助,因为我是新人,我的问题可能会让你觉得有点陌生。

所以在工作中,我的任务是通过helm部署让openldap使用TLS。我们目前使用的是osixia/openldap。所以工作时不要打碎东西(389)是在工作,我宁愿不打扰它。

,所以!我决定在家里启动一个k3s集群,模拟我们正在进行的事情。显然,我们在工作中使用的是实际的CA,我懒得使用let加密。我滚动了我自己的通配符证书,我正在使用它通过证书管理器进入,这似乎正在顺利地工作。然后我决定对openldap上的TLS使用相同的证书,因为我认为这对于家庭实验室来说是可以接受的,看看我是否可以让它工作。

我一直在寻找数字桶的底部,试图找出为什么helm图表中的参数/参数没有设置kubernetes证书。我试图设置customTLS:和tls:参数,但系统仍然忽略它并设置它自己的证书。

在此之上,我试图设置卷挂载以使证书以这种方式进入pod,并且Volumes:和extravolumounts:似乎被忽略了。所以,我确信我哪里少了一个零件。有人通过helm配置TLS吗?

这是我的yaml文件。

# Default values for openldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
# Define deployment strategy - IMPORTANT: use rollingUpdate: null when use Recreate strategy.
# It prevents from merging with existing map keys which are forbidden.
strategy: {}
# type: RollingUpdate
# rollingUpdate:
#   maxSurge: 1
#   maxUnavailable: 0
#
# or
#
# type: Recreate
# rollingUpdate: null
image:
# From repository https://github.com/osixia/docker-openldap
repository: osixia/openldap
tag: 1.5.0
pullPolicy: IfNotPresent

# Spcifies an existing secret to be used for admin and config user passwords
existingSecret: ""
customTLS:
enabled: true
secret: "blaklabz-io-tls"  # The name of a kubernetes.io/tls type secret to use for TLS
CA:
enabled: true
secret: "wildcard.blaklabz.io.crt"  # The name of a generic secret to use for custom CA certificate (ca.crt)
tls:
enabled: true
secret: "blaklabz-io-tls"
CA:
enabled: true
secret: "wildcard.blaklabz.io.crt"  
logLevel: debug
## Add additional labels to all resources
extraLabels: {}
podAnnotations: {}
service:
annotations: {}
ldapPort: 389
sslLdapPort: 636
## List of IP addresses at which the service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
##
externalIPs: []
loadBalancerIP: ""
loadBalancerSourceRanges: []
type: ClusterIP
# Additional volumes to be mounted to pod
extraVolumes: 
- name: ca-certs
hostPath:
path: C:/code/home/helm/k3s/openldap/certs/
type: DirectoryOrCreate

extraVolumeMounts: 
- name: ca-certs
readOnly: true
mountPath: "/container/run/service/slapd/assets/certs/"


# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
LDAP_ORGANISATION: "Blaklabz"
LDAP_DOMAIN: "blaklabz.io"
LDAP_BACKEND: "hdb"
LDAP_REQCERT: "allow"
LDAP_BASE_DN: "dc=blaklabz,dc=io"  
#LDAP_TLS_CRT_FILENAME: "wildcard.blaklabz.io.crt"
#LDAP_TLS_KEY_FILENAME: "wildcard.blaklabz.io.key"
# LDAP_TLS_CA_CRT_FILENAME: "wildcard.blaklabz.io.crt"
LDAP_BASE_DN: "dc=blaklabz,dc=io"
LDAP_TLS_ENFORCE: "false"
LDAP_TLS_VERIFY_CLIENT: "never"  

# Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
# You can override these at install time with
# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
# adminPassword: admin
# configPassword: config
# Custom openldap configuration files used to override default settings
customLdifFiles:
01-default-users.ldif: |-
version: 1

# Entry 3: cn=Administrators,dc=blaklabz,dc=io
dn: cn=Administrators,dc=blaklabz,dc=io
cn: Administrators
member: cn=admin,dc=blaklabz,dc=io
member: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
objectclass: groupOfNames
objectclass: top
# Entry 4: ou=groups,dc=blaklabz,dc=io
dn: ou=groups,dc=blaklabz,dc=io
objectclass: organizationalUnit
objectclass: top
ou: groups
# Entry 5: cn=admin,ou=groups,dc=blaklabz,dc=io
dn: cn=admin,ou=groups,dc=blaklabz,dc=io
cn: admin
gidnumber: 500
memberuid: watkinst
memberuid: cwatkins
objectclass: posixGroup
objectclass: top

# Entry 6: cn=developers,ou=groups,dc=blaklabz,dc=io
dn: cn=developers,ou=groups,dc=blaklabz,dc=io
cn: developers
gidnumber: 501
memberuid: 1001
memberuid: dev
objectclass: posixGroup
objectclass: top
# Entry 8: cn=viewers,ou=groups,dc=blaklabz,dc=io
dn: cn=viewers,ou=groups,dc=blaklabz,dc=io
cn: viewers
gidnumber: 502
memberuid: viewer
objectclass: posixGroup
objectclass: top
# Entry 9: ou=users,dc=blaklabz,dc=io
dn: ou=users,dc=blaklabz,dc=io
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 10: cn=Christy Watkins,ou=users,dc=blaklabz,dc=io
dn: cn=Christy Watkins,ou=users,dc=blaklabz,dc=io
cn: Christy Watkins
gidnumber: 500
givenname: Christy
homedirectory: /home/users/cwatkins
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Watkins
uid: cwatkins
uidnumber: 1004


# Entry 11: cn=dev,ou=users,dc=blaklabz,dc=io
dn: cn=dev,ou=users,dc=blaklabz,dc=io
cn: dev
gidnumber: 501
givenname: Test1
homedirectory: /home/users/taccount
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Account
uid: dev
uidnumber: 1001

# Entry 12: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
dn: cn=ldapadmin,ou=users,dc=blaklabz,dc=io
cn: ldapadmin
gidnumber: 503
givenname: ldapadmin
homedirectory: /home/users/lldapadmin
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: ldapadmin
uid: lldapadmin
uidnumber: 1002


# Entry 13: cn=Thomas,ou=users,dc=blaklabz,dc=io
dn: cn=Thomas,ou=users,dc=blaklabz,dc=io
cn: Thomas
gidnumber: 500
givenname: watkinst
homedirectory: /home/users/watkinst
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Watkins
uid: watkinst
uidnumber: 1000


# Entry 14: cn=viewer,ou=users,dc=blaklabz,dc=io
dn: cn=viewer,ou=users,dc=blaklabz,dc=io
cn: viewer
gidnumber: 502
givenname: admin
homedirectory: /home/users/admin
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: admin
uid: viewer
uidnumber: 1003


## Persist data to a persistent volume
persistence:
enabled: true
## database data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
##   set, choosing the default provisioner.  (gp2 on AWS, standard on
##   GKE, AWS & OpenStack)
##
# storageClass: "-"
accessMode: ReadWriteOnce
size: 8Gi
resources: {}
# requests:
#   cpu: "100m"
#   memory: "256Mi"
# limits:
#   cpu: "500m"
#   memory: "512Mi"
nodeSelector: {}
tolerations: []
affinity: {}
## test container details
test:
enabled: false
image:
repository: dduportal/bats
tag: 0.4.0
#logLevel: info
#
#

这是日志。

***  INFO   | 2021-10-14 18:57:21 | openldap GID/UID
***  INFO   | 2021-10-14 18:57:21 | -------------------------------------
***  INFO   | 2021-10-14 18:57:21 | User uid: 911
***  INFO   | 2021-10-14 18:57:21 | User gid: 911
***  INFO   | 2021-10-14 18:57:21 | uid/gid changed: false
***  INFO   | 2021-10-14 18:57:21 | -------------------------------------
***  INFO   | 2021-10-14 18:57:21 | updating file uid/gid ownership
***  INFO   | 2021-10-14 18:57:21 | Start OpenLDAP...
***  INFO   | 2021-10-14 18:57:21 | Waiting for OpenLDAP to start...
***  INFO   | 2021-10-14 18:57:21 | Add TLS config...
***  INFO   | 2021-10-14 18:57:21 | No certificate file and certificate key provided, generate:
***  INFO   | 2021-10-14 18:57:21 | /container/run/service/slapd/assets/certs/ldap.crt and /container/run/servi
ce/slapd/assets/certs/ldap.key
2021/10/14 18:57:21 [INFO] generate received request
2021/10/14 18:57:21 [INFO] received CSR
2021/10/14 18:57:21 [INFO] generating key: ecdsa-384
2021/10/14 18:57:21 [INFO] encoded CSR
2021/10/14 18:57:21 [INFO] signed certificate with serial number 1558723425496628971971287710038808792320609523
27
***  INFO   | 2021-10-14 18:57:21 | Link /container/run/service/:ssl-tools/assets/default-ca/default-ca.pem to
/container/run/service/slapd/assets/certs/ca.crt
***  INFO   | 2021-10-14 18:57:21 | Disable replication config...
***  INFO   | 2021-10-14 18:57:21 | Stop OpenLDAP...
***  INFO   | 2021-10-14 18:57:21 | Configure ldap client TLS configuration...
***  INFO   | 2021-10-14 18:57:21 | Remove config files...
***  INFO   | 2021-10-14 18:57:22 | First start is done...
***  INFO   | 2021-10-14 18:57:22 | Remove file /container/environment/99-default/default.startup.yaml
***  INFO   | 2021-10-14 18:57:22 | Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
***  INFO   | 2021-10-14 18:57:22 | Running /container/run/process/slapd/run...
61687d92 @(#) $OpenLDAP: slapd 2.4.57+dfsg-1~bpo10+1 (Jan 30 2021 06:59:51) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
61687d92 slapd starting

引用

如果有人对此感到困惑的话。回顾一下,我需要获得TLS并在启动时插入一个自定义文件。所以在做了一些挖掘和快速打开k3s后。

版本1.2.2将导入我的ldif没有问题。1.3.0 - 1.5.0炸毁了openldap,并强制它在数据库中没有任何内容的情况下重新启动。

1.5.0版本将获取我的TLS证书并挂载它。但之前的任何东西都没有。

希望这能帮助到一些人。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium