
kubernetes example

Bertrand Gouny 9 năm trước cách đây
mục cha
commit
ef1bb61aa0

+ 0 - 1
example/extend-osixia-openldap/bootstrap/ldif/billy.ldif

@@ -1,6 +1,5 @@
 dn: uid=billy,dc=example,dc=org
 changetype: add
-
 uid: billy
 cn: billy
 sn: 3

+ 2 - 0
example/kubernetes/simple/ldap-rc.yaml

@@ -51,6 +51,8 @@ spec:
               value: "ldap.key"
             - name: LDAP_TLS_CA_CRT_FILENAME
               value: "ca.crt"
+            - name: LDAP_TLS_ENFORCE
+              value: "false"
             - name: LDAP_TLS_CIPHER_SUITE
               value: "SECURE256:-VERS-SSL3.0"
             - name: LDAP_TLS_PROTOCOL_MIN
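Review bot: The new `LDAP_TLS_ENFORCE: "false"` entry is added without any explanation, and judging by its name it leaves slapd accepting clients that never negotiate TLS, so the cipher-suite and minimum-protocol settings right below it only govern the clients that opt in. That is presumably intended for a "simple" example, but the manifest should say so rather than let the value be copied into a real deployment; I would put `# "false": clients that do not start TLS are still accepted; set "true" to require TLS` above the new `- name:` line. The env list this sits in starts and ends outside the hunk.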

+ 10 - 0
example/kubernetes/using-secrets/environment/file-to-base64.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# print a file encode into base64
+
+FILE=$1
+
+FILE_ENCODED=$(cat $FILE | base64)
+FILE_ENCODED=`echo ${FILE_ENCODED} | tr -d '\n'`
+FILE_ENCODED=`echo ${FILE_ENCODED} | tr -d ' '`
+echo  $FILE_ENCODED
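Review bot: `$FILE` is used unquoted in `cat $FILE`, and a missing or unreadable argument is not an error here — `cat` complains on stderr, the script still prints an empty line and exits 0, so a typo in the secret file name silently yields an empty Secret value. I would replace the body after the header comment with `FILE=${1:?usage: file-to-base64.sh FILE}`, `[ -r "$FILE" ] || { echo "file-to-base64: cannot read $FILE" >&2; exit 1; }` and `base64 < "$FILE" | tr -d ' \n'`, which also removes the two backtick re-echo passes. Since the output is destined for a Kubernetes Secret manifest, the header comment should add that base64 is an encoding, not encryption: the generated YAML contains the credentials in recoverable form and must not be committed or shared.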

+ 10 - 0
example/kubernetes/using-secrets/environment/my-env.yaml

@@ -0,0 +1,10 @@
+# This is the default image configuration file
+# These values will persists in container environment.
+
+# All environment variables used after the container first start
+# must be defined here.
+# more information : https://github.com/osixia/docker-light-baseimage
+
+# General container configuration
+# see table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: 0

+ 46 - 0
example/kubernetes/using-secrets/environment/my-env.yaml.startup

@@ -0,0 +1,46 @@
+# This is the default image startup configuration file
+# this file define environment variables used during the container **first start** in **startup files**.
+
+# This file is deleted right after startup files are processed for the first time,
+# after that all these values will not be available in the container environment.
+# This helps to keep your container configuration secret.
+# more information : https://github.com/osixia/docker-light-baseimage
+
+# Required and used for new ldap server only
+LDAP_ORGANISATION: Example Inc.
+LDAP_DOMAIN: example.org
+LDAP_ADMIN_PASSWORD: Adm1n!
+LDAP_CONFIG_PASSWORD: c0nfig
+
+LDAP_READONLY_USER: true
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: passwr0rd!
+
+# Tls
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: cert.crt
+LDAP_TLS_KEY_FILENAME: cert.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
+
+LDAP_TLS_ENFORCE: false
+LDAP_TLS_CIPHER_SUITE: SECURE256:-VERS-SSL3.0
+LDAP_TLS_PROTOCOL_MIN: 3.1
+LDAP_TLS_VERIFY_CLIENT: never
+
+# Replication
+LDAP_REPLICATION: false
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# are automaticaly replaced at run time
+
+# if you want to add replication to an existing ldap
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_HDB_SYNCPROV to your configuration
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_HDB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_HOSTS:
+  - ldap://ldap.example.org # The order must be the same on all ldap servers
+  - ldap://ldap2.example.org
+
+
+# Remove config after setup
+LDAP_REMOVE_CONFIG_AFTER_SETUP: false
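Review bot: The header comment promises that this file is deleted after the first start "to keep your container configuration secret", but in this example the file is delivered through the `ldap-secret` Secret volume mounted at `/container/environment/01-custom`, so the admin, config and read-only passwords remain readable in the Secret object and in any checked-in manifest no matter what the container removes; `LDAP_REMOVE_CONFIG_AFTER_SETUP: false` at the bottom also reads as keeping the config around, though its exact effect is not visible here. I would add, above the `LDAP_ORGANISATION` line: `# Sample credentials only — replace them before use. In the kubernetes example this file comes from a Secret volume, so these values stay readable in the Secret object even after the container deletes its copy.` The TLS block keeps `LDAP_TLS_ENFORCE: false` and `LDAP_TLS_VERIFY_CLIENT: never`, which is fine for a demo but deserves a one-line "tighten for production" note of its own.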

+ 68 - 0
example/kubernetes/using-secrets/ldap-rc.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: ldap-controller
+  labels:
+    app: ldap
+spec:
+  replicas: 1
+  selector:
+    app: ldap
+  template:
+    metadata:
+      labels:
+        app: ldap
+    spec:
+      containers:
+        - name: ldap
+          image: osixia/openldap:1.1.0
+          command:
+          - --copy-service
+          volumeMounts:
+            - name: ldap-data
+              mountPath: /var/lib/ldap
+            - name: ldap-config
+              mountPath: /etc/ldap/slapd.d
+            - name: ldap-certs
+              mountPath: /container/service/slapd/assets/certs
+            - name: secret-volume
+              mountPath: /container/environment/01-custom
+            - name: container-run
+              mountPath: /container/run
+          ports:
+            - containerPort: 389
+              name: openldap
+        - name: ldap-backup
+          image: osixia/openldap-backup:0.1.7
+          volumeMounts:
+            - name: ldap-data
+              mountPath: /var/lib/ldap
+            - name: ldap-config
+              mountPath: /etc/ldap/slapd.d
+            - name: ldap-backup
+              mountPath: /data/backup
+          env:
+            - name: LDAP_BACKUP_CONFIG_CRON_EXP
+              value: "15 1 * * *"
+            - name: LDAP_BACKUP_DATA_CRON_EXP
+              value: "20 1 * * *"
+            - name: LDAP_BACKUP_TTL
+              value: "15"
+      volumes:
+        - name: ldap-data
+          hostPath:
+            path: "/data/ldap/db"
+        - name: ldap-config
+          hostPath:
+            path: "/data/ldap/config"
+        - name: ldap-backup
+          hostPath:
+            path: "/data/ldap/backup"
+        - name: ldap-certs
+          hostPath:
+            path: "/data/ldap/certs"
+        - name: "secret-volume"
+          secret:
+            secretName: "ldap-secret"
+        - name: container-run
+          emptyDir: {}
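Review bot: `command: [--copy-service]` on the `ldap` container replaces the image's ENTRYPOINT rather than appending to it — in a pod spec `command` maps to ENTRYPOINT and `args` to CMD — so, assuming `--copy-service` is a flag parsed by the image's entrypoint and not an executable of its own, the kubelet will try to exec a program named `--copy-service` and the container will not start; `args: ["--copy-service"]` is what is meant. Separately, data, config, certificates and backups are all `hostPath` volumes, which effectively pins the single replica to whichever node first populated `/data/ldap` and leaves the TLS private key under `/data/ldap/certs` exposed to whatever else can read that host path; a comment marking this as demo-only, or a `secret` volume for the certs like the one already used for the environment file, would be appropriate. The `secret-volume` mount also keeps the default file mode; if the targeted Kubernetes version supports it, `defaultMode: 0400` on that volume keeps the credential file from being world-readable inside the container.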

+ 10 - 0
example/kubernetes/using-secrets/ldap-secret.yaml


+ 11 - 0
example/kubernetes/using-secrets/ldap-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ldap
+  name: ldap-service
+spec:
+  ports:
+    - port: 389
+  selector:
+    app: ldap

+ 8 - 4
image/service/slapd/assets/schema-to-ldif.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+# set -x (bash debug) if log level is trace
+# https://github.com/osixia/docker-light-baseimage/blob/stable/image/tool/log-helper
+log-helper level eq trace && set -x
+
 SCHEMAS=$1
 
 tmpd=`mktemp -d`
@@ -18,7 +22,7 @@ slaptest -f convert.dat -F .
 
 if [ $? -ne 0 ] ; then
     echo "slaptest conversion failed"
-    exit 
+    exit
 fi
 
 for schema in ${SCHEMAS} ; do
@@ -27,7 +31,7 @@ for schema in ${SCHEMAS} ; do
     schema_dir=`dirname ${fullpath}`
     ldif_file=${schema_name}.ldif
 
-    find . -name *${schema_name}.ldif -exec mv '{}' ./${ldif_file} \;
+    find . -name *\}${schema_name}.ldif -exec mv '{}' ./${ldif_file} \;
 
     # TODO: these sed invocations could all be combined
     sed -i --follow-symlinks "/dn:/ c dn: cn=${schema_name},cn=schema,cn=config" ${ldif_file}
@@ -39,7 +43,7 @@ for schema in ${SCHEMAS} ; do
     sed -i --follow-symlinks '/entryCSN/ d' ${ldif_file}
     sed -i --follow-symlinks '/modifiersName/ d' ${ldif_file}
     sed -i --follow-symlinks '/modifyTimestamp/ d' ${ldif_file}
-    
+
     # slapd seems to be very sensitive to how a file ends. There should be no blank lines.
     sed -i --follow-symlinks '/^ *$/d' ${ldif_file}
 
@@ -47,4 +51,4 @@ for schema in ${SCHEMAS} ; do
 done
 
 popd >>/dev/null
-rm -rf $tmpd
+rm -rf $tmpd
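Review bot: The `exit` after `echo "slaptest conversion failed"` in the second hunk (touched only to drop trailing whitespace) carries no status, so the script exits 0 on a failed conversion and the caller cannot tell that no LDIF was produced; it should be `echo "slaptest conversion failed" >&2` followed by `exit 1`. In the third hunk the rewritten `-name *\}${schema_name}.ldif` is still unquoted, so the shell globs it against the temp directory before `find` sees it and the call relies on that glob matching nothing; quoting it, `find . -name "*}${schema_name}.ldif" -exec mv '{}' "./${ldif_file}" \;`, makes the pattern reach `find` unconditionally. Both lines sit inside the `for schema` loop, whose start is outside the respective hunk.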

+ 3 - 2
image/service/slapd/startup.sh

@@ -79,7 +79,8 @@ if [ ! -e "$FIRST_START_DONE" ]; then
   if [ -z "$(ls -A /var/lib/ldap)" ] && [ -z "$(ls -A /etc/ldap/slapd.d)" ]; then
 
     BOOTSTRAP=true
-    log-helper info "Database and config directory are empty"
+    log-helper info "Database and config directory are empty..."
+    log-helper info "Init new ldap server..."
 
     cat <<EOF | debconf-set-selections
 slapd slapd/internal/generated_adminpw password ${LDAP_ADMIN_PASSWORD}
@@ -164,7 +165,7 @@ EOF
     for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.schema -type f); do
       SCHEMAS="$SCHEMAS ${f}"
     done
-    ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS"
+    ${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS" | log-helper debug
 
     # add converted schemas
     for f in $(find ${CONTAINER_SERVICE_DIR}/slapd/assets/config/bootstrap/schema -name \*.ldif -type f); do
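Review bot: Piping `schema-to-ldif.sh` into `log-helper debug` makes the line's exit status that of `log-helper`, so a failed schema conversion can no longer be noticed at this point (no `pipefail` is visible in this script), and the loop that follows would go on to add whatever `.ldif` files happen to exist. Check the producer explicitly: keep `${CONTAINER_SERVICE_DIR}/slapd/assets/schema-to-ldif.sh "$SCHEMAS" | log-helper debug` and add `[ "${PIPESTATUS[0]}" -eq 0 ] || { log-helper error "schema conversion failed"; exit 1; }` — `log-helper error` is assumed to exist alongside the `info`/`debug` levels used here, otherwise use `echo … >&2`. This only helps once `schema-to-ldif.sh` itself returns non-zero on failure, which its bare `exit` after the slaptest error currently does not. The enclosing `if [ ! -e "$FIRST_START_DONE" ]` block starts before the first hunk and ends after this one.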
