diff --git a/demos/data/ldap/base/deployment.yaml b/demos/data/ldap/base/deployment.yaml
new file mode 100644
index 000000000..9570f5a3d
--- /dev/null
+++ b/demos/data/ldap/base/deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: ldap
+ labels:
+ app: ldap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ldap
+ template:
+ metadata:
+ labels:
+ app: ldap
+ spec:
+ containers:
+ - name: ldap
+ image: osixia/openldap:1.1.11
+ args: ["--copy-service"]
+ volumeMounts:
+ - name: ldap-data
+ mountPath: /var/lib/ldap
+ - name: ldap-config
+ mountPath: /etc/ldap/slapd.d
+ - name: ldap-certs
+ mountPath: /container/service/slapd/assets/certs
+ - name: configmap-volume
+ mountPath: /container/environment/01-custom
+ - name: container-run
+ mountPath: /container/run
+ ports:
+ - containerPort: 389
+ name: openldap
+ volumes:
+ - name: ldap-data
+ emptyDir: {}
+ - name: ldap-config
+ emptyDir: {}
+ - name: ldap-certs
+ emptyDir: {}
+ - name: "configmap-volume"
+ configMap:
+ name: "ldap-configmap"
+ - name: container-run
+ emptyDir: {}
diff --git a/demos/data/ldap/base/env.startup.txt b/demos/data/ldap/base/env.startup.txt
new file mode 100644
index 000000000..b29c230c8
--- /dev/null
+++ b/demos/data/ldap/base/env.startup.txt
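Review bot: `apiVersion: apps/v1beta2` on the first added line is an API version that was removed from Kubernetes in 1.16, so this manifest no longer applies on current clusters; because the spec already carries the mandatory `selector.matchLabels`, changing it to `apiVersion: apps/v1` is sufficient. Separately, the pod template sets no `securityContext` and no resource requests/limits, and the container publishes only plain-LDAP port 389 (no 636 entry), so whatever reaches the Service talks cleartext unless the client negotiates StartTLS. The osixia image performs its setup as root at start, I believe, so a non-root or read-only-root-filesystem context may need testing before it can be applied, but `allowPrivilegeEscalation: false` is a safe minimum to add under the container. All four data volumes are `emptyDir`, which is fine for a demo but means the directory, its cn=config and any certificates the image generates are lost on every pod restart; a one-line comment saying so above `volumes:` would help the next reader.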
@@ -0,0 +1,61 @@
+# This is the default image startup configuration file
+# this file define environment variables used during the container **first start** in **startup files**.
+
+# This file is deleted right after startup files are processed for the first time,
+# after that all these values will not be available in the container environment.
+# This helps to keep your container configuration secret.
+# more information : https://github.com/osixia/docker-light-baseimage
+
+# Required and used for new ldap server only
+LDAP_ORGANISATION: Example Inc.
+LDAP_DOMAIN: example.org
+LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN
+
+LDAP_ADMIN_PASSWORD: admin
+LDAP_CONFIG_PASSWORD: config
+
+LDAP_READONLY_USER: false
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: readonly
+
+LDAP_RFC2307BIS_SCHEMA: false
+
+# Backend
+LDAP_BACKEND: hdb
+
+# Tls
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: ldap.crt
+LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
+
+LDAP_TLS_ENFORCE: false
+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
+LDAP_TLS_VERIFY_CLIENT: demand
+
+# Replication
+LDAP_REPLICATION: false
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# are automaticaly replaced at run time
+
+# if you want to add replication to an existing ldap
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_HOSTS:
+ - ldap://ldap.example.org # The order must be the same on all ldap servers
+ - ldap://ldap2.example.org
+
+
+# Do not change the ldap config
+# - If set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run.
+# The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
+# - If set to true when bootstrapping a new database, bootstap ldif and schema will not be added and tls and replication config will not be run.
+KEEP_EXISTING_CONFIG: false
+
+# Remove config after setup
+LDAP_REMOVE_CONFIG_AFTER_SETUP: true
+
+# ssl-helper environment variables prefix
+LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
diff --git a/demos/data/ldap/base/kustomization.yaml b/demos/data/ldap/base/kustomization.yaml
new file mode 100644
index 000000000..6cd10dfad
--- /dev/null
+++ b/demos/data/ldap/base/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- deployment.yaml
+- service.yaml
+configMapGenerator:
+- name: ldap-configmap
+ files:
+ - env.startup.txt
diff --git a/demos/data/ldap/base/service.yaml b/demos/data/ldap/base/service.yaml
new file mode 100644
index 000000000..5ea479b54
--- /dev/null
+++ b/demos/data/ldap/base/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: ldap
+ name: ldap-service
+spec:
+ ports:
+ - port: 389
+ selector:
+ app: ldap
diff --git a/demos/data/ldap/base/tests/test.sh b/demos/data/ldap/base/tests/test.sh
new file mode 100755
index 000000000..de5ebd5cd
--- /dev/null
+++ b/demos/data/ldap/base/tests/test.sh
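Review bot: The header comment says this file is deleted after the first start so that the values stay secret, but the base deployment delivers it through a ConfigMap volume mounted at `/container/environment/01-custom`, which Kubernetes mounts read-only by default, so that deletion cannot take effect and `LDAP_ADMIN_PASSWORD: admin`, `LDAP_CONFIG_PASSWORD: config` and `LDAP_READONLY_USER_PASSWORD: readonly` stay readable in the ConfigMap object for anyone allowed to read configmaps. `LDAP_TLS: true` together with `LDAP_TLS_ENFORCE: false` means TLS is offered but cleartext simple binds on 389 are still accepted, and because `ldap-certs` is an emptyDir the `ldap.crt`/`ca.crt` named here will not exist at start — I believe the image's ssl-helper then self-signs a certificate, which is worth confirming since `LDAP_TLS_VERIFY_CLIENT: demand` would then be checked against that throwaway CA. For a demo this is acceptable, but the file should say so rather than promise secrecy, e.g. replace the "keep your container configuration secret" sentence with `# NOTE: in this demo the file is shipped via a ConfigMap, is mounted read-only and is NOT removed; the passwords below are demo-only — use a Secret and LDAP_TLS_ENFORCE: true outside a demo.`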
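Review bot: `configMapGenerator` on the fourth added line turns `env.startup.txt`, which carries the LDAP admin, config and readonly-user passwords, into a ConfigMap, i.e. a non-secret object that any principal with read access to configmaps in the namespace can dump; the kustomize primitive intended for credential-bearing files is `secretGenerator`. The change here is just `secretGenerator:` in place of `configMapGenerator:` with the same `- name: ldap-configmap` / `files:` entries, but the base deployment's `configmap-volume` would then have to reference `secret: secretName: ldap-configmap` instead of `configMap: name: ldap-configmap`, so the two edits belong in one commit. If the ConfigMap is kept on purpose because this is a demo, a one-line comment above the generator such as `# demo only: this file contains passwords, use secretGenerator for real deployments` stops the pattern from being copied.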
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# This script validates that this package works as expected with kustomize.
+# The validation makes sure following steps are correctly executed and the output is as expected
+# - deploy a ldap server by the output of kustomize
+# - add a user
+# - query a user
+# - delete a user
+#
+# This script should be called as
+# test.sh
+#
+# Testing passes if exit code is 0
+# Tesging fails if exit code is 1
+set -x
+
+function exit_with {
+ local msg=$1
+ echo >&2 ${msg}
+ exit 1
+}
+
+# make sure kustomize and kubectl are available
+command -v kustomize >/dev/null 2>&1 || { exit_with "Require kustomize but it's not installed. Aborting."; }
+command -v kubectl >/dev/null 2>&1 || { exit_with "Require kubectl but it's not installed. Aborting."; }
+
+# set namespace to default
+kubectl config set-context $(kubectl config current-context) --namespace=default
+
+# run kustomize
+# kustomize build $1 | kubectl apply -f - || { exit_with "Failed to run kubectl apply"; }
+echo Kustomizing \"$1\"
+ls $1
+kustomize build $1 > generatedResources.yaml
+[[ $? -eq 0 ]] || { exit_with "Failed to kustomize build"; }
+cat generatedResources.yaml
+kubectl apply -f generatedResources.yaml
+[[ $? -eq 0 ]] || { exit_with "Failed to run kubectl apply"; }
+sleep 20
+
+# get the pod and namespace
+pod=$(kubectl get pods -l app=ldap -o jsonpath='{.items[0].metadata.name}')
+namespace=$(kubectl get pods -l app=ldap -o jsonpath='{.items[0].metadata.namespace}')
+container="ldap"
+[[ -z ${pod} ]] && { exit_with "Pod is not started successfully"; }
+[[ -z ${namespace} ]] && { exit_with "Couldn't get namespace for Pod ${pod}"; }
+
+# create a user ldif file locally
+ldiffile="user.ldif"
+cat <$ldiffile
+dn: cn=The Postmaster,dc=example,dc=org
+objectClass: organizationalRole
+cn: The Postmaster
+EOF
+[[ -f ${ldiffile} ]] || { exit_with "Failed to create ldif file locally"; }
+
+# add a user
+pod_ldiffile="/tmp/user.ldif"
+kubectl cp $ldiffile ${namespace}/${pod}:${pod_ldiffile} || { exit_with "Failed to copy ldif file to Pod ${pod}"; }
+kubectl exec ${pod} -c ${container} -- ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin \
+-f ${pod_ldiffile} || { exit_with "Failed to add a user"; }
+
+# query the added user
+r=$(kubectl exec ${pod} -c ${container} -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org \
+-D "cn=admin,dc=example,dc=org" -w admin)
+user_count=$(echo ${r} | grep "cn: The Postmaster" | wc -l)
+[[ ${user_count} -eq 0 ]] && { exit_with "Couldn't find the new added user"; }
+
+# delete the added user
+kubectl exec ${pod} -c ${container} -- ldapdelete -v -x -H ldap://localhost "cn=The Postmaster,dc=example,dc=org" \
+-D "cn=admin,dc=example,dc=org" -w admin || { exit_with "Failed to delete the user"; }
+r=$(kubectl exec ${pod} -c ${container} -- ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin)
+user_count=$(echo ${r} | grep "cn: The Postmaster" | wc -l)
+[[ ${user_count} -ne 0 ]] && { exit_with "The user hasn't been deleted."; }
+
+# kubectl delete
+kubectl delete -f generatedResources.yaml
+rm $ldiffile
\ No newline at end of file
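Review bot: `set -x` near the top traces every command to stderr, so the bind password passed as `-w admin` on the ldapadd, ldapsearch and ldapdelete lines is written into the test log on every run; since each step already has its own `|| { exit_with ...; }` check, `set -x` can simply be removed, or the password kept out of the trace by wrapping the ldap calls in `set +x` / `set -x`. `sleep 20` is a race rather than a readiness check — `kubectl rollout status deployment/ldap --timeout=120s || { exit_with "Deployment not ready"; }` waits exactly as long as needed and fails deterministically. `kubectl config set-context ... --namespace=default` permanently rewrites the caller's kubeconfig as a side effect of running a test; passing `-n default` on each kubectl invocation avoids that. The line `cat <$ldiffile` reads like a mangled here-doc (`cat <<EOF >$ldiffile`, given the `EOF` terminator three lines below) — if the file really reads this way the script fails before any user is added, so please confirm it is only a rendering artifact. Also `echo ${r}` unquoted flattens the search output onto one line, so `user_count` is at most 1; `echo "${r}" | grep -c "cn: The Postmaster"` makes the name honest.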
diff --git a/demos/data/ldap/overlays/production/deployment.yaml b/demos/data/ldap/overlays/production/deployment.yaml
new file mode 100644
index 000000000..3e535c492
--- /dev/null
+++ b/demos/data/ldap/overlays/production/deployment.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: ldap
+spec:
+ replicas: 6
+ template:
+ spec:
+ volumes:
+ - name: ldap-data
+ emptyDir: null
+ gcePersistentDisk:
+ pdName: ldap-persistent-storage
diff --git a/demos/data/ldap/overlays/production/kustomization.yaml b/demos/data/ldap/overlays/production/kustomization.yaml
new file mode 100644
index 000000000..a8dda51ca
--- /dev/null
+++ b/demos/data/ldap/overlays/production/kustomization.yaml
@@ -0,0 +1,5 @@
+bases:
+ - ../../base
+patches:
+ - deployment.yaml
+namePrefix: production-
diff --git a/demos/data/ldap/overlays/staging/config.env b/demos/data/ldap/overlays/staging/config.env
new file mode 100644
index 000000000..c4032090a
--- /dev/null
+++ b/demos/data/ldap/overlays/staging/config.env
@@ -0,0 +1,2 @@
+DB_USERNAME=admin
+DB_PASSWORD=somepw
diff --git a/demos/data/ldap/overlays/staging/deployment.yaml b/demos/data/ldap/overlays/staging/deployment.yaml
new file mode 100644
index 000000000..792f4d0a2
--- /dev/null
+++ b/demos/data/ldap/overlays/staging/deployment.yaml
@@ -0,0 +1,7 @@
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: ldap
+spec:
+ replicas: 2
diff --git a/demos/data/ldap/overlays/staging/kustomization.yaml b/demos/data/ldap/overlays/staging/kustomization.yaml
new file mode 100644
index 000000000..7688bea73
--- /dev/null
+++ b/demos/data/ldap/overlays/staging/kustomization.yaml
@@ -0,0 +1,9 @@
+bases:
+ - ../../base
+patches:
+ - deployment.yaml
+nameprefix: staging-
+configMapGenerator:
+ - name: env-config
+ files:
+ - config.env
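Review bot: `replicas: 6` combined with a single `gcePersistentDisk` (`pdName: ldap-persistent-storage`) on the `ldap-data` volume cannot work as written: a GCE PD attaches read-write to one node, so only pods scheduled on that node can start, and those that do would all run slapd against the same `/var/lib/ldap` files, which is not safe for the single-writer `hdb` backend the base configures. Even with per-pod storage, the base leaves `LDAP_REPLICATION: false`, so six replicas would be six independent directories behind one Service and writes would land on whichever pod the Service picks. For a production overlay either keep `replicas: 1` with the persistent disk, or move to a StatefulSet with `volumeClaimTemplates` and enable syncrepl through `LDAP_REPLICATION` and `LDAP_REPLICATION_HOSTS`. `apiVersion: apps/v1beta2` here has also been removed since Kubernetes 1.16 and should read `apps/v1`.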
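Review bot: `DB_PASSWORD=somepw` is a credential committed to the repository, and the staging kustomization feeds this file to a `configMapGenerator`, so it ends up in a plain ConfigMap named `env-config` rather than a Secret. Nothing in the base or staging deployment mounts or `envFrom`s `env-config`, and the osixia LDAP image does not read `DB_USERNAME`/`DB_PASSWORD` as far as I can tell, so the file appears to be dead configuration. Either drop it, or if it is meant as a generator example, switch the generator to `secretGenerator` and add a first line `# placeholder demo values, not consumed by the ldap deployment` so nobody mistakes it for a real credential.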
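Review bot: `nameprefix: staging-` is spelled in lowercase while the production overlay uses `namePrefix: production-`; kustomize's field is `namePrefix`, and whether the lowercase key is honoured or silently dropped depends on the decoder (I believe older kustomize went through a JSON decoder that matches field names case-insensitively, whereas a strict YAML decoder would ignore or reject it), so the staging build may emit resources without the intended prefix. Change it to `namePrefix: staging-` to match the production overlay and remove the ambiguity.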