1、使用rbd作为存储，创建认证以及pv、创建namespace为： public-service

cat ldap-secret.yaml

apiVersion: "v1"

kind: "Secret"

metadata:

  namespace: public-service

  name: "ldap-secret"

type: "kubernetes.io/rbd"

data:

  key: QVFBbU9ZSmNUSWQ3TlJBQVhKeWh3c2ZtQkhzQzZ2VGJ4UVZvVWc9PQ==

cat rbd-pv.yaml

apiVersion: v1

kind: PersistentVolume

metadata:

  name: openldap-data-pv

  namespace: public-service

spec:

  capacity:

    storage: 20Gi

  accessModes:

    - ReadWriteMany

  storageClassName: openldap-data-pv

  rbd:

    monitors:

      - '10.75.32.226:6789'

      - '10.75.32.230:6789'

      - '10.75.32.231:6789'

    pool: rbd-k8s

    image: cephldap

    user: admin

    secretRef:

      name: ldap-secret

    fsType: ext4

    readOnly: false

  persistentVolumeReclaimPolicy: Recycle

从github取得openldap的yaml文件。

git clone https://github.com/atjapan2015/kuberneteshandson.git

1、各文件添加修改自己的DN，我的为dashboard.com

启动deployment和service。

[root@k8s-master openldap]# cat ldap-deployment.yaml

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

  name: ldap

  namespace: public-service

  labels:

    app: ldap

spec:

  replicas: 1

  template:

    metadata:

      labels:

        app: ldap

    spec:

      containers:

        - name: ldap

          image: osixia/openldap:1.2.1

          volumeMounts:

            - name: openldap-data

              mountPath: /var/lib/ldap

              subPath: ldap-data

            - name: openldap-data

              mountPath: /etc/ldap/slapd.d

              subPath: ldap-config

            - name: openldap-data

              mountPath: /container/service/slapd/assets/certs

              subPath: ldap-certs

          ports:

            - containerPort: 389

              name: openldap

            - name: ssl-ldap-port

              containerPort: 636

          livenessProbe:

            tcpSocket:

              port: openldap

            initialDelaySeconds: 20

            periodSeconds: 10

            failureThreshold: 10

          readinessProbe:

            tcpSocket:

              port: openldap

            initialDelaySeconds: 20

            periodSeconds: 10

            failureThreshold: 10

          env:

            - name: LDAP_LOG_LEVEL

              value: "256"

            - name: LDAP_ORGANISATION

              value: "Dashboard Inc."

            - name: LDAP_DOMAIN

              value: "dashboard.com"

            - name: LDAP_ADMIN_PASSWORD

              value: "admin"

            - name: LDAP_CONFIG_PASSWORD

              value: "config"

            - name: LDAP_READONLY_USER

              value: "false"

            - name: LDAP_READONLY_USER_USERNAME

              value: "readonly"

            - name: LDAP_READONLY_USER_PASSWORD

              value: "readonly"

            - name: LDAP_RFC2307BIS_SCHEMA

              value: "false"

            - name: LDAP_BACKEND

              value: "mdb"

            - name: LDAP_TLS

              value: "true"

            - name: LDAP_TLS_CRT_FILENAME

              value: "ldap.crt"

            - name: LDAP_TLS_KEY_FILENAME

              value: "ldap.key"

            - name: LDAP_TLS_CA_CRT_FILENAME

              value: "ca.crt"

            - name: LDAP_TLS_ENFORCE

              value: "false"

            - name: LDAP_TLS_CIPHER_SUITE

              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"

            - name: LDAP_TLS_VERIFY_CLIENT

              value: "demand"

            - name: LDAP_REPLICATION

              value: "false"

            - name: LDAP_REPLICATION_CONFIG_SYNCPROV

              value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"

            - name: LDAP_REPLICATION_DB_SYNCPROV

              value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"

            - name: LDAP_REPLICATION_HOSTS

              value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"

            - name: KEEP_EXISTING_CONFIG

              value: "false"

            - name: LDAP_REMOVE_CONFIG_AFTER_SETUP

              value: "true"

            - name: LDAP_SSL_HELPER_PREFIX

              value: "ldap"

      volumes:

        - name: openldap-data

          persistentVolumeClaim:

            claimName: openldap-data

---

kind: PersistentVolumeClaim

apiVersion: v1

metadata:

  namespace: public-service

  name: openldap-data

spec:

  accessModes: [ "ReadWriteMany" ]

  storageClassName: "openldap-data-pv"

  resources:

    requests:

      storage: 1Gi

[root@k8s-master openldap]# cat ldap-service.yaml

apiVersion: v1

kind: Service

metadata:

  namespace: public-service

  labels:

    app: ldap

  name: ldap-service

spec:

  ports:

    - name: openldap

      port: 389

      protocol: TCP

      targetPort: openldap

    - name: ssl-ldap-port

      protocol: TCP

      port: 636

      targetPort: ssl-ldap-port

  selector:

    app: ldap

    [root@k8s-master openldap]# cat phpldapadmin-deployment.yaml

apiVersion: extensions/v1beta1

kind: Deployment

metadata:

  namespace: public-service

  annotations:

    kompose.cmd: kompose convert -f docker-compose.yml

    kompose.version: 1.16.0 (0c01309)

  creationTimestamp: null

  labels:

    io.kompose.service: phpldapadmin

  name: phpldapadmin

spec:

  replicas: 1

  strategy: {}

  template:

    metadata:

      creationTimestamp: null

      labels:

        io.kompose.service: phpldapadmin

    spec:

      containers:

      - env:

        - name: PHPLDAPADMIN_HTTPS

          value: "false"

        - name: PHPLDAPADMIN_LDAP_HOSTS

          value: ldap-service

        image: osixia/phpldapadmin:0.7.1

        name: phpldapadmin

        ports:

        - containerPort: 80

        resources: {}

      restartPolicy: Always

status: {}

cat phpldapadmin-service.yaml

apiVersion: v1

kind: Service

metadata:

  namespace: public-service

  annotations:

    kompose.cmd: kompose convert -f docker-compose.yml

    kompose.version: 1.16.0 (0c01309)

  creationTimestamp: null

  labels:

    io.kompose.service: phpldapadmin

  name: phpldapadmin

spec:

  ports:

  - name: "8080"

    port: 8080

    targetPort: 80

  selector:

    io.kompose.service: phpldapadmin

status:

  loadBalancer: {}

2、创建ldap-ui-ingress

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  name: ldap-ui

  namespace: public-service

  annotations:

    nginx.ingress.kubernetes.io/ssl-redirect: "true"

    kubernetes.io/tls-acme: "true"

    # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size

    nginx.ingress.kubernetes.io/proxy-body-size: 50m

    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"

    # For nginx-ingress controller < 0.9.0.beta-18

    ingress.kubernetes.io/ssl-redirect: "true"

    # "413 Request Entity Too Large" uploading plugins, increase client_max_body_size

    ingress.kubernetes.io/proxy-body-size: 50m

    ingress.kubernetes.io/proxy-request-buffering: "off"

spec:

  rules:

  - http:

      paths:

      - path: /

        backend:

          serviceName: phpldapadmin

          servicePort: 8080

    host: ldap.dashboard.com

  tls:

  - hosts:

    - ldap.dashboard.com

    secretName: ingress-secret

查看service,deploy和pod的启动情况。

root@k8s-master openldap]# kubectl get po,svc,pvc,Ingress -n public-service | grep ldap

pod/ldap-6fcc976d77-j4mwf          1/1    Running  0          28s

pod/phpldapadmin-67bcfb5647-m9pzc  1/1    Running  0          27s

service/ldap-service  ClusterIP  10.254.154.105  <none>        389/TCP    27s

service/phpldapadmin  ClusterIP  10.254.153.207  <none>        8080/TCP  27s

persistentvolumeclaim/openldap-data  Bound    openldap-data-pv  20Gi      RWX            openldap-data-pv  28s

ingress.extensions/ldap-ui  ldap.dashboard.com            80, 443  27s

使用浏览器访问phpldapadmin。地址为。ldap.dashboard.com