Dotbalo vor 6 Jahren
Ursprung
Commit
f00960c7bc

+ 8 - 0
openldap/environment/file-to-base64.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# print a file encode into base64
+
+FILE=$1
+
+FILE_ENCODED=$(cat $FILE | base64 --wrap=0)
+echo  $FILE_ENCODED
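Review bot: `$FILE` in `FILE_ENCODED=$(cat $FILE | base64 --wrap=0)` and `$FILE_ENCODED` in the echo are unquoted, so a path with spaces or glob characters is word-split and a missing argument silently turns the pipeline into `cat` reading stdin. Quote both and let base64 read the file itself: `FILE_ENCODED=$(base64 --wrap=0 -- "$FILE")` and `echo "$FILE_ENCODED"`, with `[ $# -eq 1 ] || { echo "usage: $0 FILE" >&2; exit 1; }` after the shebang to reject the missing-argument case. If the output is meant to be pasted into ldap-secret.yaml, a comment such as `# base64 is an encoding, not encryption: handle the resulting manifest like the plaintext password` states that caveat where the value is produced.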

+ 61 - 0
openldap/environment/my-env.startup.yaml

@@ -0,0 +1,61 @@
+# This is the default image startup configuration file
+# this file define environment variables used during the container **first start** in **startup files**.
+
+# This file is deleted right after startup files are processed for the first time,
+# after that all these values will not be available in the container environment.
+# This helps to keep your container configuration secret.
+# more information : https://github.com/osixia/docker-light-baseimage
+
+# Required and used for new ldap server only
+LDAP_ORGANISATION: Example Inc.
+LDAP_DOMAIN: example.org
+LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN
+
+LDAP_ADMIN_PASSWORD: admin
+LDAP_CONFIG_PASSWORD: config
+
+LDAP_READONLY_USER: false
+LDAP_READONLY_USER_USERNAME: readonly
+LDAP_READONLY_USER_PASSWORD: readonly
+
+LDAP_RFC2307BIS_SCHEMA: false
+
+# Backend
+LDAP_BACKEND: mdb
+
+# Tls
+LDAP_TLS: true
+LDAP_TLS_CRT_FILENAME: ldap.crt
+LDAP_TLS_KEY_FILENAME: ldap.key
+LDAP_TLS_CA_CRT_FILENAME: ca.crt
+
+LDAP_TLS_ENFORCE: false
+LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
+LDAP_TLS_VERIFY_CLIENT: demand
+
+# Replication
+LDAP_REPLICATION: false
+# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
+# are automaticaly replaced at run time
+
+# if you want to add replication to an existing ldap
+# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
+# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
+LDAP_REPLICATION_HOSTS:
+  - ldap://ldap.example.org # The order must be the same on all ldap servers
+  - ldap://ldap2.example.org
+
+
+# Do not change the ldap config
+# - If set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run.
+#   The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
+# - If set to true when bootstrapping a new database, bootstap ldif and schema will not be added and tls and replication config will not be run.
+KEEP_EXISTING_CONFIG: false
+
+# Remove config after setup
+LDAP_REMOVE_CONFIG_AFTER_SETUP: true
+
+# ssl-helper environment variables prefix
+LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
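Review bot: `LDAP_ADMIN_PASSWORD: admin`, `LDAP_CONFIG_PASSWORD: config` and `LDAP_READONLY_USER_PASSWORD: readonly` commit working default credentials in plaintext; if this file is only the template whose live values arrive through the `ldap-secret` volume the deployment mounts at `/container/environment/01-custom`, a header comment such as `# Placeholder values: the deployed credentials come from the ldap-secret Secret, not from this file` keeps the next reader from treating them as the real ones, and blanking the three values would remove the working defaults altogether. `LDAP_BASE_DN:` is a bare empty value, which most YAML loaders read as null rather than an empty string; the trailing comment says empty means derive from `LDAP_DOMAIN`, so `LDAP_BASE_DN: ""` states that intent without depending on the image treating null and empty alike. The comment `are automaticaly replaced at run time` has a typo, `automatically`.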

+ 10 - 0
openldap/environment/my-env.yaml

@@ -0,0 +1,10 @@
+# This is the default image configuration file
+# These values will persists in container environment.
+
+# All environment variables used after the container first start
+# must be defined here.
+# more information : https://github.com/osixia/docker-light-baseimage
+
+# General container configuration
+# see table 5.1 in http://www.openldap.org/doc/admin24/slapdconf2.html for the available log levels.
+LDAP_LOG_LEVEL: 256

+ 40 - 95
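--- a/openldap/ldap-deployment.yaml
+++ b/openldap/ldap-deployment.yaml
@@ -2,124 +2,69 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   namespace: public-service
-  name: openldap
+  name: ldap
   labels:
-    app: openldap
+    app: ldap
 spec:
   replicas: 1
   template:
     metadata:
       labels:
-        app: openldap
+        app: ldap
     spec:
       containers:
-        - name: openldap
-          image: osixia/openldap:1.2.1
+        - name: ldap
+          image: osixia/openldap:1.2.2
+          args: ["--copy-service"]
           volumeMounts:
-            - name: ldap-data
+            - name: openldap-data
               mountPath: /var/lib/ldap
-            - name: ldap-config
+              subPath: data
+            - name: openldap-data
               mountPath: /etc/ldap/slapd.d
-            - name: ldap-certs
+              subPath: config
+            - name: openldap-data
               mountPath: /container/service/slapd/assets/certs
+              subPath: certs
+            - name: secret-volume
+              mountPath: /container/environment/01-custom
+            - name: container-run
+              mountPath: /container/run
           ports:
             - containerPort: 389
               name: openldap
-          env:
-            - name: LDAP_LOG_LEVEL
-              value: "256"
-            - name: LDAP_ORGANISATION
-              value: "Example Inc."
-            - name: LDAP_DOMAIN
-              value: "example.org"
-            - name: LDAP_ADMIN_PASSWORD
-              value: "admin"
-            - name: LDAP_CONFIG_PASSWORD
-              value: "config"
-            - name: LDAP_READONLY_USER
-              value: "false"
-            - name: LDAP_READONLY_USER_USERNAME
-              value: "readonly"
-            - name: LDAP_READONLY_USER_PASSWORD
-              value: "readonly"
-            - name: LDAP_RFC2307BIS_SCHEMA
-              value: "false"
-            - name: LDAP_BACKEND
-              value: "mdb"
-            - name: LDAP_TLS
-              value: "true"
-            - name: LDAP_TLS_CRT_FILENAME
-              value: "ldap.crt"
-            - name: LDAP_TLS_KEY_FILENAME
-              value: "ldap.key"
-            - name: LDAP_TLS_CA_CRT_FILENAME
-              value: "ca.crt"
-            - name: LDAP_TLS_ENFORCE
-              value: "false"
-            - name: LDAP_TLS_CIPHER_SUITE
-              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
-            - name: LDAP_TLS_VERIFY_CLIENT
-              value: "demand"
-            - name: LDAP_REPLICATION
-              value: "false"
-            - name: LDAP_REPLICATION_CONFIG_SYNCPROV
-              value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
-            - name: LDAP_REPLICATION_DB_SYNCPROV
-              value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
-            - name: LDAP_REPLICATION_HOSTS
-              value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"
-            - name: KEEP_EXISTING_CONFIG
-              value: "false"
-            - name: LDAP_REMOVE_CONFIG_AFTER_SETUP
-              value: "true"
-            - name: LDAP_SSL_HELPER_PREFIX
-              value: "ldap"
+            - name: ssl-ldap-port
+              containerPort: 636
+          livenessProbe:
+            tcpSocket:
+              port: openldap
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            failureThreshold: 10
+          readinessProbe:
+            tcpSocket:
+              port: openldap
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            failureThreshold: 10
       volumes:
-        - name: ldap-data
+        - name: openldap-data
           persistentVolumeClaim:
-            claimName: ldap-data
-        - name: ldap-config
-          persistentVolumeClaim:
-            claimName: ldap-config
-        - name: ldap-certs
-          persistentVolumeClaim:
-            claimName: ldap-certs
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  namespace: public-service
-  name: ldap-data
-spec:
-  accessModes: [ "ReadWriteOnce" ]
-  storageClassName: "gluster-heketi"
-  resources:
-    requests:
-      storage: 100Mi
-
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  namespace: public-service
-  name: ldap-config
-spec:
-  accessModes: [ "ReadWriteOnce" ]
-  storageClassName: "gluster-heketi"
-  resources:
-    requests:
-      storage: 10Mi
+            claimName: openldap-data
+        - name: "secret-volume"
+          secret:
+            secretName: "ldap-secret"
+        - name: container-run
+          emptyDir: {}
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   namespace: public-service
-  name: ldap-certs
+  name: openldap-data
 spec:
-  accessModes: [ "ReadWriteOnce" ]
+  accessModes: [ "ReadWriteMany" ]
   storageClassName: "gluster-heketi"
   resources:
     requests:
-      storage: 10Mi
-
-
+      storage: 1Gi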
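Review bot: The Deployment keeps the default RollingUpdate strategy while all three slapd directories (the `data`, `config` and `certs` subPaths of the `openldap-data` claim) now sit on one `ReadWriteMany` volume, so a rollout starts the replacement pod before the old one stops and two slapd processes can hold the same `/var/lib/ldap` mdb files and `slapd.d` tree open at once; with `replicas: 1` that is a corruption risk rather than an availability gain, and `strategy:` / `  type: Recreate` under `spec:` avoids it. The `secret-volume` mount at `/container/environment/01-custom` uses the Secret volume's default file mode, which is readable by every uid in the container; if the image's startup runs as root, `defaultMode: 0400` on the `ldap-secret` volume narrows that. The file's `apiVersion` line is above the hunk.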

+ 11 - 0
openldap/ldap-secret.yaml


+ 10 - 3
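--- a/openldap/ldap-service.yaml
+++ b/openldap/ldap-service.yaml
@@ -3,10 +3,17 @@ kind: Service
 metadata:
   namespace: public-service
   labels:
-    app: openldap
+    app: ldap
   name: ldap-service
 spec:
   ports:
-    - port: 389
+    - name: openldap
+      protocol: TCP
+      port: 389
+      targetPort: openldap
+    - name: ssl-ldap-port
+      protocol: TCP
+      port: 636
+      targetPort: ssl-ldap-port
   selector:
-    app: openldap
+    app: ldap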
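Review bot: The Service now exposes both `port: 389` and `port: 636`, while `my-env.startup.yaml` in this same commit leaves `LDAP_TLS_ENFORCE: false`, so a client that binds on 389 without STARTTLS sends the admin or read-only password in cleartext across the cluster network; if every consumer can use 636 or STARTTLS, either drop the 389 entry from the Service or set `LDAP_TLS_ENFORCE: true` in the startup environment. `protocol: TCP` on both port entries is the Kubernetes default and can be omitted, though keeping it explicit is harmless. The Service's `kind` and `apiVersion` lines sit above the hunk.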
