1,基本概念
- 為了方便管理和集成jenkins,k8s、harbor、jenkins均使用openLDAP統一認證。
2,部署openLDAP
- 根據之前的文檔,openLDAP使用GFS進行數據持久化。
- 下載對應的openLDAP文件
git clone https://github.com/xiaoqshuo/k8s-cluster.git
2.1 創建openLDAP
[root@k8s-master01 k8s-cluster]# kubectl apply -f openldap/
deployment.extensions/ldap created
persistentvolumeclaim/openldap-data created
secret/ldap-secret created
service/ldap-service created
deployment.extensions/phpldapadmin created
service/phpldapadmin created
2.2 創建ldap-ui-ingress
[root@k8s-master01 openldap]# kubectl create -f traefik-ldap.yaml
ingress.extensions/ldap-ui created
[root@k8s-master01 openldap]# cat traefik-ldap.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ldap-ui
namespace: public-service
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: ldap.k8s.net
http:
paths:
- backend:
serviceName: phpldapadmin
servicePort: 8080
3, 查看驗證
[root@k8s-master01 openldap]# kubectl get po,svc,pvc -n public-service | grep ldap
pod/ldap-6c9fcc7446-r52r7 1/1 Running 0 4m19s
pod/phpldapadmin-6784bf8db-gxqw2 1/1 Running 0 4m16s
service/glusterfs-dynamic-openldap-data ClusterIP 10.96.177.154 <none> 1/TCP 3m29s
service/ldap-service ClusterIP 10.111.36.109 <none> 389/TCP,636/TCP 4m16s
service/phpldapadmin ClusterIP 10.103.142.162 <none> 8080/TCP 4m11s
persistentvolumeclaim/openldap-data Bound pvc-252ac771-01da-11e9-b0c8-000c2927a0d0 1Gi RWX gluster-heketi 4m20s
3.1 訪問web
- 訪問phpldapadmin:ldap.k8s.net
- 登錄
- 默認DN:cn=admin,dc=example,dc=org,默認Password:admin(線上系統需自定義修改)
4, 添加用戶和組
4.1 創建Groups和People OU
4.2 創建組和用戶
4.2.1 組 dev devops test
4.2.2 用戶
- 填寫基本信息,選擇組和Login Shell
- 注意修改Common Name
4.3 為每個用戶添加Email,沒有Email無法登陸gitlab
5,配置k8s使用ldap登錄
未完待續
