From f28e43ed58bbd293ae25e0617dd361214250c885 Mon Sep 17 00:00:00 2001
From: rmahique-github <>
Date: Fri, 25 Oct 2024 17:09:13 +0200
Subject: [PATCH] changed to helm chart
---
charts/ds389/Chart.yaml | 6 +
charts/ds389/templates/namespace.yaml | 5 +
charts/ds389/templates/secrets.yaml | 18 ++
charts/ds389/templates/service-external.yaml | 23 +++
charts/ds389/templates/service-internal.yaml | 22 +++
charts/ds389/templates/serviceaccount.yaml | 6 +
charts/ds389/templates/statefulset.yaml | 94 +++++++++
charts/ds389/values.yaml | 16 ++
scripts/authentication/389.yml | 195 -------------------
scripts/authentication/ds389.sh | 41 ++--
10 files changed, 211 insertions(+), 215 deletions(-)
create mode 100644 charts/ds389/Chart.yaml
create mode 100644 charts/ds389/templates/namespace.yaml
create mode 100644 charts/ds389/templates/secrets.yaml
create mode 100644 charts/ds389/templates/service-external.yaml
create mode 100644 charts/ds389/templates/service-internal.yaml
create mode 100644 charts/ds389/templates/serviceaccount.yaml
create mode 100644 charts/ds389/templates/statefulset.yaml
create mode 100644 charts/ds389/values.yaml
delete mode 100644 scripts/authentication/389.yml
diff --git a/charts/ds389/Chart.yaml b/charts/ds389/Chart.yaml
new file mode 100644
index 0000000..4d71889
--- /dev/null
+++ b/charts/ds389/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ds389-helm-chart
+description: A Helm chart for deploying the 389 Directory Server
+version: 1.0.0
+appVersion: "1.0"
+
diff --git a/charts/ds389/templates/namespace.yaml b/charts/ds389/templates/namespace.yaml
new file mode 100644
index 0000000..9752c5c
--- /dev/null
+++ b/charts/ds389/templates/namespace.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.ds389.nsName }}
+
diff --git a/charts/ds389/templates/secrets.yaml b/charts/ds389/templates/secrets.yaml
new file mode 100644
index 0000000..ce882b3
--- /dev/null
+++ b/charts/ds389/templates/secrets.yaml
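Review bot: Templating a `Namespace` object named from `.Values.ds389.nsName` means `helm uninstall` removes that namespace and everything inside it, and an install into a namespace that already exists (for example one created with `--create-namespace`, or shared with another release) typically fails because Helm will not adopt a resource it does not own. The common pattern is to drop this template and have every resource use `namespace: {{ .Release.Namespace }}` so the release record and its objects live in the same namespace. If the template is kept, a comment such as `# NOTE: this Namespace is owned by the release; uninstalling deletes it and all resources in it` at the top of the file would at least warn operators.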
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dirsrv-tls-secret
+ namespace: {{ .Values.ds389.nsName }}
+data:
+ tls.key: {{ .Values.ds389.tlsKey | b64enc | quote }}
+ tls.crt: {{ .Values.ds389.tlsCert | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dirsrv-dm-password
+ namespace: {{ .Values.ds389.nsName }}
+data:
+ dm-password: {{ .Values.ds389.dmPassword | quote }}
+
diff --git a/charts/ds389/templates/service-external.yaml b/charts/ds389/templates/service-external.yaml
new file mode 100644
index 0000000..e454d0c
--- /dev/null
+++ b/charts/ds389/templates/service-external.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ .Values.ds389.name }}
+ name: {{ .Values.ds389.name }}-external-svc
+ namespace: {{ .Values.ds389.nsName }}
+spec:
+ ports:
+ - name: {{ .Values.ds389.name }}-port
+ port: {{ .Values.ds389.internalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.ds389.internalPort }}
+ nodePort: {{ .Values.ds389.nodePort }}
+ - name: {{ .Values.ds389.name }}-tls-port
+ port: {{ .Values.ds389.tlsPort }}
+ protocol: TCP
+ targetPort: {{ .Values.ds389.tlsPort }}
+ nodePort: {{ .Values.ds389.nodePortTls }}
+ selector:
+ app: {{ .Values.ds389.name }}
+ type: NodePort
+
diff --git a/charts/ds389/templates/service-internal.yaml b/charts/ds389/templates/service-internal.yaml
new file mode 100644
index 0000000..eb6178d
--- /dev/null
+++ b/charts/ds389/templates/service-internal.yaml
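Review bot: `tls.key` and `tls.crt` run `.Values.ds389.tlsKey`/`tlsCert` through `b64enc`, but the values.yaml in this commit already supplies those fields base64-encoded (the removed 389.yml placed the very same blobs directly under `data:`), so the mounted `server.key`/`server.crt` would contain base64 text rather than PEM, while two lines later `dm-password` is written under `data:` with no `b64enc` and therefore expects a pre-encoded input — the two Secrets disagree on what a value looks like, and `--set ds389.dmPassword=plaintext` would produce a Secret the API server rejects as invalid base64. Pick one convention: take plaintext/PEM in values and encode in the template everywhere, and refuse to render an empty credential, e.g. `dm-password: {{ required "ds389.dmPassword must be set" .Values.ds389.dmPassword | b64enc | quote }}` (equivalently `stringData:` without `b64enc`). A one-line comment above each Secret stating the expected input form, such as `# values are plaintext/PEM; encoding happens here`, would stop the next contributor from re-introducing the mismatch.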
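Review bot: The NodePort publishes the plaintext LDAP listener (`internalPort` 3389 as nodePort 30389) on every cluster node next to the TLS one, and the updated ds389.sh example connects to exactly that port with `ldap://…:30389` and `-w` as `cn=Directory Manager`, so the admin password would cross the network unencrypted. Consider exposing only the TLS port externally, or wrapping the first `ports` entry in `{{- if .Values.ds389.exposePlaintext }}` so plaintext is opt-in; if 3389 must stay reachable, set `nsslapd-require-secure-binds=on` in the server configuration so simple binds on it are refused. The fixed `nodePort` values also assume the default 30000-32767 range and will fail to apply on clusters configured otherwise, which is worth a comment in values.yaml.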
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ .Values.ds389.name }}
+ name: {{ .Values.ds389.name }}-internal-svc
+ namespace: {{ .Values.ds389.nsName }}
+spec:
+ clusterIP: None
+ ports:
+ - name: {{ .Values.ds389.name }}-port
+ port: {{ .Values.ds389.internalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.ds389.internalPort }}
+ - name: {{ .Values.ds389.name }}-tls-port
+ port: {{ .Values.ds389.tlsPort }}
+ protocol: TCP
+ targetPort: {{ .Values.ds389.tlsPort }}
+ selector:
+ app: {{ .Values.ds389.name }}
+ type: ClusterIP
+
diff --git a/charts/ds389/templates/serviceaccount.yaml b/charts/ds389/templates/serviceaccount.yaml
new file mode 100644
index 0000000..ce47416
--- /dev/null
+++ b/charts/ds389/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.ds389.name }}-sa
+ namespace: {{ .Values.ds389.nsName }}
+
diff --git a/charts/ds389/templates/statefulset.yaml b/charts/ds389/templates/statefulset.yaml
new file mode 100644
index 0000000..9639426
--- /dev/null
+++ b/charts/ds389/templates/statefulset.yaml
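Review bot: This ServiceAccount exists only to be referenced by the dirsrv pod, and nothing in the chart's StatefulSet suggests the directory server calls the Kubernetes API, yet with the defaults its token is still mounted into the container. Add `automountServiceAccountToken: false` at the top level of this manifest (or under the pod `spec`) so a compromise of the LDAP service does not also yield a cluster credential. A short comment, `# no API access needed; token mount disabled on purpose`, documents the decision for anyone who later needs to bind a Role to it.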
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ .Values.ds389.name }}
+ namespace: {{ .Values.ds389.nsName }}
+spec:
+ serviceName: {{ .Values.ds389.name }}-internal-svc
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Values.ds389.name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.ds389.name }}
+ spec:
+ serviceAccountName: {{ .Values.ds389.name }}-sa
+ securityContext:
+ fsGroup: 499
+ initContainers:
+ - name: {{ .Values.ds389.name }}-init-container
+ image: busybox
+ command: ["/bin/sh", "-c", "chown -R 499:499 /data"]
+ volumeMounts:
+ - name: {{ .Values.ds389.name }}-data
+ mountPath: /data
+ containers:
+ - name: dirsrv-container
+ image: {{ .Values.ds389.image }}
+ lifecycle:
+ postStart:
+ exec:
+ command: ["/bin/sh", "-c", "sleep 60;
+ dsconf localhost backend create --suffix {{ .Values.ds389.rootDN }} --be-name userroot --create-suffix --create-entries ;
+ dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ;
+ dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ;
+ dsconf localhost config replace nsslapd-rootpw={{ .Values.ds389.dm_pwd }} ;
+ dsconf localhost plugin referential-integrity enable ;
+ dsconf localhost plugin memberof enable ;
+ dsconf localhost config replace nsslapd-allow-anonymous-access=off ;
+ dsidm localhost --basedn {{ .Values.ds389.rootDN }} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ;
+ dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=ldap_user,ou=people,{{ .Values.ds389.rootDN }} {{ .Values.ds389.users_pwd }} ;
+ dsidm localhost --basedn {{ .Values.ds389.rootDN }} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ;
+ dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=developer,ou=people,{{ .Values.ds389.rootDN }} {{ .Values.ds389.users_pwd }} ;
+
dsidm localhost --basedn {{ .Values.ds389.rootDN }} group create --cn developers;
+ dsidm localhost -b {{ .Values.ds389.rootDN }} group add_member developers uid=developer,ou=people,{{ .Values.ds389.rootDN }}
+ "]
+ env:
+ - name: DS_DM_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: dirsrv-dm-password
+ key: dm-password
+ - name: DS_SUFFIX_NAME
+ value: "{{ .Values.ds389.rootDN }}"
+ - name: DS_ERRORLOG_LEVEL
+ value: "8192"
+ - name: DS_MEMORY_PERCENTAGE
+ value: "10"
+ - name: DS_REINDEX
+ value: "True"
+ - name: DS_STARTUP_TIMEOUT
+ value: "120"
+ ports:
+ - containerPort: {{ .Values.ds389.internalPort }}
+ protocol: TCP
+ - containerPort: {{ .Values.ds389.tlsPort }}
+ protocol: TCP
+ securityContext:
+ runAsUser: 489
+ volumeMounts:
+ - name: {{ .Values.ds389.name }}-data
+ mountPath: "/data"
+ - name: dirsrv-tls
+ mountPath: '/data/tls/'
+ readOnly: true
+ volumes:
+ - name: dirsrv-tls
+ secret:
+ secretName: dirsrv-tls-secret
+ items:
+ - key: tls.key
+ path: server.key
+ - key: tls.crt
+ path: server.crt
+ volumeClaimTemplates:
+ - metadata:
+ name: {{ .Values.ds389.name }}-data
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: {{ .Values.ds389.vcSize }}
+
diff --git a/charts/ds389/values.yaml b/charts/ds389/values.yaml
new file mode 100644
index 0000000..3ab000e
--- /dev/null
+++ b/charts/ds389/values.yaml
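Review bot: The postStart command templates `{{ .Values.ds389.dm_pwd }}` and `{{ .Values.ds389.users_pwd }}`, but the values.yaml in this same commit defines `dmPassword` and `userPassword`, so with chart defaults both expand to nothing and `nsslapd-rootpw=` plus the two `account change_password` calls run with an empty password — and whatever a user does supply lands in cleartext in the rendered StatefulSet, the Helm release secret and the container's process list. The Directory Manager password is already delivered as `DS_DM_PASSWORD` from the `dirsrv-dm-password` Secret (the removed 389.yml annotates that variable as setting `cn=Directory Manager`'s password), so the `nsslapd-rootpw` line should reference `\"$DS_DM_PASSWORD\"` instead of a template value — or be dropped if the image already applies it — and the user password should reach the shell the same way from a Secret key, as sketched below. Two smaller items: `image: busybox` and `image: {{ .Values.ds389.image }}` carry no tag or digest and so float on `latest`, and the init container chowns `/data` to `499:499` while the main container has `runAsUser: 489`, which looks like a typo for 499 and is worth confirming against the image's dirsrv uid.

```yaml
              command: ["/bin/sh", "-c", "sleep 60;
                dsconf localhost backend create --suffix {{ .Values.ds389.rootDN }} --be-name userroot --create-suffix --create-entries ;
                dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ;
                dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ;
                dsconf localhost config replace nsslapd-rootpw=\"$DS_DM_PASSWORD\" ;
                # … unchanged: plugin enables, anonymous-access off, user create …
                dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=ldap_user,ou=people,{{ .Values.ds389.rootDN }} \"$DS_USERS_PASSWORD\" ;
                dsidm localhost -b {{ .Values.ds389.rootDN }} account change_password uid=developer,ou=people,{{ .Values.ds389.rootDN }} \"$DS_USERS_PASSWORD\" ;
                # … unchanged: group create / add_member, closing "] …
          env:
            - name: DS_DM_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dirsrv-dm-password
                  key: dm-password
            - name: DS_USERS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dirsrv-dm-password
                  key: users-password   # key to be added to secrets.yaml
```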
@@ -0,0 +1,16 @@
+# Default values for ds389-helm-chart
+ds389:
+ nsName: "ds389"
+ name: "ds389"
+ image: "docker.io/389ds/dirsrv"
+ tlsKey: "LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcwQkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FGbEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQ=="
+ tlsCert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5CZ2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
+ dmPassword: "YWRtaW4xMjM="
+ rootDN: "dc=mydemo,dc=lab"
+ userPassword: "supersecret123"
+ vcSize: "5Gi"
+ internalPort: 3389
+ tlsPort: 3636
+ nodePort: 30389
+ nodePortTls: 30636
+
diff --git a/scripts/authentication/389.yml b/scripts/authentication/389.yml
deleted file mode 100644
index 6e185fd..0000000
--- a/scripts/authentication/389.yml
+++ /dev/null
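Review bot: `dmPassword` defaults to `YWRtaW4xMjM=`, which the removed 389.yml annotates as `admin123` and which the script's example still uses, and `tlsKey`/`tlsCert` ship a default private key and certificate, so anyone who installs with defaults gets a directory whose `cn=Directory Manager` credential and server key are public in this repository. Leave `dmPassword`, `tlsKey` and `tlsCert` empty here and fail the render with `required` in the templates (or offer an `existingSecret` name), and say so in place: `# credentials and TLS material have no defaults on purpose; supply them with --set or a values override, never commit them`. Note also that `userPassword` is consumed by nothing in this commit — statefulset.yaml reads `.Values.ds389.users_pwd` and `.Values.ds389.dm_pwd` — so this default silently does nothing and the key names need to agree. The `tlsKey` blob decodes to an `ENCRYPTED PRIVATE KEY` header with a literal `...` in the middle, so it looks like a truncated placeholder rather than a usable key; if that is intended, a comment should say it is illustrative.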
@@ -1,195 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ${ds389_ns_name:-ds389} -... ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ${ds389_name:-ds389}-sa - namespace: ${ds389_ns_name:-ds389} -... - - ---- -apiVersion: v1 -kind: Secret -metadata: - name: dirsrv-tls-secret - namespace: ${ds389_ns_name:-ds389} -data: - tls.key: | - ${ds389_tls_key:-LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcw - QkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FG - bEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVkt - LS0tLQ==} - tls.crt: | - ${ds389_tls_cert:-LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5C - Z2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51 - ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t} -... - ---- -apiVersion: v1 -kind: Secret -metadata: - name: dirsrv-dm-password - namespace: ${ds389_ns_name:-ds389} -data: -# Password must be in base64 - dm-password: ${ds389_dm_pwd_b64:-YWRtaW4xMjM=} -# dm-password: admin123 -... - - ---- -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: ${ds389_name:-ds389} - namespace: ${ds389_ns_name:-ds389} -spec: - serviceName: ${ds389_name:-ds389}-internal-svc - replicas: 1 - selector: - matchLabels: - app: ${ds389_name:-ds389} - template: - metadata: - labels: - app: ${ds389_name:-ds389} - spec: - serviceAccountName: ${ds389_name:-ds389}-sa - securityContext: - fsGroup: 499 - initContainers: - # Init container is required to change the permissions after a persistent volume is mounted. - # Otherwise dscontainer will be denied to create subdirectories and will fail to start. 
- - name: ${ds389_name:-ds389}-init-container - image: busybox - command: ["/bin/sh", "-c", "chown -R 499:499 /data"] - volumeMounts: - - name: ${ds389_name:-ds389}-data - mountPath: /data - containers: - - name: dirsrv-container - image: ${ds389_image:-docker.io/389ds/dirsrv} - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "sleep 60; dsconf localhost backend create --suffix ${ds389_rootdn:-dc=mydemo,dc=lab} --be-name userroot --create-suffix --create-entries ; - dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ; - dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ; - dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123} ; - dsconf localhost plugin referential-integrity enable ; - dsconf localhost plugin memberof enable ; - dsconf localhost config replace nsslapd-allow-anonymous-access=off ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=ldap_user,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ; - dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} group create --cn developers; - dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} group add_member developers uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} "] - env: - ## Set `cn=Directory Manager`'s password - - name: DS_DM_PASSWORD - valueFrom: - secretKeyRef: - name: dirsrv-dm-password - key: dm-password - ## Use 
suffix as a basedn in `dsrc` file - - name: DS_SUFFIX_NAME - value: "${ds389_rootdn:-dc=mydemo,dc=lab}" - ## DS_ERRORLOG_LEVEL - set the log level for `ns-slapd`, default is 266354688 - - name: DS_ERRORLOG_LEVEL - value: "8192" - ## DS_MEMORY_PERCENTAGE - set LDBM autotune percentage (`nsslapd-cache-autosize`), default is 25 - - name: DS_MEMORY_PERCENTAGE - value: "10" - ## DS_REINDEX` - run database reindex task (`db2index`) - - name: DS_REINDEX - value: "True" - ## DS_STARTUP_TIMEOUT - set container startup timeout in seconds, default is 60 seconds. - - name: DS_STARTUP_TIMEOUT - value: "120" - ports: - - containerPort: 3389 - protocol: TCP - - containerPort: 3636 - protocol: TCP - securityContext: - runAsUser: 489 - volumeMounts: - - name: ${ds389_name:-ds389}-data - mountPath: "/data" - - name: dirsrv-tls - mountPath: '/data/tls/' - readOnly: true - volumes: - - name: dirsrv-tls - secret: - secretName: dirsrv-tls-secret - items: - - key: tls.key - path: server.key - - key: tls.crt - path: server.crt - volumeClaimTemplates: - - metadata: - name: ${ds389_name:-ds389}-data - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: ${ds389_vc_size:-5Gi} -... ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: ${ds389_name:-ds389} - name: ${ds389_name:-ds389}-internal-svc - namespace: ${ds389_ns_name:-ds389} -spec: - clusterIP: None - ports: - - name: ${ds389_name:-ds389}-port - port: 3389 - protocol: TCP - targetPort: 3389 - - name: ${ds389_name:-ds389}-tls-port - port: 3636 - protocol: TCP - targetPort: 3636 - selector: - app: ${ds389_name:-ds389} - type: ClusterIP -... 
---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: ${ds389_name:-ds389} - name: ${ds389_name:-ds389}-external-svc - namespace: ${ds389_ns_name:-ds389} -spec: - ports: - - name: ${ds389_name:-ds389}-port - port: 3389 - protocol: TCP - targetPort: 3389 - nodePort: ${ds389_port:-30389} - - name: ${ds389_name:-ds389}-tls-port - port: 3636 - protocol: TCP - targetPort: 3636 - nodePort: ${ds389_port_tls:-30636} - selector: - app: ${ds389_name:-ds389} - type: NodePort -... - diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh index d591f20..5a704df 100644 --- a/scripts/authentication/ds389.sh +++ b/scripts/authentication/ds389.sh @@ -1,24 +1,15 @@ #!/bin/bash +# example: +#_admin_user="cn=Directory Manager" +#_admin_pwd="admin123" +#_uri="ldap://node101.mydemo.lab:30389" +#_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" +#_basedn="dc=mydemo,dc=lab" +#_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" +#_ldap_user_pwd="supersecret123" -_admin_user="cn=Directory Manager" -_admin_pwd="admin123" -_uri="ldap://node101.mydemo.lab:30389" -_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'" -_basedn="dc=mydemo,dc=lab" -_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}" -_ldap_user_pwd="supersecret123" - - - -# Inspired from https://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash#11050943 -function process_templates() { - eval "cat </tmp/389.yml - kubectl apply -f /tmp/389.yml + + # add the repo + helm repo add suse-lab-setup https://opensource.suse.com/lab-setup + helm repo update + + # installs the chart with default parameters + if [[ -f values.yaml ]] + then + helm upgrade --install ds389 suse-lab-setup/ds389 -f values.yaml + else + helm upgrade --install ds389 suse-lab-setup/ds389 + fi + sleep 60 ds389_restrict_permissions ds389_ldap_user-user_private_read
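Review bot: The `else` branch installs the chart with its bundled defaults — i.e. the committed Directory Manager password and TLS key from values.yaml — and neither `helm upgrade --install` invocation passes `--namespace`, so the release record lands in whatever namespace kubectl currently points at while the templated resources go to `ds389`. Have the script refuse to proceed when no values override is present (or generate a password and pass it with `--set ds389.dmPassword=...`), and add `--namespace ds389 --wait` so the hard-coded `sleep 60` is no longer what stands between the install and the following `ds389_restrict_permissions` call. The function enclosing these lines begins outside the hunk, and the commented-out example above them still carries the `admin123` value, which is worth replacing with a placeholder.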