# helm repo add helm-openldap https://jp-gouin.github.io/helm-openldap/
# helm install my-release helm-openldap/openldap-stack-ha
# helm install openldap helm-openldap/openldap-stack-ha -f openldap-values.yaml
# helm upgrade openldap helm-openldap/openldap-stack-ha -f openldap-values.yaml
# 配置示例 集成 sudo与openssh-lpk 模块 openldap-values.yaml
# cat openldap-values.yaml
# Default values for openldap.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Global Docker image parameters
# Please, note that this will override the image parameters, including dependencies, configured to use the global value
# Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
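global:
  imageRegistry: ''
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  # imagePullSecrets: [""]
  ## ldapDomain can be explicit (e.g. dc=toto,c=ca) or domain based (e.g. example.com)
  ldapDomain: 'vimll.com'
  # Specifies an existing secret to be used for admin and config user passwords.
  # The expected keys are LDAP_ADMIN_PASSWORD and LDAP_CONFIG_ADMIN_PASSWORD.
  # existingSecret: ""
  ## Default passwords to use, stored as a secret. Not used if existingSecret is set.
  # NOTE(review): these credentials sit in clear text in a values file that is
  # typically committed to VCS and are also retrievable via `helm get values`.
  # They are also short, low-entropy values. Prefer creating the Secret out of
  # band and referencing it through `existingSecret`; rotate these if they were
  # ever used. Quoted so the leading `@`/digits are never re-typed by a parser.
  adminPassword: 'T@123'
  configPassword: 'T@1234'
  # Plaintext and TLS listener ports (integers, as the chart expects).
  ldapPort: 389
  sslLdapPort: 636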
## @section Common parameters
## @param kubeVersion Override Kubernetes version
kubeVersion: ''
## @param nameOverride String to partially override common.names.fullname
nameOverride: ''
## @param fullnameOverride String to fully override common.names.fullname
fullnameOverride: ''
## @param commonLabels Labels to add to all deployed objects
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
extraDeploy: []
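# Number of OpenLDAP StatefulSet replicas (replication is enabled further down).
replicaCount: 3

image:
  # From repository https://hub.docker.com/r/bitnami/openldap/
  repository: bitnami/openldap
  # Pinned tag, quoted so a two-component tag such as 2.6 can never be read as a float.
  # A tag is still mutable at the registry; pin a digest if the chart/image supports it.
  tag: "2.6.3"
  pullPolicy: Always
  pullSecrets: []

# Set the container log level
# Valid log levels: none, error, warning, info (default), debug, trace
logLevel: info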
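# Settings for enabling TLS with a custom certificate.
# Needs a secret with tls.crt, tls.key and ca.crt keys with associated files
# Ref: https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#create-a-secret
customTLS:
  enabled: true
  image:
    repository: alpine/openssl
    # NOTE(review): `latest` is a mutable tag — the image that actually runs can
    # change between pod restarts with no change to this file. Pin a specific
    # tag (or a digest) for a reproducible, reviewable supply chain.
    tag: latest
  secret: "vimll-com-all"  # The name of a kubernetes.io/tls type secret to use for TLS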
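## Add additional labels to all resources
extraLabels: {}

service:
  annotations: {}
  ## If service type NodePort, define the value here
  # ldapPortNodePort:
  # sslLdapPortNodePort:
  ## List of IP addresses at which the service is available
  ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
  ##
  externalIPs: []
  # loadBalancerIP:
  # NOTE(review): with `type: LoadBalancer` and no `loadBalancerSourceRanges`, both
  # the plaintext LDAP port (389) and the TLS port (636) are reachable from any
  # source the load balancer admits, and `env.LDAP_TLS_ENFORCE` in this file is
  # "false". Restrict the source ranges, or use ClusterIP if clients are in-cluster.
  # loadBalancerSourceRanges: []
  # type: ClusterIP
  type: LoadBalancer
  sessionAffinity: None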
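# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://hub.docker.com/r/bitnami/openldap/
# Be careful, do not modify the following values unless you know exactly what you are doing.
# All values are strings on purpose: the container reads them from the environment.
env:
  # NOTE(review): debug output lands in the pod log; turn off once the rollout is stable.
  BITNAMI_DEBUG: "true"
  LDAP_LOGLEVEL: "256"
  # NOTE(review): TLS is enabled (LDAP_ENABLE_TLS) but not enforced, so simple binds
  # carrying passwords are also accepted in clear text on port 389 — and the Service
  # in this file is of type LoadBalancer. Set "true" once every client uses ldaps://
  # or StartTLS.
  LDAP_TLS_ENFORCE: "false"
  # NOTE(review): libldap client setting — "never" skips verification of the remote
  # server certificate for connections this container initiates itself. Prefer
  # "demand" with a CA the peers share once all of them present certificates.
  LDAPTLS_REQCERT: "never"
  LDAP_ENABLE_TLS: "yes"
  LDAP_CONFIG_ADMIN_ENABLED: "yes"
  LDAP_CONFIG_ADMIN_USERNAME: "admin"
  LDAP_SKIP_DEFAULT_TREE: "no"
  # "try" requests a client certificate but lets the session proceed when none or an
  # invalid one is presented, so client certificates add no authentication here.
  LDAP_TLS_VERIFY_CLIENT: "try"
  # Schema files loaded at startup. `sudo` corresponds to customSchemaFiles.sudo.ldif;
  # `openssh-lpk` is also defined under customSchemaFiles but is NOT listed here —
  # if the chart loads custom schemas only through this list, add `openssh-lpk`
  # (TODO confirm against the chart templates).
  LDAP_EXTRA_SCHEMAS: "cosine,inetorgperson,nis,syncprov,serverid,csyncprov,rep,bsyncprov,brep,acls,sudo"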
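# Pod Disruption Budget for the StatefulSet.
# Disabled by default, to ensure backwards compatibility.
# minAvailable and maxUnavailable are mutually exclusive; only one should be set.
pdb:
  enabled: false
  minAvailable: 1
  maxUnavailable: ""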
## User list to create (comma-separated list); can't be used with customLdifFiles
## Default set by bitnami image
#users: wuyutang
## User password to create (comma separated list, one for each user)
## Default set by bitnami image
#userPasswords: Tang@123
## Group to create and add list of user above
## Default set by bitnami image
#group: readers
## Existing configmap with custom ldif
# Can't be used with customLdifFiles
# Same format as customLdifFiles
# customLdifCm: my-custom-cm
# Custom openldap configuration files used to override default settings
# DO NOT FORGET to put the Root Organisation object as it won't be created while using customLdifFiles
# customLdifFiles:
# 00-root.ldif: |-
# # Root creation
# dn: dc=example,dc=org
# objectClass: dcObject
# objectClass: organization
# o: Example, Inc
# 01-default-group.ldif: |-
# dn: cn=myGroup,dc=example,dc=org
# cn: myGroup
# gidnumber: 500
# objectclass: posixGroup
# objectclass: top
# 02-default-user.ldif: |-
# dn: cn=Jean Dupond,dc=example,dc=org
# cn: Jean Dupond
# gidnumber: 500
# givenname: Jean
# homedirectory: /home/users/jdupond
# objectclass: inetOrgPerson
# objectclass: posixAccount
# objectclass: top
# sn: Dupond
# uid: jdupond
# uidnumber: 1000
# userpassword: {MD5}KOULhzfBhPTq9k7a9XfCGw==
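# Custom openldap ACLs (slapd-config olcAccess values; clauses are evaluated in
# {n} order and the first matching `by` clause decides).
# If not defined, the following default ACLs are applied:
# NOTE(review): {1} grants cn=reader `read` on userPassword/shadowLastChange, so
# that service account can retrieve every user's password hash. If it only needs
# to authenticate users, `by dn="cn=reader,dc=vimll,dc=com" auth` is the narrower
# grant (compare-only). Confirm what the consumers of cn=reader actually require.
# LDIF continuation lines must start with a space; two are used so a separating
# space survives LDIF unfolding.
customAcls: |
  dn: olcDatabase={2}mdb,cn=config
  changetype: modify
  replace: olcAccess
  olcAccess: {0}to *
    by dn.exact=gidNumber=0+uidNumber=1001,cn=peercred,cn=external,cn=auth manage
    by * break
  olcAccess: {1}to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=vimll,dc=com" write
    by dn="cn=reader,dc=vimll,dc=com" read
    by anonymous auth by * none
  olcAccess: {2}to *
    by dn="cn=admin,dc=vimll,dc=com" write
    by dn="cn=reader,dc=vimll,dc=com" read
    by self read
    by * none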
# Custom openldap schema files to be used in addition to the default schemas
# customSchemaFiles:
# custom.ldif: |-
# # custom schema
# anothercustom.ldif: |-
# # another custom schema
## Existing configmap with custom ldif
# Can't be used with customLdifFiles
# Same format as customLdifFiles
# customLdifCm: my-custom-ldif-cm
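# Extra schema definitions in cn=config LDIF form. The file name without `.ldif` is
# what `env.LDAP_EXTRA_SCHEMAS` refers to: `sudo` is listed there, `openssh-lpk` is
# not — confirm the latter is actually loaded.
# These values are LDIF documents: a continuation line must begin with a space and
# LDIF strips exactly one leading space when unfolding. Lines that were broken
# mid-word therefore carry one extra space of indent; lines broken at a word
# boundary carry two, so the separating space survives.
customSchemaFiles:
  openssh-lpk.ldif: |-
    dn: cn=openssh-lpk,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: openssh-lpk
    olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
      NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
      EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
      NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
      SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
  sudo.ldif: |-
    dn: cn=sudo,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: sudo
    olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s
     ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrin
     gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s
     ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring
     sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com
     mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
     .1.1466.115.121.1.26 )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(
     s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3
     .6.1.4.1.1466.115.121.1.26 )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti
     ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
     .115.121.1.26 )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U
     ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.
     1466.115.121.1.26 )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC '
     Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.
     1.1466.115.121.1.26 )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S
     tart of time interval for which the entry is valid' EQUALITY generalizedTim
     eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
     1.1.24 )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'En
     d of time interval for which the entry is valid' EQUALITY generalizedTimeMa
     tch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
     .24 )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an i
     nteger to order the sudoRole entries' EQUALITY integerMatch ORDERING intege
     rOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
    olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer
      Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand
      $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ su
     doNotBefore $ sudoNotAfter $ description ) )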
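# Multi-master replication between the StatefulSet replicas.
replication:
  enabled: true
  # Enter the name of your cluster, defaults to "cluster.local"
  clusterName: "cluster.local"
  retry: 60
  timeout: 1
  # Quoted: a digits-and-colons value is ambiguous under YAML 1.1 (sexagesimal numbers).
  interval: "00:00:00:10"
  starttls: "critical"
  # NOTE(review): "never" means the replication consumer does not verify the
  # provider's certificate, so StartTLS here gives confidentiality but not peer
  # authentication. With a shared CA in the customTLS secret, "demand" would
  # verify peers — confirm the certificate covers the pod/service names first.
  tls_reqcert: "never"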
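## Persist data to a persistent volume
persistence:
  enabled: true
  ## database data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  # storageClass: "standard-singlewriter"
  # existingClaim: openldap-pvc
  accessModes:
    - ReadWriteOnce
  size: 2Gi
  storageClass: "local-path"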
## @param customLivenessProbe Custom livenessProbe that overrides the default one
customLivenessProbe: {}
## @param customReadinessProbe Custom readinessProbe that overrides the default one
customReadinessProbe: {}
## @param customStartupProbe Custom startupProbe that overrides the default one
customStartupProbe: {}
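## OPENLDAP resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
## @param resources.limits The resources limits for the OPENLDAP containers
## @param resources.requests The requested resources for the OPENLDAP containers
## Both left empty: the pods run unbounded (BestEffort QoS) unless set.
resources:
  limits: {}
  requests: {}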
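## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled OPENLDAP pods' Security Context
## @param podSecurityContext.fsGroup Set OPENLDAP pod's Security Context fsGroup
## fsGroup 1001 matches the runAsUser used in containerSecurityContext so the
## persistent volume is writable by the non-root user.
podSecurityContext:
  enabled: true
  fsGroup: 1001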
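## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enabled OPENLDAP containers' Security Context
## @param containerSecurityContext.runAsUser Set OPENLDAP containers' Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set OPENLDAP containers' Security Context runAsNonRoot
containerSecurityContext:
  # NOTE(review): with `enabled: false` the two settings below are presumably not
  # rendered (Bitnami-style charts gate the securityContext on this flag — confirm
  # in the template), so runAsNonRoot is not enforced by the kubelet. Enable this
  # block unless the image genuinely needs root.
  enabled: false
  runAsUser: 1001
  runAsNonRoot: true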
## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for OPENLDAP
existingConfigmap: null
## @param command Override default container command (useful when using custom images)
command: []
## @param args Override default container args (useful when using custom images)
args: []
## @param hostAliases OPENLDAP pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
hostAliases: []
## @param podLabels Extra labels for OPENLDAP pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## @param podAnnotations Annotations for OPENLDAP pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinityPreset: ''
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## `soft` spreads the three replicas across nodes when the scheduler can.
podAntiAffinityPreset: soft
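## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  values: []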
## @param affinity Affinity for OPENLDAP pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
affinity: {}
## @param nodeSelector Node labels for OPENLDAP pods assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## @param tolerations Tolerations for OPENLDAP pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
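## @param updateStrategy.type OPENLDAP statefulset strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  type: RollingUpdate
## @param priorityClassName OPENLDAP pods' priorityClassName
priorityClassName: ""
## @param schedulerName Name of the k8s scheduler (other than default) for OPENLDAP pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
schedulerName: ""
## @param lifecycleHooks for the OPENLDAP container(s) to automate configuration before or after startup
lifecycleHooks: {}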
## @param extraEnvVars Array with extra environment variables to add to OPENLDAP nodes
## e.g:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for OPENLDAP nodes
extraEnvVarsCM: null
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for OPENLDAP nodes
extraEnvVarsSecret: null
## @param extraVolumes Optionally specify extra list of additional volumes for the OPENLDAP pod(s)
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the OPENLDAP container(s)
extraVolumeMounts: []
## @param sidecars Add additional sidecar containers to the OPENLDAP pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
sidecars: {}
## @param initContainers Add additional init containers to the OPENLDAP pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     command: ['sh', '-c', 'echo "hello world"']
initContainers: {}
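## ServiceAccount configuration
serviceAccount:
  ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
  create: true
  ## @param serviceAccount.name The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the common.names.fullname template
  name: ""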
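## @section Init Container Parameters
## 'volumePermissions' init container parameters
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
## based on the *podSecurityContext/*containerSecurityContext parameters
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
  enabled: false
  ## Bitnami Shell image
  ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/
  ## @param volumePermissions.image.registry Bitnami Shell image registry
  ## @param volumePermissions.image.repository Bitnami Shell image repository
  ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended)
  ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy
  ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets
  image:
    registry: docker.io
    repository: bitnami/bitnami-shell
    tag: 10-debian-10
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    pullSecrets: []
  ## Command to execute during the volumePermission startup
  ## command: ['sh', '-c', 'echo "hello world"']
  command: {}
  ## Init container's resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ## @param volumePermissions.resources.limits The resources limits for the init container
  ## @param volumePermissions.resources.requests The requested resources for the init container
  resources:
    limits: {}
    requests: {}
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
  ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
  ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
  ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
  ## Running as 0 (root) is what allows the chown; this init container is only
  ## rendered when `enabled` above is true, which it currently is not.
  containerSecurityContext:
    runAsUser: 0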
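## Configure extra options for liveness, readiness, and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## startupProbe allows up to 30 x 10s = 300s for first start; the other two only
## take over once it has succeeded.
livenessProbe:
  enabled: true
  initialDelaySeconds: 20
  periodSeconds: 10
  timeoutSeconds: 1
  successThreshold: 1
  failureThreshold: 10
readinessProbe:
  enabled: true
  initialDelaySeconds: 20
  periodSeconds: 10
  timeoutSeconds: 1
  successThreshold: 1
  failureThreshold: 10
startupProbe:
  enabled: true
  initialDelaySeconds: 0
  periodSeconds: 10
  timeoutSeconds: 1
  successThreshold: 1
  failureThreshold: 30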
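## test container details (helm test hook; off by default)
test:
  enabled: false
  image:
    repository: dduportal/bats
    # Quoted so the tag is always read as a string.
    tag: "0.4.0"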
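## ltb-passwd (self-service password web UI)
ltb-passwd:
  # Fixed stray space before the colon (`enabled : true`), which yamllint rejects.
  enabled: true
  image:
    tag: "5.2.3"
  ingress:
    enabled: false
    annotations: {}
    path: /
    pathType: Prefix
    ## Ingress Host
    hosts:
      - "l.vimll.com"
  # NOTE(review): per the comments below, the UI binds as cn=admin unless `ldap.bindDN`
  # is set. A dedicated low-privilege bind DN limits what a compromised ltb-passwd pod
  # can do with the directory; the cn=reader account in customAcls may be sufficient
  # for the search — verify against the ltb-passwd chart's requirements.
  # ldap:
  #   # if you want to restrict search base tree for users instead of complete domain
  #   searchBase: "ou=....,dc=mydomain,dc=com"
  #   # if you want to use a dedicated bindDN for the search with less permissions instead of cn=admin one
  #   bindDN: "cn=....,dc=mydomain,dc=com"
  #   # if you want to use a specific key of the credentials secret instead of the default one (LDAP_ADMIN_PASSWORD)
  #   passKey: LDAP_MY_KEY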
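## phpldapadmin (web admin UI; exposes full directory administration with the admin bind)
phpldapadmin:
  enabled: true
  image:
    tag: "0.9.0"
  env:
    # NOTE(review): "never" disables server-certificate verification for the UI's
    # LDAP client connection to the directory, so a TLS interposition between the
    # two pods would not be detected. Acceptable only while the CA is not yet
    # distributed; switch to "demand" once the customTLS CA is available to the UI.
    PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: "never"
  ingress:
    enabled: false
    annotations: {}
    path: /
    pathType: Prefix
    ## Ingress Host
    hosts:
      - phpldapadmin.example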