
Comments (9)

jp-gouin avatar jp-gouin commented on August 21, 2024 1

Hi @smirnov-mi
I just updated the chart with some corrections.
Now you should be able to deploy the app with any name, and I changed the configuration of ltb-passwd so it can use the same secret as openldap.

For phpldapadmin and ltb-passwd you need to configure the host of openldap; this host must be namespace.Appfullname.
So if you deploy the app in the test namespace and you named your deployment openldaptest, then the host is `test.openldaptest`.

Let me know if this works for you

from helm-openldap.

smirnov-mi avatar smirnov-mi commented on August 21, 2024 1

will check it asap. really appreciate your work on this!


jp-gouin avatar jp-gouin commented on August 21, 2024

Hi @smirnov-mi ,
When you scale up, are you upgrading the chart and setting the replica count to 3, or do you use the kubectl command to scale?

Edit: these are my typical values; could you please post yours so I can test with your settings:
Edit2: I'm guessing that maybe you missed the adminPassword value in your deployment. So when you upgrade the chart, Helm is regenerating another password, which prevents your new openldap from joining the existing cluster (since it was created with another password).

```yaml
adminPassword: "myAwesomePassw0rd"
replicaCount: 3
# settings for enabling TLS
customLdifFiles:
  01-default-users.ldif: |-
    # Predefine users here
service:
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
  clusterIP: ""
  ldapPort: 389
  sslLdapPort: 636  # Only used if tls.enabled is true
  type: NodePort
tls:
  enabled: true
ltb-passwd:
  enabled: false
phpldapadmin:
  enabled: true
  ingress:
    enabled: true
    ## Ingress Host
    hosts:
    - phpldapadmin.example.com
  env:
    PHPLDAPADMIN_LDAP_HOSTS: "openldap.openldap"
```


smirnov-mi avatar smirnov-mi commented on August 21, 2024

Hi @jp-gouin
I tried it with kubectl, trying to scale it.
The problem is, that I was not able to make a new installation at all.

I managed to move my installation to a new cluster, using kubectl get ... -o yaml and "create" all this on the new cluster. I lost the helm chart this way, but I have two ldap containers running and syncing.

I do not have adminPassword in my values indeed.
I thought it was generated at installation time and stored in a secret?

```text
~# kubectl describe secret -n ldap openldap
Name:         openldap
Namespace:    ldap
Labels:       app=openldap
              chart=openldap-2.0.1
              heritage=Helm
              release=openldap
Annotations:
Type:         Opaque

Data
====
LDAP_ADMIN_PASSWORD:   32 bytes
LDAP_CONFIG_PASSWORD:  32 bytes
```

My values look like:

```yaml
replicaCount: 2
# Define deployment strategy - IMPORTANT: use rollingUpdate: null when using the Recreate strategy.
# It prevents merging with existing map keys, which is forbidden.
strategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
  #   maxUnavailable: 0
  #
  # or
  #
  # type: Recreate
  # rollingUpdate: null
image:
  repository: osixia/openldap
  tag: latest
  pullPolicy: IfNotPresent
  pullSecret: harbor

# Specifies an existing secret to be used for admin and config user passwords
existingSecret: ""

# settings for enabling TLS with custom certificate
tls:
  enabled: false
  secret: ""  # The name of a kubernetes.io/tls type secret to use for TLS
  CA:
    enabled: false
    secret: ""  # The name of a generic secret to use for custom CA certificate (ca.crt)

extraLabels: {}

podAnnotations: {}
service:
  annotations: {}
  ldapPort: 389
  sslLdapPort: 636
  externalIPs: [300.2.0.1]

  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  type: ClusterIP
  #type: NodePort

# Default configuration for openldap as environment variables. These get injected directly in the container.
# Use the env variables from https://github.com/osixia/docker-openldap#beginner-guide
env:
  LDAP_LOG_LEVEL: "256"
  LDAP_ORGANISATION: "Example Inc."
  LDAP_DOMAIN: "example.org"
  LDAP_READONLY_USER: "false"
  LDAP_READONLY_USER_USERNAME: "readonly"
  LDAP_READONLY_USER_PASSWORD: "readonly"
  LDAP_RFC2307BIS_SCHEMA: "false"
  LDAP_BACKEND: "mdb"
  LDAP_TLS: "false"
  LDAP_TLS_CRT_FILENAME: "ldap.crt"
  LDAP_TLS_KEY_FILENAME: "ldap.key"
  LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
  LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
  LDAP_TLS_ENFORCE: "false"
  CONTAINER_LOG_LEVEL: "1"
  LDAP_TLS_REQCERT: "never"
  KEEP_EXISTING_CONFIG: "false"
  LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
  LDAP_SSL_HELPER_PREFIX: "ldap"
  LDAP_TLS_VERIFY_CLIENT: "never"
  LDAP_TLS_PROTOCOL_MIN: "3.0"
  LDAP_TLS_CIPHER_SUITE: "NORMAL"
  LOGLEVEL: "DEBUG"

# Default Passwords to use, stored as a secret. If unset, passwords are auto-generated.
# You can override these at install time with
# helm install openldap --set openldap.adminPassword=<passwd>,openldap.configPassword=<passwd>
# adminPassword: admin
# configPassword: config

replication:
  enabled: true
## Persist data to a persistent volume
persistence:
  enabled: true
  storageClass: "rook-ceph-block"
  accessModes:
    - ReadWriteOnce
  size: 60Mi

resources: {}

nodeSelector: {}

tolerations: []

# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinityTemplate: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: release
          operator: In
          values: [{{ .Release.Name | quote }}]
        - key: app
          operator: In
          values: [{{ template "openldap.name" . }}]
      topologyKey: kubernetes.io/hostname

## test container details
test:
  enabled: false
  image:
    repository: dduportal/bats
    tag: 0.4.0
ltb-passwd:
  enabled: false
  ingress:
    enabled: true
    annotations: {}
    path: /pas
    ## Ingress Host
    hosts:
    - "demo-ldap.test.test"
  ldap:
    server: ldaps://openldap.ldap.svc.cluster.local
    searchBase: dc=example,dc=org
    binduserSecret: openldap
  env:
  - name: LDAP_BINDDN
    value: "cn=admin,dc=example,dc=org"
  - name: LDAP_BINDPASS
    value: "pass1"
  - name: SECRETEKEY
    value: "LDAP_ADMIN_PASSWORD"
  - name: LDAP_LOGIN_ATTRIBUTE
    value: "cn"

phpldapadmin:
  enabled: true
  ingress:
    enabled: true
    annotations:
      certmanager.k8s.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/ingress.class: nginx
      kubernetes.io/tls-acme: "true"
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/proxy-body-size: 8m
    path: /ldap(/|$)(.*)
    ## Ingress Host
    hosts:
    - "demo-ldap.test.test"
  env:
    PHPLDAPADMIN_LDAP_HOSTS: openldap.ldap.svc.cluster.local
```


jp-gouin avatar jp-gouin commented on August 21, 2024

Yes, Helm generates the secret, but when you upgrade it will regenerate a password:

```yaml
  LDAP_ADMIN_PASSWORD: {{ .Values.adminPassword | default (randAlphaNum 32) | b64enc | quote }}
  LDAP_CONFIG_PASSWORD: {{ .Values.configPassword | default (randAlphaNum 32) | b64enc | quote }}
```

So when you upgrade you have to set the values of adminPassword and configPassword to the ones generated during the first install, or simply set them in the Helm chart for the initial deployment.

In your chart, you do not set

```yaml
tls:
  enabled: true
```

Without this you won't be able to do ldaps queries (the chart will still work).

And to scale you must indeed upgrade the replica number in the chart in order to update the LDAP_REPLICATION_HOSTS value appropriately.

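The upgrade procedure described above (reuse the install-time passwords, then change the replica count through Helm rather than kubectl), as an added example that is not part of the helm-openldap chart or of this thread. It assumes the release Secret is named after the release, as in the `kubectl describe` output above, and that the chart checkout path is passed in.

```shell
# Added example (not from the helm-openldap chart): carry the passwords Helm
# generated at install time into `helm upgrade`, so the upgrade does not rotate
# LDAP_ADMIN_PASSWORD / LDAP_CONFIG_PASSWORD and break replication between the
# existing and the new openldap replicas.
set -eu

# Read one key of the release Secret and base64-decode it; fails if the key is
# absent (the same class of error ltb-passwd reports when a key is missing).
secret_value() {            # usage: secret_value <namespace> <secret> <key>
  b64=$(kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}")
  [ -n "$b64" ] || { echo "key $3 not found in Secret $1/$2" >&2; return 1; }
  printf '%s' "$b64" | base64 -d
}

# Write the two passwords to a values file created with mode 0600 instead of
# passing them via --set, which would expose them in shell history and `ps`.
# (randAlphaNum passwords contain no quotes, so plain "%s" quoting is safe.)
write_password_values() {   # usage: write_password_values <namespace> <release> <outfile>
  admin=$(secret_value "$1" "$2" LDAP_ADMIN_PASSWORD)
  config=$(secret_value "$1" "$2" LDAP_CONFIG_PASSWORD)
  ( umask 077
    printf 'adminPassword: "%s"\nconfigPassword: "%s"\n' "$admin" "$config" > "$3" )
}

# Scale through Helm rather than `kubectl scale`, so the chart recomputes
# LDAP_REPLICATION_HOSTS for the new replica count. The temporary values file
# is removed on exit. <chart-path> is a local checkout of the chart (assumed).
scale_openldap() {          # usage: scale_openldap <namespace> <release> <chart-path> <replicas>
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  write_password_values "$1" "$2" "$tmp"
  helm upgrade "$2" "$3" --namespace "$1" --reuse-values \
    -f "$tmp" --set "replicaCount=$4"
}
```

For the values in this thread the call is `scale_openldap ldap openldap ./openldap 3`.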

smirnov-mi avatar smirnov-mi commented on August 21, 2024

I managed to install a fresh helm chart, adding "--set loglevel=debug" to the helm install command, and figured out that the name of some service had "openldap" hard-coded somewhere. So I used openldap as the helm chart name, and it worked. I'm not able to install ltb-passwd within this chart, as it's looking for values in the SECRET:

`Error: couldn't find key BINDDN in Secret ldap2/openldap`

And all those values are stored in the configmap, as far as I can see. Don't know where to change the "secret" to "configmap" for ltb-passwd.

Will try ldaps first.


smirnov-mi avatar smirnov-mi commented on August 21, 2024

Super awesome!

Got two little points (and I have to figure out how to let ltb send emails; my servers don't send anything just yet):

  1. ltb - Error: secret "openldaptest" not found
     from the ltb-passwd section in values.yaml:
     binduserSecret:

  2. affinity, to make pods run on different nodes, I use the following (don't know how to parameterize the operator template without a hard-coded name):

```yaml
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinityTemplate: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: release
          operator: In
          values: [{{ .Release.Name | quote }}]
        - key: app
          operator: In
          values: [{{ template "openldap.name" . }}]
      topologyKey: kubernetes.io/hostname
```


jp-gouin avatar jp-gouin commented on August 21, 2024

Hi @smirnov-mi ,
For the secret, I will push a correction to always use the secret of openldap.

Regarding the affinity, I have a way to use templating in values.yaml, but I still need to debug this part.

As a workaround, you have to set those values manually (same for the secret of ltb: the Secret name is the name of the deployment).


jp-gouin avatar jp-gouin commented on August 21, 2024

Anti-affinity added in the last commit, and fixed by #3.

