Use bitnami/openldap in integration tests instead of our old fork

This commit is contained in:
Ryan Richard 2023-10-04 10:11:46 -07:00
parent 776e436e35
commit 826d8236d9
3 changed files with 20 additions and 67 deletions


@ -155,60 +155,32 @@ stringData: #@ ldapLIDIF()
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: ldap-server-config-before-ldif-files name: ldap-server-additional-schema-ldif-files
namespace: tools namespace: tools
type: Opaque type: Opaque
stringData: stringData:
server-config.ldif: | #! From https://github.com/bitnami/containers/issues/982#issuecomment-1220354408
# Load the memberof module. memberof.ldif: |
dn: cn=module,cn=config dn: cn=module,cn=config
cn: module cn: module
objectClass: olcModuleList objectClass: olcModuleList
objectClass: top
olcModulePath: /opt/bitnami/openldap/lib/openldap olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: memberof olcModuleLoad: memberof.so
olcModuleLoad: refint.so
dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf objectClass: olcMemberOf
objectClass: olcOverlayConfig objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
# Load the refint module. dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmodulepath: /opt/bitnami/openldap/lib/openldap
olcmoduleload: refint
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig objectClass: olcConfig
objectClass: olcOverlayConfig objectClass: olcOverlayConfig
objectClass: olcRefintConfig objectClass: olcRefintConfig
objectClass: top objectClass: top
olcOverlay: {1}refint olcOverlay: refint
olcRefintAttribute: memberof member manager owner olcRefintAttribute: memberof member manager owner
--- ---
apiVersion: v1
kind: Secret
metadata:
name: ldap-server-config-after-ldif-files
namespace: tools
type: Opaque
stringData:
server-config.ldif: |
# Reject any further connections that do not use TLS or StartTLS
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -241,13 +213,6 @@ spec:
containerPort: 1389 containerPort: 1389
- name: ldaps - name: ldaps
containerPort: 1636 containerPort: 1636
resources:
requests:
cpu: "100m" #! one-tenth of one CPU
memory: "64Mi"
limits:
#! Do not limit CPU because it was causing issues running integration tests on AKS where openldap became very slow.
memory: "64Mi"
readinessProbe: readinessProbe:
tcpSocket: tcpSocket:
port: ldap port: ldap
@ -274,6 +239,8 @@ spec:
value: "password" #! ok to hardcode: the LDAP server will not be available from outside the cluster value: "password" #! ok to hardcode: the LDAP server will not be available from outside the cluster
- name: LDAP_ENABLE_TLS - name: LDAP_ENABLE_TLS
value: "yes" value: "yes"
- name: LDAP_REQUIRE_TLS
value: "yes"
- name: LDAP_TLS_CERT_FILE - name: LDAP_TLS_CERT_FILE
value: "/var/certs/ldap.pem" value: "/var/certs/ldap.pem"
- name: LDAP_TLS_KEY_FILE - name: LDAP_TLS_KEY_FILE
@ -283,14 +250,12 @@ spec:
#! Note that the custom LDIF file is only read at pod start-up time. #! Note that the custom LDIF file is only read at pod start-up time.
- name: LDAP_CUSTOM_LDIF_DIR - name: LDAP_CUSTOM_LDIF_DIR
value: "/var/ldifs" value: "/var/ldifs"
- name: LDAP_SERVER_CONFIG_BEFORE_CUSTOM_LDIF_DIR
value: "/var/server-config-before-ldifs"
- name: LDAP_SERVER_CONFIG_AFTER_CUSTOM_LDIF_DIR
value: "/var/server-config-after-ldifs"
#! Seems like LDAP_ROOT is still required when using LDAP_CUSTOM_LDIF_DIR because it effects the admin user. #! Seems like LDAP_ROOT is still required when using LDAP_CUSTOM_LDIF_DIR because it effects the admin user.
#! Presumably this needs to match the root that we create in the LDIF file. #! Presumably this needs to match the root that we create in the LDIF file.
- name: LDAP_ROOT - name: LDAP_ROOT
value: "dc=pinniped,dc=dev" value: "dc=pinniped,dc=dev"
- name: LDAP_EXTRA_SCHEMAS
value: "cosine,inetorgperson,nis,memberof"
volumeMounts: volumeMounts:
- name: certs - name: certs
mountPath: /var/certs mountPath: /var/certs
@ -298,11 +263,9 @@ spec:
- name: ldifs - name: ldifs
mountPath: /var/ldifs mountPath: /var/ldifs
readOnly: true readOnly: true
- name: server-config-before-ldifs - name: additional-schema
mountPath: /var/server-config-before-ldifs mountPath: /opt/bitnami/openldap/etc/schema/memberof.ldif
readOnly: true subPath: memberof.ldif
- name: server-config-after-ldifs
mountPath: /var/server-config-after-ldifs
readOnly: true readOnly: true
volumes: volumes:
- name: certs - name: certs
@ -311,12 +274,9 @@ spec:
- name: ldifs - name: ldifs
secret: secret:
secretName: ldap-ldif-files secretName: ldap-ldif-files
- name: server-config-before-ldifs - name: additional-schema
secret: secret:
secretName: ldap-server-config-before-ldif-files secretName: ldap-server-additional-schema-ldif-files
- name: server-config-after-ldifs
secret:
secretName: ldap-server-config-after-ldif-files
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
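Review bot: The explicit `olcSecurity: tls=1` LDIF (old side, the `ldap-server-config-after-ldif-files` Secret with the comment "Reject any further connections that do not use TLS or StartTLS") is gone and the only remaining TLS enforcement is the new `LDAP_REQUIRE_TLS: "yes"` env var in the third hunk, which carries no comment; I would add `#! Replaces the former olcSecurity: tls=1 server config: reject any connection that does not use TLS or StartTLS` above `- name: LDAP_REQUIRE_TLS` so the intent stays visible. The new memberof LDIF also hardcodes `olcDatabase={2}mdb,cn=config` where the old fork used `{2}hdb`; this presumably matches the bitnami image's database layout (the linked issue comment suggests so), so a short `#!` note that the index is tied to that image would help whoever next bumps it. Separately, the second hunk drops the container's memory request and limit entirely while the surviving old-side comment only justified removing the CPU limit; if leaving it unbounded is intentional, a one-line comment saying so would keep the next reader from restoring it. The enclosing Deployment spec starts and ends outside these hunks.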


@ -1,4 +1,4 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data") #@ load("@ytt:data", "data")
@ -30,13 +30,6 @@ spec:
ports: ports:
- name: http - name: http
containerPort: 3128 containerPort: 3128
resources:
requests:
cpu: "100m" #! one-tenth of one CPU
memory: "64Mi"
limits:
cpu: "100m" #! one-tenth of one CPU
memory: "64Mi"
volumeMounts: volumeMounts:
- name: log-dir - name: log-dir
mountPath: "/var/log/squid/" mountPath: "/var/log/squid/"
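Review bot: The resources block with both requests and limits for the proxy container is removed with no rationale on the new side, while the commit title only describes swapping the openldap image. If the proxy is meant to run unconstrained in the test cluster, add a comment such as `#! No resources requests/limits: keep the proxy unconstrained in the test cluster` where the block was, or otherwise restore at least the memory limit so a misbehaving proxy cannot starve the node. The enclosing container spec starts outside the hunk.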


@ -1,4 +1,4 @@
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0 #! SPDX-License-Identifier: Apache-2.0
#@data/values #@data/values
@ -28,7 +28,7 @@ pinny_ldap_password:
#! Images for each of the deployed test components. #! Images for each of the deployed test components.
dex_image: ghcr.io/pinniped-ci-bot/test-dex:latest dex_image: ghcr.io/pinniped-ci-bot/test-dex:latest
ldap_image: ghcr.io/pinniped-ci-bot/test-ldap:latest ldap_image: ghcr.io/pinniped-ci-bot/test-bitnami-ldap:latest
proxy_image: ghcr.io/pinniped-ci-bot/test-forward-proxy:latest proxy_image: ghcr.io/pinniped-ci-bot/test-forward-proxy:latest
cfssl_image: ghcr.io/pinniped-ci-bot/test-cfssl:latest cfssl_image: ghcr.io/pinniped-ci-bot/test-cfssl:latest
kubectl_image: ghcr.io/pinniped-ci-bot/test-kubectl:latest kubectl_image: ghcr.io/pinniped-ci-bot/test-kubectl:latest