diff --git a/test/deploy/tools/ldap.yaml b/test/deploy/tools/ldap.yaml
index 895765070..38a6042d1 100644
--- a/test/deploy/tools/ldap.yaml
+++ b/test/deploy/tools/ldap.yaml
@@ -155,60 +155,32 @@ stringData: #@ ldapLIDIF()
apiVersion: v1
kind: Secret
metadata:
- name: ldap-server-config-before-ldif-files
+ name: ldap-server-additional-schema-ldif-files
namespace: tools
type: Opaque
stringData:
- server-config.ldif: |
- # Load the memberof module.
+ #! From https://github.com/bitnami/containers/issues/982#issuecomment-1220354408
+ memberof.ldif: |
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
- objectClass: top
olcModulePath: /opt/bitnami/openldap/lib/openldap
- olcModuleLoad: memberof
+ olcModuleLoad: memberof.so
+ olcModuleLoad: refint.so
- dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
- objectClass: olcConfig
+ dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
- objectClass: top
olcOverlay: memberof
- olcMemberOfDangling: ignore
- olcMemberOfRefInt: TRUE
- olcMemberOfGroupOC: groupOfNames
- olcMemberOfMemberAD: member
-
- # Load the refint module.
- dn: cn=module,cn=config
- cn: module
- objectclass: olcModuleList
- objectclass: top
- olcmodulepath: /opt/bitnami/openldap/lib/openldap
- olcmoduleload: refint
- dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
+ dn: olcOverlay=refint,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
- olcOverlay: {1}refint
+ olcOverlay: refint
olcRefintAttribute: memberof member manager owner
---
-apiVersion: v1
-kind: Secret
-metadata:
- name: ldap-server-config-after-ldif-files
- namespace: tools
-type: Opaque
-stringData:
- server-config.ldif: |
- # Reject any further connections that do not use TLS or StartTLS
- dn: olcDatabase={2}hdb,cn=config
- changetype: modify
- add: olcSecurity
- olcSecurity: tls=1
----
apiVersion: apps/v1
kind: Deployment
metadata:
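Review bot: The two overlay entries inside `memberof.ldif` follow different conventions: the memberof entry now lists only `objectClass: olcMemberOf` and `objectClass: olcOverlayConfig`, while the refint entry directly below still carries `objectClass: olcConfig` and `objectClass: top`. Both forms load under slapd, but one file should pick one; dropping the two extra lines from the refint entry, or restoring them on the memberof entry, keeps the pair parallel. Both DNs hard-code `olcDatabase={2}mdb`, which ties the file to the database numbering of the new image; a comment such as `# {2}mdb is the data database index in the Bitnami image; re-check if the image version changes` would record that assumption where the next maintainer will look. The old explicit `olcMemberOfRefInt`, `olcMemberOfDangling`, `olcMemberOfGroupOC` and `olcMemberOfMemberAD` values are now left to their defaults, which presumably is deliberate since the refint overlay's `olcRefintAttribute` still covers `memberof`; a one-line note saying so would spare the next reader from re-deriving it.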
@@ -241,13 +213,6 @@ spec:
containerPort: 1389
- name: ldaps
containerPort: 1636
- resources:
- requests:
- cpu: "100m" #! one-tenth of one CPU
- memory: "64Mi"
- limits:
- #! Do not limit CPU because it was causing issues running integration tests on AKS where openldap became very slow.
- memory: "64Mi"
readinessProbe:
tcpSocket:
port: ldap
@@ -274,6 +239,8 @@ spec:
value: "password" #! ok to hardcode: the LDAP server will not be available from outside the cluster
- name: LDAP_ENABLE_TLS
value: "yes"
+ - name: LDAP_REQUIRE_TLS
+ value: "yes"
- name: LDAP_TLS_CERT_FILE
value: "/var/certs/ldap.pem"
- name: LDAP_TLS_KEY_FILE
@@ -283,14 +250,12 @@ spec:
#! Note that the custom LDIF file is only read at pod start-up time.
- name: LDAP_CUSTOM_LDIF_DIR
value: "/var/ldifs"
- - name: LDAP_SERVER_CONFIG_BEFORE_CUSTOM_LDIF_DIR
- value: "/var/server-config-before-ldifs"
- - name: LDAP_SERVER_CONFIG_AFTER_CUSTOM_LDIF_DIR
- value: "/var/server-config-after-ldifs"
#! Seems like LDAP_ROOT is still required when using LDAP_CUSTOM_LDIF_DIR because it effects the admin user.
#! Presumably this needs to match the root that we create in the LDIF file.
- name: LDAP_ROOT
value: "dc=pinniped,dc=dev"
+ - name: LDAP_EXTRA_SCHEMAS
+ value: "cosine,inetorgperson,nis,memberof"
volumeMounts:
- name: certs
mountPath: /var/certs
@@ -298,11 +263,9 @@ spec:
- name: ldifs
mountPath: /var/ldifs
readOnly: true
- - name: server-config-before-ldifs
- mountPath: /var/server-config-before-ldifs
- readOnly: true
- - name: server-config-after-ldifs
- mountPath: /var/server-config-after-ldifs
+ - name: additional-schema
+ mountPath: /opt/bitnami/openldap/etc/schema/memberof.ldif
+ subPath: memberof.ldif
readOnly: true
volumes:
- name: certs
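Review bot: `LDAP_REQUIRE_TLS: "yes"` takes over the job of the removed `olcSecurity: tls=1` LDIF, but the explanatory comment that came with the old entry is gone, so a reader of this env list cannot tell why the plaintext `ldap` port is still exposed on 1389 yet expected to be safe. Add `#! Reject operations on the plaintext port unless the client first does StartTLS (replaces the old olcSecurity: tls=1 post-LDIF config)` above the new variable. Whether the image applies this to the same data database the old LDIF targeted (`olcDatabase={2}hdb` before, `{2}mdb` now) is not visible here, so the integration test that binds over plain LDAP without StartTLS is what actually confirms the enforcement survived the switch. The enclosing `env:` list starts and ends outside this hunk.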
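Review bot: `memberof` in `LDAP_EXTRA_SCHEMAS` is not a schema the image ships; it resolves to the overlay-and-module LDIF mounted at `/opt/bitnami/openldap/etc/schema/memberof.ldif` in the volumeMounts hunk below, and nothing at this line says so. A comment such as `#! "memberof" is our own LDIF (module + overlay config, not a schema) mounted into the schema dir via the additional-schema volume so the image loads it into cn=config at startup` would tie the two together, and the Bitnami issue link currently on the Secret belongs here as well, since this is the line a maintainer will edit. The coupling is by bare file name: changing either the mount's `subPath`/`mountPath` or this list entry without the other would presumably make startup fail on a missing schema file, which is worth spelling out next to the existing "only read at pod start-up time" note.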
@@ -311,12 +274,9 @@ spec:
- name: ldifs
secret:
secretName: ldap-ldif-files
- - name: server-config-before-ldifs
- secret:
- secretName: ldap-server-config-before-ldif-files
- - name: server-config-after-ldifs
+ - name: additional-schema
secret:
- secretName: ldap-server-config-after-ldif-files
+ secretName: ldap-server-additional-schema-ldif-files
---
apiVersion: v1
kind: Service
diff --git a/test/deploy/tools/proxy.yaml b/test/deploy/tools/proxy.yaml
index 38cdc88ec..05617394f 100644
--- a/test/deploy/tools/proxy.yaml
+++ b/test/deploy/tools/proxy.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
@@ -30,13 +30,6 @@ spec:
ports:
- name: http
containerPort: 3128
- resources:
- requests:
- cpu: "100m" #! one-tenth of one CPU
- memory: "64Mi"
- limits:
- cpu: "100m" #! one-tenth of one CPU
- memory: "64Mi"
volumeMounts:
- name: log-dir
mountPath: "/var/log/squid/"
diff --git a/test/deploy/tools/values.yaml b/test/deploy/tools/values.yaml
index 201dd00f6..8f563949f 100644
--- a/test/deploy/tools/values.yaml
+++ b/test/deploy/tools/values.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values
@@ -28,7 +28,7 @@ pinny_ldap_password:
#! Images for each of the deployed test components.
dex_image: ghcr.io/pinniped-ci-bot/test-dex:latest
-ldap_image: ghcr.io/pinniped-ci-bot/test-ldap:latest
+ldap_image: ghcr.io/pinniped-ci-bot/test-bitnami-ldap:latest
proxy_image: ghcr.io/pinniped-ci-bot/test-forward-proxy:latest
cfssl_image: ghcr.io/pinniped-ci-bot/test-cfssl:latest
kubectl_image: ghcr.io/pinniped-ci-bot/test-kubectl:latest