Multi Master replication on Kubernetes

[Jean-PhilippeGouin]

Hello,

I tried to start openldap with the replication enabled. But slapd fail with status code 1. I add an headless service for the communication between all pods.

When i disable the replication all pods are correctly starting...

When i use the docker directly it's working fine.

Here are the logs :

*** CONTAINER_LOG_LEVEL = 3 (info)
*** Search service in CONTAINER_SERVICE_DIR = /container/service :
*** link /container/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
*** link /container/service/slapd/startup.sh to /container/run/startup/slapd
*** link /container/service/slapd/process.sh to /container/run/process/slapd/run
*** Set environment for startup files
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.startup.yaml
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running /container/run/startup/:ssl-tools...
*** Running /container/run/startup/slapd...
+ ulimit -n 1024
+ '[' -d /var/lib/ldap ']'
+ '[' -d /etc/ldap/slapd.d ']'
+ chown -R openldap:openldap /var/lib/ldap
+ chown -R openldap:openldap /etc/ldap
+ chown -R openldap:openldap /container/service/slapd
+ FIRST_START_DONE=/container/run/state/slapd-first-start-done
+ WAS_STARTED_WITH_TLS=/etc/ldap/slapd.d/docker-openldap-was-started-with-tls
+ WAS_STARTED_WITH_TLS_ENFORCE=/etc/ldap/slapd.d/docker-openldap-was-started-with-tls-enforce
+ WAS_STARTED_WITH_REPLICATION=/etc/ldap/slapd.d/docker-openldap-was-started-with-replication
+ WAS_ADMIN_PASSWORD_SET=/etc/ldap/slapd.d/docker-openldap-was-admin-password-set
+ LDAP_TLS_CA_CRT_PATH=/container/service/slapd/assets/certs/ca.crt
+ LDAP_TLS_CRT_PATH=/container/service/slapd/assets/certs/ldap.crt
+ LDAP_TLS_KEY_PATH=/container/service/slapd/assets/certs/ldap.key
+ LDAP_TLS_DH_PARAM_PATH=/container/service/slapd/assets/certs/dhparam.pem
+ '[' '!' -e /container/run/state/slapd-first-start-done ']'
+ BOOTSTRAP=false
++ ls -A -I lost+found '--ignore=.*' /var/lib/ldap
+ '[' -z 'data.mdb
lock.mdb' ']'
++ ls -A -I lost+found '--ignore=.*' /var/lib/ldap
+ '[' -z 'data.mdb
lock.mdb' ']'
++ ls -A -I lost+found '--ignore=.*' /var/lib/ldap
+ '[' '!' -z 'data.mdb
lock.mdb' ']'
++ ls -A -I lost+found '--ignore=.*' /etc/ldap/slapd.d
+ '[' -z 'cn=config
cn=config.ldif
docker-openldap-was-admin-password-set
docker-openldap-was-started-with-replication' ']'
+ '[' mdb = mdb ']'
+ '[' -e '/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif' ']'
+ '[' false == true ']'
+ PREVIOUS_HOSTNAME_PARAM=
+ '[' -e /etc/ldap/slapd.d/docker-openldap-was-started-with-replication ']'
+ source /etc/ldap/slapd.d/docker-openldap-was-started-with-replication
++ export PREVIOUS_HOSTNAME=openldap-0.openldap-headless
++ PREVIOUS_HOSTNAME=openldap-0.openldap-headless
+ '[' openldap-0.openldap-headless '!=' openldap-0.openldap-headless ']'
+ '[' -e /etc/ldap/slapd.d/docker-openldap-was-started-with-tls ']'
+ log-helper info 'Start OpenLDAP...'
Start OpenLDAP...
+ log-helper level ge debug
+ slapd -h 'ldap://openldap-0.openldap-headless ldap://localhost ldapi:///' -u openldap -g openldap
*** /container/run/startup/slapd failed with status 1
*** Killing all processes...

Here are the statefulset.yaml

apiVersion: apps/v1beta2
kind: StatefulSet
metadata:
  name:  {{ template "openldap.fullname" . }}
  labels:
    app: {{ template "openldap.name" . }}
    chart: {{ template "openldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels | indent 4 }}
{{- end }}
spec:
  replicas: {{ .Values.replicaCount }}
{{- if .Values.strategy }}
  strategy:
{{ toYaml .Values.strategy | indent 4 }}
{{- end }}
  selector:
    matchLabels:
      app: {{ template "openldap.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      annotations:
        checksum/configmap-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
{{- if .Values.customLdifFiles}}
        checksum/configmap-customldif: {{ include (print $.Template.BasePath "/configmap-customldif.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations}}
{{ toYaml .Values.podAnnotations | indent 8}}
{{- end }}
      labels:
        app: {{ template "openldap.name" . }}
        release: {{ .Release.Name }}
    spec:
      {{- if or .Values.customLdifFiles .Values.tls.enabled }}
      initContainers:
      {{- end }}
      {{- if .Values.customLdifFiles }}
      - name: {{ .Chart.Name }}-init-ldif
        image: busybox
        command: ['sh', '-c', 'cp /customldif/* /ldifworkingdir']
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        volumeMounts:
        - name: customldif
          mountPath: /customldif
        - name: ldifworkingdir
          mountPath: /ldifworkingdir
      {{- end }}
      {{- if .Values.tls.enabled }}
      - name: {{ .Chart.Name }}-init-tls
        image: busybox
        command: ['sh', '-c', 'cp /tls/* /certs']
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        volumeMounts:
          - name: tls
            mountPath: /tls
          - name: certs
            mountPath: /certs
      {{- if .Values.tls.CA.enabled }}
      - name: {{ .Chart.Name }}-init-catls
        image: busybox
        command: ['sh', '-c', 'cp /catls/ca.crt /certs']
        volumeMounts:
          - name: catls
            mountPath: /catls
          - name: certs
            mountPath: /certs
      {{- end }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.customLdifFiles }}
          args: [--copy-service]
{{- end }}
          ports:
            - name: ldap-port
              containerPort: 389
            - name: ssl-ldap-port
              containerPort: 636
          envFrom:
            - configMapRef:
                name: {{ template "openldap.fullname" . }}-env
            - secretRef:
                name: {{ template "openldap.secretName" . }}
          volumeMounts:
            - name: data
              mountPath: /var/lib/ldap
              subPath: data
            - name: data
              mountPath: /etc/ldap/slapd.d
              subPath: config-data
            {{- if .Values.customLdifFiles }}
            - name: ldifworkingdir
              mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
            {{- end }}
            {{- if .Values.tls.enabled }}
            - name: certs
              mountPath: /container/service/slapd/assets/certs
            {{- end }}
          env:
            - name: LDAP_LOG_LEVEL
              value: "256"
            - name: LDAP_ORGANISATION
              value: "Example Inc."
            - name: LDAP_DOMAIN
              value: "example.org"
            - name: LDAP_ADMIN_PASSWORD
              value: "admin"
            - name: LDAP_CONFIG_PASSWORD
              value: "config"
            - name: LDAP_READONLY_USER
              value: "false"
            - name: LDAP_READONLY_USER_USERNAME
              value: "readonly"
            - name: LDAP_READONLY_USER_PASSWORD
              value: "readonly"
            - name: LDAP_RFC2307BIS_SCHEMA
              value: "false"
            - name: LDAP_BACKEND
              value: "mdb"
            - name: LDAP_TLS
              value: "false"
            - name: LDAP_TLS_CRT_FILENAME
              value: "ldap.crt"
            - name: LDAP_TLS_KEY_FILENAME
              value: "ldap.key"
            - name: LDAP_TLS_DH_PARAM_FILENAME
              value: "dhparam.pem"
            - name: LDAP_TLS_CA_CRT_FILENAME
              value: "ca.crt"
            - name: LDAP_TLS_ENFORCE
              value: "false"
            - name: LDAP_TLS_CIPHER_SUITE
              value: "SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
            - name: LDAP_TLS_VERIFY_CLIENT
              value: "demand"
            - name: CONTAINER_LOG_LEVEL
              value: "4"
            - name: LDAP_REPLICATION
              value: "true"
            - name: LDAP_REPLICATION_CONFIG_SYNCPROV
              value: "binddn=\"cn=admin,cn=config\" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase=\"cn=config\" type=refreshAndPersist retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_DB_SYNCPROV
              value: "binddn=\"cn=admin,$LDAP_BASE_DN\" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase=\"$LDAP_BASE_DN\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 starttls=critical"
            - name: LDAP_REPLICATION_HOSTS
              value: "#PYTHON2BASH:['ldap://ldap-one-service', 'ldap://ldap-two-service']"
            - name: KEEP_EXISTING_CONFIG
              value: "false"
            - name: LDAP_REMOVE_CONFIG_AFTER_SETUP
              value: "true"
            - name: LDAP_SSL_HELPER_PREFIX
              value: "ldap"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: HOSTNAME
              value: $(POD_NAME).{{ template "openldap.name" . }}-headless
          {{- if .Values.tls.enabled }}
            - name: LDAP_TLS_CRT_FILENAME
              value: tls.crt
            - name: LDAP_TLS_KEY_FILENAME
              value: tls.key
          {{- if .Values.tls.CA.enabled }}
            - name: LDAP_TLS_CA_CRT_FILENAME
              value: ca.crt
          {{- end }}
          {{- end }}
          livenessProbe:
            tcpSocket:
              port: ldap-port
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 10
          readinessProbe:
            tcpSocket:
              port: ldap-port
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 10
          resources:
{{ toYaml .Values.resources | indent 12 }}
    {{- with .Values.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}
      volumes:
        {{- if .Values.customLdifFiles }}
        - name: customldif
          configMap:
            name: {{ template "openldap.fullname" . }}-customldif
        - name: ldifworkingdir
          emptyDir: {}
        {{- end }}
        {{- if .Values.tls.enabled }}
        - name: tls
          secret:
            secretName: {{ .Values.tls.secret }}
        {{- if .Values.tls.CA.enabled }}
        - name: catls
          secret:
            secretName: {{ .Values.tls.CA.secret }}
        {{- end }}
        {{- end }}
        - name: certs
          emptyDir:
            medium: Memory
{{- if .Values.persistence.enabled }}
      imagePullSecrets: 
        - name: {{ .Values.image.pullSecret }}
  volumeClaimTemplates:
    - metadata:
        name: data
        annotations:
        {{- range $key, $value := .Values.persistence.annotations }}
          {{ $key }}: {{ $value }}
        {{- end }}
      spec:
        accessModes:
        {{- range .Values.persistence.accessModes }}
          - {{ . | quote }}
        {{- end }}
        resources:
          requests:
            storage: {{ .Values.persistence.size | quote }}
      {{- if .Values.persistence.storageClass }}
      {{- if (eq "-" .Values.persistence.storageClass) }}
        storageClassName: ""
      {{- else }}
        storageClassName: "{{ .Values.persistence.storageClass }}"
      {{- end }}
{{- end }}
{{- else }}
        - name: data
          emptyDir: {}
{{- end }}

And the headless service :

apiVersion: v1
kind: Service
metadata:
  name: {{ template "openldap.fullname" . }}-headless
  labels:
    app: {{ template "openldap.fullname" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
spec:
  ports:
  - port: {{ .Values.service.ldapPort }}
    name: unsecure
  clusterIP: None
  selector:
    app: {{ template "openldap.fullname" . }}

Thanks !

[smirnov-mi]

Hey man, did you you manage to get it work? I'm trying to build master-master ldap pod on k8s.

[ghost]

Hi smirnov-mi, not yet. I hope someone can help us on this.

[jp-gouin]

Hi @smirnov-mi , @ropesca you can find a working helm chart of Openldap here : https://github.com/kpc31/helm-openldap

It also include PhpLdapAdmin and Self-Service-Password.

[smirnov-mi]

@kpc31 thanks mate, i'll take a look