No description

Shell 100%

Find a file

Peter Pfläging 4ef7ecb2e2 Update Readme		2026-03-18 15:59:22 +01:00
admin-tasks	First running version	2026-03-12 16:55:06 +01:00
base	First running version	2026-03-12 16:55:06 +01:00
dev	First running version	2026-03-12 16:55:06 +01:00
instancetemplate	First running version	2026-03-12 16:55:06 +01:00
prod	First running version	2026-03-12 16:55:06 +01:00
qm	First running version	2026-03-12 16:55:06 +01:00
test	First running version	2026-03-12 16:55:06 +01:00
make-cluster.sh	First running version	2026-03-12 16:55:06 +01:00
Readme.md	Update Readme	2026-03-18 15:59:22 +01:00

Readme.md

Rollout for 389DS on an OKD / OpenShift cluster

set your namespace in admin-tasks/kusomtization.yaml (it's a patch)
roll out the admin-tasks as cluster admin: oc apply -k admin-tasks
get the contents of ./instancetemplate and make your own copy or use an upper repo which includes this one as submodule and edit kustomization.yaml
as normal developer/devops/...: oc apply -k myrepo-or-dir-with-the-kustomizationfile/
look into ./make-cluster.sh and edit at least your suffix (base DN) and the password(this is the repl-manager password!)
prepare the databases and redundancey: sh make-cluster.sh

After this you have the following service in your cluster:

ldaps: dirsrv-external-svc:636
ldap: dirsrv-external-svc:389
login:
- Bind DN: cn=Directory Manager
- Bind Password: the output of: oc get secret dirsrv-dm-password -o jsonpath='{.data.dm-password}' | base64 -d

External use via LDAPS

I fyou want to expose the ldaps external:

NodePort and Loadbalancer

create the following forward in your WAF / loadbalancer:

port 636 TCP forward to all cluster members on port 30636

haprox example:

frontend ldaps-traffic
    bind :636
    default_backend ldaps-backend
    mode tcp
    option tcplog

backend ldaps-backend
    balance roundrobin
    mode tcp
    server    elrond.pfpk.pro 152.53.254.46:30636 check
    server    morwen.pfpk.pro 152.53.186.68:30636 check
    server    nain.pfpk.pro 152.53.142.207:30636 check

Route in OKD and WAF / Loadbalancer

create a Route element with "passthrough" and let it terminate on the port 636 at the external service.
Give your loadbalancer a rule like in the above statement, but don't let it terminate on the nodes on port 30636, let them terminate on the OKD-routers on port 443
if you're loadbalancer is also a WAF you can break up the TLS traffic and use an LDAP filter in your WAF (here's an example for F5 BIG-IP https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-6-0/16.html )

Reference

based on https://www.port389.org/docs/389ds/howto/howto-deploy-389ds-on-openshift.html