---
# Headless Service for the dc1 domain controller.
#
# `clusterIP: None` turns this into a per-pod DNS entry instead of a virtual IP:
# the StatefulSet `dc1` references it via `serviceName`, which gives the pod the
# stable name dc1.samba-ad-dc1.samba-directory.svc.<cluster-domain>. Every named
# port below additionally produces an SRV record under that name.
apiVersion: v1
kind: Service
metadata:
  name: samba-ad-dc1
  namespace: samba-directory
  labels:
    app: samba-ad
    samba-role: dc1
spec:
  clusterIP: None
  # Publish the pod's A/AAAA record even while it is not Ready: a DC has to
  # resolve its own FQDN during provisioning and start-up, long before it could
  # pass a readiness check. (The dc1 pod defines no readinessProbe at all, so
  # in practice "Ready" already means "container started".)
  publishNotReadyAddresses: true
  selector:
    app: samba-ad
    samba-role: dc1
  # NOTE(review): 123/udp, 137/udp, 138/udp and 139/tcp are listed here but are
  # not among the dc1 container's declared ports, and the pod only runs `samba`,
  # which does not serve NTP on its own. These entries matter only for the SRV
  # records they create. The endpoint mapper is named `epm` here but `rpc-epmap`
  # on the other two Services; renaming it would change the generated SRV record,
  # so it is left alone.
  ports:
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
    - name: kerberos-tcp
      port: 88
      protocol: TCP
      targetPort: 88
    - name: kerberos-udp
      port: 88
      protocol: UDP
      targetPort: 88
    - name: ntp
      port: 123
      protocol: UDP
      targetPort: 123
    - name: epm
      port: 135
      protocol: TCP
      targetPort: 135
    - name: netbios-ns
      port: 137
      protocol: UDP
      targetPort: 137
    - name: netbios-dgm
      port: 138
      protocol: UDP
      targetPort: 138
    - name: netbios-ssn
      port: 139
      protocol: TCP
      targetPort: 139
    - name: ldap-tcp
      port: 389
      protocol: TCP
      targetPort: 389
    - name: ldap-udp
      port: 389
      protocol: UDP
      targetPort: 389
    - name: smb
      port: 445
      protocol: TCP
      targetPort: 445
    - name: kpasswd-tcp
      port: 464
      protocol: TCP
      targetPort: 464
    - name: kpasswd-udp
      port: 464
      protocol: UDP
      targetPort: 464
    - name: ldaps
      port: 636
      protocol: TCP
      targetPort: 636
    - name: gc
      port: 3268
      protocol: TCP
      targetPort: 3268
    - name: gc-ssl
      port: 3269
      protocol: TCP
      targetPort: 3269
    # Fixed DCE/RPC listener ports; these must match the `rpc server port`
    # settings in the samba-ad-config-dc1 smb.conf.
    - name: rpc-base
      port: 5000
      protocol: TCP
      targetPort: 5000
    - name: rpc-netlogon
      port: 5001
      protocol: TCP
      targetPort: 5001
    - name: rpc-lsarpc
      port: 5002
      protocol: TCP
      targetPort: 5002
    - name: rpc-samr
      port: 5003
      protocol: TCP
      targetPort: 5003
    - name: rpc-drsuapi
      port: 5004
      protocol: TCP
      targetPort: 5004
    - name: rpc-dnsserver
      port: 5005
      protocol: TCP
      targetPort: 5005
---
# smb.conf for the dc1 domain controller. The `dc1` StatefulSet bind-mounts the
# `smb.conf` key over /etc/samba/smb.conf (subPath mount), so the file is always
# present at that path: the start-up script's "smb.conf missing" test never
# fires and provisioning is gated on /var/lib/samba/.provisioned alone.
apiVersion: v1
kind: ConfigMap
metadata:
  name: samba-ad-config-dc1
  namespace: samba-directory
data:
  # Only the role, realm/domain identity and the fixed RPC ports are set; the
  # port numbers are the ones every Service in this file maps to, so the two
  # must be changed together.
  # NOTE(review): `samba-tool domain provision --use-rfc2307` writes its own
  # smb.conf, which this static file replaces. Anything the provisioner would
  # have added (e.g. the rfc2307 idmap setting) has to be added here by hand —
  # verify against a freshly provisioned smb.conf for the image's Samba version.
  # NOTE(review): no explicit hardening knobs (TLS, LDAP signing / strong auth,
  # minimum SMB protocol) are set, so the image's Samba defaults apply; confirm
  # those defaults match policy rather than relying on them implicitly.
  smb.conf: |
    [global]
    workgroup = UNDERCLOUD
    realm = UNDERCLOUD.LOCAL
    netbios name = DC1
    server role = active directory domain controller

    rpc server port = 5000
    rpc server port:netlogon = 5001
    rpc server port:lsarpc = 5002
    rpc server port:samr = 5003
    rpc server port:drsuapi = 5004
    rpc server port:dnsserver = 5005

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

    [netlogon]
    path = /var/lib/samba/sysvol/undercloud.local/scripts
    read only = No
---
# Single-replica StatefulSet running the `dc1` Samba Active Directory domain
# controller for realm UNDERCLOUD.LOCAL.
#
# Layout:
#   - /var/lib/samba and /etc/samba are persistent volume claims (cephfs-hyper);
#   - /etc/samba/smb.conf is overlaid from the samba-ad-config-dc1 ConfigMap;
#   - /bootstrap/bootstrap.ldif comes from the samba-ad-bootstrap ConfigMap
#     (its contents are not part of this file);
#   - every password the start-up script uses arrives through the
#     samba-ad-secrets Secret as environment variables.
# The container command provisions the domain on first start, applies the
# bootstrap LDIF once, then execs `samba` in the foreground.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dc1
  namespace: samba-directory
spec:
  # Headless Service (same file) that gives the pod its stable DNS name.
  serviceName: samba-ad-dc1
  # Exactly one DC per StatefulSet: the host name and netbios name are
  # hard-coded to dc1 below, so scaling this object up would not work.
  replicas: 1
  selector:
    matchLabels:
      app: samba-ad
      samba-role: dc1
  template:
    metadata:
      labels:
        app: samba-ad
        samba-role: dc1
    spec:
      terminationGracePeriodSeconds: 30
      # Must agree with `--host-name=dc1` in the provision step and with
      # `netbios name = DC1` in smb.conf.
      hostname: dc1
      containers:
        - name: samba-ad
          # NOTE(review): floating `latest` tag — any push to the registry rolls
          # a new Samba build onto the domain controller unreviewed. Pin a
          # version tag or, better, a digest (`image: ...@sha256:<digest>`).
          image: quay.io/samba.org/samba-ad-server:latest
          securityContext:
            capabilities:
              # NOTE(review): CAP_SYS_ADMIN is close to full root on the node
              # kernel. It is presumably needed for the security.* xattrs Samba
              # keeps on sysvol — confirm with the image's documentation; if so,
              # pair it with `drop: ["ALL"]` and add back only what is needed.
              # No runAsUser, allowPrivilegeEscalation or seccomp settings are
              # given, so the image defaults apply.
              add: ["SYS_ADMIN"]
          # ADMIN_PASSWORD plus one *_PASSWORD per bootstrap account, consumed by
          # the script in `args` below. NOTE(review): the script passes them to
          # samba-tool as command-line arguments, where they are readable from
          # /proc/<pid>/cmdline inside the pod for the duration of each call.
          envFrom:
            - secretRef:
                name: samba-ad-secrets
          # Informational; the Services in this file select the pod by label and
          # map to these numbers. 123/137/138/139 from the headless Service are
          # deliberately not declared here.
          ports:
            - { name: dns-tcp, containerPort: 53, protocol: TCP }
            - { name: dns-udp, containerPort: 53, protocol: UDP }
            - { name: kerberos-tcp, containerPort: 88, protocol: TCP }
            - { name: kerberos-udp, containerPort: 88, protocol: UDP }
            - { name: ldap-tcp, containerPort: 389, protocol: TCP }
            - { name: ldap-udp, containerPort: 389, protocol: UDP }
            - { name: smb, containerPort: 445, protocol: TCP }
            - { name: kpasswd-tcp, containerPort: 464, protocol: TCP }
            - { name: kpasswd-udp, containerPort: 464, protocol: UDP }
            - { name: ldaps, containerPort: 636, protocol: TCP }
            - { name: gc, containerPort: 3268, protocol: TCP }
            - { name: gc-ssl, containerPort: 3269, protocol: TCP }
            - { name: rpc-epmap, containerPort: 135, protocol: TCP }
            # Fixed RPC ports; must match `rpc server port*` in smb.conf.
            - { name: rpc-base, containerPort: 5000, protocol: TCP }
            - { name: rpc-netlogon, containerPort: 5001, protocol: TCP }
            - { name: rpc-lsarpc, containerPort: 5002, protocol: TCP }
            - { name: rpc-samr, containerPort: 5003, protocol: TCP }
            - { name: rpc-drsuapi, containerPort: 5004, protocol: TCP }
            - { name: rpc-dnsserver, containerPort: 5005, protocol: TCP }
          volumeMounts:
            # Databases (sam.ldb, private/, sysvol/) plus the .provisioned and
            # .bootstrap-ldif-applied markers that gate the start-up script.
            - name: samba-state
              mountPath: /var/lib/samba
            - name: samba-etc
              mountPath: /etc/samba
            - name: samba-bootstrap
              mountPath: /bootstrap
              readOnly: true
            # Overlays smb.conf from the ConfigMap on top of the samba-etc PVC.
            # Consequence: /etc/samba/smb.conf always exists, so the
            # `! -f /etc/samba/smb.conf` test in the script below never fires.
            # NOTE(review): the sibling bootstrap mount says `readOnly: true`;
            # this one does not (ConfigMap volumes are read-only regardless,
            # but the flag documents the intent) — add it for symmetry.
            - name: samba-config
              mountPath: /etc/samba/smb.conf
              subPath: smb.conf
          # -e: abort on the first failing command; -c: run the script in args.
          command: ["/bin/bash", "-ec"]
          args:
            - |
              set -euo pipefail
              # xtrace is not enabled above, so this is only a safeguard against
              # expanded ${..._PASSWORD} values ending up in the container log.
              set +x

              # First start (no marker) -> provision the domain. The second test
              # is always false: smb.conf is bind-mounted from the ConfigMap.
              if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then
                rm -f /var/lib/samba/.provisioned
                rm -f /var/lib/samba/.bootstrap-ldif-applied

                # NOTE(review): --adminpass on the command line exposes the value
                # through /proc/<pid>/cmdline while provisioning runs; -d 3 makes
                # the provisioning log verbose.
                samba-tool domain provision \
                  --server-role=dc \
                  --use-rfc2307 \
                  --dns-backend=SAMBA_INTERNAL \
                  --realm=UNDERCLOUD.LOCAL \
                  --domain=UNDERCLOUD \
                  --host-name=dc1 \
                  -d 3 \
                  --adminpass="${ADMIN_PASSWORD}"

                # Same copy is repeated unconditionally after this block.
                cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

                touch /var/lib/samba/.provisioned
              fi

              # /etc/krb5.conf is not on a persistent volume (only /etc/samba is),
              # so refresh it from the provisioned copy on every start.
              cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

              # One-shot bootstrap of accounts and group memberships. Runs only
              # until the marker exists; afterwards a changed *_PASSWORD in the
              # Secret has no effect on the directory (rotate with samba-tool or
              # remove the marker to re-run this block).
              if [ ! -f /var/lib/samba/.bootstrap-ldif-applied ]; then
                # Set the password of account $1 to $2 if the account exists.
                # NOTE(review): the `return 1` below runs under `set -e`, so a
                # missing account aborts the whole script at the call site — the
                # container never reaches `exec samba` — despite the "skipping"
                # message. If skipping is the intent the callers need `|| true`;
                # if fail-fast is the intent the message should say so.
                set_password_if_user_exists() {
                  local user="$1"
                  local password="$2"
                  if samba-tool user show "$user" >/dev/null 2>&1; then
                    echo "setting password for $user"
                    samba-tool user setpassword "$user" --newpassword="$password" >/dev/null
                  else
                    echo "user $user does not exist yet, skipping password set" >&2
                    return 1
                  fi
                }

                # Add $2 to group $1; failures (already a member, missing object)
                # are deliberately ignored.
                add_group_member_if_possible() {
                  local group="$1"
                  local member="$2"
                  echo "adding $member to $group"
                  samba-tool group addmembers "$group" "$member" >/dev/null 2>&1 || true
                }

                # Apply the bootstrap LDIF straight into sam.ldb. The `|| true` is
                # what lets a rerun survive objects that already exist — nothing
                # else here is a "continue mode" — but it also hides every other
                # failure, including a malformed LDIF. Only the per-account
                # checks below then notice that something was not created.
                ldbmodify -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif || true

                set_password_if_user_exists sebastian "${SEBASTIAN_PASSWORD}"
                set_password_if_user_exists glados "${GLADOS_PASSWORD}"
                set_password_if_user_exists shodan "${SHODAN_PASSWORD}"
                set_password_if_user_exists lam "${LAM_PASSWORD}"
                set_password_if_user_exists argocd "${ARGOCD_PASSWORD}"
                set_password_if_user_exists gitea "${GITEA_PASSWORD}"
                set_password_if_user_exists firewall "${FIREWALL_PASSWORD}"
                set_password_if_user_exists mailserver "${MAILSERVER_PASSWORD}"
                set_password_if_user_exists bookstack "${BOOKSTACK_PASSWORD}"
                set_password_if_user_exists nextcloud "${NEXTCLOUD_PASSWORD}"
                set_password_if_user_exists jellyfin "${JELLYFIN_PASSWORD}"
                set_password_if_user_exists bastillion "${BASTILLION_PASSWORD}"
                set_password_if_user_exists guacamole "${GUACAMOLE_PASSWORD}"
                set_password_if_user_exists synapse "${SYNAPSE_PASSWORD}"
                set_password_if_user_exists samba "${SAMBA_PASSWORD}"

                # NOTE(review): both of these become Domain Admins; `lam` is a
                # service account whose password also lives in the Secret.
                add_group_member_if_possible "Domain Admins" undercloud-administrators
                add_group_member_if_possible "Domain Admins" lam

                touch /var/lib/samba/.bootstrap-ldif-applied
              fi

              # Replace the shell with samba in foreground (-i: no daemonising).
              exec samba -i
      volumes:
        # Bootstrap LDIF (users/groups to create); defined outside this file.
        - name: samba-bootstrap
          configMap:
            name: samba-ad-bootstrap
        - name: samba-config
          configMap:
            name: samba-ad-config-dc1
  volumeClaimTemplates:
    # NOTE(review): ReadWriteMany on a shared filesystem permits a second pod to
    # mount the same claim concurrently. With replicas: 1 that does not happen
    # by itself, but Samba's LDB/TDB databases are not safe for multiple
    # writers — ReadWriteOnce would enforce the single-writer property.
    - metadata:
        name: samba-state
      spec:
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: 10Gi
        storageClassName: cephfs-hyper
    - metadata:
        name: samba-etc
      spec:
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: 1Gi
        storageClassName: cephfs-hyper
---
# Stable virtual IPs for *this* DC only (the selector includes samba-role: dc1).
# Presumably for consumers that must reach a specific DC — a static DNS
# resolver entry, a replication partner — as opposed to "any DC", which is what
# the `samba-ad` Service further down provides.
#
# NOTE(review): ClusterIP only, so reachable from inside the cluster and from
# whatever is routed to the service CIDRs; nothing in this file restricts which
# clients may talk to the DC.
apiVersion: v1
kind: Service
metadata:
  name: samba-ad-dc1-direct
  namespace: samba-directory
  labels:
    app: samba-ad
    samba-role: dc1
spec:
  type: ClusterIP
  internalTrafficPolicy: Cluster
  # Fixed, dual-stack ClusterIPs (IPv6 primary). They must lie inside the
  # cluster's service CIDRs and stay unique across Services; quoted so no YAML
  # loader is tempted to reinterpret the colon-separated form.
  clusterIP: "2001:470:7116:f:1::21"
  clusterIPs:
    - "2001:470:7116:f:1::21"
    - "10.0.91.21"
  ipFamilies:
    - IPv6
    - IPv4
  ipFamilyPolicy: PreferDualStack
  selector:
    app: samba-ad
    samba-role: dc1
  # Exactly the ports the dc1 container declares, with the same names.
  ports:
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
    - name: kerberos-tcp
      port: 88
      protocol: TCP
      targetPort: 88
    - name: kerberos-udp
      port: 88
      protocol: UDP
      targetPort: 88
    - name: ldap-tcp
      port: 389
      protocol: TCP
      targetPort: 389
    - name: ldap-udp
      port: 389
      protocol: UDP
      targetPort: 389
    - name: smb
      port: 445
      protocol: TCP
      targetPort: 445
    - name: kpasswd-tcp
      port: 464
      protocol: TCP
      targetPort: 464
    - name: kpasswd-udp
      port: 464
      protocol: UDP
      targetPort: 464
    - name: ldaps
      port: 636
      protocol: TCP
      targetPort: 636
    - name: gc
      port: 3268
      protocol: TCP
      targetPort: 3268
    - name: gc-ssl
      port: 3269
      protocol: TCP
      targetPort: 3269
    - name: rpc-epmap
      port: 135
      protocol: TCP
      targetPort: 135
    # Fixed DCE/RPC listener ports; must match `rpc server port*` in the
    # samba-ad-config-dc1 smb.conf.
    - name: rpc-base
      port: 5000
      protocol: TCP
      targetPort: 5000
    - name: rpc-netlogon
      port: 5001
      protocol: TCP
      targetPort: 5001
    - name: rpc-lsarpc
      port: 5002
      protocol: TCP
      targetPort: 5002
    - name: rpc-samr
      port: 5003
      protocol: TCP
      targetPort: 5003
    - name: rpc-drsuapi
      port: 5004
      protocol: TCP
      targetPort: 5004
    - name: rpc-dnsserver
      port: 5005
      protocol: TCP
      targetPort: 5005
---
# Cluster-wide entry point for "any domain controller": the selector matches
# every pod labelled app=samba-ad regardless of samba-role, so a second DC
# StatefulSet carrying the same label automatically joins this pool.
apiVersion: v1
kind: Service
metadata:
  name: samba-ad
  namespace: samba-directory
  labels:
    app: samba-ad
spec:
  type: ClusterIP
  internalTrafficPolicy: Cluster
  # Pin each client IP to one backend DC for three hours so a client's Kerberos,
  # LDAP and DNS traffic keeps landing on the same DC — presumably to avoid
  # observing replication lag between DCs mid-session. Affinity is keyed on
  # the source address only, so everything behind one NAT shares a DC.
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  # Fixed, dual-stack ClusterIPs (IPv6 primary); quoted so no YAML loader is
  # tempted to reinterpret the colon-separated form.
  clusterIP: "2001:470:7116:f:1::20"
  clusterIPs:
    - "2001:470:7116:f:1::20"
    - "10.0.91.20"
  ipFamilies:
    - IPv6
    - IPv4
  ipFamilyPolicy: PreferDualStack
  selector:
    app: samba-ad
  # NOTE(review): the fixed RPC ports 5000-5005 only work through a pooled
  # Service if every DC behind it uses the same `rpc server port` settings as
  # samba-ad-config-dc1; the smb.conf of any other DC is not in this file.
  ports:
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
    - name: kerberos-tcp
      port: 88
      protocol: TCP
      targetPort: 88
    - name: kerberos-udp
      port: 88
      protocol: UDP
      targetPort: 88
    - name: ldap-tcp
      port: 389
      protocol: TCP
      targetPort: 389
    - name: ldap-udp
      port: 389
      protocol: UDP
      targetPort: 389
    - name: smb
      port: 445
      protocol: TCP
      targetPort: 445
    - name: kpasswd-tcp
      port: 464
      protocol: TCP
      targetPort: 464
    - name: kpasswd-udp
      port: 464
      protocol: UDP
      targetPort: 464
    - name: ldaps
      port: 636
      protocol: TCP
      targetPort: 636
    - name: gc
      port: 3268
      protocol: TCP
      targetPort: 3268
    - name: gc-ssl
      port: 3269
      protocol: TCP
      targetPort: 3269
    - name: rpc-epmap
      port: 135
      protocol: TCP
      targetPort: 135
    - name: rpc-base
      port: 5000
      protocol: TCP
      targetPort: 5000
    - name: rpc-netlogon
      port: 5001
      protocol: TCP
      targetPort: 5001
    - name: rpc-lsarpc
      port: 5002
      protocol: TCP
      targetPort: 5002
    - name: rpc-samr
      port: 5003
      protocol: TCP
      targetPort: 5003
    - name: rpc-drsuapi
      port: 5004
      protocol: TCP
      targetPort: 5004
    - name: rpc-dnsserver
      port: 5005
      protocol: TCP
      targetPort: 5005