Create LDAP service in the namespace:
kubectl apply -f dev-openldap-manifest.yamlAdd the LDAP schema and sample LDAP entities:
OPENLDAP_POD=$(kubectl get pod -l app=openldap -o jsonpath={.items[*].metadata.name})
kubectl cp example.ldif ${OPENLDAP_POD}:/
kubectl cp ldap-bootstrap.sh ${OPENLDAP_POD}:/
kubectl exec ${OPENLDAP_POD} bash /ldap-bootstrap.shVerify if users and groups are added:
ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w ${LDAP_ADMIN_PASSWORD}kubectl apply -f dev-minio-manifest.yamlkubectl apply -f etcd-persistence-cluster.yaml- In the
dev-pion-proxyingress, change the host to proper value. The default ispion-gw.example.org - In the
dev-pion-uiingress, change the host to proper value. The default ispion.example.org
Deploy services with following command:
kubectl apply -f dev-pion-manifest.yamlForward port of the manager service:
$ k port-forward dev-pion-manager-588d9c784c-w8qsp 8080Create customer-1:
curl -X POST \
http://localhost:8080/_internal/customers \
-H 'Content-Type: application/json' \
-d '{
"name": "customer1",
"groups": ["group_customer1"],
"userIDs": []
}'
curl -X POST \
http://localhost:8080/_internal/customers \
-H 'Content-Type: application/json' \
-d '{
"name": "customer2",
"groups": ["group_customer2"],
"userIDs": []
}'
List current customers:
$ curl http://localhost:8080/_internal/customers
[
{
"name": "customer1",
"createdAt": "2019-10-07T14:42:42.64511046Z",
"modifiedAt": "2019-10-07T14:42:42.64511046Z",
"groups": [
"group_customer1"
],
"userIDs": []
},
{
"name": "customer2",
"createdAt": "2019-10-07T14:43:02.861132768Z",
"modifiedAt": "2019-10-07T14:43:02.861132768Z",
"groups": [
"group_customer2"
],
"userIDs": []
},
{
"name": "pion",
"createdAt": "2019-10-04T11:01:46.885781632Z",
"modifiedAt": "2019-10-04T11:01:46.885781632Z",
"groups": [
"pion_users",
"pion_admins"
],
"userIDs": null
}
]This command set billy as the admin of all customers
$ kubectl exec $(kubectl get pod -l component=manager -o jsonpath={.items[*].metadata.name}) -- /opt/bootstrap --admin-user billy
I1009 14:58:26.621235 10 bootstrap.go:22] Adding 'billy' as the Admin of the system
I1009 14:58:26.630980 10 bootstrap.go:30] Adding system level role-binding
I1009 14:58:26.645739 10 bootstrap.go:34] Role-binding 'default-admin-rb' existed, deleting
I1009 14:58:26.703291 10 bootstrap.go:45] Created role-binding: {default-admin-rb 0001-01-01 00:00:00 +0000 UTC [{user billy}] admin}-
Login to customer
customer1with user/passwordbilly/billy. -
Create a role-binding for user alice as editor.
-
Login to customer
customer1with useralice/alice -
Create a new bucket:
customer1-testbucket -
Generate access/secret keys for billy.
-
Remember to use correct region and signature version:
$ cat ~/.aws/config [default] region = us-east-1 signature_version = s3v4 -
Use AWS CLI to access the created bucket:
export AWS_ACCESS_KEY_ID=pion-0f286e8a39e083fa840919bcd8545329 export AWS_SECRET_ACCESS_KEY=276957a66127ea8f171a45445995af3ebd7f0ef4c5d5be416d0fc400c95b0e5a aws s3 --endpoint=https://pion-gw.example.org --no-verify-ssl ls
-
Login to
customer2with the super-admidbilly/billy. -
Create role-binding for group
group_customer2asUserrole -
Logout and login again to
customer2with userdave/dave. -
Generate access key for
dave -
Use AWS CLI to access the buckets of the
customer2:export AWS_ACCESS_KEY_ID=pion-efef06346b8150c5e1d19d3f2281e1c5 export AWS_SECRET_ACCESS_KEY=663da98784afdd0f71eba4474e36dc358c13f3adfe06c6dbcfb6135c72002dfc aws s3 --endpoint=https://pion-gw.example.org --no-verify-ssl mb s3://customer2-bucket aws s3 --endpoint=https://pion-gw.example.org --no-verify-ssl ls
-
Verify that buckets created by
customer1does not show to users ofcustomer2