From 079fe62bc9dd20a69afb4c79b6bcb7626158ea67 Mon Sep 17 00:00:00 2001 From: Tiago Augusto Pimenta Date: Sat, 15 Sep 2018 09:43:38 -0300 Subject: [PATCH] First commit --- Dockerfile | 24 ++++++++++++++++ LICENSE | 17 ++++++++++++ README.md | 7 +++++ k8s.yaml | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/config.go | 36 ++++++++++++++++++++++++ src/main.go | 13 +++++++++ 6 files changed, 173 insertions(+) create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 README.md create mode 100644 k8s.yaml create mode 100644 src/config.go create mode 100644 src/main.go
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..118894e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:alpine
+
+COPY src /go/src/github.com/tiagoapimenta/nginx-ldap-auth
+
+RUN cd /go/src/github.com/tiagoapimenta/nginx-ldap-auth &&
+ go get -u gopkg.in/yaml.v2 &&
+ go get -u gopkg.in/ldap.v2 &&
+ go build -ldflags='-s -w' -v -o /go/bin/nginx-ldap-auth .
+
+FROM alpine
+
+MAINTAINER Tiago A. Pimenta
+
+COPY --from=0 /go/bin/nginx-ldap-auth/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth
+
+WORKDIR /tmp
+
+VOLUME /etc/nginx-ldap-auth
+
+EXPOSE 5555
+
+USER nouser
+
+CMD [ "nginx-ldap-auth", "--config", "/etc/nginx-ldap-auth/config.yaml" ]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..c8addb5
--- /dev/null
+++ b/LICENSE
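Review bot: The second-stage `COPY --from=0 /go/bin/nginx-ldap-auth/nginx-ldap-auth ...` names a path below the binary, but the first stage's `go build -o /go/bin/nginx-ldap-auth .` writes a single file at `/go/bin/nginx-ldap-auth`, so that source path cannot resolve; use `COPY --from=0 /go/bin/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth`. `USER nouser` refers to an account the stock `alpine` image does not appear to ship, which would make the container fail to start; either create it before the `USER` line (`RUN adduser -D -H nouser`) or switch to the built-in `nobody`. The base images and the two `go get -u` fetches are all unpinned, so every rebuild pulls whatever is current for `gopkg.in/yaml.v2`, `gopkg.in/ldap.v2` and Alpine; pinning image tags and dependency versions would make the image reproducible and auditable. As rendered here the `RUN` continuation lines carry no trailing backslash; if that is not a rendering artifact, only the `cd ... &&` line is part of the `RUN` and the three `go` lines would be rejected as unknown instructions.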
@@ -0,0 +1,17 @@
+Copyright (c) 2018 Tiago A. Pimenta
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software
+ in a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+2. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+3. This notice may not be removed or altered from any source distribution.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..79af4dd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Nginx LDAP Auth
+
+Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the ConfigMap inside `k8s.yaml` to match your LDAP server and run:
+
+ kubectl apply -f k8s.yaml
+
+Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/):
diff --git a/k8s.yaml b/k8s.yaml
new file mode 100644
index 0000000..4067a54
--- /dev/null
+++ b/k8s.yaml
@@ -0,0 +1,76 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: nginx-ldap-auth
+data:
+ config.yaml: |
+ web: 0.0.0.0:5555
+ servers:
+ - ldaps://ldap1.example.com:636
+ - ldaps://ldap2.example.com:636
+ - ldaps://ldap3.example.com:636
+ auth:
+ bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+ bindPW: password
+ user:
+ bindDN: cn=users,dc=example,dc=com
+ filter: "(objectClass=person)"
+ username: uid
+ requiredGroups:
+ - appAdmin
+ group:
+ baseDN: cn=groups,dc=freeipa,dc=example,dc=com
+ filter: "(objectClass=group)"
+ userAttr: uid
+ groupAttr: member
+ timeout:
+ success: 24h
+ wrong: 5m
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: nginx-ldap-auth
+spec:
+ type: ClusterIP
+ ports:
+ - name: nginx-ldap-auth
+ port: 5555
+ protocol: TCP:
+ targetPort: 5555
+ selector:
+ app: nginx-ldap-auth
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: nginx-ldap-auth
+ labels:
+ app: nginx-ldap-auth
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: nginx-ldap-auth
+ spec:
+ containers:
+ - image: docker.io/tpimenta/nginx-ldap-auth:latest
+ name: nginx-ldap-auth
+ command:
+ - "nginx-ldap-auth"
+ - "--config"
+ - "/etc/nginx-ldap-auth/config.yaml"
+ ports:
+ - name: http
+ containerPort: 5555
+ volumeMounts:
+ - name: config
+ mountPath: /etc/nginx-ldap-auth
+ volumes:
+ - name: config
+ secret:
+ secretName: nginx-ldap-auth
+ items:
+ - key: config.yaml
+ path: config.yaml
diff --git a/src/config.go b/src/config.go
new file mode 100644
index 0000000..28a6a1c
--- /dev/null
+++ b/src/config.go
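Review bot: `protocol: TCP:` in the Service port carries a stray trailing colon, which makes the value a nested mapping or an outright parse error rather than the string `TCP`, so the manifest is rejected on apply; it should read `protocol: TCP`. The Secret places the `config.yaml` literal under `data:` as plain text, but the API requires `data` values to be base64-encoded, so this document will also fail to apply as written; moving the block under `stringData:` lets the API server encode it on write and keeps the manifest readable. The sample bind DN `uid=seviceaccount,...` looks like a typo for `serviceaccount`, and `image: ...:latest` means the running auth service cannot be pinned to a reviewed build. The Deployment is declared as `apiVersion: extensions/v1beta1`, which is deprecated in favour of `apps/v1` (the latter additionally needs a `spec.selector` matching the pod labels).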
@@ -0,0 +1,36 @@
+package main
+
+import "time"
+
+type AuthConfig struct {
+ BindDN string `yaml:"bindDN"`
+ BindPW string `yaml:"bindPW"`
+}
+
+type UserConfig struct {
+ BindDN string `yaml:"bindDN"`
+ Filter string `yaml:"filter"`
+ UserAttr string `yaml:"userAttr"`
+ RequiredGroups []string `yaml:"requiredGroups"`
+}
+
+type GroupConfig struct {
+ BindDN string `yaml:"bindDN"`
+ Filter string `yaml:"filter"`
+ UserAttr string `yaml:"userAttr"`
+ GroupAttr string `yaml:"member"`
+}
+
+type TimeoutConfig struct {
+ Success time.Duration `yaml:"success"`
+ Wrong time.Duration `yaml:"wrong"`
+}
+
+type Config struct {
+ Web string `yaml:"web"`
+ Servers []string `yaml:"servers"`
+ Auth AuthConfig `yaml:"auth"`
+ User UserConfig `yaml:"user"`
+ Group GroupConfig `yaml:"group"`
+ Timeout TimeoutConfig `yaml:"timeout"`
+}
diff --git a/src/main.go b/src/main.go
new file mode 100644
index 0000000..bab31c1
--- /dev/null
+++ b/src/main.go
@@ -0,0 +1,13 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+)
+
+var config = flag.String("config", "/etc/nginx-ldap-auth/config.yaml", "Configuration file")
+
+func main() {
+ flag.Parse()
+ fmt.Printf("Value of config: %s\n", *config)
+}
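Review bot: `GroupAttr string `yaml:"member"`` tags the field with what the sample config uses as the value rather than its key, so the `groupAttr: member` entry in `k8s.yaml` would never populate it; the tag should be `yaml:"groupAttr"`. In the same hunk `GroupConfig.BindDN` is tagged `bindDN` where the sample writes `baseDN`, and `UserConfig.UserAttr` is tagged `userAttr` where the sample writes `username`, so with yaml.v2's default non-strict decoding those values would silently stay empty and the group-membership check would run against blank attribute names; either the tags or the sample keys need to agree, and decoding with `yaml.UnmarshalStrict` once the loader exists would surface such drift immediately. The five exported types also lack doc comments; for example `// Config is the top-level configuration read from the YAML file named by --config.` on `Config`, a one-line comment on each of the other types, and a note on `AuthConfig` that `BindPW` is a credential and must not be logged or echoed.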