First commit

Dockerfile

@@ -0,0 +1,24 @@
+FROM golang:alpine
+
+COPY src /go/src/github.com/tiagoapimenta/nginx-ldap-auth
+
+RUN cd /go/src/github.com/tiagoapimenta/nginx-ldap-auth &&
+	go get -u gopkg.in/yaml.v2 &&
+	go get -u gopkg.in/ldap.v2 &&
+	go build -ldflags='-s -w' -v -o /go/bin/nginx-ldap-auth .
+
+FROM alpine
+
+MAINTAINER Tiago A. Pimenta <tiagoapimenta@gmail.com>
+
+COPY --from=0 /go/bin/nginx-ldap-auth/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth
+
+WORKDIR /tmp
+
+VOLUME /etc/nginx-ldap-auth
+
+EXPOSE 5555
+
+USER nouser
+
+CMD [ "nginx-ldap-auth", "--config", "/etc/nginx-ldap-auth/config.yaml" ]

LICENSE

@@ -0,0 +1,17 @@
+Copyright (c) 2018 Tiago A. Pimenta
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must not
+   claim that you wrote the original software. If you use this software
+   in a product, an acknowledgment in the product documentation would be
+   appreciated but is not required.
+2. Altered source versions must be plainly marked as such, and must not be
+   misrepresented as being the original software.
+3. This notice may not be removed or altered from any source distribution.

README.md

@@ -0,0 +1,7 @@
+# Nginx LDAP Auth
+
+Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the ConfigMap inside `k8s.yaml` to match your LDAP server and run:
+
+    kubectl apply -f k8s.yaml
+
+Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/):

k8s.yaml

@@ -0,0 +1,76 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: nginx-ldap-auth
+data:
+  config.yaml: |
+    web: 0.0.0.0:5555
+    servers:
+    - ldaps://ldap1.example.com:636
+    - ldaps://ldap2.example.com:636
+    - ldaps://ldap3.example.com:636
+    auth:
+      bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+      bindPW: password
+    user:
+      bindDN: cn=users,dc=example,dc=com
+      filter: "(objectClass=person)"
+      username: uid
+      requiredGroups:
+      - appAdmin
+    group:
+      baseDN: cn=groups,dc=freeipa,dc=example,dc=com
+      filter: "(objectClass=group)"
+      userAttr: uid
+      groupAttr: member
+    timeout:
+      success: 24h
+      wrong: 5m
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-ldap-auth
+spec:
+  type: ClusterIP
+  ports:
+  - name: nginx-ldap-auth
+    port: 5555
+    protocol: TCP:
+    targetPort: 5555
+  selector:
+    app: nginx-ldap-auth
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: nginx-ldap-auth
+  labels:
+    app: nginx-ldap-auth
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx-ldap-auth
+    spec:
+      containers:
+      - image: docker.io/tpimenta/nginx-ldap-auth:latest
+        name: nginx-ldap-auth
+        command:
+          - "nginx-ldap-auth"
+          - "--config"
+          - "/etc/nginx-ldap-auth/config.yaml"
+        ports:
+        - name: http
+          containerPort: 5555
+        volumeMounts:
+        - name: config
+          mountPath: /etc/nginx-ldap-auth
+      volumes:
+      - name: config
+        secret:
+          secretName: nginx-ldap-auth
+          items:
+          - key: config.yaml
+            path: config.yaml

src/config.go

@@ -0,0 +1,36 @@
+package main
+
+import "time"
+
+type AuthConfig struct {
+	BindDN string `yaml:"bindDN"`
+	BindPW string `yaml:"bindPW"`
+}
+
+type UserConfig struct {
+	BindDN         string   `yaml:"bindDN"`
+	Filter         string   `yaml:"filter"`
+	UserAttr       string   `yaml:"userAttr"`
+	RequiredGroups []string `yaml:"requiredGroups"`
+}
+
+type GroupConfig struct {
+	BindDN    string `yaml:"bindDN"`
+	Filter    string `yaml:"filter"`
+	UserAttr  string `yaml:"userAttr"`
+	GroupAttr string `yaml:"member"`
+}
+
+type TimeoutConfig struct {
+	Success time.Duration `yaml:"success"`
+	Wrong   time.Duration `yaml:"wrong"`
+}
+
+type Config struct {
+	Web     string        `yaml:"web"`
+	Servers []string      `yaml:"servers"`
+	Auth    AuthConfig    `yaml:"auth"`
+	User    UserConfig    `yaml:"user"`
+	Group   GroupConfig   `yaml:"group"`
+	Timeout TimeoutConfig `yaml:"timeout"`
+}

src/main.go

@@ -0,0 +1,13 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+)
+
+var config = flag.String("config", "/etc/nginx-ldap-auth/config.yaml", "Configuration file")
+
+func main() {
+	flag.Parse()
+	fmt.Printf("Value of config: %s\n", *config)
+}