First commit
This commit is contained in:
commit
079fe62bc9
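--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:alpine
+
+COPY src /go/src/github.com/tiagoapimenta/nginx-ldap-auth
+
+RUN cd /go/src/github.com/tiagoapimenta/nginx-ldap-auth &&
+go get -u gopkg.in/yaml.v2 &&
+go get -u gopkg.in/ldap.v2 &&
+go build -ldflags='-s -w' -v -o /go/bin/nginx-ldap-auth .
+
+FROM alpine
+
+MAINTAINER Tiago A. Pimenta <tiagoapimenta@gmail.com>
+
+COPY --from=0 /go/bin/nginx-ldap-auth/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth
+
+WORKDIR /tmp
+
+VOLUME /etc/nginx-ldap-auth
+
+EXPOSE 5555
+
+USER nouser
+
+CMD [ "nginx-ldap-auth", "--config", "/etc/nginx-ldap-auth/config.yaml" ]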
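Review bot: The second-stage `COPY --from=0 /go/bin/nginx-ldap-auth/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth` does not match the build output: `go build -o /go/bin/nginx-ldap-auth` writes a single file at that path, so the source path treats that file as a directory and the copy cannot succeed; it should read `COPY --from=0 /go/bin/nginx-ldap-auth /usr/local/bin/nginx-ldap-auth`. `USER nouser` names an account the image never creates and the base `alpine` image does not ship, so the container is unlikely to start; add an `adduser` step before it (or use the existing `nobody`), which also keeps the process unprivileged as intended. The `RUN cd … &&` line and the three lines after it show no `\` continuation; if that is not a rendering artefact, the `go get` and `go build` lines are not part of the `RUN` instruction at all. The `go get -u` calls fetch whatever those packages' current revisions are at build time, so the image is not reproducible and pulls unpinned third-party code; pin the dependency versions.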
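--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,17 @@
+Copyright (c) 2018 Tiago A. Pimenta
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must not
+claim that you wrote the original software. If you use this software
+in a product, an acknowledgment in the product documentation would be
+appreciated but is not required.
+2. Altered source versions must be plainly marked as such, and must not be
+misrepresented as being the original software.
+3. This notice may not be removed or altered from any source distribution.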
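--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Nginx LDAP Auth
+
+Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the ConfigMap inside `k8s.yaml` to match your LDAP server and run:
+
+kubectl apply -f k8s.yaml
+
+Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/):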
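--- /dev/null
+++ b/k8s.yaml
@@ -0,0 +1,76 @@
+kind: Secret
+apiVersion: v1
+metadata:
+name: nginx-ldap-auth
+data:
+config.yaml: |
+web: 0.0.0.0:5555
+servers:
+- ldaps://ldap1.example.com:636
+- ldaps://ldap2.example.com:636
+- ldaps://ldap3.example.com:636
+auth:
+bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+bindPW: password
+user:
+bindDN: cn=users,dc=example,dc=com
+filter: "(objectClass=person)"
+username: uid
+requiredGroups:
+- appAdmin
+group:
+baseDN: cn=groups,dc=freeipa,dc=example,dc=com
+filter: "(objectClass=group)"
+userAttr: uid
+groupAttr: member
+timeout:
+success: 24h
+wrong: 5m
+---
+kind: Service
+apiVersion: v1
+metadata:
+name: nginx-ldap-auth
+spec:
+type: ClusterIP
+ports:
+- name: nginx-ldap-auth
+port: 5555
+protocol: TCP:
+targetPort: 5555
+selector:
+app: nginx-ldap-auth
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+name: nginx-ldap-auth
+labels:
+app: nginx-ldap-auth
+spec:
+replicas: 1
+template:
+metadata:
+labels:
+app: nginx-ldap-auth
+spec:
+containers:
+- image: docker.io/tpimenta/nginx-ldap-auth:latest
+name: nginx-ldap-auth
+command:
+- "nginx-ldap-auth"
+- "--config"
+- "/etc/nginx-ldap-auth/config.yaml"
+ports:
+- name: http
+containerPort: 5555
+volumeMounts:
+- name: config
+mountPath: /etc/nginx-ldap-auth
+volumes:
+- name: config
+secret:
+secretName: nginx-ldap-auth
+items:
+- key: config.yaml
+path: config.yaml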
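Review bot: The Secret places the plain-text `config.yaml` block under `data:`, which the API server requires to be base64-encoded, so `kubectl apply` will reject this manifest; use `stringData:` for literal content (or base64-encode the block). `protocol: TCP:` in the Service carries a trailing colon and is not a valid protocol value. Several keys in the embedded config do not match the struct tags in src/config.go — `username` vs `userAttr`, `group.baseDN` vs `bindDN`, and `groupAttr` vs the `member` tag — so those values would be silently dropped on decode; this applies to the src/config.go section as well. The bind account password (`bindPW`) sits in the same mounted file as everything else, so any dump or log of the loaded configuration exposes it; a separate secret key for the password would narrow that. The Deployment sets no `securityContext`, leaving the image's `USER` as the only thing keeping the process unprivileged; `runAsNonRoot: true` would enforce it regardless of the image.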
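--- /dev/null
+++ b/src/config.go
@@ -0,0 +1,36 @@
+package main
+
+import "time"
+
+type AuthConfig struct {
+BindDN string `yaml:"bindDN"`
+BindPW string `yaml:"bindPW"`
+}
+
+type UserConfig struct {
+BindDN string `yaml:"bindDN"`
+Filter string `yaml:"filter"`
+UserAttr string `yaml:"userAttr"`
+RequiredGroups []string `yaml:"requiredGroups"`
+}
+
+type GroupConfig struct {
+BindDN string `yaml:"bindDN"`
+Filter string `yaml:"filter"`
+UserAttr string `yaml:"userAttr"`
+GroupAttr string `yaml:"member"`
+}
+
+type TimeoutConfig struct {
+Success time.Duration `yaml:"success"`
+Wrong time.Duration `yaml:"wrong"`
+}
+
+type Config struct {
+Web string `yaml:"web"`
+Servers []string `yaml:"servers"`
+Auth AuthConfig `yaml:"auth"`
+User UserConfig `yaml:"user"`
+Group GroupConfig `yaml:"group"`
+Timeout TimeoutConfig `yaml:"timeout"`
+}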
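Review bot: None of the five exported types carries a doc comment, and the field names alone do not say what they configure, so a reader has only the YAML tags to go on. Add one per type, e.g. `// AuthConfig holds the DN and password used to bind to the directory before searching.` and `// TimeoutConfig controls how long a successful and a failed authentication result are kept.` (the latter is what `success`/`wrong` appear to mean — confirm against the code that consumes them when it lands). `BindPW` is a credential embedded in `Config`; a comment such as `// BindPW is a secret; never log Config with %v or %+v.` would keep it out of debug output. The `yaml:"member"` tag on `GroupAttr` and the other key/tag mismatches are raised in the k8s.yaml note.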
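--- /dev/null
+++ b/src/main.go
@@ -0,0 +1,13 @@
+package main
+
+import (
+"flag"
+"fmt"
+)
+
+var config = flag.String("config", "/etc/nginx-ldap-auth/config.yaml", "Configuration file")
+
+func main() {
+flag.Parse()
+fmt.Printf("Value of config: %s\n", *config)
+}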
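Review bot: `config` as the package-level name for the `*string` flag reads as if it were the `Config` struct declared in src/config.go, and every later use will have to distinguish the two; `var configPath = flag.String("config", "/etc/nginx-ldap-auth/config.yaml", "Configuration file")` makes the distinction obvious. The value is only echoed with `fmt.Printf` and never opened, so nothing yet checks that the path exists or is readable; when the loader is added, an unreadable or unparsable file should be reported as an error and terminate startup rather than be printed. A short doc comment on the flag, e.g. `// configPath is the YAML configuration file; the default matches the Dockerfile CMD and k8s.yaml.`, would tie the three places that repeat this path together.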