From 1a37b29798dd4729577c0d2496a29b1b33a5a4bb Mon Sep 17 00:00:00 2001
From: icicimov
Date: Wed, 10 Oct 2018 11:08:52 +1100
Subject: [PATCH] Add RBAC support

---
 README.md | 4 +++
 k8s-rbac.yaml | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 k8s-rbac.yaml

diff --git a/README.md b/README.md
index 3df436c..f9fba23 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,10 @@ Use this in order to provide a ingress authentication over LDAP for Kubernetes,
 
     kubectl apply -f k8s.yaml
 
+For RBAC enabled cluster use the k8s-rbac.yaml manifest instead:
+
+    kubectl apply -f k8s-rbac.yaml
+
 Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
 
 ## Config
diff --git a/k8s-rbac.yaml b/k8s-rbac.yaml
new file mode 100644
index 0000000..c78c1dc
--- /dev/null
+++ b/k8s-rbac.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx-ldap-auth
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: nginx-ldap-auth
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - "nginx-ldap-auth"
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - "nginx-ldap-auth"
+    verbs:
+      - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: nginx-ldap-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nginx-ldap-auth
+subjects:
+- kind: ServiceAccount
+  name: nginx-ldap-auth
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nginx-ldap-auth
+spec:
+  type: ClusterIP
+  ports:
+  - name: nginx-ldap-auth
+    port: 5555
+    protocol: TCP
+    targetPort: 5555
+  selector:
+    app: nginx-ldap-auth
+
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+  name: nginx-ldap-auth
+  labels:
+    app: nginx-ldap-auth
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx-ldap-auth
+    spec:
+      serviceAccountName: nginx-ldap-auth
+      containers:
+      - image: docker.io/tpimenta/nginx-ldap-auth:v1.0.0
+        name: nginx-ldap-auth
+        command:
+        - "nginx-ldap-auth"
+        - "--config"
+        - "/etc/nginx-ldap-auth/config.yaml"
+        ports:
+        - name: http
+          containerPort: 5555
+        volumeMounts:
+        - name: config
+          mountPath: /etc/nginx-ldap-auth
+      volumes:
+      - name: config
+        secret:
+          secretName: nginx-ldap-auth
+          items:
+          - key: config.yaml
+            path: config.yaml
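Review bot: The Role grants API `get` on the `nginx-ldap-auth` Secret and ConfigMap, but the Deployment in the same hunk already delivers that Secret to the pod as a mounted volume, which the kubelet fetches with its own credentials, so unless the `nginx-ldap-auth` binary also reads the API (not visible here) the RoleBinding plus the automatically mounted service-account token hand the pod a secret-read permission it never uses. If the process does not talk to the API, add `automountServiceAccountToken: false` to the pod spec and drop the Role/RoleBinding; if it does, keep the `resourceNames` scoping as written, since that is what confines the grant to these two objects. `rbac.authorization.k8s.io/v1beta1` and `extensions/v1beta1` were removed in Kubernetes 1.22 and 1.16 respectively, and `rbac.authorization.k8s.io/v1` plus `apps/v1` (which requires a `spec.selector`) are drop-in replacements here. The pod also runs with no `securityContext` or resource limits, and because the ingress controller forwards client credentials to this ClusterIP service over plain HTTP reachable from any namespace, a NetworkPolicy admitting only the ingress-controller namespace is worth shipping alongside this manifest.
```yaml
kind: Deployment
apiVersion: apps/v1
# … unchanged: metadata …
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ldap-auth
  template:
    # … unchanged: pod metadata/labels …
    spec:
      serviceAccountName: nginx-ldap-auth
      # the config Secret is mounted by the kubelet; no API token needed in-pod
      automountServiceAccountToken: false
      # … unchanged: containers, volumes …
```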