Extracted secret

2018-10-09 09:29:36 -03:00 · 2018-10-09 09:29:36 -03:00 · 83b51c0bdf
parent 8bf61afe71
commit 83b51c0bdf
3 changed files with 44 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,27 @@
 # Nginx LDAP Auth

-Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `k8s.yaml` to match your LDAP server and run:
+Use this in order to provide a ingress authentication over LDAP for Kubernetes, change the Secret inside `config.sample.yaml` to match your LDAP server and run:
+
+    kubectl create secret generic nginx-ldap-auth --from-file=config.yaml=config.sample.yaml

    kubectl apply -f k8s.yaml

-Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/):
+Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
+
+## Config
+
+The actual version choose a random server, in future version it is intended to have a pool of them, that is why it is a list, not a single one, but you can fill only one if you wish.
+
+The prefix tell the program which protocol to use, if `ldaps://` it will try LDAP over SSL, if `ldap://` it will try plain LDAP with STARTTLS, case no prefix is given it will try to guess based on port, 636 for SSL and 389 for plain.
+
+The actual version will fail if neither SSL or STARTTLS is possible, but next version will allow plain LDAP.
+
+If the `user.requiredGroups` list is omited or empty all LDAP users will be allowed regardless the group, if not empty all groups will be required, the next version will have more flexible configuration.
+
+If you are not sure what `filter`, `bindDN` or `baseDN` to use, here is a tip:
+
+    ldapsearch -H ${servers[*]} -D ${auth.bindDN} -w ${auth.bindPW} -b ${user.baseDN|group.baseDN} ${user.filter|group.filter}
+
+Replace the values between `${...}` to the ones on `config.yaml`, when you succeed you can fill the final configuration.
+
+Timeouts are configurable, but it is recommended not to use values less than some seconds, it was planned to prevent several identical requests to LDAP servers.
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -0,0 +1,21 @@
+web: 0.0.0.0:5555
+path: /
+servers:
+- ldaps://ldap1.example.com:636
+- ldaps://ldap2.example.com:636
+- ldaps://ldap3.example.com:636
+auth:
+  bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
+  bindPW: password
+user:
+  baseDN: ou=users,dc=example,dc=com
+  filter: "(cn={0})"
+  requiredGroups:
+  - appAdmin
+group:
+  baseDN: ou=groups,dc=example,dc=com
+  groupAttr: cn
+  filter: "(member={0})"
+timeout:
+  success: 24h
+  wrong: 5m
--- a/k8s.yaml
+++ b/k8s.yaml
@ -1,32 +1,3 @@
-kind: Secret
-apiVersion: v1
-metadata:
-  name: nginx-ldap-auth
-data:
-  config.yaml: |
-    web: 0.0.0.0:5555
-    path: /
-    message: "LDAP Login"
-    servers:
-    - ldaps://ldap1.example.com:636
-    - ldaps://ldap2.example.com:636
-    - ldaps://ldap3.example.com:636
-    auth:
-      bindDN: cn=seviceaccount,cn=users,o=company
-      bindPW: password
-    user:
-      baseDN: ou=users,o=company
-      filter: "(cn={0})"
-      requiredGroups:
-      - appAdmin
-    group:
-      baseDN: ou=groups,o=company
-      groupAttr: cn
-      filter: "(member={0})"
-    timeout:
-      success: 24h
-      wrong: 5m
---
 kind: Service
 apiVersion: v1
 metadata:
@ -36,7 +7,7 @@ spec:
  ports:
  - name: nginx-ldap-auth
    port: 5555
-    protocol: TCP:
+    protocol: TCP
    targetPort: 5555
  selector:
    app: nginx-ldap-auth