From 8c9485202c4e0bd05d7cd97239f1a2cf78557160 Mon Sep 17 00:00:00 2001 From: Tiago Augusto Pimenta Date: Wed, 17 Oct 2018 21:31:50 -0300 Subject: [PATCH] Draft --- README.md | 4 -- build | 2 +- config.sample.yaml | 41 ++++++++++++++++++--- k8s-rbac.yaml | 92 ---------------------------------------------- k8s.yaml | 42 ++++++++++++++++++++- main/config.go | 37 +++++++++++++------ main/parser.go | 9 +++-- 7 files changed, 107 insertions(+), 120 deletions(-) delete mode 100644 k8s-rbac.yaml diff --git a/README.md b/README.md index 587cb92..47c903e 100644 --- a/README.md +++ b/README.md @@ -6,10 +6,6 @@ Use this in order to provide a ingress authentication over LDAP for Kubernetes, kubectl apply -f k8s.yaml -For RBAC enabled cluster use the k8s-rbac.yaml manifest instead: - - kubectl apply -f k8s-rbac.yaml - Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/). ## Configuration diff --git a/build b/build index 3fd11f8..461fd13 100755 --- a/build +++ b/build @@ -3,7 +3,7 @@ set -e base='docker.io/tpimenta/nginx-ldap-auth' -version='v1.0.2' +version='v1.1.0' image="$base:$version" atexit() { diff --git a/config.sample.yaml b/config.sample.yaml index 2478a60..75eb453 100644 --- a/config.sample.yaml +++ b/config.sample.yaml 
@@ -1,21 +1,50 @@ web: 0.0.0.0:5555 path: / +message: "LDAP Login" servers: - ldaps://ldap1.example.com:636 - ldaps://ldap2.example.com:636 - ldaps://ldap3.example.com:636 auth: - bindDN: uid=seviceaccount,cn=users,dc=example,dc=com + bindDN: cn=seviceaccount,cn=users,o=company bindPW: password user: - baseDN: ou=users,dc=example,dc=com + baseDN: ou=users,o=company filter: "(cn={0})" - requiredGroups: - - appAdmin + attr: cn group: - baseDN: ou=groups,dc=example,dc=com - groupAttr: cn + baseDN: ou=groups,o=company filter: "(member={0})" + attr: cn timeout: success: 24h + group: 24h wrong: 5m +rules: +- match: + - header: X-Sent-From + value: nginx-ingress-controller + - header: X-Auth-Request-Redirect + regex: "^/dashboard" + allow: + - group: SysAdmin + - group: AppAdmin + - group: Operator + - user: Jhon + deny: + - group: Guest +- match: + - header: X-Sent-From + value: nginx-ingress-controller + - header: X-Original-Method + value: GET + - header: X-Original-URL + regex: "^https?://server.domain/" + allow: + - group: Guest +- match: + - header: X-Sent-From + value: nginx-ingress-controller + - header: X-Auth-Request-Redirect + regex: /login + allowAnonymous: true diff --git a/k8s-rbac.yaml b/k8s-rbac.yaml deleted file mode 100644 index a8d8431..0000000 --- a/k8s-rbac.yaml +++ /dev/null 
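Review bot: The last rule in this hunk grants `allowAnonymous: true` whenever `X-Auth-Request-Redirect` matches the unanchored pattern `regex: /login`, so any requested URI that merely contains `/login` somewhere (for example `/dashboard/admin?next=/login`) is also admitted without credentials; anchor it, e.g. `regex: "^/login(\\?|$)"`, and in the second rule escape the dot so `regex: "^https?://server\\.domain/"` cannot match other hosts. How a later anonymous match interacts with the first rule's `deny` is decided by the evaluator, which is not in this patch, so a comment above `rules:` stating the order (first match wins, deny before allow, or similar) would keep operators from relying on rule order by accident. Separately, the new `timeout.group: 24h` key has no matching field in this patch's `TimeoutConfig` (the config.go hunks leave exactly one field between `type TimeoutConfig struct {` and `Wrong`), so it is either silently ignored or rejected depending on how strictly the YAML decoder is configured.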
@@ -1,92 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ldap-auth - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ldap-auth -rules: - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - "nginx-ldap-auth" - verbs: - - get - - apiGroups: - - "" - resources: - - secrets - resourceNames: - - "nginx-ldap-auth" - verbs: - - get - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ldap-auth -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ldap-auth -subjects: -- kind: ServiceAccount - name: nginx-ldap-auth - ---- -kind: Service -apiVersion: v1 -metadata: - name: nginx-ldap-auth -spec: - type: ClusterIP - ports: - - name: nginx-ldap-auth - port: 5555 - protocol: TCP - targetPort: 5555 - selector: - app: nginx-ldap-auth - ---- -kind: Deployment -apiVersion: extensions/v1beta1 -metadata: - name: nginx-ldap-auth - labels: - app: nginx-ldap-auth -spec: - replicas: 1 - template: - metadata: - labels: - app: nginx-ldap-auth - spec: - serviceAccountName: nginx-ldap-auth - containers: - - image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2 - name: nginx-ldap-auth - command: - - "nginx-ldap-auth" - - "--config" - - "/etc/nginx-ldap-auth/config.yaml" - ports: - - name: http - containerPort: 5555 - volumeMounts: - - name: config - mountPath: /etc/nginx-ldap-auth - volumes: - - name: config - secret: - secretName: nginx-ldap-auth - items: - - key: config.yaml - path: config.yaml diff --git a/k8s.yaml b/k8s.yaml index 41b76c4..1cc6b05 100644 --- a/k8s.yaml +++ b/k8s.yaml 
@@ -1,3 +1,42 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-ldap-auth +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: nginx-ldap-auth +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - "nginx-ldap-auth" + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - "nginx-ldap-auth" + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: nginx-ldap-auth +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ldap-auth +subjects: +- kind: ServiceAccount + name: nginx-ldap-auth +--- kind: Service apiVersion: v1 metadata: @@ -25,8 +64,9 @@ spec: labels: app: nginx-ldap-auth spec: + serviceAccountName: nginx-ldap-auth containers: - - image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2 + - image: docker.io/tpimenta/nginx-ldap-auth:v1.1.0 name: nginx-ldap-auth command: - "nginx-ldap-auth" diff --git a/main/config.go b/main/config.go index d67d3e0..a99833c 100644 --- a/main/config.go +++ b/main/config.go @@ -7,16 +7,10 @@ type AuthConfig struct { BindPW string `yaml:"bindPW"` } -type UserConfig struct { - BaseDN string `yaml:"baseDN"` - Filter string `yaml:"filter"` - RequiredGroups []string `yaml:"requiredGroups"` -} - -type GroupConfig struct { - BaseDN string `yaml:"baseDN"` - GroupAttr string `yaml:"groupAttr"` - Filter string `yaml:"filter"` +type SearchConfig struct { + BaseDN string `yaml:"baseDN"` + Filter string `yaml:"filter"` + Attr string `yaml:"attr"` } type TimeoutConfig struct { 
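Review bot: The Role in this hunk grants the pod's service account API `get` on the `nginx-ldap-auth` secret and configmap, but nothing visible reads them through the API: the container is started with `--config /etc/nginx-ldap-auth/config.yaml`, and in the manifest this commit deletes (k8s-rbac.yaml) that file came from a secret volume, which the kubelet mounts without any RBAC grant to the pod. If the volume is unchanged in k8s.yaml, the Role and RoleBinding can be dropped entirely, which removes an API path to the LDAP bind password from a compromised container. If an API read is genuinely needed, `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8 and should replace `v1beta1`.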
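Review bot: The added `serviceAccountName: nginx-ldap-auth` line makes the kubelet mount that account's token into the container, while the visible command (`nginx-ldap-auth --config /etc/nginx-ldap-auth/config.yaml`) reads a file and shows no use of the Kubernetes API. Add `automountServiceAccountToken: false` next to `serviceAccountName` so the token — which this patch's Role makes able to read the secret holding the LDAP bind password — is not present in a process that handles every external-auth subrequest from the ingress. The deployment's volumes are outside this hunk; if one of them actually depends on the token, disregard this.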
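Review bot: Removing `RequiredGroups` from the user configuration silently changes the access decision for anyone upgrading with an existing config.yaml: unless parseConfig decodes strictly (not visible in this patch), a leftover `requiredGroups:` key is ignored and users outside the listed groups are no longer rejected, so the old restriction fails open instead of erroring out. Keep a deprecated `RequiredGroups []string` with the same yaml tag on `SearchConfig` for one release and have config loading refuse a non-empty value with a message pointing at `rules:`, or at least document the migration in the README. `SearchConfig` also lacks a doc comment; something like `// SearchConfig describes one LDAP search: the subtree (BaseDN), the filter with {0} substituted, and the attribute read from each match (Attr).` — confirm the meaning of Attr against the search code, which is outside this hunk.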
@@ -24,13 +18,32 @@ type TimeoutConfig struct { Wrong time.Duration `yaml:"wrong"` } +type MatchConfig struct { + Header string `yaml:"header"` + Value string `yaml:"value"` + Regex string `yaml:"regex"` +} + +type PermissionConfig struct { + Group string `yaml:"group"` + User string `yaml:"user"` +} + +type RulesConfig struct { + Match []MatchConfig `yaml:"match"` + Allow []PermissionConfig `yaml:"allow"` + Deny []PermissionConfig `yaml:"deny"` + AllowAnonymous bool `yaml:"allowAnonymous"` +} + type Config struct { Web string `yaml:"web"` Path string `yaml:"path"` Message string `yaml:"message"` Servers []string `yaml:"servers"` Auth AuthConfig `yaml:"auth"` - User UserConfig `yaml:"user"` - Group GroupConfig `yaml:"group"` + User SearchConfig `yaml:"user"` + Group SearchConfig `yaml:"group"` Timeout TimeoutConfig `yaml:"timeout"` + Rules []RulesConfig `yaml:"rules"` } diff --git a/main/parser.go b/main/parser.go index 4b1bf3d..3a58045 100644 --- a/main/parser.go +++ b/main/parser.go @@ -23,12 +23,13 @@ func parseConfig() (string, *Config, error) { Web: "0.0.0.0:5555", Path: "/", Message: "LDAP Login", - User: UserConfig{ + User: SearchConfig{ Filter: "(cn={0})", + Attr: "cn", }, - Group: GroupConfig{ - Filter: "(member={0})", - GroupAttr: "cn", + Group: SearchConfig{ + Filter: "(member={0})", + Attr: "cn", }, Timeout: TimeoutConfig{ Success: 24 * time.Hour,
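Review bot: `MatchConfig`, `PermissionConfig` and `RulesConfig` are exported without doc comments, and the questions a reader of config.sample.yaml immediately has — whether `Value` and `Regex` may both be set, whether every entry of `Match` must hold, and whether `Deny` outranks `Allow` and `AllowAnonymous` — are decided outside this hunk, so the types are the right place to state them; one sentence per type such as `// RulesConfig is one access rule: it applies when all Match entries hold; Deny is checked before Allow; AllowAnonymous admits unauthenticated requests.` (adjusted to the evaluator's real order) would do. Holding `Regex` as a plain `string` also means an invalid pattern surfaces only wherever it is compiled, presumably per request; compiling it once at load time rejects a bad rule before the server accepts traffic. The sketch below assumes a gopkg.in/yaml.v2-style decoder and that the evaluator is changed to use the compiled field.
```go
type MatchConfig struct {
	Header string `yaml:"header"`
	Value  string `yaml:"value"`
	Regex  string `yaml:"regex"`
	re     *regexp.Regexp // compiled from Regex at config load; nil when Regex is empty
}

// UnmarshalYAML compiles Regex once so an invalid pattern fails startup instead of a request.
func (m *MatchConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
	type raw MatchConfig
	var r raw
	if err := unmarshal(&r); err != nil {
		return err
	}
	if r.Regex != "" {
		re, err := regexp.Compile(r.Regex)
		if err != nil {
			return fmt.Errorf("match %s: invalid regex %q: %v", r.Header, r.Regex, err)
		}
		r.re = re
	}
	*m = MatchConfig(r)
	return nil
}
// … unchanged: PermissionConfig, RulesConfig, Config …
```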