gered/nginx-ldap-auth
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Draft

Browse source
This commit is contained in:
Tiago Augusto Pimenta 2018-10-17 21:31:50 -03:00
parent 9b7d526d85
commit 8c9485202c
7 changed files with 107 additions and 120 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -6,10 +6,6 @@ Use this in order to provide a ingress authentication over LDAP for Kubernetes,
kubectl apply -f k8s.yaml kubectl apply -f k8s.yaml
For RBAC enabled cluster use the k8s-rbac.yaml manifest instead:
kubectl apply -f k8s-rbac.yaml
Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/). Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
## Configuration ## Configuration

2
build
View file

@ -3,7 +3,7 @@
set -e set -e
base='docker.io/tpimenta/nginx-ldap-auth' base='docker.io/tpimenta/nginx-ldap-auth'
version='v1.0.2' version='v1.1.0'
image="$base:$version" image="$base:$version"
atexit() { atexit() {

41
config.sample.yaml
View file

@ -1,21 +1,50 @@
web: 0.0.0.0:5555 web: 0.0.0.0:5555
path: / path: /
message: "LDAP Login"
servers: servers:
- ldaps://ldap1.example.com:636 - ldaps://ldap1.example.com:636
- ldaps://ldap2.example.com:636 - ldaps://ldap2.example.com:636
- ldaps://ldap3.example.com:636 - ldaps://ldap3.example.com:636
auth: auth:
bindDN: uid=seviceaccount,cn=users,dc=example,dc=com bindDN: cn=seviceaccount,cn=users,o=company
bindPW: password bindPW: password
user: user:
baseDN: ou=users,dc=example,dc=com baseDN: ou=users,o=company
filter: "(cn={0})" filter: "(cn={0})"
requiredGroups: attr: cn
- appAdmin
group: group:
baseDN: ou=groups,dc=example,dc=com baseDN: ou=groups,o=company
groupAttr: cn
filter: "(member={0})" filter: "(member={0})"
attr: cn
timeout: timeout:
success: 24h success: 24h
group: 24h
wrong: 5m wrong: 5m
rules:
- match:
- header: X-Sent-From
value: nginx-ingress-controller
- header: X-Auth-Request-Redirect
regex: "^/dashboard"
allow:
- group: SysAdmin
- group: AppAdmin
- group: Operator
- user: Jhon
deny:
- group: Guest
- match:
- header: X-Sent-From
value: nginx-ingress-controller
- header: X-Original-Method
value: GET
- header: X-Original-URL
regex: "^https?://server.domain/"
allow:
- group: Guest
- match:
- header: X-Sent-From
value: nginx-ingress-controller
- header: X-Auth-Request-Redirect
regex: /login
allowAnonymous: true

92
k8s-rbac.yaml
View file

@ -1,92 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ldap-auth
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ldap-auth
rules:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- "nginx-ldap-auth"
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- "nginx-ldap-auth"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ldap-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ldap-auth
subjects:
- kind: ServiceAccount
name: nginx-ldap-auth
---
kind: Service
apiVersion: v1
metadata:
name: nginx-ldap-auth
spec:
type: ClusterIP
ports:
- name: nginx-ldap-auth
port: 5555
protocol: TCP
targetPort: 5555
selector:
app: nginx-ldap-auth
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: nginx-ldap-auth
labels:
app: nginx-ldap-auth
spec:
replicas: 1
template:
metadata:
labels:
app: nginx-ldap-auth
spec:
serviceAccountName: nginx-ldap-auth
containers:
- image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2
name: nginx-ldap-auth
command:
- "nginx-ldap-auth"
- "--config"
- "/etc/nginx-ldap-auth/config.yaml"
ports:
- name: http
containerPort: 5555
volumeMounts:
- name: config
mountPath: /etc/nginx-ldap-auth
volumes:
- name: config
secret:
secretName: nginx-ldap-auth
items:
- key: config.yaml
path: config.yaml

42
k8s.yaml
View file

@ -1,3 +1,42 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ldap-auth
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ldap-auth
rules:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- "nginx-ldap-auth"
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- "nginx-ldap-auth"
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ldap-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ldap-auth
subjects:
- kind: ServiceAccount
name: nginx-ldap-auth
---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
@ -25,8 +64,9 @@ spec:
labels: labels:
app: nginx-ldap-auth app: nginx-ldap-auth
spec: spec:
serviceAccountName: nginx-ldap-auth
containers: containers:
- image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2 - image: docker.io/tpimenta/nginx-ldap-auth:v1.1.0
name: nginx-ldap-auth name: nginx-ldap-auth
command: command:
- "nginx-ldap-auth" - "nginx-ldap-auth"

37
main/config.go
View file

@ -7,16 +7,10 @@ type AuthConfig struct {
BindPW string `yaml:"bindPW"` BindPW string `yaml:"bindPW"`
} }
type UserConfig struct { type SearchConfig struct {
BaseDN string `yaml:"baseDN"` BaseDN string `yaml:"baseDN"`
Filter string `yaml:"filter"` Filter string `yaml:"filter"`
RequiredGroups []string `yaml:"requiredGroups"` Attr string `yaml:"attr"`
}
type GroupConfig struct {
BaseDN string `yaml:"baseDN"`
GroupAttr string `yaml:"groupAttr"`
Filter string `yaml:"filter"`
} }
type TimeoutConfig struct { type TimeoutConfig struct {
@ -24,13 +18,32 @@ type TimeoutConfig struct {
Wrong time.Duration `yaml:"wrong"` Wrong time.Duration `yaml:"wrong"`
} }
type MatchConfig struct {
Header string `yaml:"header"`
Value string `yaml:"value"`
Regex string `yaml:"regex"`
}
type PermissionConfig struct {
Group string `yaml:"group"`
User string `yaml:"user"`
}
type RulesConfig struct {
Match []MatchConfig `yaml:"match"`
Allow []PermissionConfig `yaml:"allow"`
Deny []PermissionConfig `yaml:"deny"`
AllowAnonymous bool `yaml:"allowAnonymous"`
}
type Config struct { type Config struct {
Web string `yaml:"web"` Web string `yaml:"web"`
Path string `yaml:"path"` Path string `yaml:"path"`
Message string `yaml:"message"` Message string `yaml:"message"`
Servers []string `yaml:"servers"` Servers []string `yaml:"servers"`
Auth AuthConfig `yaml:"auth"` Auth AuthConfig `yaml:"auth"`
User UserConfig `yaml:"user"` User SearchConfig `yaml:"user"`
Group GroupConfig `yaml:"group"` Group SearchConfig `yaml:"group"`
Timeout TimeoutConfig `yaml:"timeout"` Timeout TimeoutConfig `yaml:"timeout"`
Rules []RulesConfig `yaml:"rules"`
} }

9
main/parser.go
View file

@ -23,12 +23,13 @@ func parseConfig() (string, *Config, error) {
Web: "0.0.0.0:5555", Web: "0.0.0.0:5555",
Path: "/", Path: "/",
Message: "LDAP Login", Message: "LDAP Login",
User: UserConfig{ User: SearchConfig{
Filter: "(cn={0})", Filter: "(cn={0})",
Attr: "cn",
}, },
Group: GroupConfig{ Group: SearchConfig{
Filter: "(member={0})", Filter: "(member={0})",
GroupAttr: "cn", Attr: "cn",
}, },
Timeout: TimeoutConfig{ Timeout: TimeoutConfig{
Success: 24 * time.Hour, Success: 24 * time.Hour,