Compare commits
1 commit
| Author | SHA1 | Date | |
|---|---|---|---|
|
8c9485202c |
|
|
@ -6,10 +6,6 @@ Use this in order to provide a ingress authentication over LDAP for Kubernetes,
|
|||
|
||||
kubectl apply -f k8s.yaml
|
||||
|
||||
For RBAC enabled cluster use the k8s-rbac.yaml manifest instead:
|
||||
|
||||
kubectl apply -f k8s-rbac.yaml
|
||||
|
||||
Configure your ingress with annotation `nginx.ingress.kubernetes.io/auth-url: http://nginx-ldap-auth.default.svc.cluster.local:5555` as described on [nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/).
|
||||
|
||||
## Configuration
|
||||
|
|
|
|||
2
build
2
build
|
|
@ -3,7 +3,7 @@
|
|||
set -e
|
||||
|
||||
base='docker.io/tpimenta/nginx-ldap-auth'
|
||||
version='v1.0.2'
|
||||
version='v1.1.0'
|
||||
image="$base:$version"
|
||||
|
||||
atexit() {
|
||||
|
|
|
|||
|
|
@ -1,21 +1,50 @@
|
|||
web: 0.0.0.0:5555
|
||||
path: /
|
||||
message: "LDAP Login"
|
||||
servers:
|
||||
- ldaps://ldap1.example.com:636
|
||||
- ldaps://ldap2.example.com:636
|
||||
- ldaps://ldap3.example.com:636
|
||||
auth:
|
||||
bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
|
||||
bindDN: cn=seviceaccount,cn=users,o=company
|
||||
bindPW: password
|
||||
user:
|
||||
baseDN: ou=users,dc=example,dc=com
|
||||
baseDN: ou=users,o=company
|
||||
filter: "(cn={0})"
|
||||
requiredGroups:
|
||||
- appAdmin
|
||||
attr: cn
|
||||
group:
|
||||
baseDN: ou=groups,dc=example,dc=com
|
||||
groupAttr: cn
|
||||
baseDN: ou=groups,o=company
|
||||
filter: "(member={0})"
|
||||
attr: cn
|
||||
timeout:
|
||||
success: 24h
|
||||
group: 24h
|
||||
wrong: 5m
|
||||
rules:
|
||||
- match:
|
||||
- header: X-Sent-From
|
||||
value: nginx-ingress-controller
|
||||
- header: X-Auth-Request-Redirect
|
||||
regex: "^/dashboard"
|
||||
allow:
|
||||
- group: SysAdmin
|
||||
- group: AppAdmin
|
||||
- group: Operator
|
||||
- user: Jhon
|
||||
deny:
|
||||
- group: Guest
|
||||
- match:
|
||||
- header: X-Sent-From
|
||||
value: nginx-ingress-controller
|
||||
- header: X-Original-Method
|
||||
value: GET
|
||||
- header: X-Original-URL
|
||||
regex: "^https?://server.domain/"
|
||||
allow:
|
||||
- group: Guest
|
||||
- match:
|
||||
- header: X-Sent-From
|
||||
value: nginx-ingress-controller
|
||||
- header: X-Auth-Request-Redirect
|
||||
regex: /login
|
||||
allowAnonymous: true
|
||||
|
|
|
|||
|
|
@ -1,92 +0,0 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
resourceNames:
|
||||
- "nginx-ldap-auth"
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- "nginx-ldap-auth"
|
||||
verbs:
|
||||
- get
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: nginx-ldap-auth
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: nginx-ldap-auth
|
||||
|
||||
---
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: nginx-ldap-auth
|
||||
port: 5555
|
||||
protocol: TCP
|
||||
targetPort: 5555
|
||||
selector:
|
||||
app: nginx-ldap-auth
|
||||
|
||||
---
|
||||
kind: Deployment
|
||||
apiVersion: extensions/v1beta1
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
labels:
|
||||
app: nginx-ldap-auth
|
||||
spec:
|
||||
replicas: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx-ldap-auth
|
||||
spec:
|
||||
serviceAccountName: nginx-ldap-auth
|
||||
containers:
|
||||
- image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2
|
||||
name: nginx-ldap-auth
|
||||
command:
|
||||
- "nginx-ldap-auth"
|
||||
- "--config"
|
||||
- "/etc/nginx-ldap-auth/config.yaml"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 5555
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/nginx-ldap-auth
|
||||
volumes:
|
||||
- name: config
|
||||
secret:
|
||||
secretName: nginx-ldap-auth
|
||||
items:
|
||||
- key: config.yaml
|
||||
path: config.yaml
|
||||
42
k8s.yaml
42
k8s.yaml
|
|
@ -1,3 +1,42 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
resourceNames:
|
||||
- "nginx-ldap-auth"
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- "nginx-ldap-auth"
|
||||
verbs:
|
||||
- get
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: nginx-ldap-auth
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: nginx-ldap-auth
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: nginx-ldap-auth
|
||||
---
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
|
|
@ -25,8 +64,9 @@ spec:
|
|||
labels:
|
||||
app: nginx-ldap-auth
|
||||
spec:
|
||||
serviceAccountName: nginx-ldap-auth
|
||||
containers:
|
||||
- image: docker.io/tpimenta/nginx-ldap-auth:v1.0.2
|
||||
- image: docker.io/tpimenta/nginx-ldap-auth:v1.1.0
|
||||
name: nginx-ldap-auth
|
||||
command:
|
||||
- "nginx-ldap-auth"
|
||||
|
|
|
|||
|
|
@ -7,16 +7,10 @@ type AuthConfig struct {
|
|||
BindPW string `yaml:"bindPW"`
|
||||
}
|
||||
|
||||
type UserConfig struct {
|
||||
BaseDN string `yaml:"baseDN"`
|
||||
Filter string `yaml:"filter"`
|
||||
RequiredGroups []string `yaml:"requiredGroups"`
|
||||
}
|
||||
|
||||
type GroupConfig struct {
|
||||
BaseDN string `yaml:"baseDN"`
|
||||
GroupAttr string `yaml:"groupAttr"`
|
||||
Filter string `yaml:"filter"`
|
||||
type SearchConfig struct {
|
||||
BaseDN string `yaml:"baseDN"`
|
||||
Filter string `yaml:"filter"`
|
||||
Attr string `yaml:"attr"`
|
||||
}
|
||||
|
||||
type TimeoutConfig struct {
|
||||
|
|
@ -24,13 +18,32 @@ type TimeoutConfig struct {
|
|||
Wrong time.Duration `yaml:"wrong"`
|
||||
}
|
||||
|
||||
type MatchConfig struct {
|
||||
Header string `yaml:"header"`
|
||||
Value string `yaml:"value"`
|
||||
Regex string `yaml:"regex"`
|
||||
}
|
||||
|
||||
type PermissionConfig struct {
|
||||
Group string `yaml:"group"`
|
||||
User string `yaml:"user"`
|
||||
}
|
||||
|
||||
type RulesConfig struct {
|
||||
Match []MatchConfig `yaml:"match"`
|
||||
Allow []PermissionConfig `yaml:"allow"`
|
||||
Deny []PermissionConfig `yaml:"deny"`
|
||||
AllowAnonymous bool `yaml:"allowAnonymous"`
|
||||
}
|
||||
|
||||
type Config struct {
|
||||
Web string `yaml:"web"`
|
||||
Path string `yaml:"path"`
|
||||
Message string `yaml:"message"`
|
||||
Servers []string `yaml:"servers"`
|
||||
Auth AuthConfig `yaml:"auth"`
|
||||
User UserConfig `yaml:"user"`
|
||||
Group GroupConfig `yaml:"group"`
|
||||
User SearchConfig `yaml:"user"`
|
||||
Group SearchConfig `yaml:"group"`
|
||||
Timeout TimeoutConfig `yaml:"timeout"`
|
||||
Rules []RulesConfig `yaml:"rules"`
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,12 +23,13 @@ func parseConfig() (string, *Config, error) {
|
|||
Web: "0.0.0.0:5555",
|
||||
Path: "/",
|
||||
Message: "LDAP Login",
|
||||
User: UserConfig{
|
||||
User: SearchConfig{
|
||||
Filter: "(cn={0})",
|
||||
Attr: "cn",
|
||||
},
|
||||
Group: GroupConfig{
|
||||
Filter: "(member={0})",
|
||||
GroupAttr: "cn",
|
||||
Group: SearchConfig{
|
||||
Filter: "(member={0})",
|
||||
Attr: "cn",
|
||||
},
|
||||
Timeout: TimeoutConfig{
|
||||
Success: 24 * time.Hour,
|
||||
|
|
|
|||
Reference in a new issue