nginx-ingress下使用ldap 实现ingress auth认证

原理

利用 nginx 的 subrequest（auth_request）机制：通过 Ingress annotation 注入一条规则，在请求被转发到后端之前先调用认证接口完成 LDAP 认证；认证服务返回 2xx 则放行，返回 401/403 则拒绝请求。参考文档:

创建ldap认证服务

```yaml

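---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ldap-auth-config
data:
  # Mounted at /etc/nginx/conf.d by the Deployment; the image's nginx.conf is
  # assumed to include conf.d/*.conf from its http block (ldap_server must be
  # declared in http context) — confirm against the image.
  foxpass.conf: |
    # LDAP backend. Straight quotes are required: the typographic “…” quotes in
    # the original are not string delimiters to nginx and break the config.
    ldap_server foxpass {
      url "ldaps://ldap.foxpass.com:636/dc=xiemx,dc=com?uid?sub?(objectClass=*)";
      # Bind DN used to look the user up, e.g. cn=test,dc=xiemx,dc=com.
      binddn "{dn信息}";
      # NOTE(review): this is a cleartext bind password inside a ConfigMap, which
      # anyone with configmap read access in the namespace can dump. Ship this
      # file as a Secret (separately RBAC-scoped, eligible for encryption at
      # rest) and mount that instead.
      binddn_passwd "xxxxxx";
      # Group attributes are only consulted by `require group`; with
      # `require valid_user` below they are unused.
      group_attribute groups;
      group_attribute_is_dn on;
      # Any account that binds successfully is accepted. To limit access to a
      # group, replace with: require group "cn=<group>,ou=Groups,dc=xiemx,dc=com";
      require valid_user;
    }

    server {
      listen 5555;

      location / {
        auth_ldap "foxpass";
        auth_ldap_servers foxpass;
        # Do not `return 200` here: return runs in the rewrite phase, before
        # auth_ldap (access phase), and would answer 200 without authenticating.
        # try_files runs after the access phase, so the fallback to @auth is only
        # reached once the LDAP check has passed. The original comma-separated
        # argument was a single (never existing) file name; this is explicit.
        try_files /nonexistent @auth;
      }

      # Reached only through try_files, i.e. after successful authentication.
      location @auth {
        return 200 "ldap auth";
      }
    }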

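---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ldap-auth
---
# Least privilege: read access to the single ConfigMap only. The pod gets the
# ConfigMap via a kubelet volume mount and never calls the API itself, so this
# Role is not actually exercised at runtime.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-ldap-auth
rules:
  - apiGroups:
      - ""  # core API group; must be an empty string, not the literal “” of the original
    resources:
      - configmaps
    resourceNames:
      - nginx-ldap-auth-config  # was misspelled "nginx-ladp-auth-config", granting nothing useful
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nginx-ldap-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ldap-auth
subjects:
  - kind: ServiceAccount
    name: nginx-ldap-auth
    # NOTE(review): ServiceAccount subjects need a namespace; set it to the
    # namespace these manifests are applied in.
    # namespace: <namespace>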

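---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ldap-auth
spec:
  # ClusterIP only: reachable in-cluster (and through the foxpass.i.xiemx.com
  # Ingress below); never exposed as NodePort/LoadBalancer.
  type: ClusterIP
  # Pod selector belongs to spec, not to the ports entry it was nested under.
  selector:
    app: nginx-ldap-auth
  ports:
    - name: nginx-ldap-auth
      protocol: TCP
      port: 5555
      targetPort: 5555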

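---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ldap-auth
  labels:
    app: nginx-ldap-auth
spec:
  # Every protected request triggers an auth subrequest to this pod, so a single
  # replica is a single point of failure for all protected Ingresses.
  replicas: 1
  selector:
    matchLabels:
      # Must match template labels exactly; the typographic quotes (“…”) of the
      # original become part of the value and make the selector never match.
      app: nginx-ldap-auth
  template:
    metadata:
      labels:
        app: nginx-ldap-auth
    spec:
      serviceAccountName: nginx-ldap-auth
      # nginx never talks to the Kubernetes API (the ConfigMap is mounted by the
      # kubelet), so do not mount an API token into the container.
      automountServiceAccountToken: false
      containers:
        - name: nginx-ldap-auth
          # Pinned tag; check that this build is still maintained before relying on it.
          image: weseek/nginx-auth-ldap:1.15.11-alpine
          ports:
            - name: http
              containerPort: 5555
          resources:
            limits:
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
          volumeMounts:
            # Mounting at the directory replaces the image's conf.d contents, so
            # only foxpass.conf from the ConfigMap is loaded.
            - name: config
              mountPath: /etc/nginx/conf.d
      volumes:
        - name: config
          configMap:
            name: nginx-ldap-auth-config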

---
# NOTE(review): extensions/v1beta1 Ingress is removed in newer Kubernetes
# releases (1.22+); use networking.k8s.io/v1 there.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ldap-auth
  labels:
    app: nginx-ldap-auth
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  # NOTE(review): this publishes the LDAP auth endpoint on the public edge with
  # no tls: section, so credentials reach it in the clear unless the controller
  # terminates TLS with a default certificate. Either add a tls: block here or
  # drop this Ingress entirely and point auth-url at the ClusterIP Service.
  rules:
    - host: foxpass.i.xiemx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-ldap-auth
              servicePort: 5555

```

### ingress 开启auth认证

```yaml

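---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana
  annotations:
    # Same class as the auth Ingress so both are served by the nginx controller.
    kubernetes.io/ingress.class: nginx
    # Every request to kibana.i.xiemx.com triggers a subrequest to this URL carrying
    # the client's Authorization header; 2xx lets the request through, 401/403 rejects it.
    # NOTE(review): this resolves the public hostname and hairpins back through the
    # ingress controller. The auth Ingress has no tls: section, so the https here
    # rests on the controller's default certificate, and nginx's proxy_ssl_verify is
    # off by default. Prefer the in-cluster Service, which keeps the hop off the
    # public edge:  http://nginx-ldap-auth.<namespace>.svc.cluster.local:5555
    # NOTE(review): only auth-url is set, so every directory account that can bind
    # reaches Kibana; restrict with `require group` in the auth config if needed.
    nginx.ingress.kubernetes.io/auth-url: https://foxpass.i.xiemx.com
spec:
  # NOTE(review): no tls: block here either — clients send their LDAP password as
  # HTTP Basic over plain http://; add a tls: section before exposing this.
  rules:
    - host: kibana.i.xiemx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kibana
              servicePort: 5601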

```

### 测试

未携带凭据时返回 401；通过 `--user` 提供 LDAP 账号后应得到 Kibana 的 2xx 响应。注意：`--user` 以 HTTP Basic 方式明文发送密码，而这里的 Kibana Ingress 没有配置 tls，请求走的是 http://，生产环境务必启用 TLS。
kibana git:(master) curl kibana.i.xiemx.com
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.9</center>
</body>
</html>

kibana git:(master) curl kibana.i.xiemx.com --user mingxu.xie
Enter host password for user 'mingxu.xie':