Merge pull request #12 from pinepain/k8s-ingress-nginx

Add k8s ingress-nginx support

.dockerignore

@@ -1 +1,2 @@
-ldap-auth-proxy
+ldap-auth-proxy
+vendor

.gitignore

@@ -1 +1,2 @@
-ldap-auth-proxy
+ldap-auth-proxy
+vendor

Dockerfile

@@ -6,11 +6,13 @@ WORKDIR /go/src/github.com/pinepain/ldap-auth-proxy
 # Copy the local package files to the container's workspace.
 ADD . /go/src/github.com/pinepain/ldap-auth-proxy
 
-RUN CGO_ENABLED=0 GOOS=linux go build \
+RUN go get -u github.com/golang/dep/cmd/dep \
+    && dep ensure \
+    && CGO_ENABLED=0 GOOS=linux go build \
     && go test -cover
 
 
-FROM ubuntu:xenial AS ubuntu
+FROM ubuntu:bionic AS ubuntu
 RUN apt-get update && apt-get install --no-install-recommends -y ca-certificates
 
 

Gopkg.toml

@@ -28,3 +28,11 @@
 [prune]
   go-tests = true
   unused-packages = true
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/naoina/denco"
+
+[[constraint]]
+  name = "github.com/patrickmn/go-cache"
+  version = "2.1.0"

README.md

@@ -21,7 +21,9 @@ LDAP auth proxy could be used in two modes: as an auth backend and as a proxy:
 
 ![auth backend](https://user-images.githubusercontent.com/2185793/38117476-e3a456dc-33bd-11e8-927d-ef68a9a863d7.png)
 
-Example `docker-compose` setup could be found in [examples/auth_backend](./examples/auth_backend).
+Examples:
+  - Kubernetes `ingress-nginx` setup could be found in [examples/k8s-ingress-nginx](./examples/k8s-ingress-nginx).
+  - `docker-compose` setup could be found in [examples/auth_backend](./examples/auth_backend).
 
 ### Proxy
 

config.go

@@ -11,14 +11,16 @@ type Config struct {
 	LogFormat string `default:"txt" split_words:"true" desc:"Log format. Allowed values are 'txt' and 'json'"`
 	LogLevel  string `default:"info" split_words:"true"`
 
-	URLPathSignIn string `default:"/sign_in" split_words:"true"`
-	URLPathAuth   string `default:"/auth" split_words:"true"`
+	URLPathSignIn string `default:"/sign_in" envconfig:"URL_PATH_SIGN_IN"`
+	URLPathAuth   string `default:"/auth" envconfig:"URL_PATH_AUTH"`
 
 	MessageAuthRequired string `default:"Authorisation required" split_words:"true"`
 
 	Upstream       string `default:"" split_words:"true"`
 	PassHostHeader bool   `default:"true" split_words:"true"`
 
+	RedirectQueryAttribute string	`default:"" split_words:"true" desc:"Query attribute that holds URL to redirect to after successful sign in (sign in only mode)"`
+
 	LdapServer       string            `default:"" split_words:"true" desc:"LDAP server name URL"`
 	LdapBase         string            `default:"" split_words:"true"`
 	LdapBindDN       string            `default:"" envconfig:"LDAP_BIND_DN"`

examples/k8s-ingress-nginx/README.md

@@ -0,0 +1,30 @@
+# Usage with ingress-nginx in Kubernetes
+
+Note: this is quick and dirty example how to get started, for production use you'd probably want
+      to store LDAP credentials in secrets.
+
+This example focuses on JumpCloud LDAP, though any generic LDAP server would work just fine.
+
+## Usage:
+
+
+Replace following values in `ldap-auth-proxy.yaml`:
+
+ - `<OID>` with your JumpCloud organisation id.
+ - `<LDAP_BIND_USER>` with your JumpCloud LDAP bind user name.
+ - `<LDAP_BIND_PASSWORD>` with your JumpCloud LDAP bind user password.
+
+e.g.:
+
+ - `<OID>` => `4200000000`
+ - `<LDAP_BIND_USER>` => `jrandom`
+ - `<LDAP_BIND_PASSWORD>` => `password123`
+
+Also replace `yourdomain.com` in both `httpbin.yaml` and `ldap-auth-proxy.yaml` to your domain.
+
+Now let's deploy all of this to kubernetes:
+
+```
+kubectl apply -f ldap-auth-proxy.yaml
+kubectl apply -f httpbin.yaml
+```

examples/k8s-ingress-nginx/httpbin.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: httpbin
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: httpbin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: httpbin
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: httpbin
+    spec:
+      containers:
+        - name: httpbin
+          image: kennethreitz/httpbin
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: httpbin-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/auth-url: http://auth.yourdomain.com
+    # Alternatively, you can just refer to internal service without exposing auth to the outside
+    #nginx.ingress.kubernetes.io/auth-url: http://ldap-auth-proxy.default.svc.cluster.local
+spec:
+  rules:
+    - host: httpbin.yourdomain.com
+      http:
+        paths:
+          - backend:
+              serviceName: httpbin
+              servicePort: 80

examples/k8s-ingress-nginx/ldap-auth-proxy.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap-auth-proxy
+spec:
+  ports:
+    - port: 80
+      targetPort: 8888
+  selector:
+    app: ldap-auth-proxy
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ldap-auth-proxy
+spec:
+  selector:
+    matchLabels:
+      app: ldap-auth-proxy
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: ldap-auth-proxy
+    spec:
+      containers:
+        - name: ldap-auth-proxy
+          image: pinepain/ldap-auth-proxy
+          ports:
+            - containerPort: 8888
+          env:
+            - name: LOG_LEVEL
+              value: "debug"
+            - name: LISTEN
+              value: ":8888"
+            - name: LDAP_SERVER
+              value: "ldaps://ldap.jumpcloud.com"
+            - name: LDAP_BASE
+              value: "o=<OID>,dc=jumpcloud,dc=com"
+            - name: LDAP_BIND_DN
+              value: "uid=<LDAP_BIND_USER>,ou=Users,o=<OID>,dc=jumpcloud,dc=com"
+            - name: LDAP_BIND_PASSWORD
+              value: "<LDAP_BIND_PASSWORD>"
+            - name: LDAP_USER_FILTER
+              value: "(uid=%s)"
+            - name: LDAP_GROUP_FILTER
+              value: "(&(objectClass=groupOfNames)(member=uid=%s,ou=Users,o=<OID>,dc=jumpcloud,dc=com))"
+            - name: HEADERS_MAP
+              value: "X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn"
+            - name: URL_PATH_AUTH
+              value: "/_external-auth-:orig-location-template"
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: auth-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: auth.yourdomain.com
+      http:
+        paths:
+          - backend:
+              serviceName: ldap-auth-proxy
+              servicePort: 80