nginx-ingress下使用ldap 实现ingress auth认证

原理

使用nginx subrequest在请求直线通过 ingress annotation注入一条规则去调用auth接口完成ldap认证。参考文档：

• http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
• https://www.nginx.com/blog/nginx-plus-authenticate-users
• https://docs.foxpass.com/docs/ldap-overview-debugging
• https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication

创建ldap认证服务

```yaml

apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-ldap-auth-config
data:
foxpass.conf: |
# define ldap server
ldap_server foxpass {
url “ldaps://ldap.foxpass.com:636/dc=xiemx,dc=com?uid?sub?(objectClass=*)”;
binddn “{dn信息}”; # cn=test,dc=xiemx,dc=com
binddn_passwd “xxxxxx”;
group_attribute groups;
group_attribute_is_dn on;
require valid_user;
}

server {
  listen 5555;

  location / {
    auth_ldap "foxpass";
    auth_ldap_servers foxpass;

    try_files index.html,index.htm @auth;
  }

  location @auth {
    return 200 "ldap auth";
  }
}

---

apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ldap-auth

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ldap-auth
rules:

• apiGroups:
  • “”
    resources:
  • configmaps
    resourceNames:
  • “nginx-ladp-auth-config”
    verbs:
  • get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ldap-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ldap-auth
subjects:

• kind: ServiceAccount
  name: nginx-ldap-auth

---

kind: Service
apiVersion: v1
metadata:
name: nginx-ldap-auth
spec:
type: ClusterIP
ports:

• name: nginx-ldap-auth
  port: 5555
  protocol: TCP
  targetPort: 5555
  selector:
  app: nginx-ldap-auth

---

kind: Deployment
apiVersion: apps/v1
metadata:
name: nginx-ldap-auth
labels:
app: nginx-ldap-auth
spec:
replicas: 1
selector:
matchLabels:
app: “nginx-ldap-auth”
template:
metadata:
labels:
app: nginx-ldap-auth
spec:
serviceAccountName: nginx-ldap-auth
containers:
- image: weseek/nginx-auth-ldap:1.15.11-alpine
name: nginx-ldap-auth
ports:
- name: http
containerPort: 5555
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
volumeMounts:
- name: config
mountPath: /etc/nginx/conf.d
volumes:
- name: config
configMap:
name: nginx-ldap-auth-config

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
labels:
app: nginx-ldap-auth
name: nginx-ldap-auth
spec:
rules:

• host: foxpass.i.xiemx.com
  http:
  paths:
  • backend:
    serviceName: nginx-ldap-auth
    servicePort: 5555
    path: /

### ingress 开启auth认证

```yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
      nginx.ingress.kubernetes.io/auth-url: https://foxpass.i.xiemx.com
  name: kibana
spec:
  rules:
  - host: kibana.i.xiemx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kibana
          servicePort: 5601

### 测试
➜  kibana git:(master) curl kibana.i.xiemx.com
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.15.9</center>
</body>
</html>

➜  kibana git:(master) curl kibana.i.xiemx.com --user mingxu.xie
Enter host password for user 'mingxu.xie':