LemonLDAP::NG kubernetes controller

Latest commit 1a8a335 Mar 24, 2018
LemonLDAP::NG controller


Description

This repository contains the LemonLDAP::NG controller built around the Kubernetes Ingress resource that uses ConfigMap to store the LemonLDAP configuration.

It is intended to be used with the NGINX Ingress Controller.

Deployment

See Deployment.

Ingress Annotations

The following annotations are supported:

| Name | Type |
|------|------|
| kubernetes-controller.lemonldap-ng.org/location-rules | string |
| kubernetes-controller.lemonldap-ng.org/exported-headers | string |
| kubernetes-controller.lemonldap-ng.org/application-category | string |
| kubernetes-controller.lemonldap-ng.org/application-name | string |
| kubernetes-controller.lemonldap-ng.org/application-description | string |
| kubernetes-controller.lemonldap-ng.org/application-logo | string |
| kubernetes-controller.lemonldap-ng.org/application-display | string |
| kubernetes-controller.lemonldap-ng.org/application-uri | string |

location-rules

YAML or JSON are supported:

kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "^/admin/": "$uid eq \"bart.simpson\"",
    "default": "accept"
  }

If not specified in the Ingress, the default location-rules are:

kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "default": "accept"
  }

This default ensures that the user is authenticated.

See also LemonLDAP::NG documentation.

exported-headers

YAML or JSON are supported:

kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Display-Name": "$givenName.\" \".$surName"
  }

If not specified in the Ingress, the default exported-headers are:

kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Auth-User": "$uid"
  }

See also LemonLDAP::NG documentation.
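To show how the two annotations above are read and defaulted, here is an added Go example (not the controller's own code): it parses the JSON form of location-rules and exported-headers from an Ingress annotation map, applies the documented defaults, and fails closed on a rule set that has no "default" entry. The JSON-only parsing and that extra check are assumptions of this example, not documented controller behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const annotationPrefix = "kubernetes-controller.lemonldap-ng.org/"

// parseMapAnnotation reads a JSON-formatted annotation, or returns fallback when it
// is absent or blank. The controller also accepts YAML; this example handles JSON only.
func parseMapAnnotation(ann map[string]string, name string, fallback map[string]string) (map[string]string, error) {
	raw, ok := ann[annotationPrefix+name]
	if !ok || strings.TrimSpace(raw) == "" {
		return fallback, nil
	}
	out := map[string]string{}
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, fmt.Errorf("%s: invalid JSON: %w", name, err)
	}
	return out, nil
}

// LocationRules returns the access rules for an Ingress, defaulting to {"default": "accept"}.
// A rule set without a "default" entry is rejected so a malformed annotation fails closed
// rather than relying on the handler's implicit fallback (a choice of this example).
func LocationRules(ann map[string]string) (map[string]string, error) {
	rules, err := parseMapAnnotation(ann, "location-rules", map[string]string{"default": "accept"})
	if err != nil {
		return nil, err
	}
	if _, ok := rules["default"]; !ok {
		return nil, fmt.Errorf("location-rules: no %q rule", "default")
	}
	return rules, nil
}

// ExportedHeaders returns the headers to export, defaulting to Auth-User: $uid.
func ExportedHeaders(ann map[string]string) (map[string]string, error) {
	return parseMapAnnotation(ann, "exported-headers", map[string]string{"Auth-User": "$uid"})
}

func main() {
	// Constructed sample: the annotation shown in the location-rules section.
	ann := map[string]string{annotationPrefix + "location-rules": `{"^/admin/": "$uid eq \"bart.simpson\"", "default": "accept"}`}
	rules, err := LocationRules(ann)
	headers, _ := ExportedHeaders(ann) // annotation absent, so the default applies
	fmt.Println(rules, headers, err)
}
```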

application-category, application-name, application-description, application-logo, application-display, application-uri

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes-controller.lemonldap-ng.org/application-category: "1apps"
    kubernetes-controller.lemonldap-ng.org/application-name: "MyApp"
    kubernetes-controller.lemonldap-ng.org/application-description: "My Application to do things"
    kubernetes-controller.lemonldap-ng.org/application-logo: "thumbnail.png"
    kubernetes-controller.lemonldap-ng.org/application-display: auto
    kubernetes-controller.lemonldap-ng.org/application-uri: "http://app.example.org/"

If application-category or application-name is not specified in the Ingress, no application is created.

The other annotations default to:

  • application-description: same as application-name
  • application-logo: "gear.png" (other images are available)
  • application-display: "auto" (other values: on or off)
  • application-uri: URL built from the first HTTP Ingress rule.

See also LemonLDAP::NG documentation.

Config Map

A config map can be used to override lmConf-1.js parameters.

Any key suffixed by .yaml will be parsed accordingly:

kind: ConfigMap
apiVersion: v1
metadata:
  name: lemonldap-ng-configuration
  namespace: ingress-nginx
data:
  domain: example.org
  globalStorage: Apache::Session::Browseable::Postgres # Default Apache::Session::File
  globalStorageOptions.yaml: |
    DataSource: dbi:Pg:dbname=sessions;host=10.2.3.1
    UserName: lemonldapng
    Password: mysuperpassword
    TableName: sessions
    Commit: 1
    Index: _whatToTrace ipAddr

This is the most difficult part of LemonLDAP::NG configuration. Recommended settings include:

See also the example ConfigMap and the full parameters list from LemonLDAP::NG documentation.

Note: make sure the deployment passes the following argument to the controller:

- --configmap=ingress-nginx/lemonldap-ng-configuration

You can convert an existing configuration to ConfigMap with Convert mode.

Command line flags

Usage of /lemonldap-ng-controller:
      --alsologtostderr                               log to standard error as well as files
      --configmap string                              Name of the ConfigMap that contains the custom configuration to use
      --convert                                       Convert lmConf-n.js from standard input to ConfigMap
      --force-namespace-isolation                     Force namespace isolation. This flag is required to avoid the reference of secrets or configmaps located in a different namespace than the specified in the flag --watch-namespace
      --kubeconfig string                             Path to a kubeconfig. Only required if out-of-cluster
      --lemonldap-ng-configuration-directory string   LemonLDAP::NG configuration directory (default "/var/lib/lemonldap-ng/conf")
      --log_backtrace_at traceLocation                when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                                If non-empty, write log files in this directory
      --logtostderr                                   log to standard error instead of files
      --master string                                 The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster
      --stderrthreshold severity                      logs at or above this threshold go to stderr (default 2)
      --sync-period duration                          Relist and confirm cloud resources this often (default 10m0s)
  -v, --v Level                                       log level for V logs
      --version                                       Shows release information about the LemonLDAP::NG controller
      --vmodule moduleSpec                            comma-separated list of pattern=N settings for file-filtered logging
      --watch-namespace string                        Namespace to watch for Ingress. Default is to watch all namespaces

Convert mode

If you have an existing configuration, convert it with --convert:

cat lmConf-42.js | \
  lemonldap-ng-controller --convert --configmap=ingress-nginx/lemonldap-ng-configuration | \
  kubectl apply -f -