Prerequisite: an LDAP service is already deployed; see: juejin.cn/post/716285…
Result
After logging in with an LDAP username and password, the browser is automatically redirected to the corresponding service page.
Configuration steps
1. Create the deployment file
another-ldap-auth.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: another
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: another-ldap
  namespace: another
data:
  LDAP_ENDPOINT: "ldap://openldap-svc.open-ldap:389"
  LDAP_MANAGER_DN_USERNAME: "CN=admin,OU=people,DC=xx,DC=cn"
  LDAP_BIND_DN: "UID={username},OU=people,DC=xx,DC=cn"
  LDAP_SEARCH_BASE: "DC=xx,DC=cn"
  LDAP_SEARCH_FILTER: "(cn=admin)"
  LOG_LEVEL: "DEBUG"
  LOG_FORMAT: "JSON"
  BRUTE_FORCE_PROTECTION: "False"
  BRUTE_FORCE_EXPIRATION: "5"
  BRUTE_FORCE_FAILURES: "3"
  COOKIE_DOMAIN: ""
  METADATA_TITLE: "QuickTable LDAP"
  METADATA_DESCRIPTION: ""
  METADATA_FOOTER: "Powered by QuickTable LDAP"
  PERMANENT_SESSION_LIFETIME: "7"
---
apiVersion: v1
kind: Secret
metadata:
  name: another-ldap
  namespace: another
type: Opaque
data:
  LDAP_MANAGER_PASSWORD: YWNkYyByb2NrIQ==
  FLASK_SECRET_KEY: YWNkYyByb2NrIQ==
---
kind: Service
apiVersion: v1
metadata:
  name: another-ldap
  namespace: another
spec:
  type: ClusterIP
  selector:
    app: another-ldap
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 9000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: another-ldap
  namespace: another
  labels:
    app: another-ldap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: another-ldap
  template:
    metadata:
      labels:
        app: another-ldap
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: docker-registry
      containers:
        - name: another-ldap
          image: *****.dkr.ecr.us-east-2.amazonaws.com/another-ldap:0.0.1
          imagePullPolicy: Always
          ports:
            - name: https
              containerPort: 9000
          envFrom:
            - configMapRef:
                name: another-ldap
            - secretRef:
                name: another-ldap
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 256Mi
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            runAsUser: 10001
            capabilities:
              drop:
                - ALL
          livenessProbe:
            httpGet:
              port: 9000
              path: /
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              port: 9000
              path: /
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 1
          volumeMounts:
            - name: vol-tmp
              mountPath: /tmp
      volumes:
        - name: vol-tmp
          emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: another
  name: another-ldap
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  rules:
    - host: another-ldap.xxx.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: another-ldap
                port:
                  number: 443
- Replace the LDAP-related settings in the ConfigMap according to your own LDAP configuration.
- To share the session across services, replace SESSION_COOKIE_DOMAIN = param.get('COOKIE_DOMAIN', None) in main.py with the domain you need and rebuild the image, e.g.: SESSION_COOKIE_DOMAIN = '.quicktable.cn'
- If your service is served over http://, change SESSION_COOKIE_SECURE = True to SESSION_COOKIE_SECURE = False
2. Deploy another-ldap
kubectl apply -f another-ldap-auth.yaml
kubectl -n another get ingress
3. Configure the Ingress
Add the following configuration to the ingress-nginx Ingress of the service you want to protect:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ...
    nginx.ingress.kubernetes.io/auth-url: https://another-ldap.another.svc.cluster.local/auth
    nginx.ingress.kubernetes.io/server-snippet: |
      error_page 401 = @login;
      location @login {
        return 302 https://another-ldap.xxx.cn/?protocol=pass_access_scheme&callback=$host; # replace with your domain
      }
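The redirect above hands the login page the protected service's $host as the callback parameter, and the shared session only reaches hosts under the cookie domain set in main.py. As an added example (not code from this post or from another-ldap-auth), a small Python check that rebuilds that redirect and validates a callback against the cookie domain; .quicktable.cn and another-ldap.xxx.cn are the placeholders used in the post.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values mirroring the post: the cookie domain hard-coded into
# main.py (assumption: your own domain) and the login page's Ingress host.
COOKIE_DOMAIN = ".quicktable.cn"
LOGIN_HOST = "another-ldap.xxx.cn"


def build_login_redirect(host: str, login_host: str = LOGIN_HOST) -> str:
    """Reproduce the Location the `@login` block returns after a 401:
    the login page receives the protected service's $host as ?callback=."""
    query = urlencode({"protocol": "pass_access_scheme", "callback": host})
    return f"https://{login_host}/?{query}"


def host_in_cookie_domain(host: str, cookie_domain: str = COOKIE_DOMAIN) -> bool:
    """True when a browser sends a cookie scoped to `cookie_domain` to `host`,
    i.e. the host is the bare domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    bare = cookie_domain.lower().lstrip(".")
    return host == bare or host.endswith("." + bare)


def callback_allowed(callback: str, cookie_domain: str = COOKIE_DOMAIN) -> bool:
    """Decide whether the login page may redirect to `callback` after a
    successful LDAP login. A host outside the cookie domain never receives
    the shared session cookie, so sending the user there only provides an
    open redirect. $host never carries userinfo, so any user@ part is
    rejected rather than parsed around."""
    target = callback if "://" in callback else f"https://{callback}"
    try:
        parts = urlsplit(target)
    except ValueError:              # e.g. unbalanced [ ] in the netloc
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return host_in_cookie_domain(parts.hostname, cookie_domain)
```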