k8s+nginx+ldap
1. Scenario
The company uses LDAP for unified authentication. Some services running on k8s, such as SkyWalking (which has no account system of its own but exposes sensitive information) and Kibana, need to be put behind a login. nginx is already used as the reverse proxy and has an LDAP auth module, so nginx performs the LDAP check in front of these services.
2. Files to prepare
Reading environment variables from Lua (or Perl) inside nginx was tried first, but it did not fit well; instead the config is kept as a template and rendered with envsubst when the container starts.
git clone https://github.com/kvspb/nginx-auth-ldap.git
nginx-1.19.1.tar.gz
3. nginx image
FROM debian:buster-slim
COPY sources.list /etc/apt/sources.list
ARG SRC=/usr/local/src/
ARG DIR=/usr/local/nginx/
# module source and the nginx tarball (ADD unpacks the tarball into $SRC)
ADD nginx-auth-ldap $SRC/ldap/
ADD nginx-1.19.1.tar.gz $SRC
COPY docker-entrypoint.sh $DIR
# libldap2-dev is what nginx-auth-ldap links against; gettext-base provides envsubst for the entrypoint
RUN apt-get update && apt-get install -y libpcre3-dev zlib1g-dev libldap2-dev libssl-dev gcc g++ make gettext-base
# note: rm -rf $SRC removes /usr/local/src, so nginx.conf.tmp is NOT in the image and must be mounted there at runtime
RUN cd $SRC/nginx-1.19.1 && \
./configure --prefix=/usr/local/nginx \
--sbin-path=/usr/sbin/nginx \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-pcre --with-debug \
--conf-path=/etc/nginx/nginx.conf \
--add-module=$SRC/ldap \
&& make && make install && rm -rf $SRC
ENV TZ=Asia/Shanghai
# double quotes: with single quotes the literal text $TZ ends up in /etc/timezone
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo "$TZ" > /etc/timezone
ENV LANG C.UTF-8
EXPOSE 80
WORKDIR $DIR
ENTRYPOINT ["bash","docker-entrypoint.sh"]
CMD ["/usr/sbin/nginx","-g","daemon off;"]
[root@master nginx_work]# cat docker-entrypoint.sh
#!/usr/bin/env sh
set -eu
# Substitute only the template's own variables. A bare `envsubst` rewrites every $name
# in the file, so nginx's $host, $uri, $remote_addr would be blanked if they were ever
# added to the template.
envsubst '$LDAP_URL $LDAP_ADMIN $LDAP_PASSWD $TARGET_NAME $TARGET_URL' \
    < /usr/local/src/nginx.conf.tmp > /etc/nginx/nginx.conf
exec "$@"
4. nginx.conf.tmp
The entrypoint reads this template from /usr/local/src/nginx.conf.tmp, but the image does not contain it (the build's `rm -rf $SRC` deletes /usr/local/src), so it has to be mounted there at runtime, e.g. from a ConfigMap, and LDAP_URL, LDAP_ADMIN, LDAP_PASSWD, TARGET_NAME and TARGET_URL have to be supplied as environment variables, LDAP_PASSWD from a Secret rather than a ConfigMap. Two things to keep in mind: auth_ldap is HTTP Basic authentication, so user credentials cross the wire base64-encoded, not encrypted; terminate TLS in front of this (the ingress, or `listen 443 ssl` here) instead of exposing port 80 directly. And use an ldaps:// URL for the directory, otherwise the bind password and every user's password travel to the LDAP server in clear text; the module can also verify the directory's certificate (the ssl_check_cert / ssl_ca_file directives in its README).
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # $LDAP_URL, $LDAP_ADMIN and $LDAP_PASSWD are filled in by envsubst in docker-entrypoint.sh
    ldap_server pro {
        url $LDAP_URL;
        binddn $LDAP_ADMIN;
        binddn_passwd $LDAP_PASSWD;
        # any account that can bind is let through; narrow this with `require group`
        # when only one team should reach Kibana/SkyWalking
        require valid_user;
    }
    server {
        listen 80;
        server_name localhost;
        root /usr/share/nginx/html;
        # only this prefix is protected; anything else under root is served without auth
        location /$TARGET_NAME {
            proxy_pass $TARGET_URL;
            # the string is the Basic-auth realm shown in the browser's login prompt
            auth_ldap "Forbidden";
            auth_ldap_servers pro;
        }
    }
}
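The entrypoint in section 3 and the template above share one pitfall: envsubst run without an argument rewrites every `$name` in the file, including nginx's own `$host`, `$uri` and `$remote_addr`, which silently become empty strings in the rendered config. The script below is an added example, not the post's entrypoint: it renders only the five whitelisted names and refuses to start when one of them is unset or empty, so a Pod with a missing Secret key does not run nginx with `binddn_passwd ;`. It substitutes with sed instead of envsubst so it runs where gettext-base is absent; the equivalent envsubst call is shown in the header comment. The sample template, LDAP URL, bind DN, password and upstream used to exercise it are constructed values.

```shell
#!/usr/bin/env sh
# Added example (not the post's docker-entrypoint.sh): render an nginx template while
# substituting ONLY the variables the template takes from the environment.
# envsubst equivalent:
#   envsubst '$LDAP_URL $LDAP_ADMIN $LDAP_PASSWD $TARGET_NAME $TARGET_URL' < tmpl
set -eu

# Whitelist of names the template may import (the five used in the post's template).
TEMPLATE_VARS="LDAP_URL LDAP_ADMIN LDAP_PASSWD TARGET_NAME TARGET_URL"

# require_vars NAME...: return 1 if any named variable is unset or empty, so the
# container fails fast instead of starting nginx with a blank bind password or URL.
require_vars() {
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "render: required variable $name is unset or empty" >&2
            return 1
        fi
    done
    return 0
}

# render_template FILE: print FILE with $NAME and ${NAME} replaced for whitelisted
# names only.  $NAME is matched only when followed by a non-identifier character or
# end of line, so $TARGET_NAME does not also match the prefix of a longer name, and
# nginx's own $host, $uri, ... are left untouched.
render_template() {
    out=$(cat "$1")
    for name in $TEMPLATE_VARS; do
        eval "val=\${$name:-}"
        # escape what is special in a sed replacement with the | delimiter: \ | &
        esc=$(printf '%s' "$val" | sed 's/[\\|&]/\\&/g')
        out=$(printf '%s\n' "$out" | sed \
            -e "s|\\\${$name}|$esc|g" \
            -e "s|\\\$$name\([^A-Za-z0-9_]\)|$esc\1|g" \
            -e "s|\\\$$name\$|$esc|")
    done
    printf '%s\n' "$out"
}

# Entrypoint-style usage (paths are the ones from the post's Dockerfile):
#   require_vars $TEMPLATE_VARS
#   render_template /usr/local/src/nginx.conf.tmp > /etc/nginx/nginx.conf
#   nginx -t && exec "$@"
```

Running `nginx -t` on the rendered file before `exec "$@"` catches a malformed LDAP URL or upstream at startup, where the Pod's logs show it, rather than at the first request.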
5. Helm charts