一、场景

      公司内部使用ldap做统一认证,k8s上某些如:skywaking(无账号有敏感信息)、kibana等服务接入账号验证,正好使用

nginx反向代理,ldap对接

二、准备文件

尝试nginx上的lua(或者perl)获取环境变量,不太符合,使用  envsubst 
git clone https://github.com/kvspb/nginx-auth-ldap.git
nginx-1.19.1.tar.gz

三、nginx镜像

FROM debian:buster-slim
COPY sources.list /etc/apt/sources.list
ARG SRC=/usr/local/src/
ARG DIR=/usr/local/nginx/
ADD nginx-auth-ldap  $SRC/ldap/
ADD nginx-1.19.1.tar.gz $SRC
COPY docker-entrypoint.sh $DIR
RUN apt-get update && apt-get install -y libpcre3-dev zlib1g-dev libldap2-dev  libssl-dev gcc g++ make
RUN cd $SRC/nginx-1.19.1 && \
 ./configure  --prefix=/usr/local/nginx \
--sbin-path=/usr/sbin/nginx \
--with-http_ssl_module \ 
--with-http_gzip_static_module \
--with-pcre --with-debug \
--conf-path=/etc/nginx/nginx.conf \
--add-module=$SRC/ldap \
&& make && make install && rm -rf $SRC
RUN apt-get install gettext-base
ENV TZ=Asia/Shanghai 
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo '$TZ' > /etc/timezone
ENV LANG C.UTF-8
EXPOSE 80
WORKDIR $DIR
ENTRYPOINT ["bash","docker-entrypoint.sh"]
CMD ["/usr/sbin/nginx","-g","daemon off;"]

[root@master nginx_work]# cat docker-entrypoint.sh 
#!/usr/bin/env sh
set -eu
envsubst < /usr/local/src/nginx.conf.tmp > /etc/nginx/nginx.conf
exec "$@"

四、nginx.conf.tmp

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;  
    keepalive_timeout  65;
    ldap_server pro {
        url     $LDAP_URL;
        binddn  $LDAP_ADMIN;
        binddn_passwd  $LDAP_PASSWD; 
        require valid_user;
    }
    server {      
        listen       80;
        server_name  localhost;
        root         /usr/share/nginx/html;
        location /$TARGET_NAME {
            proxy_pass $TARGET_URL;
            auth_ldap "Forbidden";
            auth_ldap_servers pro;
        }
    }
   
}

 五、helmCharts

 

 

 

 

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐