[bitnami/nginx] Added LDAP support (#2608)

* [bitnami/nginx] Added LDAP support

Adds LDAP support to NGINX by using Bitnami's
Auth Daemon Image. Liveness and readiness probes were
also updated to comply with this change.

Signed-off-by: joancafom <jcarmona@bitnami.com>

* ServerBlock conditions now force their existence

At least a serverblock must be provided when using LDAP, so
conditions were updated to reflect this change. Also, fixed a
small bug on secret creation that led to an error when no bindPass
was provided, even though it is optional.

* README improved with instructions

Now the README explicitly tells the user how to enable LDAP.

* [bitnami/nginx] Update components versions

Signed-off-by: Bitnami Containers <containers@bitnami.com>

Co-authored-by: Bitnami Containers <containers@bitnami.com>
Jose Antonio Carmona
2020-05-22 14:24:01 +02:00
committed by GitHub
parent 0ec4bd1a3e
commit ac65eadfd9
7 changed files with 273 additions and 16 deletions


@@ -1,6 +1,6 @@
apiVersion: v1
name: nginx
version: 5.5.0
version: 5.6.0
appVersion: 1.17.10
description: Chart for the nginx server
keywords:


@@ -74,7 +74,7 @@ The following tables lists the configurable parameters of the NGINX Open Source
| `serverBlock` | Custom NGINX server block | `nil` |
| `existingServerBlockConfigmap` | Name of existing PVC with custom NGINX server block | `nil` |
| `extraVolumes` | Array of extra volumes to be added to the deployment. Requires setting `extraVolumeMounts` | `nil` |
| `extraVolumeMounts` | Array of extra volume mounts to be added to the deployment. Normally used with `extraVolumes`| `nil` |
| `extraVolumeMounts` | Array of extra volume mounts to be added to the deployment. Normally used with `extraVolumes`| `nil` |
| `replicaCount` | Number of replicas to deploy | `1` |
| `containerPort` | Deployment Container Port | `8080` |
| `podAnnotations` | Pod annotations | `{}` |
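Review bot: the `existingServerBlockConfigmap` row still describes the value as "Name of existing PVC with custom NGINX server block"; it is a ConfigMap, not a PVC (the deployment consumes it through `nginx.serverBlockConfigmapName`), so while this table is being edited the description should read "Name of existing ConfigMap with custom NGINX server block".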
@@ -92,6 +92,23 @@ The following tables lists the configurable parameters of the NGINX Open Source
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.loadBalancerIP` | LoadBalancer service IP address | `""` |
| `service.annotations` | Service annotations | `{}` |
| `ldapDaemon.enabled` | Enable LDAP Auth Daemon proxy | `false` |
| `ldapDaemon.image.registry` | LDAP AUth Daemon Image registry | `docker.io` |
| `ldapDaemon.image.repository` | LDAP Auth Daemon Image name | `bitnami/nginx-ldap-auth-daemon` |
| `ldapDaemon.image.tag` | LDAP Auth Daemon Image tag | `{TAG_NAME}` |
| `ldapDaemon.image.pullPolicy` | LDAP Auth Daemon Image pull policy | `IfNotPresent` |
| `ldapDaemon.port` | LDAP Auth Daemon port | `8888` |
| `ldapDaemon.ldapConfig.uri` | LDAP Server URI, `ldap[s]:/<hostname>:<port>` | `""` |
| `ldapDaemon.ldapConfig.baseDN` | LDAP root DN to begin the search for the user | `""` |
| `ldapDaemon.ldapConfig.bindDN` | DN of user to bind to LDAP | `""` |
| `ldapDaemon.ldapConfig.bindPassword` | Password for the user to bind to LDAP | `""` |
| `ldapDaemon.ldapConfig.filter` | LDAP search filter for search+bind authentication | `""` |
| `ldapDaemon.ldapConfig.httpRealm` | LDAP HTTP auth realm | `""` |
| `ldapDaemon.ldapConfig.httpCookieName` | HTTP cookie name to be used in LDAP Auth | `""` |
| `ldapDaemon.nginxServerBlock` | NGINX server block that configures LDAP communication. Overrides `ldapDaemon.ldapConfig` | See `values.yaml` |
| `ldapDaemon.existingNginxServerBlockSecret`| Name of existing Secret with a NGINX server block to use for LDAP communication | `nil` |
| `ldapDaemon.livenessProbe` | LDAP Auth Daemon Liveness Probe | See `values.yaml` |
| `ldapDaemon.readinessProbe` | LDAP Auth Daemon Readiness Probe | See `values.yaml` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.certManager` | Add annotations for cert-manager | `false` |
| `ingress.selectors` | Ingress selectors for labelSelector option | `[]` |
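Review bot: two small fixes in the new rows: `LDAP AUth Daemon Image registry` has a typo (`Auth`), and the pattern given for `ldapDaemon.ldapConfig.uri`, `ldap[s]:/<hostname>:<port>`, is missing a slash in the scheme separator; it should be `ldap[s]://<hostname>:<port>`. The same pattern appears in the `values.yaml` comment for `uri` and needs the same correction there.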
@@ -195,8 +212,21 @@ serverBlock: |-
In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `existingServerBlockConfigmap` parameter. Note that this will override the previous option.
### Enabling LDAP
In some scenarios, you may require users to authenticate in order to gain access to protected resources. By enabling LDAP, NGINX will make use of an Authorization Daemon to proxy those identification requests against a given LDAP Server.
In order to enable LDAP authentication you can set the `ldapDaemon.enabled` property and follow these steps:
1. Use the `ldapDaemon.nginxServerBlock` property to provide with an additional server block that will make NGINX such a proxy (see `values.yaml`). Alternatively, you can provide this configuration using an external Secret and the property `ldapDaemon.existingNginxServerBlockSecret`.
2. Complete the aforementioned server block by specifying your LDAP Server connection details (see `values.yaml`). Alternatively, you can declare them using the property `ldapDaemon.ldapConfig`.
## Upgrading
### 5.6.0
Added support for the use of LDAP.
### 5.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
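Review bot: the "Enabling LDAP" steps leave out a requirement the commit message itself states: at least one of `serverBlock` or `existingServerBlockConfigmap` must be set when `ldapDaemon.enabled` is true, otherwise the `server-blocks-paths.conf` ConfigMap and the `volumes` section are not rendered and the LDAP server block is never included. A sentence before step 1 would avoid a puzzling deploy. For the `existingNginxServerBlockSecret` path, also state that the Secret's key must end in `.conf`, because the paths file only includes `server_blocks/ldap/*.conf`; the chart's own Secret uses `ldap_nginx.conf`, and a user-supplied key such as `nginx.conf` works, but `ldap-block` would be silently ignored.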


@@ -94,6 +94,29 @@ Also, we can't use a single if because lazy evaluation is not an option
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the LDAP Auth Daemon image)
*/}}
{{- define "nginx.ldapDaemon.image" -}}
{{- $registryName := .Values.ldapDaemon.image.registry -}}
{{- $repositoryName := .Values.ldapDaemon.image.repository -}}
{{- $tag := .Values.ldapDaemon.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the metrics image)
*/}}
@@ -211,6 +234,17 @@ Return the custom NGINX server block configmap.
{{- end -}}
{{- end -}}
{{/*
Return the custom NGINX server block secret for LDAP.
*/}}
{{- define "ldap.nginxServerBlockSecret" -}}
{{- if .Values.ldapDaemon.existingNginxServerBlockSecret -}}
{{- printf "%s" (tpl .Values.ldapDaemon.existingNginxServerBlockSecret $) -}}
{{- else -}}
{{- printf "%s-ldap-daemon" (include "nginx.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
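Review bot: naming: every other helper in this file is namespaced `nginx.` (`nginx.fullname`, `nginx.ldapDaemon.image`, `nginx.serverBlockConfigmapName`), so `ldap.nginxServerBlockSecret` breaks the convention; `nginx.ldapDaemon.serverBlockSecretName` would match. The fallback name `%s-ldap-daemon` built here is also spelled out by hand in `ldap-daemon-secret.yaml` and in the `secretKeyRef` in `deployment.yaml`; a helper that returns that name would keep the three in sync when one of them changes.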


@@ -79,11 +79,16 @@ spec:
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumeMounts (include "nginx.useStaticSite" .) }}
volumeMounts:
- name: nginx-server-block-paths
mountPath: /opt/bitnami/nginx/conf/server_blocks
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
- name: nginx-server-block
mountPath: /opt/bitnami/nginx/conf/server_blocks
mountPath: /opt/bitnami/nginx/conf/server_blocks/common
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: nginx-server-block-ldap
mountPath: /opt/bitnami/nginx/conf/server_blocks/ldap
{{- end }}
{{- if (include "nginx.useStaticSite" .) }}
- name: staticsite
@@ -92,7 +97,40 @@ spec:
{{- if .Values.extraVolumeMounts }}
{{- include "nginx.tplValue" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: ldap-daemon
image: {{ template "nginx.ldapDaemon.image" . }}
imagePullPolicy: {{ .Values.ldapDaemon.image.pullPolicy | quote }}
ports:
- name: ldap-daemon
containerPort: {{ .Values.ldapDaemon.port }}
{{- if .Values.ldapDaemon.livenessProbe }}
livenessProbe: {{- toYaml .Values.ldapDaemon.livenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.ldapDaemon.readinessProbe }}
readinessProbe: {{- toYaml .Values.ldapDaemon.readinessProbe | nindent 12 }}
{{- end }}
env:
- name: NGINXLDAP_PORT_NUMBER
value: {{ .Values.ldapDaemon.port | quote}}
- name: NGINXLDAP_LDAP_URI
value: {{ .Values.ldapDaemon.ldapConfig.uri | quote }}
- name: NGINXLDAP_LDAP_BASE_DN
value: {{ .Values.ldapDaemon.ldapConfig.baseDN | quote }}
- name: NGINXLDAP_LDAP_BIND_DN
value: {{ .Values.ldapDaemon.ldapConfig.bindDN | quote }}
- name: NGINXLDAP_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "nginx.fullname" . }}-ldap-daemon
key: ldap-daemon-ldap-bind-password
- name: NGINXLDAP_LDAP_FILTER
value: {{ .Values.ldapDaemon.ldapConfig.filter | quote }}
- name: NGINXLDAP_HTTP_REALM
value: {{ .Values.ldapDaemon.ldapConfig.httpRealm | quote }}
- name: NGINXLDAP_HTTP_COOKIE_NAME
value: {{ .Values.ldapDaemon.ldapConfig.httpCookieName | quote }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "nginx.metrics.image" . }}
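Review bot: the `ldap-daemon` sidecar is added without a `resources` block, while the `metrics` sidecar directly below it renders `.Values.metrics.resources`; an `ldapDaemon.resources` value rendered the same way lets operators bound the sidecar, and the same goes for `securityContext` if the main container gets one. Two smaller points: `secretKeyRef.name` hardcodes `{{ template "nginx.fullname" . }}-ldap-daemon` rather than sharing a helper with `ldap-daemon-secret.yaml`, and `{{ .Values.ldapDaemon.port | quote}}` lacks the space before `}}` that every other line uses. One caveat for the docs: the daemon takes its LDAP URL and bind credentials from the `X-Ldap-*` request headers, and the `tcpSocket` probe on `ldap-daemon` only succeeds because the daemon listens on the pod IP rather than loopback, so it is reachable from the cluster network, not only from NGINX over `127.0.0.1`; the README should say so, so operators can add a NetworkPolicy where that matters.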
@@ -117,12 +155,23 @@ spec:
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- end }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .) }}
volumes:
- name: nginx-server-block-paths
configMap:
name: {{ template "nginx.fullname" . }}-server-block
items:
- key: server-blocks-paths.conf
path: server-blocks-paths.conf
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap (include "nginx.useStaticSite" .) }}
{{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
- name: nginx-server-block
configMap:
name: {{ include "nginx.serverBlockConfigmapName" . }}
{{- if or .Values.serverBlock }}
items:
- key: server-block.conf
path: server-block.conf
{{- end }}
{{- end }}
{{- if (include "nginx.useStaticSite" .) }}
- name: staticsite
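Review bot: the `nginx-server-block-paths` volume references the ConfigMap `{{ template "nginx.fullname" . }}-server-block`, but per the `if` at the top of `server-block-configmap.yaml` that ConfigMap is only rendered when `serverBlock` is set and `existingServerBlockConfigmap` is not. This volume, however, is emitted under the wider `or .Values.serverBlock .Values.existingServerBlockConfigmap .Values.extraVolumes (include "nginx.useStaticSite" .)` guard, so a release that uses only `existingServerBlockConfigmap`, only `extraVolumes`, or only the static-site clone references a ConfigMap that does not exist and the pod stays in `ContainerCreating`. Either render the paths ConfigMap under the same condition as this volume, or guard both on the same helper.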
@@ -132,3 +181,8 @@ spec:
{{- include "nginx.tplValue" ( dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.ldapDaemon.enabled }}
- name: nginx-server-block-ldap
secret:
secretName: {{ include "ldap.nginxServerBlockSecret" . }}
{{- end }}
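Review bot: `nginx-server-block-ldap` mounts the whole Secret, and in the default case that Secret (`ldap-daemon-secret.yaml`) holds both `ldap_nginx.conf` and `ldap-daemon-ldap-bind-password`, so the bind password lands as a readable file under `/opt/bitnami/nginx/conf/server_blocks/ldap/` inside the NGINX container, which has no use for it (the daemon receives it through `NGINXLDAP_LDAP_BIND_PASSWORD`). Restrict the mount with `items:` (`- key: ldap_nginx.conf` / `path: ldap_nginx.conf`) when `existingNginxServerBlockSecret` is unset, or keep the password in its own Secret.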


@@ -0,0 +1,14 @@
{{- if and .Values.ldapDaemon.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nginx.fullname" . }}-ldap-daemon
labels: {{- include "nginx.labels" . | nindent 4 }}
type: Opaque
data:
ldap-daemon-ldap-bind-password: {{ .Values.ldapDaemon.ldapConfig.bindPassword | b64enc | quote}}
{{- if (not .Values.ldapDaemon.existingNginxServerBlockSecret) }}
ldap_nginx.conf: |-
{{ tpl .Values.ldapDaemon.nginxServerBlock . | b64enc | indent 4 }}
{{- end }}
{{- end }}
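Review bot: `{{- if and .Values.ldapDaemon.enabled }}` has a single operand; `{{- if .Values.ldapDaemon.enabled }}`, as written in `deployment.yaml`, says the same thing. The `bindPassword | b64enc | quote` line handles an empty value correctly (`b64enc` of `""` is `""`), so the optional-password fix from the commit message checks out. Consider splitting this Secret in two, since the bind password is consumed by the `ldap-daemon` container via `secretKeyRef` while `ldap_nginx.conf` is mounted as a volume into the NGINX container; one Secret per consumer keeps each container's view to what it needs.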


@@ -1,10 +1,13 @@
{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nginx.fullname" . }}-server-block
labels: {{- include "nginx.labels" . | nindent 4 }}
data:
server-blocks-paths.conf: |-
include "/opt/bitnami/nginx/conf/server_blocks/ldap/*.conf";
include "/opt/bitnami/nginx/conf/server_blocks/common/*.conf";
{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}
server-block.conf: |-
{{ .Values.serverBlock | indent 4 }}
{{- end }}
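Review bot: the inner `{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }}` is identical to the outer `if` on the first line, so it never changes the output; the whole ConfigMap, `server-blocks-paths.conf` included, is still rendered only when `serverBlock` is set and `existingServerBlockConfigmap` is not. The nesting only makes sense if the outer guard is widened to the condition under which `deployment.yaml` mounts the paths file (`or .Values.serverBlock .Values.existingServerBlockConfigmap ...`), which reads as the intent of the "ServerBlock conditions now force their existence" change; as committed, `existingServerBlockConfigmap` on its own produces no ConfigMap to mount.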


@@ -13,7 +13,7 @@
image:
registry: docker.io
repository: bitnami/nginx
tag: 1.17.10-debian-10-r44
tag: 1.17.10-debian-10-r46
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -54,7 +54,7 @@ cloneStaticSiteFromGit:
image:
registry: docker.io
repository: bitnami/git
tag: 2.26.2-debian-10-r28
tag: 2.26.2-debian-10-r30
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -69,7 +69,7 @@ cloneStaticSiteFromGit:
## Repository to clone static content from
##
# repository:
## Branch inside the git repository
## Branch inside the git repository
##
# branch:
## Interval for sidecar container pull from the repository
@@ -112,7 +112,7 @@ cloneStaticSiteFromGit:
replicaCount: 1
## Deployment Container Port
##
##
containerPort: 8080
## Pod annotations
@@ -154,15 +154,13 @@ resources:
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
httpGet:
path: /
tcpSocket:
port: http
initialDelaySeconds: 30
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
httpGet:
path: /
tcpSocket:
port: http
initialDelaySeconds: 5
timeoutSeconds: 3
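Review bot: switching the default `livenessProbe`/`readinessProbe` from `httpGet` on `/` to `tcpSocket` is presumably needed because, with `auth_request` on `location = /`, the kubelet would receive a 401 and mark the pod unhealthy, but it weakens the check for every deployment, LDAP or not: a successful TCP accept says nothing about whether NGINX is actually serving requests. An `httpGet` against a path outside the protected location (a dedicated status location in the default server block, for example) keeps the stronger probe; failing that, the 5.6.0 upgrade notes should mention that the default probes are now TCP-only.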
@@ -206,6 +204,130 @@ service:
##
externalTrafficPolicy: Cluster
## LDAP Auth Daemon Properties
##
## Daemon that will proxy LDAP requests
## between NGINX and a given LDAP Server
##
ldapDaemon:
enabled: false
## Bitnami NGINX LDAP Auth Daemon image
## ref: https://hub.docker.com/r/bitnami/nginx-ldap-auth-daemon/tags/
##
image:
registry: docker.io
repository: bitnami/nginx-ldap-auth-daemon
tag: 0.20200116.0-debian-10-r7
pullPolicy: IfNotPresent
## LDAP Daemon port
##
port: 8888
## LDAP Auth Daemon Configuration
##
## These different properties define the form of requests performed
## against the given LDAP server
##
## BEWARE THAT THESE VALUES WILL BE IGNORED IF A CUSTOM LDAP SERVER BLOCK
## ALREADY SPECIFIES THEM.
##
##
ldapConfig:
## LDAP URI where to query the server
## Must follow the pattern -> ldap[s]:/<hostname>:<port>
uri: ""
## LDAP search base DN
baseDN: ""
## LDAP bind DN
bindDN: ""
## LDAP bind Password
bindPassword: ""
## LDAP search filter
filter: ""
## LDAP auth realm
httpRealm: ""
## LDAP cookie name
httpCookieName: ""
## NGINX Configuration File containing the directives (that define
## how LDAP requests are performed) and tells NGINX to use the LDAP Daemon
## as proxy. Besides, it defines the routes that will require of LDAP auth
## in order to be accessed.
##
## If LDAP directives are provided, they will take precedence over
## the ones specified in ldapConfig.
##
## This will be evaluated as a template.
##
##
nginxServerBlock: |-
server {
listen 0.0.0.0:{{ .Values.containerPort }};
# You can provide a special subPath or the root
location = / {
auth_request /auth-proxy;
}
location = /auth-proxy {
internal;
proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};
###############################################################
# YOU SHOULD CHANGE THE FOLLOWING TO YOUR LDAP CONFIGURATION #
###############################################################
# URL and port for connecting to the LDAP server
proxy_set_header X-Ldap-URL "ldap://YOUR_LDAP_SERVER_IP:YOUR_LDAP_SERVER_PORT";
# Base DN
proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";
# Bind DN
proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";
# Bind password
proxy_set_header X-Ldap-BindPass "adminpassword";
}
}
## Use an existing Secret holding an NGINX Configuration file that
## configures LDAP requests. (will be evaluated as a template)
##
## If provided, both nginxServerBlock and ldapConfig properties are ignored.
##
existingNginxServerBlockSecret:
## LDAP Auth Daemon's liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
tcpSocket:
port: ldap-daemon
initialDelaySeconds: 30
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
tcpSocket:
port: ldap-daemon
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
## Ingress paramaters
##
ingress:
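Review bot: in the default `nginxServerBlock`, `location = /` is an exact-match location, so `auth_request` applies only to the literal path `/`; `/index.html`, `/admin/` and every other path on the same server are served without authentication. The comment "You can provide a special subPath or the root" suggests a prefix is intended, in which case `location /` (or a documented subpath prefix) should be the default, and the README should spell out that only the listed locations are protected. Two smaller points: the `uri` comment's `ldap[s]:/<hostname>:<port>` is missing a slash in `://`, and `listen 0.0.0.0:{{ .Values.containerPort }}` puts this block on the same port as the user's own server block without a `server_name`, so a comment on how the two blocks are expected to coexist would help.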
@@ -306,7 +428,7 @@ metrics:
image:
registry: docker.io
repository: bitnami/nginx-exporter
tag: 0.7.0-debian-10-r30
tag: 0.7.0-debian-10-r32
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.