LemonLDAP::NG controller
Description
This repository contains the LemonLDAP::NG controller built around the Kubernetes Ingress resource that uses ConfigMap to store the LemonLDAP configuration.
It is intended to be used with the NGINX Ingress Controller.
Deployment
See Deployment.
Ingress Annotations
The following annotations are supported:
location-rules
YAML or JSON are supported:
kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "^/admin/": "$uid eq \"bart.simpson\"",
    "default": "accept"
  }
If not specified in the Ingress, the default location-rules are:
kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "default": "accept"
  }
This ensures that the user is authenticated.
See also LemonLDAP::NG documentation.
exported-headers
YAML or JSON are supported:
kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Display-Name": "$givenName.\" \".$surName"
  }
If not specified in the Ingress, the default exported-headers are:
kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Auth-User": "$uid"
  }
See also LemonLDAP::NG documentation.
application-category, application-name, application-description, application-logo, application-display, application-uri
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes-controller.lemonldap-ng.org/application-category: "1apps"
    kubernetes-controller.lemonldap-ng.org/application-name: "MyApp"
    kubernetes-controller.lemonldap-ng.org/application-description: "My Application to do things"
    kubernetes-controller.lemonldap-ng.org/application-logo: "thumbnail.png"
    kubernetes-controller.lemonldap-ng.org/application-display: auto
    kubernetes-controller.lemonldap-ng.org/application-uri: "http://app.example.org/"
If application-category or application-name is not specified in the Ingress, no application is created.
The other annotations default to:
application-description: same as application-name
application-logo: "gear.png" (other images are available)
application-display: "auto" (other values: on or off)
application-uri: URL built from the first HTTP Ingress rule.
See also LemonLDAP::NG documentation.
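The defaulting rules described above (location-rules, exported-headers and the application-* annotations), as an added Python example that is not part of the controller's code: it computes what one Ingress's annotations resolve to and lints the values a reviewer would want checked. The `problems()` checks and the default URI construction (`http://<host><path>` of the first rule) are assumptions of this example, not documented controller behaviour.

```python
import json

PREFIX = "kubernetes-controller.lemonldap-ng.org/"
DEFAULT_LOCATION_RULES = {"default": "accept"}
DEFAULT_EXPORTED_HEADERS = {"Auth-User": "$uid"}

def _parse(text):
    try:
        import yaml  # PyYAML is optional here; JSON is a YAML subset
        return yaml.safe_load(text)
    except ImportError:
        return json.loads(text)

def location_rules(annotations):
    """Effective location-rules: the annotation if present, else the README default."""
    raw = annotations.get(PREFIX + "location-rules")
    return dict(DEFAULT_LOCATION_RULES) if raw is None else _parse(raw)

def exported_headers(annotations):
    """Effective exported-headers: the annotation if present, else the README default."""
    raw = annotations.get(PREFIX + "exported-headers")
    return dict(DEFAULT_EXPORTED_HEADERS) if raw is None else _parse(raw)

def application(annotations, ingress_rules):
    """Menu entry with the README defaults, or None if category or name is missing."""
    get = lambda key: annotations.get(PREFIX + "application-" + key)
    if not get("category") or not get("name"):
        return None
    first = ingress_rules[0]  # assumption: default URI is http://<host><path> of rule 0
    path = first["http"]["paths"][0].get("path", "/")
    return {
        "category": get("category"),
        "name": get("name"),
        "description": get("description") or get("name"),
        "logo": get("logo") or "gear.png",
        "display": get("display") or "auto",
        "uri": get("uri") or "http://%s%s" % (first["host"], path),
    }

def problems(annotations):
    """Lint the annotations and return a list of findings (empty list means fine)."""
    found = []
    if "default" not in location_rules(annotations):
        found.append("location-rules has no 'default' rule")  # assumption: one is needed
    display = annotations.get(PREFIX + "application-display", "auto")
    if display not in ("auto", "on", "off"):
        found.append("application-display must be auto, on or off, not %r" % display)
    for header in exported_headers(annotations):
        if header != header.strip():  # "Auth-User " would yield a malformed header name
            found.append("exported header %r has leading/trailing whitespace" % header)
    return found
```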
Config Map
A ConfigMap can be used to override lmConf-1.js parameters.
Any key suffixed with .yaml will have its value parsed as YAML:
kind: ConfigMap
apiVersion: v1
metadata:
  name: lemonldap-ng-configuration
  namespace: ingress-nginx
data:
  domain: example.org
  globalStorage: Apache::Session::Browseable::Postgres # Default Apache::Session::File
  globalStorageOptions.yaml: |
    DataSource: dbi:Pg:dbname=sessions;host=10.2.3.1
    UserName: lemonldapng
    Password: mysuperpassword
    TableName: sessions
    Commit: 1
    Index: _whatToTrace ipAddr
This is the most difficult part of LemonLDAP::NG configuration.
Recommended settings include:
See also the example ConfigMap and the full parameters list from LemonLDAP::NG documentation.
Note: Make sure to have the following arg in the deployment:
- --configmap=ingress-nginx/lemonldap-ng-configuration
You can convert an existing configuration to ConfigMap with Convert mode.
Command line flags
Usage of /lemonldap-ng-controller:
--alsologtostderr log to standard error as well as files
--configmap string Name of the ConfigMap that contains the custom configuration to use
--convert Convert lmConf-n.js from standard input to ConfigMap
--force-namespace-isolation Force namespace isolation. This flag is required to avoid the reference of secrets or configmaps located in a different namespace than the specified in the flag --watch-namespace
--kubeconfig string Path to a kubeconfig. Only required if out-of-cluster
--lemonldap-ng-configuration-directory string LemonLDAP::NG configuration directory (default "/var/lib/lemonldap-ng/conf")
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files
--master string The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
--sync-period duration Relist and confirm cloud resources this often (default 10m0s)
-v, --v Level log level for V logs
--version Shows release information about the LemonLDAP::NG controller
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
--watch-namespace string Namespace to watch for Ingress. Default is to watch all namespaces
Convert mode
If you have an existing configuration, convert it with --convert:
cat lmConf-42.js | \
lemonldap-ng-controller --convert --configmap=ingress-nginx/lemonldap-ng-configuration | \
kubectl apply -f