This repository contains a LemonLDAP::NG controller for the Kubernetes Ingress resource; it reads its LemonLDAP::NG configuration from a ConfigMap.
It is intended to be used together with the NGINX Ingress Controller.
See Deployment.
The following annotations are supported:
Name | Type |
---|---|
`kubernetes-controller.lemonldap-ng.org/location-rules` | string |
`kubernetes-controller.lemonldap-ng.org/exported-headers` | string |
The annotation value may be written as YAML or JSON:

```yaml
kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "^/admin/": "$uid eq \"bart.simpson\"",
    "default": "accept"
  }
```
If the annotation is not set on the Ingress, the default location-rules are:

```yaml
kubernetes-controller.lemonldap-ng.org/location-rules: |
  {
    "default": "accept"
  }
```

This default only requires that the user be authenticated; it adds no per-path restriction.
See also LemonLDAP::NG documentation.
The annotation value may be written as YAML or JSON:

```yaml
kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Display-Name": "$givenName.\" \".$surName"
  }
```
If the annotation is not set on the Ingress, the default exported-headers are:

```yaml
kubernetes-controller.lemonldap-ng.org/exported-headers: |
  {
    "Auth-User": "$uid"
  }
```
See also LemonLDAP::NG documentation.
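The two annotations above are free-form strings, so a malformed value (an unbalanced regexp, a missing `default` rule, a header name with stray whitespace) is only noticed once the controller has rendered the configuration. The following linter is an added example, not code from the lemonldap-ng-controller project; it assumes only what this README states (each annotation holds a YAML or JSON mapping, location-rules keys are URL regexps or `default`, exported-headers keys are HTTP header names) and runs over a constructed Ingress manifest embedded in the file. The Python `re` check is an approximation of the Perl regexp syntax LemonLDAP::NG uses.

```python
"""Lint lemonldap-ng-controller annotations on an Ingress manifest.

Added example, not part of the lemonldap-ng-controller project. It relies
only on what the README states about the two annotations.
"""
import json
import re

try:
    import yaml  # optional; JSON is valid YAML, so json is the fallback

    def _load(text):
        return yaml.safe_load(text)
except ImportError:
    def _load(text):
        return json.loads(text)

PREFIX = "kubernetes-controller.lemonldap-ng.org/"
RULES = PREFIX + "location-rules"
HEADERS = PREFIX + "exported-headers"

# Characters allowed in an HTTP header field name (RFC 7230 token).
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def _mapping(raw, what, findings):
    """Parse an annotation value and require a non-empty mapping."""
    try:
        value = _load(raw)
    except Exception:  # yaml.YAMLError or json.JSONDecodeError
        findings.append(f"{what}: not valid YAML/JSON")
        return None
    if not isinstance(value, dict) or not value:
        findings.append(f"{what}: must be a non-empty mapping")
        return None
    return value


def lint_annotations(annotations):
    """Return a list of findings for the controller annotations; [] is clean."""
    findings = []
    if RULES not in annotations:
        # README default is {"default": "accept"}: authenticated users only,
        # with no per-path restriction. Worth surfacing, not an error.
        findings.append("location-rules: absent, controller default applies")
    else:
        rules = _mapping(annotations[RULES], "location-rules", findings)
        if rules is not None:
            if "default" not in rules:
                findings.append("location-rules: no 'default' entry")
            for pattern, rule in rules.items():
                if pattern != "default":
                    try:  # Python re approximates Perl syntax for this check
                        re.compile(pattern)
                    except re.error:
                        findings.append(f"location-rules: bad regexp {pattern!r}")
                if not isinstance(rule, str) or not rule.strip():
                    findings.append(f"location-rules: empty rule for {pattern!r}")
    if HEADERS in annotations:
        headers = _mapping(annotations[HEADERS], "exported-headers", findings)
        if headers is not None:
            for name, expr in headers.items():
                if not _TOKEN.match(name):
                    findings.append(f"exported-headers: invalid header name {name!r}")
                if not isinstance(expr, str) or not expr.strip():
                    findings.append(f"exported-headers: empty expression for {name!r}")
    return findings


def lint_ingress(ingress):
    """Lint a parsed Ingress manifest (only metadata.annotations is read)."""
    return lint_annotations(ingress["metadata"].get("annotations", {}))


# Constructed sample Ingress, reduced to the fields the linter reads.
GOOD_INGRESS = {"metadata": {"name": "demo", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    RULES: '{"^/admin/": "$uid eq \\"bart.simpson\\"", "default": "accept"}',
    HEADERS: '{"Auth-User": "$uid", "Display-Name": "$givenName.\\" \\".$surName"}',
}}}

# Same Ingress with three defects: no default rule, an unbalanced regexp,
# and a header name carrying a trailing space.
BAD_INGRESS = {"metadata": {"name": "demo-broken", "annotations": {
    RULES: '{"^/admin/(": "$uid eq \\"bart.simpson\\""}',
    HEADERS: '{"Auth-User ": "$uid"}',
}}}

if __name__ == "__main__":
    for ing in (GOOD_INGRESS, BAD_INGRESS):
        print(ing["metadata"]["name"], lint_ingress(ing) or "ok")
```

Run it on real manifests by loading them with `yaml.safe_load` and passing each document to `lint_ingress`; an absent location-rules annotation is reported as a finding rather than an error because the controller's default is permissive for any authenticated user.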
A ConfigMap can be used to override lmConf-1.js parameters.
The `lmConf.js` value may be written as YAML or JSON:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: lemonldap-ng-configuration
  namespace: ingress-nginx
data:
  lmConf.js: |
    domain: example.org
```
This is the most difficult part of the LemonLDAP::NG configuration. Settings you should expect to set include:
- Single Sign On cookie, domain and portal URL
- authentication, user and password backends
- session database (required if you run more than one replica, so that sessions are shared)
See also the example ConfigMap and the full parameter list in the LemonLDAP::NG documentation.
Note: make sure the controller Deployment passes the following argument so that it finds the ConfigMap:
- `--configmap=ingress-nginx/lemonldap-ng-configuration`
```text
Usage of /lemonldap-ng-controller:
      --alsologtostderr                                  log to standard error as well as files
      --configmap string                                 Name of the ConfigMap that contains the custom configuration to use
      --force-namespace-isolation                        Force namespace isolation. This flag is required to avoid the reference of secrets or configmaps located in a different namespace than the specified in the flag --watch-namespace
      --kubeconfig string                                Path to a kubeconfig. Only required if out-of-cluster
      --lemonldap-ng-configuration-directory string      LemonLDAP::NG configuration directory (default "/var/lib/lemonldap-ng/conf")
      --log_backtrace_at traceLocation                   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                                   If non-empty, write log files in this directory
      --logtostderr                                      log to standard error instead of files
      --master string                                    The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster
      --stderrthreshold severity                         logs at or above this threshold go to stderr (default 2)
      --sync-period duration                             Relist and confirm cloud resources this often (default 10m0s)
  -v, --v Level                                          log level for V logs
      --vmodule moduleSpec                               comma-separated list of pattern=N settings for file-filtered logging
      --watch-namespace string                           Namespace to watch for Ingress. Default is to watch all namespaces
```