
k8s-ldap's Introduction

Kubernetes - LDAP authentication with Dex

Docs

This deployment follows the Dex (by CoreOS) and Kubernetes documentation.

Requirements

  • DNS entries:

    • dex.k8s.example.com --> Dex OIDC provider
    • login.k8s.example.com --> Custom Login Application
  • Kubernetes cluster available with the following requirements:

    • RBAC enabled
    • OIDC authentication enabled. API server configuration:
      • --oidc-issuer-url=https://dex.k8s.example.com/dex: External Dex endpoint.
      • --oidc-client-id=loginapp: ID for our Login Application.
      • --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file, because we will use automatic certificate requests.
      • --oidc-username-claim=name: Maps to the nameAttr field of the Dex LDAP connector configuration. Kubernetes RBAC uses this claim to authorize users based on their name.
      • --oidc-groups-claim=groups: Kubernetes RBAC uses this claim to authorize users based on their groups.
    • Ingress Controller available.
    • Automatic certificate requests for Kubernetes (ex: https://github.com/jetstack/cert-manager)
  • An available LDAP server

Helm chart

Helm chart is available here.

Login application

  • Create the auth namespace:

    kubectl create ns auth

  • Create resources:

    # CA (letsencrypt) configmap
    kubectl create -f ca-cm.yml
    # Login App configuration
    kubectl create -f loginapp-cm.yml
    # Login App Ingress and SVC
    kubectl create -f loginapp-ing-svc.yml
    # Login App Deployment
    kubectl create -f loginapp-deploy.yml

The login application pods should fail at this point, because Dex is not deployed yet.

Dex

CRD

We will use Kubernetes Custom Resource Definitions (https://kubernetes.io/docs/concepts/api-extension/custom-resources/) as Dex storage backend.

kubectl create -f dex-crd.yml

Deployment

  • Create Dex resources:

    # Dex configuration
    kubectl create -f dex-cm.yml
    # Dex ingress and service
    kubectl create -f dex-ing-svc.yml
    # Dex deployment
    kubectl create -f dex-deploy.yml

Now it should work: open https://login.k8s.example.org, log in and retrieve the Kubernetes configuration. Using the retrieved token directly:

kubectl --token=$token get pods -n auth
Error from server (Forbidden): pods is forbidden: User "<oidc-issuer-url>#<name>" cannot list pods in the namespace "auth"

The user name prefix (by default the issuer URL followed by #, since the username claim is not email) can be changed with the --oidc-username-prefix API server option.
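Worked example of the mapping behind the Forbidden error above and the --oidc-* flags in the Requirements section: how kube-apiserver derives the RBAC user name and groups from the ID token claims, and which subjects a ClusterRoleBinding must therefore name. This is added code, not part of the k8s-ldap repository; the claim values and the hypothetical user jane are constructed.

```python
# Added example (not k8s-ldap code): the --oidc-* flag semantics of kube-apiserver,
# applied to constructed ID token claims shaped like those Dex issues here.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OIDCAuthFlags:
    """The --oidc-* flags from this README's API server configuration."""
    issuer_url: str
    client_id: str
    username_claim: str = "name"
    username_prefix: Optional[str] = None   # None: flag not passed
    groups_claim: Optional[str] = "groups"
    groups_prefix: str = ""


def kube_identity(claims: dict, flags: OIDCAuthFlags) -> Tuple[str, List[str]]:
    """Return (username, groups) as RBAC sees them; raise ValueError if the
    API server would reject the token."""
    if claims.get("iss") != flags.issuer_url:
        raise ValueError("iss does not match --oidc-issuer-url")
    aud = claims.get("aud")
    if flags.client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain --oidc-client-id")
    name = claims.get(flags.username_claim)
    if not isinstance(name, str) or not name:
        raise ValueError(f"claim {flags.username_claim!r} missing or not a string")
    if flags.username_claim == "email" and claims.get("email_verified") is False:
        raise ValueError("email_verified is false")
    # Claims other than "email" are prefixed with "<issuer>#" unless
    # --oidc-username-prefix is given; the value "-" disables prefixing.
    if flags.username_prefix is None:
        prefix = "" if flags.username_claim == "email" else flags.issuer_url + "#"
    else:
        prefix = "" if flags.username_prefix == "-" else flags.username_prefix
    groups: List[str] = []
    raw = claims.get(flags.groups_claim) if flags.groups_claim else None
    if raw is not None:
        raw = [raw] if isinstance(raw, str) else raw  # a lone group may be a bare string
        if not all(isinstance(g, str) for g in raw):
            raise ValueError("groups claim must be a string or a list of strings")
        groups = [flags.groups_prefix + g for g in raw]
    return prefix + name, groups


def rbac_subjects(username: str, groups: List[str]) -> List[dict]:
    """Subjects a (Cluster)RoleBinding must list to match this identity."""
    return [{"kind": "User", "name": username}] + [{"kind": "Group", "name": g} for g in groups]


# Constructed claims (not a real token) for the README's flags.
SAMPLE_CLAIMS = {"iss": "https://dex.k8s.example.com/dex", "aud": "loginapp",
                 "name": "jane", "groups": ["admins", "developers"]}
README_FLAGS = OIDCAuthFlags("https://dex.k8s.example.com/dex", "loginapp")

if __name__ == "__main__":
    user, groups = kube_identity(SAMPLE_CLAIMS, README_FLAGS)
    print(user, groups, rbac_subjects(user, groups))
```

Because RBAC matches the prefixed string literally, the User subject in crb-all-auth.yml has to carry the same prefix the API server applies, or the binding silently never matches.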

  • Create the ClusterRoleBinding resource:

    kubectl create -f crb-all-auth.yml

Try again:

kubectl --token=$token get po
NAME                        READY     STATUS    RESTARTS   AGE
dex-6f6568d499-m89z6        1/1       Running   0          7m
loginapp-6474748f4b-gb5kb   1/1       Running   0          8m
loginapp-6474748f4b-prq25   1/1       Running   0          8m
loginapp-6474748f4b-vnvnb   1/1       Running   0          8m

k8s-ldap's People

Contributors

fydrah, junaid-ali, romankydybets


k8s-ldap's Issues

A couple of missing pieces of information about the setup

Hi,

  1. dex.k8s.example.com & login.k8s.example.com

     example.com is not a valid domain name. Is there a way to run the setup without using these domain names? (minikube will not run the example, as far as I know, so /etc/hosts cannot be used.)

  2. --oidc-ca-file=/etc/kubernetes/ssl/letsencrypt.pem: Letsencrypt CA file because we will use automatic certificate requests.

     Where do I get the letsencrypt.pem file from? Is this running with staging certificates?

  3. Expected output of commands, and an explanation of what they do, is needed. It would be nice if there were more explanation.

Can't use config generated by Dex

Hi all,
after the whole configuration,
I can't use the config generated by Dex.
Maybe someone could help me.
I think the problem is that I have a load balancer in front of the cluster and don't need cert-manager, I think.

Rendering Kubernetes Cluster Config using loginapp.

I want to render the K8s cluster config using the latest loginapp image from "quay.io/fydrah/loginapp", as I see 'loginapp' was updated 3 months ago.

I updated the 'loginapp-deploy.yml' file to use the image 'quay.io/fydrah/loginapp:latest' instead of "objectiflibre/login-app:latest", but the pod fails to start with the following logs on the K8s cluster.

NAME:
   loginapp - A new cli application
USAGE:
   Web application for Kubernetes CLI configuration with OIDC
COMMANDS:
     serve    Run loginapp application
     help, h  Shows a list of commands or help for one command
OPTIONS:
   --help, -h     show help
   --version, -v  print the version

The following are my "loginapp-cm.yml" & "loginapp-deploy.yml" files.

File: 'loginapp-cm.yml'

kind: ConfigMap
apiVersion: v1
metadata:
  name: ndp
  namespace: auth
data:
  config.yaml: |
    debug: false
    client_id: "loginapp"
    client_secret: 4TORGiNV9M54BafduFSaI6hUjfjr
    issuer_url: "https://dex.k8s.my.example.com:32000/dex"
    issuer_root_ca: "/etc/ssl/ca.pem"
    redirect_url: "https://dex.k8s.my.example.com:32004/callback"
    listen: "https://0.0.0.0:5555"
    tls_cert: "/etc/loginapp/tls/tls.crt"
    tls_key: "/etc/loginapp/tls/tls.key"
    disable_choices: false
    extra_scopes: "groups"
    app_name: "Kubernetes Auth"
    clusters:
      - name: k8s.my.example.com
        server: https://api.k8s.my.example.com
        certificate-authority: |
          -----BEGIN CERTIFICATE-----
          MIIC0zCCAbugAwIBAgIMFbJwywDTOJDQnUzEMA0GCSqGSIb3DQEBCwUAMBUxEzAR
          DW6CCCsGMWfV20tNXZgCPA6SKe3JY/CZ7DxD2aPSBu1hgPT4B+UikKNiuZ5/Un7T
          ACsOLBeW6A==
          -----END CERTIFICATE-----
        insecure-skip-tls-verify: false

File: 'loginapp-deploy.yml'

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: loginapp-new
  namespace: auth
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: loginapp-new
    spec:
      containers:
      - image: quay.io/fydrah/loginapp:latest
        name: loginapp-new
        #command: ["/loginapp", "serve", "/app/config.yaml"]
        ports:
        - name: http
          containerPort: 5555
        volumeMounts:
        - name: ca
          mountPath: /etc/ssl/
        - name: config
          mountPath: /app/
        - name: tls
          mountPath: /etc/loginapp/tls
      volumes:
      - name: ca
        configMap:
          name: ca
          items:
          - key: ca.pem
            path: ca.pem
      - name: config
        configMap:
          name: ndp
          items:
          - key: config.yaml
            path: config.yaml
      - name: tls
        secret:
          secretName: login.k8s.example.org.tls

I even tried passing a command to the new image when it starts by adding 'command: ["/loginapp", "serve", "/app/config.yaml"]', however the pod still failed to start with the following error.

{"level":"warning","msg":"format \"\" not available, use json|text. Using json format","time":"2019-07-29T13:40:39Z"}
{"level":"warning","msg":"log level \"\" not available, use debug|info|warning|error. Using Info log level","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no name specified","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no client id specified","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no client secret specified","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no redirect url specified","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no issuer url specified","time":"2019-07-29T13:40:39Z"}
{"level":"error","msg":"no issuer root_ca specified","time":"2019-07-29T13:40:39Z"}
{"level":"fatal","msg":"error while loading configuration","time":"2019-07-29T13:40:39Z"}

Let me know what I have missed or am doing wrong. I want to produce the cluster config details once the user authenticates to LDAP.

Loginapp invalid certificate

Hello,

I have been having problems when deploying this setup. My cert-manager seems to be working:

kubectl logs cert-manager-cert-manager-5656fb7c54-snt72 -n kube-system -c ingress-shim
I0223 10:24:08.052308       1 leaderelection.go:174] attempting to acquire leader lease...
I0223 10:24:25.481969       1 leaderelection.go:184] successfully acquired lease kube-system/ingress-shim-controller
I0223 10:24:25.582349       1 controller.go:147] ingress-shim controller: syncing item 'kube-system/default-backend-ingress'
I0223 10:24:25.582392       1 controller.go:147] ingress-shim controller: syncing item 'auth/dex'
I0223 10:24:25.582664       1 sync.go:85] Certificate "sslportal" for ingress "default-backend-ingress" already exists, not re-creating
I0223 10:24:25.582661       1 sync.go:85] Certificate "dex-tls" for ingress "dex" already exists, not re-creating
I0223 10:24:25.582726       1 controller.go:161] ingress-shim controller: Finished processing work item "auth/dex"
I0223 10:24:25.582740       1 controller.go:147] ingress-shim controller: syncing item 'auth/loginapp'
I0223 10:24:25.582751       1 sync.go:85] Certificate "login-tls" for ingress "loginapp" already exists, not re-creating
I0223 10:24:25.582757       1 controller.go:161] ingress-shim controller: Finished processing work item "auth/loginapp"
I0223 10:24:25.582763       1 controller.go:161] ingress-shim controller: Finished processing work item "kube-system/default-backend-ingress"
kubectl logs cert-manager-cert-manager-5656fb7c54-snt72 -n kube-system -c cert-manager
I0223 10:24:07.734287       1 server.go:68] Listening on http://0.0.0.0:9402
I0223 10:24:07.736528       1 leaderelection.go:174] attempting to acquire leader lease...
I0223 10:24:22.888515       1 leaderelection.go:184] successfully acquired lease kube-system/cert-manager-controller
I0223 10:24:22.989149       1 controller.go:187] certificates controller: syncing item 'auth/dex-tls'
I0223 10:24:22.989428       1 sync.go:107] Error checking existing TLS certificate: secret "dex-tls" not found
I0223 10:24:22.989161       1 controller.go:136] issuers controller: syncing item 'default/ca-issuer'
I0223 10:24:22.989497       1 sync.go:238] Preparing certificate with issuer
I0223 10:24:22.989505       1 sync.go:248] Issuing certificate...
I0223 10:24:22.989185       1 controller.go:187] certificates controller: syncing item 'kube-system/sslportal'
I0223 10:24:22.989194       1 controller.go:138] clusterissuers controller: syncing item 'ca-cluster-issuer'
I0223 10:24:22.990834       1 sync.go:200] Certificate scheduled for renewal in 1104 hours
I0223 10:24:22.990887       1 controller.go:201] certificates controller: Finished processing work item "kube-system/sslportal"
I0223 10:24:22.991461       1 setup.go:55] Signing CA verified
I0223 10:24:22.989245       1 controller.go:187] certificates controller: syncing item 'auth/login-tls'
I0223 10:24:22.992043       1 setup.go:55] Signing CA verified
I0223 10:24:22.992088       1 sync.go:107] Error checking existing TLS certificate: secret "login-tls" not found
I0223 10:24:22.992230       1 sync.go:238] Preparing certificate with issuer
I0223 10:24:22.992242       1 sync.go:248] Issuing certificate...
I0223 10:24:22.995253       1 controller.go:150] issuers controller: Finished processing work item "default/ca-issuer"
I0223 10:24:22.996657       1 controller.go:152] clusterissuers controller: Finished processing work item "ca-cluster-issuer"
I0223 10:24:23.092189       1 helpers.go:165] Setting lastTransitionTime for Certificate "dex-tls" condition "Ready" to 2018-02-23 10:24:23.092176359 +0000 UTC m=+15.443829199
I0223 10:24:23.144987       1 sync.go:269] Certificated issued successfully
I0223 10:24:23.150062       1 sync.go:200] Certificate scheduled for renewal in 8039 hours
I0223 10:24:23.150120       1 controller.go:201] certificates controller: Finished processing work item "auth/dex-tls"
I0223 10:24:23.150142       1 controller.go:187] certificates controller: syncing item 'auth/dex-tls'
I0223 10:24:23.150408       1 sync.go:200] Certificate scheduled for renewal in 8039 hours
I0223 10:24:23.150441       1 controller.go:201] certificates controller: Finished processing work item "auth/dex-tls"
I0223 10:24:23.596080       1 helpers.go:165] Setting lastTransitionTime for Certificate "login-tls" condition "Ready" to 2018-02-23 10:24:23.596066546 +0000 UTC m=+15.947719354
I0223 10:24:24.142036       1 sync.go:269] Certificated issued successfully
I0223 10:24:24.145792       1 sync.go:200] Certificate scheduled for renewal in 8039 hours
I0223 10:24:24.145823       1 controller.go:201] certificates controller: Finished processing work item "auth/login-tls"
I0223 10:24:24.145836       1 controller.go:187] certificates controller: syncing item 'auth/login-tls'
I0223 10:24:24.146036       1 sync.go:200] Certificate scheduled for renewal in 8039 hours
I0223 10:24:24.146046       1 controller.go:201] certificates controller: Finished processing work item "auth/login-tls"
I0223 10:24:24.146338       1 controller.go:187] certificates controller: syncing item 'auth/login-tls'
I0223 10:24:24.146675       1 sync.go:200] Certificate scheduled for renewal in 8039 hours
I0223 10:24:24.146729       1 controller.go:201] certificates controller: Finished processing work item "auth/login-tls"

But the problem is on the loginapp, where the certificate seems to be invalid:

kubectl logs loginapp-6474748f4b-m79vx -n auth
Error: Failed to query provider "https://dex.qubu.yrd.rot.hybris.com/dex": Get https://dex.qubu.yrd.rot.hybris.com/dex/.well-known/openid-configuration: x509: certificate is valid for ingress.local, not dex.qubu.yrd.rot.hybris.com
Usage:
  login-app [flags]

Flags:
  -h, --help   help for login-app

error: Failed to query provider "https://dex.qubu.yrd.rot.hybris.com/dex": Get https://dex.qubu.yrd.rot.hybris.com/dex/.well-known/openid-configuration: x509: certificate is valid for ingress.local, not dex.qubu.yrd.rot.hybris.com

Any idea what I may be missing?

loginapp CrashLoopBackOff

Hi, I followed the user guide to install all components on Kubernetes, but I found that loginapp is always in CrashLoopBackOff. The logs:

Error: Failed to query provider "https://dex.k8s.example.org/dex": Get https://dex.k8s.example.org/dex/.well-known/openid-configuration: dial tcp: lookup dex.k8s.example.org on 10.96.0.10:53: no such host
Usage:
  login-app [flags]

Flags:
  -h, --help   help for login-app

error: Failed to query provider "https://dex.k8s.example.org/dex": Get https://dex.k8s.example.org/dex/.well-known/openid-configuration: dial tcp: lookup dex.k8s.example.org on 10.96.0.10:53: no such host

dex.k8s.example.org or dex.k8s.example.com: is the loginapp configmap wrong? Thanks a lot!

Loginapp deployment errors

We are getting the error below with the loginapp deployment; we used the yaml files mentioned in this GitHub repository.

~]$ kubectl logs loginapp-66d6b766d9-gwxsn
Error: failed to read root-ca: open /etc/kubernetes/pki/ca.pem: no such file or directory
Usage:
  login-app [flags]

Flags:
  -h, --help   help for login-app

error: failed to read root-ca: open /etc/kubernetes/pki/ca.pem: no such file or directory
~]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T10:09:24Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T09:42:01Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Unable to connect to loginapp service

I have deployed loginapp along with Dex and both pods are running fine without errors. Still, I am not able to connect to the loginapp service; even a telnet from the container itself to port 5555 is failing.

[dev-k8s-helm ~]$ k exec -it loginapp-59c68896d-tldq7 sh
/ # ps -ef
PID   USER     TIME   COMMAND
    1 root       0:00 /login-app /app/config.yaml
   26 root       0:00 sh
   32 root       0:00 ps -ef
/ # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::5555                 :::*                    LISTEN      1/login-app
/ # telnet localhost 5555

Pod logs:

[dev-k8s-helm ~]$ kubectl logs loginapp-59c68896d-tldq7
2018/03/16 07:56:50 GET /dex/.well-known/openid-configuration HTTP/1.1
Host: dev.dex.k8s.example.com:8443

2018/03/16 07:56:50 HTTP/1.1 200 OK
Content-Length: 773
Content-Type: application/json
Date: Fri, 16 Mar 2018 07:56:50 GMT

{
  "issuer": "https://dev.dex.k8s.example.com:8443/dex",
  "authorization_endpoint": "https://dev.dex.k8s.example.com:8443/dex/auth",
  "token_endpoint": "https://dev.dex.k8s.example.com:8443/dex/token",
  "jwks_uri": "https://dev.dex.k8s.example.com:8443/dex/keys",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}
2018/03/16 07:56:50 listening on http://0.0.0.0:5555

Please help to debug this further.

Without external access

Is it possible to use this without external access? I use a local cluster and a local LDAP server, so it should be possible?

Future updates

Hi there,
One of the forks of this project is trying to add Keycloak as an alternative to loginapp, which could provide Dex authorization for kubernetes-dashboard. Are you planning to integrate this into your code?

Best regards

LICENSE?

Could you please add license doc? I'd like to make sure your work is credited.
