# external-ingress-auth-service

Installs an instance of the External Ingress Authentication Service, which provides external authentication for Kubernetes Ingress Controllers. It works well with the NGINX ingress controller via its External Authentication feature.

Homepage: https://argelbargel.github.io/external-ingress-auth/

Source Code

## Values
| Key | Type | Default | Description |
|---|---|---|---|
| commonAnnotations | object | {} | common annotations for all resources deployed by this chart |
| commonLabels | object | {} | common labels for all resources deployed by this chart |
| config.authCacheTTLSecs | int | 15 | |
| config.authentication.htpasswd.enabled | bool | true | enable/disable the htpasswd authentication backend |
| config.authentication.htpasswd.groups.enabled | bool | false | enable to map users authenticated by the htpasswd backend to groups |
| config.authentication.htpasswd.groups.externalSecret.key | string | "groups" | key in the above secret containing the groups. Can be templated. |
| config.authentication.htpasswd.groups.externalSecret.name | string | "" | name of a Secret containing the group mapping for the htpasswd authentication backend. Required if groups are enabled. Can be templated. |
| config.authentication.htpasswd.users.externalSecret.key | string | ".htpasswd" | key in the above secret containing the users and their passwords. Can be templated. |
| config.authentication.htpasswd.users.externalSecret.name | string | "" | name of a Secret containing the users and their passwords as generated by htpasswd. Required if htpasswd authentication is enabled. Can be templated. |
| config.authentication.ldap.bindDn | string | "cn={username}," | bind DN used to bind users for authentication. If left empty, the bindDn is configured from the external secret (see externalSecret.bindDnKey). Can be templated. |
| config.authentication.ldap.enabled | bool | false | enable/disable the LDAP authentication backend |
| config.authentication.ldap.externalSecret.bindDnKey | string | "LDAP_BIND_DN" | key in the above secret containing the LDAP bind DN. Ignored if bindDn is set. Can be templated. |
| config.authentication.ldap.externalSecret.managerDnKey | string | "LDAP_MANAGER_DN" | key in the above secret containing the DN of the user used to search group memberships. Required. Can be templated. |
| config.authentication.ldap.externalSecret.managerPasswordKey | string | "LDAP_MANAGER_PASSWORD" | key in the above secret containing the password of the user used to search group memberships. Required. Can be templated. |
| config.authentication.ldap.externalSecret.name | string | "" | name of a Secret containing the credentials of the user used to search group memberships. Required if LDAP authentication is enabled. Can be templated. |
| config.authentication.ldap.externalSecret.searchBaseKey | string | "LDAP_SEARCH_BASE" | key in the above secret containing the search base for looking up group memberships. Ignored if searchBase is set. Can be templated. |
| config.authentication.ldap.externalSecret.searchFilterKey | string | "LDAP_SEARCH_FILTER" | key in the above secret containing the search filter for looking up group memberships. Ignored if searchFilter is set. Can be templated. |
| config.authentication.ldap.externalSecret.serverUrlKey | string | "LDAP_SERVER_URL" | key in the above secret containing the LDAP server URL. Ignored if serverUrl is set. Can be templated. |
| config.authentication.ldap.searchBase | string | "" | base DN to search users in when getting group memberships. If left empty, the searchBase is configured from the external secret (see externalSecret.searchBaseKey). Can be templated. |
| config.authentication.ldap.searchFilter | string | "(sAMAccountName={username})" | filter used to find the user object when getting group memberships. If left empty, the searchFilter is configured from the external secret (see externalSecret.searchFilterKey). Can be templated. |
| config.authentication.ldap.serverUrl | string | "" | URL of the LDAP server to authenticate users against. If left empty, the server URL is configured from the external secret (see externalSecret.serverUrlKey). Can be templated. |
| config.authorization.ingressRules.enabled | bool | false | |
| config.authorization.ingressRules.secret.external.key | string | "AUTHORIZATION_INGRESS_RULES_SECRET" | key in the secret where the value of the ingress secret is stored (can be templated) |
| config.authorization.ingressRules.secret.external.name | string | "" | if set to a non-empty value, the secret validating authorization rules from the ingress is injected from the given Secret; otherwise a Secret is created with config.authorization.ingressRules.secret.value (can be templated) |
| config.authorization.ingressRules.secret.value | string | "" | |
| config.authorization.rules | list | [] | authorization rules (see https://github.com/Argelbargel/external-ldap-auth/tree/main/charts/auth-service#authorization-rules) |
| config.bruteForceProtection.enabled | bool | true | enable/disable brute-force protection, which blocks requests from an IP after too many failed authentication requests |
| config.bruteForceProtection.expirationSecs | int | 60 | the window within which failed authentication requests are counted, and how long the IP is blocked |
| config.bruteForceProtection.maxFailureCount | int | 5 | how many failed authentication requests are allowed from one IP before its requests are blocked |
| config.logging.format | string | "JSON" | log format of the service |
| config.logging.level | string | "WARN" | log level of the service |
| config.tls.enabled | bool | false | enable/disable HTTPS/TLS for the service |
| config.tls.externalSecret.certKey | string | "tls.crt" | name of the key in the above secret containing the certificate data. Can be templated. |
| config.tls.externalSecret.keyKey | string | "tls.key" | name of the key in the above secret containing the certificate's private key. Can be templated. |
| config.tls.externalSecret.name | string | "" | name of a Secret containing the TLS certificate and key. Required if TLS is enabled. Can be templated. |
| deployment.annotations | object | {} | additional annotations specific to the deployment resource |
| deployment.initContainers | list | [] | initContainers for the deployment; can be templated, e.g. to use Helm values |
| deployment.labels | object | {} | additional labels specific to the deployment resource |
| deployment.replicas | int | 1 | |
| deployment.resources.limits.memory | string | "128Mi" | |
| deployment.resources.requests.cpu | string | "50m" | |
| deployment.resources.requests.memory | string | "128Mi" | |
| deployment.volumeMounts | list | [] | additional volume mounts for the external-ldap-auth container; can be templated, e.g. to use Helm values |
| deployment.volumes | list | [] | additional volumes for the deployment; can be templated, e.g. to use Helm values |
| image.pullPolicy | string | "IfNotPresent" | |
| image.pullSecrets | list | [] | image pull secrets; can be templated, e.g. to use Helm values |
| image.repo | string | "ghcr.io/argelbargel/external-ingress-auth" | overrides the image repository of the deployed container image. Can be templated. |
| image.tag | string | "" | overrides the image tag of the deployed container image. Can be templated. |
| ingress.annotations | object | {} | additional annotations specific to the ingress resource |
| ingress.enabled | bool | false | when true, generates an Ingress for the auth-service. As the auth-service should only be used by Ingresses, you should NOT enable this in production in most use cases. |
| ingress.host | string | "" | hostname for the ingress. Required if the ingress is enabled. Can be templated. |
| ingress.labels | object | {} | additional labels specific to the ingress resource |
| ingress.tls.enabled | bool | false | |
| ingress.tls.secretName | string | "" | name of a Secret containing the certificate data. Required if ingress TLS is enabled. Can be templated. |
| service.annotations | object | {} | additional annotations specific to the service resource |
| service.labels | object | {} | additional labels specific to the service resource |
| service.type | string | "ClusterIP" | the service type. As the auth-service should only be used by Ingresses and not receive client traffic directly, this should be kept at ClusterIP in most use cases. |
| serviceMonitor.annotations | object | {} | additional annotations specific to the service-monitor resource |
| serviceMonitor.enabled | bool | false | enable a ServiceMonitor that scrapes the metrics exposed by the auth-service |
| serviceMonitor.labels | object | {} | additional labels specific to the service-monitor resource |
## Authorization Rules

Configuring authorization rules for the service is much more readable when using this chart.

Rules are configured under the key .config.rules:

```yaml
config:
  rules:
    - hosts: []      # list of hosts for which the rule applies
      ranges: []     # list of IP ranges for which the rule applies, e.g. 192.168.0.1/16
      methods: []    # list of HTTP methods for which the rule applies, e.g. GET
      paths: []      # list of paths for which the rule applies
      public: false  # whether access to the resource specified by the properties above is public (true) or restricted (false)
      # the properties below are ignored if public: true
      users: []      # list of users allowed to access the resource specified by the properties above
      groups: []     # list of groups allowed to access the resource specified by the properties above
      operators:
        groups: <AND or OR>            # default: OR
        users-and-groups: <AND or OR>  # default: AND
```
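As an added example (not part of the chart's own documentation), the following values file wires the htpasswd backend with group mapping and brute-force protection to three rules built from the schema above, keeping the auth-service itself unexposed. All hostnames, Secret names, users, groups and IP ranges are constructed placeholders. The section above places the rules under config.rules while the values table lists config.authorization.rules; check the values.yaml of the chart version you install before applying.

```yaml
# Constructed example values for the external-ingress-auth-service chart;
# hostnames, Secret names, users, groups and IP ranges are placeholders.
service:
  type: ClusterIP          # keep the auth-service reachable only by Ingresses
ingress:
  enabled: false           # no Ingress for the auth-service itself in production
config:
  authentication:
    htpasswd:
      enabled: true
      users:
        externalSecret:
          name: auth-users    # key ".htpasswd", content generated by htpasswd
      groups:
        enabled: true
        externalSecret:
          name: auth-groups   # key "groups", maps users to groups
  bruteForceProtection:
    enabled: true
    maxFailureCount: 5       # block an IP after 5 failed authentications ...
    expirationSecs: 60       # ... counted, and blocked, within a 60 s window
  rules:
    # Health endpoint of the protected app needs no credentials.
    - hosts: [app.example.test]
      paths: [/healthz]
      methods: [GET]
      public: true
    # Admin paths: members of the "admins" group; the rule applies only
    # to requests from the constructed corporate range.
    - hosts: [app.example.test]
      paths: [/admin]
      ranges: [10.0.0.0/8]
      public: false
      groups: [admins]
    # Write methods on the API: the user must be in both groups
    # (groups: AND) and additionally be a listed user (users-and-groups: AND).
    - hosts: [app.example.test]
      paths: [/api]
      methods: [POST, PUT, DELETE]
      public: false
      users: [release-bot]
      groups: [developers, releasers]
      operators:
        groups: AND
        users-and-groups: AND
```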
## License

- Source code is licensed under MIT