Added Global External Authentication settings to configmap parameters incl. addons
This commit is contained in:
okryvoshapka-connyun
parent
b4f2880ee6
commit
8cc9afe8ee
20 changed files with 819 additions and 72 deletions
9
docs/user-guide/nginx-configuration/annotations.md
Normal file → Executable file
9
docs/user-guide/nginx-configuration/annotations.md
Normal file → Executable file
|
|
@ -27,6 +27,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|
|||
|[nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream](#client-certificate-authentication)|"true" or "false"|
|
||||
|[nginx.ingress.kubernetes.io/auth-url](#external-authentication)|string|
|
||||
|[nginx.ingress.kubernetes.io/auth-snippet](#external-authentication)|string|
|
||||
|[nginx.ingress.kubernetes.io/enable-global-auth](#external-authentication)|"true" or "false"|
|
||||
|[nginx.ingress.kubernetes.io/backend-protocol](#backend-protocol)|string|HTTP,HTTPS,GRPC,GRPCS,AJP|
|
||||
|[nginx.ingress.kubernetes.io/canary](#canary)|"true" or "false"|
|
||||
|[nginx.ingress.kubernetes.io/canary-by-header](#canary)|string|
|
||||
|
|
@ -389,6 +390,14 @@ nginx.ingress.kubernetes.io/auth-snippet: |
|
|||
!!! example
|
||||
Please check the [external-auth](../../examples/auth/external-auth/README.md) example.
|
||||
|
||||
#### Global External Authentication
|
||||
|
||||
By default the controller redirects all requests to an existing service that provides authentication if `global-auth-url` is set in the NGINX ConfigMap. If you want to disable this behavior for that ingress, you can use ssl-redirect: "false" in the NGINX ConfigMap.
|
||||
`nginx.ingress.kubernetes.io/enable-global-auth`:
|
||||
indicates if GlobalExternalAuth configuration should be applied or not to this Ingress rule. Default values is set to `"true"`.
|
||||
|
||||
!!! note For more information please see [global-auth-url](./configmap.md#global-auth-url).
|
||||
|
||||
### Rate limiting
|
||||
|
||||
These annotations define a limit on the connections that can be opened by a single client IP address.
|
||||
|
|
|
|||
45
docs/user-guide/nginx-configuration/configmap.md
Normal file → Executable file
45
docs/user-guide/nginx-configuration/configmap.md
Normal file → Executable file
|
|
@ -152,6 +152,12 @@ The following table shows a configuration option's name, type, and the default v
|
|||
|[limit-req-status-code](#limit-req-status-code)|int|503|
|
||||
|[limit-conn-status-code](#limit-conn-status-code)|int|503|
|
||||
|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|
|
||||
|[global-auth-url](#global-auth-url)|string|""|
|
||||
|[global-auth-method](#global-auth-method)|string|""|
|
||||
|[global-auth-signin](#global-auth-signin)|string|""|
|
||||
|[global-auth-response-headers](#global-auth-response-headers)|string|""|
|
||||
|[global-auth-request-redirect](#global-auth-request-redirect)|string|""|
|
||||
|[global-auth-snippet](#global-auth-snippet)|string|""|
|
||||
|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|
|
||||
|[block-cidrs](#block-cidrs)|[]string|""|
|
||||
|[block-user-agents](#block-user-agents)|[]string|""|
|
||||
|
|
@ -864,6 +870,45 @@ Sets the [status code to return in response to rejected connections](http://ngin
|
|||
A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
|
||||
_**default:**_ "/.well-known/acme-challenge"
|
||||
|
||||
## global-auth-url
|
||||
|
||||
A url to an existing service that provides authentication for all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-url`.
|
||||
Locations that should not get authenticated can be listed using `no-auth-locations` See [no-auth-locations](#no-auth-locations). In addition, each service can be excluded from authentication via annotation `enable-global-auth` set to "false".
|
||||
_**default:**_ ""
|
||||
|
||||
_References:_ [https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#external-authentication)
|
||||
|
||||
## global-auth-method
|
||||
|
||||
A HTTP method to use for an existing service that provides authentication for all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-method`.
|
||||
_**default:**_ ""
|
||||
|
||||
## global-auth-signin
|
||||
|
||||
Sets the location of the error page for an existing service that provides authentication for all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-signin`.
|
||||
_**default:**_ ""
|
||||
|
||||
## global-auth-response-headers
|
||||
|
||||
Sets the headers to pass to backend once authentication request completes. Applied to all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-response-headers`.
|
||||
_**default:**_ ""
|
||||
|
||||
## global-auth-request-redirect
|
||||
|
||||
Sets the X-Auth-Request-Redirect header value. Applied to all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-request-redirect`.
|
||||
_**default:**_ ""
|
||||
|
||||
## global-auth-snippet
|
||||
|
||||
Sets a custom snippet to use with external authentication. Applied to all the locations.
|
||||
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-request-redirect`.
|
||||
_**default:**_ ""
|
||||
|
||||
## no-auth-locations
|
||||
|
||||
A comma-separated list of locations that should not get authenticated.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue