# Authelia

## Background

Authelia works in conjunction with Traefik to provide SSO with credentials stored in a Samba (Active Directory compatible) directory tree. Samba resides outside the Kubernetes cluster, as it is difficult to containerize while keeping it usable from outside the cluster because of Samba's networking requirements.

The MariaDB instance is used to store MFA tokens. KeyDB is used to store session info.

## Deployment

Inspect changes with `git diff` and proceed to deploy:

```
kubectl apply -n authelia -f application.yml
kubectl create secret generic -n authelia mysql-secrets \
    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
kubectl create secret generic -n authelia mariadb-secrets \
    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
kubectl -n authelia rollout restart deployment/authelia
```

To change secrets create `secret.yml` (values under `data:` are base64-encoded, as for any Kubernetes `Secret`):

```
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: application-secrets
data:
  JWT_TOKEN: ...
  SESSION_ENCRYPTION_KEY: ...
  STORAGE_PASSWORD: ...
  STORAGE_ENCRYPTION_KEY: ...
  LDAP_PASSWORD: ...
  SMTP_PASSWORD: ...
```

Apply with:

```
kubectl apply -n authelia -f application-secrets.yml
kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
```

## OIDC secrets

OIDC secrets are separated from the main configuration until Authelia adds CRDs for these.

Generally speaking, for untrusted applications, i.e. clients running outside the Kubernetes cluster such as web browser based (JS) and local command-line clients, one should use `public: true` and omit `secret: ...`.

Populate `oidc-secrets.yml` with approximately the following:

```
identity_providers:
  oidc:
    clients:
      - id: kubelogin
        description: Kubernetes cluster
        secret: ...
        authorization_policy: two_factor
        redirect_uris:
          - http://localhost:27890
        scopes:
          - openid
          - groups
          - email
          - profile
      - id: proxmox
        description: Proxmox Virtual Environment
        secret: ...
        authorization_policy: two_factor
        redirect_uris:
          - https://pve.k-space.ee
        scopes:
          - openid
          - groups
          - email
          - profile
      - id: argocd
        description: ArgoCD
        secret: ...
        authorization_policy: two_factor
        redirect_uris:
          - https://argocd.k-space.ee/auth/callback
        scopes:
          - openid
          - groups
          - email
          - profile
      - id: harbor
        description: Harbor
        secret: ...
        authorization_policy: two_factor
        redirect_uris:
          - https://harbor.k-space.ee/c/oidc/callback
        scopes:
          - openid
          - groups
          - email
          - profile
      - id: gitea
        description: Gitea
        secret: ...
        authorization_policy: one_factor
        redirect_uris:
          - https://git.k-space.ee/user/oauth2/authelia/callback
        scopes:
          - openid
          - profile
          - email
          - groups
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        userinfo_signing_algorithm: none
      - id: grafana
        description: Grafana
        secret: ...
        authorization_policy: one_factor
        redirect_uris:
          - https://grafana.k-space.ee/login/generic_oauth
        scopes:
          - openid
          - groups
          - email
          - profile
```

To upload the file to Kubernetes secrets:

```
kubectl -n authelia delete secret oidc-secrets
kubectl -n authelia create secret generic oidc-secrets \
    --from-file=oidc-secrets.yml=oidc-secrets.yml
kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
kubectl -n authelia rollout restart deployment/authelia
```

Synchronize OIDC secrets into the consuming applications' namespaces (the client secret is read back out of the `oidc-secrets` secret, so the value in Authelia and in the application never diverge):

```
kubectl -n argocd delete secret argocd-secret
kubectl -n argocd create secret generic argocd-secret \
    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=oidc.config.clientSecret=$( \
        kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)

kubectl -n monitoring delete secret oidc-secret
kubectl -n monitoring create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
        kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
```
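Before uploading `oidc-secrets.yml`, it is worth checking the client list against the rules stated above (public clients carry no `secret`, confidential ones must, redirect URIs are HTTPS unless they point at localhost). The following lint is an added example written for this README, not part of the deployment's own files; it works on the already-parsed client list (load the YAML with any parser), and `badapp` is a constructed misconfigured client used only to show the findings.

```python
"""Lint an Authelia OIDC client list for common misconfigurations."""
from urllib.parse import urlparse

# Hostnames for which a plaintext http:// redirect URI is acceptable
# (local CLI clients such as kubelogin listen on loopback).
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def lint_oidc_clients(clients):
    """Return a list of (client_id, message) findings; an empty list means clean."""
    findings = []
    seen_ids = set()
    for client in clients:
        cid = client.get("id", "<missing id>")
        if cid in seen_ids:
            findings.append((cid, "duplicate client id"))
        seen_ids.add(cid)

        is_public = bool(client.get("public", False))
        has_secret = "secret" in client
        if is_public and has_secret:
            findings.append((cid, "public client must not carry a secret"))
        if not is_public and not has_secret:
            findings.append((cid, "confidential client has no secret"))

        for uri in client.get("redirect_uris", []):
            parsed = urlparse(uri)
            if parsed.scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS:
                findings.append((cid, f"plaintext redirect URI {uri}"))

        if "openid" not in client.get("scopes", []):
            findings.append((cid, "scopes do not include openid"))

        if client.get("authorization_policy") not in ("one_factor", "two_factor"):
            findings.append((cid, "authorization_policy missing or unknown"))
    return findings


# Constructed sample: two clients shaped like the ones in this README plus a broken one.
SAMPLE_CLIENTS = [
    {"id": "kubelogin", "secret": "REDACTED", "authorization_policy": "two_factor",
     "redirect_uris": ["http://localhost:27890"],
     "scopes": ["openid", "groups", "email", "profile"]},
    {"id": "argocd", "secret": "REDACTED", "authorization_policy": "two_factor",
     "redirect_uris": ["https://argocd.k-space.ee/auth/callback"],
     "scopes": ["openid", "groups", "email", "profile"]},
    {"id": "badapp", "public": True, "secret": "REDACTED",
     "redirect_uris": ["http://badapp.example.com/cb"], "scopes": ["profile"]},
]

if __name__ == "__main__":
    for cid, msg in lint_oidc_clients(SAMPLE_CLIENTS):
        print(f"{cid}: {msg}")
```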