174 lines
4.7 KiB
Markdown
174 lines
4.7 KiB
Markdown
# Authelia
|
|
|
|
## Background
|
|
|
|
Authelia works in conjunction with Traefik to provide SSO with
|
|
credentials stored in Samba (Active Directory compatible) directory tree.
|
|
|
|
Samba resides outside Kubernetes cluster as it's difficuilt to containerize
|
|
while keeping it usable from outside the cluster due to Samba's networking.
|
|
|
|
The MariaDB instance is used to store MFA tokens.
|
|
Redis is used to store session info.
|
|
|
|
|
|
## Deployment
|
|
|
|
Inspect changes with `git diff` and proceed to deploy:
|
|
|
|
```
|
|
kubectl apply -n authelia -f application.yml -f keydb.yml -f mariadb.yml
|
|
kubectl create secret generic -n authelia mysql-secrets \
|
|
--from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
|
|
kubectl create secret generic -n authelia mariadb-secrets \
|
|
--from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
|
|
--from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
|
|
kubectl create secret generic -n authelia redis-secrets \
|
|
--from-literal=REDIS_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
|
|
kubectl -n authelia rollout restart deployment/authelia
|
|
```
|
|
|
|
To change secrets create `secret.yml`:
|
|
|
|
```
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: Opaque
|
|
metadata:
|
|
name: application-secrets
|
|
data:
|
|
JWT_TOKEN: ...
|
|
SESSION_ENCRYPTION_KEY: ...
|
|
STORAGE_PASSWORD: ...
|
|
STORAGE_ENCRYPTION_KEY: ...
|
|
LDAP_PASSWORD: ...
|
|
STORAGE_PASSWORD: ...
|
|
SMTP_PASSWORD: ...
|
|
```
|
|
|
|
Apply with:
|
|
|
|
```
|
|
kubectl apply -n authelia -f application-secrets.yml
|
|
kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
|
|
```
|
|
|
|
## OIDC secrets
|
|
|
|
OIDC secrets are separated from the main configuration until
|
|
Authelia will add CRD-s for these.
|
|
|
|
Generally speaking for untrusted applications, that is stuff that is running
|
|
outside the Kubernetes cluster eg web browser based (JS) and
|
|
local command line clients one
|
|
should use `public: true` and omit `secret: ...`.
|
|
|
|
Populate `oidc-secrets.yml` with approximately following:
|
|
|
|
```
|
|
identity_providers:
|
|
oidc:
|
|
clients:
|
|
- id: kubelogin
|
|
description: Kubernetes cluster
|
|
secret: ...
|
|
authorization_policy: two_factor
|
|
redirect_uris:
|
|
- http://localhost:27890
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- email
|
|
- profile
|
|
- id: proxmox
|
|
description: Proxmox Virtual Environment
|
|
secret: ...
|
|
authorization_policy: two_factor
|
|
redirect_uris:
|
|
- https://pve.k-space.ee
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- email
|
|
- profile
|
|
- id: argocd
|
|
description: ArgoCD
|
|
secret: ...
|
|
authorization_policy: two_factor
|
|
redirect_uris:
|
|
- https://argocd.k-space.ee/auth/callback
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- email
|
|
- profile
|
|
- id: harbor
|
|
description: Harbor
|
|
secret: ...
|
|
authorization_policy: two_factor
|
|
redirect_uris:
|
|
- https://harbor.k-space.ee/c/oidc/callback
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- email
|
|
- profile
|
|
- id: gitea
|
|
description: Gitea
|
|
secret: ...
|
|
authorization_policy: one_factor
|
|
redirect_uris:
|
|
- https://git.k-space.ee/user/oauth2/authelia/callback
|
|
scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
grant_types:
|
|
- refresh_token
|
|
- authorization_code
|
|
response_types:
|
|
- code
|
|
userinfo_signing_algorithm: none
|
|
- id: grafana
|
|
description: Grafana
|
|
secret: ...
|
|
authorization_policy: one_factor
|
|
redirect_uris:
|
|
- https://grafana.k-space.ee/login/generic_oauth
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- email
|
|
- profile
|
|
```
|
|
|
|
To upload the file to Kubernetes secrets:
|
|
|
|
```
|
|
kubectl -n authelia delete secret oidc-secrets
|
|
kubectl -n authelia create secret generic oidc-secrets \
|
|
--from-file=oidc-secrets.yml=oidc-secrets.yml
|
|
kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
|
|
kubectl -n authelia rollout restart deployment/authelia
|
|
```
|
|
|
|
Synchronize OIDC secrets:
|
|
|
|
```
|
|
kubectl -n argocd delete secret argocd-secret
|
|
kubectl -n argocd create secret generic argocd-secret \
|
|
--from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
|
|
--from-literal=oidc.config.clientSecret=$( \
|
|
kubectl get secret -n authelia oidc-secrets -o json \
|
|
| jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
|
|
| jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
|
|
kubectl -n monitoring delete secret oidc-secret
|
|
kubectl -n monitoring create secret generic oidc-secret \
|
|
--from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
|
|
kubectl get secret -n authelia oidc-secrets -o json \
|
|
| jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
|
|
| jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
|
|
```
|