2018-03-04 17:01:38 +00:00
# Authelia on Kubernetes

Authelia is now available on Kubernetes to protect your most critical
applications with two-factor authentication and single sign-on.

This example leverages [ingress-nginx](https://github.com/kubernetes/ingress-nginx)
to delegate authentication and authorization to Authelia within the cluster.

## Getting started

You can either install **Authelia** on a Kubernetes cluster you already run
or deploy the dedicated [suite](/docs/suites.md) called *kubernetes*.

### Set up a Kube cluster

The simplest way to start a Kubernetes cluster is to deploy the *kubernetes* suite with

```bash
authelia-scripts suites start kubernetes
```

This will take a few seconds (or minutes) to deploy the cluster.

## How does it work?
### Authentication via Authelia

In a Kubernetes cluster, request routing is handled by ingress controllers
following the rules declared in ingress resources.

In this example, the [ingress-nginx](https://github.com/kubernetes/ingress-nginx)
controller has been installed to handle incoming requests. Some of them
(those matching an ingress carrying the annotations described below) are first
forwarded to Authelia so that it can verify whether they are allowed to reach
the protected endpoint.


Authentication is enforced at the ingress level by the annotation
`nginx.ingress.kubernetes.io/auth-url`, whose value is the URL of
Authelia's verification endpoint. For each request matching the ingress, the
controller first issues a sub-request to that URL and only proxies the original
request to the backend if Authelia answers with a 2xx status; a 401 or 403
response denies it.

The ingress controller also needs the URL of the authentication portal so that
a user who is not yet authenticated can be redirected to it. This is set with
the following annotation:

`nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/#/"`

Both annotations can be seen in the `apps/apps.yml` configuration.
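
As an added example (not a file from the Authelia repository), here is a complete
Ingress manifest carrying both annotations for a hypothetical application served
at `app.example.com`. It assumes Authelia is exposed as a Service named `authelia`
in the `authelia` namespace on port 80, that its verification endpoint is
`/api/verify` (the path used by the Authelia 3.x and 4.x series), and that
Authelia returns the authenticated identity in the `Remote-User` and
`Remote-Groups` response headers; adjust those names to your deployment.

```yaml
apiVersion: extensions/v1beta1      # use networking.k8s.io/v1 on Kubernetes >= 1.19
kind: Ingress
metadata:
  name: app                         # hypothetical application
  namespace: apps                   # hypothetical namespace
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Target of the auth sub-request: Authelia's verification endpoint, reached
    # through the in-cluster Service so the check never leaves the cluster
    # (Service name, namespace and port are assumptions).
    nginx.ingress.kubernetes.io/auth-url: "http://authelia.authelia.svc.cluster.local/api/verify"
    # Where a user is sent when auth-url answers 401. ingress-nginx appends the
    # original URL as the `rd` query parameter so Authelia can return the user
    # to it after login.
    nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/#/"
    # Headers copied from Authelia's 200 response onto the proxied request, so
    # the backend learns who was authenticated (header names are assumptions).
    nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Groups"
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app       # hypothetical backend Service
              servicePort: 80
```

Two checks worth doing after applying it. First, the protected host
(`app.example.com`) and the portal (`login.example.com`) must share the parent
domain that Authelia's session cookie is scoped to; a host outside that domain
will never be seen as authenticated and will redirect forever. Second,
`curl -I https://app.example.com/` without a session cookie should return a
302 whose `Location` points at the `auth-signin` URL, and the same request
with a valid session cookie should reach the backend; if the first request
returns the backend's own page instead, the annotations were ignored (most
often because the ingress class does not match the controller).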
### Production grade infrastructure

What is great about [ingress-nginx](https://github.com/kubernetes/ingress-nginx)
is that it is compatible with [kube-lego](https://github.com/jetstack/kube-lego),
which removes the usual pain of manually renewing TLS certificates. It uses
Let's Encrypt to issue certificates and renews them before they expire
(they are valid for 90 days) without any manual intervention.
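
As an added example (not part of the original page), here is an Ingress with the
extra pieces kube-lego needs on top of the Authelia annotations: the
`kubernetes.io/tls-acme: "true"` annotation, which asks kube-lego to obtain a
certificate for the listed hosts, and a `tls` section naming the Secret in which
it stores the certificate and key. The host, namespace, Service and Secret names
are hypothetical, and the Authelia service URL is the same assumption as above.
Note that kube-lego has since been deprecated by its authors in favour of
[cert-manager](https://github.com/jetstack/cert-manager), whose ingress-shim
honours the same annotation when a default issuer is configured.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app
  namespace: apps
  annotations:
    # Must be one of the classes kube-lego watches (default "nginx,gce").
    kubernetes.io/ingress.class: "nginx"
    # Ask kube-lego to obtain a Let's Encrypt certificate for spec.tls hosts
    # and to renew it before expiry.
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/auth-url: "http://authelia.authelia.svc.cluster.local/api/verify"
    nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/#/"
spec:
  tls:
    - hosts:
        - app.example.com
      # kube-lego creates and updates this kubernetes.io/tls Secret; ingress-nginx
      # serves it and, by default, redirects plain HTTP to HTTPS for the host.
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app
              servicePort: 80
```

kube-lego answers the ACME HTTP-01 challenge on
`/.well-known/acme-challenge/` through an ingress resource of its own that
carries no auth annotation, so the Authelia check does not block issuance;
if a certificate never appears, confirm that path is reachable without a
session (`curl -i http://app.example.com/.well-known/acme-challenge/test`
should not redirect to the portal) and read the kube-lego pod logs.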
## What do I need to know to deploy it in my cluster?

Given that your cluster already runs an LDAP server, a Redis instance, a SQL
database, an SMTP server and the nginx ingress controller, you can deploy
**Authelia** and update your ingress configurations. An example is provided
[here](./authelia).

## Questions
If you have questions about the implementation, please post them on
[![Gitter](https://img.shields.io/gitter/room/badges/shields.svg)](https://gitter.im/authelia/general?utm_source=share-link&utm_medium=link&utm_campaign=share-link)