docs: update integration guides to reference get started (#3573)
parent
1dbca52cab
commit
e2e1d6d30b
|
@ -778,8 +778,33 @@ notifier:
|
||||||
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
||||||
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# issuer_private_key: |
|
# issuer_private_key: |
|
||||||
# --- KEY START
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
# --- KEY END
|
# MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
|
||||||
|
# lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
|
||||||
|
# HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
|
||||||
|
# Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
|
||||||
|
# Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
|
||||||
|
# YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
|
||||||
|
# AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
|
||||||
|
# i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
|
||||||
|
# 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
|
||||||
|
# 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
|
||||||
|
# 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
|
||||||
|
# ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
|
||||||
|
# owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
|
||||||
|
# AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
|
||||||
|
# OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
|
||||||
|
# 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
|
||||||
|
# fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
|
||||||
|
# pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
|
||||||
|
# ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
|
||||||
|
# Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
|
||||||
|
# UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
|
||||||
|
# D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
|
||||||
|
# P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
|
||||||
|
# vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
|
||||||
|
# qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The lifespans configure the expiration for these token types.
|
## The lifespans configure the expiration for these token types.
|
||||||
# access_token_lifespan: 1h
|
# access_token_lifespan: 1h
|
||||||
|
|
|
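Review bot: The commented `issuer_private_key` example now carries a complete-looking PEM body, and nothing on these lines says it is a sample, so a reader who uncomments the block has no cue that the value must be replaced. The first body line (`MXIEogIB$AKCAQEA…`) contains `$`, which is not a base64 character, so the key appears to be deliberately invalid; saying so would also help anyone triaging a secret-scanner hit on this file. I would add a comment above the key such as `## The key below is a non-functional example; generate your own and prefer supplying it as a secret.` The same sample is pasted uncommented in the `identity_providers` hunk that follows and in the Kubernetes secret manifest further down, where the same remark applies.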
@ -34,8 +34,33 @@ identity_providers:
|
||||||
oidc:
|
oidc:
|
||||||
hmac_secret: this_is_a_secret_abc123abc123abc
|
hmac_secret: this_is_a_secret_abc123abc123abc
|
||||||
issuer_private_key: |
|
issuer_private_key: |
|
||||||
--- KEY START
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
--- KEY END
|
MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
|
||||||
|
lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
|
||||||
|
HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
|
||||||
|
Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
|
||||||
|
Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
|
||||||
|
YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
|
||||||
|
AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
|
||||||
|
i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
|
||||||
|
60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
|
||||||
|
7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
|
||||||
|
0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
|
||||||
|
ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
|
||||||
|
owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
|
||||||
|
AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
|
||||||
|
OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
|
||||||
|
7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
|
||||||
|
fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
|
||||||
|
pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
|
||||||
|
ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
|
||||||
|
Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
|
||||||
|
UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
|
||||||
|
D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
|
||||||
|
P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
|
||||||
|
vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
|
||||||
|
qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
access_token_lifespan: 1h
|
access_token_lifespan: 1h
|
||||||
authorize_code_lifespan: 1m
|
authorize_code_lifespan: 1m
|
||||||
id_token_lifespan: 1h
|
id_token_lifespan: 1h
|
||||||
|
|
|
@ -104,4 +104,4 @@ why setting them via the file counterparts is highly encouraged.
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
See the [Docker Integration](../../integration/deployment/docker.md) and
|
See the [Docker Integration](../../integration/deployment/docker.md) and
|
||||||
[Kubernetes Integration](../../integration/kubernetes/introduction/index.md) guides for examples of secrets.
|
[Kubernetes Integration](../../integration/kubernetes/secrets.md) guides for examples of secrets.
|
||||||
|
|
|
@ -15,6 +15,12 @@ toc: true
|
||||||
1. The [configuration](../../configuration/prologue/introduction.md) can be defined statically by YAML.
|
1. The [configuration](../../configuration/prologue/introduction.md) can be defined statically by YAML.
|
||||||
2. Most areas of the configuration can be defined by [environment variables](../../configuration/methods/environment.md).
|
2. Most areas of the configuration can be defined by [environment variables](../../configuration/methods/environment.md).
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Ansible
|
## Ansible
|
||||||
|
|
||||||
*Authelia* could theoretically be easily deployed via [Ansible] however we do not have an [Ansible Role] at this time.
|
*Authelia* could theoretically be easily deployed via [Ansible] however we do not have an [Ansible Role] at this time.
|
||||||
|
|
|
@ -15,6 +15,12 @@ toc: true
|
||||||
There are several ways to achieve this, as *Authelia* runs as a daemon. We do not provide specific examples for running
|
There are several ways to achieve this, as *Authelia* runs as a daemon. We do not provide specific examples for running
|
||||||
*Authelia* as a service excluding the [systemd unit](#systemd) files.
|
*Authelia* as a service excluding the [systemd unit](#systemd) files.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## systemd
|
## systemd
|
||||||
|
|
||||||
We publish two example [systemd] unit files:
|
We publish two example [systemd] unit files:
|
||||||
|
|
|
@ -27,17 +27,33 @@ existing [Docker Compose].
|
||||||
* [Bundle: lite](#lite)
|
* [Bundle: lite](#lite)
|
||||||
* [Bundle: local](#local)
|
* [Bundle: local](#local)
|
||||||
|
|
||||||
|
### Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
### Standalone Example
|
### Standalone Example
|
||||||
|
|
||||||
The following is an example [Docker Compose] deployment with just *Authelia* and no bundled applications or proxies.
|
The following is an examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or
|
||||||
|
proxies.
|
||||||
|
|
||||||
It expects the following:
|
It expects the following:
|
||||||
|
|
||||||
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
|
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
|
||||||
* The files `data/authelia/secrets/*` exist and contain the relevant [secrets](../../configuration/methods/secrets.md).
|
* The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files:
|
||||||
|
* A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret)
|
||||||
|
* A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret)
|
||||||
|
* A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password)
|
||||||
|
* A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryption_key)
|
||||||
* You're using PostgreSQL.
|
* You're using PostgreSQL.
|
||||||
* You have an external network named `net` which is in bridge mode.
|
* You have an external network named `net` which is in bridge mode.
|
||||||
|
|
||||||
|
#### Using Secrets
|
||||||
|
|
||||||
|
Use this [Standalone Example](#standalone-example) if you want to use
|
||||||
|
[docker secrets](https://docs.docker.com/engine/swarm/secrets/).
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
version: "3.8"
|
version: "3.8"
|
||||||
secrets:
|
secrets:
|
||||||
|
@ -49,10 +65,6 @@ secrets:
|
||||||
file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
|
file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
|
||||||
STORAGE_ENCRYPTION_KEY:
|
STORAGE_ENCRYPTION_KEY:
|
||||||
file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
|
file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
|
||||||
OIDC_HMAC_KEY:
|
|
||||||
file: ${PWD}/data/authelia/secrets/OIDC_HMAC_KEY
|
|
||||||
OIDC_PRIVATE_KEY:
|
|
||||||
file: ${PWD}/data/authelia/secrets/OIDC_PRIVATE_KEY
|
|
||||||
services:
|
services:
|
||||||
authelia:
|
authelia:
|
||||||
container_name: authelia
|
container_name: authelia
|
||||||
|
@ -63,14 +75,12 @@ services:
|
||||||
aliases: []
|
aliases: []
|
||||||
expose:
|
expose:
|
||||||
- 9091
|
- 9091
|
||||||
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, OIDC_HMAC_KEY, OIDC_PRIVATE_KEY]
|
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
|
||||||
environment:
|
environment:
|
||||||
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
|
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
|
||||||
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
|
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
|
||||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
|
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
|
||||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
|
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/OIDC_HMAC_KEY
|
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/OIDC_PRIVATE_KEY
|
|
||||||
volumes:
|
volumes:
|
||||||
- ${PWD}/data/authelia/config:/config
|
- ${PWD}/data/authelia/config:/config
|
||||||
networks:
|
networks:
|
||||||
|
@ -79,19 +89,13 @@ networks:
|
||||||
name: net
|
name: net
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Running the Proxy on the Host Instead of in a Container
|
#### Using a Secrets Volume
|
||||||
|
|
||||||
If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this
|
Use this [Standalone Example](#standalone-example) if you want to use a standard
|
||||||
configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the
|
[docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets.
|
||||||
users asking how to accomplish this. It should be noted that we can't provide documentation or support for every
|
|
||||||
architectural choice our users make and you should expect to do your own research to figure this out where possible.
|
|
||||||
|
|
||||||
The example below includes the additional `ports` option which must be added in order to allow communication to
|
|
||||||
*Authelia* from daemons on the [Docker] host. The other values are used to show context within the
|
|
||||||
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
|
|
||||||
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
|
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
version: "3.8"
|
||||||
services:
|
services:
|
||||||
authelia:
|
authelia:
|
||||||
container_name: authelia
|
container_name: authelia
|
||||||
|
@ -102,8 +106,18 @@ services:
|
||||||
aliases: []
|
aliases: []
|
||||||
expose:
|
expose:
|
||||||
- 9091
|
- 9091
|
||||||
ports:
|
environment:
|
||||||
- "127.0.0.1:9091:9091"
|
AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET
|
||||||
|
AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
|
||||||
|
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
|
||||||
|
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
|
||||||
|
volumes:
|
||||||
|
- ${PWD}/data/authelia/config:/config
|
||||||
|
- ${PWD}/data/authelia/secrets:/secrets
|
||||||
|
networks:
|
||||||
|
net:
|
||||||
|
external: true
|
||||||
|
name: net
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bundles
|
### Bundles
|
||||||
|
@ -156,5 +170,34 @@ running the following command:
|
||||||
grep -Eo '"https://.*" ' ./authelia/notification.txt.
|
grep -Eo '"https://.*" ' ./authelia/notification.txt.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## FAQ
|
||||||
|
|
||||||
|
#### Running the Proxy on the Host Instead of in a Container
|
||||||
|
|
||||||
|
If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this
|
||||||
|
configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the
|
||||||
|
users asking how to accomplish this. It should be noted that we can't provide documentation or support for every
|
||||||
|
architectural choice our users make and you should expect to do your own research to figure this out where possible.
|
||||||
|
|
||||||
|
The example below includes the additional `ports` option which must be added in order to allow communication to
|
||||||
|
*Authelia* from daemons on the [Docker] host. The other values are used to show context within the
|
||||||
|
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
|
||||||
|
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
authelia:
|
||||||
|
container_name: authelia
|
||||||
|
image: docker.io/authelia/authelia:latest
|
||||||
|
restart: unless-stopped
|
||||||
|
networks:
|
||||||
|
net:
|
||||||
|
aliases: []
|
||||||
|
expose:
|
||||||
|
- 9091
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:9091:9091"
|
||||||
|
```
|
||||||
|
|
||||||
[Docker]: https://docker.com
|
[Docker]: https://docker.com
|
||||||
[Docker Compose]: https://docs.docker.com/compose/
|
[Docker Compose]: https://docs.docker.com/compose/
|
||||||
|
|
|
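Review bot: In the new "Using a Secrets Volume" example the secrets directory is bind-mounted read-write (`- ${PWD}/data/authelia/secrets:/secrets`), although the container only needs to read those files; I would mount it read-only as `- ${PWD}/data/authelia/secrets:/secrets:ro` and leave `/config` as it is. That Authelia never writes to the secrets path is inferred, not shown on this page, so confirm before applying. The reworded intro also reads "The following is an examples are [Docker Compose] deployments" and the bullet says "exists and contain"; `The following are example [Docker Compose] deployments` and `exists and contains` would fix both.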
@ -17,3 +17,9 @@ There are three main methods to deploy *Authelia*.
|
||||||
1. [Docker](docker.md)
|
1. [Docker](docker.md)
|
||||||
2. [Kubernetes](../kubernetes/introduction/index.md)
|
2. [Kubernetes](../kubernetes/introduction/index.md)
|
||||||
3. [Bare-Metal](bare-metal.md)
|
3. [Bare-Metal](bare-metal.md)
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
title: "Chart"
|
||||||
|
description: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes"
|
||||||
|
lead: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes."
|
||||||
|
date: 2022-05-15T13:52:27+10:00
|
||||||
|
draft: false
|
||||||
|
images: []
|
||||||
|
menu:
|
||||||
|
integration:
|
||||||
|
parent: "kubernetes"
|
||||||
|
weight: 520
|
||||||
|
toc: true
|
||||||
|
---
|
||||||
|
|
||||||
|
Authelia offers a [Helm Chart] which can make integration with [Kubernetes] much easier. It's currently considered beta
|
||||||
|
status, and as such is subject to breaking changes.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
|
## Repository
|
||||||
|
|
||||||
|
The [Helm Chart] repository for Authelia is `https://charts.authelia.com`. You can add it to your repository list with
|
||||||
|
the following [Helm] commands:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add authelia https://charts.authelia.com
|
||||||
|
helm repo update
|
||||||
|
```
|
||||||
|
|
||||||
|
## Website
|
||||||
|
|
||||||
|
The [https://charts.authelia.com/](https://charts.authelia.com/) URL also serves a website with basic chart information.
|
||||||
|
|
||||||
|
## Source
|
||||||
|
|
||||||
|
The source for the [Helm Chart] is hosted on [GitHub](https://github.com/authelia/chartrepo). Please feel free to
|
||||||
|
[contribute](../../contributing/prologue/introduction.md).
|
||||||
|
|
||||||
|
[Kubernetes]: https://kubernetes.io/
|
||||||
|
[Helm]: https://helm.sh/
|
||||||
|
[Helm Chart]: https://helm.sh/docs/topics/charts/
|
|
@ -21,12 +21,18 @@ aliases:
|
||||||
The following areas are actively being worked on for Kubernetes:
|
The following areas are actively being worked on for Kubernetes:
|
||||||
|
|
||||||
1. Detailed Documentation
|
1. Detailed Documentation
|
||||||
2. [Helm Chart](https://github.com/authelia/chartrepo) for Helm v3 see our [chart repository](https://charts.authelia.com)
|
2. [Helm Chart](../chart.md) for Helm v3
|
||||||
3. Kustomize Deployment
|
3. Kustomize Deployment
|
||||||
4. Manifest Examples
|
4. Manifest Examples
|
||||||
|
|
||||||
Users are welcome to reach out directly by using any of our various [contact options](../../information/contact.md).
|
Users are welcome to reach out directly by using any of our various [contact options](../../information/contact.md).
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Important Notes
|
## Important Notes
|
||||||
|
|
||||||
The following section has special notes regarding utilizing Authelia with Kubernetes.
|
The following section has special notes regarding utilizing Authelia with Kubernetes.
|
||||||
|
@ -57,6 +63,9 @@ spec:
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Secrets
|
||||||
|
|
||||||
|
|
||||||
## FAQ
|
## FAQ
|
||||||
|
|
||||||
### RAM usage
|
### RAM usage
|
||||||
|
|
|
@ -8,7 +8,7 @@ images: []
|
||||||
menu:
|
menu:
|
||||||
integration:
|
integration:
|
||||||
parent: "kubernetes"
|
parent: "kubernetes"
|
||||||
weight: 530
|
weight: 551
|
||||||
toc: true
|
toc: true
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -18,6 +18,12 @@ official one [nginx-ingress-controller]. Currently we only have support docs for
|
||||||
The [nginx documentation](../proxies/nginx.md) may also be useful for crafting advanced snippets to use with annotations
|
The [nginx documentation](../proxies/nginx.md) may also be useful for crafting advanced snippets to use with annotations
|
||||||
even though it's not specific to Kubernetes.
|
even though it's not specific to Kubernetes.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## NGINX Ingress Controller (ingress-nginx)
|
## NGINX Ingress Controller (ingress-nginx)
|
||||||
|
|
||||||
If you use NGINX Ingress Controller (ingress-nginx) you can protect an ingress with the following annotations. The
|
If you use NGINX Ingress Controller (ingress-nginx) you can protect an ingress with the following annotations. The
|
||||||
|
|
|
@ -0,0 +1,223 @@
|
||||||
|
---
|
||||||
|
title: "Secrets"
|
||||||
|
description: "A guide to using secrets when integrating Authelia with Kubernetes."
|
||||||
|
lead: "A guide to using secrets when integrating Authelia with Kubernetes."
|
||||||
|
date: 2022-05-15T13:52:27+10:00
|
||||||
|
draft: false
|
||||||
|
images: []
|
||||||
|
menu:
|
||||||
|
integration:
|
||||||
|
parent: "kubernetes"
|
||||||
|
weight: 530
|
||||||
|
toc: true
|
||||||
|
---
|
||||||
|
|
||||||
|
The following serve as examples of how to inject secrets into the Authelia container on [Kubernetes].
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
|
## Creation
|
||||||
|
|
||||||
|
The following section covers creating example secrets. See [Secret Usage](#usage) for usage details. These examples are
|
||||||
|
not intended to be used as is, you should only include secrets that you're actively using and some secrets may be
|
||||||
|
missing from these examples. You need to see the [secrets documentation](../../configuration/methods/secrets.md) and
|
||||||
|
appropriately adapt these examples to your use case.
|
||||||
|
|
||||||
|
### Helm Chart
|
||||||
|
|
||||||
|
The Helm [Chart](chart.md) automatically generates and injects secrets into an Authelia deployment.
|
||||||
|
|
||||||
|
### Manifest
|
||||||
|
|
||||||
|
The following manifest is an example which all of the other examples attempt to facilitate as closely as possible. You
|
||||||
|
can manually create a secret like this with `kubectl apply -f`.
|
||||||
|
|
||||||
|
##### String Data Example
|
||||||
|
|
||||||
|
##### secret.yaml
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
kind: Secret
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: authelia
|
||||||
|
stringData:
|
||||||
|
JWT_SECRET: >-
|
||||||
|
NwsVsXv4YCAF9suxWZmT7N6PSzmouCDHqVpzbS5niBKo49b7rTREmwFe6roKswf4
|
||||||
|
SESSION_SECRET: >-
|
||||||
|
DkezH5zcMQsvaU38YVu673i6JDH4VPiik9xPmYsTN3KPNkxSiiyZ8ASFTdcBcu8q
|
||||||
|
REDIS_PASSWORD: >-
|
||||||
|
VfhdNhgFG5mLU9s3cjQn9im6dkiWNu3FEUPJRi9bqGm3UV6xzGBZgvdCJhoy26d9
|
||||||
|
REDIS_SENTINEL_PASSWORD: >-
|
||||||
|
sSJMfX9A6Q6vTpD6rHXcLn2j5kN557RwuohAeyZuGqH9P9LGfuSMnzi9woYZuNqU
|
||||||
|
LDAP_PASSWORD: >-
|
||||||
|
zafcAShEBfgc48DihdRnnb6UJEGKqzg3FdeZXZ3rhrg6tu2oDoYSBA88w9NPvDhZ
|
||||||
|
STORAGE_PASSWORD: >-
|
||||||
|
NMHf9Z7C5UQYuKKgh9BJTKeccoZt6c647FQqsEHhkapkkndPkPw3d8bnvkqLgiZ5
|
||||||
|
STORAGE_ENCRYPTION_KEY: >-
|
||||||
|
rH87rjVMQBvzVgj8vVGSxhop2PPwddrJ7B6oSkGcmoganMf4wqANp9AJwaMHt8RA
|
||||||
|
SMTP_PASSWORD: >-
|
||||||
|
oi4Yag5HX8Bhc5JTr49nRkdPEr4JcPMfLAPvXxNpHtHqiHXfx3isdWXuTg7yCtjk
|
||||||
|
DUO_SECRET_KEY: >-
|
||||||
|
d4ypk2UQXxuo86s7vJ2rYWPa5KoxDfU9JQWgEqtANiBaJVQSG8PJbD9U24eiVuPC
|
||||||
|
OIDC_HMAC_SECRET: >-
|
||||||
|
eSopMjbiuCMhEbXGFsm5B8KWKszxV3CJWSLYrWnBJja4rFNvDxti388WyBjdrsHb
|
||||||
|
OIDC_ISSUER_PRIVATE_KEY:
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
|
||||||
|
lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
|
||||||
|
HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
|
||||||
|
Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
|
||||||
|
Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
|
||||||
|
YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
|
||||||
|
AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
|
||||||
|
i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
|
||||||
|
60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
|
||||||
|
7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
|
||||||
|
0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
|
||||||
|
ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
|
||||||
|
owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
|
||||||
|
AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
|
||||||
|
OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
|
||||||
|
7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
|
||||||
|
fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
|
||||||
|
pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
|
||||||
|
ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
|
||||||
|
Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
|
||||||
|
UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
|
||||||
|
D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
|
||||||
|
P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
|
||||||
|
vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
|
||||||
|
qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
...
|
||||||
|
```
|
||||||
|
##### Base64 Data Example
|
||||||
|
|
||||||
|
This is the same manifest as above but encoded in base64.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
kind: Secret
|
||||||
|
apiVersion: v1
|
||||||
|
type: Opaque
|
||||||
|
metadata:
|
||||||
|
name: authelia
|
||||||
|
data:
|
||||||
|
DUO_SECRET_KEY: ZDR5cGsyVVFYeHVvODZzN3ZKMnJZV1BhNUtveERmVTlKUVdnRXF0QU5pQmFKVlFTRzhQSmJEOVUyNGVpVnVQQw==
|
||||||
|
JWT_SECRET: TndzVnNYdjRZQ0FGOXN1eFdabVQ3TjZQU3ptb3VDREhxVnB6YlM1bmlCS280OWI3clRSRW13RmU2cm9Lc3dmNA==
|
||||||
|
LDAP_PASSWORD: emFmY0FTaEVCZmdjNDhEaWhkUm5uYjZVSkVHS3F6ZzNGZGVaWFozcmhyZzZ0dTJvRG9ZU0JBODh3OU5QdkRoWg==
|
||||||
|
OIDC_HMAC_SECRET: ZVNvcE1qYml1Q01oRWJYR0ZzbTVCOEtXS3N6eFYzQ0pXU0xZclduQkpqYTRyRk52RHh0aTM4OFd5QmpkcnNIYg==
|
||||||
|
OIDC_ISSUER_PRIVATE_KEY: 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
|
||||||
|
REDIS_PASSWORD: VmZoZE5oZ0ZHNW1MVTlzM2NqUW45aW02ZGtpV051M0ZFVVBKUmk5YnFHbTNVVjZ4ekdCWmd2ZENKaG95MjZkOQ==
|
||||||
|
REDIS_SENTINEL_PASSWORD: c1NKTWZYOUE2UTZ2VHBENnJIWGNMbjJqNWtONTU3Und1b2hBZXladUdxSDlQOUxHZnVTTW56aTl3b1ladU5xVQ==
|
||||||
|
SESSION_SECRET: RGtlekg1emNNUXN2YVUzOFlWdTY3M2k2SkRINFZQaWlrOXhQbVlzVE4zS1BOa3hTaWl5WjhBU0ZUZGNCY3U4cQ==
|
||||||
|
SMTP_PASSWORD: b2k0WWFnNUhYOEJoYzVKVHI0OW5Sa2RQRXI0SmNQTWZMQVB2WHhOcEh0SHFpSFhmeDNpc2RXWHVUZzd5Q3Rqaw==
|
||||||
|
STORAGE_ENCRYPTION_KEY: ckg4N3JqVk1RQnZ6VmdqOHZWR1N4aG9wMlBQd2Rkcko3QjZvU2tHY21vZ2FuTWY0d3FBTnA5QUp3YU1IdDhSQQ==
|
||||||
|
STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ==
|
||||||
|
```
|
||||||
|
### Kustomize
|
||||||
|
|
||||||
|
The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The
|
||||||
|
files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your
|
||||||
|
desired secret value.
|
||||||
|
|
||||||
|
##### kustomization.yaml
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
generatorOptions:
|
||||||
|
disableNameSuffixHash: true
|
||||||
|
labels:
|
||||||
|
type: generated
|
||||||
|
app: authelia
|
||||||
|
secretGenerator:
|
||||||
|
- name: authelia
|
||||||
|
files:
|
||||||
|
- DUO_SECRET_KEY
|
||||||
|
- JWT_SECRET
|
||||||
|
- LDAP_PASSWORD
|
||||||
|
- OIDC_HMAC_SECRET
|
||||||
|
- OIDC_ISSUER_PRIVATE_KEY
|
||||||
|
- REDIS_PASSWORD
|
||||||
|
- REDIS_SENTINEL_PASSWORD
|
||||||
|
- SESSION_SECRET
|
||||||
|
- SMTP_PASSWORD
|
||||||
|
- STORAGE_ENCRYPTION_KEY
|
||||||
|
- STORAGE_PASSWORD
|
||||||
|
```
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
The following section covers using the created example secrets. See [Creation](#creation) for creation
|
||||||
|
details.
|
||||||
|
|
||||||
|
The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment],
|
||||||
|
[StatefulSet], and [DaemonSet].
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: authelia
|
||||||
|
env:
|
||||||
|
- name: AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||||
|
value: /app/secrets/DUO_SECRET_KEY
|
||||||
|
- name: AUTHELIA_JWT_SECRET_FILE
|
||||||
|
value: /app/secrets/JWT_SECRET
|
||||||
|
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
||||||
|
value: /app/secrets/LDAP_PASSWORD
|
||||||
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
||||||
|
value: /app/secrets/OIDC_HMAC_SECRET
|
||||||
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
||||||
|
value: /app/secrets/OIDC_ISSUER_PRIVATE_KEY
|
||||||
|
- name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
||||||
|
value: /app/secrets/REDIS_PASSWORD
|
||||||
|
- name: AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
|
||||||
|
value: /app/secrets/REDIS_SENTINEL_PASSWORD
|
||||||
|
- name: AUTHELIA_SESSION_SECRET_FILE
|
||||||
|
value: /app/secrets/SESSION_SECRET
|
||||||
|
- name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||||
|
value: /app/secrets/SMTP_PASSWORD
|
||||||
|
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
||||||
|
value: /app/secrets/STORAGE_ENCRYPTION_KEY
|
||||||
|
- name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
|
||||||
|
value: /app/secrets/STORAGE_ENCRYPTION_KEY
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /app/secrets
|
||||||
|
name: secrets
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: secrets
|
||||||
|
secret:
|
||||||
|
secretName: authelia
|
||||||
|
items:
|
||||||
|
- key: DUO_SECRET_KEY
|
||||||
|
path: DUO_SECRET_KEY
|
||||||
|
- key: JWT_SECRET
|
||||||
|
path: JWT_SECRET
|
||||||
|
- key: OIDC_HMAC_SECRET
|
||||||
|
path: OIDC_HMAC_SECRET
|
||||||
|
- key: OIDC_ISSUER_PRIVATE_KEY
|
||||||
|
path: OIDC_ISSUER_PRIVATE_KEY
|
||||||
|
- key: REDIS_PASSWORD
|
||||||
|
path: REDIS_PASSWORD
|
||||||
|
- key: REDIS_SENTINEL_PASSWORD
|
||||||
|
path: REDIS_SENTINEL_PASSWORD
|
||||||
|
- key: SESSION_SECRET
|
||||||
|
path: SESSION_SECRET
|
||||||
|
- key: SMTP_PASSWORD
|
||||||
|
path: SMTP_PASSWORD
|
||||||
|
- key: STORAGE_ENCRYPTION_KEY
|
||||||
|
path: STORAGE_ENCRYPTION_KEY
|
||||||
|
- key: STORAGE_PASSWORD
|
||||||
|
path: STORAGE_PASSWORD
|
||||||
|
```
|
||||||
|
|
||||||
|
[Kubernetes]: https://kubernetes.io/
|
||||||
|
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/
|
||||||
|
[DaemonSet]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
|
||||||
|
[StatefulSet]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
|
||||||
|
[Deployment]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
|
|
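Review bot: In the Usage manifest, `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` is set to `/app/secrets/STORAGE_ENCRYPTION_KEY`, so anyone copying it would have Authelia present the storage encryption key to PostgreSQL as its password; it should read `value: /app/secrets/STORAGE_PASSWORD`. The `items` list under the secret volume also omits `LDAP_PASSWORD` although the env block points at `/app/secrets/LDAP_PASSWORD`, and with an explicit `items` list only the listed keys are mounted, so add `- key: LDAP_PASSWORD` with `path: LDAP_PASSWORD`. In the String Data example `OIDC_ISSUER_PRIVATE_KEY:` has no block scalar indicator, unlike the `>-` entries above it; a multi-line PEM needs `OIDC_ISSUER_PRIVATE_KEY: |` to keep its line breaks (indentation is lost in this rendering, so check the file itself). `AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE` also looks like it is missing the `SESSION_` prefix that `AUTHELIA_SESSION_REDIS_PASSWORD_FILE` carries, which is worth checking against the secrets documentation.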
@ -8,7 +8,7 @@ images: []
|
||||||
menu:
|
menu:
|
||||||
integration:
|
integration:
|
||||||
parent: "kubernetes"
|
parent: "kubernetes"
|
||||||
weight: 520
|
weight: 550
|
||||||
toc: true
|
toc: true
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -20,6 +20,12 @@ We officially support the Traefik 2.x Kubernetes ingress controllers. These come
|
||||||
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
|
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
|
||||||
this ingress even though it's not specific to Kubernetes.
|
this ingress even though it's not specific to Kubernetes.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Special Notes
|
## Special Notes
|
||||||
|
|
||||||
### Cross-Namespace Resources
|
### Cross-Namespace Resources
|
||||||
|
|
|
@ -26,6 +26,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
|
||||||
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
||||||
throughout this documentation and in the [See Also](#see-also) section.*
|
throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
You need the following to run __Authelia__ with [Caddy]:
|
You need the following to run __Authelia__ with [Caddy]:
|
||||||
|
|
|
@ -28,6 +28,12 @@ and thus if anyone has this working please let us know.
|
||||||
|
|
||||||
We will aim to perform documentation for this on our own but there is no current timeframe.
|
We will aim to perform documentation for this on our own but there is no current timeframe.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Trusted Proxies
|
## Trusted Proxies
|
||||||
|
|
||||||
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
||||||
|
|
|
@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
|
||||||
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
||||||
throughout this documentation and in the [See Also](#see-also) section.*
|
throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
You need the following to run __Authelia__ with [HAProxy]:
|
You need the following to run __Authelia__ with [HAProxy]:
|
||||||
|
|
|
@ -18,6 +18,12 @@ __Authelia__ works in collaboration with several reverse proxies. In this sectio
|
||||||
various tested proxies with examples of how you may configure them. We are eager for users to help us provide better
|
various tested proxies with examples of how you may configure them. We are eager for users to help us provide better
|
||||||
examples of already documented proxies, as well as provide us examples of undocumented proxies.
|
examples of already documented proxies, as well as provide us examples of undocumented proxies.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Support
|
## Support
|
||||||
|
|
||||||
See [support](support.md) for support information.
|
See [support](support.md) for support information.
|
||||||
|
|
|
@ -26,6 +26,12 @@ throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
While this proxy is supported we don't have any specific documentation for it at the present time. Please see the
|
While this proxy is supported we don't have any specific documentation for it at the present time. Please see the
|
||||||
[NGINX integration documentation](nginx.md) for hints on how to configure this.
|
[NGINX integration documentation](nginx.md) for hints on how to configure this.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
[NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
[NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
||||||
|
|
|
@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
|
||||||
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
||||||
throughout this documentation and in the [See Also](#see-also) section.*
|
throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
You need the following to run __Authelia__ with [NGINX]:
|
You need the following to run __Authelia__ with [NGINX]:
|
||||||
|
|
|
@ -28,6 +28,12 @@ and thus if anyone has this working please let us know.
|
||||||
|
|
||||||
We will aim to perform documentation for this on our own but there is no current timeframe.
|
We will aim to perform documentation for this on our own but there is no current timeframe.
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Trusted Proxies
|
## Trusted Proxies
|
||||||
|
|
||||||
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
||||||
|
|
|
@ -30,6 +30,12 @@ only need to enabled two includes.
|
||||||
*__Note:__ All paths in this guide are the locations inside the container. You will have to either edit the files within
|
*__Note:__ All paths in this guide are the locations inside the container. You will have to either edit the files within
|
||||||
the container or adapt the path to the path you have mounted the relevant container path to.*
|
the container or adapt the path to the path you have mounted the relevant container path to.*
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
[SWAG] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
[SWAG] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.
|
||||||
|
|
|
@ -31,6 +31,12 @@ You need the following to run __Authelia__ with [Traefik]:
|
||||||
* [Traefik] [v2.4.1](https://github.com/traefik/traefik/releases/tag/v2.4.1) or greater if you wish to use
|
* [Traefik] [v2.4.1](https://github.com/traefik/traefik/releases/tag/v2.4.1) or greater if you wish to use
|
||||||
[basic authentication](#basic-authentication)
|
[basic authentication](#basic-authentication)
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Trusted Proxies
|
## Trusted Proxies
|
||||||
|
|
||||||
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
||||||
|
|
|
@ -21,6 +21,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
|
||||||
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
|
||||||
throughout this documentation and in the [See Also](#see-also) section.*
|
throughout this documentation and in the [See Also](#see-also) section.*
|
||||||
|
|
||||||
|
## Get Started
|
||||||
|
|
||||||
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
||||||
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
||||||
|
bootstrapping *Authelia*.
|
||||||
|
|
||||||
## Trusted Proxies
|
## Trusted Proxies
|
||||||
|
|
||||||
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
|
||||||
|
|
|
@ -778,8 +778,33 @@ notifier:
|
||||||
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
||||||
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
||||||
# issuer_private_key: |
|
# issuer_private_key: |
|
||||||
# --- KEY START
|
# -----BEGIN RSA PRIVATE KEY-----
|
||||||
# --- KEY END
|
# MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
|
||||||
|
# lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
|
||||||
|
# HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
|
||||||
|
# Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
|
||||||
|
# Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
|
||||||
|
# YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
|
||||||
|
# AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
|
||||||
|
# i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
|
||||||
|
# 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
|
||||||
|
# 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
|
||||||
|
# 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
|
||||||
|
# ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
|
||||||
|
# owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
|
||||||
|
# AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
|
||||||
|
# OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
|
||||||
|
# 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
|
||||||
|
# fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
|
||||||
|
# pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
|
||||||
|
# ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
|
||||||
|
# Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
|
||||||
|
# UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
|
||||||
|
# D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
|
||||||
|
# P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
|
||||||
|
# vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
|
||||||
|
# qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
|
||||||
|
# -----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
## The lifespans configure the expiration for these token types.
|
## The lifespans configure the expiration for these token types.
|
||||||
# access_token_lifespan: 1h
|
# access_token_lifespan: 1h
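Review bot: The commented `issuer_private_key` example now has a complete-looking PEM body, but nothing next to it says the block is a placeholder, so a reader who uncomments it may take it for a usable key or try to repair it. The first body line contains `$`, which is not a base64 character, so the sample appears to be deliberately unparsable; that intent should be stated in the template rather than discovered at startup. I would add a comment directly above the BEGIN line, for example `## Example only: this key is not valid. Generate your own private key and never reuse a published one.`. A key printed in a public template is known to everyone, so a deployment signing OpenID Connect tokens with it would accept tokens minted by third parties. The PEM header in a tracked file will probably also trip secret scanners, which argues for steering readers to the secrets method linked two lines above.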
|
||||||
|
|