From e2e1d6d30b85c4e97c80f93f4024a33ea8b0e052 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Wed, 22 Jun 2022 22:58:23 +1000 Subject: [PATCH] docs: update integration guides to reference get started (#3573) --- config.template.yml | 29 ++- .../identity-providers/open-id-connect.md | 29 ++- .../en/configuration/methods/secrets.md | 2 +- .../en/integration/deployment/automation.md | 6 + .../en/integration/deployment/bare-metal.md | 6 + .../en/integration/deployment/docker.md | 85 +++++-- .../en/integration/deployment/introduction.md | 6 + .../en/integration/kubernetes/chart.md | 45 ++++ .../kubernetes/introduction/index.md | 11 +- .../integration/kubernetes/nginx-ingress.md | 8 +- .../en/integration/kubernetes/secrets.md | 223 ++++++++++++++++++ .../integration/kubernetes/traefik-ingress.md | 8 +- docs/content/en/integration/proxies/caddy.md | 6 + docs/content/en/integration/proxies/envoy.md | 6 + .../content/en/integration/proxies/haproxy.md | 6 + .../en/integration/proxies/introduction.md | 6 + .../proxies/nginx-proxy-manager.md | 6 + docs/content/en/integration/proxies/nginx.md | 6 + .../content/en/integration/proxies/skipper.md | 6 + docs/content/en/integration/proxies/swag.md | 6 + .../content/en/integration/proxies/traefik.md | 6 + .../en/integration/proxies/traefikv1.md | 6 + internal/configuration/config.template.yml | 29 ++- 23 files changed, 516 insertions(+), 31 deletions(-) create mode 100644 docs/content/en/integration/kubernetes/chart.md create mode 100644 docs/content/en/integration/kubernetes/secrets.md diff --git a/config.template.yml b/config.template.yml index 167947c2..9f9c28a0 100644 --- a/config.template.yml +++ b/config.template.yml @@ -778,8 +778,33 @@ notifier: ## The issuer_private_key is used to sign the JWT forged by OpenID Connect. ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets # issuer_private_key: | - # --- KEY START - # --- KEY END + # -----BEGIN RSA PRIVATE KEY----- + # MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI + # lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1 + # HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8 + # Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF + # Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain + # YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/ + # AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh + # i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+ + # 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij + # 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc + # 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/ + # ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637 + # owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h + # AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL + # OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m + # 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC + # fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2 + # pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr + # ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh + # Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf + # UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD + # D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY + # P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK + # vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg + # qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw= + # -----END RSA PRIVATE KEY----- ## The lifespans configure the expiration for these token types. # access_token_lifespan: 1h diff --git a/docs/content/en/configuration/identity-providers/open-id-connect.md b/docs/content/en/configuration/identity-providers/open-id-connect.md index f5c33d97..aa4a99ae 100644 --- a/docs/content/en/configuration/identity-providers/open-id-connect.md +++ b/docs/content/en/configuration/identity-providers/open-id-connect.md @@ -34,8 +34,33 @@ identity_providers: oidc: hmac_secret: this_is_a_secret_abc123abc123abc issuer_private_key: | - --- KEY START - --- KEY END + -----BEGIN RSA PRIVATE KEY----- + MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI + lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1 + HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8 + Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF + Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain + YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/ + AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh + i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+ + 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij + 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc + 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/ + ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637 + owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h + AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL + OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m + 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC + fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2 + pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr + ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh + Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf + UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD + D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY + P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK + vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg + qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw= + -----END RSA PRIVATE KEY----- access_token_lifespan: 1h authorize_code_lifespan: 1m id_token_lifespan: 1h diff --git a/docs/content/en/configuration/methods/secrets.md b/docs/content/en/configuration/methods/secrets.md index 61b85689..dffe2366 100644 --- a/docs/content/en/configuration/methods/secrets.md +++ b/docs/content/en/configuration/methods/secrets.md @@ -104,4 +104,4 @@ why setting them via the file counterparts is highly encouraged. ## Examples See the [Docker Integration](../../integration/deployment/docker.md) and -[Kubernetes Integration](../../integration/kubernetes/introduction/index.md) guides for examples of secrets. +[Kubernetes Integration](../../integration/kubernetes/secrets.md) guides for examples of secrets. diff --git a/docs/content/en/integration/deployment/automation.md b/docs/content/en/integration/deployment/automation.md index b71312b8..5f91cee7 100644 --- a/docs/content/en/integration/deployment/automation.md +++ b/docs/content/en/integration/deployment/automation.md @@ -15,6 +15,12 @@ toc: true 1. The [configuration](../../configuration/prologue/introduction.md) can be defined statically by YAML. 2. Most areas of the configuration can be defined by [environment variables](../../configuration/methods/environment.md). +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Ansible *Authelia* could theoretically be easily deployed via [Ansible] however we do not have an [Ansible Role] at this time. diff --git a/docs/content/en/integration/deployment/bare-metal.md b/docs/content/en/integration/deployment/bare-metal.md index ea41f871..1dc63ac5 100644 --- a/docs/content/en/integration/deployment/bare-metal.md +++ b/docs/content/en/integration/deployment/bare-metal.md @@ -15,6 +15,12 @@ toc: true There are several ways to achieve this, as *Authelia* runs as a daemon. We do not provide specific examples for running *Authelia* as a service excluding the [systemd unit](#systemd) files. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## systemd We publish two example [systemd] unit files: diff --git a/docs/content/en/integration/deployment/docker.md b/docs/content/en/integration/deployment/docker.md index e0e263ed..3a9b48b4 100644 --- a/docs/content/en/integration/deployment/docker.md +++ b/docs/content/en/integration/deployment/docker.md @@ -27,17 +27,33 @@ existing [Docker Compose]. * [Bundle: lite](#lite) * [Bundle: local](#local) +### Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ### Standalone Example -The following is an example [Docker Compose] deployment with just *Authelia* and no bundled applications or proxies. +The following is an examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or +proxies. It expects the following: * The file `data/authelia/config/configuration.yml` is present and the configuration file. -* The files `data/authelia/secrets/*` exist and contain the relevant [secrets](../../configuration/methods/secrets.md). +* The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files: + * A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret) + * A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret) + * A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password) + * A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryption_key) * You're using PostgreSQL. * You have an external network named `net` which is in bridge mode. +#### Using Secrets + +Use this [Standalone Example](#standalone-example) if you want to use +[docker secrets](https://docs.docker.com/engine/swarm/secrets/). + ```yaml version: "3.8" secrets: @@ -49,10 +65,6 @@ secrets: file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY: file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY - OIDC_HMAC_KEY: - file: ${PWD}/data/authelia/secrets/OIDC_HMAC_KEY - OIDC_PRIVATE_KEY: - file: ${PWD}/data/authelia/secrets/OIDC_PRIVATE_KEY services: authelia: container_name: authelia @@ -63,14 +75,12 @@ services: aliases: [] expose: - 9091 - secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, OIDC_HMAC_KEY, OIDC_PRIVATE_KEY] + secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY] environment: AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/OIDC_HMAC_KEY - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/OIDC_PRIVATE_KEY volumes: - ${PWD}/data/authelia/config:/config networks: @@ -79,19 +89,13 @@ networks: name: net ``` -#### Running the Proxy on the Host Instead of in a Container +#### Using a Secrets Volume -If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this -configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the -users asking how to accomplish this. It should be noted that we can't provide documentation or support for every -architectural choice our users make and you should expect to do your own research to figure this out where possible. - -The example below includes the additional `ports` option which must be added in order to allow communication to -*Authelia* from daemons on the [Docker] host. The other values are used to show context within the -[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the -localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs. +Use this [Standalone Example](#standalone-example) if you want to use a standard +[docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets. ```yaml +version: "3.8" services: authelia: container_name: authelia @@ -102,8 +106,18 @@ services: aliases: [] expose: - 9091 - ports: - - "127.0.0.1:9091:9091" + environment: + AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET + AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET + AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD + AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY + volumes: + - ${PWD}/data/authelia/config:/config + - ${PWD}/data/authelia/secrets:/secrets +networks: + net: + external: true + name: net ``` ### Bundles @@ -156,5 +170,34 @@ running the following command: grep -Eo '"https://.*" ' ./authelia/notification.txt. ``` +## FAQ + +#### Running the Proxy on the Host Instead of in a Container + +If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this +configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the +users asking how to accomplish this. It should be noted that we can't provide documentation or support for every +architectural choice our users make and you should expect to do your own research to figure this out where possible. + +The example below includes the additional `ports` option which must be added in order to allow communication to +*Authelia* from daemons on the [Docker] host. The other values are used to show context within the +[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the +localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs. + +```yaml +services: + authelia: + container_name: authelia + image: docker.io/authelia/authelia:latest + restart: unless-stopped + networks: + net: + aliases: [] + expose: + - 9091 + ports: + - "127.0.0.1:9091:9091" +``` + [Docker]: https://docker.com [Docker Compose]: https://docs.docker.com/compose/ diff --git a/docs/content/en/integration/deployment/introduction.md b/docs/content/en/integration/deployment/introduction.md index ba70f291..f463f550 100644 --- a/docs/content/en/integration/deployment/introduction.md +++ b/docs/content/en/integration/deployment/introduction.md @@ -17,3 +17,9 @@ There are three main methods to deploy *Authelia*. 1. [Docker](docker.md) 2. [Kubernetes](../kubernetes/introduction/index.md) 3. [Bare-Metal](bare-metal.md) + +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. diff --git a/docs/content/en/integration/kubernetes/chart.md b/docs/content/en/integration/kubernetes/chart.md new file mode 100644 index 00000000..2b7f30ae --- /dev/null +++ b/docs/content/en/integration/kubernetes/chart.md @@ -0,0 +1,45 @@ +--- +title: "Chart" +description: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes" +lead: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes." +date: 2022-05-15T13:52:27+10:00 +draft: false +images: [] +menu: + integration: + parent: "kubernetes" +weight: 520 +toc: true +--- + +Authelia offers a [Helm Chart] which can make integration with [Kubernetes] much easier. It's currently considered beta +status, and as such is subject to breaking changes. + +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + +## Repository + +The [Helm Chart] repository for Authelia is `https://charts.authelia.com`. You can add it to your repository list with +the following [Helm] commands: + +```bash +helm repo add authelia https://charts.authelia.com +helm repo update +``` + +## Website + +The [https://charts.authelia.com/](https://charts.authelia.com/) URL also serves a website with basic chart information. + +## Source + +The source for the [Helm Chart] is hosted on [GitHub](https://github.com/authelia/chartrepo). Please feel free to +[contribute](../../contributing/prologue/introduction.md). + +[Kubernetes]: https://kubernetes.io/ +[Helm]: https://helm.sh/ +[Helm Chart]: https://helm.sh/docs/topics/charts/ diff --git a/docs/content/en/integration/kubernetes/introduction/index.md b/docs/content/en/integration/kubernetes/introduction/index.md index 9b70d4d6..6af7af97 100644 --- a/docs/content/en/integration/kubernetes/introduction/index.md +++ b/docs/content/en/integration/kubernetes/introduction/index.md @@ -21,12 +21,18 @@ aliases: The following areas are actively being worked on for Kubernetes: 1. Detailed Documentation -2. [Helm Chart](https://github.com/authelia/chartrepo) for Helm v3 see our [chart repository](https://charts.authelia.com) +2. [Helm Chart](../chart.md) for Helm v3 3. Kustomize Deployment 4. Manifest Examples Users are welcome to reach out directly by using any of our various [contact options](../../information/contact.md). +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Important Notes The following section has special notes regarding utilizing Authelia with Kubernetes. @@ -57,6 +63,9 @@ spec: ... ``` +## Secrets + + ## FAQ ### RAM usage diff --git a/docs/content/en/integration/kubernetes/nginx-ingress.md b/docs/content/en/integration/kubernetes/nginx-ingress.md index b8b94935..edc64eb9 100644 --- a/docs/content/en/integration/kubernetes/nginx-ingress.md +++ b/docs/content/en/integration/kubernetes/nginx-ingress.md @@ -8,7 +8,7 @@ images: [] menu: integration: parent: "kubernetes" -weight: 530 +weight: 551 toc: true --- @@ -18,6 +18,12 @@ official one [nginx-ingress-controller]. Currently we only have support docs for The [nginx documentation](../proxies/nginx.md) may also be useful for crafting advanced snippets to use with annotations even though it's not specific to Kubernetes. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## NGINX Ingress Controller (ingress-nginx) If you use NGINX Ingress Controller (ingress-nginx) you can protect an ingress with the following annotations. The diff --git a/docs/content/en/integration/kubernetes/secrets.md b/docs/content/en/integration/kubernetes/secrets.md new file mode 100644 index 00000000..8e45bae4 --- /dev/null +++ b/docs/content/en/integration/kubernetes/secrets.md @@ -0,0 +1,223 @@ +--- +title: "Secrets" +description: "A guide to using secrets when integrating Authelia with Kubernetes." +lead: "A guide to using secrets when integrating Authelia with Kubernetes." +date: 2022-05-15T13:52:27+10:00 +draft: false +images: [] +menu: + integration: + parent: "kubernetes" +weight: 530 +toc: true +--- + +The following serve as examples of how to inject secrets into the Authelia container on [Kubernetes]. + +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + +## Creation + +The following section covers creating example secrets. See [Secret Usage](#usage) for usage details. These examples are +not intended to be used as is, you should only include secrets that you're actively using and some secrets may be +missing from these examples. You need to see the [secrets documentation](../../configuration/methods/secrets.md) and +appropriately adapt these examples to your use case. + +### Helm Chart + +The Helm [Chart](chart.md) automatically generates and injects secrets into an Authelia deployment. + +### Manifest + +The following manifest is an example which all of the other examples attempt to facilitate as closely as possible. You +can manually create a secret like this with `kubectl apply -f`. + +##### String Data Example + +##### secret.yaml + +```yaml +--- +kind: Secret +apiVersion: v1 +metadata: + name: authelia +stringData: + JWT_SECRET: >- + NwsVsXv4YCAF9suxWZmT7N6PSzmouCDHqVpzbS5niBKo49b7rTREmwFe6roKswf4 + SESSION_SECRET: >- + DkezH5zcMQsvaU38YVu673i6JDH4VPiik9xPmYsTN3KPNkxSiiyZ8ASFTdcBcu8q + REDIS_PASSWORD: >- + VfhdNhgFG5mLU9s3cjQn9im6dkiWNu3FEUPJRi9bqGm3UV6xzGBZgvdCJhoy26d9 + REDIS_SENTINEL_PASSWORD: >- + sSJMfX9A6Q6vTpD6rHXcLn2j5kN557RwuohAeyZuGqH9P9LGfuSMnzi9woYZuNqU + LDAP_PASSWORD: >- + zafcAShEBfgc48DihdRnnb6UJEGKqzg3FdeZXZ3rhrg6tu2oDoYSBA88w9NPvDhZ + STORAGE_PASSWORD: >- + NMHf9Z7C5UQYuKKgh9BJTKeccoZt6c647FQqsEHhkapkkndPkPw3d8bnvkqLgiZ5 + STORAGE_ENCRYPTION_KEY: >- + rH87rjVMQBvzVgj8vVGSxhop2PPwddrJ7B6oSkGcmoganMf4wqANp9AJwaMHt8RA + SMTP_PASSWORD: >- + oi4Yag5HX8Bhc5JTr49nRkdPEr4JcPMfLAPvXxNpHtHqiHXfx3isdWXuTg7yCtjk + DUO_SECRET_KEY: >- + d4ypk2UQXxuo86s7vJ2rYWPa5KoxDfU9JQWgEqtANiBaJVQSG8PJbD9U24eiVuPC + OIDC_HMAC_SECRET: >- + eSopMjbiuCMhEbXGFsm5B8KWKszxV3CJWSLYrWnBJja4rFNvDxti388WyBjdrsHb + OIDC_ISSUER_PRIVATE_KEY: + -----BEGIN RSA PRIVATE KEY----- + MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI + lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1 + HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8 + Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF + Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain + YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/ + AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh + i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+ + 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij + 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc + 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/ + ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637 + owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h + AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL + OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m + 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC + fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2 + pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr + ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh + Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf + UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD + D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY + P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK + vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg + qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw= + -----END RSA PRIVATE KEY----- +... +``` +##### Base64 Data Example + +This is the same manifest as above but encoded in base64. + +```yaml +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: authelia +data: + DUO_SECRET_KEY: ZDR5cGsyVVFYeHVvODZzN3ZKMnJZV1BhNUtveERmVTlKUVdnRXF0QU5pQmFKVlFTRzhQSmJEOVUyNGVpVnVQQw== + JWT_SECRET: TndzVnNYdjRZQ0FGOXN1eFdabVQ3TjZQU3ptb3VDREhxVnB6YlM1bmlCS280OWI3clRSRW13RmU2cm9Lc3dmNA== + LDAP_PASSWORD: emFmY0FTaEVCZmdjNDhEaWhkUm5uYjZVSkVHS3F6ZzNGZGVaWFozcmhyZzZ0dTJvRG9ZU0JBODh3OU5QdkRoWg== + OIDC_HMAC_SECRET: ZVNvcE1qYml1Q01oRWJYR0ZzbTVCOEtXS3N6eFYzQ0pXU0xZclduQkpqYTRyRk52RHh0aTM4OFd5QmpkcnNIYg== + OIDC_ISSUER_PRIVATE_KEY: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLSBNWElFb2dJQiRBS0NBUUVBeFpWSlAzV0YvL1BHMmZMUW9FQzlEdGRpRkcvKzAwdnFsYlZ6ejQ3bnl4S09OSVBJIGxtTDNVZG1xcEdUS01lLzVCcnFzZTRaQUtsUUhpRGJ3eks5eXBuZmlndEh1dmgvSk8wUzdDaFA3MFJDNjdlZDEgSFYxbnlmejVlVzNsbGJ0R0pQcmxZTHFJVE5nY3RIcDZ6bVJVRnRTelBqOXFGdm96STkzTEppNDkyeUwxK3Z1OCBVbjNEbTgrUXE2WE0ydFBkRWNsZEIvZHRCd09Xb0YrOGVPT1ZzdTBURHVCNWJ3bGhCVkdKdVNBdXpCUFJTMmJGIEdhNHVrMEpEZGtET01DRVF4QzV1V0RGeGdmRVJTTUZ5ZkxWV0Q0N3dvRGJ1V0VCcTEwYzB6K2RwV1BNcDdBaW4gWW5ua3FpY3dDTjg4WjB6aWQ2TW1NUTY1RjQrOUhjK3FDL3A2eHdJREFRQUJBb0lCQUdsaGFBSEtvcitTdTNvLyBBWHFYVEw1L3JiWU16YkxRaUx0MFhlSlQ2OWpwZXFNVHJvWlhIbVd2WEUzMTI4bXFuZjB5encvSzJLbzZ5eEdoIGkrai9vbnlhOEZxcHNWWUNDZ2ZzYm4yL2pzMUF5UkplSXA2WTFPUnNZbnFiWEpueG1rWGE4MEFWL09CUFcyLysgNjBUdFNkUXJlYlkzaUZQYytpMmsrOWJQVHZweXlETEtsejhVd2RaRytrNXV5WU5JeVFUY2N6K1Bqd3NJdkRpaiA3dEtZYW1oaExOM1FYdDMvYVpURnBqVGdlelA0V3lyaVp4aldyZGRIb3djNDdxMnJ3TlM5NU5EMzlKY3lzSkFjIDBQY2J1OEE1bFZhN0Z4MzN1T3R6RGZLV0lXN3hWRU4rT3RQZ04rRmJUalhjWGs1SVplZGwrcFc1bFU1UCsrRy8gWlB2eitXRUNnWUVBOWc2SHdkT0RXM2U2OGJPcXNGb0tnMzUrdmZVRk16bHlNRjhIRnlsTlZmbkxwVEVEcjYzNyBvd3pNRnZjVXhWZDcxYitnVjVubm5iSStyaVVGSWd5Ujh2aENqaHk0bW9vcERQYWhDNC9Ld040Tkc2dXoraTFoIEFCNkQ1K3puMkJqbk8vNXhNTUZHbEFwV3RSTm1KVkdZbE5EajNiWEtoMlZYenp5MDNWTmVEOGtDZ1lFQXpaRkwgT2x6b1JCMUhLcFRXSUVDY3V2eG9mTXhMT0xiM3pzMGsydC9GWU5ZSXBvdm1HV0NDQVVMejEzeTUzZTUrLys1bSA3STlWVVpKRmFJaGFaMzZxVkJBcENLZHJ1NjlwWk1rV0NjUU85akVMRmN4NTFFejdPZ0pXenU3R1MxUUpDUEtDIGZFRHhJMHJaSzIxajkzL1NsL25VbkVpcjdDWXBRK3d2Q2FHdUhnOENnWUFYZ2JuY2ZZMStEb2t3a0I2TmJIeTIgcFQ0TWZiejZjTkdFNTM4dzZrUTJJNEFlRHZtd0xlbnRZTXFhb3c0NzhDaW5lZ0FpZmxTUFR6a0h3QWVtZ2hiciBaR1pQVjFVWGhuMTNmSlJVRzIrZVQxaG5QVmNiWG54MjIzTjBrOEJ1ZDZxWG82NUNueVJUL2t6Y1RiY2pkNUVoIEhuZTJkYWljbU1UenluUG85UTcyYVFLQmdCbW9iTzlYOFZXdklkYmF4Tzg1b1ZabGN0VkEycEsxbzdDWVFtVmYgVU0rSlo0TUNLekkzcllKaXpQUzBpSzUrdWpOUG1tRWtjczIvcUJJb0VzQ2dPcnBMV2hQT2NjLzNVUHhYYlB6RCBEK3NDckJPSWRoeGRqMjNxSk5PblVmRE5DR09wZ1VmcEF6QVlnNHE4R0tJbnZpMWg3WHVrUm5FdlFpOU1KNExZIFAxZFpBb0dBU0djR25UTWttZVNYUDh1eCtkdlFKQWlKc2tuL3NKSWdCWjV1cTVHUkNlTEJVb3NSU1Z4TTc1VUsgdkFoL2MvUkJqK3BZWFZLdVB1SEdaQ1FKeHNkY1JYelhOR291VXRnYmFZTUw1TWUvSGFndDIwUXpEUkJmdUdCZyBxZVpCSmFYaGpFbHZ3NlBVV3RnNHgrTFlSQ0JwcS9iUzNMSzNvelpyU1R1a1ZrS0RlZ3c9IC0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t + REDIS_PASSWORD: VmZoZE5oZ0ZHNW1MVTlzM2NqUW45aW02ZGtpV051M0ZFVVBKUmk5YnFHbTNVVjZ4ekdCWmd2ZENKaG95MjZkOQ== + REDIS_SENTINEL_PASSWORD: c1NKTWZYOUE2UTZ2VHBENnJIWGNMbjJqNWtONTU3Und1b2hBZXladUdxSDlQOUxHZnVTTW56aTl3b1ladU5xVQ== + SESSION_SECRET: RGtlekg1emNNUXN2YVUzOFlWdTY3M2k2SkRINFZQaWlrOXhQbVlzVE4zS1BOa3hTaWl5WjhBU0ZUZGNCY3U4cQ== + SMTP_PASSWORD: b2k0WWFnNUhYOEJoYzVKVHI0OW5Sa2RQRXI0SmNQTWZMQVB2WHhOcEh0SHFpSFhmeDNpc2RXWHVUZzd5Q3Rqaw== + STORAGE_ENCRYPTION_KEY: ckg4N3JqVk1RQnZ6VmdqOHZWR1N4aG9wMlBQd2Rkcko3QjZvU2tHY21vZ2FuTWY0d3FBTnA5QUp3YU1IdDhSQQ== + STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ== +``` +### Kustomize + +The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The +files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your +desired secret value. + +##### kustomization.yaml + +```yaml +generatorOptions: + disableNameSuffixHash: true + labels: + type: generated + app: authelia +secretGenerator: + - name: authelia + files: + - DUO_SECRET_KEY + - JWT_SECRET + - LDAP_PASSWORD + - OIDC_HMAC_SECRET + - OIDC_ISSUER_PRIVATE_KEY + - REDIS_PASSWORD + - REDIS_SENTINEL_PASSWORD + - SESSION_SECRET + - SMTP_PASSWORD + - STORAGE_ENCRYPTION_KEY + - STORAGE_PASSWORD +``` + +## Usage + +The following section covers using the created example secrets. See [Creation](#creation) for creation +details. + +The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment], +[StatefulSet], and [DaemonSet]. + +```yaml +spec: + containers: + - name: authelia + env: + - name: AUTHELIA_DUO_API_SECRET_KEY_FILE + value: /app/secrets/DUO_SECRET_KEY + - name: AUTHELIA_JWT_SECRET_FILE + value: /app/secrets/JWT_SECRET + - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE + value: /app/secrets/LDAP_PASSWORD + - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE + value: /app/secrets/OIDC_HMAC_SECRET + - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE + value: /app/secrets/OIDC_ISSUER_PRIVATE_KEY + - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE + value: /app/secrets/REDIS_PASSWORD + - name: AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE + value: /app/secrets/REDIS_SENTINEL_PASSWORD + - name: AUTHELIA_SESSION_SECRET_FILE + value: /app/secrets/SESSION_SECRET + - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE + value: /app/secrets/SMTP_PASSWORD + - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE + value: /app/secrets/STORAGE_ENCRYPTION_KEY + - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE + value: /app/secrets/STORAGE_ENCRYPTION_KEY + volumeMounts: + - mountPath: /app/secrets + name: secrets + readOnly: true + volumes: + - name: secrets + secret: + secretName: authelia + items: + - key: DUO_SECRET_KEY + path: DUO_SECRET_KEY + - key: JWT_SECRET + path: JWT_SECRET + - key: OIDC_HMAC_SECRET + path: OIDC_HMAC_SECRET + - key: OIDC_ISSUER_PRIVATE_KEY + path: OIDC_ISSUER_PRIVATE_KEY + - key: REDIS_PASSWORD + path: REDIS_PASSWORD + - key: REDIS_SENTINEL_PASSWORD + path: REDIS_SENTINEL_PASSWORD + - key: SESSION_SECRET + path: SESSION_SECRET + - key: SMTP_PASSWORD + path: SMTP_PASSWORD + - key: STORAGE_ENCRYPTION_KEY + path: STORAGE_ENCRYPTION_KEY + - key: STORAGE_PASSWORD + path: STORAGE_PASSWORD +``` + +[Kubernetes]: https://kubernetes.io/ +[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/ +[DaemonSet]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ +[StatefulSet]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ +[Deployment]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ diff --git a/docs/content/en/integration/kubernetes/traefik-ingress.md b/docs/content/en/integration/kubernetes/traefik-ingress.md index 25b3cda9..2f450256 100644 --- a/docs/content/en/integration/kubernetes/traefik-ingress.md +++ b/docs/content/en/integration/kubernetes/traefik-ingress.md @@ -8,7 +8,7 @@ images: [] menu: integration: parent: "kubernetes" -weight: 520 +weight: 550 toc: true --- @@ -20,6 +20,12 @@ We officially support the Traefik 2.x Kubernetes ingress controllers. These come The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with this ingress even though it's not specific to Kubernetes. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Special Notes ### Cross-Namespace Resources diff --git a/docs/content/en/integration/proxies/caddy.md b/docs/content/en/integration/proxies/caddy.md index 237d13f6..9a6f151c 100644 --- a/docs/content/en/integration/proxies/caddy.md +++ b/docs/content/en/integration/proxies/caddy.md @@ -26,6 +26,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne configuration and customize it to your needs. To-that-end we include links to the official proxy documentation throughout this documentation and in the [See Also](#see-also) section.* +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Requirements You need the following to run __Authelia__ with [Caddy]: diff --git a/docs/content/en/integration/proxies/envoy.md b/docs/content/en/integration/proxies/envoy.md index 41eb9981..1563706e 100644 --- a/docs/content/en/integration/proxies/envoy.md +++ b/docs/content/en/integration/proxies/envoy.md @@ -28,6 +28,12 @@ and thus if anyone has this working please let us know. We will aim to perform documentation for this on our own but there is no current timeframe. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Trusted Proxies *__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration. diff --git a/docs/content/en/integration/proxies/haproxy.md b/docs/content/en/integration/proxies/haproxy.md index bc1517ea..49e320fe 100644 --- a/docs/content/en/integration/proxies/haproxy.md +++ b/docs/content/en/integration/proxies/haproxy.md @@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne configuration and customize it to your needs. To-that-end we include links to the official proxy documentation throughout this documentation and in the [See Also](#see-also) section.* +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Requirements You need the following to run __Authelia__ with [HAProxy]: diff --git a/docs/content/en/integration/proxies/introduction.md b/docs/content/en/integration/proxies/introduction.md index 18b05fa3..2c76533f 100644 --- a/docs/content/en/integration/proxies/introduction.md +++ b/docs/content/en/integration/proxies/introduction.md @@ -18,6 +18,12 @@ __Authelia__ works in collaboration with several reverse proxies. In this sectio various tested proxies with examples of how you may configure them. We are eager for users to help us provide better examples of already documented proxies, as well as provide us examples of undocumented proxies. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Support See [support](support.md) for support information. diff --git a/docs/content/en/integration/proxies/nginx-proxy-manager.md b/docs/content/en/integration/proxies/nginx-proxy-manager.md index 97fa389c..aff28fba 100644 --- a/docs/content/en/integration/proxies/nginx-proxy-manager.md +++ b/docs/content/en/integration/proxies/nginx-proxy-manager.md @@ -26,6 +26,12 @@ throughout this documentation and in the [See Also](#see-also) section.* While this proxy is supported we don't have any specific documentation for it at the present time. Please see the [NGINX integration documentation](nginx.md) for hints on how to configure this. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Requirements [NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box. diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index 3251ea11..9b87362f 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md @@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne configuration and customize it to your needs. To-that-end we include links to the official proxy documentation throughout this documentation and in the [See Also](#see-also) section.* +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Requirements You need the following to run __Authelia__ with [NGINX]: diff --git a/docs/content/en/integration/proxies/skipper.md b/docs/content/en/integration/proxies/skipper.md index 0f2edf21..119cf493 100644 --- a/docs/content/en/integration/proxies/skipper.md +++ b/docs/content/en/integration/proxies/skipper.md @@ -28,6 +28,12 @@ and thus if anyone has this working please let us know. We will aim to perform documentation for this on our own but there is no current timeframe. +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Trusted Proxies *__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration. diff --git a/docs/content/en/integration/proxies/swag.md b/docs/content/en/integration/proxies/swag.md index fe0de20b..049cac2b 100644 --- a/docs/content/en/integration/proxies/swag.md +++ b/docs/content/en/integration/proxies/swag.md @@ -30,6 +30,12 @@ only need to enabled two includes. *__Note:__ All paths in this guide are the locations inside the container. You will have to either edit the files within the container or adapt the path to the path you have mounted the relevant container path to.* +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Requirements [SWAG] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box. diff --git a/docs/content/en/integration/proxies/traefik.md b/docs/content/en/integration/proxies/traefik.md index b8b6e87d..5b09ab43 100644 --- a/docs/content/en/integration/proxies/traefik.md +++ b/docs/content/en/integration/proxies/traefik.md @@ -31,6 +31,12 @@ You need the following to run __Authelia__ with [Traefik]: * [Traefik] [v2.4.1](https://github.com/traefik/traefik/releases/tag/v2.4.1) or greater if you wish to use [basic authentication](#basic-authentication) +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Trusted Proxies *__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration. diff --git a/docs/content/en/integration/proxies/traefikv1.md b/docs/content/en/integration/proxies/traefikv1.md index bfe0b82f..65f2bf0e 100644 --- a/docs/content/en/integration/proxies/traefikv1.md +++ b/docs/content/en/integration/proxies/traefikv1.md @@ -21,6 +21,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne configuration and customize it to your needs. To-that-end we include links to the official proxy documentation throughout this documentation and in the [See Also](#see-also) section.* +## Get Started + +It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our +[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to +bootstrapping *Authelia*. + ## Trusted Proxies *__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration. diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml index 167947c2..9f9c28a0 100644 --- a/internal/configuration/config.template.yml +++ b/internal/configuration/config.template.yml @@ -778,8 +778,33 @@ notifier: ## The issuer_private_key is used to sign the JWT forged by OpenID Connect. ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets # issuer_private_key: | - # --- KEY START - # --- KEY END + # -----BEGIN RSA PRIVATE KEY----- + # MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI + # lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1 + # HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8 + # Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF + # Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain + # YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/ + # AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh + # i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+ + # 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij + # 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc + # 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/ + # ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637 + # owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h + # AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL + # OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m + # 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC + # fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2 + # pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr + # ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh + # Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf + # UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD + # D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY + # P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK + # vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg + # qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw= + # -----END RSA PRIVATE KEY----- ## The lifespans configure the expiration for these token types. # access_token_lifespan: 1h