docs: update integration guides to reference get started (#3573)

James Elliott 2022-06-22 22:58:23 +10:00 committed by GitHub
parent 1dbca52cab
commit e2e1d6d30b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 516 additions and 31 deletions

View File

@ -778,8 +778,33 @@ notifier:
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
# issuer_private_key: |
# --- KEY START
# --- KEY END
# -----BEGIN RSA PRIVATE KEY-----
# MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
# lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
# HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
# Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
# Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
# YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
# AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
# i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
# 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
# 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
# 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
# ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
# owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
# AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
# OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
# 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
# fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
# pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
# ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
# Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
# UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
# D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
# P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
# vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
# qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
# -----END RSA PRIVATE KEY-----
## The lifespans configure the expiration for these token types.
# access_token_lifespan: 1h
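Review bot: The example under `issuer_private_key` now reads as a complete RSA key, and nothing in the comment block says it is a placeholder. The first body line contains a `$` (`MXIEogIB$AKCAQEA...`), which is not a base64 character, so the block looks deliberately undecodable, but a reader who uncomments it has no way to know that from the template. Add a comment line above the PEM block stating that it is a non-functional example which must be replaced with a generated key, and expect secret scanners to flag the `-----BEGIN RSA PRIVATE KEY-----` header in this file.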

View File

@ -34,8 +34,33 @@ identity_providers:
oidc:
hmac_secret: this_is_a_secret_abc123abc123abc
issuer_private_key: |
--- KEY START
--- KEY END
-----BEGIN RSA PRIVATE KEY-----
MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI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-----END RSA PRIVATE KEY-----
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h

View File

@ -104,4 +104,4 @@ why setting them via the file counterparts is highly encouraged.
## Examples
See the [Docker Integration](../../integration/deployment/docker.md) and
[Kubernetes Integration](../../integration/kubernetes/introduction/index.md) guides for examples of secrets.
[Kubernetes Integration](../../integration/kubernetes/secrets.md) guides for examples of secrets.

View File

@ -15,6 +15,12 @@ toc: true
1. The [configuration](../../configuration/prologue/introduction.md) can be defined statically by YAML.
2. Most areas of the configuration can be defined by [environment variables](../../configuration/methods/environment.md).
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Ansible
*Authelia* could theoretically be easily deployed via [Ansible] however we do not have an [Ansible Role] at this time.

View File

@ -15,6 +15,12 @@ toc: true
There are several ways to achieve this, as *Authelia* runs as a daemon. We do not provide specific examples for running
*Authelia* as a service excluding the [systemd unit](#systemd) files.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## systemd
We publish two example [systemd] unit files:

View File

@ -27,17 +27,33 @@ existing [Docker Compose].
* [Bundle: lite](#lite)
* [Bundle: local](#local)
### Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
### Standalone Example
The following is an example [Docker Compose] deployment with just *Authelia* and no bundled applications or proxies.
The following is an examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or
proxies.
It expects the following:
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
* The files `data/authelia/secrets/*` exist and contain the relevant [secrets](../../configuration/methods/secrets.md).
* The directory `data/authelia/secrets/` exists and contain the relevant [secret](../../configuration/methods/secrets.md) files:
* A file named `JWT_SECRET` for the [jwt_secret](../../configuration/miscellaneous/introduction.md#jwt_secret)
* A file named `SESSION_SECRET` for the [session secret](../../configuration/session/introduction.md#secret)
* A file named `STORAGE_PASSWORD` for the [PostgreSQL password secret](../../configuration/storage/postgres.md#password)
* A file named `STORAGE_ENCRYPTION_KEY` for the [storage encryption_key secret](../../configuration/storage/introduction.md#encryption_key)
* You're using PostgreSQL.
* You have an external network named `net` which is in bridge mode.
#### Using Secrets
Use this [Standalone Example](#standalone-example) if you want to use
[docker secrets](https://docs.docker.com/engine/swarm/secrets/).
```yaml
version: "3.8"
secrets:
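Review bot: Two of the added prose lines in the Standalone Example section have grammar slips. "The following is an examples are [Docker Compose] deployments" should read "The following examples are [Docker Compose] deployments", and "The directory `data/authelia/secrets/` exists and contain the relevant" should use "contains".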
@ -49,10 +65,6 @@ secrets:
file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
STORAGE_ENCRYPTION_KEY:
file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
OIDC_HMAC_KEY:
file: ${PWD}/data/authelia/secrets/OIDC_HMAC_KEY
OIDC_PRIVATE_KEY:
file: ${PWD}/data/authelia/secrets/OIDC_PRIVATE_KEY
services:
authelia:
container_name: authelia
@ -63,14 +75,12 @@ services:
aliases: []
expose:
- 9091
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, OIDC_HMAC_KEY, OIDC_PRIVATE_KEY]
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
environment:
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/OIDC_HMAC_KEY
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/OIDC_PRIVATE_KEY
volumes:
- ${PWD}/data/authelia/config:/config
networks:
@ -79,19 +89,13 @@ networks:
name: net
```
#### Running the Proxy on the Host Instead of in a Container
#### Using a Secrets Volume
If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this
configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the
users asking how to accomplish this. It should be noted that we can't provide documentation or support for every
architectural choice our users make and you should expect to do your own research to figure this out where possible.
The example below includes the additional `ports` option which must be added in order to allow communication to
*Authelia* from daemons on the [Docker] host. The other values are used to show context within the
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
Use this [Standalone Example](#standalone-example) if you want to use a standard
[docker volume](https://docs.docker.com/storage/volumes/) or bind mount for your secrets.
```yaml
version: "3.8"
services:
authelia:
container_name: authelia
@ -102,8 +106,18 @@ services:
aliases: []
expose:
- 9091
ports:
- "127.0.0.1:9091:9091"
environment:
AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
volumes:
- ${PWD}/data/authelia/config:/config
- ${PWD}/data/authelia/secrets:/secrets
networks:
net:
external: true
name: net
```
### Bundles
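Review bot: The bind mount `${PWD}/data/authelia/secrets:/secrets` added in the Using a Secrets Volume example is read-write, so the container can modify or replace secret files it only needs to read. Mount it read-only with `${PWD}/data/authelia/secrets:/secrets:ro`, which matches the `readOnly: true` volume mount in the Kubernetes secrets guide added by this same commit.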
@ -156,5 +170,34 @@ running the following command:
grep -Eo '"https://.*" ' ./authelia/notification.txt.
```
## FAQ
#### Running the Proxy on the Host Instead of in a Container
If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this
configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the
users asking how to accomplish this. It should be noted that we can't provide documentation or support for every
architectural choice our users make and you should expect to do your own research to figure this out where possible.
The example below includes the additional `ports` option which must be added in order to allow communication to
*Authelia* from daemons on the [Docker] host. The other values are used to show context within the
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
```yaml
services:
authelia:
container_name: authelia
image: docker.io/authelia/authelia:latest
restart: unless-stopped
networks:
net:
aliases: []
expose:
- 9091
ports:
- "127.0.0.1:9091:9091"
```
[Docker]: https://docker.com
[Docker Compose]: https://docs.docker.com/compose/
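Review bot: The relocated "Running the Proxy on the Host Instead of in a Container" entry keeps its `####` level directly under the new `## FAQ` heading, which skips a heading level on a page with `toc: true`. Make it `###`, as the Kubernetes introduction page does with `### RAM usage` under its `## FAQ`.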

View File

@ -17,3 +17,9 @@ There are three main methods to deploy *Authelia*.
1. [Docker](docker.md)
2. [Kubernetes](../kubernetes/introduction/index.md)
3. [Bare-Metal](bare-metal.md)
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.

View File

@ -0,0 +1,45 @@
---
title: "Chart"
description: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes"
lead: "A guide to using the Authelia helm chart to integrate Authelia with Kubernetes."
date: 2022-05-15T13:52:27+10:00
draft: false
images: []
menu:
integration:
parent: "kubernetes"
weight: 520
toc: true
---
Authelia offers a [Helm Chart] which can make integration with [Kubernetes] much easier. It's currently considered beta
status, and as such is subject to breaking changes.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Repository
The [Helm Chart] repository for Authelia is `https://charts.authelia.com`. You can add it to your repository list with
the following [Helm] commands:
```bash
helm repo add authelia https://charts.authelia.com
helm repo update
```
## Website
The [https://charts.authelia.com/](https://charts.authelia.com/) URL also serves a website with basic chart information.
## Source
The source for the [Helm Chart] is hosted on [GitHub](https://github.com/authelia/chartrepo). Please feel free to
[contribute](../../contributing/prologue/introduction.md).
[Kubernetes]: https://kubernetes.io/
[Helm]: https://helm.sh/
[Helm Chart]: https://helm.sh/docs/topics/charts/

View File

@ -21,12 +21,18 @@ aliases:
The following areas are actively being worked on for Kubernetes:
1. Detailed Documentation
2. [Helm Chart](https://github.com/authelia/chartrepo) for Helm v3 see our [chart repository](https://charts.authelia.com)
2. [Helm Chart](../chart.md) for Helm v3
3. Kustomize Deployment
4. Manifest Examples
Users are welcome to reach out directly by using any of our various [contact options](../../information/contact.md).
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Important Notes
The following section has special notes regarding utilizing Authelia with Kubernetes.
@ -57,6 +63,9 @@ spec:
...
```
## Secrets
## FAQ
### RAM usage
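Review bot: The added `## Secrets` heading has no body; `## FAQ` follows it immediately. Either add a sentence that links to the new secrets guide, for example `[Secrets](../secrets.md)` in the same style as the `../chart.md` link in the previous hunk, or drop the heading.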

View File

@ -8,7 +8,7 @@ images: []
menu:
integration:
parent: "kubernetes"
weight: 530
weight: 551
toc: true
---
@ -18,6 +18,12 @@ official one [nginx-ingress-controller]. Currently we only have support docs for
The [nginx documentation](../proxies/nginx.md) may also be useful for crafting advanced snippets to use with annotations
even though it's not specific to Kubernetes.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## NGINX Ingress Controller (ingress-nginx)
If you use NGINX Ingress Controller (ingress-nginx) you can protect an ingress with the following annotations. The

View File

@ -0,0 +1,223 @@
---
title: "Secrets"
description: "A guide to using secrets when integrating Authelia with Kubernetes."
lead: "A guide to using secrets when integrating Authelia with Kubernetes."
date: 2022-05-15T13:52:27+10:00
draft: false
images: []
menu:
integration:
parent: "kubernetes"
weight: 530
toc: true
---
The following serve as examples of how to inject secrets into the Authelia container on [Kubernetes].
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Creation
The following section covers creating example secrets. See [Secret Usage](#usage) for usage details. These examples are
not intended to be used as is, you should only include secrets that you're actively using and some secrets may be
missing from these examples. You need to see the [secrets documentation](../../configuration/methods/secrets.md) and
appropriately adapt these examples to your use case.
### Helm Chart
The Helm [Chart](chart.md) automatically generates and injects secrets into an Authelia deployment.
### Manifest
The following manifest is an example which all of the other examples attempt to facilitate as closely as possible. You
can manually create a secret like this with `kubectl apply -f`.
##### String Data Example
##### secret.yaml
```yaml
---
kind: Secret
apiVersion: v1
metadata:
name: authelia
stringData:
JWT_SECRET: >-
NwsVsXv4YCAF9suxWZmT7N6PSzmouCDHqVpzbS5niBKo49b7rTREmwFe6roKswf4
SESSION_SECRET: >-
DkezH5zcMQsvaU38YVu673i6JDH4VPiik9xPmYsTN3KPNkxSiiyZ8ASFTdcBcu8q
REDIS_PASSWORD: >-
VfhdNhgFG5mLU9s3cjQn9im6dkiWNu3FEUPJRi9bqGm3UV6xzGBZgvdCJhoy26d9
REDIS_SENTINEL_PASSWORD: >-
sSJMfX9A6Q6vTpD6rHXcLn2j5kN557RwuohAeyZuGqH9P9LGfuSMnzi9woYZuNqU
LDAP_PASSWORD: >-
zafcAShEBfgc48DihdRnnb6UJEGKqzg3FdeZXZ3rhrg6tu2oDoYSBA88w9NPvDhZ
STORAGE_PASSWORD: >-
NMHf9Z7C5UQYuKKgh9BJTKeccoZt6c647FQqsEHhkapkkndPkPw3d8bnvkqLgiZ5
STORAGE_ENCRYPTION_KEY: >-
rH87rjVMQBvzVgj8vVGSxhop2PPwddrJ7B6oSkGcmoganMf4wqANp9AJwaMHt8RA
SMTP_PASSWORD: >-
oi4Yag5HX8Bhc5JTr49nRkdPEr4JcPMfLAPvXxNpHtHqiHXfx3isdWXuTg7yCtjk
DUO_SECRET_KEY: >-
d4ypk2UQXxuo86s7vJ2rYWPa5KoxDfU9JQWgEqtANiBaJVQSG8PJbD9U24eiVuPC
OIDC_HMAC_SECRET: >-
eSopMjbiuCMhEbXGFsm5B8KWKszxV3CJWSLYrWnBJja4rFNvDxti388WyBjdrsHb
OIDC_ISSUER_PRIVATE_KEY:
-----BEGIN RSA PRIVATE KEY-----
MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI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-----END RSA PRIVATE KEY-----
...
```
##### Base64 Data Example
This is the same manifest as above but encoded in base64.
```yaml
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: authelia
data:
DUO_SECRET_KEY: ZDR5cGsyVVFYeHVvODZzN3ZKMnJZV1BhNUtveERmVTlKUVdnRXF0QU5pQmFKVlFTRzhQSmJEOVUyNGVpVnVQQw==
JWT_SECRET: TndzVnNYdjRZQ0FGOXN1eFdabVQ3TjZQU3ptb3VDREhxVnB6YlM1bmlCS280OWI3clRSRW13RmU2cm9Lc3dmNA==
LDAP_PASSWORD: emFmY0FTaEVCZmdjNDhEaWhkUm5uYjZVSkVHS3F6ZzNGZGVaWFozcmhyZzZ0dTJvRG9ZU0JBODh3OU5QdkRoWg==
OIDC_HMAC_SECRET: ZVNvcE1qYml1Q01oRWJYR0ZzbTVCOEtXS3N6eFYzQ0pXU0xZclduQkpqYTRyRk52RHh0aTM4OFd5QmpkcnNIYg==
OIDC_ISSUER_PRIVATE_KEY: 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
REDIS_PASSWORD: VmZoZE5oZ0ZHNW1MVTlzM2NqUW45aW02ZGtpV051M0ZFVVBKUmk5YnFHbTNVVjZ4ekdCWmd2ZENKaG95MjZkOQ==
REDIS_SENTINEL_PASSWORD: c1NKTWZYOUE2UTZ2VHBENnJIWGNMbjJqNWtONTU3Und1b2hBZXladUdxSDlQOUxHZnVTTW56aTl3b1ladU5xVQ==
SESSION_SECRET: RGtlekg1emNNUXN2YVUzOFlWdTY3M2k2SkRINFZQaWlrOXhQbVlzVE4zS1BOa3hTaWl5WjhBU0ZUZGNCY3U4cQ==
SMTP_PASSWORD: b2k0WWFnNUhYOEJoYzVKVHI0OW5Sa2RQRXI0SmNQTWZMQVB2WHhOcEh0SHFpSFhmeDNpc2RXWHVUZzd5Q3Rqaw==
STORAGE_ENCRYPTION_KEY: ckg4N3JqVk1RQnZ6VmdqOHZWR1N4aG9wMlBQd2Rkcko3QjZvU2tHY21vZ2FuTWY0d3FBTnA5QUp3YU1IdDhSQQ==
STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ==
```
### Kustomize
The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The
files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your
desired secret value.
##### kustomization.yaml
```yaml
generatorOptions:
disableNameSuffixHash: true
labels:
type: generated
app: authelia
secretGenerator:
- name: authelia
files:
- DUO_SECRET_KEY
- JWT_SECRET
- LDAP_PASSWORD
- OIDC_HMAC_SECRET
- OIDC_ISSUER_PRIVATE_KEY
- REDIS_PASSWORD
- REDIS_SENTINEL_PASSWORD
- SESSION_SECRET
- SMTP_PASSWORD
- STORAGE_ENCRYPTION_KEY
- STORAGE_PASSWORD
```
## Usage
The following section covers using the created example secrets. See [Creation](#creation) for creation
details.
The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment],
[StatefulSet], and [DaemonSet].
```yaml
spec:
containers:
- name: authelia
env:
- name: AUTHELIA_DUO_API_SECRET_KEY_FILE
value: /app/secrets/DUO_SECRET_KEY
- name: AUTHELIA_JWT_SECRET_FILE
value: /app/secrets/JWT_SECRET
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
value: /app/secrets/LDAP_PASSWORD
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
value: /app/secrets/OIDC_HMAC_SECRET
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
value: /app/secrets/OIDC_ISSUER_PRIVATE_KEY
- name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
value: /app/secrets/REDIS_PASSWORD
- name: AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
value: /app/secrets/REDIS_SENTINEL_PASSWORD
- name: AUTHELIA_SESSION_SECRET_FILE
value: /app/secrets/SESSION_SECRET
- name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
value: /app/secrets/SMTP_PASSWORD
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
value: /app/secrets/STORAGE_ENCRYPTION_KEY
- name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
value: /app/secrets/STORAGE_ENCRYPTION_KEY
volumeMounts:
- mountPath: /app/secrets
name: secrets
readOnly: true
volumes:
- name: secrets
secret:
secretName: authelia
items:
- key: DUO_SECRET_KEY
path: DUO_SECRET_KEY
- key: JWT_SECRET
path: JWT_SECRET
- key: OIDC_HMAC_SECRET
path: OIDC_HMAC_SECRET
- key: OIDC_ISSUER_PRIVATE_KEY
path: OIDC_ISSUER_PRIVATE_KEY
- key: REDIS_PASSWORD
path: REDIS_PASSWORD
- key: REDIS_SENTINEL_PASSWORD
path: REDIS_SENTINEL_PASSWORD
- key: SESSION_SECRET
path: SESSION_SECRET
- key: SMTP_PASSWORD
path: SMTP_PASSWORD
- key: STORAGE_ENCRYPTION_KEY
path: STORAGE_ENCRYPTION_KEY
- key: STORAGE_PASSWORD
path: STORAGE_PASSWORD
```
[Kubernetes]: https://kubernetes.io/
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/
[DaemonSet]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
[StatefulSet]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
[Deployment]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
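Review bot: In the Usage manifest, `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` is set to `/app/secrets/STORAGE_ENCRYPTION_KEY`, the same path as the encryption key variable just above it, so the database password would be read from the wrong file; it should be `/app/secrets/STORAGE_PASSWORD`. The `items` list under the `secrets` volume also has no `LDAP_PASSWORD` entry although `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE` points at `/app/secrets/LDAP_PASSWORD`; with an explicit `items` list only the listed keys are projected, so add the key or drop `items`. Two smaller points: `AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE` lacks the `SESSION_` segment that `AUTHELIA_SESSION_REDIS_PASSWORD_FILE` has and should be checked against the secrets documentation, and `OIDC_ISSUER_PRIVATE_KEY:` in the String Data example has no block scalar indicator while every other key uses `>-`; a multi-line PEM needs `|` there.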

View File

@ -8,7 +8,7 @@ images: []
menu:
integration:
parent: "kubernetes"
weight: 520
weight: 550
toc: true
---
@ -20,6 +20,12 @@ We officially support the Traefik 2.x Kubernetes ingress controllers. These come
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
this ingress even though it's not specific to Kubernetes.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Special Notes
### Cross-Namespace Resources

View File

@ -26,6 +26,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
throughout this documentation and in the [See Also](#see-also) section.*
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Requirements
You need the following to run __Authelia__ with [Caddy]:

View File

@ -28,6 +28,12 @@ and thus if anyone has this working please let us know.
We will aim to perform documentation for this on our own but there is no current timeframe.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Trusted Proxies
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.

View File

@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
throughout this documentation and in the [See Also](#see-also) section.*
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Requirements
You need the following to run __Authelia__ with [HAProxy]:

View File

@ -18,6 +18,12 @@ __Authelia__ works in collaboration with several reverse proxies. In this sectio
various tested proxies with examples of how you may configure them. We are eager for users to help us provide better
examples of already documented proxies, as well as provide us examples of undocumented proxies.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Support
See [support](support.md) for support information.

View File

@ -26,6 +26,12 @@ throughout this documentation and in the [See Also](#see-also) section.*
While this proxy is supported we don't have any specific documentation for it at the present time. Please see the
[NGINX integration documentation](nginx.md) for hints on how to configure this.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Requirements
[NGINX Proxy Manager] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.

View File

@ -22,6 +22,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
throughout this documentation and in the [See Also](#see-also) section.*
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Requirements
You need the following to run __Authelia__ with [NGINX]:

View File

@ -28,6 +28,12 @@ and thus if anyone has this working please let us know.
We will aim to perform documentation for this on our own but there is no current timeframe.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Trusted Proxies
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.

View File

@ -30,6 +30,12 @@ only need to enabled two includes.
*__Note:__ All paths in this guide are the locations inside the container. You will have to either edit the files within
the container or adapt the path to the path you have mounted the relevant container path to.*
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Requirements
[SWAG] supports the required [NGINX](nginx.md#requirements) requirements for __Authelia__ out-of-the-box.

View File

@ -31,6 +31,12 @@ You need the following to run __Authelia__ with [Traefik]:
* [Traefik] [v2.4.1](https://github.com/traefik/traefik/releases/tag/v2.4.1) or greater if you wish to use
[basic authentication](#basic-authentication)
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Trusted Proxies
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.
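Review bot: On the Traefik page the `## Get Started` section is inserted after the requirements list and before `## Trusted Proxies`, while the Caddy, HAProxy and NGINX hunks in this commit place it before `## Requirements`. Move it above the requirements here so the proxy guides share one section order.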

View File

@ -21,6 +21,12 @@ method of deploying a proxy. These guides show a suggested setup only and you ne
configuration and customize it to your needs. To-that-end we include links to the official proxy documentation
throughout this documentation and in the [See Also](#see-also) section.*
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Trusted Proxies
*__Important:__ You should read the [Forwarded Headers] section and this section as part of any proxy configuration.

View File

@ -778,8 +778,33 @@ notifier:
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
# issuer_private_key: |
# --- KEY START
# --- KEY END
# -----BEGIN RSA PRIVATE KEY-----
# MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
# lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
# HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
# Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
# Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
# YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
# AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
# i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
# 60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
# 7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
# 0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
# ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
# owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
# AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
# OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
# 7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
# fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
# pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
# ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
# Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
# UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
# D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
# P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
# vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
# qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
# -----END RSA PRIVATE KEY-----
## The lifespans configure the expiration for these token types.
# access_token_lifespan: 1h