authelia/example/kube
James Elliott 242386e279 Force TLS and valid x509 certs in SMTP Notifier by default
- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left connection open)
- Split SMTPNotifier Send func to separate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes
2020-01-10 17:37:16 +01:00
apps Update references to remove hash router 2020-01-10 11:33:18 +01:00
authelia Force TLS and valid x509 certs in SMTP Notifier by default 2020-01-10 17:37:16 +01:00
ingress-controller Declare suites as Go structs and bootstrap e2e test framework in Go. 2019-11-15 20:23:06 +01:00
ldap Add support for LDAP over TLS. 2019-12-06 21:33:47 +01:00
mail Declare suites as Go structs and bootstrap e2e test framework in Go. 2019-11-15 20:23:06 +01:00
storage Deprecate mongo and add mariadb as storage backend option. 2019-11-16 23:39:26 +01:00
bootstrap-authelia.sh Fix and parallelize integration tests. 2019-12-05 11:05:24 +01:00
bootstrap-dashboard.sh Fix Kubernetes suite tests. 2019-11-16 23:39:26 +01:00
bootstrap.sh Fix Kubernetes suite tests. 2019-11-16 23:39:26 +01:00
dashboard.yml Bootstrap Go implementation of Authelia. 2019-10-28 23:28:59 +01:00
namespace.yml fix permissions 2018-12-18 16:34:56 +01:00
README.md Update references to remove hash router 2020-01-10 11:33:18 +01:00
test.yml Rename org from clems4ever to authelia 2019-12-24 13:14:52 +11:00

Authelia on Kubernetes

Authelia is now available on Kubernetes to protect your most critical applications with two-factor authentication and single sign-on.

This example leverages ingress-nginx to delegate authentication and authorization to Authelia within the cluster.

Getting started

You can either install Authelia on a Kubernetes cluster you already run, or deploy the dedicated test suite called kubernetes.

Set up a Kube cluster

The simplest way to start a Kubernetes cluster is to deploy the kubernetes suite with

authelia-scripts suites setup kubernetes

This will take a few seconds (or minutes) to deploy the cluster.

How does it work?

Authentication via Authelia

In a Kubernetes cluster, request routing is handled by ingress controllers following the rules provided by ingress configurations.

In this example, the ingress-nginx controller has been installed to handle incoming requests. Some of them (those matching the ingress configuration) are first forwarded to Authelia, which verifies whether they are allowed and should reach the protected endpoint.

Authentication is enforced at the ingress level by an annotation called nginx.ingress.kubernetes.io/auth-url, whose value is the URL of Authelia's verification endpoint. The ingress controller also needs the URL of the authentication portal so that users who are not yet authenticated can be redirected to it. That annotation is: nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/"

Those annotations can be seen in apps/apps.yml configuration.
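The following is an added example of such an Ingress manifest; it is not the repository's apps/apps.yml. It assumes the Authelia Service is reachable in-cluster at authelia-service.authelia.svc.cluster.local, that its verification endpoint is /api/verify, that the controller trusts the certificate that service presents, and that the protected application is the Service secure-app on port 80; only the auth-signin value comes from the text above.

```yaml
# Added example, not the repository's own manifest. Assumed names:
# secure-app (protected Service), secure.example.com (its hostname),
# authelia-service.authelia.svc.cluster.local and /api/verify (Authelia).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-app
  namespace: apps
  annotations:
    # Every request to this host is first sent to Authelia. A 200 response
    # lets the request through to the backend; a 401 makes ingress-nginx
    # redirect the browser to the auth-signin URL instead.
    nginx.ingress.kubernetes.io/auth-url: "https://authelia-service.authelia.svc.cluster.local/api/verify"
    # Portal to which unauthenticated users are redirected (value from the README).
    nginx.ingress.kubernetes.io/auth-signin: "https://login.example.com:8080/"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - secure.example.com
      secretName: secure-example-com-tls   # assumed Secret holding the cert
  rules:
    - host: secure.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-app
                port:
                  number: 80
```

Because the check lives in the ingress, the backend Service must only be reachable through this ingress (for example by a NetworkPolicy); any other path to it bypasses Authelia entirely.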

Production grade infrastructure

What is great about using ingress-nginx is that it is compatible with kube-lego, which removes the usual pain of manually renewing SSL certificates. It uses Let's Encrypt to issue and renew certificates every three months without any manual intervention.

What do I need to know to deploy it in my cluster?

Given that your cluster already runs an LDAP server, a Redis instance, an SQL database, an SMTP server and an nginx ingress controller, you can deploy Authelia and update your ingress configurations. An example is provided here.

Questions

If you have questions about the implementation, please post them on Gitter.