Commit Graph

9 Commits (ffffe9d3c84b29a3b35b2d625a252b9fd10ecc79)

Author SHA1 Message Date
Dustin d8aadb01af authelia: add OIDC client for MinIO
This configuration is for the instance of MinIO running on the BURP
server, which will be used to store PostgreSQL backups created by the
Postgres Operator.
2023-05-12 11:45:20 -05:00
Dustin 572ea54dd3 authelia: Set OIDC consent duration
By default, Authelia requires the user to explicitly consent to allow
an application access to personal information *every time the user
authenticates*.  This is rather annoying, so luckily, it provides a
way to remember the consent for a period of time.
2023-04-23 15:56:50 -05:00
Dustin b5574fa5fc authelia: Skip scanserv-js auth for internal
For convenience, clients on the internal network do not need to
authenticate in order to access *scanserv-js*.  There isn't anything
particularly sensitive about this application, anyway.
2023-04-23 15:55:42 -05:00
Dustin 24465dc7da authelia: Set up OIDC for k8s API server
Enabling OpenID Connect authentication for the Kubernetes API server
will allow clients, particularly `kubectl`, to log in without needing
TLS certificates and private keys.
2023-04-22 21:37:23 -05:00
Dustin bcb54d4010 authelia: Add README
2023-04-22 21:35:28 -05:00
Dustin b2e1e29087 authelia: Enable two-factor auth for Paperless-ngx
2023-04-22 08:00:19 -05:00
Dustin 8a966a7ffb authelia: Enable OIDC provider
Authelia can act as an OpenID Connect identity provider.  This allows
it to provide authentication/authorization for other applications
besides those inside the Kubernetes cluster using it for Ingress
authentication.

To start with, we'll configure an OIDC client for Jenkins.
2023-01-25 10:36:22 -06:00
Dustin e38245dc63 authelia: Add startup probe
I am not entirely sure why, but it seems like the Kubelet *always*
misses the first check in the readiness probe.  This causes a full
60-second delay before the Authelia pod is marked as "ready," even
though it was actually ready within a second of the container starting.

To avoid this very long delay, during which Authelia is unreachable,
even though it is working fine, we can add a startup probe with a much
shorter check interval.  The kubelet will not start readiness probes
until the startup probe returns successfully, so it won't miss the first
one any more.
2023-01-25 10:32:30 -06:00
Dustin 42bc4ae187 authelia: Install Authelia
Authelia is a general authentication provider that works (primarily)
by integrating with *nginx* using its subrequest mechanism.  It works
great with Kubernetes/*ingress-nginx* to provide authentication for
services running in the cluster, especially those that do not provide
their own authentication system.

Authelia needs a database to store session data.  It supports various
engines, but since we're only running a very small instance with no real
need for HA, SQLite on a Longhorn persistent volume is sufficient.

Configuration is done mostly through a YAML document, although some
secret values are stored in separate files, which are pointed to by
environment variables.
2023-01-13 21:33:14 -06:00