K3S/addons/authelia/role/chart/templates/NOTES.txt
Sergey Antropoff 225f77598a feat: add authelia addon — SSO forward-auth and OIDC provider
Helm chart + Ansible role for Authelia 4.38:
- Forward-auth for ingress-nginx via auth-url/auth-signin annotations
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite by default or PostgreSQL; optional Redis for sessions
- OIDC RSA key is generated automatically if not set in vault
- ConfigMap authelia-forward-auth with ready-made annotations for any service
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00


╔══════════════════════════════════════════════════════════════╗
║                   Authelia SSO — Deployed                    ║
╚══════════════════════════════════════════════════════════════╝
Portal: http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.authHost }}/
Namespace: {{ .Release.Namespace }}
OIDC: {{ if .Values.oidc.enabled }}enabled{{ else }}disabled{{ end }}
Redis: {{ if .Values.redis.enabled }}enabled{{ else }}disabled (memory sessions){{ end }}
Storage: {{ .Values.storage.type }}

─── Protect a new service ──────────────────────────────────────
Add to its Ingress:
  nginx.ingress.kubernetes.io/auth-url: "http://{{ include "authelia.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:9091/api/authz/forward-auth"
  nginx.ingress.kubernetes.io/auth-signin: "http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.authHost }}/?rd=$scheme://$host$escaped_request_uri"
  nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
  nginx.ingress.kubernetes.io/auth-snippet: "proxy_set_header X-Forwarded-Method $request_method;"
Or get the full reference:
  kubectl get cm {{ include "authelia.name" . }}-forward-auth -n {{ .Release.Namespace }} -o jsonpath='{.data.annotations\.yaml}'
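A complete Ingress for a hypothetical service, added here as an example (not part of the chart), with the template values rendered for assumed settings: the Authelia Service is named authelia in namespace authelia, authHost is auth.example.com, TLS is enabled, and the protected service is grafana in namespace monitoring:

```yaml
# Added example, not chart code. Assumed values: Authelia Service "authelia"
# in namespace "authelia", portal at https://auth.example.com, protected
# service "grafana" (port 3000) in namespace "monitoring".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    # ingress-nginx issues a subrequest here before proxying each request:
    # 200 lets it through, 401 triggers auth-signin.
    nginx.ingress.kubernetes.io/auth-url: "http://authelia.authelia.svc.cluster.local:9091/api/authz/forward-auth"
    # Unauthenticated users are sent to the portal; rd= carries the original
    # URL so Authelia can return them after login.
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/?rd=$scheme://$host$escaped_request_uri"
    # Identity headers copied from Authelia's 200 response into the request
    # that reaches Grafana. Grafana must accept them only from this ingress;
    # it has no way to verify them itself.
    nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
    # Authelia evaluates access-control rules per method, so forward the
    # original method of the client request.
    nginx.ingress.kubernetes.io/auth-snippet: "proxy_set_header X-Forwarded-Method $request_method;"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - grafana.example.com
      secretName: grafana-tls
  rules:
    - host: grafana.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
```

The auth-snippet annotation is only honoured when the ingress-nginx controller runs with allow-snippet-annotations: true in its ConfigMap; since ingress-nginx 1.9 that setting defaults to false and the snippet is silently dropped.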
─── OIDC Issuer ────────────────────────────────────────────────
http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.authHost }}
Discovery: http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.authHost }}/.well-known/openid-configuration

─── Logs / Debug ───────────────────────────────────────────────
  kubectl -n {{ .Release.Namespace }} logs -l app.kubernetes.io/name={{ include "authelia.name" . }} -f
─── First login ────────────────────────────────────────────────
Open: http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ .Values.authHost }}/
User: admin (or as configured in authelia_users)
Pass: the plaintext password whose hash you set in vault.yml
─── Access control rules ────────────────────────────────────────
{{- if .Values.accessControl.protectedDomains }}
Protected (login required):
{{- range .Values.accessControl.protectedDomains }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .Values.accessControl.adminDomains }}
Admin-only (group: admins):
{{- range .Values.accessControl.adminDomains }}
- {{ . }}
{{- end }}
{{- end }}
{{- if .Values.accessControl.bypassDomains }}
Bypass (public):
{{- range .Values.accessControl.bypassDomains }}
- {{ . }}
{{- end }}
{{- end }}