From 8e2d957b6793684cd94ed9ba0e07363d822c7e52 Mon Sep 17 00:00:00 2001 From: Steve Sampson <36173115+stphnsmpsn@users.noreply.github.com> Date: Mon, 14 Apr 2025 06:28:24 -0300 Subject: [PATCH] docs(guide): add section for Authentik integration (#34365) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Split authentication section of the guide into two sub-sections: Authelia and Authentik. - Add detailed instructions for configuring Authentik for domain-level forward auth. **Description** :blue_book: Added guide section for configuring Authentik with NGINX Ingress Controller. This was motivated by a thread in the Discord server where I shared my configuration with another user who was asking questions and @PrivatePuffin suggested I contribute to the docs :smiley: **⚙️ Type of change** - [ ] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code - [x] 📜 Documentation Changes **🧪 How Has This Been Tested?** **📃 Notes:** **✔️ Checklist:** - [x ] ⚖️ My code follows the style guidelines of this project - [x] 👀 I have performed a self-review of my own code - [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas - [x] 📄 I have made changes to the documentation - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [ ] ⬆️ I increased versions for any altered app according to semantic versioning - [x] I made sure the title starts with `feat(chart-name):`, `fix(chart-name):`, `chore(chart-name):`, `docs(chart-name):` or `fix(docs):` **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com> Co-authored-by: Alfred Göppel <43101280+alfi0812@users.noreply.github.com> --- .../src/content/docs/guides/ingress/nginx.md | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/website/src/content/docs/guides/ingress/nginx.md b/website/src/content/docs/guides/ingress/nginx.md index a41e82e521d..426ecee70c0 100644 --- a/website/src/content/docs/guides/ingress/nginx.md +++ b/website/src/content/docs/guides/ingress/nginx.md @@ -137,7 +137,7 @@ annotations: ### Auth -For Authelia, Authentik and more +#### Authelia ```yaml annotations: @@ -147,6 +147,30 @@ annotations: nginx.ingress.kubernetes.io/auth-response-headers: 'Remote-User,Remote-Name,Remote-Groups,Remote-Email' ``` +#### Authentik + +When using Authentik, take care to configure the service as follows. + +```yaml +annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" +``` + +For domain-level forward auth, you must configure the embedded outpost first (please refer to +[Authentik's docs](https://truecharts.org/charts/stable/authentik/how_to/)). The basic steps are to create a provider and application, then enable the embedded outpost for your newly created application. + +Once that has been done, configure each service you wish to place behind Authentik as follows: + +```yaml +annotations: + nginx.ingress.kubernetes.io/auth-url: http://authentik-http.authentik.svc.cluster.local:10230/outpost.goauthentik.io/auth/nginx + nginx.ingress.kubernetes.io/auth-signin: https://auth.${DOMAIN_1}/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri + nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Host $http_host; +``` + ### IP Whitelist ```yaml