This is a quick guide on how to deploy Authentik, an open source, self-hosted identity provider (IdP), on the same underlying Kubernetes cluster that is running the Octelium Cluster, and how to use it as an OpenID Connect IdentityProvider (read more about IdentityProviders here) in order to log in to the Cluster.
In this guide we use Helm to install Authentik. First, create a values.yaml file for the Authentik Helm chart (see the chart here) as follows:
```yaml
authentik:
  secret_key: <SECRET_KEY>
  postgresql:
    password: <POSTGRES_PASSWORD>

global:
  env:
    - name: AUTHENTIK_BOOTSTRAP_PASSWORD
      value: <BOOTSTRAP_LOGIN_PASSWORD>
server:
  ingress:
    enabled: false
postgresql:
  enabled: true
  auth:
    password: <POSTGRES_PASSWORD>
redis:
  enabled: true
```
If you have Python installed, you can use it to generate random values for the passwords used above as follows (the `secrets` module draws from the OS CSPRNG, which is what password material should come from):
```shell
python -c "import secrets, string; print(''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16)))"
```
Now deploy Authentik on the Kubernetes cluster using our values.yaml file as follows:
```shell
helm repo add authentik https://charts.goauthentik.io
helm repo update
helm upgrade --install authentik authentik/authentik --namespace authentik --create-namespace -f </PATH/TO/VALUES.YAML>
```
If you installed the Cluster via the quick installation guide, you can simply run `export KUBECONFIG="/etc/rancher/k3s/k3s.yaml"` in your Cluster VM/VPS before running the helm commands above.
Now create an Octelium Service for the Authentik web server as follows:
```yaml
kind: Service
metadata:
  name: idp
spec:
  mode: HTTP
  config:
    upstream:
      url: http://authentik-server.authentik.svc
    http:
      header:
        forwardedMode: TRANSPARENT
      host:
        preserve: true
  isPublic: true
  isAnonymous: true
```
Now you can apply the creation of the Service via the octeliumctl apply command (read more here) as follows:
```shell
octeliumctl apply /PATH/TO/SERVICE.YAML
```
Notice that we created the Service as isAnonymous since we need to access it anonymously in order to log in to the Cluster. You can read more about anonymous Services here.
Now visit the Service in a web browser at https://idp.<DOMAIN> and log in with the user akadmin and the password <BOOTSTRAP_LOGIN_PASSWORD> set in the Helm values.yaml above.
Now that you are logged in to the Authentik dashboard, you can create an OpenID Connect client application and use it to create an IdentityProvider in Octelium as follows:
- Go to Applications > Applications > Create with Provider.
- Select OAuth2/OpenID Provider and press Next.
- Set the application details as follows:
  - Set a Provider Name (e.g. octelium).
  - Set Authorization Flow to default-provider-authorization-explicit-consent (Authorize Application).
  - Set Redirect URIs/Origins to Strict with the URL https://<DOMAIN>/callback.
  - Copy the application's client ID and client secret, to be used in our IdentityProvider as shown below.
- Now go back to the list in Applications > Applications and visit the page of the Application you just created.
- Click on Provider for <YOUR_APP> (OAuth2/OpenID Provider).
- Copy the value OpenID Configuration Issuer, as we are going to use it later to define our IdentityProvider in the issuerURL field as shown below.
Now create a Secret for the application's client secret as follows:
```shell
octeliumctl create secret authentik
```
Now create an OpenID Connect IdentityProvider using the application's client ID, the client secret's Secret and the issuer URL as follows:
```yaml
kind: IdentityProvider
metadata:
  name: authentik
spec:
  displayName: Login with Authentik
  oidc:
    clientID: <CLIENT_ID>
    clientSecret:
      fromSecret: authentik
    issuerURL: <YOUR_OPENID_ISSUER_URL>
```
Now you can apply the creation of the IdentityProvider via the octeliumctl apply command as follows:
```shell
octeliumctl apply /PATH/TO/IDENTITY_PROVIDER.YAML
```
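The value copied into issuerURL has to match, byte for byte, the `issuer` claim in the discovery document the provider serves at `<issuerURL>/.well-known/openid-configuration`; a stray trailing slash or an http:// scheme is enough for an OpenID Connect relying party to refuse the provider. The following added check (example code, not part of this guide, Octelium or Authentik) validates a candidate issuerURL against a constructed discovery document whose host, slug and endpoints are placeholders shaped like Authentik's:

```python
"""Sanity-check an OIDC issuer before putting it into IdentityProvider.spec.oidc.issuerURL."""
import json
from urllib.parse import urlsplit

# Constructed sample discovery document. idp.example.test and the slug
# "octelium" are placeholders; the path layout mirrors Authentik's
# /application/o/<slug>/ issuer and its authorize/token/jwks endpoints.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/application/o/octelium/",
    "authorization_endpoint": "https://idp.example.test/application/o/authorize/",
    "token_endpoint": "https://idp.example.test/application/o/token/",
    "jwks_uri": "https://idp.example.test/application/o/octelium/jwks/",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def check_issuer(issuer_url: str, discovery_json: str) -> list[str]:
    """Return the list of problems found; an empty list means issuer_url is usable."""
    problems = []
    doc = json.loads(discovery_json)
    parts = urlsplit(issuer_url)
    if parts.scheme != "https":
        problems.append("issuerURL must use https")
    if parts.query or parts.fragment:
        problems.append("issuerURL must not carry a query or fragment")
    # OIDC Discovery requires an exact string match, so "/octelium" and
    # "/octelium/" are different issuers from the client's point of view.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key)
        if not endpoint or urlsplit(endpoint).scheme != "https":
            problems.append(f"{key} missing or not served over https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not offer the authorization code flow")
    return problems


if __name__ == "__main__":
    # The first value is what Authentik shows as "OpenID Configuration Issuer";
    # the second is the same value with the trailing slash dropped by hand.
    print(check_issuer("https://idp.example.test/application/o/octelium/", SAMPLE_DISCOVERY))
    print(check_issuer("https://idp.example.test/application/o/octelium", SAMPLE_DISCOVERY))
```

Against a live Authentik, feed the function the body fetched from the real `.well-known/openid-configuration` URL instead of the constructed sample.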