infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

storage: Use Authelia for Longhorn UI auth 

Instead of using a static username/password and HTTP Basic
authentication for the Longhorn UI, we can now use Authelia via the
*nginx* auth subrequest functionality.
dch-webhooks-secrets
Dustin 2023-01-13 19:37:14 -06:00
parent 42bc4ae187
commit df12690958
2 changed files with 8 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
storage/README.md
View File

@ -23,18 +23,11 @@ kubectl apply -f longhorn.yaml
Expose the Longhorn UI outside the cluster:
```sh
printf 'Longhorn username: '
read longhorn_username
printf 'Longhorn password: '
read -s longhorn_password
printf '%s:%s\n' \
"${longhorn_username}" \
"$(openssl passwd -stdin -apr1 <<< "${longhorn_password}")" \
> auth
kubectl create secret generic -n longhorn-system basic-auth --from-file auth
kubectl apply -f longhorn-ingress.yaml
```
Authentication to the UI is handled by Authelia.
[0]: https://longhorn.io/docs/1.3.0/deploy/install/install-with-kubectl/
[1]: https://longhorn.io/docs/1.3.0/advanced-resources/deploy/node-selector/

14
storage/longhorn-ingress.yaml
View File

@ -4,14 +4,12 @@ metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# prevent the controller from redirecting (308) to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: 'false'
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
# custom max body size for file uploading like backing image uploading
nginx.ingress.kubernetes.io/proxy-body-size: 10000m
spec: