mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 01:36:23 +00:00

No need for custom property mapper

Signed-off-by: David Young <davidy@funkypenguin.co.nz>
This commit is contained in:
David Young
2023-11-09 09:32:58 +13:00
parent 8a01e6bfa2
commit f769cec6f5
5 changed files with 4 additions and 27 deletions

View File

@@ -64,7 +64,7 @@ kubectl config set-credentials oidc \
--exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \ --exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \
--exec-arg=--oidc-client-id=kube-apiserver \ --exec-arg=--oidc-client-id=kube-apiserver \
--exec-arg=--oidc-client-secret=<your client secret> \ --exec-arg=--oidc-client-secret=<your client secret> \
--exec-arg=--oidc-extra-scope=groups \ --exec-arg=--oidc-extra-scope=profile \
--exec-arg=--oidc-extra-scope=email --exec-arg=--oidc-extra-scope=email
``` ```
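Review bot: the change on the `--exec-arg=--oidc-extra-scope=groups` line swaps the requested scope to `profile`, but nothing in this snippet tells the reader where the `groups` claim that the kube-apiserver maps onto RBAC groups now comes from. Suggest a one-line comment above the kubeconfig block stating that the built-in `profile` scope carries the `groups` claim (if that is the rationale for dropping the custom mapping), so anyone who later trims scopes knows `profile` is load-bearing for authorization, not just for display names.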

Binary file not shown.

Before: Size 211 KiB

View File

@@ -41,15 +41,10 @@ Scroll down, and set:
![](/images/authentik-kube-apiserver-3.png) ![](/images/authentik-kube-apiserver-3.png)
Under **Advanced Protocol Settings**, below the set the scopes to include the built-in `email` scope, as well as the extra `oidc-groups` scope you added when [initially setting up authentik][k8s/authentik]:
![](/images/authentik-kube-apiserver-4.png)
Finally, enable **Include claims in id_token**, instructing authentik to send the user claims back with the id token: Finally, enable **Include claims in id_token**, instructing authentik to send the user claims back with the id token:
![](/images/authentik-kube-apiserver-5.png) ![](/images/authentik-kube-apiserver-5.png)
..and click **Finish**. On the following summary page, under **OAuth2 Provider**, take note of the **OpenID Configuration** URL (*`/application/o/kube-apiserver/.well-known/openid-configuration` if you followed my conventions above*) - you'll need this when configuring Kubernetes. ..and click **Finish**. On the following summary page, under **OAuth2 Provider**, take note of the **OpenID Configuration** URL (*`/application/o/kube-apiserver/.well-known/openid-configuration` if you followed my conventions above*) - you'll need this when configuring Kubernetes.
!!! question "What's that redirect URI for?" !!! question "What's that redirect URI for?"
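Review bot: deleting the `Under **Advanced Protocol Settings**` paragraph removes the only instruction to select scopes on the provider, so the reader now goes from the screenshot straight to "Finally, enable **Include claims in id_token**" without ever adding `profile` and `email` to the provider's allowed scopes; with those missing, the `--oidc-extra-scope=profile` request in the kubectl recipe has nothing to be granted from. Suggest replacing rather than deleting, e.g. "Under **Advanced Protocol Settings**, set the scopes to include the built-in `profile` and `email` scopes". Dropping `authentik-kube-apiserver-4.png` while keeping `-5.png` also leaves a gap in the screenshot numbering; harmless, but worth noting if the images are ever regenerated.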

View File

@@ -76,7 +76,7 @@ kubectl oidc-login setup \
All going well, your browser will open a new window, logging you into authentik, and on the CLI you should get output something like this: All going well, your browser will open a new window, logging you into authentik, and on the CLI you should get output something like this:
``` ```
~ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=cVj4YqmB4VPcq6e7 --oidc-extra-scope=groups,email ~ kubectl oidc-login setup --oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ --oidc-client-id=kube-apiserver --oidc-client-secret=cVj4YqmB4VPcq6e7 --oidc-extra-scope=profile,email
authentication in progress... authentication in progress...
## 2. Verify authentication ## 2. Verify authentication
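Review bot: the sample invocation on the `~ kubectl oidc-login setup` line carries a literal `--oidc-client-secret=cVj4YqmB4VPcq6e7` while the kubeconfig snippet further down uses `<your client secret>`; use the placeholder here too, so the doc does not normalise pasting a real secret into an interactive shell (and its history) and nobody mistakes the sample value for something to reuse. The scope change itself (`groups,email` to `profile,email`) is consistent with the kubeconfig hunks.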
@@ -126,7 +126,7 @@ kubectl config set-credentials oidc \
--exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \ --exec-arg=--oidc-issuer-url=https://authentik.example.com/application/o/kube-apiserver/ \
--exec-arg=--oidc-client-id=kube-apiserver \ --exec-arg=--oidc-client-id=kube-apiserver \
--exec-arg=--oidc-client-secret=<your client secret> \ --exec-arg=--oidc-client-secret=<your client secret> \
--exec-arg=--oidc-extra-scope=groups \ --exec-arg=--oidc-extra-scope=profile \
--exec-arg=--oidc-extra-scope=email --exec-arg=--oidc-extra-scope=email
``` ```
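Review bot: this kubeconfig snippet is a verbatim copy of the one in the first file of this patch, and the scope value had to be edited in both; consider a single include or a cross-link so the two recipes cannot drift on which scopes the kube-apiserver needs. It would also help to state next to `--exec-arg=--oidc-extra-scope=profile` that this scope is what delivers the group claim the apiserver reads, since that claim is the actual authorization boundary rather than the login itself.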

View File

@@ -186,24 +186,6 @@ Eureka! :tada:
Your user is now an authentik superuser. Confirm this by logging out as **akadmin**, and logging back in with your own credentials. Your user is now an authentik superuser. Confirm this by logging out as **akadmin**, and logging back in with your own credentials.
## Add "groups" scope
Since you'll probably want to use authentik for OIDC-secured access to various tools like the [kube-apiserver](/kubernetes/authentication/), Grafana, etc, you'll want authentik to be able to support the "groups" scope, telling OIDC clients what groups the logging-in user belongs to.
Curiously, the OIDC groups scope is **not** a default feature of authentik (*there are [requests](https://github.com/goauthentik/authentik/issues/6184) underway to address this*). There's a simple workaround to add a groups scope though, until such support becomes native...
As your new superuser, navigate to **Customization** -> **Property Mapping**, and create a new **Scope Mapping**. You can pick whatever name you want (*I used `oidc-groups`*), but you'll want to set the scope name to `groups`, since this is the convention for OIDC clients.
Set the expression to:
```python
return {
"groups": [group.name for group in user.ak_groups.all()]
}
```
That's it! Now if your OIDC clients request the `groups` scope, they'll get a list of all the authentik groups the user is a member of.
## Summary ## Summary
What have we achieved? We've got authentik running and accessible, we've created a superuser account, and we're ready to flex :muscle: the power of authentik to deploy an OIDC provider for Kubernetes, or simply secure unprotected UIs with proxy outposts! What have we achieved? We've got authentik running and accessible, we've created a superuser account, and we're ready to flex :muscle: the power of authentik to deploy an OIDC provider for Kubernetes, or simply secure unprotected UIs with proxy outposts!
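Review bot: removing the whole `## Add "groups" scope` section leaves the recipe with no mention of group claims at all, yet the section's own lead sentence was the reason they mattered: "telling OIDC clients what groups the logging-in user belongs to", which is what the kube-apiserver recipe relies on for RBAC. If the custom mapping is unnecessary because a built-in scope already emits `groups`, keep a two-line replacement naming that scope (the other hunks point at `profile`) and stating that clients must request it; otherwise the Summary now promises "an OIDC provider for Kubernetes" without the doc explaining how group membership reaches it. The deleted text also dropped the link to the upstream request (issue 6184); if that request has been resolved, saying so is the cleanest justification for the removal.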
@@ -215,7 +197,7 @@ What have we achieved? We've got authentik running and accessible, we've created
Next: Next:
* [ ] Configure Kubernetes for OIDC authentication, unlocking production readiness as well as the Kubernetes Dashboard in Weave GitOps UIs (*coming soon*) * [ ] Configure [Kubernetes OIDC authentication](/kubernetes/oidc-authentication/), unlocking production readiness as well as the [Kubernetes Dashboard][k8s/dashboard] and Weave GitOps UIs (*coming soon*)
{% include 'recipe-footer.md' %} {% include 'recipe-footer.md' %}
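Review bot: the replacement line now links `[Kubernetes OIDC authentication](/kubernetes/oidc-authentication/)` but still carries `(*coming soon*)` and an unchecked `* [ ]` box; since the other files in this patch edit that recipe, it appears to be live, so drop "coming soon" and tick the box. `[Kubernetes Dashboard][k8s/dashboard]` is a reference-style link, so confirm the `k8s/dashboard` definition exists in this page or in the included `recipe-footer.md`, otherwise it renders as literal brackets.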