Home

Awesome

<!-- markdownlint-disable MD033 --> <h1> <img src="https://github.com/sighupio/fury-distribution/blob/main/docs/assets/fury-epta-white.png?raw=true" align="left" width="90" style="margin-right: 15px"/> Kubernetes Fury Auth </h1> <!-- markdownlint-enable MD033 -->

Release License Slack

<!-- <KFD-DOCS> -->

Kubernetes Fury Auth provides Authentication Management for Kubernetes Fury Distribution (KFD).

If you are new to KFD please refer to the official documentation on how to get started with the distribution.

Overview

Kubernetes Fury Auth uses CNCF recommended, Cloud Native projects, such as the Dex identity provider, and Pomerium as an identity-aware proxy to enable secure access to internal applications.

Packages

Kubernetes Fury Auth provides the following packages:

PackageVersionDescription
Pomeriumv0.25.0Identity-aware proxy that enables secure access to internal applications.
Dexv2.38.0Dex is a Federated OpenID Connect Provider.
Gangplankv1.1.0Enable authentication flows via OIDC for a kubernetes cluster.

Compatibility

Kubernetes VersionCompatibilityNotes
1.26.x:white_check_mark:No known issues.
1.27.x:white_check_mark:No known issues.
1.28.x:white_check_mark:No known issues.
1.29.x:white_check_mark:No known issues.

Check the compatibility matrix for additional information on previous releases of the modules.

Usage

Prerequisites

ToolVersionDescription
furyctl>=0.6.0The recommended tool to download and manage KFD modules and their packages. To learn more about furyctl read the official documentation.
kustomize>=3.5.0Packages are customized using kustomize. To learn how to create your customization layer with kustomize, please refer to the repository.

Deployment with legacy furyctl

  1. List the packages you want to deploy and their version in a Furyfile.yml:
versions:
  auth: "v0.3.0"
bases:
  - name: auth/pomerium
  - name: auth/dex
  - name: auth/gangplank

See furyctl documentation for additional details about Furyfile.yml format.

  1. Execute furyctl vendor -H to download the packages

  2. Inspect the download packages under ./vendor/katalog/auth/.

  3. Define a kustomization.yaml that includes the ./vendor/katalog/auth directory as a resource.

resources:
  - ./vendor/katalog/auth/pomerium
  - ./vendor/katalog/auth/dex
  - ./vendor/katalog/auth/gangplank
  1. Create the configuration file for Dex (here's an LDAP-based example) and add it as a secret to the kustomization.yaml file, like this:
secretGenerator:
  - name: dex
    namespace: kube-system
    files:
      - config.yml=./secrets/dex/config.yml

ℹ️ read more on Dex's readme.

⛔️ Before proceeding, follow the instructions in Pomerium's package readme and Gangplank's readme to configure them.

  1. Finally, to deploy the module to your cluster, execute:
kustomize build . | kubectl apply -f -

Monitoring

KFD Auth module integrates out-of-the-box with KFD's Monitoring module. Providing metrics and dashboards to visualize the status of its components.

In particular:

<!-- markdownlint-disable MD033 -->

<a href="docs/images/screenshots/pomerium-dashboard.png"><img src="docs/images/screenshots/pomerium-dashboard.png" width="250"/></a> <a href="docs/images/screenshots/pomerium-envoy-dashboard.png"><img src="docs/images/screenshots/pomerium-envoy-dashboard.png" width="250"/></a>

<!-- markdownlint-enable MD033 -->

Screenshots

<!-- markdownlint-disable MD033 -->

<a href="docs/images/screenshots/dex.png"><img src="docs/images/screenshots/dex.png" width="250"/></a>

<a href="docs/images/screenshots/pomerium-403.png"><img src="docs/images/screenshots/pomerium-403.png" width="250"/></a>

<a href="docs/images/screenshots/pomerium-userprofile.png"><img src="docs/images/screenshots/pomerium-userprofile.png" width="250"/></a>

<!-- markdownlint-enable MD033 --> <!-- Links --> <!-- </KFD-DOCS> --> <!-- <FOOTER> -->

Contributing

Before contributing, please read first the Contributing Guidelines.

Reporting Issues

In case you experience any problems with the module, please open a new issue.

License

This module is open-source and it's released under the following LICENSE

<!-- </FOOTER> -->