chore(authelia, clusterissuer, metallb, traefik): Update chart-specific docs from here instead of from website repo (#19550)

**Description**

Instead of updating chart-specific docs from the website repo in [this](d3e3643194) PR, update from this charts repo so they don't get overwritten. Thanks ksimm1.

⚒️ Fixes my booboo

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning
- [ ] I made sure the title starts with `feat(chart-name):`,
`fix(chart-name):` or `chore(chart-name):`

**App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what this is all about and the status of this PR with a quick glance._
bitpushr 2024-03-22 21:20:50 +11:00 committed by GitHub
parent bac09a0eb2
commit e6da20926b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 28 additions and 28 deletions

@ -2,7 +2,7 @@
title: Authelia + LLDAP + Traefik ForwardAuth Setup guide
---
This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel
This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel.
## Prerequisites
@ -18,28 +18,28 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level
:::
- Follow the steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Pretty straightforward. Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`
- Follow the easy steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also, make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`.
![LLDAP Config](./img/LLDAPCatalogConfig.png)
- I've set the services to `ClusterIP` since I'll be using ingress
- Ensure you've set the services to `ClusterIP` since you'll be using ingress
- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. I've created a user called `Steven`
- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. Here I've created a user called `Steven`, but you can use anything
- Create an `admin` group and add `Steven` to it. We will allow users of this group to access the site with Authelia later in the guide.
## Setup Authelia
- The setup for Authelia is very specific, and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo.
- The setup for Authelia is very specific and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo.
### App Configuration
- Domain: `mydomain.com` - Your domain without https://
- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`
- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`.
### LDAP Backend Configuration
`Click Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend
Click `Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend:
- Implementation: `Custom` (that's the default)
- URL: `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890`
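Review bot: In the reworded LLDAP installation bullet, "i.e. `dc=MYDOMAIN,dc=net`" should be "e.g.", since `dc=MYDOMAIN,dc=net` is an example value rather than a restatement. Two smaller points in the same hunk: the Authelia setup bullet still says "there's precise steps" (should be "there are precise steps"), and because the bind URL `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890` is plain LDAP, a half-sentence noting that the bind credentials travel unencrypted on the cluster network would help readers judge whether that is acceptable for their deployment.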
@ -63,18 +63,18 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level
#### SMTP Configuration
Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`
Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`.
### Access Control Configuration
- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all the site using a wildcard.
This section is to set rules to connect to `Authelia` and defines which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all of the site using a wildcard.
Set the default `deny`. Then click `Add` next to `Rules` to get the screen below.
![AutheliaAccessControl](./img/AutheliaAccessControl.png)
- Add your `Domain` and a `Wildcard` for your subdomains.
- Set policy to `one_factor` or `two_factor`, up to you.
- Add your `Domain` and a `Wildcard` for your subdomains
- Set policy to `one_factor` or `two_factor`, up to you
- Click `Add Subject` and add a subject of `group:admin` since `Steven` is part of that group.
Please see [Authelia Rules](./authelia-rules) for more advanced rules.
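Review bot: The context line "Set the default `deny`." under Access Control Configuration is missing its object; suggest "Set the default policy to `deny`." so it matches the `:::note[DEFAULT POLICY]` wording in the authelia-rules file changed in this same PR. The two reworded bullets drop their trailing periods while the following "Click `Add Subject`" bullet keeps one, so pick one style for the list; and in the SMTP line, "Check your mail provider for this, generally Gmail gives you an app specific password" is a comma splice and "app-specific" wants a hyphen.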
@ -94,7 +94,7 @@ Please see [Authelia Rules](./authelia-rules) for more advanced rules.
![TraefikForwardAuth](./img/TraefikForwardAuth.png)
- Name your `forwardauth` something you'll remember, since that's the middleware you'll add to your ingress going forward. Most people use `auth`
- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from `Heavyscript`
- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from [`HeavyScript`](https://truecharts.org/manual/SCALE/guides/getting-started/#heavyscript)
- Check `trustForwardHeader`
- Add the following `authResponseHeaders` (press `Add` 4 times)
- `Remote-User`
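Review bot: The "Check `trustForwardHeader`" bullet deserves one clarifying sentence: with that option enabled, Traefik passes along any `X-Forwarded-*` headers already present on the incoming request instead of setting them from the request itself, and Authelia uses those headers (host and URI) to decide which access-control rule applies, so the setting is only safe when Traefik is the first hop or when the entrypoint is configured to trust forwarded headers only from specific upstream proxies. The Address line is fine as changed; consider also reminding readers to replace both occurrences of `mydomain.com` in it.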

@ -12,13 +12,13 @@ It is important that rules are created in the correct order in Authelia. Rules a
:::note[DEFAULT POLICY]
For theses rules to work as intended, your default access control policy must be set to `deny`.
For these rules to work as intended, your default access control policy must be set to `deny`.
:::
All rules requiring Authelia authentication were configured with `two_factor` (2FA). If you do not want 2FA on some or all rules replace the Policy with `one_factor`.
In this guide we assume you have a group `admin` and a group `user` in ldap.
In this guide we assume you have a group `admin` and a group `user` in LDAP.
Members of the `admin` group will have access to everything.
Members of the `user` group will only have access to a select set of apps you choose.
@ -54,7 +54,7 @@ These rules will protect the Vaultwarden admin page with Authelia but bypass whe
### Rule 1
This rule will allow users of the `admin` group to access the vaulwarden admin page.
This rule will allow users of the `admin` group to access the Vaultwarden admin page.
Domain: `vaultwarden.domain.tld`
@ -70,7 +70,7 @@ Resources: `^*/admin.*$`
### Rule 2
This rule will prevent users not in the `admin` group to access the vaulwarden admin page.
This rule will prevent users not in the `admin` group to access the Vaultwarden admin page.
This is necessary even if the your default policy is set to `deny` because of the `bypass` rule below.
Domain: `vaultwarden.domain.tld`
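Review bot: The unchanged context line "This is necessary even if the your default policy is set to `deny`" has a stray "the"; since this hunk already edits the sentence above it, dropping it here is cheap. The reasoning itself is worth keeping, as it is the one place the guide explains why an explicit deny rule is needed ahead of the `bypass` rule given that rules are evaluated in order.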

@ -60,7 +60,7 @@ The recommended `API Token` permissions are below:
![clusterissuer edit dialog](./img/clusterissuer-appconfig.png)
More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentaition for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/).
More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentation for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/).
### Route 53 DNS Provider

@ -93,8 +93,8 @@ If you have an IP conflict with a previously assigned address it will show as `<
:::caution
Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. This may be resolved in the future.
Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. You may need to refresh the page in your browser, bypassing your browser's cache by doing `CTRL + F5`. This may be resolved in the future.
:::
For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/)
For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/).
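Review bot: "[MetaLB documentation]" in the last changed line still misspells the project name; while adding the period, make it "MetalLB documentation" to match "MetalLB-Assigned IP" a few lines above. The added `CTRL + F5` hint reads as a workaround for the Known Issue, but the preceding sentence describes the **Open** buttons linking to the SCALE Host IP rather than a caching problem; if the refresh is meant for a stale Installed Applications page after MetalLB assigns an address, say so, otherwise readers will expect the refresh to change where the button points.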

@ -7,7 +7,7 @@ To support this, we supply a separate Traefik "ingress" app, which has been pre-
:::notice
The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS
The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS.
:::
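Review bot: `:::notice` differs from the `:::note` and `:::caution` admonitions used in the other files of this PR, and `notice` is not one of the default Docusaurus admonition types; unless the site config defines it, this block may render as plain text. Consider `:::note` here while the line is being touched.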
@ -17,9 +17,9 @@ The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress
In order to set up Traefik, you will be required to change the default TrueNAS WebUI access ports.
These ports are by default set to port `80` for HTTP and port `443` for HTTPS.
This is necessary as we will be setting Traefik up to function as a reverse proxy, and receive traffic on these host ports.
This is necessary as we will be setting Traefik up to function as a reverse proxy, and to receive traffic on these host ports.
In the TrueNAS Menu, navigate to **System** > **General**. Click the **Settings** button at the top right of the GUI component.
In the TrueNAS Menu, navigate to **System Settings** > **General**. Click the **Settings** button at the top right of the GUI component.
Under these **GUI Settings**, change:
- Web Interface HTTP Port to port `81`
@ -44,7 +44,7 @@ Ensure you are accessing your WebUI from the new ports before proceeding.
:::
### Installing the Traefik Scale App
### Installing the Traefik SCALE App
:::note
@ -52,8 +52,8 @@ Traefik is part of the `premium` train, so make sure you have it enabled as spec
:::
In the TrueNAS Menu, navigate to **Apps** > **Available Applications**. Use the search bar to search for or manually
find the Traefik app in the list of apps, and click **Install**
In the TrueNAS Menu, navigate to **Apps** > **Discover Apps**. Use the search bar to search for or manually
find the Traefik app in the list of apps, and click **Install**.
The setup of Traefik is relatively straight-forward. Most of the settings remain unchanged from default, except for these two:
@ -61,7 +61,7 @@ The setup of Traefik is relatively straight-forward. Most of the settings remain
- At the bottom, check the warning checkbox.
Continue to section 12, and select **Next**. Traefik will now be installed.
After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking "Web Portal" on the application's entry under **Apps** > **Installed Applications**.
After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking `Open` on the application's entry under **Apps** > **Installed Applications**.
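Review bot: The changed line tells readers the Traefik dashboard is reachable on the host IP at `:9000` but says nothing about who can reach it; since the dashboard lists every router, service and middleware, a sentence pointing at restricting access (the Basic Auth middleware guide in this same PR is a natural reference) would fit here. Also, the new line uses backticks for `Open` while the other files in this PR use bold for UI buttons (**Open**, **Install**), so **Open** would be consistent.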
## Video Guide

@ -2,7 +2,7 @@
title: Add Traefik Basic Auth to Apps
---
Our `traefik` chart has the ability to add various `middlewares` to the chart can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware.
Our `traefik` chart has the ability to add various `middlewares` to the chart that can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware.
## Prerequisites
@ -14,7 +14,7 @@ Once `traefik` is installed, scroll down to the `Middlewares` section
![BasicAuth](./img/BasicAuth.png)
When there, you can fill out the `Configure basicAuth` section with as follows
When there, you can fill out the `Configure basicAuth` section with what follows:
- Name the `basicAuth`, most people choose `basic`
- Add as name users as necessary, choosing a specific `Username` and `Password` for each user.
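Review bot: "with what follows:" in the new line is still awkward; "as follows:" is the idiom. The unchanged bullet "Add as name users as necessary" has a typo for "Add as many users as necessary" and could be fixed in the same hunk.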