From e6da20926b206389c79a0a262d1305d0b6050420 Mon Sep 17 00:00:00 2001 
From: bitpushr <91350598+bitpushr@users.noreply.github.com>
Date: Fri, 22 Mar 2024 21:20:50 +1100
Subject: [PATCH] chore(authelia, clusterissuer, metallb, traefik): Update chart-specific docs from here instead of from website repo (#19550)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Description**
⚒️ Fixes my booboo

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**

**📃 Notes:**

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic versioning
- [ ] I made sure the title starts with `feat(chart-name):`, `fix(chart-name):` or `chore(chart-name):`

**➕ App addition**

If this PR is an app addition please make sure you have done the following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png`

---

_Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._
---
 charts/premium/authelia/docs/Setup-Guide.md | 24 +++++++++---------
 .../premium/authelia/docs/authelia-rules.md | 8 +++---
 charts/premium/clusterissuer/docs/how-to.md | 2 +-
 .../metallb-config/docs/setup-guide.md | 4 ++--
 charts/premium/traefik/docs/how-to.md | 14 +++++------
 .../docs/traefik-basicAuth-middleware.md | 4 ++--
 6 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/charts/premium/authelia/docs/Setup-Guide.md b/charts/premium/authelia/docs/Setup-Guide.md index 1a160649309..c4e69888141 100644 --- a/charts/premium/authelia/docs/Setup-Guide.md +++ b/charts/premium/authelia/docs/Setup-Guide.md @@ -2,7 +2,7 @@ title: Authelia + LLDAP + Traefik ForwardAuth Setup guide --- -This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel +This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel. ## Prerequisites 
@@ -18,28 +18,28 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level ::: -- Follow the steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Pretty straightforward. Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia` +- Follow the easy steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also, make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`. ![LLDAP Config](./img/LLDAPCatalogConfig.png) -- I've set the services to `ClusterIP` since I'll be using ingress +- Ensure you've set the services to `ClusterIP` since you'll be using ingress -- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. I've created a user called `Steven` +- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. Here I've created a user called `Steven`, but you can use anything - Create an `admin` group and add `Steven` to it. We will allow users of this group to access the site with Authelia later in the guide. ## Setup Authelia -- The setup for Authelia is very specific, and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. 
The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo. +- The setup for Authelia is very specific and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo. ### App Configuration - Domain: `mydomain.com` - Your domain without https:// -- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia` +- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`. ### LDAP Backend Configuration -`Click Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend +Click `Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend: - Implementation: `Custom` (that's the default) - URL: `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890` 
@@ -63,18 +63,18 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level #### SMTP Configuration -Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587` +Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`. ### Access Control Configuration -- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all the site using a wildcard. +This section is to set rules to connect to `Authelia` and defines which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all of the site using a wildcard. Set the default `deny`. Then click `Add` next to `Rules` to get the screen below. ![AutheliaAccessControl](./img/AutheliaAccessControl.png) -- Add your `Domain` and a `Wildcard` for your subdomains. -- Set policy to `one_factor` or `two_factor`, up to you. +- Add your `Domain` and a `Wildcard` for your subdomains +- Set policy to `one_factor` or `two_factor`, up to you - Click `Add Subject` and add a subject of `group:admin` since `Steven` is part of that group. Please see [Authelia Rules](./authelia-rules) for more advanced rules. 
@@ -94,7 +94,7 @@ Please see [Authelia Rules](./authelia-rules) for more advanced rules. ![TraefikForwardAuth](./img/TraefikForwardAuth.png) - Name your `forwardauth` something you'll remember, since that's the middleware you'll add to your ingress going forward. Most people use `auth` -- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from `Heavyscript` +- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from [`HeavyScript`](https://truecharts.org/manual/SCALE/guides/getting-started/#heavyscript) - Check `trustForwardHeader` - Add the following `authResponseHeaders` (press `Add` 4 times) - `Remote-User` diff --git a/charts/premium/authelia/docs/authelia-rules.md b/charts/premium/authelia/docs/authelia-rules.md index b435988063c..bd3950f075a 100644 --- a/charts/premium/authelia/docs/authelia-rules.md +++ b/charts/premium/authelia/docs/authelia-rules.md @@ -12,13 +12,13 @@ It is important that rules are created in the correct order in Authelia. Rules a :::note[DEFAULT POLICY] -For theses rules to work as intended, your default access control policy must be set to `deny`. +For these rules to work as intended, your default access control policy must be set to `deny`. ::: All rules requiring Authelia authentication were configured with `two_factor` (2FA). If you do not want 2FA on some or all rules replace the Policy with `one_factor`. -In this guide we assume you have a group `admin` and a group `user` in ldap. +In this guide we assume you have a group `admin` and a group `user` in LDAP. Members of the `admin` group will have access to everything. Members of the `user` group will only have access to a select set of apps you choose. 
@@ -54,7 +54,7 @@ These rules will protect the Vaultwarden admin page with Authelia but bypass whe ### Rule 1 -This rule will allow users of the `admin` group to access the vaulwarden admin page. +This rule will allow users of the `admin` group to access the Vaultwarden admin page. Domain: `vaultwarden.domain.tld` @@ -70,7 +70,7 @@ Resources: `^*/admin.*$` ### Rule 2 -This rule will prevent users not in the `admin` group to access the vaulwarden admin page. +This rule will prevent users not in the `admin` group to access the Vaultwarden admin page. This is necessary even if the your default policy is set to `deny` because of the `bypass` rule below. Domain: `vaultwarden.domain.tld` diff --git a/charts/premium/clusterissuer/docs/how-to.md b/charts/premium/clusterissuer/docs/how-to.md index a8aedac7a2a..1316edb327f 100644 --- a/charts/premium/clusterissuer/docs/how-to.md +++ b/charts/premium/clusterissuer/docs/how-to.md @@ -60,7 +60,7 @@ The recommended `API Token` permissions are below: ![clusterissuer edit dialog](./img/clusterissuer-appconfig.png) -More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentaition for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/). +More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentation for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/). ### Route 53 DNS Provider diff --git a/charts/premium/metallb-config/docs/setup-guide.md b/charts/premium/metallb-config/docs/setup-guide.md index 4eaa30dd688..a59227f82a6 100644 --- a/charts/premium/metallb-config/docs/setup-guide.md +++ b/charts/premium/metallb-config/docs/setup-guide.md 
@@ -93,8 +93,8 @@ If you have an IP conflict with a previously assigned address it will show as `< :::caution -Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. This may be resolved in the future. +Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. You may need to refresh the page in your browser, bypassing your browser's cache by doing `CTRL + F5`. This may be resolved in the future. ::: -For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/) +For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/). \ No newline at end of file diff --git a/charts/premium/traefik/docs/how-to.md b/charts/premium/traefik/docs/how-to.md index a19eb757d6a..947227ae7e5 100644 --- a/charts/premium/traefik/docs/how-to.md +++ b/charts/premium/traefik/docs/how-to.md @@ -7,7 +7,7 @@ To support this, we supply a separate Traefik "ingress" app, which has been pre- :::notice -The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS +The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS. ::: 
@@ -17,9 +17,9 @@ The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress In order to set up Traefik, you will be required to change the default TrueNAS WebUI access ports. These ports are by default set to port `80` for HTTP and port `443` for HTTPS. -This is necessary as we will be setting Traefik up to function as a reverse proxy, and receive traffic on these host ports. +This is necessary as we will be setting Traefik up to function as a reverse proxy, and to receive traffic on these host ports. -In the TrueNAS Menu, navigate to **System** > **General**. Click the **Settings** button at the top right of the GUI component. +In the TrueNAS Menu, navigate to **System Settings** > **General**. Click the **Settings** button at the top right of the GUI component. Under these **GUI Settings**, change: - Web Interface HTTP Port to port `81` @@ -44,7 +44,7 @@ Ensure you are accessing your WebUI from the new ports before proceeding. ::: -### Installing the Traefik Scale App +### Installing the Traefik SCALE App :::note @@ -52,8 +52,8 @@ Traefik is part of the `premium` train, so make sure you have it enabled as spec ::: -In the TrueNAS Menu, navigate to **Apps** > **Available Applications**. Use the search bar to search for or manually -find the Traefik app in the list of apps, and click **Install** +In the TrueNAS Menu, navigate to **Apps** > **Discover Apps**. Use the search bar to search for or manually +find the Traefik app in the list of apps, and click **Install**. The setup of Traefik is relatively straight-forward. Most of the settings remain unchanged from default, except for these two: 
@@ -61,7 +61,7 @@ The setup of Traefik is relatively straight-forward. Most of the settings remain - At the bottom, check the warning checkbox. Continue to section 12, and select **Next**. Traefik will now be installed. -After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking "Web Portal" on the application's entry under **Apps** > **Installed Applications**. +After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking `Open` on the application's entry under **Apps** > **Installed Applications**. ## Video Guide diff --git a/charts/premium/traefik/docs/traefik-basicAuth-middleware.md b/charts/premium/traefik/docs/traefik-basicAuth-middleware.md index 025cd8d6b56..b586d9e55d8 100644 --- a/charts/premium/traefik/docs/traefik-basicAuth-middleware.md +++ b/charts/premium/traefik/docs/traefik-basicAuth-middleware.md @@ -2,7 +2,7 @@ title: Add Traefik Basic Auth to Apps --- -Our `traefik` chart has the ability to add various `middlewares` to the chart can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware. +Our `traefik` chart has the ability to add various `middlewares` to the chart that can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware. ## Prerequisites 
@@ -14,7 +14,7 @@ Once `traefik` is installed, scroll down to the `Middlewares` section ![BasicAuth](./img/BasicAuth.png) -When there, you can fill out the `Configure basicAuth` section with as follows +When there, you can fill out the `Configure basicAuth` section with what follows: - Name the `basicAuth`, most people choose `basic` - Add as name users as necessary, choosing a specific `Username` and `Password` for each user.
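Review bot: In charts/premium/authelia/docs/Setup-Guide.md (hunk @@ -18,28), the rewritten bullets end inconsistently: the `ClusterIP` bullet and the "Here I've created a user called `Steven`, but you can use anything" bullet have no closing period, while the bullets around them now do. The reworded Authelia sentence also still reads "there's precise steps"; suggest "there are precise steps". Since `dc=MYDOMAIN,dc=net` is an example rather than a restatement, "e.g." fits better than "i.e.".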
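Review bot: In charts/premium/authelia/docs/Setup-Guide.md (hunk @@ -63,18), the context line "Set the default `deny`." is left untouched and drops its noun; authelia-rules.md in this same patch says the rules only work as intended when the default access control policy is `deny`, so spell it out as "Set the default policy to `deny`." The hunk also removes the periods from the `Domain` and policy bullets while the `Add Subject` bullet keeps its period and the rest of the patch adds periods; pick one convention.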
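Review bot: In charts/premium/authelia/docs/Setup-Guide.md (hunk @@ -94,7), the edited Address bullet still says only "replace the last part based on `mydomain.com`" and never states that the `rd=` value must be the Authelia ingress URL set earlier as Default Redirection URL (`https://auth.mydomain.com`); say so explicitly so the redirect target and the Authelia ingress cannot drift apart. The unchanged "Check `trustForwardHeader`" bullet gives no reason either; that option makes Traefik trust incoming X-Forwarded-* headers, so a short clause on when it is appropriate would help readers decide.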
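Review bot: In charts/premium/authelia/docs/authelia-rules.md (hunk @@ -70,7), the Rule 2 sentence is touched only for the Vaultwarden spelling and still reads "prevent users not in the `admin` group to access"; suggest "prevent users who are not in the `admin` group from accessing". The next context line has "even if the your default policy", where "the" should go. Separately, the resource pattern shown in the hunk header, `^*/admin.*$`, puts `*` directly after the `^` anchor; please confirm it matches what is intended for the admin path, since this rule is what keeps non-admins off that page once the `bypass` rule exists.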
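Review bot: In charts/premium/metallb-config/docs/setup-guide.md (hunk @@ -93,8), the link text on the edited last line still says "MetaLB" although the caution above it spells the name "MetalLB"; fix it while the line is being changed. The new refresh sentence is inserted in front of "This may be resolved in the future.", so "This" now appears to refer to the refresh rather than to the **Open** button issue; move the refresh hint after that sentence or reword it. The file also still ends without a trailing newline.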
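Review bot: In charts/premium/traefik/docs/how-to.md (hunk @@ -61,7), the button is now written as `Open` in code formatting, while the metallb guide in this patch writes the same button as **Open** and the other UI labels in this file are bold; use **Open**. The earlier hunk in this file renames the menu path to **Apps** > **Discover Apps**, but this line keeps **Apps** > **Installed Applications**; check that label against the current UI as well.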
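Review bot: In charts/premium/traefik/docs/traefik-basicAuth-middleware.md (hunk @@ -14,7), the context bullet "Add as name users as necessary" is still garbled; it presumably means "Add as many users as necessary" and can be fixed in the same pass. The new wording "with what follows:" would read more simply as "as follows:".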