Authentik proxy outposts for Traefik, Docker and K8S
This YouTube video explains how to use Authentik Outposts to securely connect Authentik (a free and open-source identity provider) to applications and services running on separate servers or Kubernetes clusters. Key points include:
What are Authentik Outposts?
- Small, deployable Authentik components that act as secure proxies. They handle authentication requests, offloading this task from the main Authentik server and improving performance.
- Four types exist: Proxy (the focus of the video), LDAP, Radius, and RI providers (allowing connection to other authentication systems).
- They connect to the main Authentik API via a service account and an auto-generated token.
- They can be deployed manually (requires manual updates) or via integrations (automatically managed and updated by Authentik).
Deployment and Configuration:
- The video demonstrates Docker and Kubernetes integrations. The Docker integration is more complex, requiring TLS certificate generation and configuration of the Docker daemon to accept TLS connections on a specific port (e.g., 2376). This involves creating certificate authority (CA), server, and client certificates.
- The Kubernetes integration is simpler, requiring only a kubeconfig file.
- The video shows how to create an Outpost, select an integration, choose an application to protect, and configure advanced settings (like Docker networks for Docker integration and Kubernetes namespaces and replicas for Kubernetes integration).
- Crucial configuration settings include: the Authentik host, the Docker network, object naming templates for consistency, and disabling ingress for internal-only Kubernetes deployments. The external hostname in the provider must match the hostname used by the reverse proxy.
- Manual deployments are not automatically updated, whereas integrations are.
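The Docker integration step above (CA, server and client certificates, then a daemon that only accepts TLS on 2376) is the part most people get wrong, so here it is as a worked example. This is an added script, not code from the video or its repository or from the authentik project: the host name, IP address, directory names and certificate subjects are placeholders, and the key size is kept at 2048 bits only so the example runs quickly.

```shell
#!/bin/sh
# Added example (not from the video or the authentik project): build a private CA,
# a server certificate for the Docker daemon and a client certificate for the
# authentik outpost integration, write the matching daemon.json, and verify the chain.
# Hostname, IP and paths below are placeholders for this example.
set -eu

# make_docker_tls OUTDIR HOST IP
make_docker_tls() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir"
  (
    cd "$outdir"
    # 1. Certificate authority: the single root of trust for daemon and outpost.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 \
      -subj "/CN=docker-ca-example" -out ca.pem
    # 2. Server certificate: the SAN must cover the name/IP the integration dials.
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -key server-key.pem -subj "/CN=$host" -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
      "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
    # 3. Client certificate: uploaded to authentik (with ca.pem) for the integration.
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -key key.pem -subj "/CN=authentik-outpost-client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    # Private keys readable only by their owner; public certs world-readable.
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
  )
}

# write_daemon_json OUTDIR CERTDIR: daemon.json that requires client certs on 2376.
# CERTDIR is where the server files will live on the Docker host (placeholder path).
write_daemon_json() {
  cat > "$1/daemon.json" <<EOF
{
  "tlsverify": true,
  "tlscacert": "$2/ca.pem",
  "tlscert": "$2/server-cert.pem",
  "tlskey": "$2/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOF
}

# verify_docker_tls OUTDIR: both leaf certs chain to the CA and carry the right EKU,
# i.e. the server cert cannot be reused as a client cert and vice versa.
verify_docker_tls() {
  openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" >/dev/null &&
  openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null &&
  openssl x509 -in "$1/server-cert.pem" -noout -ext extendedKeyUsage | grep -q 'Server Authentication' &&
  openssl x509 -in "$1/cert.pem" -noout -ext extendedKeyUsage | grep -q 'Client Authentication'
}
```

Usage: `make_docker_tls ./docker-tls docker-host.example.internal 192.0.2.10`, then `write_daemon_json ./docker-tls /etc/docker/certs` and copy `ca.pem`, `server-cert.pem` and `server-key.pem` to that directory on the Docker host before restarting the daemon; `ca.pem`, `cert.pem` and `key.pem` are what the Docker integration in Authentik needs. One caveat worth knowing: on distributions whose systemd unit already starts `dockerd` with a `-H` flag, the `hosts` key in daemon.json conflicts with it and the daemon will refuse to start until one of the two is removed.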
Protecting Applications (using Traefik as an example):
- The video uses Traefik as a reverse proxy. To protect the Traefik dashboard, a proxy provider and an application must be created within Authentik. A middleware in Traefik is configured to forward authentication requests to the Authentik Outpost, and the correct labels must be added in the Traefik configuration so the router uses that middleware.
- The process is similar for other applications: create a provider, application, outpost, configure middleware in the reverse proxy, and adjust labels accordingly.
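The middleware and label step described above, as an added example rather than the video's own boilerplate: a Traefik dynamic configuration that routes every dashboard request through an authentik proxy outpost via forwardAuth, leaves the outpost's own paths unprotected so the login callback can reach it, and a small check for the settings that most often break the integration. The host names and the `authentik-outpost` container name are placeholders; the `/outpost.goauthentik.io/auth/traefik` path is the outpost's forward-auth endpoint.

```shell
#!/bin/sh
# Added example (not from the video's repository): write a Traefik dynamic config
# protecting the dashboard with an authentik proxy outpost, then sanity-check it.
# Host names and the outpost URL are placeholders for this example.
set -eu

# write_traefik_dynamic_config FILE OUTPOST_URL DASHBOARD_HOST
write_traefik_dynamic_config() {
  cat > "$1" <<EOF
http:
  middlewares:
    authentik:
      forwardAuth:
        # The outpost answers forward-auth checks on this fixed path.
        address: "$2/outpost.goauthentik.io/auth/traefik"
        # Required so the outpost sees the original Host/URI being requested.
        trustForwardHeader: true
        # Identity headers copied onto the request once the user is authenticated.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
  routers:
    # Outpost paths (start of login, callback, sign-out) must NOT carry the
    # middleware, otherwise the browser can never complete the login flow.
    authentik-outpost:
      rule: "Host(\`$3\`) && PathPrefix(\`/outpost.goauthentik.io/\`)"
      service: authentik-outpost
      entryPoints: [websecure]
      tls: {}
    # The dashboard itself: same host, protected by the middleware.
    traefik-dashboard:
      rule: "Host(\`$3\`)"
      service: api@internal
      middlewares: [authentik]
      entryPoints: [websecure]
      tls: {}
  services:
    authentik-outpost:
      loadBalancer:
        servers:
          - url: "$2"
EOF
}

# check_traefik_dynamic_config FILE: fail fast on the usual misconfigurations.
check_traefik_dynamic_config() {
  f=$1
  grep -q 'address: ".*/outpost.goauthentik.io/auth/traefik"' "$f" ||
    { echo "forwardAuth address does not point at the outpost traefik endpoint" >&2; return 1; }
  grep -q 'trustForwardHeader: true' "$f" ||
    { echo "trustForwardHeader must be true for the outpost to see the real request" >&2; return 1; }
  grep -q 'PathPrefix(`/outpost.goauthentik.io/`)' "$f" ||
    { echo "no router exposes the outpost paths; login flow cannot complete" >&2; return 1; }
  grep -q 'middlewares: \[authentik\]' "$f" ||
    { echo "protected router does not reference the authentik middleware" >&2; return 1; }
}
```

Usage: `write_traefik_dynamic_config /etc/traefik/dynamic/authentik.yml http://authentik-outpost:9000 traefik.example.internal` followed by `check_traefik_dynamic_config /etc/traefik/dynamic/authentik.yml`. The DASHBOARD_HOST argument must be exactly the external hostname configured on the proxy provider in Authentik, which is the matching rule the summary above calls out; in a label-based setup the equivalent of the dashboard router is `traefik.http.routers.dashboard.middlewares=authentik@file` on the Traefik container.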
Other Important Points:
- The embedded Outpost runs by default on the main Authentik server.
- Remote access to the home lab is discussed, mentioning Twingate (a zero-trust network access platform) as a secure alternative to VPNs.
- A GitHub repository with boilerplate templates is provided for easier setup. It includes Docker Compose files, Authentik middleware configurations, and Traefik configurations.
The video provides a detailed, albeit complex, guide for securing applications with Authentik Outposts, focusing primarily on Traefik as a reverse proxy and covering both Docker and Kubernetes deployment scenarios. The key takeaway is the improved security and performance gained by offloading authentication to these smaller, distributed components.