Add LDAP auth for elasticsearch using nginx-ldapauth-proxy #250
Comments
NicolasT
added
state:question
|
To access cluster-provisioned services like Kibana and Grafana, we document the use of The Elasticsearch as deployed with MetalK8s is not really intended to be used by any other services except for cluster logging, so this shouldn't be exposed through an If at some point we integrate an OIDC provider (see #85, #83, #84) we could deploy a mechanism to access Kibana and Grafana more directly, without going through the API proxy, by fronting them with e.g. I'd rather not integrate Overall, access to cluster resources, be it K8s API, Kibana logs, Grafana,... all falls somewhat in the same realm authentication/authorization-wise. |
|
i didn't know that Dex can be configured in such a way to allow http auth to a resource, such as kibana to be password protected. does it? i thought it can only operate as a backend to something that consumes dex like if it was a database of users, but some script still needs to attempt to access "dex"? |
|
Dex doesn't, but an OIDC-aware authenticating proxy (like |
|
With helm/charts@b19cd59#diff-1104eae0826c45bb7d9cd233aff17b1e in the Kibana chart, once we have the Helm 'values override' in place everywhere (cfr. #291), it should be possible to set up auth for Kibana without any changes to MetalK8s required. |
Since nginx-ingress is already part of metal-k8s, wouldn't it be beneficial to add nginx-ldapauth-proxy to metal-k8s as an optional component to allow to securely expose kibana and maybe elasticsearch?
Helm Chart itself:
https://github.com/helm/charts/tree/master/stable/nginx-ldapauth-proxy
And the use-case example:
https://github.com/helm/charts/blob/master/incubator/elastic-stack/requirements.yaml#L20
https://github.com/helm/charts/blob/master/incubator/elastic-stack/values.yaml#L18
The text was updated successfully, but these errors were encountered: