diff --git a/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx b/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx index 423266a..a07da08 100644 --- a/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx +++ b/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx @@ -2,6 +2,8 @@ title: Deploy Omni on Prem --- +import { omni_release } from '/snippets/custom-variables.mdx'; + This guide shows you how to deploy Omni on-prem. This guide assumes that Omni will be deployed on an Ubuntu machine. Small differences should be expected when using a different OS. For SAML integration sections, this guide assumes Azure AD will be the provider for SAML. 
@@ -151,36 +153,9 @@ There are two easy ways to run Omni: docker-compose and a simple `docker run`. W #### Auth0 - ```bash - docker run \ - --net=host \ - --cap-add=NET_ADMIN \ - --device /dev/net/tun \ - -v $PWD/etcd:/_out/etcd \ - -v :/tls.crt \ - -v :/tls.key \ - -v $PWD/omni.asc:/omni.asc \ - ghcr.io/siderolabs/omni: \ - --account-id=$(uuidgen) \ - --name=onprem-omni \ - --cert=/tls.crt \ - --key=/tls.key \ - --siderolink-api-cert=/tls.crt \ - --siderolink-api-key=/tls.key \ - --private-key-source=file:///omni.asc \ - --event-sink-port=8091 \ - --bind-addr=0.0.0.0:443 \ - --siderolink-api-bind-addr=0.0.0.0:8090 \ - --k8s-proxy-bind-addr=0.0.0.0:8100 \ - --advertised-api-url=https:/// \ - --siderolink-api-advertised-url=https://:8090/ \ - --siderolink-wireguard-advertised-addr=:50180 \ - --advertised-kubernetes-proxy-url=https://:8100/ \ - --auth-auth0-enabled=true \ - --auth-auth0-domain= \ - --auth-auth0-client-id= \ - --initial-users= - ``` + + {`docker run \\\n --net=host \\\n --cap-add=NET_ADMIN \\\n --device /dev/net/tun \\\n -v $PWD/etcd:/_out/etcd \\\n -v :/tls.crt \\\n -v :/tls.key \\\n -v $PWD/omni.asc:/omni.asc \\\n ghcr.io/siderolabs/omni:${omni_release} \\\n --account-id=$(uuidgen) \\\n --name=onprem-omni \\\n --cert=/tls.crt \\\n --key=/tls.key \\\n --siderolink-api-cert=/tls.crt \\\n --siderolink-api-key=/tls.key \\\n --private-key-source=file:///omni.asc \\\n --event-sink-port=8091 \\\n --bind-addr=0.0.0.0:443 \\\n --siderolink-api-bind-addr=0.0.0.0:8090 \\\n --k8s-proxy-bind-addr=0.0.0.0:8100 \\\n --advertised-api-url=https:/// \\\n --siderolink-api-advertised-url=https://:8090/ \\\n --siderolink-wireguard-advertised-addr=:50180 \\\n --advertised-kubernetes-proxy-url=https://:8100/ \\\n --auth-auth0-enabled=true \\\n --auth-auth0-domain= \\\n --auth-auth0-client-id= \\\n --initial-users=`} + **Note:** The `siderolink-wireguard-advertised-addr` **must** point to an IP, not the domain name. 
@@ -190,34 +165,10 @@ There are two easy ways to run Omni: docker-compose and a simple `docker run`. W #### SAML - ```bash - docker run \ - --net=host \ - --cap-add=NET_ADMIN \ - --device /dev/net/tun \ - -v $PWD/etcd:/_out/etcd \ - -v :/tls.crt \ - -v :/tls.key \ - -v $PWD/omni.asc:/omni.asc \ - ghcr.io/siderolabs/omni: \ - --account-id=$(uuidgen) \ - --name=onprem-omni \ - --cert=/tls.crt \ - --key=/tls.key \ - --siderolink-api-cert=/tls.crt \ - --siderolink-api-key=/tls.key \ - --private-key-source=file:///omni.asc \ - --event-sink-port=8091 \ - --bind-addr=0.0.0.0:443 \ - --siderolink-api-bind-addr=0.0.0.0:8090 \ - --k8s-proxy-bind-addr=0.0.0.0:8100 \ - --advertised-api-url=https:/// \ - --siderolink-api-advertised-url=https://:8090/ \ - --siderolink-wireguard-advertised-addr=:50180 \ - --advertised-kubernetes-proxy-url=https://:8100/ \ - --auth-saml-enabled=true \ - --auth-saml-url= - ``` + + {`docker run \\\n --net=host \\\n --cap-add=NET_ADMIN \\\n --device /dev/net/tun \\\n -v $PWD/etcd:/_out/etcd \\\n -v :/tls.crt \\\n -v :/tls.key \\\n -v $PWD/omni.asc:/omni.asc \\\n ghcr.io/siderolabs/omni:${omni_release} \\\n --account-id=$(uuidgen) \\\n --name=onprem-omni \\\n --cert=/tls.crt \\\n --key=/tls.key \\\n --siderolink-api-cert=/tls.crt \\\n --siderolink-api-key=/tls.key \\\n --private-key-source=file:///omni.asc \\\n --event-sink-port=8091 \\\n --bind-addr=0.0.0.0:443 \\\n --siderolink-api-bind-addr=0.0.0.0:8090 \\\n --k8s-proxy-bind-addr=0.0.0.0:8100 \\\n --advertised-api-url=https:/// \\\n --siderolink-api-advertised-url=https://:8090/ \\\n --siderolink-wireguard-advertised-addr=:50180 \\\n --advertised-kubernetes-proxy-url=https://:8100/ \\\n --auth-saml-enabled=true \\\n --auth-saml-url= + `} + **Note** 
@@ -225,40 +176,11 @@ There are two easy ways to run Omni: docker-compose and a simple `docker run`. W #### OIDC - ```bash - docker run \ - --net=host \ - --cap-add=NET_ADMIN \ - --device /dev/net/tun \ - -v $PWD/etcd:/_out/etcd \ - -v :/tls.crt \ - -v :/tls.key \ - -v $PWD/omni.asc:/omni.asc \ - ghcr.io/siderolabs/omni: \ - --account-id=$(uuidgen) \ - --name=onprem-omni \ - --cert=/tls.crt \ - --key=/tls.key \ - --siderolink-api-cert=/tls.crt \ - --siderolink-api-key=/tls.key \ - --private-key-source=file:///omni.asc \ - --event-sink-port=8091 \ - --bind-addr=0.0.0.0:443 \ - --siderolink-api-bind-addr=0.0.0.0:8090 \ - --k8s-proxy-bind-addr=0.0.0.0:8100 \ - --advertised-api-url=https:/// \ - --siderolink-api-advertised-url=https://:8090/ \ - --siderolink-wireguard-advertised-addr=:50180 \ - --advertised-kubernetes-proxy-url=https://:8100/ \ - --auth-oidc-enabled \ - --auth-oidc-provider-url \ - --auth-oidc-client-id \ - --auth-oidc-client-secret \ - --auth-oidc-logout-url \ - --auth-oidc-scopes openid \ - --auth-oidc-scopes profile \ - --auth-oidc-scopes email - ``` + + {` + docker run \\\n --net=host \\\n --cap-add=NET_ADMIN \\\n --device /dev/net/tun \\\n -v $PWD/etcd:/_out/etcd \\\n -v :/tls.crt \\\n -v :/tls.key \\\n -v $PWD/omni.asc:/omni.asc \\\n ghcr.io/siderolabs/omni:${omni_release} \\\n --account-id=$(uuidgen) \\\n --name=onprem-omni \\\n --cert=/tls.crt \\\n --key=/tls.key \\\n --siderolink-api-cert=/tls.crt \\\n --siderolink-api-key=/tls.key \\\n --private-key-source=file:///omni.asc \\\n --event-sink-port=8091 \\\n --bind-addr=0.0.0.0:443 \\\n --siderolink-api-bind-addr=0.0.0.0:8090 \\\n --k8s-proxy-bind-addr=0.0.0.0:8100 \\\n --advertised-api-url=https:/// \\\n --siderolink-api-advertised-url=https://:8090/ \\\n --siderolink-wireguard-advertised-addr=:50180 \\\n --advertised-kubernetes-proxy-url=https://:8100/ \\\n --auth-oidc-enabled \\\n --auth-oidc-provider-url \\\n --auth-oidc-client-id \\\n --auth-oidc-client-secret \\\n --auth-oidc-logout-url 
\\\n --auth-oidc-scopes openid \\\n --auth-oidc-scopes profile \\\n --auth-oidc-scopes email + `} + **Note** diff --git a/public/omni/security-and-authentication/authentication-and-authorization.mdx b/public/omni/security-and-authentication/authentication-and-authorization.mdx index 8b440ca..21e28fd 100644 --- a/public/omni/security-and-authentication/authentication-and-authorization.mdx +++ b/public/omni/security-and-authentication/authentication-and-authorization.mdx 
@@ -2,28 +2,38 @@ title: Authentication and Authorization --- -### Auth0 +Omni integrates with several identity providers to authenticate users securely. This page provides an overview of supported authentication methods and how they affect user and role management. -#### Github +## Auth0 -In order to login with GitHub you must use your primary verified email. +Omni supports authentication via Auth0. -### OIDC +### GitHub -OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol that provides user authentication and basic profile information for web and mobile applications. +When logging in with GitHub, you must use your primary verified email address. -### SAML +## OIDC -Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). Omni plays the role of service provider. +OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It provides user authentication and basic profile information for web and mobile applications. Omni can be configured to use OIDC providers to authenticate users. -To enable SAML on your account please submit a ticket in [Zendesk](https://sidero.zendesk.com/). Or reach out to us in the #omni channel in [Slack](https://slack.dev.talos-systems.io/). +## SAML -SAML alters Omni user management: +Security Assertion Markup Language (SAML) is an open standard that enables identity providers (IdPs) to pass authentication and authorization information to service providers (SPs). In this workflow, Omni acts as the service provider. -* Users are automatically created on the first login into Omni: -* the first user gets `Admin` role; -* any subsequently created user gets `None` role. -* `Admin` can change other users' roles. -* Creating or deleting a user is not possible from within Omni - only within the IdP. 
-* Omni gets the user attributes from the SAML assertion and adds them as labels to `Identity` resource with `saml.omni.sidero.dev/` prefix. -* ACL can be used to adjust fine grained permissions instead of changing the user roles. +To enable SAML for your account, please submit a ticket through [Zendesk](https://sidero.zendesk.com/) or contact us in the `#omni` channel on [Slack](https://slack.dev.talos-systems.io/). + +Using SAML changes how user identities are managed in Omni: + +* Users are created automatically on their first login to Omni. + * The first user created is assigned the `Admin` role. + * All subsequent users are assigned the `None` role. +* An `Admin` can modify the roles of other users. +* User creation and removal must be performed in the IdP — not in Omni. +* Attributes from the SAML assertion are added to the user’s `Identity` resource with the prefix `saml.omni.sidero.dev/`. +* Access Control Lists (ACLs) can be used to grant fine-grained permissions beyond roles. + +## Authentication for Automation + +In addition to interactive login, `omnictl` can also be used in automation. When using user authentication in non-interactive workflows, Omni issues short-lived credentials that expire after a limited time. User tokens can remain valid for up to eight hours, and Omni-generated user public keys currently expire after four hours. These limits are not configurable. + +Because of this, long-running automation or CI/CD pipelines that rely on user authentication may fail when credentials expire. To ensure uninterrupted access for automation, scripts, and other non-interactive use cases, we recommend using Omni Service Accounts instead of user authentication. \ No newline at end of file diff --git a/public/snippets/custom-variables.mdx b/public/snippets/custom-variables.mdx index 5dc7edf..6c9e4a5 100644 --- a/public/snippets/custom-variables.mdx +++ b/public/snippets/custom-variables.mdx 
@@ -1,6 +1,9 @@ +{/* latest Kubernetes release version */} export const k8s_prev_release = '1.33.0' export const k8s_release = '1.34.0' +{/* latest Omni release version */} +export const omni_release = 'v1.2.1' {/* latest Talos release version */} export const release = 'v1.11.0'
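Review bot: In the Auth0 hunk of `deploy-omni-on-prem.mdx` (`@@ -151,36 +153,9 @@`) the removed fence declared `bash`, while the lines surrounding the new template literal render as empty `+` lines here, so the component that wraps `{`docker run ...`}` cannot be checked from this diff; confirm it still receives a language so the command keeps syntax highlighting and copy behaviour. The literal itself looks right: `\\\n` yields a backslash plus newline for line continuation, `${omni_release}` is the only interpolation, and `$PWD` / `$(uuidgen)` are left untouched because they are not `${...}` expressions.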
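Review bot: In the SAML hunk of `deploy-omni-on-prem.mdx` (`@@ -190,34 +165,10 @@`) the template literal does not close right after `--auth-saml-url=`; it continues onto a new line with a leading space before `` `} ``, so the rendered command ends with a trailing newline and whitespace-only line. Close the literal directly after `--auth-saml-url=` so the block matches the Auth0 block, which ends with `--initial-users=`}` on the same line.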
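Review bot: In the OIDC hunk of `deploy-omni-on-prem.mdx` (`@@ -225,40 +176,11 @@`) the literal opens with `{`` followed by a line break before `docker run`, so the rendered command starts with a blank line (and possibly a leading space from the source indentation), and it has the same trailing `\n `}` ending as the SAML block. Start the literal with `docker run` immediately after the backtick and close it directly after `--auth-oidc-scopes email`, as in the Auth0 block. Since this example passes `--auth-oidc-client-secret` on the command line, where it is visible in process listings and shell history, it would also help readers to note in the surrounding text whatever mechanism Omni supports for supplying that value without putting it in the argument list.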
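Review bot: In the `authentication-and-authorization.mdx` hunk, the new "Authentication for Automation" section recommends Omni Service Accounts for scripts and CI/CD but does not link to the page that explains how to create and scope one; add that cross-reference, and consider how the hard-coded "up to eight hours" / "four hours" expiry figures will be kept in step with the product, since the text asserts they are not configurable. Two smaller points: the GitHub subsection now sits under "Auth0" with no sentence saying GitHub login is provided through the Auth0 connection, and the file ends with "\ No newline at end of file", which should be fixed.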
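Review bot: In the `custom-variables.mdx` hunk, `omni_release = 'v1.2.1'` carries a `v` prefix that is substituted verbatim into `ghcr.io/siderolabs/omni:${omni_release}` on the on-prem page; verify the published image tags use that prefix (the Talos `release` constant does, `k8s_release` does not), otherwise every `docker run` example on that page pulls a non-existent tag. Because this single constant now decides which Omni build readers deploy, bumping it should be added to the release checklist alongside the Talos and Kubernetes constants.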