Kiali

Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://kiali.{{< sitevar name="domain" nojs="example.com" >}}/
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: kiali
  • Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Configuration

Authelia

{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}} At the time of this writing, this third-party client has a bug and does not support OpenID Connect 1.0. This configuration will likely require configuring an escape hatch to work around the bug on their end. See Configuration Escape Hatch for details. {{< /callout >}}

The following YAML configuration is an example Authelia client configuration for use with Kiali which will operate with the application example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'kiali'
        client_name: 'Kiali'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://kiali.{{< sitevar name="domain" nojs="example.com" >}}/kiali'
        scopes:
          - 'openid'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
```

Application

There are two methods to configure Kiali: using the Configuration File, or using Environment Variables.

Configuration File

To configure Kiali to utilize Authelia as an OpenID Connect 1.0 Provider, use the following configuration:

Adjust your Kiali CR YAML file:

```yaml
spec:
  auth:
    strategy: 'openid'
    openid:
      client_id: 'kiali'
      disable_rbac: true
      issuer_uri: 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}'
      scopes: ['openid', 'email']
      username_claim: 'email'
```

Add the OpenID Connect 1.0 Client Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: 'kiali'
  namespace: 'istio-system'
  labels:
    app: 'kiali'
type: 'Opaque'
stringData:
  oidc-secret: 'insecure_secret'
```
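
The plaintext in Kiali's `oidc-secret` must correspond to the digest stored in Authelia's `client_secret`, and the two can drift apart when either side is rotated. The following is an added example, not part of the Authelia or Kiali projects, that re-derives the PBKDF2 key from a plaintext secret and compares it with a digest. It assumes the salt and key fields use adapted base64 ('.' in place of '+', no padding); `make_digest` is a hypothetical helper for self-checks only.

```python
import base64
import hashlib
import hmac
import os

# Digest copied from the Authelia client_secret line in the configuration above.
PAGE_DIGEST = ("$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1w"
               "Jn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng")


def _ab64_decode(text):
    """Adapted base64 (assumed encoding): '.' replaces '+', '=' padding is dropped."""
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def _ab64_encode(raw):
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def parse_digest(digest):
    """Split '$pbkdf2-<hash>$<iterations>$<salt>$<key>' into typed fields."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] or not parts[1].startswith("pbkdf2-"):
        raise ValueError("not a PBKDF2 digest in the expected layout")
    return {"hash": parts[1][len("pbkdf2-"):], "iterations": int(parts[2]),
            "salt": _ab64_decode(parts[3]), "key": _ab64_decode(parts[4])}


def secret_matches(secret, digest):
    """Re-derive the key from the plaintext and compare in constant time."""
    f = parse_digest(digest)
    derived = hashlib.pbkdf2_hmac(f["hash"], secret.encode(), f["salt"],
                                  f["iterations"], dklen=len(f["key"]))
    return hmac.compare_digest(derived, f["key"])


def make_digest(secret, iterations=310000, hash_name="sha512"):
    """Hypothetical helper for the self-check only; not Authelia's generator."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(hash_name, secret.encode(), salt, iterations)
    return f"$pbkdf2-{hash_name}${iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


if __name__ == "__main__":
    # 'insecure_secret' is the value the page puts in Kiali's oidc-secret.
    print("Kiali secret matches Authelia digest:",
          secret_matches("insecure_secret", PAGE_DIGEST))
```

Run the check with the real values from your own deployment before applying either side of the configuration, and avoid leaving the plaintext in shell history.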

See Also