habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

outposts: add remote docker integration via SSH

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2021-12-25 16:31:34 +01:00
parent 19b707a0fb
commit 6510b97c1e
14 changed files with 397 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
website/docs/outposts/integrations/docker.md
View File

@ -39,7 +39,7 @@ To minimise the potential risks of mapping the docker socket into a container/gi
- Containers/Kill: Cleanup during upgrades
- Containers/Remove: Removal of outposts
## Remote hosts
## Remote hosts (TLS)
To connect remote hosts, you can follow this Guide from Docker [Use TLS (HTTPS) to protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket) to configure Docker.
@ -49,3 +49,25 @@ Afterwards, create two Certificate-keypairs in authentik:
- `Docker Cert`, with the contents of `~/.docker/cert.pem` as Certificate and `~/.docker/key.pem` as Private key.
Create an integration with `Docker CA` as *TLS Verification Certificate* and `Docker Cert` as *TLS Authentication Certificate*.
## Remote hosts (SSH)
Starting with authentik 2021.12.5, you can connect to remote docker hosts using SSH. To configure this, create a new SSH keypair using these commands:
```
# Generate the keypair itself, using RSA keys in the PEM format
ssh-keygen -t rsa -f authentik -N "" -m pem
# Generate a certificate from the private key, required by authentik.
# The values that openssl prompts you for are not relevant
openssl req -x509 -sha256 -nodes -days 365 -out certificate.pem -key authentik
```
You'll end up with three files:
- `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user.
- `authentik` is the private key, which should be imported into a Keypair in authentik.
- `certificate.pem` is the matching certificate for the keypair above.
Modify/create a new Docker integration, and set your *Docker URL* to `ssh://hostname`, and select the keypair you created above as *TLS Authentication Certificate/SSH Keypair*.
The *Docker URL* field include a user, if none is specified authentik connects with the user `authentik`.