Certificates

certificates are required in the following scenarios sign in and verify saml requests and responses sign json web tokens for oauth and oidc connect to remote docker hosts using docker integration verify ldap server certificates encrypt outpost endpoints default certificate kubeark identity generates a self signed certificate on the first start, which is valid for 1 year and can be used as a default for all oauth2/oidc providers this certificate is also usable for saml providers/sources, although it should be rotated regularly since some saml applications require valid certificates kubeark allows users to generate a longer validity certificate for saml use cases external certificates kubeark allows for the use of externally managed certificates through the discovery feature for docker compose installations, the /certs directory can be used as an output directory for certbot for kubernetes, custom secrets/volumes can be mapped under /certs single files can also be bind mounted into the folder following a specific naming schema files in the root directory will be imported as certificate or private key based on their filename and contents if the file is named fullchain pem or privkey pem, they will get the name of the parent folder files can have any arbitrary file structure and extension, but if the path contains "archive," the files will be ignored to better support certbot setups certs/ ├── baz │ └── bar baz │ ├── fullchain pem │ └── privkey pem ├── foo bar │ ├── fullchain pem │ └── privkey pem ├── foo key └── foo pem manual import certificates can also be imported manually to do so, run the following command within the worker container ak import certificate certificate /certs/mycert pem private key /certs/something pem name test web certificates the default webserver certificate can be configured if you wish to create a very compact and self contained install step 1 encrypt certificates with this setup, using certbot, you can use this compose override (create or edit a file called docker compose override yml in the same folder as the docker compose file) version "3 2" services certbot image certbot/dns route53\ v1 22 0 volumes \ /certs/ /etc/letsencrypt \# variables depending on dns plugin environment aws access key id command \ certonly \ non interactive \ agree tos \ m your email\@company \ d authentik company \# again, match with your provider \ dns route53 step 2 run docker compose up d , which will start certbot and generate your certificate within a few minutes, you'll see the certificate in your identity interface (if the certificate does not appear, restart the worker container this is caused by incompatible permissions set by certbot)