
    Security

    This page describes how to configure security for Kannika Armory during the installation process.

    The property names below are based on the oci://quay.io/kannika/charts/kannika Helm chart.
    When using the oci://quay.io/kannika/charts/kannika-api chart, the api. prefix should be removed from the property names.
    When using the oci://quay.io/kannika/charts/kannika-console chart, the console. prefix should be removed from the property names.

    Configuring security for the API

    Basic authentication

    This is the default authentication method for the API. Use the properties below to configure a username and password. No configuration is needed for the Console: it forwards the username and password to the API, which validates them.

    • api.config.security.enabled
    • api.config.security.username
    • api.config.security.password
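    As an added example (not taken from the Kannika documentation or the chart itself), a values file for the oci://quay.io/kannika/charts/kannika chart that keeps basic authentication enabled and sets the username. The username, the release name and the environment variable are placeholders; the password is deliberately left out of the file so it is not committed alongside the rest of the values.

```yaml
# values-basic-auth.yaml (added example; release name, username and env var are placeholders)
# Property paths follow the umbrella chart (api.config.security.*). When installing the
# oci://quay.io/kannika/charts/kannika-api chart on its own, drop the leading "api:" level
# and start at "config:".
api:
  config:
    security:
      enabled: true              # the default; stated explicitly so reviewers see the intent
      username: armory-admin     # placeholder
      # password is intentionally absent from this file. Supply it at install time so it never
      # lands in version control; --set takes precedence over values passed with -f:
      #
      #   helm upgrade --install kannika oci://quay.io/kannika/charts/kannika \
      #     -f values-basic-auth.yaml \
      #     --set api.config.security.password="$KANNIKA_API_PASSWORD"
```

    After the release is up, confirm the setting took effect by requesting any API endpoint twice: once without credentials, which should be rejected, and once with `curl -u <username>:<password>`, which should succeed. A request that succeeds without credentials means `api.config.security.enabled` ended up false (for example because of a typo in the property path, which Helm does not flag).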

    OIDC authentication

    Console configuration

    The Console offers the following options to configure OIDC authentication. When a user logs in, the Console redirects the browser to the authEndpoint using the authorization code flow with PKCE, and exchanges the returned code for tokens at the tokenEndpoint. Because the flow uses PKCE, no client secret is configured; the client should be registered as a public client at the provider.

    • console.config.security.enabled
    • console.config.security.oidc.enabled
    • console.config.security.oidc.clientId
    • console.config.security.oidc.audience
    • console.config.security.oidc.scope
    • console.config.security.oidc.authEndpoint
    • console.config.security.oidc.tokenEndpoint
    • console.config.security.oidc.logoutEndpoint

    Refresh tokens

    The Console requests the offline_access scope and uses the refresh token it receives to renew the access token silently. If the OIDC provider does not return a refresh token, the Console still works, but users are redirected to the OIDC login page upon navigation whenever the access token has expired or is about to expire.

    API configuration

    To enable OIDC authentication instead of basic authentication in the API, the following properties can be configured.

    • api.config.security.enabled
    • api.config.security.oidc.issuerUri
    • api.config.security.oidc.audience
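    As an added example covering both the Console configuration and the API configuration above (not taken from the Kannika documentation or the chart), a values file that switches the oci://quay.io/kannika/charts/kannika chart from basic authentication to OIDC. The provider at https://idp.example.com, its endpoint paths, the client ID and the audience are placeholders for a hypothetical identity provider; substitute the values your provider publishes.

```yaml
# values-oidc.yaml (added example; idp.example.com, endpoint paths, client ID and audience are
# placeholders). For the standalone kannika-console / kannika-api charts, drop the "console:" /
# "api:" level respectively and start at "config:".
console:
  config:
    security:
      enabled: true
      oidc:
        enabled: true
        clientId: kannika-console           # placeholder; register it as a public client (PKCE, no secret)
        audience: kannika-api               # keep identical to api.config.security.oidc.audience below
        scope: "openid profile email"       # the Console additionally requests offline_access for refresh tokens
        # Take these three URLs from the provider's discovery document
        # (<issuerUri>/.well-known/openid-configuration) rather than typing them from memory.
        authEndpoint: https://idp.example.com/oauth2/authorize
        tokenEndpoint: https://idp.example.com/oauth2/token
        logoutEndpoint: https://idp.example.com/oauth2/logout
api:
  config:
    security:
      enabled: true                         # must stay true; OIDC replaces basic auth, it does not bypass it
      oidc:
        issuerUri: https://idp.example.com  # the issuer whose tokens the API accepts (the iss claim)
        audience: kannika-api               # the aud value the API expects in those tokens
```

    Two checks worth doing before rolling this out: the three Console endpoints must belong to the same issuer as api.config.security.oidc.issuerUri, otherwise the API will refuse tokens the Console obtained; and the audience must be the same string on both sides, since the Console requests tokens for it and the API validates against it. On the provider side, the Console's URL has to be registered as an allowed redirect URI and the client must be allowed to request offline_access if you want refresh tokens.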

    Disable authentication

    Basic authentication is enabled by default. To disable authentication entirely, set the api.config.security.enabled configuration option to false. With authentication disabled, anyone who can reach the API can use it, so only do this when access is restricted by other means, such as network policies or authentication enforced at the ingress.

    Automatically logout inactive users

    The Console can track the user's activity and log them out automatically if they have not interacted with it for a given time. By default, a warning is shown after 15 minutes of inactivity, offering the user the choice to extend the session or to log out. If neither option is chosen within one minute, the user is logged out automatically.

    To change the default, set console.config.security.userInactivityTimeoutSeconds to the desired timeout in seconds. To disable this feature, set the timeout to 0.