Security
This page describes how to configure security for Kannika Armory during the installation process.
The property names below are based on the oci://quay.io/kannika/charts/kannika Helm chart.
When using the oci://quay.io/kannika/charts/kannika-api chart, the api. prefix should be removed from the property names.
When using the oci://quay.io/kannika/charts/kannika-console chart, the console. prefix should be removed from the property names.
Configuring security for the API
Basic authentication
This is the default authentication method for the API. Use the properties below to configure a username and password. No configuration is needed for the console as it will validate the username and password using the API.
api.config.security.enabled
api.config.security.username
api.config.security.password
OIDC authentication
Console configuration
The Console offers the following options to configure OIDC authentication.
When logging in, the console will redirect the user to the authEndpoint using the authorization code flow with PKCE.
Key | Description |
---|---|
console.config.security.enabled | Boolean flag that enables or disables security features for the Console. When set to true, it activates security mechanisms like OIDC and Basic Auth. (Enabled by default) |
console.config.security.oidc.enabled | Controls whether OpenID Connect (OIDC) is enabled for the console. Setting it to true initiates the OIDC flow for user authentication. |
console.config.security.oidc.clientId | Client ID assigned to the Console by the OIDC provider. The OIDC provider uses this ID to validate your application’s requests. |
console.config.security.oidc.audience | Intended recipient for the tokens issued by the OIDC provider. |
console.config.security.oidc.scope | Level of access the Console requests from the OIDC provider. It’s a space-separated list of permission scopes (e.g., profile, email) that the provider grants access to. |
console.config.security.oidc.authEndpoint | URL of the OIDC provider’s authorization endpoint. This is where the initial request for user authentication is directed. |
console.config.security.oidc.tokenEndpoint | URL of the OIDC provider’s token endpoint. After successful user authentication, the Console retrieves tokens by sending a request to this endpoint. |
console.config.security.oidc.logoutEndpoint | URL of the OIDC provider’s logout endpoint. When the user logs out of the console, it can redirect them to this endpoint to terminate the OIDC session. |
console.config.security.oidc.displayNameTokenClaim | Name of the claim within the OIDC token that contains the user’s display name. This value can be used by the Console to display the user’s name after successful authentication. |
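The following is an added example, not code from the Kannika Console or its Helm chart, showing what the authorization code flow with PKCE described above looks like when driven from the console.config.security.oidc.* values: the client generates a code verifier, sends the S256 challenge with the authorization request to authEndpoint, checks the state on the callback, and then proves possession of the verifier at tokenEndpoint. The provider URLs, client ID and redirect URI are constructed placeholders; the audience value is kept aside because how it is conveyed to the provider is provider-specific and the page does not specify it.

```python
"""Added example: OIDC authorization-code flow with PKCE from a browser client.
All endpoint URLs and identifiers below are constructed placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values mirroring the console.config.security.oidc.* keys.
CONSOLE_OIDC = {
    "clientId": "example-console-client-id",                        # placeholder
    "audience": "api://kannika-armory-example",                     # placeholder
    "scope": "openid profile email offline_access",
    "authEndpoint": "https://idp.example.com/oauth2/v2.0/authorize",  # placeholder
    "tokenEndpoint": "https://idp.example.com/oauth2/v2.0/token",     # placeholder
}


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 verifier: 43..128 unreserved chars; base64url of 32 random bytes gives 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(cfg: dict, redirect_uri: str, state: str, verifier: str) -> str:
    """The redirect the Console sends the browser to (authEndpoint + query)."""
    params = {
        "response_type": "code",
        "client_id": cfg["clientId"],
        "redirect_uri": redirect_uri,
        "scope": cfg["scope"],            # includes offline_access to request a refresh token
        "state": state,                   # random, bound to the browser session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{cfg['authEndpoint']}?{urlencode(params)}"


def extract_code_from_callback(expected_state: str, callback_url: str) -> str:
    """Accept the provider's redirect back only when the state matches ours."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(cfg: dict, code: str, redirect_uri: str, verifier: str) -> dict:
    """Form body POSTed to tokenEndpoint; the verifier replaces a client secret."""
    return {
        "url": cfg["tokenEndpoint"],
        "body": {
            "grant_type": "authorization_code",
            "client_id": cfg["clientId"],
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": verifier,
        },
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    redirect = "https://console.example.com/callback"               # placeholder
    print(build_authorization_url(CONSOLE_OIDC, redirect, state, verifier))
    # After the provider redirects back with ?code=...&state=...:
    code = extract_code_from_callback(state, f"{redirect}?code=abc123&state={state}")
    print(build_token_request(CONSOLE_OIDC, code, redirect, verifier))
```

The challenge function is checked against the reference vector in RFC 7636 Appendix B, so it can be used as a quick sanity test when debugging a PKCE setup against a provider.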
Azure Entra ID example
Create an app registration for Kannika Armory in Azure Entra ID.
Refresh tokens
The offline_access scope is requested by the Console, and it will use refresh tokens to keep the access tokens valid.
If the OIDC provider doesn't return a refresh token, the Console will continue to function.
However, users will be redirected to the OIDC login page upon navigation when the access token is expired or about to expire.
API configuration
To enable OIDC authentication instead of basic authentication in the API, the following properties can be configured.
Key | Description |
---|---|
api.config.security.enabled | Boolean flag that enables or disables security features for the API. When set to true, it activates security mechanisms like OIDC and Basic Auth. (Basic Auth is enabled by default) |
api.config.security.oidc.issuerUri | URI that identifies the OIDC provider. The API will use this issuer URI to validate the identity of the provider sending the tokens. |
api.config.security.oidc.audience | Intended recipient for the tokens issued by the OIDC provider. |
api.config.security.oidc.principalClaimName | Name of the claim within the OIDC token that contains the user’s identifier. This value will be used in the logs of the API to identify the user. |
Azure Entra ID example
Disable authentication
Basic authentication is enabled by default.
To disable authentication, set the api.config.security.enabled configuration option to false.
Automatically logout inactive users
The console can track the user's activity and log them out automatically if they haven't interacted with the console for a given time. By default, the user will be shown a warning after 15 minutes of inactivity. The user can then choose to extend the session or log out. After a minute, the user will be logged out automatically if neither option is chosen.
To change the default, set console.config.security.userInactivityTimeoutSeconds to the desired timeout in seconds.
To disable this feature, set the timeout to 0.
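As an added illustration (not the Console's own implementation), the timer behaviour above can be written as a small state machine: below the configured timeout the session is active, between the timeout and one further minute a warning is shown, and after that the user is logged out unless they extended the session; a timeout of 0 disables tracking. The one-minute grace period and the 900-second default are the values stated on this page; the class, method names and the injected clock are this example's own.

```python
"""Added example: inactivity-timeout state machine mirroring the documented
userInactivityTimeoutSeconds behaviour. Class and method names are hypothetical."""

WARNING_GRACE_SECONDS = 60          # the "after a minute" window from the documentation
DEFAULT_TIMEOUT_SECONDS = 15 * 60   # 15 minutes, the documented default


class InactivityTracker:
    """Tracks last interaction time; `state(now)` yields active / warning / logged_out."""

    def __init__(self, timeout_seconds: int = DEFAULT_TIMEOUT_SECONDS, now: float = 0.0):
        if timeout_seconds < 0:
            raise ValueError("timeout must be 0 (disabled) or a positive number of seconds")
        self.timeout = timeout_seconds
        self.last_activity = now

    def touch(self, now: float) -> None:
        """Any user interaction with the console resets the idle clock."""
        self.last_activity = now

    def extend_session(self, now: float) -> None:
        """The 'extend' button in the warning dialog: same effect as fresh activity."""
        self.touch(now)

    def state(self, now: float) -> str:
        if self.timeout == 0:               # feature disabled: never warn, never log out
            return "active"
        idle = now - self.last_activity
        if idle < self.timeout:
            return "active"
        if idle < self.timeout + WARNING_GRACE_SECONDS:
            return "warning"
        return "logged_out"


if __name__ == "__main__":
    t = InactivityTracker()
    for sec in (0, 899, 900, 959, 960):
        print(sec, t.state(sec))
```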