A Quick Note On Security
Epinio secures access to its API with TLS and basic authentication.
Run the epinio login [URL] command after installation to save the necessary credentials
(user, password) and certificates. The information is stored in Epinio's settings,
where other Epinio commands pick it up.
For a trial deployment, the certificate securing the API is generated by the underlying cluster and is self-signed. Its CA certificate is stored in the settings to allow verification.
For a production-oriented deployment, on the other hand, with a proper
domain specified (--set global.domain=... when installing the chart),
the certificate can be obtained from Let's Encrypt. Nothing is stored in the
settings in that case, as Let's Encrypt is a known CA.
NOTE: Read more on how to use Let's Encrypt here: Certificate Issuers.
How Kubernetes accesses the Epinio registry (TLS or not) is handled a bit differently depending on installation flags. More details here: Epinio Registry.
Since version 1.3.0, Epinio has integrated Dex as an identity provider, which adds support for external OIDC providers.
To authenticate through Dex, you can use the login command with the --oidc flag. This will open a web page where you can authenticate with the configured providers.