From 4260a5b5f3843a9e9f70351c71fc59bcda92c90b Mon Sep 17 00:00:00 2001
From: Rich Braun
Date: Fri, 29 Aug 2025 10:19:50 -0700
Subject: [PATCH 1/2] SYS-657 use built-in TOTP for guacamole, instead of Authelia
---
 .../guacamole/subcharts/guacamole-server/values.yaml | 7 -------
 k8s/helm/guacamole/values.yaml | 9 ++++++++-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml b/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml
index 7f0e6415..aed5ddc6 100644
--- a/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml
+++ b/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml
@@ -23,11 +23,6 @@ service:
 type: ClusterIP
 autoscaling:
 enabled: false
-
-authelia:
- fqdn: authtotp.example.com
- ip: 10.101.1.5
- path: /guacamole/\#/login
 ingress:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
@@ -38,5 +33,3 @@ ingress:
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Connection $http_connection;
 proxy_set_header Upgrade $http_upgrade;
-ingressTOTP:
- enabled: true
diff --git a/k8s/helm/guacamole/values.yaml b/k8s/helm/guacamole/values.yaml
index 58f205f5..b8c93d5f 100644
--- a/k8s/helm/guacamole/values.yaml
+++ b/k8s/helm/guacamole/values.yaml
@@ -11,11 +11,18 @@ guacamole-server:
 tlsHostname: guacamole.example.com
 deployment:
 env:
+ # TODO: enable the BAN extension introduced in 1.6.0; for now
+ # the ingress-nginx proxy is continuously blocked by spurious
+ # auth failures, and break-in attempts are blocked by TOTP
+ ban_enabled: "false"
 guacd_hostname: guacamole-guacd
 guacd_port: 4822
+ ldap_enabled: "false"
 mysql_database: guacamole
 mysql_hostname: db00
- mysql_user: guacamole_user
+ mysql_username: guacamole_user
+ skip_if_unavailable: ldap
+ totp_enabled: "true"
 xenv:
 - name: MYSQL_PASSWORD
 valueFrom:
From f060cec8b3bf2b19cd63d5f949bed78a43bda883 Mon Sep 17 00:00:00 2001
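Review bot: Setting `ban_enabled: "false"` in the `env:` block of `k8s/helm/guacamole/values.yaml` leaves password guessing unthrottled by anything visible in this chart now that the Authelia front end is gone, and the TODO's "break-in attempts are blocked by TOTP" overstates what TOTP covers. Guacamole asks for the TOTP code only after the password has been accepted, so a correct password is still distinguishable from a wrong one, and an account that has not yet enrolled a key is, as far as I know, enrolled by whoever first logs in with its password. Until BAN can be enabled I would add an ingress rate limit under `ingress.annotations` in the subchart values, e.g. `nginx.ingress.kubernetes.io/limit-rpm: "30"` (value to be tuned), and note in the TODO that BAN needs the real client address from the proxy (the image's `REMOTE_IP_VALVE_ENABLED` setting looks like the relevant knob; confirm against the 1.6.0 docs). `skip_if_unavailable: ldap` next to `ldap_enabled: "false"` also reads as contradictory, so a one-line comment such as `# kept so a later LDAP outage cannot block local logins` (if that is the intent) would help. The `env:` mapping starts and continues outside the hunk.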
From: Rich Braun
Date: Fri, 29 Aug 2025 10:28:42 -0700
Subject: [PATCH 2/2] SYS-657 wip
---
 k8s/helm/guacamole/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/k8s/helm/guacamole/values.yaml b/k8s/helm/guacamole/values.yaml
index b8c93d5f..b6495415 100644
--- a/k8s/helm/guacamole/values.yaml
+++ b/k8s/helm/guacamole/values.yaml
@@ -12,8 +12,8 @@ guacamole-server:
 deployment:
 env:
 # TODO: enable the BAN extension introduced in 1.6.0; for now
- # the ingress-nginx proxy is continuously blocked by spurious
- # auth failures, and break-in attempts are blocked by TOTP
+ # break-in attempts are blocked by TOTP because BAN requires
+ # more ingress-nginx directives to provide proxy IP address
 ban_enabled: "false"
 guacd_hostname: guacamole-guacd
 guacd_port: 4822