authelia: deploy

cubic3d · Nov 30, 2024 · ecb376c · ecb376c
1 parent 157263f
commit ecb376c
Show file tree

Hide file tree

Showing 6 changed files with 257 additions and 2 deletions.
diff --git a/kubernetes/main/apps/auth/authelia/app/externalsecret.yaml b/kubernetes/main/apps/auth/authelia/app/externalsecret.yaml
@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authelia
+spec:
+  refreshInterval: 5m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  dataFrom:
+    - extract:
+        key: authelia
+  data:
+    - secretKey: jwks_rsa_4096.pem
+      remoteRef:
+        key: authelia
+        property: jwks_rsa_4096.pem
+        decodingStrategy: Auto
+    - secretKey: users_database.yaml
+      remoteRef:
+        key: authelia
+        property: notesPlain
+    - secretKey: smtp_password
+      remoteRef:
+        key: mailing
+        property: password
+    - secretKey: postgres_password
+      remoteRef:
+        key: postgres-pguser-authelia
+        property: password
+      sourceRef:
+        storeRef:
+          kind: ClusterSecretStore
+          name: cpgo
diff --git a/kubernetes/main/apps/auth/authelia/app/helmrelease.yaml b/kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
@@ -0,0 +1,184 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authelia
+      version: 0.9.10
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: flux-system
+
+  values:
+    ingress:
+      enabled: true
+      annotations:
+        external-dns.alpha.kubernetes.io/target: ingress-ext.${domain}
+      className: external
+
+    pod:
+      kind: Deployment
+      replicas: 1
+      strategy:
+        type: RollingUpdate
+
+      securityContext:
+        container:
+          runAsUser: 2000
+          runAsGroup: 2000
+          fsGroup: 2000
+        pod:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          privileged: false
+
+      env:
+        - name: TZ
+          value: Europe/Berlin
+
+    configMap:
+      telemetry:
+        metrics:
+          enabled: true
+          # TODO: Enable after deploying monitoring
+          # serviceMonitor:
+          #   enabled: false
+          #   annotations: {}
+          #   labels: {}
+
+      default_2fa_method: totp
+      theme: auto
+
+      identity_validation:
+        reset_password:
+          secret:
+            path: jwt_hmac_key
+
+      totp:
+        issuer: Yachthafen ID
+
+      webauthn:
+        display_name: Yachthafen ID
+
+      authentication_backend:
+        password_reset:
+          disable: true
+          custom_url: https://youtu.be/dQw4w9WgXcQ
+        file:
+          enabled: true
+          path: /secrets/authelia/users_database.yaml
+          watch: true
+          search:
+            email: true
+
+      access_control:
+        default_policy: two_factor
+
+        networks:
+          - name: lan
+            networks:
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+
+        rules:
+          - domain: "*"
+            policy: one_factor
+            networks:
+              - lan
+
+      session:
+        name: yachthafen_session
+        encryption_key:
+          path: session_encryption_key
+        cookies:
+          - domain: ${domain}
+            subdomain: auth
+
+        # TODO: Configure redis when deployed
+        redis:
+          enabled: false
+
+      storage:
+        encryption_key:
+          path: storage_encryption_key
+
+        postgres:
+          enabled: true
+          # PgBouncer not used (creates problems with prepared statements)
+          address: tcp://postgres-primary.database.svc.cluster.local:5432
+          database: authelia
+          username: authelia
+          password:
+            path: postgres_password
+
+      notifier:
+        smtp:
+          enabled: true
+          enabledSecret: true
+          address: smtp://smtp.gmail.com:587
+          sender: Yachthafen ID <noreply@${domain}>
+          subject: "{title}"
+          username: noreply@${mail_domain}
+          password:
+            path: smtp_password
+
+      identity_providers:
+        oidc:
+          enabled: true
+          hmac_secret:
+            path: oidc_hmac_key
+          jwks:
+            - key:
+                path: /secrets/authelia/jwks_rsa_4096.pem
+
+          authorization_policies: {}
+
+          clients:
+            - client_name: Cloudflare
+              client_id: cloudflare
+              client_secret:
+                path: /secrets/authelia/oidc_secret_cloudflare
+              consent_mode: implicit
+              scopes:
+                - openid
+                - profile
+                - email
+                - groups
+              redirect_uris:
+                - https://${cloudflare_team_name}.cloudflareaccess.com/cdn-cgi/access/callback
+              pkce_challenge_method: S256
+
+            - client_name: Node-RED
+              client_id: node-red
+              client_secret:
+                path: /secrets/authelia/oidc_secret_nodered
+              consent_mode: implicit
+              scopes:
+                - openid
+                - profile
+                - email
+                - groups
+              redirect_uris:
+                - https://r.${domain}/auth/strategy/callback
+              token_endpoint_auth_method: client_secret_post
+
+    secret:
+      existingSecret: authelia
+
+      additionalSecrets:
+        authelia:
+          items:
+            - key: jwks_rsa_4096.pem
+              path: jwks_rsa_4096.pem
+            - key: notesPlain
+              path: users_database.yaml
+            - key: oidc_secret_cloudflare
+              path: oidc_secret_cloudflare
+            - key: oidc_secret_nodered
+              path: oidc_secret_nodered
diff --git a/kubernetes/main/apps/auth/authelia/ks.yaml b/kubernetes/main/apps/auth/authelia/ks.yaml
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &appname authelia
+  namespace: flux-system
+spec:
+  targetNamespace: auth
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *appname
+  path: kubernetes/main/apps/auth/authelia/app
+  interval: 10m
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: ops
+  dependsOn:
+    - name: external-secrets-stores
+    - name: crunchy-postgres-operator-cluster
+    - name: crunchy-postgres-operator-secretstore
diff --git a/kubernetes/main/apps/auth/kustomization.yaml b/kubernetes/main/apps/auth/kustomization.yaml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - authelia/ks.yaml
diff --git a/kubernetes/main/apps/auth/namespace.yaml b/kubernetes/main/apps/auth/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/flux/vars/cluster-secrets.sops.yaml b/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
@@ -5,7 +5,9 @@ metadata:
     namespace: flux-system
 stringData:
     domain: ENC[AES256_GCM,data:kRTW1To=,iv:JY7qFAaGdMBRrFf6GUKhEmCbWQQXT6rkxN/eLIv3CVU=,tag:9vSC507hUAghxW6WDAQPOg==,type:str]
+    mail_domain: ENC[AES256_GCM,data:tTqoct7YqTwKb8I=,iv:0GvrAJ9L63Spa3m/WcPK5+JlMqmQxqVZAHXLUY8G7jg=,tag:gbbTPLyoPAgM+cGZ6pZRBQ==,type:str]
     cloudflare_tunnel_id: ENC[AES256_GCM,data:og+Rit/nk7ed5jY2u5r0CP+FOJBxiffYZDGYwu6aYAClVg9l,iv:zfHXTsRsB6IMoLWsNoNg1vanl87ordJnskCTC0zfM2k=,tag:xyEAlqJwWybykgDBk6MeEA==,type:str]
+    cloudflare_team_name: ENC[AES256_GCM,data:Av+T7iUrgZXxWA==,iv:choopz5i90LzucwaDoVroOnoykiGnAZRFFnAOq78ASc=,tag:eV8J7x5wc0hCH4ww1mopxg==,type:str]
     cpgo_s3_endpoint: ENC[AES256_GCM,data:NREgUaIj647XGNZISeSZPW+cqkXsgVpf/Vra,iv:ytW09I1x7HLjswMwyb27ZcMYxBPEjaOa3247ayunsmg=,tag:WiOnTMnRoL4idYqdjLkQKA==,type:str]
 sops:
     kms: []
@@ -31,8 +33,8 @@ sops:
             YlB1c0hoNXhXV3pPb2JUQ1c4d1kxY0EKIc0f1VLupK849VgeYAFe2+P7a24ddFU1
             nzs66mgQIwhKhPdvZ+6fGHuinNxVNlM/TV4Yc/wE5uGJjOVeaxmo1Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-19T12:46:34Z"
-    mac: ENC[AES256_GCM,data:6Zq9ztJ/Uj5atSxt4AWjpil00ZJyC9joZDkn0K78Tvev5wsH/MKIww0A9mpGVOQTr3l6UaYJ3cl5qYQD8itYZVEcJIw4uVdw1lbOr9wfp9lGYA1UprCXNi9CSvPYOKTeD6CBS9ROQ61ZsHuiAwEFdZWW+tGvP0TcsT3X5HmvV00=,iv:gNDMb7p163sw7wKtuDG6K6XCh78bLUkUOWDXwp/A+zI=,tag:RUzIuI3l3MhETwbiFq2IbA==,type:str]
+    lastmodified: "2024-11-30T12:07:19Z"
+    mac: ENC[AES256_GCM,data:5MBY+/NKXaXD7/3o8sdBYZdIDJRNQ2DIBUK8zD8Cuuhdd/Rl5yrHKxtpPB2oRVp0QlSsP6k9q0zT6Ds4cl30eOnMYVewhsr+GrRhhL1bDf5xmyIYfICBEHzTqF5XOPkf4Puj33o4TD+rMBprGu9iB1/n2JcJfKYKAOTandrG5BQ=,iv:3ycat+x6oS4nXTlywIr0MH8e0hAwCG/grQn+/Znai9M=,tag:fzorw/xtQ0JcBS/I61TO7Q==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.1