From ecb376c3a45a3a0357e20fcf66c787340b0a0201 Mon Sep 17 00:00:00 2001
From: Waldemar Faist
Date: Sat, 30 Nov 2024 13:10:50 +0100
Subject: [PATCH] authelia: deploy
---
.../auth/authelia/app/externalsecret.yaml | 35 ++++
.../apps/auth/authelia/app/helmrelease.yaml | 184 ++++++++++++++++++
kubernetes/main/apps/auth/authelia/ks.yaml | 22 +++
kubernetes/main/apps/auth/kustomization.yaml | 6 +
kubernetes/main/apps/auth/namespace.yaml | 6 +
.../main/flux/vars/cluster-secrets.sops.yaml | 6 +-
6 files changed, 257 insertions(+), 2 deletions(-)
create mode 100644 kubernetes/main/apps/auth/authelia/app/externalsecret.yaml
create mode 100644 kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
create mode 100644 kubernetes/main/apps/auth/authelia/ks.yaml
create mode 100644 kubernetes/main/apps/auth/kustomization.yaml
create mode 100644 kubernetes/main/apps/auth/namespace.yaml
diff --git a/kubernetes/main/apps/auth/authelia/app/externalsecret.yaml b/kubernetes/main/apps/auth/authelia/app/externalsecret.yaml
new file mode 100644
index 00000000..8ef44d98
--- /dev/null
+++ b/kubernetes/main/apps/auth/authelia/app/externalsecret.yaml
@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authelia
+spec:
+ refreshInterval: 5m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ dataFrom:
+ - extract:
+ key: authelia
+ data:
+ - secretKey: jwks_rsa_4096.pem
+ remoteRef:
+ key: authelia
+ property: jwks_rsa_4096.pem
+ decodingStrategy: Auto
+ - secretKey: users_database.yaml
+ remoteRef:
+ key: authelia
+ property: notesPlain
+ - secretKey: smtp_password
+ remoteRef:
+ key: mailing
+ property: password
+ - secretKey: postgres_password
+ remoteRef:
+ key: postgres-pguser-authelia
+ property: password
+ sourceRef:
+ storeRef:
+ kind: ClusterSecretStore
+ name: cpgo
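Review bot: The Secret this manifest produces is consumed by the HelmRelease via `secret.existingSecret: authelia`, and that chart config reads keys this file never declares under `data` — `jwt_hmac_key`, `session_encryption_key`, `storage_encryption_key`, `oidc_hmac_key`, `oidc_secret_cloudflare`, `oidc_secret_nodered` — so they can only arrive through the `dataFrom.extract` on the `authelia` item. That coupling is invisible when reading this file alone; a comment above `dataFrom` such as `# extract copies every field of the 1Password item; the chart additionally expects jwt_hmac_key, session_encryption_key, storage_encryption_key, oidc_hmac_key, oidc_secret_cloudflare and oidc_secret_nodered to exist there` would document it. Since `extract` also mirrors any field later added to that item into the cluster Secret, the comment should say that unrelated values must not be stored on it.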
diff --git a/kubernetes/main/apps/auth/authelia/app/helmrelease.yaml b/kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
new file mode 100644
index 00000000..f89f29b1
--- /dev/null
+++ b/kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
@@ -0,0 +1,184 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authelia
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: authelia
+ version: 0.9.10
+ sourceRef:
+ kind: HelmRepository
+ name: authelia
+ namespace: flux-system
+
+ values:
+ ingress:
+ enabled: true
+ annotations:
+ external-dns.alpha.kubernetes.io/target: ingress-ext.${domain}
+ className: external
+
+ pod:
+ kind: Deployment
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+
+ securityContext:
+ container:
+ runAsUser: 2000
+ runAsGroup: 2000
+ fsGroup: 2000
+ pod:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ privileged: false
+
+ env:
+ - name: TZ
+ value: Europe/Berlin
+
+ configMap:
+ telemetry:
+ metrics:
+ enabled: true
+ # TODO: Enable after deploying monitoring
+ # serviceMonitor:
+ # enabled: false
+ # annotations: {}
+ # labels: {}
+
+ default_2fa_method: totp
+ theme: auto
+
+ identity_validation:
+ reset_password:
+ secret:
+ path: jwt_hmac_key
+
+ totp:
+ issuer: Yachthafen ID
+
+ webauthn:
+ display_name: Yachthafen ID
+
+ authentication_backend:
+ password_reset:
+ disable: true
+ custom_url: https://youtu.be/dQw4w9WgXcQ
+ file:
+ enabled: true
+ path: /secrets/authelia/users_database.yaml
+ watch: true
+ search:
+ email: true
+
+ access_control:
+ default_policy: two_factor
+
+ networks:
+ - name: lan
+ networks:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+
+ rules:
+ - domain: "*"
+ policy: one_factor
+ networks:
+ - lan
+
+ session:
+ name: yachthafen_session
+ encryption_key:
+ path: session_encryption_key
+ cookies:
+ - domain: ${domain}
+ subdomain: auth
+
+ # TODO: Configure redis when deployed
+ redis:
+ enabled: false
+
+ storage:
+ encryption_key:
+ path: storage_encryption_key
+
+ postgres:
+ enabled: true
+ # PgBouncer not used (creates problems with prepared statements)
+ address: tcp://postgres-primary.database.svc.cluster.local:5432
+ database: authelia
+ username: authelia
+ password:
+ path: postgres_password
+
+ notifier:
+ smtp:
+ enabled: true
+ enabledSecret: true
+ address: smtp://smtp.gmail.com:587
+ sender: Yachthafen ID
+ subject: "{title}"
+ username: noreply@${mail_domain}
+ password:
+ path: smtp_password
+
+ identity_providers:
+ oidc:
+ enabled: true
+ hmac_secret:
+ path: oidc_hmac_key
+ jwks:
+ - key:
+ path: /secrets/authelia/jwks_rsa_4096.pem
+
+ authorization_policies: {}
+
+ clients:
+ - client_name: Cloudflare
+ client_id: cloudflare
+ client_secret:
+ path: /secrets/authelia/oidc_secret_cloudflare
+ consent_mode: implicit
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ redirect_uris:
+ - https://${cloudflare_team_name}.cloudflareaccess.com/cdn-cgi/access/callback
+ pkce_challenge_method: S256
+
+ - client_name: Node-RED
+ client_id: node-red
+ client_secret:
+ path: /secrets/authelia/oidc_secret_nodered
+ consent_mode: implicit
+ scopes:
+ - openid
+ - profile
+ - email
+ - groups
+ redirect_uris:
+ - https://r.${domain}/auth/strategy/callback
+ token_endpoint_auth_method: client_secret_post
+
+ secret:
+ existingSecret: authelia
+
+ additionalSecrets:
+ authelia:
+ items:
+ - key: jwks_rsa_4096.pem
+ path: jwks_rsa_4096.pem
+ - key: notesPlain
+ path: users_database.yaml
+ - key: oidc_secret_cloudflare
+ path: oidc_secret_cloudflare
+ - key: oidc_secret_nodered
+ path: oidc_secret_nodered
diff --git a/kubernetes/main/apps/auth/authelia/ks.yaml b/kubernetes/main/apps/auth/authelia/ks.yaml
new file mode 100644
index 00000000..bbb9aeaf
--- /dev/null
+++ b/kubernetes/main/apps/auth/authelia/ks.yaml
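Review bot: The `securityContext` stanza has its container- and pod-level fields crossed: `fsGroup` exists only on a PodSecurityContext, while `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `privileged` exist only on a container SecurityContext, so if the chart maps `securityContext.container` and `securityContext.pod` onto those two API objects as the key names suggest, the rendered Deployment is either rejected for unknown fields or deployed without the intended hardening. Moving `runAsUser`/`runAsGroup`/`fsGroup` under `pod` and the three restrictions under `container` fixes the placement, and `runAsNonRoot: true`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` are cheap additions that bring the pod in line with the restricted Pod Security Standard. Confirm the mapping against the chart's values.yaml for version 0.9.10 before applying, since the chart layout is not visible in this diff.
```yaml
    securityContext:
      container:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        privileged: false
        capabilities:
          drop:
            - ALL
      pod:
        runAsUser: 2000
        runAsGroup: 2000
        fsGroup: 2000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    # … unchanged: env, configMap, secret, additionalSecrets …
```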
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &appname authelia
+ namespace: flux-system
+spec:
+ targetNamespace: auth
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *appname
+ path: kubernetes/main/apps/auth/authelia/app
+ interval: 10m
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: ops
+ dependsOn:
+ - name: external-secrets-stores
+ - name: crunchy-postgres-operator-cluster
+ - name: crunchy-postgres-operator-secretstore
diff --git a/kubernetes/main/apps/auth/kustomization.yaml b/kubernetes/main/apps/auth/kustomization.yaml
new file mode 100644
index 00000000..3139b71d
--- /dev/null
+++ b/kubernetes/main/apps/auth/kustomization.yaml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - authelia/ks.yaml
diff --git a/kubernetes/main/apps/auth/namespace.yaml b/kubernetes/main/apps/auth/namespace.yaml
new file mode 100644
index 00000000..478c3657
--- /dev/null
+++ b/kubernetes/main/apps/auth/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: auth
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/flux/vars/cluster-secrets.sops.yaml b/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
index f0e39930..4158af37 100644
--- a/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/main/flux/vars/cluster-secrets.sops.yaml
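Review bot: The HelmRelease this Kustomization applies relies on `${domain}`, `${mail_domain}` and `${cloudflare_team_name}` being substituted, yet nothing under `spec` declares `postBuild.substituteFrom`, so the substitution presumably comes from a parent Flux Kustomization that patches it into every child and is not part of this commit. That is easy to miss when the file is read on its own; a comment above `spec`, e.g. `# ${...} placeholders are resolved by postBuild.substituteFrom patched in by the parent Kustomization`, would make the dependency explicit, or, if no such parent patch exists, add `postBuild.substituteFrom` here with `kind: Secret` and `name: <cluster-secrets Secret name>`. Without either, the placeholders would be applied literally and the ingress target, session cookie domain and OIDC redirect URIs would be wrong. The `dependsOn` entries otherwise line up with the stores and database the ExternalSecret references.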
@@ -5,7 +5,9 @@ metadata:
 namespace: flux-system
 stringData:
 domain: ENC[AES256_GCM,data:kRTW1To=,iv:JY7qFAaGdMBRrFf6GUKhEmCbWQQXT6rkxN/eLIv3CVU=,tag:9vSC507hUAghxW6WDAQPOg==,type:str]
+ mail_domain: ENC[AES256_GCM,data:tTqoct7YqTwKb8I=,iv:0GvrAJ9L63Spa3m/WcPK5+JlMqmQxqVZAHXLUY8G7jg=,tag:gbbTPLyoPAgM+cGZ6pZRBQ==,type:str]
 cloudflare_tunnel_id: ENC[AES256_GCM,data:og+Rit/nk7ed5jY2u5r0CP+FOJBxiffYZDGYwu6aYAClVg9l,iv:zfHXTsRsB6IMoLWsNoNg1vanl87ordJnskCTC0zfM2k=,tag:xyEAlqJwWybykgDBk6MeEA==,type:str]
+ cloudflare_team_name: ENC[AES256_GCM,data:Av+T7iUrgZXxWA==,iv:choopz5i90LzucwaDoVroOnoykiGnAZRFFnAOq78ASc=,tag:eV8J7x5wc0hCH4ww1mopxg==,type:str]
 cpgo_s3_endpoint: ENC[AES256_GCM,data:NREgUaIj647XGNZISeSZPW+cqkXsgVpf/Vra,iv:ytW09I1x7HLjswMwyb27ZcMYxBPEjaOa3247ayunsmg=,tag:WiOnTMnRoL4idYqdjLkQKA==,type:str]
 sops:
 kms: []
@@ -31,8 +33,8 @@ sops:
 YlB1c0hoNXhXV3pPb2JUQ1c4d1kxY0EKIc0f1VLupK849VgeYAFe2+P7a24ddFU1
 nzs66mgQIwhKhPdvZ+6fGHuinNxVNlM/TV4Yc/wE5uGJjOVeaxmo1Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-19T12:46:34Z"
- mac: ENC[AES256_GCM,data:6Zq9ztJ/Uj5atSxt4AWjpil00ZJyC9joZDkn0K78Tvev5wsH/MKIww0A9mpGVOQTr3l6UaYJ3cl5qYQD8itYZVEcJIw4uVdw1lbOr9wfp9lGYA1UprCXNi9CSvPYOKTeD6CBS9ROQ61ZsHuiAwEFdZWW+tGvP0TcsT3X5HmvV00=,iv:gNDMb7p163sw7wKtuDG6K6XCh78bLUkUOWDXwp/A+zI=,tag:RUzIuI3l3MhETwbiFq2IbA==,type:str]
+ lastmodified: "2024-11-30T12:07:19Z"
+ mac: ENC[AES256_GCM,data:5MBY+/NKXaXD7/3o8sdBYZdIDJRNQ2DIBUK8zD8Cuuhdd/Rl5yrHKxtpPB2oRVp0QlSsP6k9q0zT6Ds4cl30eOnMYVewhsr+GrRhhL1bDf5xmyIYfICBEHzTqF5XOPkf4Puj33o4TD+rMBprGu9iB1/n2JcJfKYKAOTandrG5BQ=,iv:3ycat+x6oS4nXTlywIr0MH8e0hAwCG/grQn+/Znai9M=,tag:fzorw/xtQ0JcBS/I61TO7Q==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.9.1