remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 4 Packages Projects Releases Wiki Activity

atuhelia update and secret fix

Browse Source
This commit is contained in:
Remy Moll
2024-11-29 18:21:35 +01:00
parent 5f0fd69272
commit a332e92890
6 changed files with 223 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

244
infrastructure/authelia/authelia.values.yaml
View File

@@ -1,4 +1,3 @@
ingress:
enabled: false
@@ -6,45 +5,59 @@ ingress:
pod:
kind: 'Deployment'
replicas: 1
extraVolumes:
- name: config-ldap
secret:
secretName: authelia-ldap
- name: config-oidc
secret:
secretName: authelia-oidc
- name: config-smtp
secret:
secretName: authelia-smtp
extraVolumeMounts:
- name: config-ldap
mountPath: /extra-config/ldap.yml
readOnly: true
- name: config-oidc
mountPath: /extra-config/oidc.yml
readOnly: true
- name: config-smtp
mountPath: /extra-config/smtp.yml
readOnly: true
##
## Authelia Config Map Generator
##
configMap:
# Enable the configMap source for the Authelia config.
# If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
disabled: false
key: 'configuration.yml'
# do not use a pre-existing configMap
# BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
# include sub-maps wich OVERRIDE the values generated by the helm chart
extraConfigs:
- /extra-config/ldap.yml
- /extra-config/oidc.yml
- /extra-config/smtp.yml
- /secrets/authelia-smtp/smtp.yml
# many of the values remain default from the helm chart
authentication_backend:
ldap:
enabled: true
implementation: 'custom'
address: 'ldap://lldap:3890'
base_dn: 'DC=moll,DC=re'
additional_users_dn: 'OU=people'
users_filter: "(&({username_attribute}={input})(objectClass=person))"
additional_groups_dn: 'OU=groups'
groups_filter: "(member={dn})"
## The username of the admin user.
user: 'uid=authelia,ou=people,dc=moll,dc=re'
password:
# ## Disables this secret and leaves configuring it entirely up to you.
# disabled: false
# ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
# ## secret_value option below.
# secret_name: ~
# ## The value of a generated secret when using the ~ secret_name.
# value: ''
# ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
# ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
# ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
path: 'authentication.ldap.password.txt'
secret_name: authelia-ldap
attributes:
display_name: displayName
username: uid
group_name: cn
mail: mail
file:
enabled: false
session:
inactivity: '2d'
expiration: '7d'
@@ -52,37 +65,164 @@ configMap:
cookies:
- name: authelia_session
domain: auth.kluster.moll.re
encryption_key:
secret_name: authelia-internal
storage:
encryption_key:
value: 'authelia-encryption-key'
secret_name: authelia-internal
local:
enabled: true
file: /config/db.sqlite3
##
## Authelia Secret Configuration.
##
secret:
disabled: false
existingSecret: ''
# notifier:
# notifier is configured via the smtp secret and merged by authelia upon startup
certificates:
# don't use the pre-existing secret
existingSecret: ''
identity_validation:
reset_password:
secret:
secret_name: authelia-internal
path: 'identity_validation.reset_password.jwt.hmac.key'
identity_providers:
oidc:
enabled: true
hmac_secret:
secret_name: authelia-internal
path: 'identity_providers.oidc.hmac.key'
# lifespans:
# access_token: '1 hour'
# authorize_code: '1 minute'
# id_token: '1 hour'
# refresh_token: '1 hour and 30 minutes'
jwks:
- algorithm: 'RS256'
key:
path: '/secrets/authelia-internal/oidc.jwks.key'
cors:
allowed_origins_from_client_redirect_uris: true
clients:
- client_id: 'grafana'
client_name: 'Grafana'
client_secret:
path: '/secrets/authelia-oidc/client.grafana'
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://grafana.kluster.moll.re/login/generic_oauth'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
consent_mode: 'implicit'
- client_id: 'recipes'
client_name: 'Recipes'
client_secret:
path: '/secrets/authelia-oidc/client.recipes'
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://recipes.kluster.moll.re/login'
scopes:
- 'openid'
- 'email'
- 'profile'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
consent_mode: 'implicit'
- client_id: 'gitea'
client_name: 'Gitea'
client_secret:
path: '/secrets/authelia-oidc/client.gitea'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'email'
- 'profile'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
consent_mode: 'implicit'
- client_id: 'argocd'
client_name: 'Argo CD'
client_secret:
path: '/secrets/authelia-oidc/client.argocd'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://argocd.kluster.moll.re/auth/callback'
scopes:
- 'openid'
- 'groups'
- 'email'
- 'profile'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
consent_mode: 'implicit'
- client_id: 'paperless'
client_name: 'Paperless'
client_secret:
path: '/secrets/authelia-oidc/client.paperless'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
scopes:
- 'openid'
- 'profile'
- 'email'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
consent_mode: 'implicit'
- client_id: 'linkding'
client_name: 'LinkDing'
client_secret:
path: '/secrets/authelia-oidc/client.linkding'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://linkding.kluster.moll.re/oidc/callback/'
scopes:
- 'openid'
- 'groups'
- 'email'
- 'profile'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
consent_mode: 'implicit'
##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
enabled: true
storageClass: 'nfs-client'
secret:
mountPath: '/secrets'
additionalSecrets:
# the oidc client secrets referenced in the oidc config
authelia-oidc: {}
authelia-internal: {}
authelia-ldap: {}
authelia-smtp: {}