remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 3 Packages Projects Releases Wiki Activity

use authelia as login source

Browse Source
This commit is contained in:
Remy Moll
2024-10-04 12:11:23 +02:00
parent 140aca08da
commit a94389bdcc
17 changed files with 323 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
infrastructure/authelia/authelia-ldap.sealedsecret.yaml Normal file
View File

File diff suppressed because one or more lines are too long

16
infrastructure/authelia/authelia-oidc.sealedsecret.yaml Normal file
View File

File diff suppressed because one or more lines are too long

83
infrastructure/authelia/authelia.values.yaml Normal file
View File

@@ -0,0 +1,83 @@
ingress:
enabled: false
pod:
kind: 'Deployment'
replicas: 1
extraVolumes:
- name: config-ldap
secret:
secretName: authelia-ldap
- name: config-oidc
secret:
secretName: authelia-oidc
extraVolumeMounts:
- name: config-ldap
mountPath: /extra-config/ldap.yml
readOnly: true
- name: config-oidc
mountPath: /extra-config/oidc.yml
readOnly: true
##
## Authelia Config Map Generator
##
configMap:
# Enable the configMap source for the Authelia config.
# If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
disabled: false
key: 'configuration.yml'
# do not use a pre-existing configMap
# BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
extraConfigs:
- /extra-config/ldap.yml
- /extra-config/oidc.yml
session:
cookies:
- name: authelia_session
domain: auth.kluster.moll.re
storage:
encryption:
key: 'supersecretstorage'
local:
enabled: true
file: /config/db.sqlite3
notifier:
filesystem:
enabled: true
filename: /config/notification.txt
##
## Authelia Secret Configuration.
##
secret:
disabled: false
existingSecret: ''
certificates:
# don't use the pre-existing secret
existingSecret: ''
##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
enabled: true
storageClass: 'nfs-client'

17
infrastructure/authelia/ingress.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: authelia-ingressroute
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.kluster.moll.re`)
kind: Rule
services:
- name: authelia
port: 80
tls:
certResolver: default-tls

30
infrastructure/authelia/kustomization.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authelia
resources:
- namespace.yaml
# # As a user management tool, we use LDAP, more specifically, ligh ldap
- lldap-credentials.sealedsecret.yaml
- lldap.pvc.yaml
- lldap.deployment.yaml
- lldap.service.yaml
# Authelia itself is installed as a helm chart
- authelia-ldap.sealedsecret.yaml
- authelia-oidc.sealedsecret.yaml
- ingress.yaml
images:
- name: lldap
newName: nitnelave/lldap
newTag: latest
helmCharts:
- name: authelia
releaseName: authelia
version: 0.9.6
repo: https://charts.authelia.com
valuesFile: authelia.values.yaml

18
infrastructure/authelia/lldap-credentials.sealedsecret.yaml Normal file
View File

@@ -0,0 +1,18 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: lldap-credentials
namespace: authelia
spec:
encryptedData:
base-dn: AgBC27VFLsDFHQ6qMN3kbyilhgRwa++hJ5uDsBOqtemO4mOj3nw3/79SJRrO4201zeFq54WJaG5tRHS4SaB5+hYMjdZKqtgTE5Cl9amKIXsfZOzHQ8bKj//WJZYgfmfPxDm5tVdElvF0CGJQMf4SbN52F4V5ujnl2x/j2Qu6gyoJdTaa8lRRIOewXrgOc16lGuAmgVIFB3KR9SEOiSQb2sJxi4tbBPvu0qcLnnfq8/roWouqlfNycanf+Smgc23P112U4ZcirF/oSoeYjUxSy/yxRMrfSzrcxjLPMeb0hyHgsKpFc17YghBt6Ofqx/JOeb4rCZUAGe2PJYoNg6EvGNlgiL02h5TqPF0GfZ02QLiEVK+jUkrEZGMEqEl97iw8juVW3fFJQpcZxyA4eZWAN2ocH7LjDg/UaPvjaZzXbkkva92X1g9LXFCukbMXYoR6QrRI4AyjLWdAHRlBm1M/7w0x5SH3uh05MR3Su0uhRgwreKxJGndd02SsWYs3I9+xM4RjzIs//aNYvhoUgeMzvhIjda8Jut4HzCTqcycIwxkE9aIUlSAgcS+0HrLuvMb236F5OROz2kwx187KlZn6FlK5vDO3m1pWQwmq2E2q0oRhg2mOJDSexzKwzaTkvOdtNiEOWgitYkML93L9I+9scDd3RbIfA5ejOKu5+JR+8cxpwvO5puURvyzI4BTZcTSj+Jnm6MK0pl6tJgfHtgt/
jwt-secret: AgCI0LA/Y2ZTUl1VZax9Wqd5DxC9OFDe3NfWH9Mr85N5xbF6X5oe49fjW0GTjBE2cytN4aCUy+Gu5kAuo2qgfF1p5XyFY42Tg8q8fyF+LMN0Uu3JlgyA1D3ql0ePc5kNKxD8TRsfcWZOX/KtIWiZxceQ4YJi+OY/7llso3ZiGRCwzV1pXPoFd7A9dSA0qbUklpFI/58VkAUJ1HSel5oCx0JUfxZZAHQaCo72ZPqhbAskOZ4ofH1hzq66NJG5VbOhtBWkPDi4e82OOgT1VqiOiVOUC3w0GAvt6S1SD5P3N2FRqUbRag02rETnja/uahRKDHvLJG82zHXDVGxt5aZQ7bKRYe93gizCaZ4mTfAgrEaz9ys3ywRNr8UL7Cda18YWghvyOqDJSNePn6tUsntc2wA5rRhkPV3NKEhi0Tskqalc8zKXTf4MrX1WJSKw2D8i2l1B6Z7/UhjncAZKaAz7pky33QlitaDtp4Jg4k/ERcqcODB8jG+7oW17At96tXpiqCu6LUki4gkMrtsojRyaVHhl12w4XjVUHW9DyyzELlUT3CluF42wN9zyqDuyhPsuuIr4JrrhNrjvhFU6dcWppvjOvaZMIBvHH5A77F7LDVoCcLwYlrqmpnpxmateeIQHC8IId2JcFlg5CbD3abN9CjtUpoK8ZDRiEt3ULNkyOZ7z1hSfwa9TpJ//HkpWoXsO1b16+ZcNUdM=
ldap-user-pass: AgBX8ryuZX2fr6CZDaYOR54I445RNY123jp5LpyYLtB4QQljzmD6CC9BIOP5eju46cu5q/GoMSRdz5OthSLXfUB+I0iRrq+yI4bWpckpcrecNa0eJn0PAbWoI+T4gfAbkOxLLz1+yfG8J2PKqwZGVmpBqSBaqw1PQnkj8HggP05YtU8kfmH8W+Gi6c5mOBOL6RtIOgWW0pHgz1OZRKLKgyb70D+suvK1Xw9cKehkNoWtbmS9YvB+2lXZpWPW96Bw1mYnilEWr5WgMRz5aYYShe7/yf9OaFHfHpORgH42dpt+nvMSb5fY8nYVjEm6cYyS/mRm7H5cuBYwj5XnghAAoSIhX1B2KxIhbLh+yvFo+y1tdZB+q7sbJHFTegqRXi/eVvM3qkqTxksxhw9kGvCT/v7vRlS6jXHNTk1wS/Ka40Sv2AHaKlg/cMLQGZZur2LJcCZW6UVZwc2uqpJuszm1RwNX7hiTe+Pj1nCE+Iu/nHJrsk4SVEVcsRGOCAQjXwCXqbkuCz8dqZvCHVYBa2qIZTEd4gTXPjabaabudUzAXRiBg1SHLTVwz4HszUY3yfKASNdpYSxZwHTDt/BTENC8NJyT0Y48Daw26uS3U+87Ntsoe0gruccamhoKPdZlzA9Pl1hoD/GEryhVCLbuUhHC02qGo7WhjPaDZ/Cguu906e6qR4bq78PqBMiz6XllZgrZ0QMshT8/ubo9Bh7HxUD0aw==
template:
metadata:
creationTimestamp: null
name: lldap-credentials
namespace: authelia
type: Opaque

54
infrastructure/authelia/lldap.deployment.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: lldap
name: lldap
spec:
replicas: 1
selector:
matchLabels:
app: lldap
strategy:
type: Recreate
template:
metadata:
labels:
app: lldap
spec:
containers:
- env:
- name: GID
value: "1001"
- name: LLDAP_JWT_SECRET
valueFrom:
secretKeyRef:
name: lldap-credentials
key: jwt-secret
- name: LLDAP_LDAP_BASE_DN
valueFrom:
secretKeyRef:
name: lldap-credentials
key: base-dn
- name: LLDAP_LDAP_USER_PASS
valueFrom:
secretKeyRef:
name: lldap-credentials
key: ldap-user-pass
- name: TZ
value: Europe/Berlin
- name: UID
value: "1001"
image: lldap
name: lldap
ports:
- containerPort: 3890
- containerPort: 17170
volumeMounts:
- mountPath: /data
name: lldap-data
restartPolicy: Always
volumes:
- name: lldap-data
persistentVolumeClaim:
claimName: lldap-data

0
infrastructure/authelia/lldap.ingress.yaml Normal file
View File

11
infrastructure/authelia/lldap.pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: lldap-data
spec:
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

10
infrastructure/authelia/lldap.service.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: lldap
spec:
selector:
app: lldap
ports:
- port: 3890
targetPort: 3890

4
infrastructure/authelia/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: placeholder