use authelia as login source

2024-10-04 12:11:23 +02:00
parent 140aca08da
commit a94389bdcc
17 changed files with 323 additions and 0 deletions
--- a/apps/monitoring/grafana-auth.sealedsecret.yaml
+++ b/apps/monitoring/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: grafana-auth
  namespace: monitoring
 spec:
  encryptedData:
    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
  template:
    metadata:
      creationTimestamp: null
      name: grafana-auth
      namespace: monitoring
    type: Opaque
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -16,6 +16,12 @@ serviceMonitor:
  ##
  enabled: false
 envValueFrom:
  AUTH_GRAFANA_CLIENT_SECRET:
    secretKeyRef:
      name: grafana-auth
      key: client_secret
 ingress:
  enabled: false
@@ -67,3 +73,21 @@ grafana.ini:
  default_theme: dark
  unified_alerting:
    enabled: false
  analytics:
    check_for_updates: false
  server:
    domain: grafana.kluster.moll.re
    root_url: https://grafana.kluster.moll.re
  auth.generic_oauth:
    name: Authelia
    enabled: true
    allow_sign_up: true
    client_id: grafana
    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
    scopes: openid profile email groups
    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
    token_url: https://auth.kluster.moll.re/api/oidc/token
    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
    tls_skip_verify_insecure: true
    auto_login: true
    use_pkce: true
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - namespace.yaml
  - grafana.ingress.yaml
  - grafana-admin.sealedsecret.yaml
  - grafana-auth.sealedsecret.yaml
  # grafana dashboards are provisioned from a git repository
  # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
  - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
--- a/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
--- a/infrastructure/authelia/authelia.values.yaml
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -0,0 +1,83 @@
 ingress:
  enabled: false
 pod:
  kind: 'Deployment'
  replicas: 1
  extraVolumes:
    - name: config-ldap
      secret:
        secretName: authelia-ldap
    - name: config-oidc
      secret:
        secretName: authelia-oidc
  extraVolumeMounts:
    - name: config-ldap
      mountPath: /extra-config/ldap.yml
      readOnly: true
    - name: config-oidc
      mountPath: /extra-config/oidc.yml
      readOnly: true
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
  # Enable the configMap source for the Authelia config.
  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
  disabled: false
  key: 'configuration.yml'
  # do not use a pre-existing configMap
  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /extra-config/ldap.yml
    - /extra-config/oidc.yml
  session:
    cookies:
      - name: authelia_session
        domain: auth.kluster.moll.re
  storage:
    encryption:
      key: 'supersecretstorage'
    local:
      enabled: true
      file: /config/db.sqlite3
  notifier:
    filesystem:
      enabled: true
      filename: /config/notification.txt
 ##
 ## Authelia Secret Configuration.
 ##
 secret:
  disabled: false
  existingSecret: ''
 certificates:
  # don't use the pre-existing secret
  existingSecret: ''
 ##
 ## Authelia Persistence Configuration.
 ##
 ## Useful in scenarios where you need persistent storage.
 ## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
 ## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
 ## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
 ##
 persistence:
  enabled: true
  storageClass: 'nfs-client'
--- a/infrastructure/authelia/ingress.yaml
+++ b/infrastructure/authelia/ingress.yaml
@@ -0,0 +1,17 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: authelia-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.kluster.moll.re`)
      kind: Rule
      services:
        - name: authelia
          port: 80
  tls:
    certResolver: default-tls
--- a/infrastructure/authelia/kustomization.yaml
+++ b/infrastructure/authelia/kustomization.yaml
@@ -0,0 +1,30 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: authelia
 resources:
  - namespace.yaml
  # # As a user management tool, we use LDAP, more specifically, ligh ldap
  - lldap-credentials.sealedsecret.yaml
  - lldap.pvc.yaml
  - lldap.deployment.yaml
  - lldap.service.yaml
  # Authelia itself is installed as a helm chart
  - authelia-ldap.sealedsecret.yaml
  - authelia-oidc.sealedsecret.yaml
  - ingress.yaml
 images:
  - name: lldap
    newName: nitnelave/lldap
    newTag: latest
 helmCharts:
  - name: authelia
    releaseName: authelia
    version: 0.9.6
    repo: https://charts.authelia.com
    valuesFile: authelia.values.yaml
--- a/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
+++ b/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: lldap-credentials
  namespace: authelia
 spec:
  encryptedData:
    base-dn: AgBC27VFLsDFHQ6qMN3kbyilhgRwa++hJ5uDsBOqtemO4mOj3nw3/79SJRrO4201zeFq54WJaG5tRHS4SaB5+hYMjdZKqtgTE5Cl9amKIXsfZOzHQ8bKj//WJZYgfmfPxDm5tVdElvF0CGJQMf4SbN52F4V5ujnl2x/j2Qu6gyoJdTaa8lRRIOewXrgOc16lGuAmgVIFB3KR9SEOiSQb2sJxi4tbBPvu0qcLnnfq8/roWouqlfNycanf+Smgc23P112U4ZcirF/oSoeYjUxSy/yxRMrfSzrcxjLPMeb0hyHgsKpFc17YghBt6Ofqx/JOeb4rCZUAGe2PJYoNg6EvGNlgiL02h5TqPF0GfZ02QLiEVK+jUkrEZGMEqEl97iw8juVW3fFJQpcZxyA4eZWAN2ocH7LjDg/UaPvjaZzXbkkva92X1g9LXFCukbMXYoR6QrRI4AyjLWdAHRlBm1M/7w0x5SH3uh05MR3Su0uhRgwreKxJGndd02SsWYs3I9+xM4RjzIs//aNYvhoUgeMzvhIjda8Jut4HzCTqcycIwxkE9aIUlSAgcS+0HrLuvMb236F5OROz2kwx187KlZn6FlK5vDO3m1pWQwmq2E2q0oRhg2mOJDSexzKwzaTkvOdtNiEOWgitYkML93L9I+9scDd3RbIfA5ejOKu5+JR+8cxpwvO5puURvyzI4BTZcTSj+Jnm6MK0pl6tJgfHtgt/
    jwt-secret: AgCI0LA/Y2ZTUl1VZax9Wqd5DxC9OFDe3NfWH9Mr85N5xbF6X5oe49fjW0GTjBE2cytN4aCUy+Gu5kAuo2qgfF1p5XyFY42Tg8q8fyF+LMN0Uu3JlgyA1D3ql0ePc5kNKxD8TRsfcWZOX/KtIWiZxceQ4YJi+OY/7llso3ZiGRCwzV1pXPoFd7A9dSA0qbUklpFI/58VkAUJ1HSel5oCx0JUfxZZAHQaCo72ZPqhbAskOZ4ofH1hzq66NJG5VbOhtBWkPDi4e82OOgT1VqiOiVOUC3w0GAvt6S1SD5P3N2FRqUbRag02rETnja/uahRKDHvLJG82zHXDVGxt5aZQ7bKRYe93gizCaZ4mTfAgrEaz9ys3ywRNr8UL7Cda18YWghvyOqDJSNePn6tUsntc2wA5rRhkPV3NKEhi0Tskqalc8zKXTf4MrX1WJSKw2D8i2l1B6Z7/UhjncAZKaAz7pky33QlitaDtp4Jg4k/ERcqcODB8jG+7oW17At96tXpiqCu6LUki4gkMrtsojRyaVHhl12w4XjVUHW9DyyzELlUT3CluF42wN9zyqDuyhPsuuIr4JrrhNrjvhFU6dcWppvjOvaZMIBvHH5A77F7LDVoCcLwYlrqmpnpxmateeIQHC8IId2JcFlg5CbD3abN9CjtUpoK8ZDRiEt3ULNkyOZ7z1hSfwa9TpJ//HkpWoXsO1b16+ZcNUdM=
    ldap-user-pass: AgBX8ryuZX2fr6CZDaYOR54I445RNY123jp5LpyYLtB4QQljzmD6CC9BIOP5eju46cu5q/GoMSRdz5OthSLXfUB+I0iRrq+yI4bWpckpcrecNa0eJn0PAbWoI+T4gfAbkOxLLz1+yfG8J2PKqwZGVmpBqSBaqw1PQnkj8HggP05YtU8kfmH8W+Gi6c5mOBOL6RtIOgWW0pHgz1OZRKLKgyb70D+suvK1Xw9cKehkNoWtbmS9YvB+2lXZpWPW96Bw1mYnilEWr5WgMRz5aYYShe7/yf9OaFHfHpORgH42dpt+nvMSb5fY8nYVjEm6cYyS/mRm7H5cuBYwj5XnghAAoSIhX1B2KxIhbLh+yvFo+y1tdZB+q7sbJHFTegqRXi/eVvM3qkqTxksxhw9kGvCT/v7vRlS6jXHNTk1wS/Ka40Sv2AHaKlg/cMLQGZZur2LJcCZW6UVZwc2uqpJuszm1RwNX7hiTe+Pj1nCE+Iu/nHJrsk4SVEVcsRGOCAQjXwCXqbkuCz8dqZvCHVYBa2qIZTEd4gTXPjabaabudUzAXRiBg1SHLTVwz4HszUY3yfKASNdpYSxZwHTDt/BTENC8NJyT0Y48Daw26uS3U+87Ntsoe0gruccamhoKPdZlzA9Pl1hoD/GEryhVCLbuUhHC02qGo7WhjPaDZ/Cguu906e6qR4bq78PqBMiz6XllZgrZ0QMshT8/ubo9Bh7HxUD0aw==
  template:
    metadata:
      creationTimestamp: null
      name: lldap-credentials
      namespace: authelia
    type: Opaque
--- a/infrastructure/authelia/lldap.deployment.yaml
+++ b/infrastructure/authelia/lldap.deployment.yaml
@@ -0,0 +1,54 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: lldap
  name: lldap
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: lldap
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: lldap
    spec:
      containers:
        - env:
            - name: GID
              value: "1001"
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: jwt-secret
            - name: LLDAP_LDAP_BASE_DN
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: base-dn
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: ldap-user-pass
            - name: TZ
              value: Europe/Berlin
            - name: UID
              value: "1001"
          image: lldap
          name: lldap
          ports:
            - containerPort: 3890
            - containerPort: 17170
          volumeMounts:
            - mountPath: /data
              name: lldap-data
      restartPolicy: Always
      volumes:
        - name: lldap-data
          persistentVolumeClaim:
            claimName: lldap-data
--- a/infrastructure/authelia/lldap.ingress.yaml
+++ b/infrastructure/authelia/lldap.ingress.yaml
--- a/infrastructure/authelia/lldap.pvc.yaml
+++ b/infrastructure/authelia/lldap.pvc.yaml
@@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: lldap-data
 spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/infrastructure/authelia/lldap.service.yaml
+++ b/infrastructure/authelia/lldap.service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: lldap
 spec:
  selector:
    app: lldap
  ports:
  - port: 3890
    targetPort: 3890
--- a/infrastructure/authelia/namespace.yaml
+++ b/infrastructure/authelia/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/kluster-deployments/authelia/application.yaml
+++ b/kluster-deployments/authelia/application.yaml
@@ -0,0 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: authelia-application
  namespace: argocd
 spec:
  project: infrastructure
  source:
    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
    targetRevision: main
    path: infrastructure/authelia
  destination:
    server: https://kubernetes.default.svc
    namespace: authelia
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/authelia/kustomization.yaml
+++ b/kluster-deployments/authelia/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - application.yaml
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -21,6 +21,7 @@ resources:
  - external-dns/
  - external-services/
  - prometheus/application.yaml
  - authelia/
  # simple apps
  - adguard/