use authelia as login source

apps/monitoring/grafana-auth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: monitoring
+spec:
+  encryptedData:
+    client_secret: AgCcKsnS3u2eI+fNVC9hAZ3QRFOHFErAzs5aQgX51CSdJwM03SZUoTyrDi5JPcHUVyS3MbevFH5piMhDTARMI3bLOjYlcwMbpf77JCPa7o95Y9asA/FW3lXicYt3biN9xBXJBz7Ws3fVRtEzyf6DmbGedT9gaX8aPwrUVbP19RdyJiuu76oB1A/jdUkX4K+X6kVvmoP/BWdypk/kdQJrzBNt00DIXF4NHfYey36AuhpBtqYZs4faA/tBXMXLE4RxPNtcHwNfVjnRj3v3qzNufD1fnweJvLq2UfLMrQjoR9XDVnM0zkpautylkI7yrvcoEH7ljnf6b1FMogOEZUfH1BIdqTd/WwrrlCqE58OPfJWthIfN+pQ8LvdHsGo3jc9gXvfXS2cStyhP06eTZ4D79kG+RtDQGOsD/Wpx7EcM6hbB3+dIjcs3wEAIGjpIVtY9JayW8YeRnFApMuhDST1+hscm+LdoGvaSTlAuGzv9BbVrPX/Fo9XKeYHlbG/x71Er+vF8WbW0wUa46MHLvbEy376XIdJDYi+vjl4eqznZ6YhvPbawhoKXT8ZcKUcUAjVcMue/O/jCSPZplbn3vdSCeqPTiqVqDw9PTMIeWFUepgPMxiGpFRAqdwIecFBnYItq0dXoGlFrZpo0S6AECgZjxzUR5EgdkdPlDDs2CN+d9yP7f2S+gmL7AIlQr74NW1GrTGw2x/rD4IJhunh7
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: monitoring
+    type: Opaque

apps/monitoring/grafana.values.yaml

@@ -16,6 +16,12 @@ serviceMonitor:
   ##
   enabled: false
 
+envValueFrom:
+  AUTH_GRAFANA_CLIENT_SECRET:
+    secretKeyRef:
+      name: grafana-auth
+      key: client_secret
+
 ingress:
   enabled: false
 
@@ -67,3 +73,21 @@ grafana.ini:
   default_theme: dark
   unified_alerting:
     enabled: false
+  analytics:
+    check_for_updates: false
+  server:
+    domain: grafana.kluster.moll.re
+    root_url: https://grafana.kluster.moll.re
+  auth.generic_oauth:
+    name: Authelia
+    enabled: true
+    allow_sign_up: true
+    client_id: grafana
+    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
+    scopes: openid profile email groups
+    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
+    token_url: https://auth.kluster.moll.re/api/oidc/token
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    tls_skip_verify_insecure: true
+    auto_login: true
+    use_pkce: true

apps/monitoring/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - namespace.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
+  - grafana-auth.sealedsecret.yaml
   # grafana dashboards are provisioned from a git repository
   # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
   - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main

infrastructure/authelia/authelia.values.yaml

@@ -0,0 +1,83 @@
+
+ingress:
+  enabled: false
+
+
+pod:
+  kind: 'Deployment'
+  replicas: 1
+  extraVolumes:
+    - name: config-ldap
+      secret:
+        secretName: authelia-ldap
+    - name: config-oidc
+      secret:
+        secretName: authelia-oidc
+  extraVolumeMounts:
+    - name: config-ldap
+      mountPath: /extra-config/ldap.yml
+      readOnly: true
+    - name: config-oidc
+      mountPath: /extra-config/oidc.yml
+      readOnly: true
+      
+
+##
+## Authelia Config Map Generator
+##
+configMap:
+
+  # Enable the configMap source for the Authelia config.
+  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
+  disabled: false
+  key: 'configuration.yml'
+  # do not use a pre-existing configMap
+  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
+  extraConfigs:
+    - /extra-config/ldap.yml
+    - /extra-config/oidc.yml
+  
+  session:
+    cookies:
+      - name: authelia_session
+        domain: auth.kluster.moll.re
+  storage:
+    encryption:
+      key: 'supersecretstorage'
+    local:
+      enabled: true
+      file: /config/db.sqlite3
+  notifier:
+    filesystem:
+      enabled: true
+      filename: /config/notification.txt
+
+
+
+
+##
+## Authelia Secret Configuration.
+##
+secret:
+
+  disabled: false
+
+  existingSecret: ''
+
+
+certificates:
+  # don't use the pre-existing secret
+  existingSecret: ''
+
+##
+## Authelia Persistence Configuration.
+##
+## Useful in scenarios where you need persistent storage.
+## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
+## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
+## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
+##
+persistence:
+  enabled: true
+  storageClass: 'nfs-client'
+

infrastructure/authelia/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: authelia
+          port: 80
+
+  tls:
+    certResolver: default-tls

infrastructure/authelia/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: authelia
+
+resources:
+  - namespace.yaml
+  # # As a user management tool, we use LDAP, more specifically, ligh ldap
+  - lldap-credentials.sealedsecret.yaml
+  - lldap.pvc.yaml
+  - lldap.deployment.yaml
+  - lldap.service.yaml
+  # Authelia itself is installed as a helm chart
+  - authelia-ldap.sealedsecret.yaml
+  - authelia-oidc.sealedsecret.yaml
+  - ingress.yaml
+
+
+images:
+  - name: lldap
+    newName: nitnelave/lldap
+    newTag: latest
+
+
+helmCharts:
+  - name: authelia
+    releaseName: authelia
+    version: 0.9.6
+    repo: https://charts.authelia.com
+    valuesFile: authelia.values.yaml

infrastructure/authelia/lldap-credentials.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: lldap-credentials
+  namespace: authelia
+spec:
+  encryptedData:
+    base-dn: AgBC27VFLsDFHQ6qMN3kbyilhgRwa++hJ5uDsBOqtemO4mOj3nw3/79SJRrO4201zeFq54WJaG5tRHS4SaB5+hYMjdZKqtgTE5Cl9amKIXsfZOzHQ8bKj//WJZYgfmfPxDm5tVdElvF0CGJQMf4SbN52F4V5ujnl2x/j2Qu6gyoJdTaa8lRRIOewXrgOc16lGuAmgVIFB3KR9SEOiSQb2sJxi4tbBPvu0qcLnnfq8/roWouqlfNycanf+Smgc23P112U4ZcirF/oSoeYjUxSy/yxRMrfSzrcxjLPMeb0hyHgsKpFc17YghBt6Ofqx/JOeb4rCZUAGe2PJYoNg6EvGNlgiL02h5TqPF0GfZ02QLiEVK+jUkrEZGMEqEl97iw8juVW3fFJQpcZxyA4eZWAN2ocH7LjDg/UaPvjaZzXbkkva92X1g9LXFCukbMXYoR6QrRI4AyjLWdAHRlBm1M/7w0x5SH3uh05MR3Su0uhRgwreKxJGndd02SsWYs3I9+xM4RjzIs//aNYvhoUgeMzvhIjda8Jut4HzCTqcycIwxkE9aIUlSAgcS+0HrLuvMb236F5OROz2kwx187KlZn6FlK5vDO3m1pWQwmq2E2q0oRhg2mOJDSexzKwzaTkvOdtNiEOWgitYkML93L9I+9scDd3RbIfA5ejOKu5+JR+8cxpwvO5puURvyzI4BTZcTSj+Jnm6MK0pl6tJgfHtgt/
+    jwt-secret: AgCI0LA/Y2ZTUl1VZax9Wqd5DxC9OFDe3NfWH9Mr85N5xbF6X5oe49fjW0GTjBE2cytN4aCUy+Gu5kAuo2qgfF1p5XyFY42Tg8q8fyF+LMN0Uu3JlgyA1D3ql0ePc5kNKxD8TRsfcWZOX/KtIWiZxceQ4YJi+OY/7llso3ZiGRCwzV1pXPoFd7A9dSA0qbUklpFI/58VkAUJ1HSel5oCx0JUfxZZAHQaCo72ZPqhbAskOZ4ofH1hzq66NJG5VbOhtBWkPDi4e82OOgT1VqiOiVOUC3w0GAvt6S1SD5P3N2FRqUbRag02rETnja/uahRKDHvLJG82zHXDVGxt5aZQ7bKRYe93gizCaZ4mTfAgrEaz9ys3ywRNr8UL7Cda18YWghvyOqDJSNePn6tUsntc2wA5rRhkPV3NKEhi0Tskqalc8zKXTf4MrX1WJSKw2D8i2l1B6Z7/UhjncAZKaAz7pky33QlitaDtp4Jg4k/ERcqcODB8jG+7oW17At96tXpiqCu6LUki4gkMrtsojRyaVHhl12w4XjVUHW9DyyzELlUT3CluF42wN9zyqDuyhPsuuIr4JrrhNrjvhFU6dcWppvjOvaZMIBvHH5A77F7LDVoCcLwYlrqmpnpxmateeIQHC8IId2JcFlg5CbD3abN9CjtUpoK8ZDRiEt3ULNkyOZ7z1hSfwa9TpJ//HkpWoXsO1b16+ZcNUdM=
+    ldap-user-pass: AgBX8ryuZX2fr6CZDaYOR54I445RNY123jp5LpyYLtB4QQljzmD6CC9BIOP5eju46cu5q/GoMSRdz5OthSLXfUB+I0iRrq+yI4bWpckpcrecNa0eJn0PAbWoI+T4gfAbkOxLLz1+yfG8J2PKqwZGVmpBqSBaqw1PQnkj8HggP05YtU8kfmH8W+Gi6c5mOBOL6RtIOgWW0pHgz1OZRKLKgyb70D+suvK1Xw9cKehkNoWtbmS9YvB+2lXZpWPW96Bw1mYnilEWr5WgMRz5aYYShe7/yf9OaFHfHpORgH42dpt+nvMSb5fY8nYVjEm6cYyS/mRm7H5cuBYwj5XnghAAoSIhX1B2KxIhbLh+yvFo+y1tdZB+q7sbJHFTegqRXi/eVvM3qkqTxksxhw9kGvCT/v7vRlS6jXHNTk1wS/Ka40Sv2AHaKlg/cMLQGZZur2LJcCZW6UVZwc2uqpJuszm1RwNX7hiTe+Pj1nCE+Iu/nHJrsk4SVEVcsRGOCAQjXwCXqbkuCz8dqZvCHVYBa2qIZTEd4gTXPjabaabudUzAXRiBg1SHLTVwz4HszUY3yfKASNdpYSxZwHTDt/BTENC8NJyT0Y48Daw26uS3U+87Ntsoe0gruccamhoKPdZlzA9Pl1hoD/GEryhVCLbuUhHC02qGo7WhjPaDZ/Cguu906e6qR4bq78PqBMiz6XllZgrZ0QMshT8/ubo9Bh7HxUD0aw==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: lldap-credentials
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/lldap.deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: lldap
+  name: lldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: lldap
+    spec:
+      containers:
+        - env:
+            - name: GID
+              value: "1001"
+            - name: LLDAP_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: jwt-secret
+            - name: LLDAP_LDAP_BASE_DN
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: base-dn
+            - name: LLDAP_LDAP_USER_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: ldap-user-pass
+            - name: TZ
+              value: Europe/Berlin
+            - name: UID
+              value: "1001"
+          image: lldap
+          name: lldap
+          ports:
+            - containerPort: 3890
+            - containerPort: 17170
+          volumeMounts:
+            - mountPath: /data
+              name: lldap-data
+      restartPolicy: Always
+      volumes:
+        - name: lldap-data
+          persistentVolumeClaim:
+            claimName: lldap-data

infrastructure/authelia/lldap.pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: lldap-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/authelia/lldap.service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lldap
+spec:
+  selector:
+    app: lldap
+  ports:
+  - port: 3890
+    targetPort: 3890

infrastructure/authelia/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

kluster-deployments/authelia/application.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authelia-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/authelia
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: authelia
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

kluster-deployments/authelia/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml

kluster-deployments/kustomization.yaml

@@ -21,6 +21,7 @@ resources:
   - external-dns/
   - external-services/
   - prometheus/application.yaml
+  - authelia/
 
   # simple apps
   - adguard/