atuhelia update and secret fix

infrastructure/authelia/authelia-internal.sealedsecret.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-internal
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgCn/PgwlkbScgWaElPr22EXSl2vOzk+XtZBQUXGl4lsS/pIixUfQlbNtA/t6cq4CpfglFmThGX5v2d/VvYOT99XD6diAWpMlLSYo6azyL17/pazdqLCji8uGu4eEqkWl1iBnE2+9Uz5PhTVNehdDaIWoDMCsCMKp9Qk/wgaI6DvpbUnN3Z/mjE+b+XqEGgznpWMQOv+fW2bNb8yH0OBLD/8g+/tAbULm7ZeagiLAO4kLBA6RAwvs4gMTVh30xTUMEHi5WFNXBzdLC2pqP9ork2NbBmBJllOU+bwwdUUalQpJtOLf9uWtOmDPobxDYFHZlYEqfJenaYu+DskoP0KaektNTw36PKy9L13v5sQBFI6B7Dm7SaJ+or2SSmvJCp22Oi//MgITqF7uiVxdVU7PB+jxfjB2OxUS5herFx0GMLQdE3qlpQPaw6bTabBmt8Qo83cws5tDFzpNerhWDD9GBvypQrb6orJw7ZONjnt8xc4kvT0KqDK/M8H99bV3LGYVKqgElm3sVQaGuPJLhAAH5RJscpnUjeZZo3x84dz0vNWSK/9Wd9hebWLeJ85urqccUyN/rsNT8xgfyvXBXa4EITHvjNuj6tt56E1DU89PFiQRMV+ZpI/mleHMcPTUTLbc8E8K+TUrLZlRvAYiZJNhdwIhkRReMbmSpTdFqAjBH58ggeUBkksIMk2V1cdBAS/dbhL3+65z3SuYs80Dfyuj8zq4igNm8NIMQFlXkwvlEl8Dnv39nNzFZUKJ/ePAPAZyD6hyXQqrnw9vfgzoPJA1/keTVOo89VyochKWot24Lyg88wC1jURtVkv+PgUUB35lAgduDeE3yXhX3ma6ueqIAMlkYg1bA0Mjf4SQS+bW61a8r5RMwDnzgOHQFztXzkv3RSCrIWGBJvukZSTQ+NMZDo1Zt8wZ/M1RdtJsDOHcG+uFABBv4g=
+    identity_validation.reset_password.jwt.hmac.key: AgAtJjspCizxAVKziRNyKMhVtaf/2noA+2fZX+PmvrYKQWrNTwtJzdcxZitWq9IZN+QDlMnVsCzkKA6u0OUrmDATR3letrnE3/CiAzNrja04sPHyoB1L30C5mnn0aA6HRxnH+gn7bPsLthhzyH1/a9gP2QB8h/PNbMTHHnsgOo1GjuzBusB/8RNNCD1jyNFrsrcanl7A+Q//nfD8sKdPyGyU5boE+pT61FjM62UT2b9CgNRrwTju2pU7p0E2tOPiy5SLE0RbMqT2fjP38f6UhROXimkHhwK3exhb7JPJvzQv3gU0VmzQjWcbq/3VOUuMY/TkA9V3BxBtAquMZAtDqSf2Wqjk3+C2aybUosskFqWX8FVKEtr/Ia1YNqZtr6RHW4p4oo9gNT/GdJfh5SCfAIV9Cc7VOXZXp+UYgJAk/8Fc6t3WeotDYqJOrVJfPVv1TUSG18UWBDX3UlmaaobMNN+iNbvrQyCr9q86RvS1xHNroDLi9A5Ie9U2b4xBj63BDdWg3YslAMijvbBKddL6YAAmMJp3DO/ezfbjGtS75lxcpjOXxiE4J6xK4tBB9ysGz8HM5GLzEuNLLXlGW8t1S7AB5ws6W5tbI6JcFEUuLLLrJTMp4uHFaB44jzqCMD/mWzDWR97z1Vzhq0lW9LhZ9nVoSpZi+ygmrVhFmX6HMdgnQrfMWSTCr3/3iOYGqmzeZGy/xiA4/CXgQ1xThkjEhQPUe++YMTKFjjYZjPMpg0br0Ka5qy8yIVAhTV+eJeQ1J2AlJWpsjFhvGWxQKThDK5g7PQw83Ugv9BQZdBC6xpcxD3hXASXyzzyE96klMiIDPtUOpnYBb2IzmhoxyHOu3vZvopNhr0tyRvnTMSqb/2qTEQ==
+    session.encryption.key: AgBdjuB9W8itXSUi0Sr5Zh2G7btvAokUje75Hoo+sfJqtbiqyDEFMUHdp7ErU+hVlI32EzJVsJXwVWFDHAbVe6XeSptUH5GJmFX5n3DJKfpooRDGMX0ISPwYqJFDZGkgBhX9dgXM47vpA3mhIO91g218XHAyxgoA2NWKD4L4rquF25GdtglBO+LfqQYT2iuvzzVzeTdGCA1oFabXdy4yxQTxfHUFvcePMSzELf7Wr+7xqmP1HD1PsqZDuPpV1h1q3sjcGRI/cfntuwn8Ks8s3ACQq2IpDsZg+dsVtYG6iJ0lv1tyPlvL2XoRz8aQoUngIKKLjnhxHhl53vyUFZw43tZUhZIZfcPBjk8/RXygqp9ZUobOFJoaLKYCe1TgsdiiYjw3zAAUsLIQZgTdIoEJGOiiolo5OtRPIDP3vlYFtcmGsnEwF8c35K1YJU/e89vhR8dEEO0c7ghdpr6JqGKav5cP/dUtSr+PMWMcXYsdVYkYn5+tzK2tVqnFpHb1BwzE10ECyzFRhbaU/SIVmJLYKSI+gYJa4b8RA+ITGR3sSO6mU7PhnNqt93utmrQgHwNJrOvM8Y6jNh3u7mn1Aj1NfhrQoQFa1GPWzCtBaJgDmfnCnHKSF0N4Y/o1JqLR1wNqDj80QgWHIfiV7yhwn/42Z1qlrB5nGya9/DRKu/zhgFSYmXFT7MOcmjsjdW5YUuvKlLl+dmVFSgOTy4MQ1r+ilW96xGGDQ3SNjhYvCTe8xirlBWinwBI+ysKGhQ==
+    storage.encryption.key: AgCtxTfHio8V71I35npbktS6oquu0lh91KRsq0Eg4ZAlYnX/ryEdQlS3oZrRL5Z+jLkSgerZ0WMCKRuWCH5JrLnhAYPIfn8Ss4GSXeymDenL3LRT6+IVuLf4z9bK68RDqnVnyzDSvnjt+kt4d2DDtseosY6ZHqvFakfQzuOL5Cl7MyNE4leah0ItCbcdheel7Ak4vMPXoVHxvjm4gDaxVzKyP1xz7sFJuQIvKKsv8soSGcH58gC0OaAyyzBp7JWB6ZG+cnWLYnmaOjh7vACGbO+BFyCM7RGdabQGAoAPj5XFcMcfo/AkI21Zt8xGKn+HP9hoquOOcHGuQJPL2rF7+p2GNo33c9J18U90IzQoldvOrbDEcf6uSlIQuIwrWs3Ji9OBzBmqbhrbaxtw066Znjj4eDCeORzmEfeqJDWn+sQql8rFmSEUd48BMV/TCAtlUhwIooqJSy590gom+jV/FVBtME6khJZiAH2ylX4TrwWTpuDP0p74kRiu+i1NSW3jtqhi2jjyaFTShOXESGAhmjVOpPmC9ZNQC6CEH/Q5cZOTzFG6iWs7ReUNIAxkMwK9TtkaPdeSSGXpkquCsl+aOLn58umA0uhToSHvW8ecyng+eLXRT6ElznkA8XXgcHNWyZrYNu+Z2ahwfG2rIEwRBYc6TpZyoJZrSOEz6xTz4Z9fG8bJ0WQu5GE3Rk8Ccy6dS2YHmLHOcfgREFD9PoKzZUuACU0kdvGV7g==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-internal
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-smtp.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    smtp.yml: AgAHiNwse+aFYVoun500VoUTUKg22yDSn+cD9pLO4HKG26nqmOxkiTSi5BELpzWouqHXiHNwYLEKPv13ZFJX6AFfFskspBfe+svLvLSzEvtH8kNCSJar0G5jcACEk27xcCxTN0nhmjc6L9lmZF8UUth7l5Mrsl0EG+79pCNYhUtjy16g7HdbmYgmgrY6d7VWCen2R4HZK4A9zPx+8HEsoMzUD0mG+uKKKfmqYaxJ563Gzp7trDcQRXd4tmea9MM8t+bk9TYCDvBj9JbsNuIdzFk8MArlvlesDYqiJj/8wny49NoVyX8vvGVDF3Y5s+OmKA9+MoBIYNc4oT4FLcc14wpnMnk5WgbKtTYfExcGTdTWuTTVWPsF18dvbKTU3C6dnf2kh9T8CydIdu27jwrBbChWffxNbh5nlLlQT3Xvogai8o6qhMn+EqTnw/u93OIxNzPEooVP349VVW/mlhGX3od/IlVzXiIlQIxL5EP2pRCXL2T1KONvkpbClJ/BTuwfjRZTXz3ZaRhaTPdBAZ+bpkRkt+kEAecjqaf9EF+pHy+dOaR4tIrwBWBbrAy47iV4e/Q60B97bRHzgo9N1uaYonGmyzmyVc9TXIkhf7PIlu/cSyDaHKdobVx0AA0p2usi5D1QYMcS9fngXyM1U9imO6QiYopysxQ9gJL8rfuySRJ/YQ6JJ71fLdMxsiQ0r21D7v7LEdJK5SKLovpnmPgk4PBoL9E4ZPE6g5zRXZFj1IxpKkOqRMpyBzBvas9Q1OFFs0Y79kGtyWIXb7Z2HGYmMU1us9Pm95xVF/V34sAtMIEz7qi+SaXQHFvyqbaiJ48U8qHhHL5y+lt9e8PGmQo0tRWfHMejs5BCcFAEZKDiif6zUEsjV/WC9WKO9NUjvRiu0CYCq5z9QzKaZQqWo0LPeM6DMY8pT3w4OqpJ/OLyMfbdoWT/uQ1JW5npApGifL0lhWRIkQHCG7oZA/BkJfbiexV8jwtToS+UX/s9HkbkuQ/O4zDte8qg/Xzh5TOj5AxlAPN6wGCwd6t1RTSITSKVMnTpFabkEvPYnGeiyWU8TrckvaKmhRUNoj2ZWQCCffHKp/bimEHxRqFnW6B+cu35reTjFc2dqp12EhCBR727G0EARx3Gt/LSdPh8OYt+Bs0rLaHiUrCJh4HRBJPmg0PARVwDL7OWx6pwtclnrALmfELKKaopy6yFctDogOtkvxHbL8DNhJqNuQJo6ttzlHhz4bnQcWb2K92HIw==
+    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -1,4 +1,3 @@
-
 ingress:
   enabled: false
 
@@ -6,44 +5,55 @@ ingress:
 pod:
   kind: 'Deployment'
   replicas: 1
-  extraVolumes:
-    - name: config-ldap
-      secret:
-        secretName: authelia-ldap
-    - name: config-oidc
-      secret:
-        secretName: authelia-oidc
-    - name: config-smtp
-      secret:
-        secretName: authelia-smtp
 
-  extraVolumeMounts:
-    - name: config-ldap
-      mountPath: /extra-config/ldap.yml
-      readOnly: true
-    - name: config-oidc
-      mountPath: /extra-config/oidc.yml
-      readOnly: true
-    - name: config-smtp
-      mountPath: /extra-config/smtp.yml
-      readOnly: true
 
 
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
-
-  # Enable the configMap source for the Authelia config.
-  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
-  disabled: false
   key: 'configuration.yml'
-  # do not use a pre-existing configMap
+  # include sub-maps wich OVERRIDE the values generated by the helm chart
-  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
-    - /extra-config/ldap.yml
+    - /secrets/authelia-smtp/smtp.yml
-    - /extra-config/oidc.yml
+
-    - /extra-config/smtp.yml
+
+  # many of the values remain default from the helm chart
+  authentication_backend:
+    ldap:
+      implementation: 'custom'
+      address: 'ldap://lldap:3890'
+      base_dn: 'DC=moll,DC=re'
+      additional_users_dn: 'OU=people'
+      users_filter: "(&({username_attribute}={input})(objectClass=person))"
+      additional_groups_dn: 'OU=groups'
+      groups_filter: "(member={dn})"
+
+      ## The username of the admin user.
+      user: 'uid=authelia,ou=people,dc=moll,dc=re'
+      password:
+        # ## Disables this secret and leaves configuring it entirely up to you.
+        # disabled: false
+
+        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
+        # ## secret_value option below.
+        # secret_name: ~
+
+        # ## The value of a generated secret when using the ~ secret_name.
+        # value: ''
+
+        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
+        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
+        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
+        path: 'authentication.ldap.password.txt'
+        secret_name: authelia-ldap
+
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+
 
   session:
     inactivity: '2d'
@@ -52,37 +62,157 @@ configMap:
     cookies:
       - name: authelia_session
         domain: auth.kluster.moll.re
+    encryption_key:
+      secret_name: authelia-internal
+
+
   storage:
     encryption_key:
-      value: 'authelia-encryption-key'
+      secret_name: authelia-internal
+
     local:
       enabled: true
       file: /config/db.sqlite3
 
 
-##
+  # notifier:
-## Authelia Secret Configuration.
+  # notifier is configured via the smtp secret and merged by authelia upon startup
-##
-secret:
-
-  disabled: false
-
-  existingSecret: ''
 
 
-certificates:
+  identity_validation:
-  # don't use the pre-existing secret
+    reset_password:
-  existingSecret: ''
+      secret:
+        secret_name: authelia-internal
+        path: 'identity_validation.reset_password.jwt.hmac.key'
+
+
+  identity_providers:
+    oidc:
+      enabled: true
+      hmac_secret:
+        secret_name: authelia-internal
+        path: 'identity_providers.oidc.hmac.key'
+      # lifespans:
+      #   access_token: '1 hour'
+      #   authorize_code: '1 minute'
+      #   id_token: '1 hour'
+      #   refresh_token: '1 hour and 30 minutes'
+      cors:
+        allowed_origins_from_client_redirect_uris: true
+      
+      clients:
+        - client_id: 'grafana'
+          client_name: 'Grafana'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.grafana'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://grafana.kluster.moll.re/login/generic_oauth'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'recipes'
+          client_name: 'Recipes'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.recipes'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://recipes.kluster.moll.re/login'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'gitea'
+          client_name: 'Gitea'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.gitea'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'argocd'
+          client_name: 'Argo CD'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.argocd'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.kluster.moll.re/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'paperless'
+          client_name: 'Paperless'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.paperless'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'email'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'linkding'
+          client_name: 'LinkDing'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.linkding'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://linkding.kluster.moll.re/oidc/callback/'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+
 
-##
-## Authelia Persistence Configuration.
-##
-## Useful in scenarios where you need persistent storage.
-## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
-## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
-## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
-##
 persistence:
   enabled: true
   storageClass: 'nfs-client'
 
+
+secret:
+  mountPath: '/secrets'
+  additionalSecrets:
+    # the oidc client secrets referenced in the oidc config
+    authelia-oidc: {}
+    authelia-internal: {}
+    authelia-ldap: {}
+    authelia-smtp: {}

infrastructure/authelia/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
   - authelia-ldap.sealedsecret.yaml
   - authelia-oidc.sealedsecret.yaml
   - authelia-smtp.sealedsecret.yaml
+  - authelia-internal.sealedsecret.yaml
   - ingress.yaml
 
 
@@ -26,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.9
+    version: 0.9.13
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml