diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index be3bd36..8c29d78 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos: args: ["--force-exclude"] - repo: git@huizinga.dev:Dreaded_X/cluster-crds.git - rev: 6508ba150745b55a00d3afa6a1c199a37a425285 + rev: 668085a380dfafec220d6ec209cd0c3673dc1457 hooks: - id: kubeconform
diff --git a/apps/grafana/access-control-rule.yaml b/apps/grafana/access-control-rule.yaml
new file mode 100644
index 0000000..e1fb9b5
--- /dev/null
+++ b/apps/grafana/access-control-rule.yaml
@@ -0,0 +1,7 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+ name: grafana
+spec:
+ domain: grafana.${domain}
+ policy: one_factor
diff --git a/apps/grafana/config-map-authelia-acl.yaml b/apps/grafana/config-map-authelia-acl.yaml
deleted file mode 100644
index 3808399..0000000
--- a/apps/grafana/config-map-authelia-acl.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: authelia-acl
- annotations:
- config.huizinga.dev/fragment: authelia-acl
-data:
- rules: |
- - domain: grafana.${domain}
- policy: one_factor
diff --git a/apps/grafana/kustomization.yaml b/apps/grafana/kustomization.yaml
index f822e63..d11bec3 100644
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - ./repository.yaml
 - ./release.yaml
 - ./service-user.yaml
- - ./config-map-authelia-acl.yaml
+ - ./access-control-rule.yaml
 - ../../common/postgres
 - ../../common/dragonflydb
diff --git a/clusters/titan.lan.huizinga.dev/apps.yaml b/clusters/titan.lan.huizinga.dev/apps.yaml
index d52c7f9..41e6ef8 100644
--- a/clusters/titan.lan.huizinga.dev/apps.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps.yaml
@@ -6,6 +6,7 @@ metadata:
 spec:
 dependsOn:
 - name: traefik
+ - name: authelia-controller
 - name: lldap-controller
 - name: cnpg
 - name: dragonflydb
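Review bot: The infra-side consumers of the new CRD get no ordering guarantee in this diff: `infra/traefik` and `infra/rook-ceph-cluster` now ship an `AccessControlRule`, but only the `apps` and `siranga` Kustomizations gain `- name: authelia-controller` under `dependsOn`. Unless the Flux Kustomization that applies `infra/` already depends on `authelia-controller` (not visible here), a fresh bootstrap can try to apply those rules before the CRD has been installed and that reconciliation stalls on the unknown kind. Adding `- name: authelia-controller` to that Kustomization's `dependsOn`, or moving the two rules into a Kustomization that already carries it, would close the gap.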
diff --git a/clusters/titan.lan.huizinga.dev/apps/siranga.yaml b/clusters/titan.lan.huizinga.dev/apps/siranga.yaml
index 0a619c7..4715807 100644
--- a/clusters/titan.lan.huizinga.dev/apps/siranga.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps/siranga.yaml
@@ -20,6 +20,7 @@ spec:
 - name: traefik
 - name: letsencrypt
 - name: lldap-controller
+ - name: authelia-controller
 prune: true
 timeout: 2m
 sourceRef:
diff --git a/clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml b/clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml
new file mode 100644
index 0000000..fc467b0
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml
@@ -0,0 +1,24 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: authelia-controller
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
+ ref:
+ tag: edge
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: authelia-controller
+ namespace: flux-system
+spec:
+ interval: 15m
+ prune: true
+ timeout: 2m
+ sourceRef:
+ kind: OCIRepository
+ name: authelia-controller
+ wait: true
diff --git a/infra/authelia/kustomization.yaml b/infra/authelia/kustomization.yaml
index e1d54c3..125afe6 100644
--- a/infra/authelia/kustomization.yaml
+++ b/infra/authelia/kustomization.yaml
@@ -6,7 +6,6 @@ resources: - ./helm-repository.yaml - ./helm-release.yaml - ./service-user.yaml - - ./secret-authelia-acl.yaml - ../../common/postgres - ../../common/dragonflydb
diff --git a/infra/authelia/secret-authelia-acl.yaml b/infra/authelia/secret-authelia-acl.yaml
deleted file mode 100644
index 1c24d47..0000000
--- a/infra/authelia/secret-authelia-acl.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: authelia-acl
-stringData:
- rules: |
- # Deny by default, mainly a placeholder to allow patching in other rules
- - domain: "*"
- policy: deny
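Review bot: The `OCIRepository` in `authelia-controller.yaml` tracks the mutable `tag: edge` at `interval: 1m0s` with no `spec.verify` block, so whatever is next pushed to that tag is applied cluster-wide within a minute, and this controller now owns the generation of Authelia's access-control policy. Pinning the reference (`ref: {digest: "<pinned-digest>"}` or a release tag) and enabling signature verification (`verify: {provider: cosign}`) would bring it in line with `.pre-commit-config.yaml` in this same diff, which pins its hook repo to a commit. Separately, the `secret-authelia-acl.yaml` removed on this line used to seed the policy with a `domain: "*"` / `policy: deny` fallback, and nothing in the diff shows the controller re-establishing a deny-by-default rule; worth confirming that Authelia's `default_policy` (or an equivalent generated rule) still denies unmatched domains after the migration.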
diff --git a/infra/kyverno-policies/generate-authelia-acl.yaml b/infra/kyverno-policies/generate-authelia-acl.yaml
deleted file mode 100644
index b80677f..0000000
--- a/infra/kyverno-policies/generate-authelia-acl.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: generate-authelia-acl - annotations: - policies.kyverno.io/title: Generate Authelia ACL - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Secret - kyverno.io/kyverno-version: 1.7.0 - policies.kyverno.io/minversion: 1.7.0 - kyverno.io/kubernetes-version: "1.23" -spec: - rules: - - name: update-from-base - match: - any: - - resources: - kinds: - - Secret - names: - - authelia-acl - namespaces: - - authelia - context: - - name: rules - apiCall: - urlPath: "/api/v1/configmaps" - jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)' - mutate: - patchStrategicMerge: - stringData: - "configuration.acl.yaml": | - access_control: - rules: - {{ replace_all(base64_decode(request.object.data.rules || ''), ' - ', ' - ') }}{{ replace_all(rules, ' - ', ' - ') }} - - name: update-from-fragment - match: - any: - - resources: - kinds: - - ConfigMap - annotations: - config.huizinga.dev/fragment: authelia-acl - context: - - name: rules - apiCall: - urlPath: "/api/v1/configmaps" - jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)' - mutate: - mutateExistingOnPolicyUpdate: true - targets: - - apiVersion: v1 - kind: Secret - name: authelia-acl - namespace: authelia - patchStrategicMerge: - stringData: - "configuration.acl.yaml": | - access_control: - rules: - {{ replace_all(base64_decode(target.data.rules || ''), ' - ', ' - ') }}{{ replace_all(rules, ' - ', ' - ') }}
diff --git a/infra/kyverno-policies/kustomization.yaml b/infra/kyverno-policies/kustomization.yaml
index 400d5c1..7a7e10d 100644
--- a/infra/kyverno-policies/kustomization.yaml
+++ b/infra/kyverno-policies/kustomization.yaml
@@ -2,5 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./kube-vip-network-adapter.yaml
- - ./generate-authelia-acl.yaml
- - ./restart-on-secret-change.yaml
diff --git a/infra/kyverno-policies/restart-on-secret-change.yaml b/infra/kyverno-policies/restart-on-secret-change.yaml
deleted file mode 100644
index 5636919..0000000
--- a/infra/kyverno-policies/restart-on-secret-change.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restart-deployment-on-secret-change
- annotations:
- policies.kyverno.io/title: Restart Deployment On Secret Change
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Deployment
- kyverno.io/kyverno-version: 1.7.0
- policies.kyverno.io/minversion: 1.7.0
- kyverno.io/kubernetes-version: "1.23"
-spec:
- mutateExistingOnPolicyUpdate: false
- rules:
- - name: update-secret
- skipBackgroundRequests: false
- match:
- any:
- - resources:
- kinds:
- - Secret
- names:
- - authelia-acl
- namespaces:
- - authelia
- preconditions:
- all:
- - key: "{{request.operation || 'BACKGROUND'}}"
- operator: Equals
- value: UPDATE
- mutate:
- targets:
- - apiVersion: apps/v1
- kind: Deployment
- name: authelia
- namespace: authelia
- patchStrategicMerge:
- spec:
- template:
- metadata:
- annotations:
- config.huizinga.dev/triggerRestart: "{{request.object.metadata.resourceVersion}}"
diff --git a/infra/rook-ceph-cluster/access-control-rule.yaml b/infra/rook-ceph-cluster/access-control-rule.yaml
new file mode 100644
index 0000000..bf37aa1
--- /dev/null
+++ b/infra/rook-ceph-cluster/access-control-rule.yaml
@@ -0,0 +1,8 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+ name: ceph
+spec:
+ domain: ceph.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
diff --git a/infra/rook-ceph-cluster/kustomization.yaml b/infra/rook-ceph-cluster/kustomization.yaml
index 79ce5ae..b811a7e 100644
--- a/infra/rook-ceph-cluster/kustomization.yaml
+++ b/infra/rook-ceph-cluster/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 namespace: rook-ceph
 resources:
 - ./helm-release.yaml
+ - ./access-control-rule.yaml
diff --git a/infra/rook-ceph/config-map-authelia-acl.yaml b/infra/rook-ceph/config-map-authelia-acl.yaml
deleted file mode 100644
index 73274dc..0000000
--- a/infra/rook-ceph/config-map-authelia-acl.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: authelia-acl
- annotations:
- config.huizinga.dev/fragment: authelia-acl
-data:
- rules: |
- - domain: ceph.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
diff --git a/infra/rook-ceph/kustomization.yaml b/infra/rook-ceph/kustomization.yaml
index 53f80c5..b6ce735 100644
--- a/infra/rook-ceph/kustomization.yaml
+++ b/infra/rook-ceph/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
- - ./config-map-authelia-acl.yaml
diff --git a/infra/traefik/access-control-rule.yaml b/infra/traefik/access-control-rule.yaml
new file mode 100644
index 0000000..3eddc1c
--- /dev/null
+++ b/infra/traefik/access-control-rule.yaml
@@ -0,0 +1,8 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+ name: traefik
+spec:
+ domain: traefik.${domain}
+ policy: one_factor
+ subject: group:lldap_admin
diff --git a/infra/traefik/config-map-authelia-acl.yaml b/infra/traefik/config-map-authelia-acl.yaml
deleted file mode 100644
index c3fc14a..0000000
--- a/infra/traefik/config-map-authelia-acl.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: authelia-acl
- annotations:
- config.huizinga.dev/fragment: authelia-acl
-data:
- rules: |
- - domain: traefik.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
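Review bot: `subject: group:lldap_admin` in `infra/traefik/access-control-rule.yaml` is written unquoted, while the sibling rule in `infra/rook-ceph-cluster/access-control-rule.yaml` and the ConfigMap this file replaces both quote the same value as `"group:lldap_admin"`. Both forms parse to the same string today, but the two rules should agree, and quoting is the safer default for `group:`/`user:` subjects because a value containing `: ` would otherwise change its YAML type instead of staying a string. Suggested change: `subject: "group:lldap_admin"`.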
diff --git a/infra/traefik/kustomization.yaml b/infra/traefik/kustomization.yaml
index 61d1cb6..fac314c 100644
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
- - ./config-map-authelia-acl.yaml
+ - ./access-control-rule.yaml