Switch to authelia-controller

.pre-commit-config.yaml

@@ -17,7 +17,7 @@ repos:
         args: ["--force-exclude"]
 
   - repo: git@huizinga.dev:Dreaded_X/cluster-crds.git
-    rev: 6508ba150745b55a00d3afa6a1c199a37a425285
+    rev: 668085a380dfafec220d6ec209cd0c3673dc1457
     hooks:
       - id: kubeconform
 

apps/grafana/access-control-rule.yaml

@@ -0,0 +1,7 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+  name: grafana
+spec:
+  domain: grafana.${domain}
+  policy: one_factor

apps/grafana/config-map-authelia-acl.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: authelia-acl
-  annotations:
-    config.huizinga.dev/fragment: authelia-acl
-data:
-  rules: |
-    - domain: grafana.${domain}
-      policy: one_factor

apps/grafana/kustomization.yaml

@@ -6,7 +6,7 @@ resources:
   - ./repository.yaml
   - ./release.yaml
   - ./service-user.yaml
-  - ./config-map-authelia-acl.yaml
+  - ./access-control-rule.yaml
   - ../../common/postgres
   - ../../common/dragonflydb
 

clusters/titan.lan.huizinga.dev/apps.yaml

@@ -6,6 +6,7 @@ metadata:
 spec:
   dependsOn:
     - name: traefik
+    - name: authelia-controller
     - name: lldap-controller
     - name: cnpg
     - name: dragonflydb

clusters/titan.lan.huizinga.dev/apps/siranga.yaml

@@ -20,6 +20,7 @@ spec:
     - name: traefik
     - name: letsencrypt
     - name: lldap-controller
+    - name: authelia-controller
   prune: true
   timeout: 2m
   sourceRef:

clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml

@@ -0,0 +1,24 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
+  ref:
+    tag: edge
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: authelia-controller
+  wait: true

infra/authelia/kustomization.yaml

@@ -6,7 +6,6 @@ resources:
   - ./helm-repository.yaml
   - ./helm-release.yaml
   - ./service-user.yaml
-  - ./secret-authelia-acl.yaml
   - ../../common/postgres
   - ../../common/dragonflydb
 

infra/authelia/secret-authelia-acl.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: authelia-acl
-stringData:
-  rules: |
-    # Deny by default, mainly a placeholder to allow patching in other rules
-    - domain: "*"
-      policy: deny

infra/kyverno-policies/generate-authelia-acl.yaml

@@ -1,71 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: generate-authelia-acl
-  annotations:
-    policies.kyverno.io/title: Generate Authelia ACL
-    policies.kyverno.io/category: Other
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Secret
-    kyverno.io/kyverno-version: 1.7.0
-    policies.kyverno.io/minversion: 1.7.0
-    kyverno.io/kubernetes-version: "1.23"
-spec:
-  rules:
-    - name: update-from-base
-      match:
-        any:
-          - resources:
-              kinds:
-                - Secret
-              names:
-                - authelia-acl
-              namespaces:
-                - authelia
-      context:
-        - name: rules
-          apiCall:
-            urlPath: "/api/v1/configmaps"
-            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
-      mutate:
-        patchStrategicMerge:
-          stringData:
-            "configuration.acl.yaml": |
-              access_control:
-                rules:
-                  {{ replace_all(base64_decode(request.object.data.rules || ''), '
-              ', '
-                  ') }}{{ replace_all(rules, '
-              ', '
-                  ') }}
-
-    - name: update-from-fragment
-      match:
-        any:
-          - resources:
-              kinds:
-                - ConfigMap
-              annotations:
-                config.huizinga.dev/fragment: authelia-acl
-      context:
-        - name: rules
-          apiCall:
-            urlPath: "/api/v1/configmaps"
-            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
-      mutate:
-        mutateExistingOnPolicyUpdate: true
-        targets:
-          - apiVersion: v1
-            kind: Secret
-            name: authelia-acl
-            namespace: authelia
-        patchStrategicMerge:
-          stringData:
-            "configuration.acl.yaml": |
-              access_control:
-                rules:
-                  {{ replace_all(base64_decode(target.data.rules || ''), '
-              ', '
-                  ') }}{{ replace_all(rules, '
-              ', '
-                  ') }}

infra/kyverno-policies/kustomization.yaml

@@ -2,5 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./kube-vip-network-adapter.yaml
-  - ./generate-authelia-acl.yaml
-  - ./restart-on-secret-change.yaml

infra/kyverno-policies/restart-on-secret-change.yaml

@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: restart-deployment-on-secret-change
-  annotations:
-    policies.kyverno.io/title: Restart Deployment On Secret Change
-    policies.kyverno.io/category: Other
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Deployment
-    kyverno.io/kyverno-version: 1.7.0
-    policies.kyverno.io/minversion: 1.7.0
-    kyverno.io/kubernetes-version: "1.23"
-spec:
-  mutateExistingOnPolicyUpdate: false
-  rules:
-    - name: update-secret
-      skipBackgroundRequests: false
-      match:
-        any:
-          - resources:
-              kinds:
-                - Secret
-              names:
-                - authelia-acl
-              namespaces:
-                - authelia
-      preconditions:
-        all:
-          - key: "{{request.operation || 'BACKGROUND'}}"
-            operator: Equals
-            value: UPDATE
-      mutate:
-        targets:
-          - apiVersion: apps/v1
-            kind: Deployment
-            name: authelia
-            namespace: authelia
-        patchStrategicMerge:
-          spec:
-            template:
-              metadata:
-                annotations:
-                  config.huizinga.dev/triggerRestart: "{{request.object.metadata.resourceVersion}}"

infra/rook-ceph-cluster/access-control-rule.yaml

@@ -0,0 +1,8 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+  name: ceph
+spec:
+  domain: ceph.${domain}
+  policy: one_factor
+  subject: "group:lldap_admin"

infra/rook-ceph-cluster/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 namespace: rook-ceph
 resources:
   - ./helm-release.yaml
+  - ./access-control-rule.yaml

infra/rook-ceph/config-map-authelia-acl.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: authelia-acl
-  annotations:
-    config.huizinga.dev/fragment: authelia-acl
-data:
-  rules: |
-    - domain: ceph.${domain}
-      policy: one_factor
-      subject: "group:lldap_admin"

infra/rook-ceph/kustomization.yaml

@@ -5,4 +5,3 @@ resources:
   - ./namespace.yaml
   - ./helm-repository.yaml
   - ./helm-release.yaml
-  - ./config-map-authelia-acl.yaml

infra/traefik/access-control-rule.yaml

@@ -0,0 +1,8 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+  name: traefik
+spec:
+  domain: traefik.${domain}
+  policy: one_factor
+  subject: group:lldap_admin

infra/traefik/config-map-authelia-acl.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: authelia-acl
-  annotations:
-    config.huizinga.dev/fragment: authelia-acl
-data:
-  rules: |
-    - domain: traefik.${domain}
-      policy: one_factor
-      subject: "group:lldap_admin"

infra/traefik/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
   - ./namespace.yaml
   - ./helm-repository.yaml
   - ./helm-release.yaml
-  - ./config-map-authelia-acl.yaml
+  - ./access-control-rule.yaml