Moved authelia ACL rules to seperate ConfigMaps

2025-03-01 06:14:47 +01:00 · 2025-03-01 06:14:47 +01:00 · 4ae76d668e
commit 4ae76d668e
parent c7229f1112
8 changed files with 39 additions and 9 deletions
--- a/apps/grafana/config-map-authelia-acl.yaml
+++ b/apps/grafana/config-map-authelia-acl.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-acl
+  annotations:
+    config.huizinga.dev/fragment: authelia-acl
+data:
+  rules: |
+    - domain: grafana.${domain}
+      policy: one_factor
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@ -6,6 +6,7 @@ resources:
  - ./repository.yaml
  - ./release.yaml
  - ./lldap.yaml
+  - ./config-map-authelia-acl.yaml
  - ../../common/postgres
  - ../../common/dragonflydb

--- a/infra/authelia/secret-authelia-acl.yaml
+++ b/infra/authelia/secret-authelia-acl.yaml
@ -4,11 +4,6 @@ metadata:
  name: authelia-acl
 stringData:
  rules: |
-    - domain: traefik.${domain}
-      policy: one_factor
-      subject: "group:lldap_admin"
-    - domain: ceph.${domain}
-      policy: one_factor
-      subject: "group:lldap_admin"
-    - domain: grafana.${domain}
-      policy: one_factor
+    # Deny by default, mainly a placeholder to allow patching in other rules
+    - domain: "*"
+      policy: deny
--- a/infra/kyverno-policies/generate-authelia-acl.yaml
+++ b/infra/kyverno-policies/generate-authelia-acl.yaml
@ -45,7 +45,7 @@ spec:
              kinds:
                - ConfigMap
              annotations:
-                config.huizinga.dev/generate: authelia-acl
+                config.huizinga.dev/fragment: authelia-acl
      context:
        - name: rules
          apiCall:
--- a/infra/rook-ceph/config-map-authelia-acl.yaml
+++ b/infra/rook-ceph/config-map-authelia-acl.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-acl
+  annotations:
+    config.huizinga.dev/fragment: authelia-acl
+data:
+  rules: |
+    - domain: ceph.${domain}
+      policy: one_factor
+      subject: "group:lldap_admin"
--- a/infra/rook-ceph/kustomization.yaml
+++ b/infra/rook-ceph/kustomization.yaml
@ -5,3 +5,4 @@ resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
+  - ./config-map-authelia-acl.yaml
--- a/infra/traefik/config-map-authelia-acl.yaml
+++ b/infra/traefik/config-map-authelia-acl.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-acl
+  annotations:
+    config.huizinga.dev/fragment: authelia-acl
+data:
+  rules: |
+    - domain: traefik.${domain}
+      policy: one_factor
+      subject: "group:lldap_admin"
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@ -5,3 +5,4 @@ resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
+  - ./config-map-authelia-acl.yaml