From 4ae76d668e7fbb94ffdb8a7f71c335a00022261b Mon Sep 17 00:00:00 2001
From: Dreaded_X
Date: Sat, 1 Mar 2025 06:14:47 +0100
Subject: [PATCH] Moved authelia ACL rules to seperate ConfigMaps
---
apps/grafana/config-map-authelia-acl.yaml | 10 ++++++++++
apps/grafana/kustomization.yaml | 1 +
infra/authelia/secret-authelia-acl.yaml | 11 +++-------
infra/kyverno-policies/generate-authelia-acl.yaml | 2 +-
infra/rook-ceph/config-map-authelia-acl.yaml | 11 +++++++++++
infra/rook-ceph/kustomization.yaml | 1 +
infra/traefik/config-map-authelia-acl.yaml | 11 +++++++++++
infra/traefik/kustomization.yaml | 1 +
8 files changed, 39 insertions(+), 9 deletions(-)
create mode 100644 apps/grafana/config-map-authelia-acl.yaml
create mode 100644 infra/rook-ceph/config-map-authelia-acl.yaml
create mode 100644 infra/traefik/config-map-authelia-acl.yaml
diff --git a/apps/grafana/config-map-authelia-acl.yaml b/apps/grafana/config-map-authelia-acl.yaml
new file mode 100644
index 0000000..3808399
--- /dev/null
+++ b/apps/grafana/config-map-authelia-acl.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authelia-acl
+ annotations:
+ config.huizinga.dev/fragment: authelia-acl
+data:
+ rules: |
+ - domain: grafana.${domain}
+ policy: one_factor
diff --git a/apps/grafana/kustomization.yaml b/apps/grafana/kustomization.yaml
index 5e6cfdf..2809263 100644
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - ./repository.yaml
 - ./release.yaml
 - ./lldap.yaml
+ - ./config-map-authelia-acl.yaml
 - ../../common/postgres
 - ../../common/dragonflydb
diff --git a/infra/authelia/secret-authelia-acl.yaml b/infra/authelia/secret-authelia-acl.yaml
index 62a3bc0..1c24d47 100644
--- a/infra/authelia/secret-authelia-acl.yaml
+++ b/infra/authelia/secret-authelia-acl.yaml
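Review bot: Nothing in this new ConfigMap says who consumes it: the `config.huizinga.dev/fragment: authelia-acl` annotation is what the Kyverno policy in infra/kyverno-policies/generate-authelia-acl.yaml matches on, and a reader in apps/grafana cannot tell that from the file itself. A header comment such as `# Authelia ACL fragment: collected by the Kyverno policy in infra/kyverno-policies/generate-authelia-acl.yaml via the config.huizinga.dev/fragment annotation; edits here take effect only when that policy regenerates the rules.` would make the dependency visible, and the same applies to the new infra/rook-ceph and infra/traefik fragments. The `${domain}` placeholder presumably relies on the same post-build substitution the Secret used, which this diff does not show.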
@@ -4,11 +4,6 @@ metadata:
 name: authelia-acl
 stringData:
 rules: |
- - domain: traefik.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
- - domain: ceph.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
- - domain: grafana.${domain}
- policy: one_factor
+ # Deny by default, mainly a placeholder to allow patching in other rules
+ - domain: "*"
+ policy: deny
diff --git a/infra/kyverno-policies/generate-authelia-acl.yaml b/infra/kyverno-policies/generate-authelia-acl.yaml
index 524da3e..f052f8b 100644
--- a/infra/kyverno-policies/generate-authelia-acl.yaml
+++ b/infra/kyverno-policies/generate-authelia-acl.yaml
@@ -45,7 +45,7 @@ spec:
 kinds:
 - ConfigMap
 annotations:
- config.huizinga.dev/generate: authelia-acl
+ config.huizinga.dev/fragment: authelia-acl
 context:
 - name: rules
 apiCall:
diff --git a/infra/rook-ceph/config-map-authelia-acl.yaml b/infra/rook-ceph/config-map-authelia-acl.yaml
new file mode 100644
index 0000000..73274dc
--- /dev/null
+++ b/infra/rook-ceph/config-map-authelia-acl.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authelia-acl
+ annotations:
+ config.huizinga.dev/fragment: authelia-acl
+data:
+ rules: |
+ - domain: ceph.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
diff --git a/infra/rook-ceph/kustomization.yaml b/infra/rook-ceph/kustomization.yaml
index b6ce735..53f80c5 100644
--- a/infra/rook-ceph/kustomization.yaml
+++ b/infra/rook-ceph/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
+ - ./config-map-authelia-acl.yaml
diff --git a/infra/traefik/config-map-authelia-acl.yaml b/infra/traefik/config-map-authelia-acl.yaml
new file mode 100644
index 0000000..c3fc14a
--- /dev/null
+++ b/infra/traefik/config-map-authelia-acl.yaml
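Review bot: The new catch-all `- domain: "*"` / `policy: deny` sits in the base rule list, and Authelia applies access-control rules in order with the first match winning, so if the generated Secret appends the ConfigMap fragments after this rule they will never be reached; how generate-authelia-acl.yaml orders base rules and fragments is not visible in this diff and is worth confirming before merging. If the intent is only to deny anything no fragment covers, Authelia's `access_control.default_policy: deny` expresses that without a rule that can shadow others, and the placeholder can then be dropped or kept as a documented last entry. The comment on the added line should also state the ordering constraint, e.g. `# Must stay last: Authelia evaluates rules in order, first match wins.`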
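Review bot: The match in the generate-authelia-acl.yaml hunk admits any ConfigMap carrying the `config.huizinga.dev/fragment: authelia-acl` annotation, in any namespace, with no restriction on which domains a fragment may claim; now that the rules are split across app namespaces, write access to ConfigMaps in one namespace is enough to add or relax rules for hosts served from another, a boundary the single Secret in infra/authelia did not cross. Consider limiting the match to the namespaces expected to contribute fragments, or adding a validate rule that rejects fragments whose `domain` entries are not associated with the originating namespace. The `apiCall` context and the generate step run past the end of this hunk, so how fragments are merged cannot be checked here. The annotation rename also means any ConfigMap still carrying `config.huizinga.dev/generate` is silently ignored from now on; none is visible in this diff, but it is worth a grep.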
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authelia-acl
+ annotations:
+ config.huizinga.dev/fragment: authelia-acl
+data:
+ rules: |
+ - domain: traefik.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
diff --git a/infra/traefik/kustomization.yaml b/infra/traefik/kustomization.yaml
index a03a1df..61d1cb6 100644
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
+ - ./config-map-authelia-acl.yaml