Reorganized authelia and split values into seperate file

2025-02-23 06:56:16 +01:00 · 2025-02-23 06:56:16 +01:00 · 5d38d90552
commit 5d38d90552
parent ab389f65f4
13 changed files with 146 additions and 102 deletions
--- a/.kcignore
+++ b/.kcignore
@ -1 +1,2 @@
 .sops.yaml
+infra/authelia/values.yaml
--- a/apps/authelia/kustomization.yaml
+++ b/apps/authelia/kustomization.yaml
@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: authelia
-resources:
-  - ./namespace.yaml
-  - ./repository.yaml
-  - ./release.yaml
-  - ./lldap.yaml
-  - ../../common/postgres
-  - ../../common/dragonflydb
--- a/apps/authelia/release.yaml
+++ b/apps/authelia/release.yaml
@ -1,90 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authelia
-spec:
-  chart:
-    spec:
-      chart: authelia
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: authelia
-      version: 0.9.9
-  interval: 15m
-  values:
-    pod:
-      replicas: 2
-    ingress:
-      enabled: true
-      tls:
-        enabled: true
-        secret: ${domain//./-}-tls
-      traefikCRD:
-        enabled: true
-        entryPoints:
-          - websecure
-
-    secret:
-      additionalSecrets:
-        postgres-app:
-          key: postgres-app
-        authelia-lldap:
-          key: authelia-lldap
-
-    configMap:
-      authentication_backend:
-        ldap:
-          enabled: true
-          implementation: custom
-          address: ldap://lldap.lldap.svc.cluster.local:3890
-          base_dn: dc=huizinga,dc=dev
-          additional_users_dn: ou=people
-          users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
-          additional_groups_dn: ou=groups
-          groups_filter: "(member={dn})"
-          attributes:
-            display_name: displayName
-            username: uid
-            group_name: cn
-            mail: mail
-          user: uid=authelia,ou=people,dc=huizinga,dc=dev
-          password:
-            secret_name: authelia-lldap
-            path: password
-
-      session:
-        cookies:
-          - subdomain: login${subdomain}
-            domain: ${topdomain}
-        redis:
-          enabled: true
-          host: dragonflydb.authelia
-
-      storage:
-        postgres:
-          enabled: true
-          address: tcp://postgres-rw.authelia:5432
-          database: app
-          username: app
-          password:
-            secret_name: postgres-app
-            path: password
-
-      notifier:
-        filesystem:
-          enabled: true
-
-      access_control:
-        rules:
-          - domain: traefik.${domain}
-            policy: one_factor
-            subject: "group:lldap_admin"
-          - domain: ceph.${domain}
-            policy: one_factor
-            subject: "group:lldap_admin"
-          - domain: grafana.${domain}
-            policy: one_factor
-          # Deny by default, mainly a placeholder to allow patching in other rules
-          - domain: "*"
-            policy: deny
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./lldap
-  - ./authelia
  - ./grafana

  - ./whoami.yaml
--- a/apps/lldap/bootstrap/kustomization.yaml
+++ b/apps/lldap/bootstrap/kustomization.yaml
@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./bootstrap-job.yaml
-  - ../../authelia/lldap.yaml
+  - ../../../infra/authelia/secret-authelia-lldap.yaml
  - ../../grafana/lldap.yaml

 configMapGenerator:
--- a/clusters/titan.lan.huizinga.dev/infra/authelia.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/authelia.yaml
@ -0,0 +1,26 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./infra/authelia
+  dependsOn:
+    - name: cnpg
+    - name: infra-controllers
+    - name: apps
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
--- a/common/name-reference/helm-release.yaml
+++ b/common/name-reference/helm-release.yaml
@ -0,0 +1,7 @@
+# This makes sure the field in the HelmRelease is recognized as a ConfigMap
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
--- a/infra/authelia/helm-release.yaml
+++ b/infra/authelia/helm-release.yaml
@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+      version: 0.9.16
+  interval: 15m
+  valuesFrom:
+    - kind: ConfigMap
+      name: authelia-values
--- a/infra/authelia/helm-repository.yaml
+++ b/infra/authelia/helm-repository.yaml
--- a/infra/authelia/kustomization.yaml
+++ b/infra/authelia/kustomization.yaml
@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+  - ./secret-authelia-lldap.yaml
+  - ../../common/postgres
+  - ../../common/dragonflydb
+
+configurations:
+  - ../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: authelia-values
+    files:
+      - ./values.yaml
--- a/infra/authelia/namespace.yaml
+++ b/infra/authelia/namespace.yaml
--- a/infra/authelia/secret-authelia-lldap.yaml
+++ b/infra/authelia/secret-authelia-lldap.yaml
--- a/infra/authelia/values.yaml
+++ b/infra/authelia/values.yaml
@ -0,0 +1,76 @@
+pod:
+  kind: Deployment
+  replicas: 2
+ingress:
+  enabled: true
+  tls:
+    enabled: true
+    secret: ${domain//./-}-tls
+  traefikCRD:
+    enabled: true
+    entryPoints:
+      - websecure
+
+secret:
+  additionalSecrets:
+    postgres-app:
+      key: postgres-app
+    authelia-lldap:
+      key: authelia-lldap
+
+configMap:
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: lldap
+      address: ldap://lldap.lldap.svc.cluster.local:3890
+      base_dn: dc=huizinga,dc=dev
+      additional_users_dn: ou=people
+      users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
+      additional_groups_dn: ou=groups
+      groups_filter: "(member={dn})"
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+      user: uid=authelia,ou=people,dc=huizinga,dc=dev
+      password:
+        secret_name: authelia-lldap
+        path: password
+
+  session:
+    cookies:
+      - subdomain: login${subdomain}
+        domain: ${topdomain}
+    redis:
+      enabled: true
+      host: dragonflydb.authelia
+
+  storage:
+    postgres:
+      enabled: true
+      address: tcp://postgres-rw.authelia:5432
+      database: app
+      username: app
+      password:
+        secret_name: postgres-app
+        path: password
+
+  notifier:
+    filesystem:
+      enabled: true
+
+  access_control:
+    rules:
+      - domain: traefik.${domain}
+        policy: one_factor
+        subject: "group:lldap_admin"
+      - domain: ceph.${domain}
+        policy: one_factor
+        subject: "group:lldap_admin"
+      - domain: grafana.${domain}
+        policy: one_factor
+      # Deny by default, mainly a placeholder to allow patching in other rules
+      - domain: "*"
+        policy: deny