diff --git a/.kcignore b/.kcignore
index 674502c..f0992e5 100644
--- a/.kcignore
+++ b/.kcignore
@@ -1 +1,2 @@
.sops.yaml
+infra/authelia/values.yaml
diff --git a/apps/authelia/kustomization.yaml b/apps/authelia/kustomization.yaml
deleted file mode 100644
index 2b1f212..0000000
--- a/apps/authelia/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: authelia
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
- - ./lldap.yaml
- - ../../common/postgres
- - ../../common/dragonflydb
diff --git a/apps/authelia/release.yaml b/apps/authelia/release.yaml
deleted file mode 100644
index 56eb8c7..0000000
--- a/apps/authelia/release.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: authelia
-spec:
- chart:
- spec:
- chart: authelia
- reconcileStrategy: ChartVersion
- sourceRef:
- kind: HelmRepository
- name: authelia
- version: 0.9.9
- interval: 15m
- values:
- pod:
- replicas: 2
- ingress:
- enabled: true
- tls:
- enabled: true
- secret: ${domain//./-}-tls
- traefikCRD:
- enabled: true
- entryPoints:
- - websecure
-
- secret:
- additionalSecrets:
- postgres-app:
- key: postgres-app
- authelia-lldap:
- key: authelia-lldap
-
- configMap:
- authentication_backend:
- ldap:
- enabled: true
- implementation: custom
- address: ldap://lldap.lldap.svc.cluster.local:3890
- base_dn: dc=huizinga,dc=dev
- additional_users_dn: ou=people
- users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
- additional_groups_dn: ou=groups
- groups_filter: "(member={dn})"
- attributes:
- display_name: displayName
- username: uid
- group_name: cn
- mail: mail
- user: uid=authelia,ou=people,dc=huizinga,dc=dev
- password:
- secret_name: authelia-lldap
- path: password
-
- session:
- cookies:
- - subdomain: login${subdomain}
- domain: ${topdomain}
- redis:
- enabled: true
- host: dragonflydb.authelia
-
- storage:
- postgres:
- enabled: true
- address: tcp://postgres-rw.authelia:5432
- database: app
- username: app
- password:
- secret_name: postgres-app
- path: password
-
- notifier:
- filesystem:
- enabled: true
-
- access_control:
- rules:
- - domain: traefik.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
- - domain: ceph.${domain}
- policy: one_factor
- subject: "group:lldap_admin"
- - domain: grafana.${domain}
- policy: one_factor
- # Deny by default, mainly a placeholder to allow patching in other rules
- - domain: "*"
- policy: deny
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index 0c6b3d9..0975d84 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./lldap
- - ./authelia
- ./grafana
- ./whoami.yaml
diff --git a/apps/lldap/bootstrap/kustomization.yaml b/apps/lldap/bootstrap/kustomization.yaml
index 8c41fa0..a5bf650 100644
--- a/apps/lldap/bootstrap/kustomization.yaml
+++ b/apps/lldap/bootstrap/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./bootstrap-job.yaml
- - ../../authelia/lldap.yaml
+ - ../../../infra/authelia/secret-authelia-lldap.yaml
- ../../grafana/lldap.yaml
configMapGenerator:
diff --git a/clusters/titan.lan.huizinga.dev/infra/authelia.yaml b/clusters/titan.lan.huizinga.dev/infra/authelia.yaml
new file mode 100644
index 0000000..0c76d9a
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/infra/authelia.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: authelia
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./infra/authelia
+ dependsOn:
+ - name: cnpg
+ - name: infra-controllers
+ - name: apps
+ prune: true
+ timeout: 2m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ wait: true
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: domain-vars
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
diff --git a/common/name-reference/helm-release.yaml b/common/name-reference/helm-release.yaml
new file mode 100644
index 0000000..2880fd7
--- /dev/null
+++ b/common/name-reference/helm-release.yaml
@@ -0,0 +1,7 @@
+# This makes sure the field in the HelmRelease is recognized as a ConfigMap
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/infra/authelia/helm-release.yaml b/infra/authelia/helm-release.yaml
new file mode 100644
index 0000000..5cdfb24
--- /dev/null
+++ b/infra/authelia/helm-release.yaml
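Review bot: The new entry `- ../../../infra/authelia/secret-authelia-lldap.yaml` makes apps/lldap/bootstrap build from a file that the infra/authelia kustomization in this same commit also applies, into namespace authelia, and nothing in the bootstrap kustomization says so; a line comment such as `# shared with infra/authelia (applied there into namespace authelia); moving or renaming it breaks this build` would make the coupling visible to whoever next touches either tree. The old path already left the kustomization root, so this presumably relies on kustomize's load restrictions being relaxed the way Flux's kustomize-controller does; a plain `kustomize build` of this directory would reject the reference. The `configMapGenerator:` stanza that closes the hunk continues outside it.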
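Review bot: `dependsOn` listing `- name: apps` makes an infra-layer Kustomization wait on the apps layer, which inverts the usual ordering, and the hunk gives no reason; presumably it is there because the lldap bootstrap job under apps/lldap/bootstrap has to create the `uid=authelia` bind account that values.yaml uses, so a comment on that entry, `# apps: lldap bootstrap must create the authelia bind user before the chart is reconciled`, would stop someone from "fixing" the order. `wait: true` together with `timeout: 2m` also means the first reconcile has to see the HelmRelease plus the postgres and dragonflydb resources pulled in from ../../common become Ready within two minutes, otherwise the Kustomization is reported not ready until a later reconcile; nothing on the page shows that budget was checked against a cold start, so either widen it or note why two minutes is enough.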
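Review bot: The nameReference only lists `kind: ConfigMap`, so a future `valuesFrom` entry that points at a secretGenerator-backed Secret would keep its un-suffixed name and the HelmRelease would reference an object that does not exist; the header comment should state that scope, e.g. `# Follows configMapGenerator hash suffixes for spec.valuesFrom[].name; add a Secret entry before using secretGenerator-backed valuesFrom`. As far as I can tell the fieldSpec matches on the name string alone and does not consult the sibling `kind` of the valuesFrom entry, so a Secret whose name collides with a generated ConfigMap name would be rewritten as well — worth a sentence in the same comment if that reading holds.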
@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authelia
+spec:
+ chart:
+ spec:
+ chart: authelia
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: authelia
+ version: 0.9.16
+ interval: 15m
+ valuesFrom:
+ - kind: ConfigMap
+ name: authelia-values
diff --git a/apps/authelia/repository.yaml b/infra/authelia/helm-repository.yaml
similarity index 100%
rename from apps/authelia/repository.yaml
rename to infra/authelia/helm-repository.yaml
diff --git a/infra/authelia/kustomization.yaml b/infra/authelia/kustomization.yaml
new file mode 100644
index 0000000..ccd067e
--- /dev/null
+++ b/infra/authelia/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+resources:
+ - ./namespace.yaml
+ - ./helm-repository.yaml
+ - ./helm-release.yaml
+ - ./secret-authelia-lldap.yaml
+ - ../../common/postgres
+ - ../../common/dragonflydb
+
+configurations:
+ - ../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+ - name: authelia-values
+ files:
+ - ./values.yaml
diff --git a/apps/authelia/namespace.yaml b/infra/authelia/namespace.yaml
similarity index 100%
rename from apps/authelia/namespace.yaml
rename to infra/authelia/namespace.yaml
diff --git a/apps/authelia/lldap.yaml b/infra/authelia/secret-authelia-lldap.yaml
similarity index 100%
rename from apps/authelia/lldap.yaml
rename to infra/authelia/secret-authelia-lldap.yaml
diff --git a/infra/authelia/values.yaml b/infra/authelia/values.yaml
new file mode 100644
index 0000000..13154f8
--- /dev/null
+++ b/infra/authelia/values.yaml
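Review bot: `name: authelia-values` under `valuesFrom` is the un-suffixed generator name and silently relies on two things: the nameReference configuration wired in by infra/authelia/kustomization.yaml rewriting it to the hash-suffixed ConfigMap, and Flux's `valuesKey` defaulting to `values.yaml`, which only works because that is the file name handed to configMapGenerator. Neither is stated in the file; a comment above the entry, `# generated by configMapGenerator in kustomization.yaml (hash suffix resolved via the nameReference configuration); valuesKey defaults to values.yaml, so keep the generator file name`, would keep a rename of the file or the generator from breaking the release without any build error. The bare `configurations:` entry in the infra/authelia/kustomization.yaml hunk on this same line is the other half of that contract and could carry the matching one-line comment.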
@@ -0,0 +1,76 @@
+pod:
+ kind: Deployment
+ replicas: 2
+ingress:
+ enabled: true
+ tls:
+ enabled: true
+ secret: ${domain//./-}-tls
+ traefikCRD:
+ enabled: true
+ entryPoints:
+ - websecure
+
+secret:
+ additionalSecrets:
+ postgres-app:
+ key: postgres-app
+ authelia-lldap:
+ key: authelia-lldap
+
+configMap:
+ authentication_backend:
+ ldap:
+ enabled: true
+ implementation: lldap
+ address: ldap://lldap.lldap.svc.cluster.local:3890
+ base_dn: dc=huizinga,dc=dev
+ additional_users_dn: ou=people
+ users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
+ additional_groups_dn: ou=groups
+ groups_filter: "(member={dn})"
+ attributes:
+ display_name: displayName
+ username: uid
+ group_name: cn
+ mail: mail
+ user: uid=authelia,ou=people,dc=huizinga,dc=dev
+ password:
+ secret_name: authelia-lldap
+ path: password
+
+ session:
+ cookies:
+ - subdomain: login${subdomain}
+ domain: ${topdomain}
+ redis:
+ enabled: true
+ host: dragonflydb.authelia
+
+ storage:
+ postgres:
+ enabled: true
+ address: tcp://postgres-rw.authelia:5432
+ database: app
+ username: app
+ password:
+ secret_name: postgres-app
+ path: password
+
+ notifier:
+ filesystem:
+ enabled: true
+
+ access_control:
+ rules:
+ - domain: traefik.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
+ - domain: ceph.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
+ - domain: grafana.${domain}
+ policy: one_factor
+ # Deny by default, mainly a placeholder to allow patching in other rules
+ - domain: "*"
+ policy: deny
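Review bot: `notifier.filesystem.enabled: true` combined with `pod.kind: Deployment` and `replicas: 2` means identity-verification and password-reset notifications are written to a file inside whichever of the two pods served the request and never reach the user; if email delivery is intentionally off, say so next to the notifier, e.g. `# filesystem notifier: self-service reset/registration links land in the pod's filesystem, not in a mailbox`. The carried-over comment `# Deny by default, mainly a placeholder to allow patching in other rules` no longer describes how this file is consumed: the rules now live in a configMapGenerator-backed file rather than in HelmRelease `spec.values`, so other kustomizations cannot patch extra rules into it, and as far as I can tell a second `valuesFrom` entry would replace the whole `rules` list under Helm's value merging rather than append to it. Separately, `address: ldap://lldap.lldap.svc.cluster.local:3890` sends the `uid=authelia` bind password across the pod network in the clear; that is a common in-cluster choice, but a one-line comment saying it deliberately relies on network isolation (or noting the TLS option was evaluated) would distinguish intent from oversight.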