diff --git a/clusters/titan.lan.huizinga.dev/infra/authelia.yaml b/clusters/titan.lan.huizinga.dev/infra/authelia.yaml index 4df9441..d8b6ccf 100644 --- a/clusters/titan.lan.huizinga.dev/infra/authelia.yaml +++ b/clusters/titan.lan.huizinga.dev/infra/authelia.yaml @@ -10,6 +10,7 @@ spec: - name: traefik - name: cnpg - name: dragonflydb + - name: kyverno-policies prune: true timeout: 2m sourceRef: diff --git a/infra/authelia/kustomization.yaml b/infra/authelia/kustomization.yaml index ccd067e..25d8b64 100644 --- a/infra/authelia/kustomization.yaml +++ b/infra/authelia/kustomization.yaml @@ -5,6 +5,7 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml + - ./secret-authelia-acl.yaml - ./secret-authelia-lldap.yaml - ../../common/postgres - ../../common/dragonflydb diff --git a/infra/authelia/secret-authelia-acl.yaml b/infra/authelia/secret-authelia-acl.yaml new file mode 100644 index 0000000..62a3bc0 --- /dev/null +++ b/infra/authelia/secret-authelia-acl.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: authelia-acl +stringData: + rules: | + - domain: traefik.${domain} + policy: one_factor + subject: "group:lldap_admin" + - domain: ceph.${domain} + policy: one_factor + subject: "group:lldap_admin" + - domain: grafana.${domain} + policy: one_factor diff --git a/infra/authelia/values.yaml b/infra/authelia/values.yaml index 13154f8..93a8cfb 100644 --- a/infra/authelia/values.yaml +++ b/infra/authelia/values.yaml @@ -62,15 +62,5 @@ configMap: enabled: true access_control: - rules: - - domain: traefik.${domain} - policy: one_factor - subject: "group:lldap_admin" - - domain: ceph.${domain} - policy: one_factor - subject: "group:lldap_admin" - - domain: grafana.${domain} - policy: one_factor - # Deny by default, mainly a placeholder to allow patching in other rules - - domain: "*" - policy: deny + secret: + existingSecret: authelia-acl 
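Review bot: The new `secret-authelia-acl.yaml` carries over the three allow rules from values.yaml but not the catch-all `- domain: "*"` / `policy: deny` rule the removed block ended with. Authelia's `access_control.default_policy` defaults to deny, so the effective result is likely unchanged, but that holds only if `default_policy` is not set more permissively elsewhere in values.yaml (outside this hunk), and the removed comment said the rule also served as an anchor for patching in other rules. If dropping it is intentional, a comment above `rules:` in the Secret such as `# No catch-all rule here: the deny default comes from Authelia's default_policy; fragments only add allow rules` would record the decision. The Secret only holds raw `rules` and depends on the Kyverno policy to produce the `configuration.acl.yaml` key the chart reads, so the new `kyverno-policies` dependency in the cluster Kustomization is load-bearing and deserves a short comment saying why it is there.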
diff --git a/infra/kyverno-policies/generate-authelia-acl.yaml b/infra/kyverno-policies/generate-authelia-acl.yaml
new file mode 100644
index 0000000..524da3e
--- /dev/null
+++ b/infra/kyverno-policies/generate-authelia-acl.yaml
@@ -0,0 +1,70 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-authelia-acl
+ annotations:
+ policies.kyverno.io/title: Generate Authelia ACL
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Secret
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.23"
+spec:
+ rules:
+ - name: update-from-base
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ name: authelia-acl
+ namespaces:
+ - authelia
+ context:
+ - name: rules
+ apiCall:
+ urlPath: "/api/v1/configmaps"
+ jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
+ mutate:
+ patchStrategicMerge:
+ stringData:
+ "configuration.acl.yaml": |
+ access_control:
+ rules:
+ {{ replace_all(base64_decode(request.object.data.rules || ''), '
+ ', '
+ ') }}{{ replace_all(rules, '
+ ', '
+ ') }}
+
+ - name: update-from-fragment
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ annotations:
+ config.huizinga.dev/generate: authelia-acl
+ context:
+ - name: rules
+ apiCall:
+ urlPath: "/api/v1/configmaps"
+ jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
+ mutate:
+ mutateExistingOnPolicyUpdate: true
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: authelia-acl
+ namespace: authelia
+ patchStrategicMerge:
+ stringData:
+ "configuration.acl.yaml": |
+ access_control:
+ rules:
+ {{ replace_all(base64_decode(target.data.rules || ''), '
+ ', '
+ ') }}{{ replace_all(rules, '
+ ', '
+ ') }}
diff --git a/infra/kyverno-policies/kustomization.yaml b/infra/kyverno-policies/kustomization.yaml
index 7a7e10d..13c9e41 100644
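Review bot: Both `apiCall` contexts list ConfigMaps cluster-wide (`urlPath: "/api/v1/configmaps"`) and join the `data.rules` of every ConfigMap annotated `config.huizinga.dev/fragment: authelia-acl`, and the `update-from-fragment` match carries no `namespaces:` restriction, so the effective Authelia access-control list becomes writable by anyone able to create a ConfigMap in any namespace, a much weaker privilege than editing the `authelia-acl` Secret in `authelia`. Consider scoping the lookup to the namespaces meant to contribute fragments (`urlPath: "/api/v1/namespaces/<NAMESPACE>/configmaps"`, or `namespaces:`/`namespaceSelector` on the match) and stating in a comment above `context:` which namespaces may contribute rules. The two rules also key on different annotations (`config.huizinga.dev/generate` to trigger, `config.huizinga.dev/fragment` to collect), which looks deliberate but deserves a one-line comment, since a fragment ConfigMap lacking the `generate` annotation would presumably not re-trigger the mutation. `mutateExistingOnPolicyUpdate: true` with a Secret target likely requires the Kyverno background controller to hold update rights on Secrets in `authelia`, which default Kyverno RBAC may not grant; worth confirming before relying on it.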
--- a/infra/kyverno-policies/kustomization.yaml +++ b/infra/kyverno-policies/kustomization.yaml @@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./kube-vip-network-adapter.yaml + - ./generate-authelia-acl.yaml