diff --git a/apps/grafana/kustomization.yaml b/apps/grafana/kustomization.yaml
index 2809263..f822e63 100644
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@@ -5,7 +5,7 @@ resources:
   - ./namespace.yaml
   - ./repository.yaml
   - ./release.yaml
-  - ./lldap.yaml
+  - ./service-user.yaml
   - ./config-map-authelia-acl.yaml
   - ../../common/postgres
   - ../../common/dragonflydb
diff --git a/apps/grafana/ldap.toml b/apps/grafana/ldap.toml
index 3077448..2b9e953 100644
--- a/apps/grafana/ldap.toml
+++ b/apps/grafana/ldap.toml
@@ -20,10 +20,10 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 # Search user bind dn
-bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
+bind_dn = "uid=${LDAP_USERNAME},ou=people,dc=huizinga,dc=dev"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = """${LDAP_ADMIN_PASSWORD}"""
+bind_password = "${LDAP_PASSWORD}"
 # User search filter
 search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"
diff --git a/apps/grafana/lldap.yaml b/apps/grafana/lldap.yaml
deleted file mode 100644
index dcb4bfe..0000000
--- a/apps/grafana/lldap.yaml
+++ /dev/null
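Review bot: The triple quotes around `bind_password` were dropped while the comment two lines above still says a value containing `#` or `;` must be triple-quoted, and the password is now generated by the lldap ServiceUser controller rather than chosen by the author, so its character set is no longer under this file's control. As far as I recall Grafana expands `${VAR}` in ldap.toml textually before the TOML decode, in which case a `"` or `\` in the generated password would truncate or break the basic string; a TOML literal string has no escape processing, so `bind_password = '${LDAP_PASSWORD}'` is the safer form (confirm against the Grafana version deployed, and fix or delete the stale comment either way). Separately, the old `uid=grafana` account that the removed bind_dn pointed at is not touched by this change; it should be disabled in LLDAP so its previous password, still recoverable from git history by anyone holding the SOPS keys, cannot bind.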
@@ -1,60 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: grafana-lldap -type: Opaque -stringData: - password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str] - user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-12-30T03:11:38Z" - mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str] - pgp: - - created_at: "2024-12-30T03:06:07Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti - CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU - QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2 - GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG - omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq - U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/ - kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW - mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij - 92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58 - psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT - 07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU - aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5 - E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj - 
8PqQ49TpHxYC - =eBq+ - -----END PGP MESSAGE----- - fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E - - created_at: "2024-12-30T03:06:07Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll - tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi - /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9 - gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU - LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr - wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH - qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop - el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN - R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8 - IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9 - 2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S - XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4 - FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM= - =9p2Q - -----END PGP MESSAGE----- - fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28 - encrypted_regex: ^(data|stringData)$ - version: 3.9.1
diff --git a/apps/grafana/release.yaml b/apps/grafana/release.yaml
index c9121d3..3c5226c 100644
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@@ -27,9 +27,13 @@ spec:
         traefik.ingress.kubernetes.io/router.tls: "true"
     envValueFrom:
-      LDAP_ADMIN_PASSWORD:
+      LDAP_USERNAME:
         secretKeyRef:
-          name: grafana-lldap
+          name: grafana-lldap-credentials
+          key: username
+      LDAP_PASSWORD:
+        secretKeyRef:
+          name: grafana-lldap-credentials
           key: password
     grafana.ini:
diff --git a/apps/grafana/service-user.yaml b/apps/grafana/service-user.yaml
new file mode 100644
index 0000000..10ee771
--- /dev/null
+++ b/apps/grafana/service-user.yaml
@@ -0,0 +1,5 @@
+apiVersion: lldap.huizinga.dev/v1
+kind: ServiceUser
+metadata:
+  name: grafana
+spec: {}
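Review bot: The new `envValueFrom` entries reference a Secret `grafana-lldap-credentials` with keys `username` and `password` that nothing in this diff creates; presumably the lldap ServiceUser controller generates it from the ServiceUser added alongside, but that name-and-key contract is invisible here and a drift will only surface as the Grafana pod stuck in CreateContainerConfigError. A comment on the block would make the dependency explicit, e.g. `# Secret is generated by the lldap ServiceUser controller for ./service-user.yaml (keys: username, password)`. The enclosing values mapping starts and ends outside the hunk.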
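Review bot: `spec: {}` leaves the service user's directory privileges entirely to the controller's defaults, and neither the CRD schema nor those defaults are visible here; Grafana only needs to bind and search `ou=people` and read group membership, so if the ServiceUser spec has fields for groups or access level they should be set explicitly rather than inherited. At minimum a comment stating the intended privilege lets a reader verify least privilege, e.g. `# Search/bind-only account for Grafana's LDAP lookups; must not be an LLDAP admin`. The generated username and password are presumably consumed through the `grafana-lldap-credentials` Secret referenced in release.yaml, assuming the controller's naming follows that pattern.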
diff --git a/infra/authelia/kustomization.yaml b/infra/authelia/kustomization.yaml
index 25d8b64..e1d54c3 100644
--- a/infra/authelia/kustomization.yaml
+++ b/infra/authelia/kustomization.yaml
@@ -5,8 +5,8 @@ resources:
   - ./namespace.yaml
   - ./helm-repository.yaml
   - ./helm-release.yaml
+  - ./service-user.yaml
   - ./secret-authelia-acl.yaml
-  - ./secret-authelia-lldap.yaml
   - ../../common/postgres
   - ../../common/dragonflydb
diff --git a/infra/authelia/secret-authelia-lldap.yaml b/infra/authelia/secret-authelia-lldap.yaml
deleted file mode 100644
index f51db7c..0000000
--- a/infra/authelia/secret-authelia-lldap.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: authelia-lldap -type: Opaque -stringData: - password: ENC[AES256_GCM,data:t9dCqqJrS0mhJMBXLKTKUgbOpwI3LGN134OlGmIaOsZg1bzWSV4sU0YAQMU=,iv:Bp2hO34VNtqy+7ZnWtqvmUNe2GKUh7KPZmRgXzyFqqA=,tag:qJ8iV6OyuNlVmnrPs13LNg==,type:str] - user-configs.json: ENC[AES256_GCM,data:7bhp9uWOM1NcfJ8DnnUdYCIFMZeCvmGr8S5gJPzw0kzXfXQfRbI2xfq4X5GdAbOCn9HHM1F+xJLaF6tno1ZmH26NN7FkXUZQCtqK9+yZgjHY8MZYsUZHdZlV40BcaYSCk7qtefGsCrITN2X/DAjrmedNeh0CF9rdov3ZKsi8nSGWGUeLpKcouhOpvbfLRSoEEfYUyUF1r5GscTuunh9uZ8DtoCJvBf8iyQ==,iv:3YuaXKKIHUgzWL07yItqR6rgI+YXbaoTVc4xdiZ/hWU=,tag:hyObOlrQVXgRHgDxcV/R0g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-11-22T04:09:11Z" - mac: ENC[AES256_GCM,data:3o1AYP26QEIMjCUZ4y6AH+CXevoJoJ+rX3ioMLRf8KAGy0mSOtacaSY9xRdDIjATu9aJgHmFbSw9CHTBpXxmaISZxQdMPMHQAmRxHnSuQiofPRkVtD1TlvCFcDTSgITWbvG3dpUoLdM57Mgd3z7KpI/+gEoDebYfryDaYXCoH3c=,iv:1C8QMJCJtvnGVPpLJE+l0U3hOknEC3XiWTQrPAQsHKc=,tag:fn+cMj1NImJSvNiuyzX5pQ==,type:str] - pgp: - - created_at: "2024-11-22T04:09:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7pKPTYH5bqOAQ/+MgqnLWwHCWPxacANbHEEYsPENOyIywmYJnSnRqRLWhAn - 9K0/udCxwO30rnvo+p6/YLF2VSqFfz7pUm/z+MH6ypyY1B83HjCkjsaTQhPR5Q0K - CmhTR7TrQBNfa/flawhebWOjvmUJ9lJ9uqCnAB16S03Sn+PqDYlGTE6CMJ0oJuSr - VpxdvdvFZ1gfR7hlVrsKqvn47T3XIYDJohp9l819nQ1O2adTPfevZEN/JLwaWSLT - YtwJyg+6ogKD3q6UBv7hyyXH9ZlMHFxGWxmo1OXAA3E/vMvOacgmFW6pqoGMqwGU - D9Ch2x1MBobD342ZPPmsQNiI+34Q5cl+hVJJgL5jWk2kML67itM8pMUTyn+5NtWO - wWo6zu5q5IfqREwuerZtisocctrLB9QKPVGcjVihWfoenvlkf4yfCRDFzOPSAb0o - e2K+3fZknZlnb3Qb/rgD7XRiBhcif1zIHZxUQDv/Lq9GyuCM7dk8YKUVCtyeixQ4 - C+WFmp9ED8xzv1jR9lPcQhD+I2Cb7/9jlTXEetFHSzl4riYpKPjhKQedUWZ0YY1A - u0ORTBaLzcmrXTjGz24PxmWZDBjhV4Kgvn76rchqLrS8lvi1EbXoZB6ERhuhlz5Y - bm1FwUBxDRG04gFCPwWKV0AvMmhd+hOdyo4KeQbZCO+w3QqXnp/y6b3TtpEeQnPU - aAEJAhCMqxSAESN99AcEtW56mJsZmRCCi3NsRLwllDczeDfUznF2CSTCnJRDmjsU - 
bLf8jVjawLxfRnKmRyKX/cCYbuz9OmIFkOAWoSNVb/teiMrYYFq96kRDLHR1Llxr - EuX0poghRPqU - =tI6a - -----END PGP MESSAGE----- - fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E - - created_at: "2024-11-22T04:09:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA51kG++kLewoARAA15aOcSEfAIpEXXhmF4YToynn1NM9OsANHc3PR2uVzAPv - C4Wi8R1PNhGdV3aTuRN5WpSjkJEE3GNR0kA0Etao7Ip0d1UgXzg1wtwEd1Yyvtdh - ccK2/z0a4UJu8SMczChT1P18IASNksaxSAm+TOLFGcZeJFwQepsBaQIEfXYO3+hR - Jw+zcPmFaOzKoqdbAAWzvYhLxD2ocjZl7iiIOhz8fBSqWLO2oeJRp5Lk8Q14olTZ - 708BQ+aLlsVJyLkiV7SzlKfEDIymMDZSe7Q3i4JqOFOyHRIkIM5ZPOLoelqRNcY2 - zQphsk1U/MFp7LsR/d+5IKWBkqV5DYJWFunw+NRFHLg1/6+zmGnGbZ2gZfohvnKV - 5GUrYfWCBACIclpxY7PlVQ7d/aTDf3jdR0iVV3Jh+8Lvze1msPvI+BF67oDNMsTu - EIbRa6eHzxgSqrq3Za5eeUXd9Gxfg2g4KdkbG+FA9qQI6f5Y1q0tE9cFfOElTiBk - xTAckrBMHOMGozvx4/6xXHMmAxd80tX0ZjVyBsPBeb64oZGlsGuRngWT1Ob9gF4Q - sDfyd74kpQ9fHhIYs9XSLrPbH6yzVIFF/sHpMGgri43PCMW6vvnfP4JQgdMNdXRw - U+RWDxA6BOkP7XvNfGADiumeSGQ+PE/KP0TuUqMD7gr9X/VGH+/1e6zbI1iruhPS - XgFoSamAXKfYrYz94J9u0vA8D8ne9EKa8Ls6ybicyyZlGLri/qnoHNJAVhLWKdId - h68ksrI5l25Z1MkAcKVR1xlHUnRCwb2Xdbag0vV07So00wxAl1XNhtPeuQrykk0= - =V4Gd - -----END PGP MESSAGE----- - fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28 - encrypted_regex: ^(data|stringData)$ - version: 3.9.0
diff --git a/infra/authelia/service-user.yaml b/infra/authelia/service-user.yaml
new file mode 100644
index 0000000..0997737
--- /dev/null
+++ b/infra/authelia/service-user.yaml
@@ -0,0 +1,5 @@
+apiVersion: lldap.huizinga.dev/v1
+kind: ServiceUser
+metadata:
+  name: authelia
+spec: {}
diff --git a/infra/authelia/values.yaml b/infra/authelia/values.yaml
index 93a8cfb..bfad47b 100644
--- a/infra/authelia/values.yaml
+++ b/infra/authelia/values.yaml
@@ -15,8 +15,8 @@ secret:
   additionalSecrets:
     postgres-app:
       key: postgres-app
-    authelia-lldap:
-      key: authelia-lldap
+    authelia-lldap-credentials:
+      key: authelia-lldap-credentials
 configMap:
   authentication_backend:
@@ -34,9 +34,9 @@ configMap:
         username: uid
         group_name: cn
         mail: mail
-      user: uid=authelia,ou=people,dc=huizinga,dc=dev
+      user: uid=authelia.authelia,ou=people,dc=huizinga,dc=dev
       password:
-        secret_name: authelia-lldap
+        secret_name: authelia-lldap-credentials
         path: password
   session:
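Review bot: The bind user is hard-coded as `uid=authelia.authelia,ou=people,...` while its password is read from the generated `authelia-lldap-credentials` Secret, so the uid the controller assigned is duplicated by hand here; the Grafana side of this same change avoids that by reading the Secret's `username` key. If the controller's naming scheme (apparently `<name>.<namespace>`, inferred only from the new value) changes or the ServiceUser is renamed, the DN silently diverges from the credentials and every Authelia login fails at the bind step. If the deployed Authelia supports the template config filter, the DN could be built from the mounted secret (`{{ secret "<mount path>/username" }}`); otherwise at least pin the coupling with `# uid is assigned by the lldap ServiceUser controller as <name>.<namespace>; keep in sync with ./service-user.yaml`. The `ldap` mapping this sits in starts outside the hunk.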