From e58e2692483ed72501f968a947149d470d354f54 Mon Sep 17 00:00:00 2001
From: Dreaded_X
Date: Tue, 19 Nov 2024 01:18:55 +0100
Subject: [PATCH] Use authelia to secure traefik

---
 apps/authelia/release.yaml | 6 +++
 apps/traefik-dashboard/ingress.yaml | 4 +-
 apps/traefik-dashboard/kustomization.yaml | 2 -
 apps/traefik-dashboard/middleware.yaml | 8 ---
 apps/traefik-dashboard/secret.yaml | 60 -----------------------
 infrastructure/controllers/traefik.yaml | 21 +++++---
 6 files changed, 21 insertions(+), 80 deletions(-)
 delete mode 100644 apps/traefik-dashboard/middleware.yaml
 delete mode 100644 apps/traefik-dashboard/secret.yaml

diff --git a/apps/authelia/release.yaml b/apps/authelia/release.yaml
index 00deefe..75017e3 100644
--- a/apps/authelia/release.yaml
+++ b/apps/authelia/release.yaml
@@ -69,3 +69,9 @@ spec:
 notifier:
 filesystem:
 enabled: true
+
+ access_control:
+ rules:
+ - domain: traefik.${domain}
+ policy: one_factor
+ subject: "group:lldap_admin"
diff --git a/apps/traefik-dashboard/ingress.yaml b/apps/traefik-dashboard/ingress.yaml
index 2277bfb..e66b4be 100644
--- a/apps/traefik-dashboard/ingress.yaml
+++ b/apps/traefik-dashboard/ingress.yaml
@@ -10,8 +10,8 @@ spec:
 - match: Host(`traefik.${domain}`)
 kind: Rule
 middlewares:
- - name: traefik-dashboard-basicauth
- namespace: traefik
+ - name: forwardauth-authelia
+ namespace: authelia
 services:
 - name: api@internal
 kind: TraefikService
diff --git a/apps/traefik-dashboard/kustomization.yaml b/apps/traefik-dashboard/kustomization.yaml
index 60edceb..972f3ed 100644
--- a/apps/traefik-dashboard/kustomization.yaml
+++ b/apps/traefik-dashboard/kustomization.yaml
@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - secret.yaml
- - middleware.yaml
 - ingress.yaml
diff --git a/apps/traefik-dashboard/middleware.yaml b/apps/traefik-dashboard/middleware.yaml
deleted file mode 100644
index 2446277..0000000
--- a/apps/traefik-dashboard/middleware.yaml
+++ /dev/null
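Review bot: The new rule for `traefik.${domain}` admits the dashboard with `policy: one_factor`, and since the dashboard reveals the complete router, service and middleware configuration of the ingress, `policy: two_factor` for `group:lldap_admin` would be the more conservative choice. Only `rules` is visible in the hunk, so whether the enclosing `access_control` block sets a `default_policy` cannot be seen; Authelia falls back to `deny` when it is unset, but writing `default_policy: deny` next to the rules makes the fail-closed intent explicit for the next reader. The enclosing configuration mapping begins outside the hunk.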
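Review bot: The IngressRoute now references Middleware `forwardauth-authelia` in namespace `authelia`, but nothing in this patch creates that object, so it presumably already exists or is managed by the Authelia release; a comment such as `# forwardAuth middleware is managed with the authelia release` on the middlewares entry would save a search. As far as I know Traefik refuses to build a router whose middleware cannot be resolved, so a missing or misnamed middleware leaves the dashboard unreachable rather than unauthenticated, but that is worth confirming after rollout because the basicauth fallback is deleted in the same commit. The cross-namespace reference only resolves with `allowCrossNamespace: true`, which the traefik.yaml hunk in this commit enables.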
@@ -1,8 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: traefik-dashboard-basicauth
- namespace: traefik
-spec:
- basicAuth:
- secret: traefik-dashboard-auth
diff --git a/apps/traefik-dashboard/secret.yaml b/apps/traefik-dashboard/secret.yaml
deleted file mode 100644
index 5c6e423..0000000
--- a/apps/traefik-dashboard/secret.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: traefik-dashboard-auth - namespace: traefik -type: Opaque -data: - users: ENC[AES256_GCM,data:7u9dFimVDoytlAj24o4evE69M0+rugfkhGzg8WcHIhG5NDvzJJtL0PSbaZqJLXDhshPfPuKV/Nv94qXOR5sn4nY/cI0=,iv:xO+fhVIJsLqbey/2g2mZ8gMb8zvwCsZC9j1FnWqN8Ew=,tag:ktWZYMyaeyrvD+vdbcLyzw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-09-26T20:33:22Z" - mac: ENC[AES256_GCM,data:KuBBb577toaMHiZ2xq4JFyHusbqkiORwYnj9aNfl0AFsj8j+FikPnAQl+vt0no8/Oqi1OiS/6uSbKpzju92NNb0mbmBEEVJVHoTehg3CNNV0VFI1lf+EVM05XnOVWKzCe/Plku+NB9lx5+hVE1e6p6NVlXx0gnW4JDjE+0fIXJA=,iv:XGwfCVsRtebglZo4e0qAGQfSzGzAfXDMQE1zdLAByoo=,tag:+BENzw0DKkbPho1WDW1c4Q==,type:str] - pgp: - - created_at: "2024-09-26T20:33:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA7pKPTYH5bqOAQ//X7WkMyLjQcBds79rCeEimF7h+lRlo8l4UC11ju+As/Im - EmHZ93fvTJp/hE9F75sEFUyUDlGOPUOOJHyOiOJW9gZAwxhlMIjYXzXONxKZZar1 - cznWwEjTd7GLjlKNqZt5AmGDTyXOgMGeH5anjXmsP4veXHIZBXD6nXqM0cVUqZjy - KpliXjRaPhrus6aWjzf1owolBaIQL4CoUvr5APAV/tqkSBC0BZ3AQA5mQa76HtMm - tx0+9MV7F/A7UVY45Jk7jUMhzhe6BQPGG6j1Z8UXhmAHDC30IseP6/vSUmzjN8nX - hF4aeALd78FUNE9H26eKJUxHI/aAsZMRaTNKwgoWHUqAwwqQbzdIYl9+7rSgGCRl - CEDdan++XQ4ML6SAJvBMxFDyrzafQ/GXnoK5YsnprKDw9sAe2WPgoBqgQ5YZaRJ8 - NPEcvKA5rLa6tlW9S4tcn3uceteCQ9AuDd0YByOpHsTrnWlCcfgKeDo4LD3Pthcl - J2mCAIqXyh9tCUIpAPREjpZMu3CVYxHrN8ZXmcRa65Pk9MnQeYh1HXMd5Cswwc/K - GRP3XxNBK6clHQmRHEawiAJKWi9VqC7F/nbZY0FTRecU+yMiRtnbXyG2/P4KwFx4 - /NQTJ225cpoQwo2S5ParMqoLY8UGJSidngcxdvFrExCfSg0OZtubSxRt8CdoOzvU - aAEJAhCtYGBG6qL7HHoDkDGlDX1tOcxjCaqGxzQLtZ9P+UFaGHYjWKzmgRjfCQdm - DvCMpekLpiiNoDF0DkkfDiTyToiytDpnXqP3gqoJ1oR4S5qd45dDSmtXItt47oAt - OgX1Jt4h7NPp - =H5Kw - -----END PGP MESSAGE----- - fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E - - created_at: "2024-09-26T20:33:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA51kG++kLewoAQ/9FigGY5nukmRh6vcgwQgZDdwrnKjhztHc5UEP+SRNAGr7 - 
Sp/6DkmRhi5ywmAN8rdMCNGO/9BCcuTGLwLZXP23si1W077NdvExqzVzZdMHo1xi - JLNnzSpvduh99nNFj6q/2mS4PlMiPM0uMm5SlHQexoJBBEC7FA66NvrpCrTXahKv - v/I+vX6HY8WuhDuril5fbv169DyKSJeEa2FR7Gp37AezmGqDsFMvIL5DSkRGliFz - R1xod9zfwFIayaDN36Zc9IaHhk10k6Nszsg3YreR8nrjZLnG3C3XzGS5qeE485hf - dXm8ShxTAO3dZMmUK+XkOQdGXGMfzwzr8u7ddDbrFWeG9UBoE26jV6y3iIRe4VYj - 9np4yZR8j3dxmkNdHXlvrWxy+qkWXml1nZ+M23+SuoV4beloFvujNxtYDrZYSNlA - bSrM5bk/D1aS836E8B+mT45Fbw9I825mXR+WVS13RNKdVrA3AF9epwJjWoIRumLC - ZogJ2lH35Aj77ytKw8JJB1nMvKNLD27MHETdmP+QaM08YjjywDa9iWYSKXiTIxur - IbU6Vtq01xHk1T9gqgc+ovwKOHxm8kKD74AbEsBn88pgp9a+yL1YfDTgTEVmd9a4 - OrCYfVRqSw5PwZPonGiU+S65PEagMa4FGo/XUy6sqtcrpMdiHRG1AE+xL9780DHS - XgEJtwphTlky5kTI27xJOTbzBaYRcCdYf+E831/BGxaEzl9OzBGlfaIUHfPGJNBm - wkINDUeyj1aPkyMc+alvadAE3QhETRJ3RcpjIv0+Jc7LcsfSHE1BlNHjCYhJq4E= - =TaW0 - -----END PGP MESSAGE----- - fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28 - encrypted_regex: ^(data|stringData)$ - version: 3.9.0 diff --git a/infrastructure/controllers/traefik.yaml b/infrastructure/controllers/traefik.yaml index bad4ea3..0d41c02 100644 --- a/infrastructure/controllers/traefik.yaml +++ b/infrastructure/controllers/traefik.yaml @@ -45,13 +45,18 @@ spec: redirectTo: port: websecure + providers: + kubernetesCRD: + allowCrossNamespace: true + # This is needed in order to properly forward the real ip to each service # There are likely better ways of handling that, but for now this works - hostNetwork: true - service: - spec: - externalTrafficPolicy: Local - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - maxSurge: 0 + # TODO(Tim): Figure out how to properly forward the IP + # hostNetwork: true + # service: + # spec: + # externalTrafficPolicy: Local + # updateStrategy: + # rollingUpdate: + # maxUnavailable: 2 + # maxSurge: 0
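Review bot: `allowCrossNamespace: true` is a cluster-wide switch that lets an IngressRoute in any namespace reference Services, Middlewares and TLS options from every other namespace, which is a far broader grant than the single `authelia` middleware this commit needs; if the cluster hosts more than one tenant, placing the forwardAuth Middleware in the `traefik` namespace avoids enabling it at all, and otherwise the line deserves a comment stating why it is on, e.g. `# needed so IngressRoutes can reference the forwardauth middleware in the authelia namespace`. Commenting out `hostNetwork` and `externalTrafficPolicy: Local` means Traefik now sees the node or kube-proxy address as the client IP, and presumably that is the address the forwardAuth request reports to Authelia, so any network-based access rules or per-IP regulation on its side see the wrong source until the TODO is resolved. The commented-out block is preserved in git history and could be deleted instead of kept as dead YAML.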