diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml index b9823d220..caf09264b 100644 --- a/kubernetes/apps/default/authelia/app/config/configuration.yaml +++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml @@ -1,15 +1,50 @@ --- +authentication_backend: + ldap: + address: ldap://lldap.default.svc.cluster.local:5389 + implementation: custom + timeout: 5s + start_tls: false + base_dn: dc=home,dc=arpa + additional_users_dn: ou=people + users_filter: (&({username_attribute}={input})(objectClass=person)) + additional_groups_dn: ou=groups + groups_filter: (member={dn}) + user: uid=admin,ou=people,dc=home,dc=arpa + attributes: + username: uid + display_name: displayName + group_name: cn + mail: mail + member_of: memberOf + password_reset: + disable: true + refresh_interval: 1m + session: - # redis: - # high_availability: - # sentinel_name: redis-master - # nodes: - # - host: redis-node-0.redis-headless.default.svc.cluster.local. - # port: 26379 - # - host: redis-node-1.redis-headless.default.svc.cluster.local. - # port: 26379 - # - host: redis-node-2.redis-headless.default.svc.cluster.local. - # port: 26379 + name: authelia-home-ops + same_site: lax + inactivity: 5m + expiration: 1h + remember_me: 1M + cookies: + - name: authelia_session + domain: ${SECRET_CLUSTER_DOMAIN} + authelia_url: https://auth.${SECRET_CLUSTER_DOMAIN} + default_redirection_url: https://${SECRET_CLUSTER_DOMAIN} + redis: + host: dragonfly.database.svc.cluster.local. + port: 6379 + database_index: 2 + +notifier: + disable_startup_check: true + smtp: + address: smtp-relay.default.svc.cluster.local.:2525 + disable_require_tls: true + +duo_api: + disable: true access_control: ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any 
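Review bot: The LDAP backend binds as the directory admin (`user: uid=admin,ou=people,dc=home,dc=arpa`) over plain `ldap://` with `start_tls: false`, so the bind password supplied through `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD` crosses the cluster network in cleartext; this carries over from the removed env vars, but now that it lives in a readable config file it deserves a comment such as `# plaintext LDAP accepted only because lldap is in-cluster; bind account should be read-only`, and a switch to the TLS listener if the lldap deployment exposes one. With `password_reset.disable: true` Authelia only searches the directory, so a dedicated read-only bind account instead of the admin would shrink the blast radius of a leaked secret. Note also that `default_redirection_url: https://${SECRET_CLUSTER_DOMAIN}` differs from the env var it replaces (`AUTHELIA_DEFAULT_REDIRECTION_URL: https://auth.${SECRET_CLUSTER_DOMAIN}`, removed in the helmrelease hunk); presumably intentional, but it is a behaviour change hidden inside a format migration and worth a line in the commit message. The trailing `access_control` comment of this hunk is cut off at the end of the excerpt.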
@@ -17,25 +52,26 @@ access_control: default_policy: two_factor networks: - name: private - networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] + networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16] - name: vpn - networks: ["10.10.0.0/16"] + networks: [10.10.0.0/16] rules: # bypass Authelia WAN + LAN - domain: - - auth.${SECRET_PUBLIC_DOMAIN} + - auth.${SECRET_CLUSTER_DOMAIN} policy: bypass # One factor auth for LAN - domain: - - "*.${SECRET_PUBLIC_DOMAIN}" + - "*.${SECRET_CLUSTER_DOMAIN}" policy: one_factor - subject: ["group:admins", "group:users"] + subject: [group:admins, group:users] networks: - private # Deny public resources - - domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"] - resources: ["^/metrics.*$"] + - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"] + resources: [^/metrics.*$] policy: deny + identity_providers: oidc: cors: 
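Review bot: The quotes stripped from `networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]`, `subject: [group:admins, group:users]` and `resources: [^/metrics.*$]` gain nothing and make these flow sequences more fragile: a future pattern beginning with `*` or `&`, or containing ` #` or `: `, would be misparsed without an error, and the regex line now mixes quoting styles with the `domain:` entry directly above it, which kept its quotes. Keeping the original forms (`resources: ["^/metrics.*$"]`, `subject: ["group:admins", "group:users"]`) is the defensive choice for values that are regexes or contain `:`. Since this file's ConfigMap is now subject to Flux variable substitution (the `substitute: disabled` annotation is commented out in the kustomization hunk), it is also worth checking the rendered ConfigMap once to confirm the trailing `$` in `^/metrics.*$` survives substitution unchanged.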
@@ -44,36 +80,42 @@ identity_providers: clients: - client_id: freshrss client_name: freshrss - client_secret: + client_secret: "$${FRESHRSS_OAUTH_DIGEST}" public: false authorization_policy: two_factor - redirect_uris: ["https://freshrss.${SECRET_PUBLIC_DOMAIN}/i/oidc/"] + redirect_uris: ["https://freshrss.${SECRET_CLUSTER_DOMAIN}:443/i/oidc/"] scopes: [openid, profile, groups, email] userinfo_signed_response_alg: none token_endpoint_auth_method: client_secret_basic - client_name: grafana client_id: grafana - client_secret: "${GRAFANA_OAUTH_CLIENT_SECRET}" + client_secret: "$${GRAFANA_OAUTH_DIGEST}" public: false authorization_policy: two_factor pre_configured_consent_duration: 1y scopes: [openid, profile, groups, email] - redirect_uris: ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"] - userinfo_signing_algorithm: none - - id: outline - description: Outline - secret: "${OUTLINE_OAUTH_CLIENT_SECRET}" + redirect_uris: ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"] + userinfo_signed_response_alg: none + - client_id: outline + client_name: Outline + client_secret: "$${OUTLINE_OAUTH_DIGEST}" public: false authorization_policy: two_factor pre_configured_consent_duration: 1y scopes: [openid, profile, email, offline_access] - redirect_uris: ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"] - userinfo_signing_algorithm: none + response_types: code + redirect_uris: ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"] + userinfo_signed_response_alg: none + token_endpoint_auth_method: client_secret_basic - client_name: jellyfin client_id: jellyfin - client_secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}" + client_secret: "$${JELLYFIN_OAUTH_DIGEST}" public: false authorization_policy: two_factor + require_pkce: true + pkce_challenge_method: S256 pre_configured_consent_duration: 1y - scopes: [openid, profile, groups, email] - redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ] + scopes: [openid, 
profile, groups] + redirect_uris: [ "https://jellyfin.${SECRET_CLUSTER_DOMAIN}/sso/OID/redirect/authelia"] + userinfo_signed_response_alg: none + token_endpoint_auth_method: client_secret_post diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml index 80c422b2b..f1d9f9e09 100644 --- a/kubernetes/apps/default/authelia/app/externalsecret.yaml +++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml 
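Review bot: Every `client_secret: "$${…_OAUTH_DIGEST}"` depends on two expansions: Flux substitution turns `$$` into `$`, and then something at Authelia runtime must expand `${FRESHRSS_OAUTH_DIGEST}` and friends from the environment — Authelia only does that when the `expand-env` config filter is enabled through `X_AUTHELIA_CONFIG_FILTERS`, which is not visible in this diff; if it is not, the literal string `${FRESHRSS_OAUTH_DIGEST}` becomes the client secret and every client fails to authenticate. A comment above `clients:` such as `# $${VAR}: escaped for Flux substitution, expanded by Authelia's expand-env filter at startup` would record that contract. `response_types: code` on the outline client is a scalar where the neighbouring `scopes` and `redirect_uris` are lists; `response_types: [code]` avoids relying on scalar-to-list coercion. The freshrss redirect URI now carries an explicit `:443` (`https://freshrss.${SECRET_CLUSTER_DOMAIN}:443/i/oidc/`) unlike every other client; if that is required by how FreshRSS builds its redirect URI from the forwarded headers, a one-line comment saying so will stop the next reader from removing it.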
@@ -17,22 +17,26 @@ spec: # App AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .password }}" AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}" - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY }}" - AUTHELIA_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}" + AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}" AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}" AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}" + AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres16-rw.database.svc.cluster.local AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia - AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}" AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}" # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false" + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}" + jwks_cert: "{{ .jwks_cert }}" + jwks_pem: "{{ .jwks_pem }}" + FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}" + FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}" GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" - IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}" - WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}" - GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}" + GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}" OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}" + OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}" JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}" + JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}" SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}" # Postgres Init 
INIT_POSTGRES_DBNAME: *dbName diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml index 77790be6b..6fa121e75 100644 --- a/kubernetes/apps/default/authelia/app/helmrelease.yaml +++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml 
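Review bot: `FRESHRSS_OAUTH_CLIENT_SECRET` is added to Authelia's Secret although configuration.yaml consumes only `FRESHRSS_OAUTH_DIGEST`; with the digest-based client secrets introduced in this commit, the plaintext `*_OAUTH_CLIENT_SECRET` entries (the new freshrss one and the pre-existing grafana/outline/jellyfin ones) no longer need to reach the Authelia pod at all, and they now also land on disk through the new `/config/secret` mount in the helmrelease hunk. Keeping plaintext client secrets only in each consumer's own ExternalSecret, as the freshrss externalsecret hunk already does, limits exposure to the service that needs them. The issuer private key is written twice, as `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` and again as `jwks_pem`; one of the two is redundant unless a consumer reads it by file name. `SECRET_PUBLIC_DOMAIN` stays in this Secret while every reference in configuration.yaml was switched to `SECRET_CLUSTER_DOMAIN`, so it is probably dead now.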
@@ -63,36 +63,10 @@ spec: repository: ghcr.io/authelia/authelia tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a env: - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=groups - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: displayName - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: (member={dn}) - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false" - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: ldap://lldap.default.svc.cluster.local:5389 - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: uid=admin,ou=people,dc=home,dc=arpa - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: (&({username_attribute}={input})(objectClass=person)) - AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true" - AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m - AUTHELIA_DEFAULT_REDIRECTION_URL: https://auth.${SECRET_CLUSTER_DOMAIN} - AUTHELIA_DUO_API_DISABLE: "true" AUTHELIA_LOG_LEVEL: info - AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true" - AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true" - AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local. - AUTHELIA_NOTIFIER_SMTP_PORT: "2525" AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia " AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true" AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:8888 - AUTHELIA_SESSION_DOMAIN: ${SECRET_CLUSTER_DOMAIN} - AUTHELIA_SESSION_NAME: authelia-home-ops - AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local. 
- AUTHELIA_SESSION_REDIS_PORT: 6379 AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080 AUTHELIA_TELEMETRY_METRICS_ENABLED: "true" AUTHELIA_THEME: dark @@ -175,3 +149,9 @@ spec: - path: /config/configuration.yaml subPath: configuration.yaml readOnly: true + secret-files: + enabled: true + type: secret + name: authelia-secret + globalMounts: + - path: /config/secret diff --git a/kubernetes/apps/default/authelia/app/kustomization.yaml b/kubernetes/apps/default/authelia/app/kustomization.yaml index 5aa5e533b..2e5fc2024 100644 --- a/kubernetes/apps/default/authelia/app/kustomization.yaml +++ b/kubernetes/apps/default/authelia/app/kustomization.yaml @@ -13,5 +13,5 @@ configMapGenerator: - ./config/configuration.yaml generatorOptions: disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled + # annotations: + # kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/kubernetes/apps/default/authelia/ks.yaml b/kubernetes/apps/default/authelia/ks.yaml index aa6ea9009..b66fc3eb8 100644 --- a/kubernetes/apps/default/authelia/ks.yaml +++ b/kubernetes/apps/default/authelia/ks.yaml @@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: cloudnative-pg-cluster - name: dragonfly-cluster - name: external-secrets-stores path: ./kubernetes/apps/default/authelia/app diff --git a/kubernetes/apps/default/freshrss/app/externalsecret.yaml b/kubernetes/apps/default/freshrss/app/externalsecret.yaml index 10c31ab3a..8559580db 100644 --- a/kubernetes/apps/default/freshrss/app/externalsecret.yaml +++ b/kubernetes/apps/default/freshrss/app/externalsecret.yaml @@ -15,7 +15,8 @@ spec: engineVersion: v2 data: # App - OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}" + OIDC_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}" + OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OIDC_CLIENT_CRYPTO_KEY}}" # Postgres Init INIT_POSTGRES_DBNAME: freshrss INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local 
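Review bot: The new `secret-files` mount exposes the entire `authelia-secret` under `/config/secret`, so the Postgres credentials, the OIDC issuer private key and every plaintext OAuth client secret in that Secret become files in the container although nothing in this diff reads a `/config/secret/…` path; the sibling configuration mount directly above carries `readOnly: true` while this one does not. If only a few keys are needed (presumably the JWKS PEM and certificate), restrict the volume to those keys, if the chart exposes the volume's key selector, and mark the mount read-only: `- path: /config/secret` followed by `  readOnly: true`. A short comment naming which key Authelia actually reads from this path would also make the mount's purpose reviewable.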
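Review bot: Every `$` in configuration.yaml is now interpreted by Flux, because commenting out `kustomize.toolkit.fluxcd.io/substitute: disabled` re-enables post-build substitution for the generated ConfigMap; anything meant to reach Authelia literally has to be written `$$…`, as the client secrets are, and that contract is not recorded anywhere. It belongs in a comment here: `# substitution intentionally enabled: configuration.yaml uses ${SECRET_CLUSTER_DOMAIN}; escape literal $ as $$`. Commented-out configuration also tends to linger; deleting the two annotation lines says the same thing without dead text, since substitution is the default.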
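Review bot: `OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OIDC_CLIENT_CRYPTO_KEY}}"` is missing the space before `}}` that every other template in the file has; Go templates accept it, but `"{{ .FRESHRSS_OIDC_CLIENT_CRYPTO_KEY }}"` keeps the file uniform. Separating the crypto key from the OAuth client secret is the right fix (the old line reused the client secret as the crypto key), so it is worth confirming that `FRESHRSS_OIDC_CLIENT_CRYPTO_KEY` actually exists in the store entry the `dataFrom` extracts read, since a missing key fails the whole ExternalSecret rather than just this field.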
@@ -24,7 +25,7 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: autthelia + key: authelia - extract: key: cloudnative-pg - extract: diff --git a/kubernetes/apps/default/freshrss/app/helmrelease.yaml b/kubernetes/apps/default/freshrss/app/helmrelease.yaml index 6b307b9c2..c47baf69f 100644 --- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml +++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml @@ -52,10 +52,10 @@ spec: OIDC_ENABLED: 1 OIDC_PROVIDER_METADATA_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration OIDC_CLIENT_ID: freshrss - OIDC_CLIENT_SECRET: insecure_secret OIDC_REMOTE_USER_CLAIM: preferred_username OIDC_SCOPES: openid groups email profile OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto + envFrom: *envFrom resources: requests: cpu: 50m
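Review bot: The whole FreshRSS Secret is injected into the app container by `envFrom: *envFrom` if the anchor (defined outside this hunk) points at the FreshRSS ExternalSecret, which would include `INIT_POSTGRES_SUPER_PASS` and the other `INIT_POSTGRES_*` keys visible in the externalsecret hunk above — values only the database init step needs. Replacing the literal `OIDC_CLIENT_SECRET: insecure_secret` with a Secret-backed value is the right direction; pulling just `OIDC_CLIENT_SECRET` through `valueFrom.secretKeyRef`, or splitting the init keys into their own Secret, would keep the Postgres superuser password out of the web process. The alias also has to be defined in the same YAML document as this HelmRelease; anchors do not carry across `---`.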