fixup! feat: freshrss sso

2025-09-17 18:24:14 +02:00 · 2024-06-14 11:13:00 +02:00
parent 2251b45a31
commit 1bfdbab4e7
7 changed files with 95 additions and 67 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -1,15 +1,50 @@
 ---
+authentication_backend:
+  ldap:
+    address: ldap://lldap.default.svc.cluster.local:5389
+    implementation: custom
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=home,dc=arpa
+    additional_users_dn: ou=people
+    users_filter: (&({username_attribute}={input})(objectClass=person))
+    additional_groups_dn: ou=groups
+    groups_filter: (member={dn})
+    user: uid=admin,ou=people,dc=home,dc=arpa
+    attributes:
+      username: uid
+      display_name: displayName
+      group_name: cn
+      mail: mail
+      member_of: memberOf
+  password_reset:
+    disable: true
+  refresh_interval: 1m
+
 session:
-  # redis:
-  #   high_availability:
-  #     sentinel_name: redis-master
-  #     nodes:
-  #       - host: redis-node-0.redis-headless.default.svc.cluster.local.
-  #         port: 26379
-  #       - host: redis-node-1.redis-headless.default.svc.cluster.local.
-  #         port: 26379
-  #       - host: redis-node-2.redis-headless.default.svc.cluster.local.
-  #         port: 26379
+  name: authelia-home-ops
+  same_site: lax
+  inactivity: 5m
+  expiration: 1h
+  remember_me: 1M
+  cookies:
+    - name: authelia_session
+      domain: ${SECRET_CLUSTER_DOMAIN}
+      authelia_url: https://auth.${SECRET_CLUSTER_DOMAIN}
+      default_redirection_url: https://${SECRET_CLUSTER_DOMAIN}
+  redis:
+    host: dragonfly.database.svc.cluster.local.
+    port: 6379
+    database_index: 2
+
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: smtp-relay.default.svc.cluster.local.:2525
+    disable_require_tls: true
+
+duo_api:
+  disable: true

 access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
@@ -17,25 +52,26 @@ access_control:
  default_policy: two_factor
  networks:
    - name: private
-      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
    - name: vpn
-      networks: ["10.10.0.0/16"]
+      networks: [10.10.0.0/16]
  rules:
    # bypass Authelia WAN + LAN
    - domain:
-        - auth.${SECRET_PUBLIC_DOMAIN}
+        - auth.${SECRET_CLUSTER_DOMAIN}
      policy: bypass
    # One factor auth for LAN
    - domain:
-        - "*.${SECRET_PUBLIC_DOMAIN}"
+        - "*.${SECRET_CLUSTER_DOMAIN}"
      policy: one_factor
-      subject: ["group:admins", "group:users"]
+      subject: [group:admins, group:users]
      networks:
        - private
    # Deny public resources
-    - domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"]
-      resources: ["^/metrics.*$"]
+    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
+      resources: [^/metrics.*$]
      policy: deny
+
 identity_providers:
  oidc:
    cors:
@@ -44,36 +80,42 @@ identity_providers:
    clients:
      - client_id: freshrss
        client_name: freshrss
-        client_secret:
+        client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
        public: false
        authorization_policy: two_factor
-        redirect_uris: ["https://freshrss.${SECRET_PUBLIC_DOMAIN}/i/oidc/"]
+        redirect_uris: ["https://freshrss.${SECRET_CLUSTER_DOMAIN}:443/i/oidc/"]
        scopes: [openid, profile, groups, email]
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_basic
      - client_name: grafana
        client_id: grafana
-        client_secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
+        client_secret: "$${GRAFANA_OAUTH_DIGEST}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups, email]
-        redirect_uris: ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
-        userinfo_signing_algorithm: none
-      - id: outline
-        description: Outline
-        secret: "${OUTLINE_OAUTH_CLIENT_SECRET}"
+        redirect_uris: ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+        userinfo_signed_response_alg: none
+      - client_id: outline
+        client_name: Outline
+        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, email, offline_access]
-        redirect_uris: ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
-        userinfo_signing_algorithm: none
+        response_types: code
+        redirect_uris: ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
      - client_name: jellyfin
        client_id: jellyfin
-        client_secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
+        client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
        public: false
        authorization_policy: two_factor
+        require_pkce: true
+        pkce_challenge_method: S256
        pre_configured_consent_duration: 1y
-        scopes: [openid, profile, groups, email]
-        redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
+        scopes: [openid, profile, groups]
+        redirect_uris: [ "https://jellyfin.${SECRET_CLUSTER_DOMAIN}/sso/OID/redirect/authelia"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_post
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -17,22 +17,26 @@ spec:
        # App
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .password }}"
        AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY }}"
-        AUTHELIA_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
+        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
        AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
        AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
+        AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres16-rw.database.svc.cluster.local
        AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
-        AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
        AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
        AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
+        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}"
+        jwks_cert: "{{ .jwks_cert }}"
+        jwks_pem: "{{ .jwks_pem }}"
+        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
+        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
-        IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
-        WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
-        GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
+        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
        OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
+        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -63,36 +63,10 @@ spec:
              repository: ghcr.io/authelia/authelia
              tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
            env:
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=groups
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: displayName
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: (member={dn})
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: ldap://lldap.default.svc.cluster.local:5389
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: uid=admin,ou=people,dc=home,dc=arpa
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: (&({username_attribute}={input})(objectClass=person))
-              AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
-              AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m
-              AUTHELIA_DEFAULT_REDIRECTION_URL: https://auth.${SECRET_CLUSTER_DOMAIN}
-              AUTHELIA_DUO_API_DISABLE: "true"
              AUTHELIA_LOG_LEVEL: info
-              AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true"
-              AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
-              AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local.
-              AUTHELIA_NOTIFIER_SMTP_PORT: "2525"
              AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
              AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
              AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:8888
-              AUTHELIA_SESSION_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
-              AUTHELIA_SESSION_NAME: authelia-home-ops
-              AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local.
-              AUTHELIA_SESSION_REDIS_PORT: 6379
              AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
              AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
              AUTHELIA_THEME: dark
@@ -175,3 +149,9 @@ spec:
          - path: /config/configuration.yaml
            subPath: configuration.yaml
            readOnly: true
+      secret-files:
+        enabled: true
+        type: secret
+        name: authelia-secret
+        globalMounts:
+          - path: /config/secret
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -13,5 +13,5 @@ configMapGenerator:
      - ./config/configuration.yaml
 generatorOptions:
  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled
+  # annotations:
+  #   kustomize.toolkit.fluxcd.io/substitute: disabled
--- a/kubernetes/apps/default/authelia/ks.yaml
+++ b/kubernetes/apps/default/authelia/ks.yaml
@@ -11,6 +11,7 @@ spec:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
+    - name: cloudnative-pg-cluster
    - name: dragonfly-cluster
    - name: external-secrets-stores
  path: ./kubernetes/apps/default/authelia/app