fixup! feat: freshrss sso

kubernetes/apps/default/authelia/app/config/configuration.yaml

@@ -1,15 +1,50 @@
 ---
+authentication_backend:
+  ldap:
+    address: ldap://lldap.default.svc.cluster.local:5389
+    implementation: custom
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=home,dc=arpa
+    additional_users_dn: ou=people
+    users_filter: (&({username_attribute}={input})(objectClass=person))
+    additional_groups_dn: ou=groups
+    groups_filter: (member={dn})
+    user: uid=admin,ou=people,dc=home,dc=arpa
+    attributes:
+      username: uid
+      display_name: displayName
+      group_name: cn
+      mail: mail
+      member_of: memberOf
+  password_reset:
+    disable: true
+  refresh_interval: 1m
+
 session:
-  # redis:
+  name: authelia-home-ops
-  #   high_availability:
+  same_site: lax
-  #     sentinel_name: redis-master
+  inactivity: 5m
-  #     nodes:
+  expiration: 1h
-  #       - host: redis-node-0.redis-headless.default.svc.cluster.local.
+  remember_me: 1M
-  #         port: 26379
+  cookies:
-  #       - host: redis-node-1.redis-headless.default.svc.cluster.local.
+    - name: authelia_session
-  #         port: 26379
+      domain: ${SECRET_CLUSTER_DOMAIN}
-  #       - host: redis-node-2.redis-headless.default.svc.cluster.local.
+      authelia_url: https://auth.${SECRET_CLUSTER_DOMAIN}
-  #         port: 26379
+      default_redirection_url: https://${SECRET_CLUSTER_DOMAIN}
+  redis:
+    host: dragonfly.database.svc.cluster.local.
+    port: 6379
+    database_index: 2
+
+notifier:
+  disable_startup_check: true
+  smtp:
+    address: smtp-relay.default.svc.cluster.local.:2525
+    disable_require_tls: true
+
+duo_api:
+  disable: true
 
 access_control:
   ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
@@ -17,25 +52,26 @@ access_control:
   default_policy: two_factor
   networks:
     - name: private
-      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+      networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
     - name: vpn
-      networks: ["10.10.0.0/16"]
+      networks: [10.10.0.0/16]
   rules:
     # bypass Authelia WAN + LAN
     - domain:
-        - auth.${SECRET_PUBLIC_DOMAIN}
+        - auth.${SECRET_CLUSTER_DOMAIN}
       policy: bypass
     # One factor auth for LAN
     - domain:
-        - "*.${SECRET_PUBLIC_DOMAIN}"
+        - "*.${SECRET_CLUSTER_DOMAIN}"
       policy: one_factor
-      subject: ["group:admins", "group:users"]
+      subject: [group:admins, group:users]
       networks:
         - private
     # Deny public resources
-    - domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"]
+    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
-      resources: ["^/metrics.*$"]
+      resources: [^/metrics.*$]
       policy: deny
+
 identity_providers:
   oidc:
     cors:
@@ -44,36 +80,42 @@ identity_providers:
     clients:
       - client_id: freshrss
         client_name: freshrss
-        client_secret:
+        client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
         public: false
         authorization_policy: two_factor
-        redirect_uris: ["https://freshrss.${SECRET_PUBLIC_DOMAIN}/i/oidc/"]
+        redirect_uris: ["https://freshrss.${SECRET_CLUSTER_DOMAIN}:443/i/oidc/"]
         scopes: [openid, profile, groups, email]
         userinfo_signed_response_alg: none
         token_endpoint_auth_method: client_secret_basic
       - client_name: grafana
         client_id: grafana
-        client_secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
+        client_secret: "$${GRAFANA_OAUTH_DIGEST}"
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
         scopes: [openid, profile, groups, email]
-        redirect_uris: ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
+        redirect_uris: ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
-        userinfo_signing_algorithm: none
+        userinfo_signed_response_alg: none
-      - id: outline
+      - client_id: outline
-        description: Outline
+        client_name: Outline
-        secret: "${OUTLINE_OAUTH_CLIENT_SECRET}"
+        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
         scopes: [openid, profile, email, offline_access]
-        redirect_uris: ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
+        response_types: code
-        userinfo_signing_algorithm: none
+        redirect_uris: ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
       - client_name: jellyfin
         client_id: jellyfin
-        client_secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
+        client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
         public: false
         authorization_policy: two_factor
+        require_pkce: true
+        pkce_challenge_method: S256
         pre_configured_consent_duration: 1y
-        scopes: [openid, profile, groups, email]
+        scopes: [openid, profile, groups]
-        redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
+        redirect_uris: [ "https://jellyfin.${SECRET_CLUSTER_DOMAIN}/sso/OID/redirect/authelia"]
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_post

kubernetes/apps/default/authelia/app/externalsecret.yaml

@@ -17,22 +17,26 @@ spec:
         # App
         AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .password }}"
         AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY }}"
+        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
-        AUTHELIA_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
         AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
         AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
+        AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres16-rw.database.svc.cluster.local
         AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
-        AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
         AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
         AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
         # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
         # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
+        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .jwks_pem }}"
+        jwks_cert: "{{ .jwks_cert }}"
+        jwks_pem: "{{ .jwks_pem }}"
+        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
+        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
         GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
-        IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
+        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
-        WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
-        GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
         OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
+        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
         JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
+        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
         SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: *dbName

kubernetes/apps/default/authelia/app/helmrelease.yaml

@@ -63,36 +63,10 @@ spec:
               repository: ghcr.io/authelia/authelia
               tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
             env:
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=groups
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: displayName
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: (member={dn})
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: ldap://lldap.default.svc.cluster.local:5389
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: uid=admin,ou=people,dc=home,dc=arpa
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
-              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: (&({username_attribute}={input})(objectClass=person))
-              AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
-              AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m
-              AUTHELIA_DEFAULT_REDIRECTION_URL: https://auth.${SECRET_CLUSTER_DOMAIN}
-              AUTHELIA_DUO_API_DISABLE: "true"
               AUTHELIA_LOG_LEVEL: info
-              AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true"
-              AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
-              AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local.
-              AUTHELIA_NOTIFIER_SMTP_PORT: "2525"
               AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
               AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
               AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:8888
-              AUTHELIA_SESSION_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
-              AUTHELIA_SESSION_NAME: authelia-home-ops
-              AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local.
-              AUTHELIA_SESSION_REDIS_PORT: 6379
               AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
               AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
               AUTHELIA_THEME: dark
@@ -175,3 +149,9 @@ spec:
           - path: /config/configuration.yaml
             subPath: configuration.yaml
             readOnly: true
+      secret-files:
+        enabled: true
+        type: secret
+        name: authelia-secret
+        globalMounts:
+          - path: /config/secret

kubernetes/apps/default/authelia/app/kustomization.yaml

@@ -13,5 +13,5 @@ configMapGenerator:
       - ./config/configuration.yaml
 generatorOptions:
   disableNameSuffixHash: true
-  annotations:
+  # annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled
+  #   kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/default/authelia/ks.yaml

@@ -11,6 +11,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
+    - name: cloudnative-pg-cluster
     - name: dragonfly-cluster
     - name: external-secrets-stores
   path: ./kubernetes/apps/default/authelia/app

kubernetes/apps/default/freshrss/app/externalsecret.yaml

@@ -15,7 +15,8 @@ spec:
       engineVersion: v2
       data:
         # App
-        OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
+        OIDC_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
+        OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OIDC_CLIENT_CRYPTO_KEY}}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: freshrss
         INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
@@ -24,7 +25,7 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: autthelia
+        key: authelia
     - extract:
         key: cloudnative-pg
     - extract:

kubernetes/apps/default/freshrss/app/helmrelease.yaml

@@ -52,10 +52,10 @@ spec:
               OIDC_ENABLED: 1
               OIDC_PROVIDER_METADATA_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration
               OIDC_CLIENT_ID: freshrss
-              OIDC_CLIENT_SECRET: insecure_secret
               OIDC_REMOTE_USER_CLAIM: preferred_username
               OIDC_SCOPES: openid groups email profile
               OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
+            envFrom: *envFrom
             resources:
               requests:
                 cpu: 50m