From 4f937581f60c18f2bdcb27bc864b6182574ca2fe Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Tue, 13 Sep 2022 01:50:32 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20authelia=20oidc?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../networking/authelia/helm-release.yaml | 49 ++++++++++++++++++-
 .../configuration/cluster-secrets.sops.yaml | 7 ++-
 2 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/cluster/apps/networking/authelia/helm-release.yaml b/cluster/apps/networking/authelia/helm-release.yaml
index 49de04cfe..e06b5c3ee 100644
--- a/cluster/apps/networking/authelia/helm-release.yaml
+++ b/cluster/apps/networking/authelia/helm-release.yaml
@@ -125,7 +125,16 @@ spec:
 session:
 redis:
 enabled: false
-
+ high_availability:
+ enabled: true
+ sentinel_name: redis-master
+ nodes:
+ - host: redis-node-0.redis-headless.default.svc.cluster.local
+ port: 26379
+ - host: redis-node-1.redis-headless.default.svc.cluster.local
+ port: 26379
+ - host: redis-node-2.redis-headless.default.svc.cluster.local
+ port: 26379
 storage:
 postgres:
 enabled: true
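Review bot: The new `high_availability` block points Authelia's session store at three sentinel nodes in the `default` namespace on port 26379 with no `password`, `sentinel_password` or `tls` key anywhere in the hunk, so session state would cross namespaces in clear text and, if that Redis deployment does not enforce AUTH, be readable and writable by any pod that can reach `redis-headless.default.svc`. Add a `password:` (and `sentinel_password:` if the chart exposes it) referencing a SOPS-managed secret plus a `tls` stanza, or at minimum a NetworkPolicy limiting 26379/6379 to the Authelia pods. Note also that `enabled: false` is kept on the `redis:` mapping directly above the new block; verify the chart still renders `high_availability` when that flag is off, otherwise the whole block is presumably ignored. The enclosing `session:`/`spec:` mapping begins outside the hunk.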
@@ -143,6 +152,44 @@ spec:
 sender: ${SECRET_AUTHELIA_SMTP_EMAIL}
 identifier: ${SECRET_CLUSTER_DOMAIN}
+ identity_providers:
+ oidc:
+ enabled: true
+ cors:
+ endpoints: ["authorization", "token", "revocation", "introspection"]
+ allowed_origins_from_client_redirect_uris: true
+ clients:
+ - id: gitea
+ secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+ public: false
+ authorization_policy: one_factor
+ scopes: ["openid", "profile", "groups", "email"]
+ redirect_uris:
+ [
+ "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+ ]
+ userinfo_signing_algorithm: none
+ - id: grafana
+ description: Grafana
+ secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 1y
+ scopes: ["openid", "profile", "groups", "email"]
+ redirect_uris:
+ ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+ userinfo_signing_algorithm: none
+ - id: outline
+ description: Outline
+ secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+ public: false
+ authorization_policy: one_factor
+ pre_configured_consent_duration: 1y
+ scopes: ["openid", "profile", "email", "offline_access"]
+ redirect_uris:
+ ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+ userinfo_signing_algorithm: none
 secret:
 storage:
 key: STORAGE_PASSWORD
diff --git a/cluster/configuration/cluster-secrets.sops.yaml b/cluster/configuration/cluster-secrets.sops.yaml
index 75a6c075b..52b745fb8 100644
--- a/cluster/configuration/cluster-secrets.sops.yaml
+++ b/cluster/configuration/cluster-secrets.sops.yaml
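Review bot: The `cors` block enables browser access to the `token`, `revocation` and `introspection` endpoints with `allowed_origins_from_client_redirect_uris: true`, yet every client in the hunk is `public: false`; confidential clients exchange codes server-side, so this CORS exposure buys nothing and only widens the surface — remove the `cors:` block, or at least drop `token`, `revocation` and `introspection` from `endpoints`. All three clients also use `authorization_policy: one_factor`, and Grafana and Outline pre-approve consent with `pre_configured_consent_duration: 1y`; for a code forge and a dashboard/wiki with admin roles, `two_factor` is worth considering and a shorter consent window keeps revocation meaningful. Because these lines sit beside the chart's `secret:` values block (visible as trailing context), the substituted `${SECRET_*_OAUTH_CLIENT_SECRET}` values presumably end up in the rendered config rather than a Kubernetes Secret — confirm how the chart materialises them, and note that newer Authelia releases expect client secrets as a hashed digest rather than plaintext. The enclosing `spec:` mapping starts and ends outside the hunk.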
@@ -75,6 +75,9 @@ stringData:
 SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:6kI1fYuCEZzgNSqJ0vE=,iv:QMzl/GI5Wmudv7kp4y5PtyiCygAQDJHfVzLquMkjLsY=,tag:6Dr9lwtxKL1hlskTtcyKBg==,type:str]
 SECRET_WIFI_SSID: ENC[AES256_GCM,data:ChUJY7mgQSZ1IQ==,iv:uJ8FasEK+ZvxLMulSp7l9wXOjb3Ojnnt31sfekPRm9s=,tag:QBwdk4qtLCwG7G0AqdOoQA==,type:str]
 SECRET_WIFI_PASSWORD: ENC[AES256_GCM,data:pE7jOD2WNVw6+KmyRzlXgwErVbVCSpx4p9AL3kyv,iv:51HVZpqSMVt10b96Ugx9ZDOG0Eh47QR9gypCr2s/FCc=,tag:hxhk8vuVBSZeihZoF2nwsA==,type:str]
+ SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
+ SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
+ SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -90,8 +93,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-08-14T20:30:12Z"
- mac: ENC[AES256_GCM,data:mgfG9ZEjVUdFd3DzzAl4NF/y15fX+T/XtndvmHUW/NBS5RcSJSn/EcotmOFwga9fgGb9PbcmkcUpHcp/didQWzA4qcKiEH7zYiLkwUR/yjh1i3FEGTPMMgDKWFgkZRYbV2FvknALkY7YgVgkVyYsXkbVzJ/13s1hR13XIzy1dPQ=,iv:6GBccklvwx2CwMtvgCAvipKQXT3SMH8vCMLtrUvcFtA=,tag:v9fjgZjt8lYmxKrLmQbgjw==,type:str]
+ lastmodified: "2022-09-12T23:49:49Z"
+ mac: ENC[AES256_GCM,data:/QABokir5gHB14+iJ8TJ/vemuXDcbQQj41ivyy+a9bW3uwHTvf7Xqgjx9XTWVlSpamVZFQ7u/pTiXuenAo+w0q6SqAgeUquguO/kG9TPNF/RKPJlCvkimr6N5HvS+M3ELaWMTkrssaYwOe9fI42hJ1+ztVyXnngoSdhrGagAClI=,iv:PuozwGBadG35RmUfENBZ2QMMB1GJ/mgkFGsHwmNu9OY=,tag:/gB58YNWvPLxBAU4VNt4XA==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.7.3