feat: envoy-gateway

2025-10-02 00:34:25 +02:00 · 2025-08-19 00:13:40 +02:00
parent 5b82fd7742
commit c0dde8be0a
119 changed files with 998 additions and 1563 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -83,15 +83,6 @@ identity_providers:
    clients:
    # Genereate client_secret
    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
-      - client_id: freshrss
-        client_name: freshrss
-        client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}'
-        public: false
-        authorization_policy: two_factor
-        redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
-        scopes: [openid, profile, groups, email]
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
      - client_name: grafana
        client_id: grafana
        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
@@ -142,20 +133,3 @@ identity_providers:
        scopes: [openid, profile, groups, email]
        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
        userinfo_signed_response_alg: none
-      - client_id: pgadmin
-        client_name: pgAdmin
-        client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}'
-        public: false
-        authorization_policy: two_factor
-        pre_configured_consent_duration: 1y
-        scopes: [openid, profile, email]
-        redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
-        userinfo_signed_response_alg: none
-        token_endpoint_auth_method: client_secret_basic
-      - client_id: windmill
-        client_name: Windmill
-        client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}'
-        authorization_policy: two_factor
-        redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
-        scopes: [openid, profile, groups, email]
-        userinfo_signed_response_alg: none
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -22,22 +22,16 @@ spec:
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
-        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
-        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
        GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}"
        OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}"
        JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}"
-        PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}"
-        PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}"
        PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
        KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
-        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
-        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
  dataFrom:
    - extract:
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -94,34 +94,45 @@ spec:
            path: /metrics
            interval: 1m
            scrapeTimeout: 10s
-    ingress:
-      app:
-        enabled: true
-        className: external
-        annotations:
-          nginx.ingress.kubernetes.io/configuration-snippet: |
-            add_header Cache-Control "no-store";
-            add_header Pragma "no-cache";
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-XSS-Protection "1; mode=block";
-          gethomepage.dev/enabled: "true"
-          gethomepage.dev/group: Infrastructure
-          gethomepage.dev/name: Authelia
-          gethomepage.dev/icon: authelia.png
-          gethomepage.dev/pod-selector: >-
-            app in (
-              authelia
-            )
-        hosts:
-          - host: &host auth.${SECRET_EXTERNAL_DOMAIN}
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+    # ingress:
+    #   app:
+    #     enabled: true
+    #     className: external
+    #     annotations:
+    #       nginx.ingress.kubernetes.io/configuration-snippet: |
+    #         add_header Cache-Control "no-store";
+    #         add_header Pragma "no-cache";
+    #         add_header X-Frame-Options "SAMEORIGIN";
+    #         add_header X-XSS-Protection "1; mode=block";
+    #       gethomepage.dev/enabled: "true"
+    #       gethomepage.dev/group: Infrastructure
+    #       gethomepage.dev/name: Authelia9091
+    #       gethomepage.dev/icon: authelia.png
+    #       gethomepage.dev/pod-selector: >-
+    #         app in (
+    #           authelia
+    #         )
+    #     hosts:
+    #       - host: &host auth.${SECRET_EXTERNAL_DOMAIN}
+    #         paths:
+    #           - path: /
+    #             service:
+    #               identifier: app
+    #               port: http
+    #     tls:
+    #       - hosts:
+    #           - *host
+    route:
+      main:
+        hostnames: ["auth.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: external
+            namespace: network
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: *app
+                port: *port
    persistence:
      config:
        enabled: true
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
+  - ./referencegrant.yaml
 configMapGenerator:
  - name: authelia-configmap
    files:
--- a/kubernetes/apps/default/authelia/app/referencegrant.yaml
+++ b/kubernetes/apps/default/authelia/app/referencegrant.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: authelia-to-default
+spec:
+  from:
+    - group: gateway.envoyproxy.io
+      kind: SecurityPolicy
+      namespace: default
+  to:
+    - group: ""
+      kind: Service
+      name: authelia
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: authelia-to-observability
+spec:
+  from:
+    - group: gateway.envoyproxy.io
+      kind: SecurityPolicy
+      namespace: observability
+  to:
+    - group: ""
+      kind: Service
+      name: authelia