♻️ remove hardcoded authelia secrets

2025-09-17 18:24:14 +02:00 · 2024-01-25 12:50:26 +01:00
parent 44d5719e78
commit c6c8ab1651
7 changed files with 31 additions and 25 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -23,17 +23,17 @@ access_control:
  rules:
    # bypass Authelia WAN + LAN
    - domain:
-        - auth.${SECRET_CLUSTER_DOMAIN}
+        - auth.${SECRET_PUBLIC_DOMAIN}
      policy: bypass
    # One factor auth for LAN
    - domain:
-        - "*.${SECRET_CLUSTER_DOMAIN}"
+        - "*.${SECRET_PUBLIC_DOMAIN}"
      policy: one_factor
      subject: ["group:admins", "group:users"]
      networks:
        - private
    # Deny public resources
-    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
+    - domain: ["navidrome.${SECRET_PUBLIC_DOMAIN}"]
      resources: ["^/metrics.*$"]
      policy: deny
 identity_providers:
@@ -43,41 +43,49 @@ identity_providers:
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: gitea
-        secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+        secret: "${GITEA_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        scopes: ["openid", "profile", "groups", "email"]
        redirect_uris:
          [
-            "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+            "https://gitea.${SECRET_PUBLIC_DOMAIN}/user/oauth2/authelia/callback",
          ]
        userinfo_signing_algorithm: none
      - id: grafana
        description: Grafana
-        secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+        secret: "${GRAFANA_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "groups", "email"]
        redirect_uris:
-          ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+          ["https://grafana.${SECRET_PUBLIC_DOMAIN}/login/generic_oauth"]
        userinfo_signing_algorithm: none
      - id: outline
        description: Outline
-        secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+        secret: "${OUTLINE_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "email", "offline_access"]
        redirect_uris:
-          ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+          ["https://docs.${SECRET_PUBLIC_DOMAIN}/auth/oidc.callback"]
        userinfo_signing_algorithm: none
      - id: immich
        description: Immich
-        secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
+        secret: "${IMMICH_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "email"]
-        redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"]
+        redirect_uris: ["https://photos.${SECRET_PUBLIC_DOMAIN}/auth/login", "app.immich:/"]
        userinfo_signing_algorithm: none
+      - id: jellyfin
+        description: jellyfin
+        public: false
+        secret: "${JELLYFIN_OAUTH_CLIENT_SECRET}"
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris: [ "https://jellyfin.${SECRET_PUBLIC_DOMAIN}/sso/OID/redirect/authelia" ]
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -31,6 +31,7 @@ spec:
        IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
        WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
        GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
+        SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbName
        INIT_POSTGRES_HOST: *dbHost
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -13,3 +13,5 @@ configMapGenerator:
      - ./config/configuration.yaml
 generatorOptions:
  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
--- a/kubernetes/apps/default/outline/app/externalsecret.yaml
+++ b/kubernetes/apps/default/outline/app/externalsecret.yaml
@@ -20,6 +20,7 @@ spec:
        SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}"
        UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}"
        DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline
+        OIDC_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
        PGSSLMODE: require
        # Postgres Init
        INIT_POSTGRES_DBNAME: outline
@@ -28,6 +29,8 @@ spec:
        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
+    - extract:
+        key: authelia
    - extract:
        key: generic
    - extract:
--- a/kubernetes/apps/default/outline/app/helmrelease.yaml
+++ b/kubernetes/apps/default/outline/app/helmrelease.yaml
@@ -59,7 +59,6 @@ spec:
              FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
              OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
              OIDC_CLIENT_ID: outline
-              OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
              OIDC_DISPLAY_NAME: Authelia
              OIDC_SCOPES: "openid profile email offline_access"
              OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"