feat(authelia): add Argo CD client

vehagn · Oct 1, 2024 · 1ad1bca · 1ad1bca
1 parent 8b5d9dc
commit 1ad1bca
Show file tree

Hide file tree

Showing 5 changed files with 141 additions and 12 deletions.
diff --git a/k8s/infra/auth/authelia/http-route.yaml b/k8s/infra/auth/authelia/http-route.yaml
@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: authelia
+  namespace: authelia
+spec:
+  parentRefs:
+    - name: external
+      namespace: gateway
+    - name: internal
+      namespace: gateway
+  hostnames:
+    - "authelia.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: authelia
+          port: 80
diff --git a/k8s/infra/auth/authelia/kustomization.yaml b/k8s/infra/auth/authelia/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: authelia
 resources:
   - ns.yaml
   - lldap-credentials.yaml
+  - http-route.yaml
 
 helmCharts:
   - name: authelia

diff --git a/k8s/infra/auth/authelia/values.yaml b/k8s/infra/auth/authelia/values.yaml
@@ -1,40 +1,44 @@
+# https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml
 image:
   registry: ghcr.io
   repository: authelia/authelia
   tag: 4.38.10 # renovate: docker=ghcr.io/authelia/authelia
   pullPolicy: IfNotPresent
 
+pod:
+  kind: 'Deployment'
+
 configMap:
   theme: 'dark'
 
   access_control:
     # upgrade to 'two_factor' later
     default_policy: 'one_factor'
     rules:
-     - domain_regex: '^.*\.stonegarden.dev$'
-       policy: 'one_factor'
+      - domain_regex: '^.*\.stonegarden.dev$'
+        policy: 'one_factor'
 
   authentication_backend:
     ldap:
       enabled: true
       implementation: 'lldap'
       address: 'ldap://lldap.lldap.svc.cluster.local'
-      base_dn: 'DC=stonegarden,DC=dev'
-      #users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
-      #additional_users_dn: 'OU=people'
-      #groups_filter: '(member={dn})'
-      additional_groups_dn: 'OU=groups'
+      base_dn: 'dc=stonegarden,dc=dev'
+      users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
+      additional_users_dn: 'ou=people'
+      groups_filter: '(member={dn})'
+      additional_groups_dn: 'ou=groups'
       user: 'UID=authelia,OU=people,DC=stonegarden,DC=dev'
       password:
         secret_name: 'lldap-auth'
         value: 'password'
 
-#    file:
-#      enabled: true
+  #    file:
+  #      enabled: true
 
   session:
     cookies:
-      - subdomain: auth
+      - subdomain: authelia
         domain: stonegarden.dev
 
   storage:
@@ -49,6 +53,92 @@ configMap:
     filesystem:
       enabled: true
 
+  identity_providers:
+    oidc:
+      ## Enables this in the config map. Currently in beta stage.
+      ## See https://www.authelia.com/r/openid-connect/
+      enabled: true
+      jwks:
+        - key_id: 'default'
+          algorithm: 'RS256'
+          use: 'sig'
+          # TODO: CHANGE THIS COMPROMISED TEST KEY!
+          key:
+            value: |
+              -----BEGIN PRIVATE KEY-----
+              MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOCrc4yP2ziCO
+              MUJoEMA6hIlLgwDNrKviBKHBNjAjQ0EStW3148ZxSHtLZH+xls4HyjenDp79bUDd
+              hm3kh0N8Z+loSRky6JMx+NUyA4XoWzR35MxGbt6ojx3pHdFCJRUu5/DmU2w8RgVy
+              FaC/XWQPg03w80yEsXfT6CFT7avKwn/D8KCbjGVaYlLseWUAMPPyGU/pG/31CLR/
+              VDUaT5rnRHchlM8wsHfAR9rzhWLAn7xefIgK94hkD0l/BrY93g72TkNtkQsS+bgv
+              5404F0o+sILswoAZNvLWhy2AejwIw8HN+/ssaTbvRzfkXWiyvcBWA5kCK7ltpHMN
+              Cg5hcnwzAgMBAAECggEAVRrEg7dzVEl0aRAKouZ0N/a66ifow7qqjdyAGryueR6J
+              D7e8iSBwNhb9ZrpZJ+dAFTVm3xUomE/fGBmQQLhfLyEihLhqzW+FHdK7eCWpjLNV
+              cFIOaFftjBp9S2/Csw8kMrPHpepfuEFZ+5CYiTibc9cNMx7oF0Kj1oIFxjXTCTTX
+              /5G2WN9VsduA6SC5xnZNqyd8sKboQzXmGxgop98BRdiPTE5adZZ+oOozVmayYKMD
+              Y51SAHq+lpAmVW8poAfm59fmyll0gRBsHi3Xrbhpk+1nrWFhWiqS63G6rJ1Y3SQF
+              S1aztbP45z2T96g7OehNZT+98nrPHDzi4lpeiZ6XgQKBgQDmwLEIk/MWMCgv+BUy
+              bOuIyGSP0vLRSsNZpKc2NMCln0huKjpfLcfjre41aqISV6mGkAOfk/Y0NBPCPwQP
+              hO0OXnK/3sORzCyQCTfPW6nCAafjVaMvjCBlsKA/Hjx74Gw9JkrHJiGudrNrDYtQ
+              dQN5paCtauv/vknXVrDDapExkwKBgQC/D/oo+wRlntvP61HaBJt/zF/nLo7KF9wW
+              D2HC3lohVcF35KtgB1PbzZrTjQOPFVXbMs7t88g3nBSoc+6czPGkoevvS9UeYoH9
+              dhTDooiSVn6kmH1HgwSliqpZWMVyKpyFuCZTd014++7aKBg/16KJO+DxS9Uka80C
+              48pmvcyu4QKBgHguQcX68G9M85FQPxH9QosB+8YgkxDIRIgqxl/oB7H7DIk7+xzZ
+              RjNhwiAWAoVVHNkVpp11PZSgzu2rTl0a2TBTpqYhym/kDA2Uj3my/u4pWJyBXLWF
+              4NW1sTBOeif2kckjaWzhgkdQUU/fRQDJgN7ZkZ7ggju3itPZtcSBe097AoGAVzxR
+              SRLLgCaXUIiuN7Aw25oSE7kDQyy/tWbSiSoC1wOTsU08Hj1aQZrP3VWeUV85czrw
+              ll7fhNyD5iIAyaEdl8DCu+DQ7u2lUnfupSB54O8TJc3mLZeZsIfunZrVk/n2u2tI
+              PIXVXq8Q8JSr9cJcGPK5ExM/v0BlO7OL/3sbkKECgYBTj5hTKZvBkLQwyfMLMAoY
+              rytwq9T4sOQElWpvwi/6NmT8iYSWlXEjRktBnnGOyNjNXvyoLNr2CmtV/TJ2uG0J
+              fKWga5swZ/Aq4h5kX64+q710r+xGS2s4up6XY8gyT3+WxaF8RpxiQilDFVYCzvee
+              uzpHa9dV3xVGQQK5fEtWQg==
+              -----END PRIVATE KEY-----
+          #  path: '/secrets/oidc.jwk.RS256.pem'
+#          certificate_chain:
+#            value: |
+#              -----BEGIN PUBLIC KEY-----
+#              MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArDgq3OMj9s4gjjFCaBDA
+#              OoSJS4MAzayr4gShwTYwI0NBErVt9ePGcUh7S2R/sZbOB8o3pw6e/W1A3YZt5IdD
+#              fGfpaEkZMuiTMfjVMgOF6Fs0d+TMRm7eqI8d6R3RQiUVLufw5lNsPEYFchWgv11k
+#              D4NN8PNMhLF30+ghU+2rysJ/w/Cgm4xlWmJS7HllADDz8hlP6Rv99Qi0f1Q1Gk+a
+#              50R3IZTPMLB3wEfa84ViwJ+8XnyICveIZA9Jfwa2Pd4O9k5DbZELEvm4L+eNOBdK
+#              PrCC7MKAGTby1octgHo8CMPBzfv7LGk270c35F1osr3AVgOZAiu5baRzDQoOYXJ8
+#              MwIDAQAB
+#              -----END PUBLIC KEY-----
+#          #  path: '/secrets.oidc.jwk.RS256.crt'
+      clients:
+        - client_id: 'argocd'
+          # TODO: CHANGE THIS COMPROMISED TEST KEY!
+          client_secret: #'$pbkdf2-sha512$310000$ms/OlHdUjXSdHDW7xdgVhQ$6HN.cN9/MlttyYmXHMRU4JB0Ngqjs5ErSi1UIkH5k9qmMq2qHnueRrLwUjXTdMmOj6lCOAd1l2pA08VUTScPNw'
+            value: '$pbkdf2-sha512$310000$ms/OlHdUjXSdHDW7xdgVhQ$6HN.cN9/MlttyYmXHMRU4JB0Ngqjs5ErSi1UIkH5k9qmMq2qHnueRrLwUjXTdMmOj6lCOAd1l2pA08VUTScPNw'
+          #  path: '/secrets/oidc.client.argocd.value'
+          client_name: 'Argo CD'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.stonegarden.dev/auth/callback'
+            - 'https://argocd.stonegarden.dev/applications'
+          #  - 'https://argocd.stonegarden.dev/api/dex/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+        - client_id: 'argocd-cli'
+          client_name: 'Argo CD (CLI)'
+          public: true
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'http://localhost:8085/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+            - 'offline_access'
+          userinfo_signed_response_alg: 'none'
+
 secret:
   additionalSecrets:
     lldap-auth:

diff --git a/k8s/infra/auth/lldap/lldap-config.yaml b/k8s/infra/auth/lldap/lldap-config.yaml
@@ -7,8 +7,8 @@ metadata:
   namespace: lldap
 spec:
   encryptedData:
-    groups.json: AgBon9QCA1W3I+8QezEBfRFwo942+Uq/Zts6SopexeCtSUOHeP25axCVUyTpNEHNmxtxyntvzvkoR0g96FghfJgtcE4UCieP1L8OwS3voDeRBHgtGMvrE1ND0A01nBL7EW1XVAZC6kx/NU33OsnmeDdKD/brev4q1uXelpwc9JtObKYy2JGqP8Pss9J/mTDTz5lfKQDMvbfu/PBQthUckbGQA92k0tn9M4EHKmNiMZTuAkafMg19T3vN1zUYqpmovanJb+JGHqfnbxQo4hG57ACbQQG7qQsmCu8nFYkwNOxA/BE3VZLDT26gwQrktMiaqJ3XJ9oF3seKSWs0a6dtLT2pXlf4JL//wtMil+ZV6gje8iHc9Hx3HUrBAboLkO9DYTd4Jv6ArqRSPQybKtsWNlHdryghNsbDAVyZcDwRPLz0iCn7l5r4mWxY1UMkQnJNINBzV0x1TXY8UL+jIHcmAE+KomHMkRvPxIBrh7OM4YnJEQuBV6IJZrMvlCBHrGREA72frzL0am16DWjY8/2bPTlBk5w1oZpGJadOusA5dGk32dxmJqkBw+FyGZsWJ6XHHU6oMdJS4PG7B62/fzoZ0eCSvdaVT16l/j6xx6HRKAeGFwawPGn25PmnamKkWL3BIs9l7fDBjKgsfTmy2UZAdIKN4U0YguBqvR67ZFlLx2IYNU8P/aEujtxhtgJijRmzOK1U3ZJGKw8URHyYoFiGTx5k01FdWsdx
-    users.json: AgCREOH7gBZWLNka92/lViVyD8SZ2vh5yPsOSfYAsA/ixIdVhK0lmTXm2NioNc42kQj0MMOo9mHwI7H4CT2UIwJHbzhSJv093z4/yXnt9WBsBKtAUsI9gMBIGIqvUNWsHsilPE0GaegKuMQNnX62tHfrZqPdtb8K8ksRcwH5Fe89sLVglhlitKRS2z2r00m9M5MvawzIgTlWgwT+PuFwnhaqeNH7205hUj32sjuSk8f37ZQxU3iw6nur1HjmxO6dV5eJWtskuBkQzowmIy9ZbapAcHL9XV55xDsM3CXByR5ic8TsIbHt5STgV2RR5WbhbIcX3uV2CTcYOBa2/JR8ieOblzZG3PMzimrMrUQ4mi7PjpSvel1SDuk/XlzOaAoQcm1rkpfin2fAzhnmK+Z6oligWX5nkH0HPQVx6GpW3+iZfgLLNILKs9Yri5lx5GxBmUJUqorWsagfvrpRcMM7W6bXfAJ9A5h/v3N3sONvLgYYbRgz/ClBXP+N7tAyMGmk0tUeMO3xt9ubujk5d1/4yVa1xphUePPr4ndW021oLZ6AKHzrs3TFZ1eehWqGPXHayUdAuo/gOEGpVWQ6j3mzlG+vGPHroO2YH3WpRMvtfCdI3m2TeSpwOtFU6DeWOi77KiB09Z3X64OF7KmGJrLXntz5ekRBz10h/oGxcP0fWxx3GNkStqH8TOWQ/2cbR3zB9OwwGqso8T5wMQ7iLK1bb7EIxM+HCuI2avkhMnXuH29ggnXFMrUouR1wFfZJRhX0mb+vXWFCIDT35oAV3Pf8om8IBxyZ/qNp0H/Gu2TDCDqobcuHVSjxXaZK8yisd1ktae5I9JWZXyOPvNTi+2uwXFveU/XzIOIhzzRxdIxvKbNbQSnNBaoNb6faezLGiHRif+EThIr6BUO2/mxwaii/4qq0GVTrhVqemSzWrDbXS5WJuDnSk/8aP4X9+E4Jxdrgq6tpwC+khc8pi0MAxZZ+xaVJWZv8jt50xTSO8GlZkcENDdgQWc1gzDI4qz+9tZIyRW14GjJaJPYCSGq/Z9VKLfsLFNryv8IXORZjiuizhlJedd/BOsz2vT5GG9jKIX4RJ07C7jSj/vHdDZ9SZPgFAz3QoETsZDqerbkBY6PO+/mU3SG23LhriEvKkHgM8/JiL2u3Rno1LZ1Ovi1AIfXMSR+4KUd7Gg6eQZ/gEK9lj2DTg8VQ7Z/9lo58aS7knytX1d0sv6NyT5JLUE3B/qcRFzRojPmFbaRHGicSbYIB1PAqAGBsQPZKcmKiPMOkxVPoeMlA6DSyAQWUSHLNRStrO26sS04BQZC88BJkvyZf3uq69rrbMh+kCrjg6CDRBg61FhIARDSrxMhLyPVzwF7+fZjL2ivBgZgkCvrgQmqMCE5p0qUg55mFb5+OpSHbGJ+STKBHIMJOEdTjtOc=
+    groups.json: AgC1E86qhUQ/AoFAc3vuL9s/1UxLnTQfHkCdxyF8TPQUI/Hr3xPyrhO+xOOz/f4JKcBTV48NAY0PoIKJyjmqq9Er5aPRZnWkkaC+e8X3DNy17UheiVYLPpVsrrgrOvgOPrjFMe7aAjfYgIrz/ayNxPZpQOpjTDDrsq9MYBgxHC/8pgQPhaXhE+ILz6WQujwCzi4cVxWH/Y9E2eV8cfrUHYYo7S7GobBkfllzu2odZwHiQxkYd385zDg8U99nexdNeWG9IxEymT2bNDyjkw6p+yFKEznuLSFySphfL8kagI1IICDRdOnwOyvJImoPpIgRQrBOvoS2uIbwrCCI64S6eGsAgx4OGsXRtjrRsKzM6zOKVWUU3EUt4fMHppwcX9YXm3AwRtbKUkEspyAekcV90m4jUozY5/vpw6eNYZLmDTmcSgBKHp1fQwYUO85HPOFt/jhJZ240NXHc2xMvtrGwNXJ54KIQF18o07QbA1uAnsaF/N6tR5RLnbMFSjZSGVbJ/G0F/wgXlV8HctcMbaB63y2LTRQTASp/cfziOMLyVg64LWaW6mrTcQTA9WKoRVt5a8N3t8i5VJAoC6TDq0f8WP9+qPTvchk+tButm+Z3t4bTpcaxi3GKDoQ1imUP9mjbHS8EBZq9OGcIx62ThcUt1uu2sH6BsbOJCegqA4zp17IvwHYED6u/XZPqxoUNAiREHu+86hShC/TEn0SIRVlxm6qT341X/No7
+    users.json: AgC9I96XrIC1xqL5+jw0lWkgA+OTF94GfhVvk7Emhxy9csucA6zw6RCJyR7U5FOFgG9FhaU6C+zcBFtT/rOArrflZZ/fCtsXc9AocnnUrweQNgsvcz3ATXtZn2HqiDqJSAIvmP8uQN7l3XgyBoB3Fed5q2ZSZzxqOxNFv2A7OHw5THPUb0ocA1ZJa4CbMPy+7nAMAfN+i49gsFxwx6iZ6dLY1gfBdbxjHDCOmyenZCa0J8uyq4hUdm2XeiqLCM6pIK3Px41gYyHKZ0meLfNqr+bwq8GgH8zcXlTYM8h4YRY9pqv3KvbUbbvWlXBgDKmmRnqPUu3RKXdNuaenjpUo3qVS2Fe1Ps52ubOT83x6tgpR1CQS/uR3jxGIqp6Gp4zHVmy7csStYLEfiBs1UzU3htrP04It8zNX+3mnilDw3o+NkKAuCrAAhf+AW6mYQ1O0wG9UMhoRSWkn5ylrLZFIuLWY+U0XD7HvXZ9j8kye/fB6cXNVCqqSO8BmpTqujKBJCoM3trnS0zCGPrIQKr7xLhkpKLsk9hv7ij8uoCDegiV8pCIRaCjQS0JPC/5oXl3t5XagbmYKOVs3eZNcVQAA1TLQKITHI9s7j2ck5ZUqY8p156s+J+4RtMKdcf93W2zwveivTVAczSzypP0EffYzQgjKYqVhXldwi+GISdqUe0IE1hff6+0MhjsVMjCsrlDv4rM/KW3jQhIZGBnFWTfdyttbYYln9hxl1VDv2v1NQ0zK7Y1utA2lc4e0A4z6HdBuZxPs++/LhldTxR6PS509whodzEZf8wlV6pgI5ULEdccrATR6LD3k3cXg1NXvmFW7aNOKF80bYbic8G7jIpIcaasThZ74pHgyv8E+z1BXl++KTy1Ad+YJjMFcvPEV3roYN1M9QxBBfie2p94p9ostHzGuPCcNF84Z8/SnTp3kQ8zF5xYKl5BxeVkaVHBTqL4NpDukb7fmQzggeV3ciMBO0onNleGC2Yp6wtTzitWD8VyFkZHRKaoO4u7vE7BG5SqybeSndkpG9AJPbLbhzgFPZTtg5+avyMjpXaHmMG16XXFCIhuScbhAbSSMgC9pABcEpOmpAw1Z4hk9yWUsNxwLUtrCYAqrwIAmj8RrO5+ATkbPRD4MeGFcyZmCYVMLngUPuZX2MCBIqgAYSOIKYtr82f7aJs7uMQNHGhY5IHrvROsSFleYjoQJrzXwJk84/yizv8LG3B0gMb1RcXhuKKipa+mRVBzmX8yEWaUDWi/dl5HhGN8mIHZKBY8GvZ6vI9Biyo9ODS5+EknobBGLj6S069aOxwCKxXwMJikgsveov05JdhPuQsuw3qSsWmxpDHGxhKxw3bD9DQOwu8fmmUlsF7nVyEaRAoXo85lvEwmGJkftjXiFQeqbWs/MiRhaEhbTyj7WHReSWW7oBQz5znQqLu0=
   template:
     metadata:
       creationTimestamp: null

diff --git a/k8s/infra/controllers/argocd/values.yaml b/k8s/infra/controllers/argocd/values.yaml
@@ -2,6 +2,19 @@ configs:
   cm:
     create: true
     application.resourceTrackingMethod: "annotation+label"
+    # TODO: CHANGE THIS COMPROMISED TEST CLIENT SECRET
+    url: 'https://argocd.stonegarden.dev'
+    oidc.config: |
+      name: 'Authelia'
+      issuer: 'https://authelia.stonegarden.dev'
+      clientID: 'argocd'
+      clientSecret: 'kW2GrLDNZwpschHCU496oFKSE-mjRc8yOYbXpafRB6kJp-cF_wcfGaVF55.~rF_qSSEYUcth'
+      cliClientID: 'argocd-cli'
+      requestedScopes:
+        - 'openid'
+        - 'profile'
+        - 'email'
+        - 'groups'
   cmp:
     create: true
     plugins:
@@ -12,6 +25,10 @@ configs:
   params:
     controller.diff.server.side: true
     server.insecure: true
+  rbac-cm:
+    policy.csv: |
+      g, argocd:admin, role:admin
+    
 
 crds:
   install: true