From 5a53d28be6fb6cc9373a2f90216d40b1daf3d4c3 Mon Sep 17 00:00:00 2001
From: Vegard Hagen
Date: Sat, 7 Sep 2024 21:14:33 +0200
Subject: [PATCH] feat(auth): add Authelia for OIDC

Use Authelia in an attempt to replace Keycloak. Kanidm is another alternative we're going to try later.
---
 k8s/apps/homepage/blog/hugo/http-route.yaml | 2 +-
 k8s/infra/auth/authelia/kustomization.yaml | 14 +++++
 k8s/infra/auth/authelia/ns.yaml | 4 ++
 k8s/infra/auth/authelia/values.yaml | 60 +++++++++++++++++++++
 k8s/infra/auth/lldap/svc.yaml | 3 ++
 k8s/infra/auth/project.yaml | 2 +
 6 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 k8s/infra/auth/authelia/kustomization.yaml
 create mode 100644 k8s/infra/auth/authelia/ns.yaml
 create mode 100644 k8s/infra/auth/authelia/values.yaml
diff --git a/k8s/apps/homepage/blog/hugo/http-route.yaml b/k8s/apps/homepage/blog/hugo/http-route.yaml
index 41eca3e1..abf20386 100644
--- a/k8s/apps/homepage/blog/hugo/http-route.yaml
+++ b/k8s/apps/homepage/blog/hugo/http-route.yaml
@@ -18,4 +18,4 @@ spec:
 value: /
 backendRefs:
 - name: hugo
- port: 80
\ No newline at end of file
+ port: 80
diff --git a/k8s/infra/auth/authelia/kustomization.yaml b/k8s/infra/auth/authelia/kustomization.yaml
new file mode 100644
index 00000000..7d28267d
--- /dev/null
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+
+resources:
+ - ns.yaml
+
+helmCharts:
+ - name: authelia
+ repo: https://charts.authelia.com
+ releaseName: authelia
+ namespace: authelia
+ version: 0.9.5
+ valuesFile: values.yaml
diff --git a/k8s/infra/auth/authelia/ns.yaml b/k8s/infra/auth/authelia/ns.yaml
new file mode 100644
index 00000000..6c48a0bc
--- /dev/null
+++ b/k8s/infra/auth/authelia/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authelia
diff --git a/k8s/infra/auth/authelia/values.yaml b/k8s/infra/auth/authelia/values.yaml
new file mode 100644
index 00000000..acea6de1
--- /dev/null
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -0,0 +1,60 @@
+image:
+ registry: ghcr.io
+ repository: authelia/authelia
+ tag: 4.38.10 # renovate: docker=ghcr.io/authelia/authelia
+ pullPolicy: IfNotPresent
+
+configMap:
+ theme: 'dark'
+
+ access_control:
+ # upgrade to 'two_factor' later
+ default_policy: 'one_factor'
+ rules:
+ - domain_regex: '^.*\.stonegarden.dev$'
+ policy: 'one_factor'
+
+ authentication_backend:
+ ldap:
+ enabled: true
+ implementation: 'lldap'
+ address: 'ldap://lldap.lldap.svc.cluster.local'
+ base_dn: 'DC=stonegarden,DC=dev'
+ additional_users_dn: 'OU=people'
+ # To allow sign in both with username and email, one can use a filter like
+ # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+ users_filter: '(&({username_attribute}={input})(objectClass=person))'
+ additional_groups_dn: 'OU=groups'
+ groups_filter: '(member={dn})'
+ user: 'UID=admin,OU=people,DC=stonegarden,DC=dev'
+ password:
+ secret_name: 'lldap-auth'
+ value: 'password'
+
+# file:
+# enabled: true
+
+ session:
+ cookies:
+ - subdomain: auth
+ domain: stonegarden.dev
+
+ storage:
+ postgres:
+ enabled: false
+ address: 'tcp://postgres.databases.svc.cluster.local:5432'
+ # Switch to Postgres later
+ local:
+ enabled: true
+
+ notifier:
+ filesystem:
+ enabled: true
+
+secret:
+ additionalSecrets:
+ lldap-auth:
+ items:
+ - key: 'password'
+ path: 'authentication.ldap.password.txt'
+
diff --git a/k8s/infra/auth/lldap/svc.yaml b/k8s/infra/auth/lldap/svc.yaml
index ec53efd2..08401b38 100644
--- a/k8s/infra/auth/lldap/svc.yaml
+++ b/k8s/infra/auth/lldap/svc.yaml
@@ -11,3 +11,6 @@ spec:
 - name: web
 port: 80
 targetPort: web
+ - name: ldap
+ port: 389
+ targetPort: ldap
diff --git a/k8s/infra/auth/project.yaml b/k8s/infra/auth/project.yaml
index ba877c47..4b7766d1 100644
--- a/k8s/infra/auth/project.yaml
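Review bot: The access-control rule in values.yaml, `domain_regex: '^.*\.stonegarden.dev$'`, leaves the dot before `dev` unescaped, so it is a wildcard and the rule also matches names such as `foo.stonegardenXdev`; the intended pattern is `domain_regex: '^.*\.stonegarden\.dev$'`. The LDAP bind identity `user: 'UID=admin,OU=people,DC=stonegarden,DC=dev'` looks like the directory's administrative account, while Authelia only needs to read the users and groups subtrees, so a dedicated low-privilege bind account would limit what a compromised `lldap-auth` secret grants. The backend is reached over plain `ldap://`, and the lldap svc.yaml hunk in this commit exposes only port 389, so bind credentials travel in clear text inside the cluster and there is not yet a TLS endpoint to point `address` at; worth a `# TODO: move to ldaps once lldap exposes it` comment if that is deliberate. The `lldap-auth` Secret referenced under `secret.additionalSecrets` is not created by this commit; a one-line comment above it naming where it is provisioned from would help the next maintainer.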
+++ b/k8s/infra/auth/project.yaml
@@ -9,6 +9,8 @@ spec:
 destinations:
 - namespace: 'argocd'
 server: '*'
+ - namespace: 'authelia'
+ server: '*'
 - namespace: 'keycloak'
 server: '*'
 - namespace: 'lldap'