vehagn · luminosita · Sep 7, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,9 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 
+**/.DS_Store
+**/*.tfplan
+
 *.qcow2
 *.raw
 

diff --git a/k8s/apps/homepage/blog/hugo/http-route.yaml b/k8s/apps/homepage/blog/hugo/http-route.yaml
@@ -18,4 +18,4 @@ spec:
             value: /
       backendRefs:
         - name: hugo
-          port: 80
+          port: 80
diff --git a/k8s/infra/auth/authelia/kustomization.yaml b/k8s/infra/auth/authelia/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+
+resources:
+  - ns.yaml
+
+helmCharts:
+  - name: authelia
+    repo: https://charts.authelia.com
+    releaseName: authelia
+    namespace: authelia
+    version: 0.9.5
+    valuesFile: values.yaml
diff --git a/k8s/infra/auth/authelia/ns.yaml b/k8s/infra/auth/authelia/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
diff --git a/k8s/infra/auth/authelia/values.yaml b/k8s/infra/auth/authelia/values.yaml
@@ -0,0 +1,60 @@
+image:
+  registry: ghcr.io
+  repository: authelia/authelia
+  tag: 4.38.10 # renovate: docker=ghcr.io/authelia/authelia
+  pullPolicy: IfNotPresent
+
+configMap:
+  theme: 'dark'
+
+  access_control:
+    # upgrade to 'two_factor' later
+    default_policy: 'one_factor'
+    rules:
+     - domain_regex: '^.*\.stonegarden.dev$'
+       policy: 'one_factor'
+
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'lldap'
+      address: 'ldap://lldap.lldap.svc.cluster.local'
+      base_dn: 'DC=stonegarden,DC=dev'
+      additional_users_dn: 'OU=people'
+      # To allow sign in both with username and email, one can use a filter like
+      # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+      users_filter: '(&({username_attribute}={input})(objectClass=person))'
+      additional_groups_dn: 'OU=groups'
+      groups_filter: '(member={dn})'
+      user: 'UID=admin,OU=people,DC=stonegarden,DC=dev'
+      password:
+        secret_name: 'lldap-auth'
+        value: 'password'
+
+#    file:
+#      enabled: true
+
+  session:
+    cookies:
+      - subdomain: auth
+        domain: stonegarden.dev
+
+  storage:
+    postgres:
+      enabled: false
+      address: 'tcp://postgres.databases.svc.cluster.local:5432'
+    # Switch to Postgres later
+    local:
+      enabled: true
+
+  notifier:
+    filesystem:
+      enabled: true
+
+secret:
+  additionalSecrets:
+    lldap-auth:
+      items:
+        - key: 'password'
+          path: 'authentication.ldap.password.txt'
+
diff --git a/k8s/infra/auth/lldap/svc.yaml b/k8s/infra/auth/lldap/svc.yaml
@@ -11,3 +11,6 @@ spec:
     - name: web
       port: 80
       targetPort: web
+    - name: ldap
+      port: 389
+      targetPort: ldap
diff --git a/k8s/infra/auth/project.yaml b/k8s/infra/auth/project.yaml
@@ -9,6 +9,8 @@ spec:
   destinations:
     - namespace: 'argocd'
       server: '*'
+    - namespace: 'authelia'
+      server: '*'
     - namespace: 'keycloak'
       server: '*'
     - namespace: 'lldap'

diff --git a/k8s/infra/controllers/cert-manager/values.yaml b/k8s/infra/controllers/cert-manager/values.yaml
@@ -1,5 +1,6 @@
-installCRDs: true
-
+#installCRDs: true
+crds:
+  enabled: true
 extraArgs:
   - "--enable-gateway-api"
 

diff --git a/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl b/tofu/kubernetes/talos/machine-config/control-plane.yaml.tftpl
@@ -12,6 +12,14 @@ cluster:
       name: none
   proxy:
     disabled: true
+  #need to install gateway api manifests before cilium deployment. GatewayClass acceptance 
+  extraManifests:
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml
+    - https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
   inlineManifests:
   - name: cilium-values
     contents: |