From 6931a8a2b86211cae76e10946d774ba0e19ba309 Mon Sep 17 00:00:00 2001
From: Mathis
Date: Tue, 28 Nov 2023 21:05:30 +0000
Subject: [PATCH] authelia: Add Authelia
---
authelia/basic-auth-middleware.yaml | 9 ++++++++
authelia/ingress.yaml | 14 ++++++++++++
authelia/kustomization.yaml | 21 +++++++++++++++++
authelia/namespace.yaml | 4 ++++
authelia/secret-generator.yaml | 17 ++++++++++++++
authelia/users_database.enc.yaml | 28 +++++++++++++++++++++++
authelia/values.yaml | 35 +++++++++++++++++++++++++++++
7 files changed, 128 insertions(+)
create mode 100755 authelia/basic-auth-middleware.yaml
create mode 100755 authelia/ingress.yaml
create mode 100755 authelia/kustomization.yaml
create mode 100755 authelia/namespace.yaml
create mode 100644 authelia/secret-generator.yaml
create mode 100644 authelia/users_database.enc.yaml
create mode 100755 authelia/values.yaml
diff --git a/authelia/basic-auth-middleware.yaml b/authelia/basic-auth-middleware.yaml
new file mode 100755
index 0000000..dd199a4
--- /dev/null
+++ b/authelia/basic-auth-middleware.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authelia
+ namespace: auth
+spec:
+ forwardAuth:
+ address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
+ trustForwardHeader: true
diff --git a/authelia/ingress.yaml b/authelia/ingress.yaml
new file mode 100755
index 0000000..fe87728
--- /dev/null
+++ b/authelia/ingress.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: authelia-ingress
+ namespace: auth
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`auth.namesny.com`)
+ kind: Rule
+ services:
+ - name: authelia
+ port: 80
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml
new file mode 100755
index 0000000..487dff0
--- /dev/null
+++ b/authelia/kustomization.yaml
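Review bot: `trustForwardHeader: true` on the forwardAuth middleware makes Traefik pass the caller's X-Forwarded-* headers through to Authelia's `/api/verify`, so Authelia's view of the original host and scheme is only as trustworthy as the websecure entrypoint's forwarded-headers filtering, which this patch does not show; confirm the entrypoint restricts trusted proxies, otherwise a client can influence what Authelia sees in the verify request. The file is named basic-auth-middleware.yaml while the object is a forwardAuth middleware, so a header comment such as `# forwardAuth middleware: Traefik asks Authelia /api/verify before serving protected routes` would stop the name misleading readers. The `traefik.containo.us/v1alpha1` group has been superseded by `traefik.io/v1alpha1` in recent Traefik releases; keep it only if the cluster's CRDs are the older ones. Separately, basic-auth-middleware.yaml, ingress.yaml, kustomization.yaml, namespace.yaml and values.yaml are all added with mode 100755; plain YAML manifests should not carry the executable bit.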
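Review bot: The IngressRoute for auth.namesny.com has no `tls` stanza, so whether the login portal is actually served over TLS depends entirely on the websecure entrypoint's defaults, which are not in this patch; an explicit `tls: {}` (or the certResolver/secretName form the rest of the repo uses, if any) makes the intent visible and survives entrypoint changes. The route deliberately carries no `middlewares` entry, since the portal itself must stay reachable unauthenticated, and a one-line comment saying so would pre-empt someone "fixing" it later.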
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generatorOptions:
+ disableNameSuffixHash: true
+namespace: auth
+resources:
+- namespace.yaml
+- ingress.yaml
+- basic-auth-middleware.yaml
+
+generators:
+- ./secret-generator.yaml
+
+helmCharts:
+- name: authelia
+ releaseName: authelia
+ version: 0.8.58
+ repo: https://charts.authelia.com
+ namespace: auth
+ valuesFile: values.yaml
+
diff --git a/authelia/namespace.yaml b/authelia/namespace.yaml
new file mode 100755
index 0000000..20fe7ac
--- /dev/null
+++ b/authelia/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: auth
\ No newline at end of file
diff --git a/authelia/secret-generator.yaml b/authelia/secret-generator.yaml
new file mode 100644
index 0000000..c8e9ba5
--- /dev/null
+++ b/authelia/secret-generator.yaml
@@ -0,0 +1,17 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: authelia-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+secretFrom:
+- metadata:
+ name: authelia-users-secret
+ namespace: auth
+ annotations:
+ kustomize.config.k8s.io/needs-hash: "false"
+ type: Opaque
+ files:
+ - users_database.yaml=./users_database.enc.yaml
diff --git a/authelia/users_database.enc.yaml b/authelia/users_database.enc.yaml
new file mode 100644
index 0000000..b7e9442
--- /dev/null
+++ b/authelia/users_database.enc.yaml
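Review bot: The ksops generator declares an exec KRM function (`config.kubernetes.io/function` with `exec: path: ksops`), but nothing in the patch records that `kustomize build` must run with `--enable-alpha-plugins --enable-exec`, with the `ksops` binary on PATH and the age identity available to sops (e.g. via SOPS_AGE_KEY_FILE); a header comment such as `# Requires: kustomize build --enable-alpha-plugins --enable-exec, ksops on PATH, and the age key for the recipient in users_database.enc.yaml` would save the next operator a failed build. Note also that the decrypted content becomes an ordinary Secret `authelia-users-secret` in the `auth` namespace, so anyone with read access to Secrets there can read the users database; the SOPS encryption protects the repository, not the cluster, and RBAC on that namespace is what protects the password hashes at runtime.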
@@ -0,0 +1,28 @@
+users:
+ matus:
+ displayname: ENC[AES256_GCM,data:mLFikpU=,iv:Iemii72kWnE1l0py/t+0656eT8Uq1gpngDbTMMeECh8=,tag:QM1/ZMz+2bhAfCn2yvjc/g==,type:str]
+ password: ENC[AES256_GCM,data:nrOc1JNEew5ucfkYAlx3IzS63BWVESLjZhZ/TZf0brsLNFVKvQ35RZX9RxEfy8BbJt/ELeNlv7UBJVXVCp994UjelG0rQGdGqVKdl4d/UJ8FaMVxCKYtmHuAT4yYC9xs9BHm,iv:a7PS17bCSakhDFINBpSePKvI0dDt8CDCn4QnGp4D1W4=,tag:IQyGAAKr4hjR2bQthlw1qQ==,type:str]
+ email: ENC[AES256_GCM,data:eRqp61nZzcnaIDHJAQsr1Wg=,iv:m9/LLx+nVpsukFvxUs+Xtxqrzm2Gg6NuU7vVDYSvORM=,tag:nGvy4YIHgQ/Q89BRVWD41Q==,type:str]
+ groups:
+ - ENC[AES256_GCM,data:WT3SDtr1,iv:HpPaH3bYt6nuUJX4ydm30ndDpzxzTCsJS+O1GqLcT5M=,tag:ZeI+K2re1K5DoZHxbD60GA==,type:str]
+ - ENC[AES256_GCM,data:Vh/i,iv:6Ds1PdJtivewRQvQpAqjtTQeKjhEUDifTWL8aCWaK4A=,tag:D4k6vVlFGCo8nYVeGhRDkA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSOHcvR296TFNDTlFUV2hS
+ UXdqZ0tFWkl5bVBBeGlFN1ZIVFBXQjk3KzBZCllhTXdhYXBJUG5NT1JyZDF2M0xs
+ eHZsbWFraGVwVmpWWlZWaEs5b1V2VlEKLS0tIGpNU0VZSXYxL0xGZmJ4TktzNGcw
+ aCs0NnhLQnF2bStEallaZFRkRTI1d3cKtcZJoDjv/+GLrx32GALmc3MuQGLoZ9iT
+ 7y3kEdf+fNJGZG7zr9c2Tx8WpDzX2qb7C2VFneDp52p4OpYBIWmKCQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-28T20:30:26Z"
+ mac: ENC[AES256_GCM,data:uRvVIHdZ/fSi1dKGAn0QEfAwzEKw6cP4GMbpZz3DWMkHkxMnFkR2hcc4NGNg5oRAOxFP5dFTsXMkZCVNN/JiNsb6/Hji7G4YEM6wPWGy3PerWwIwipp+D9r3HvDpR6Viky/TJzCF5NsiVf+sNcN3cMZw8B/IqD0nH8/PXwg3Yvc=,iv:TCqZjgVVv/sMHEjzgFuMvHHs6hfxBgkvOx10MSna3rI=,tag:Tr+hCP5N1nf3lxuE2pfEDg==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.8.1
diff --git a/authelia/values.yaml b/authelia/values.yaml
new file mode 100755
index 0000000..6c8dfa2
--- /dev/null
+++ b/authelia/values.yaml
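Review bot: The file is encrypted for a single age recipient (the one entry under `sops.age`), so that identity is the only way to decrypt or re-key the users database; if it is lost the password hashes are unrecoverable, and adding a second recipient later needs `sops updatekeys` run by someone who still holds the first key, so a backup recipient is cheapest to add now. As with any SOPS-managed file only the values are encrypted: the username `matus` and the field layout (displayname, password, email, groups) remain cleartext in the repository, which is acceptable but should be understood before the repo is treated as public. The `unencrypted_regex` keeping apiVersion/metadata/kind/type plain is the usual Kubernetes default and has no effect here since this is not a Kubernetes object; a one-line comment at the top of the file noting that it is consumed only through secret-generator.yaml would avoid confusion.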
@@ -0,0 +1,35 @@
+domain: 'namesny.com'
+configMap:
+ authentication_backend:
+ file:
+ enabled: true
+ path: /users/users_database.yaml
+ ldap:
+ enabled: false
+ access_control:
+ rules:
+ - domain: '*.namesny.com'
+ policy: one_factor
+ session:
+ redis:
+ enabled: false
+ storage:
+ local:
+ enabled: true
+ path: /config/db.sqlite3
+ postgres:
+ enabled: false
+ notifier:
+ smtp:
+ enabled: false
+ filesystem:
+ enabled: true
+
+pod:
+ extraVolumeMounts:
+ - name: authelia-users-vol
+ mountPath: /users
+ extraVolumes:
+ - name: authelia-users-vol
+ secret:
+ secretName: authelia-users-secret
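Review bot: `storage.local.path: /config/db.sqlite3` places the SQLite database, which holds second-factor registrations and reset state, on the container filesystem, and nothing in this values file enables the chart's persistence, so unless it is enabled elsewhere the data is lost on every pod restart; confirm persistence is configured or move to the postgres backend that is declared here but disabled. `session.redis.enabled: false` has the same effect for sessions (every restart signs all users out), which is acceptable for a single-user deployment but deserves a comment saying it is intentional. The single `access_control` rule grants `one_factor` to every `*.namesny.com` host; Authelia applies the first matching rule, so hosts that front administrative surfaces should get a more specific `two_factor` rule placed above the catch-all. `notifier.filesystem.enabled: true` writes enrolment and reset links to a file inside the pod instead of emailing them, so completing second-factor registration requires reading that file from the pod; document that procedure next to the setting, or enable smtp.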