feat: try to add authelia back

clempat · Oct 1, 2022 · 70e2022 · 70e2022
1 parent f07b85f
commit 70e2022
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 51 deletions.
diff --git a/cluster/core/authentication-system/configmap.yaml b/cluster/core/authentication-system/configmap.yaml
@@ -46,13 +46,22 @@ data:
     access_control:
       default_policy: deny
       rules:
+        - domain: "auth.${SECRET_DOMAIN}"
+          policy: bypass
+        ## bypass api / triggers
+        - domain: "*.domain.com"
+          resources:
+            - "^/api([/?].*)?$"
+          policy: bypass
         - domain: "*.${SECRET_DOMAIN}"
+          subject:
+            - "group:admins"
           policy: two_factor
     session:
       name: authelia_session
       expiration: 1h
       inactivity: 15m
-      remember_me_duration: 1M
+      remember_me_duration: 2M
       domain: ${SECRET_DOMAIN}
       redis:
         host: redis.default.svc.cluster.local

diff --git a/cluster/core/authentication-system/deployment.yaml b/cluster/core/authentication-system/deployment.yaml
@@ -44,9 +44,6 @@ spec:
             - name: authelia-secrets
               mountPath: /app/secrets
               readOnly: true
-            - name: pgo-cluster-pguser-authelia
-              mountPath: /db/secrets
-              readOnly: true
           startupProbe:
             httpGet:
               path: /api/health
@@ -86,27 +83,27 @@ spec:
             - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
               value: /app/secrets/session_redis_password
             - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
-              value: /db/secrets/storage_postgres_password
+              value: /app/secrets/storage_postgres_password
             - name: AUTHELIA_STORAGE_POSTGRES_HOST
               valueFrom:
                 secretKeyRef:
-                  name: pgo-cluster-pguser-authelia
-                  key: host
+                  name: authelia-secrets
+                  key: authelia_storage_postgres_host
             - name: AUTHELIA_STORAGE_POSTGRES_PORT
               valueFrom:
                 secretKeyRef:
-                  name: pgo-cluster-pguser-authelia
-                  key: port
+                  name: authelia-secrets
+                  key: authelia_storage_postgres_port
             - name: AUTHELIA_STORAGE_POSTGRES_DATABASE
               valueFrom:
                 secretKeyRef:
-                  name: pgo-cluster-pguser-authelia
-                  key: dbname
+                  name: authelia-secrets
+                  key: authelia_storage_postgres_dbname
             - name: AUTHELIA_STORAGE_POSTGRES_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: pgo-cluster-pguser-authelia
-                  key: user
+                  name: authelia-secrets
+                  key: authelia_storage_postgres_user
             - name: TZ
               value: ${TIMEZONE}
       enableServiceLinks: false
@@ -129,9 +126,5 @@ spec:
                 path: notifier_smtp_password
               - key: authelia_session_redis_password
                 path: session_redis_password
-        - name: pgo-cluster-pguser-authelia
-          secret:
-            secretName: pgo-cluster-pguser-authelia
-            items:
-              - key: password
+              - key: authelia_storage_postgres_password
                 path: storage_postgres_password
diff --git a/cluster/core/authentication-system/secret.yaml b/cluster/core/authentication-system/secret.yaml
@@ -12,6 +12,11 @@ stringData:
     authelia_session_secret: ENC[AES256_GCM,data:xcdJ7N74EcO5hrwDk+aoBj35yWs=,iv:Veu6sBTrXgn7U18wQ9rNjWh4QQK5PqVbMQ54LArR52Y=,tag:K/bcZIjdF6yY0iovucSGXQ==,type:str]
     authelia_notifier_smtp_password: ENC[AES256_GCM,data:rHj4eUN11fZOtzavZbo+Zg==,iv:lP4KwUnN5/gY6rAHUeI0bKBRVkjBzsjR/eOwPHmfCCg=,tag:I7wHQi/s9VxRc3pF0J7ejg==,type:str]
     authelia_session_redis_password: ENC[AES256_GCM,data:aCBcTRupxPaLEXHWrmU=,iv:iZNKUbQzlhJ/xxppEWIxcVoQCDvW7RKETAFvDQBnLrM=,tag:Mk+9gGtGVFgXyb/L8yrJFg==,type:str]
+    authelia_storage_postgres_host: ENC[AES256_GCM,data:DtHmhNj0g9zxvopCbzE=,iv:nPHRWCzx+E1V8l9EPdEO82b24pHNGiYCHjDj2Qzto9E=,tag:uZDVKxFeWb1ARIKZrYambg==,type:str]
+    authelia_storage_postgres_port: ENC[AES256_GCM,data:i195nw==,iv:IHfoF0lnNcnJkYQKaT0RuEOVhqUfPU4iXGWoh3tqzlM=,tag:3N/51hZ80G+qIJenkvxXiw==,type:str]
+    authelia_storage_postgres_dbname: ENC[AES256_GCM,data:SFzjDU9temk=,iv:UoFrHYcT9Fqn5ofxGOENL/d1NzHNcbQ7qjaKOrJWXg8=,tag:DXkN+9wUvY8TV6gZ/iMn2g==,type:str]
+    authelia_storage_postgres_user: ENC[AES256_GCM,data:/M2oSTDEHnM=,iv:JU1uc9pHTJJdcOety7OGkBBY6cM4cKmZk0Qw+YMBwvQ=,tag:b7qD5ITEr3arx/21mM8gig==,type:str]
+    authelia_storage_postgres_password: ENC[AES256_GCM,data:GkNkvE7QoueGqYf/4WsXCz67hWw=,iv:SGS9VoGUrchM8IiqNrMVoemgvIJex1vbrRt14aEGBZk=,tag:msJM8/W7vSOcmb0HltQQgA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -27,37 +32,8 @@ sops:
             QlZMNEQ5Z3BsUjU3YThBN3NwWjRmNmcKhizAiOsSg31A1y3cgNb/fhM+2kb7u+V8
             VP7p2MFJoOkPVDfk1hUpoCkGSgycMjbRAMwHdcipVEXKzAOHBqpWtg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-03-30T21:32:38Z"
-    mac: ENC[AES256_GCM,data:KT8SJ78IcguO+Mgi7hvq8h4SWRLf6W4N78+8GBHra+CbJpV2/An1uLzCBa3/nqNmAqRuUrP8WlqBy7TqqR/HhAnWRkO6qEMA+2Kw9r2kdHp663gxrki8y8fxjPNljaZa+aDoYZtnsdbtPnmdXgJEe294Gk6ufzYBqLuUMDsE5ho=,iv:5KCRjHy6pez0N+FoZ/uGQygGBIbwdSqDgFgVLa+d1Lo=,tag:X9Si3BtoxigrVEPWUVKvAg==,type:str]
+    lastmodified: "2022-10-01T12:50:00Z"
+    mac: ENC[AES256_GCM,data:9ZQKs3XIGXimCyrfFAbZJuFsE3KmhY0EmIFS3A095aHy6SmoUheh+JJLLh+059YkzI8OvpcI1QosZYie1TUlbQdC9yUuwyYZW/Sv68ozRER7FCajw/q2pKFWF29AmPZPccvFHeWYds0/3GfwhReaM+jMKyD9LG/AxU8LsXaL5ug=,iv:PjfXGk5Bh31llWaphUKGX3XGTfNF1Ro+eoOfhcreuFo=,tag:3/7nPG+nQ3Rr8VUbBt4k0g==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
-    version: 3.7.2
----
-apiVersion: v1
-kind: Secret
-metadata:
-    name: pgo-cluster-pguser-authelia
-    namespace: authentication-system
-    annotations:
-        reflector.v1.k8s.emberstack.com/reflects: postgres-operator/pgo-cluster-pguser-authelia
-data: {}
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1ksuvc69hvx8eup9g4g4m5lklhkmmmh4ddjdqfdsusaq50vu2846qu56ltl
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ1YydEJMT0tySk9CakIz
-            bmN2Ri9BdXNTVFRrQW9leHZ1cjJweVdlUFVVCnFrTFBxYzRZQUpNVXMxeW5TUjc2
-            ZGVHWHVORWNBRjJncFEzZkVZRUxXc1EKLS0tIGc1RXpQMnNwcUtuYTVDbC84K0lr
-            QlZMNEQ5Z3BsUjU3YThBN3NwWjRmNmcKhizAiOsSg31A1y3cgNb/fhM+2kb7u+V8
-            VP7p2MFJoOkPVDfk1hUpoCkGSgycMjbRAMwHdcipVEXKzAOHBqpWtg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-03-30T21:32:38Z"
-    mac: ENC[AES256_GCM,data:KT8SJ78IcguO+Mgi7hvq8h4SWRLf6W4N78+8GBHra+CbJpV2/An1uLzCBa3/nqNmAqRuUrP8WlqBy7TqqR/HhAnWRkO6qEMA+2Kw9r2kdHp663gxrki8y8fxjPNljaZa+aDoYZtnsdbtPnmdXgJEe294Gk6ufzYBqLuUMDsE5ho=,iv:5KCRjHy6pez0N+FoZ/uGQygGBIbwdSqDgFgVLa+d1Lo=,tag:X9Si3BtoxigrVEPWUVKvAg==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.2
+    version: 3.7.3
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
   - longhorn
   - default
   # - rook-ceph
-  # - authentication-system
+  - authentication-system
   - notification
   - cert-manager
   - kube-system