From 70e202206a44228a59c9d0402600140f6ddf8523 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Patout?= Date: Sat, 1 Oct 2022 14:39:40 +0200 Subject: [PATCH] feat: try to add authelia back --- .../core/authentication-system/configmap.yaml | 11 ++++- .../authentication-system/deployment.yaml | 27 +++++-------- .../core/authentication-system/secret.yaml | 40 ++++--------------- cluster/core/kustomization.yaml | 2 +- 4 files changed, 29 insertions(+), 51 deletions(-) diff --git a/cluster/core/authentication-system/configmap.yaml b/cluster/core/authentication-system/configmap.yaml index 69bb8118..ba73c5dd 100644 --- a/cluster/core/authentication-system/configmap.yaml +++ b/cluster/core/authentication-system/configmap.yaml @@ -46,13 +46,22 @@ data: access_control: default_policy: deny rules: + - domain: "auth.${SECRET_DOMAIN}" + policy: bypass + ## bypass api / triggers + - domain: "*.domain.com" + resources: + - "^/api([/?].*)?$" + policy: bypass - domain: "*.${SECRET_DOMAIN}" + subject: + - "group:admins" policy: two_factor session: name: authelia_session expiration: 1h inactivity: 15m - remember_me_duration: 1M + remember_me_duration: 2M domain: ${SECRET_DOMAIN} redis: host: redis.default.svc.cluster.local diff --git a/cluster/core/authentication-system/deployment.yaml b/cluster/core/authentication-system/deployment.yaml index 1aa53775..a637ea84 100644 --- a/cluster/core/authentication-system/deployment.yaml +++ b/cluster/core/authentication-system/deployment.yaml @@ -44,9 +44,6 @@ spec: - name: authelia-secrets mountPath: /app/secrets readOnly: true - - name: pgo-cluster-pguser-authelia - mountPath: /db/secrets - readOnly: true startupProbe: httpGet: path: /api/health 
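Review bot: The new bypass rule `- domain: "*.domain.com"` uses a literal placeholder domain while every other rule in this file uses `${SECRET_DOMAIN}`, so it is either dead (never matches the deployed hosts) or, if the substituted domain happens to be domain.com, it removes authentication from every `/api` path on every subdomain. If an API bypass is intended it should name the specific host that needs it rather than a wildcard, e.g. `- domain: "api.${SECRET_DOMAIN}"`, and the `## bypass api / triggers` comment should say which service relies on it; otherwise the rule should be dropped. Note also that with `default_policy: deny` the added `subject: - "group:admins"` means any authenticated user outside the admins group is now denied on `*.${SECRET_DOMAIN}`, which looks intentional but deserves a one-line comment. Rules are matched top-down, so placing the `auth.${SECRET_DOMAIN}` bypass first is correct.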
@@ -86,27 +83,27 @@ spec: - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE value: /app/secrets/session_redis_password - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE - value: /db/secrets/storage_postgres_password + value: /app/secrets/storage_postgres_password - name: AUTHELIA_STORAGE_POSTGRES_HOST valueFrom: secretKeyRef: - name: pgo-cluster-pguser-authelia - key: host + name: authelia-secrets + key: authelia_storage_postgres_host - name: AUTHELIA_STORAGE_POSTGRES_PORT valueFrom: secretKeyRef: - name: pgo-cluster-pguser-authelia - key: port + name: authelia-secrets + key: authelia_storage_postgres_port - name: AUTHELIA_STORAGE_POSTGRES_DATABASE valueFrom: secretKeyRef: - name: pgo-cluster-pguser-authelia - key: dbname + name: authelia-secrets + key: authelia_storage_postgres_dbname - name: AUTHELIA_STORAGE_POSTGRES_USERNAME valueFrom: secretKeyRef: - name: pgo-cluster-pguser-authelia - key: user + name: authelia-secrets + key: authelia_storage_postgres_user - name: TZ value: ${TIMEZONE} enableServiceLinks: false @@ -129,9 +126,5 @@ spec: path: notifier_smtp_password - key: authelia_session_redis_password path: session_redis_password - - name: pgo-cluster-pguser-authelia - secret: - secretName: pgo-cluster-pguser-authelia - items: - - key: password + - key: authelia_storage_postgres_password path: storage_postgres_password diff --git a/cluster/core/authentication-system/secret.yaml b/cluster/core/authentication-system/secret.yaml index 4896b4cd..8662fd8a 100644 --- a/cluster/core/authentication-system/secret.yaml +++ b/cluster/core/authentication-system/secret.yaml 
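Review bot: The Postgres connection settings now come from static keys in `authelia-secrets` instead of the operator-managed `pgo-cluster-pguser-authelia` Secret, so the credentials are a manual copy: if the Postgres operator rotates the `authelia` user's password, the sops copy goes stale and the pod will fail to authenticate with nothing in this repo showing why. The same coupling applies to the `@@ -129,9 +126,5 @@` volume-items hunk below and to the five keys added in secret.yaml. If the reflected Secret was dropped because reflection was unreliable, a comment above the `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` entry should make the manual sync explicit, e.g. `# copy of pgo-cluster-pguser-authelia; re-encrypt secret.yaml after any password rotation`. The container spec this hunk edits starts and ends outside the hunk.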
@@ -12,6 +12,11 @@ stringData: authelia_session_secret: ENC[AES256_GCM,data:xcdJ7N74EcO5hrwDk+aoBj35yWs=,iv:Veu6sBTrXgn7U18wQ9rNjWh4QQK5PqVbMQ54LArR52Y=,tag:K/bcZIjdF6yY0iovucSGXQ==,type:str] authelia_notifier_smtp_password: ENC[AES256_GCM,data:rHj4eUN11fZOtzavZbo+Zg==,iv:lP4KwUnN5/gY6rAHUeI0bKBRVkjBzsjR/eOwPHmfCCg=,tag:I7wHQi/s9VxRc3pF0J7ejg==,type:str] authelia_session_redis_password: ENC[AES256_GCM,data:aCBcTRupxPaLEXHWrmU=,iv:iZNKUbQzlhJ/xxppEWIxcVoQCDvW7RKETAFvDQBnLrM=,tag:Mk+9gGtGVFgXyb/L8yrJFg==,type:str] + authelia_storage_postgres_host: ENC[AES256_GCM,data:DtHmhNj0g9zxvopCbzE=,iv:nPHRWCzx+E1V8l9EPdEO82b24pHNGiYCHjDj2Qzto9E=,tag:uZDVKxFeWb1ARIKZrYambg==,type:str] + authelia_storage_postgres_port: ENC[AES256_GCM,data:i195nw==,iv:IHfoF0lnNcnJkYQKaT0RuEOVhqUfPU4iXGWoh3tqzlM=,tag:3N/51hZ80G+qIJenkvxXiw==,type:str] + authelia_storage_postgres_dbname: ENC[AES256_GCM,data:SFzjDU9temk=,iv:UoFrHYcT9Fqn5ofxGOENL/d1NzHNcbQ7qjaKOrJWXg8=,tag:DXkN+9wUvY8TV6gZ/iMn2g==,type:str] + authelia_storage_postgres_user: ENC[AES256_GCM,data:/M2oSTDEHnM=,iv:JU1uc9pHTJJdcOety7OGkBBY6cM4cKmZk0Qw+YMBwvQ=,tag:b7qD5ITEr3arx/21mM8gig==,type:str] + authelia_storage_postgres_password: ENC[AES256_GCM,data:GkNkvE7QoueGqYf/4WsXCz67hWw=,iv:SGS9VoGUrchM8IiqNrMVoemgvIJex1vbrRt14aEGBZk=,tag:msJM8/W7vSOcmb0HltQQgA==,type:str] sops: kms: [] gcp_kms: [] 
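Review bot: `authelia_storage_postgres_host`, `authelia_storage_postgres_port` and `authelia_storage_postgres_dbname` are not secrets, and encrypting them under `stringData` hides them from review: nothing in this diff shows whether the host still points at the `pgo-cluster` service or which port is used. Keeping those three as plain values in the ConfigMap, or directly in the Deployment's `env`, with only the user and password left under sops would make the change reviewable and shrink what the `authelia-secrets` Secret discloses to anything that can read it. The `stringData` mapping this hunk extends begins before the hunk, and the `sops` block continues past it.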
@@ -27,37 +32,8 @@ sops: QlZMNEQ5Z3BsUjU3YThBN3NwWjRmNmcKhizAiOsSg31A1y3cgNb/fhM+2kb7u+V8 VP7p2MFJoOkPVDfk1hUpoCkGSgycMjbRAMwHdcipVEXKzAOHBqpWtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-30T21:32:38Z" - mac: ENC[AES256_GCM,data:KT8SJ78IcguO+Mgi7hvq8h4SWRLf6W4N78+8GBHra+CbJpV2/An1uLzCBa3/nqNmAqRuUrP8WlqBy7TqqR/HhAnWRkO6qEMA+2Kw9r2kdHp663gxrki8y8fxjPNljaZa+aDoYZtnsdbtPnmdXgJEe294Gk6ufzYBqLuUMDsE5ho=,iv:5KCRjHy6pez0N+FoZ/uGQygGBIbwdSqDgFgVLa+d1Lo=,tag:X9Si3BtoxigrVEPWUVKvAg==,type:str] + lastmodified: "2022-10-01T12:50:00Z" + mac: ENC[AES256_GCM,data:9ZQKs3XIGXimCyrfFAbZJuFsE3KmhY0EmIFS3A095aHy6SmoUheh+JJLLh+059YkzI8OvpcI1QosZYie1TUlbQdC9yUuwyYZW/Sv68ozRER7FCajw/q2pKFWF29AmPZPccvFHeWYds0/3GfwhReaM+jMKyD9LG/AxU8LsXaL5ug=,iv:PjfXGk5Bh31llWaphUKGX3XGTfNF1Ro+eoOfhcreuFo=,tag:3/7nPG+nQ3Rr8VUbBt4k0g==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.7.2 ---- -apiVersion: v1 -kind: Secret -metadata: - name: pgo-cluster-pguser-authelia - namespace: authentication-system - annotations: - reflector.v1.k8s.emberstack.com/reflects: postgres-operator/pgo-cluster-pguser-authelia -data: {} -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ksuvc69hvx8eup9g4g4m5lklhkmmmh4ddjdqfdsusaq50vu2846qu56ltl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ1YydEJMT0tySk9CakIz - bmN2Ri9BdXNTVFRrQW9leHZ1cjJweVdlUFVVCnFrTFBxYzRZQUpNVXMxeW5TUjc2 - ZGVHWHVORWNBRjJncFEzZkVZRUxXc1EKLS0tIGc1RXpQMnNwcUtuYTVDbC84K0lr - QlZMNEQ5Z3BsUjU3YThBN3NwWjRmNmcKhizAiOsSg31A1y3cgNb/fhM+2kb7u+V8 - VP7p2MFJoOkPVDfk1hUpoCkGSgycMjbRAMwHdcipVEXKzAOHBqpWtg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-03-30T21:32:38Z" - mac: 
ENC[AES256_GCM,data:KT8SJ78IcguO+Mgi7hvq8h4SWRLf6W4N78+8GBHra+CbJpV2/An1uLzCBa3/nqNmAqRuUrP8WlqBy7TqqR/HhAnWRkO6qEMA+2Kw9r2kdHp663gxrki8y8fxjPNljaZa+aDoYZtnsdbtPnmdXgJEe294Gk6ufzYBqLuUMDsE5ho=,iv:5KCRjHy6pez0N+FoZ/uGQygGBIbwdSqDgFgVLa+d1Lo=,tag:X9Si3BtoxigrVEPWUVKvAg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.2 + version: 3.7.3 diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml index 5ea4b34d..44bab77c 100644 --- a/cluster/core/kustomization.yaml +++ b/cluster/core/kustomization.yaml @@ -6,7 +6,7 @@ resources: - longhorn - default # - rook-ceph - # - authentication-system + - authentication-system - notification - cert-manager - kube-system