kube/authelia/README.md

# Authelia

## Background

Authelia works in conjunction with Traefik to provide SSO with
credentials stored in Samba (Active Directory compatible) directory tree.

Samba resides outside Kubernetes cluster as it's difficuilt to containerize
while keeping it usable from outside the cluster due to Samba's networking.

The MariaDB instance is used to store MFA tokens.
KeyDB is used to store session info.


## Deployment

Inspect changes with `git diff` and proceed to deploy:

```
kubectl apply -n authelia -f application.yml
kubectl create secret generic -n authelia mysql-secrets \
    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
kubectl create secret generic -n authelia mariadb-secrets \
    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
kubectl -n authelia rollout restart deployment/authelia
```

To change secrets create `secret.yml`:

```
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: application-secrets
data:
  JWT_TOKEN: ...
  SESSION_ENCRYPTION_KEY: ...
  STORAGE_PASSWORD: ...
  STORAGE_ENCRYPTION_KEY: ...
  LDAP_PASSWORD: ...
  STORAGE_PASSWORD: ...
  SMTP_PASSWORD: ...
```

Apply with:

```
kubectl apply -n authelia -f application-secrets.yml 
kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
```

## OIDC secrets

OIDC secrets are separated from the main configuration until
Authelia will add CRD-s for these.

Generally speaking for untrusted applications, that is stuff that is running
outside the Kubernetes cluster eg web browser based (JS) and
local command line clients one
should use `public: true` and omit `secret: ...`.

Populate `oidc-secrets.yml` with approximately following:

```
identity_providers:
  oidc:
    clients:
    - id: kubelogin
      description: Kubernetes cluster
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - http://localhost:27890
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: proxmox
      description: Proxmox Virtual Environment
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://pve.k-space.ee
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: argocd
      description: ArgoCD
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://argocd.k-space.ee/auth/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: harbor
      description: Harbor
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://harbor.k-space.ee/c/oidc/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: gitea
      description: Gitea
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://git.k-space.ee/user/oauth2/authelia/callback
      scopes:
      - openid
      - profile
      - email
      - groups
      grant_types:
      - refresh_token
      - authorization_code
      response_types:
      - code
      userinfo_signing_algorithm: none
    - id: grafana
      description: Grafana
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://grafana.k-space.ee/login/generic_oauth
      scopes:
      - openid
      - groups
      - email
      - profile
```

To upload the file to Kubernetes secrets:

```
kubectl -n authelia delete secret oidc-secrets
kubectl -n authelia create secret generic oidc-secrets \
    --from-file=oidc-secrets.yml=oidc-secrets.yml
kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
kubectl -n authelia rollout restart deployment/authelia
```

Synchronize OIDC secrets:

```
kubectl -n argocd delete secret argocd-secret
kubectl -n argocd create secret generic argocd-secret \
    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=oidc.config.clientSecret=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
kubectl -n monitoring delete secret oidc-secret
kubectl -n monitoring create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
```
Initial commit 2022-08-16 09:40:54 +00:00			`# Authelia`

			`## Background`

			`Authelia works in conjunction with Traefik to provide SSO with`
			`credentials stored in Samba (Active Directory compatible) directory tree.`

			`Samba resides outside Kubernetes cluster as it's difficuilt to containerize`
			`while keeping it usable from outside the cluster due to Samba's networking.`

			`The MariaDB instance is used to store MFA tokens.`
authelia: Switch to KeyDB operator 2022-08-28 08:12:19 +00:00			`KeyDB is used to store session info.`
Initial commit 2022-08-16 09:40:54 +00:00

			`## Deployment`

			Inspect changes with `git diff` and proceed to deploy:

			```
authelia: Switch to KeyDB operator 2022-08-28 08:12:19 +00:00			`kubectl apply -n authelia -f application.yml`
Initial commit 2022-08-16 09:40:54 +00:00			`kubectl create secret generic -n authelia mysql-secrets \`
			`--from-literal=rootPassword=$(cat /dev/urandom \| base64 \| head -c 30)`
			`kubectl create secret generic -n authelia mariadb-secrets \`
			`--from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom \| base64 \| head -c 30) \`
			`--from-literal=MYSQL_PASSWORD=$(cat /dev/urandom \| base64 \| head -c 30)`
			`kubectl -n authelia rollout restart deployment/authelia`
			```

			To change secrets create `secret.yml`:

			```
			`---`
			`apiVersion: v1`
			`kind: Secret`
			`type: Opaque`
			`metadata:`
			`name: application-secrets`
			`data:`
			`JWT_TOKEN: ...`
			`SESSION_ENCRYPTION_KEY: ...`
			`STORAGE_PASSWORD: ...`
			`STORAGE_ENCRYPTION_KEY: ...`
			`LDAP_PASSWORD: ...`
			`STORAGE_PASSWORD: ...`
			`SMTP_PASSWORD: ...`
			```

			`Apply with:`

			```
			`kubectl apply -n authelia -f application-secrets.yml`
			`kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true`
			```

			`## OIDC secrets`

			`OIDC secrets are separated from the main configuration until`
			`Authelia will add CRD-s for these.`

			`Generally speaking for untrusted applications, that is stuff that is running`
			`outside the Kubernetes cluster eg web browser based (JS) and`
			`local command line clients one`
			should use `public: true` and omit `secret: ...`.

			Populate `oidc-secrets.yml` with approximately following:

			```
			`identity_providers:`
			`oidc:`
			`clients:`
			`- id: kubelogin`
			`description: Kubernetes cluster`
			`secret: ...`
			`authorization_policy: two_factor`
			`redirect_uris:`
			`- http://localhost:27890`
			`scopes:`
			`- openid`
			`- groups`
			`- email`
			`- profile`
			`- id: proxmox`
			`description: Proxmox Virtual Environment`
			`secret: ...`
			`authorization_policy: two_factor`
			`redirect_uris:`
			`- https://pve.k-space.ee`
			`scopes:`
			`- openid`
			`- groups`
			`- email`
			`- profile`
			`- id: argocd`
			`description: ArgoCD`
			`secret: ...`
			`authorization_policy: two_factor`
			`redirect_uris:`
			`- https://argocd.k-space.ee/auth/callback`
			`scopes:`
			`- openid`
			`- groups`
			`- email`
			`- profile`
			`- id: harbor`
			`description: Harbor`
			`secret: ...`
			`authorization_policy: two_factor`
			`redirect_uris:`
			`- https://harbor.k-space.ee/c/oidc/callback`
			`scopes:`
			`- openid`
			`- groups`
			`- email`
			`- profile`
			`- id: gitea`
			`description: Gitea`
			`secret: ...`
			`authorization_policy: one_factor`
			`redirect_uris:`
			`- https://git.k-space.ee/user/oauth2/authelia/callback`
			`scopes:`
			`- openid`
			`- profile`
			`- email`
			`- groups`
			`grant_types:`
			`- refresh_token`
			`- authorization_code`
			`response_types:`
			`- code`
			`userinfo_signing_algorithm: none`
			`- id: grafana`
			`description: Grafana`
			`secret: ...`
			`authorization_policy: one_factor`
			`redirect_uris:`
			`- https://grafana.k-space.ee/login/generic_oauth`
			`scopes:`
			`- openid`
			`- groups`
			`- email`
			`- profile`
			```

			`To upload the file to Kubernetes secrets:`

			```
			`kubectl -n authelia delete secret oidc-secrets`
			`kubectl -n authelia create secret generic oidc-secrets \`
			`--from-file=oidc-secrets.yml=oidc-secrets.yml`
			`kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true`
			`kubectl -n authelia rollout restart deployment/authelia`
			```

			`Synchronize OIDC secrets:`

			```
			`kubectl -n argocd delete secret argocd-secret`
			`kubectl -n argocd create secret generic argocd-secret \`
			`--from-literal=server.secretkey=$(cat /dev/urandom \| base64 \| head -c 30) \`
			`--from-literal=oidc.config.clientSecret=$( \`
			`kubectl get secret -n authelia oidc-secrets -o json \`
			`\| jq '.data."oidc-secrets.yml"' -r \| base64 -d \| yq -o json \`
			`\| jq '.identity_providers.oidc.clients[] \| select(.id == "argocd") \| .secret' -r)`
			`kubectl -n monitoring delete secret oidc-secret`
			`kubectl -n monitoring create secret generic oidc-secret \`
			`--from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \`
			`kubectl get secret -n authelia oidc-secrets -o json \`
			`\| jq '.data."oidc-secrets.yml"' -r \| base64 -d \| yq -o json \`
			`\| jq '.identity_providers.oidc.clients[] \| select(.id == "grafana") \| .secret' -r)`
			```