Initial commit

authelia/.gitignore

@@ -0,0 +1,2 @@
+application-secrets.y*ml
+oidc-secrets.y*ml

authelia/README.md

@@ -0,0 +1,173 @@
+# Authelia
+
+## Background
+
+Authelia works in conjunction with Traefik to provide SSO with
+credentials stored in Samba (Active Directory compatible) directory tree.
+
+Samba resides outside Kubernetes cluster as it's difficuilt to containerize
+while keeping it usable from outside the cluster due to Samba's networking.
+
+The MariaDB instance is used to store MFA tokens.
+Redis is used to store session info.
+
+
+## Deployment
+
+Inspect changes with `git diff` and proceed to deploy:
+
+```
+kubectl apply -n authelia -f application.yml -f keydb.yml -f mariadb.yml
+kubectl create secret generic -n authelia mysql-secrets \
+    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
+kubectl create secret generic -n authelia mariadb-secrets \
+    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
+    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
+kubectl create secret generic -n authelia redis-secrets \
+    --from-literal=REDIS_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
+kubectl -n authelia rollout restart deployment/authelia
+```
+
+To change secrets create `secret.yml`:
+
+```
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: application-secrets
+data:
+  JWT_TOKEN: ...
+  SESSION_ENCRYPTION_KEY: ...
+  STORAGE_PASSWORD: ...
+  STORAGE_ENCRYPTION_KEY: ...
+  LDAP_PASSWORD: ...
+  STORAGE_PASSWORD: ...
+  SMTP_PASSWORD: ...
+```
+
+Apply with:
+
+```
+kubectl apply -n authelia -f application-secrets.yml 
+kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
+```
+
+## OIDC secrets
+
+OIDC secrets are separated from the main configuration until
+Authelia will add CRD-s for these.
+
+Generally speaking for untrusted applications, that is stuff that is running
+outside the Kubernetes cluster eg web browser based (JS) and
+local command line clients one
+should use `public: true` and omit `secret: ...`.
+
+Populate `oidc-secrets.yml` with approximately following:
+
+```
+identity_providers:
+  oidc:
+    clients:
+    - id: kubelogin
+      description: Kubernetes cluster
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - http://localhost:27890
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: proxmox
+      description: Proxmox Virtual Environment
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://pve.k-space.ee
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: argocd
+      description: ArgoCD
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://argocd.k-space.ee/auth/callback
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: harbor
+      description: Harbor
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://harbor.k-space.ee/c/oidc/callback
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: gitea
+      description: Gitea
+      secret: ...
+      authorization_policy: one_factor
+      redirect_uris:
+      - https://git.k-space.ee/user/oauth2/authelia/callback
+      scopes:
+      - openid
+      - profile
+      - email
+      - groups
+      grant_types:
+      - refresh_token
+      - authorization_code
+      response_types:
+      - code
+      userinfo_signing_algorithm: none
+    - id: grafana
+      description: Grafana
+      secret: ...
+      authorization_policy: one_factor
+      redirect_uris:
+      - https://grafana.k-space.ee/login/generic_oauth
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+```
+
+To upload the file to Kubernetes secrets:
+
+```
+kubectl -n authelia delete secret oidc-secrets
+kubectl -n authelia create secret generic oidc-secrets \
+    --from-file=oidc-secrets.yml=oidc-secrets.yml
+kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
+kubectl -n authelia rollout restart deployment/authelia
+```
+
+Synchronize OIDC secrets:
+
+```
+kubectl -n argocd delete secret argocd-secret
+kubectl -n argocd create secret generic argocd-secret \
+    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
+    --from-literal=oidc.config.clientSecret=$( \
+      kubectl get secret -n authelia oidc-secrets -o json \
+        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
+        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
+kubectl -n monitoring delete secret oidc-secret
+kubectl -n monitoring create secret generic oidc-secret \
+    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
+      kubectl get secret -n authelia oidc-secrets -o json \
+        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
+        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
+```

authelia/application.yml

@@ -0,0 +1,409 @@
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: authelia-certificates
+  labels:
+    app.kubernetes.io/name: authelia
+data:
+      ldaps.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZJekNDQXd1Z0F3SUJBZ0lVRzNaYnI0MGVVMlRHak1Lek5XaDhOTDJkRDRZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0lURWZNQjBHQTFVRUF3d1dVMkZ0WW1FZ1lYUWdZV1F1YXkxemNHRmpaUzVsWlRBZUZ3MHlNVEV5TVRRdwpOekk0TlRGYUZ3MHlOakV5TVRNd056STROVEZhTUNFeEh6QWRCZ05WQkFNTUZsTmhiV0poSUdGMElHRmtMbXN0CmMzQmhZMlV1WldVd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJS0FvSUNBUURub3hEZFlicjAKVFJHOEErdk0xT0I1Rzg4Z05YL1pXeFNLb0VaM2p0ekF0NEc3blV0aUhoVzI1cUhEeXZGVGEzTzJiMUFVSEhzbwpVQXpVTWNVV1FRb3J2RjF4L1VsYitpcnk0QkxFTklaVTdYMVpxb2ZKYXgwZTcrbit1YVM3R015dnB4VXliNGlYCkd3djdZZEh5SmM4WjZROHd2MTdNV2F2ejNaOE5CWFdoeG1xc3ljTlphVkl2S1lNRVpGazNUTnA3T20vSTFpdkYKWDJuNVNtb2d2NmdBVmpVODhSeWc2NlRFVStiaGY5QWdiU0VxWjhMaVd6c20xdHc0WnJXMDVVK25JVjRzTHdlaQp2SXppblFMYmFMTkc2ZUl0cUtQZGVsWWhRNHlCeHM3QXpTOCtieVVBZk9jRktzUTI5alFVdUxNbE1pUmt6MjV5Cnc5UUZxSGVuRjNIYXJqU1JTL3ZZV3J3K0RNbmo2Tit3QVdtd21SR3NzVmxPMjFSLzAzNThBK0h5VzhyLzlsTm8KV1FoMmt3VGRPdjdxMzFwRmZQQUhHUkFITnZUN0dRKzVCeFFjdG83cG1GQ2t2OTdpbmhiZG50d2ViSmM1VWI3NQpBeHNWVC9uNk9aTjJSU09NV0RKY1pjVkpXYjQxdTNTL2lBVHlvbDBuOEZMRlRRZm9xdXdvVkQ1UnpwU0NsVm50Cjd1eENyaGNsYXhTYnhUUDhqa29ERXQzc1NycWoySm5PNlhtQ3R2VlZkMmQvWVZQQ21qQm54TWc1bld1WEwwZTgKNkh3MTd5TGtYeFgzVERkdjF2VThvYTdpTmZyNmc3Vlcrd2ZsUkJoVW5WRUluNXZEdm80STVSdWRXaEJxcHN6VQo3bGQrUDVjZE5GWEdjUlRQdFFlbXkxUllKMG5ZejkybGtRSURBUUFCbzFNd1VUQWRCZ05WSFE0RUZnUVVjZ1JrCnZ4U3V1QnNFaktzbXQvN3dpRHIxbHVRd0h3WURWUjBqQkJnd0ZvQVVjZ1JrdnhTdXVCc0VqS3NtdC83d2lEcjEKbHVRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVNlNXM1aU04QjQ2agp6bXZMOUQ4dUJrQ0VIOW9mMnc1VFluL1NPZkFRVnhBOGxBYndORitlWmgyakdGSUN6citNYmlTMlhZdkxJNnVrClZ5cFJrN28vdExmdmY0alpqZnRpeEliWEM1MjYrUk1xOEcvV2xGbzJnWFZ0eW5BcXp5bXJVYjV1MVZJcG53QWYKNTBzNHlDOURFUXF1aGErYzJCWTBRQ3ZySnUvYy9KTUs3QTdYOFdRSzVDUy8wZkNPdzBPY2xkZzA0c3VWVlU2eQp0MEZmV0kvTlhURFFrU2JWVXN5OElmaXd4a0o5NmNsTjFNWVArQ015Mkh1eWF0aTZySnhVZFBEbS9tYzdRWXNPClNTSzQyNXJQOFFZMmduNlNXUXJXdUJic2dLSEpoVzRBYjdTTldkb0Q0QytwVDA2V1MzVXphMnhZd09TV1IvTWMKR1V5YXRwLzlxR05tOWM1d2RFQ3FtdkVQc2twQkp5ZWR6MUk2V2lxdjRuK0UvRk9qRGl0VVpFd3BFZXRUQktXZgoyRnZRa1pGRmpRU3VIdG5KT040cVRvWmlaNW4vbis4Z1k2Z1Y5Wnd0NHM5OGlpdnUwTFc4UlZGSTNkS0tiYm5lCkY1KzltNE9vMjF0SlU2QThXVGpqVXpLUnFKdEZSa1JpWGtOTGRoY2MrdTdMOFFlZTFOUjIyalg5N2NaVDNGUGoKYmpOUlpId3k5K1dhMG1zcC9EYUR5RnlaOStPUUhReUJJazdCSS9LdU0rT2dta3dlSHBNSE5CMUs1NHZQenZKawpHaFN1QUNIeTRybmdvQTBvMzNhZzJ6a3lEY3NocVRtK2Q3UXFWOWUzU2pONFpUUXlTeWNpa0I1bFJKVHAydVFkCk5jVjBtcG5nREl1aFVlSFRKWkJ0SVZCZnp4bHdHd2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-config
+  labels:
+    app.kubernetes.io/name: authelia
+  annotations:
+    reloader.stakater.com/match: "true"
+data:
+  authelia-config.yml: |
+    ---
+    log:
+      level: warn
+    certificates_directory: /certificates
+    theme: light
+    default_redirection_url: https://members.k-space.ee
+    totp:
+      issuer: K-SPACE
+    authentication_backend:
+      ldap:
+        implementation: activedirectory
+        url: ldaps://ad.k-space.ee
+        base_dn: dc=ad,dc=k-space,dc=ee
+        username_attribute: sAMAccountName
+        additional_users_dn: ou=Membership
+        users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
+        additional_groups_dn: cn=Users
+        groups_filter: (&(member={dn})(objectclass=group))
+        group_name_attribute: cn
+        mail_attribute: mail
+        display_name_attribute: displayName
+        user: cn=authelia,cn=Users,dc=ad,dc=k-space,dc=ee
+    session:
+      domain: k-space.ee
+      same_site: lax
+      expiration: 1M
+      inactivity: 120h
+      remember_me_duration: "0"
+      redis:
+        host: redis
+        port: 6379
+    regulation:
+      ban_time: 5m
+      find_time: 2m
+      max_retries: 3
+    storage:
+      mysql:
+        host: mariadb
+        database: authelia
+        username: authelia
+    notifier:
+      disable_startup_check: true
+      smtp:
+        host: mail.k-space.ee
+        port: 465
+        username: authelia
+        sender: authelia@k-space.ee
+        subject: "[Authelia] {title}"
+        startup_check_address: lauri@k-space.ee
+    access_control:
+      default_policy: deny
+      rules:
+      # Longhorn dashboard
+      - domain: longhorn.k-space.ee
+        policy: two_factor
+        subject: group:Longhorn Admins
+      - domain: longhorn.k-space.ee
+        policy: deny
+      # Members site
+      - domain: members.k-space.ee
+        policy: bypass
+        resources:
+        - ^/?$
+      - domain: members.k-space.ee
+        policy: two_factor
+        resources:
+        - ^/login/authelia/?$
+      - domain: members.k-space.ee
+        policy: bypass
+      # Webmail
+      - domain: webmail.k-space.ee
+        policy: two_factor
+      # Etherpad
+      - domain: pad.k-space.ee
+        policy: two_factor
+        resources:
+        - ^/p/board-
+        subject: group:Board Members
+      - domain: pad.k-space.ee
+        policy: deny
+        resources:
+        - ^/p/board-
+      - domain: pad.k-space.ee
+        policy: two_factor
+        resources:
+        - ^/p/members-
+      - domain: pad.k-space.ee
+        policy: deny
+        resources:
+        - ^/p/members-
+      - domain: pad.k-space.ee
+        policy: bypass
+      # phpMyAdmin
+      - domain: phpmyadmin.k-space.ee
+        policy: two_factor
+      # Require login for everything else protected by traefik-sso middleware
+      - domain: '*.k-space.ee'
+        policy: one_factor
+    ...
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+spec:
+  type: ClusterIP
+  sessionAffinity: None
+  selector:
+    app.kubernetes.io/name: authelia
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+  annotations:
+    reloader.stakater.com/search: "true"
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: authelia
+  replicas: 2
+  revisionHistoryLimit: 0
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: authelia
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: authelia
+        image: authelia/authelia:4
+        command:
+         - authelia
+         - --config=/config/authelia-config.yml
+         - --config=/config/oidc-secrets.yml
+        resources:
+          limits:
+            cpu: "4.00"
+            memory: 125Mi
+          requests:
+            cpu: "0.25"
+            memory: 50Mi
+        env:
+        - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
+          value: "true"
+        - name: AUTHELIA_JWT_SECRET_FILE
+          value: /secrets/JWT_TOKEN
+        - name: AUTHELIA_SESSION_SECRET_FILE
+          value: /secrets/SESSION_ENCRYPTION_KEY
+        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+          value: /secrets/LDAP_PASSWORD
+        - name: AUTHELIA_SESSION_REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-secrets
+              key: REDIS_PASSWORD
+        - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+          value: /secrets/STORAGE_ENCRYPTION_KEY
+        - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
+          value: /mariadb-secrets/MYSQL_PASSWORD
+        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+          value: /secrets/OIDC_HMAC_SECRET
+        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+          value: /secrets/OIDC_PRIVATE_KEY
+        - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+          value: /secrets/SMTP_PASSWORD
+        - name: TZ
+          value: Europe/Tallinn
+        startupProbe:
+          failureThreshold: 6
+          httpGet:
+            path: /api/health
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 5
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /api/health
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 5
+        readinessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /api/health
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 5
+        ports:
+        - name: http
+          containerPort: 9091
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /config/authelia-config.yml
+          name: authelia-config
+          readOnly: true
+          subPath: authelia-config.yml
+        - mountPath: /config/oidc-secrets.yml
+          name: oidc-secrets
+          readOnly: true
+          subPath: oidc-secrets.yml
+        - mountPath: /secrets
+          name: secrets
+          readOnly: true
+        - mountPath: /certificates
+          name: certificates
+          readOnly: true
+        - mountPath: /mariadb-secrets
+          name: mariadb-secrets
+          readOnly: true
+      volumes:
+      - name: authelia-config
+        configMap:
+          name: authelia-config
+      - name: secrets
+        secret:
+          secretName: application-secrets
+          items:
+          - key: JWT_TOKEN
+            path: JWT_TOKEN
+          - key: SESSION_ENCRYPTION_KEY
+            path: SESSION_ENCRYPTION_KEY
+          - key: STORAGE_ENCRYPTION_KEY
+            path: STORAGE_ENCRYPTION_KEY
+          - key: STORAGE_PASSWORD
+            path: STORAGE_PASSWORD
+          - key: LDAP_PASSWORD
+            path: LDAP_PASSWORD
+          - key: OIDC_PRIVATE_KEY
+            path: OIDC_PRIVATE_KEY
+          - key: OIDC_HMAC_SECRET
+            path: OIDC_HMAC_SECRET
+          - key: SMTP_PASSWORD
+            path: SMTP_PASSWORD
+      - name: certificates
+        secret:
+          secretName: authelia-certificates
+      - name: mariadb-secrets
+        secret:
+          secretName: mariadb-secrets
+      - name: redis-secrets
+        secret:
+          secretName: redis-secrets
+      - name: oidc-secrets
+        secret:
+          secretName: oidc-secrets
+          items:
+          - key: oidc-secrets.yml
+            path: oidc-secrets.yml
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+  annotations:
+    cert-manager.io/cluster-issuer: default
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    kubernetes.io/tls-acme: "true"
+    traefik.ingress.kubernetes.io/router.entryPoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-k6-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: auth.k-space.ee
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: authelia
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - auth.k-space.ee
+      secretName: authelia-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: forwardauth-k6-authelia
+  labels:
+    app.kubernetes.io/name: authelia
+spec:
+  forwardAuth:
+    address: http://authelia.authelia.svc.cluster.local/api/verify?rd=https://auth.k-space.ee/
+    trustForwardHeader: true
+    authResponseHeaders:
+      - Remote-User
+      - Remote-Name
+      - Remote-Email
+      - Remote-Groups
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: headers-k6-authelia
+  labels:
+    app.kubernetes.io/name: authelia
+spec:
+  headers:
+    browserXssFilter: true
+    customFrameOptionsValue: "SAMEORIGIN"
+    customResponseHeaders:
+      Cache-Control: "no-store"
+      Pragma: "no-cache"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: chain-k6-authelia-auth
+  labels:
+    app.kubernetes.io/name: authelia
+spec:
+  chain:
+    middlewares:
+      - name: forwardauth-k6-authelia
+        namespace: authelia
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: chain-k6-authelia
+  labels:
+    app.kubernetes.io/name: authelia
+spec:
+  chain:
+    middlewares:
+      - name: headers-k6-authelia
+        namespace: authelia
+---
+apiVersion: mysql.oracle.com/v2
+kind: InnoDBCluster
+metadata:
+  name: mysql-cluster
+spec:
+  secretName: mysql-secrets
+  instances: 3
+  router:
+    instances: 2
+  tlsUseSelfSigned: true
+  datadirVolumeClaimTemplate:
+    storageClassName: local-path
+    accessModes:
+      - ReadWriteOnce
+    resources:
+      requests:
+        storage: "1Gi"
+  podSpec:
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+                - key: app.kubernetes.io/managed-by
+                  operator: In
+                  values:
+                    - mysql-operator
+            topologyKey: kubernetes.io/hostname
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule

authelia/keydb.yml

@@ -0,0 +1 @@
+../shared/keydb.yml

authelia/mariadb.yml

@@ -0,0 +1 @@
+../shared/mariadb.yml