forked from k-space/kube
kube/authelia/README.md
2022-10-14 14:38:23 +03:00

Authelia

Background

Authelia works in conjunction with Traefik to provide SSO with credentials stored in a Samba (Active Directory compatible) directory tree.

Samba resides outside the Kubernetes cluster, as it is difficult to containerize while keeping it usable from outside the cluster due to Samba's networking.

The MariaDB instance is used to store MFA tokens. KeyDB is used to store session info.

Deployment

Inspect changes with git diff and proceed to deploy:

kubectl apply -n authelia -f application.yml
kubectl create secret generic -n authelia mysql-secrets \
    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
kubectl create secret generic -n authelia mariadb-secrets \
    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
kubectl -n authelia rollout restart deployment/authelia

To change secrets, create application-secrets.yml:

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: application-secrets
data:
  # Values under data: must be base64-encoded
  JWT_TOKEN: ...
  SESSION_ENCRYPTION_KEY: ...
  STORAGE_PASSWORD: ...
  STORAGE_ENCRYPTION_KEY: ...
  LDAP_PASSWORD: ...
  SMTP_PASSWORD: ...

Apply with:

kubectl apply -n authelia -f application-secrets.yml
kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true

OIDC secrets

OIDC secrets are kept separate from the main configuration until Authelia adds CRDs for these.

Generally speaking, untrusted applications, that is, anything running outside the Kubernetes cluster such as web browser based (JS) and local command-line clients, should set public: true and omit the secret: ... line.

Populate oidc-secrets.yml with approximately the following:

identity_providers:
  oidc:
    clients:
    - id: kubelogin
      description: Kubernetes cluster
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - http://localhost:27890
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: proxmox
      description: Proxmox Virtual Environment
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://pve.k-space.ee
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: argocd
      description: ArgoCD
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://argocd.k-space.ee/auth/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: harbor
      description: Harbor
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://harbor.k-space.ee/c/oidc/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: gitea
      description: Gitea
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://git.k-space.ee/user/oauth2/authelia/callback
      scopes:
      - openid
      - profile
      - email
      - groups
      grant_types:
      - refresh_token
      - authorization_code
      response_types:
      - code
      userinfo_signing_algorithm: none
    - id: grafana
      description: Grafana
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://grafana.k-space.ee/login/generic_oauth
      scopes:
      - openid
      - groups
      - email
      - profile
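
One way to check a client list against the public/secret guidance above before uploading it. This is an added example, not part of the k-space repository; the function name, the finding texts, the loopback and HTTPS redirect checks, and the cli-demo, spa-demo and legacy-demo entries are assumptions made for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_clients(config):
    """Return (client_id, finding) pairs for identity_providers.oidc.clients."""
    findings, seen = [], set()
    for client in config["identity_providers"]["oidc"]["clients"]:
        cid = client.get("id", "<missing id>")
        if cid in seen:
            findings.append((cid, "duplicate client id"))
        seen.add(cid)
        public = client.get("public") is True
        has_secret = bool(client.get("secret"))
        if public and has_secret:
            findings.append((cid, "public client must omit secret"))
        if not public and not has_secret:
            findings.append((cid, "confidential client has no secret"))
        for uri in client.get("redirect_uris", []):
            parts = urlsplit(uri)
            loopback = parts.hostname in LOOPBACK
            if loopback and not public:
                findings.append((cid, "loopback redirect: local client, review for public: true"))
            if parts.scheme != "https" and not loopback:
                findings.append((cid, "non-HTTPS redirect URI " + uri))
    return findings

# Constructed sample in the JSON shape that `yq -o json` produces from
# oidc-secrets.yml; secrets are placeholders, *-demo clients are hypothetical.
SAMPLE = {"identity_providers": {"oidc": {"clients": [
    {"id": "cli-demo", "secret": "constructed-placeholder",
     "redirect_uris": ["http://localhost:27890"]},
    {"id": "argocd", "secret": "constructed-placeholder",
     "redirect_uris": ["https://argocd.k-space.ee/auth/callback"]},
    {"id": "spa-demo", "public": True, "secret": "constructed-placeholder",
     "redirect_uris": ["https://spa.example.com/callback"]},
    {"id": "legacy-demo",
     "redirect_uris": ["http://legacy.example.com/callback"]},
]}}}

if __name__ == "__main__":
    # "-" reads the JSON form of oidc-secrets.yml from stdin; otherwise use SAMPLE.
    config = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    results = audit_clients(config)
    for cid, finding in results:
        print(f"{cid}: {finding}")
    sys.exit(1 if results else 0)
```

To audit the real file, convert it with yq -o json as in the synchronization commands and pipe the result into the script with - as its only argument; a non-zero exit status means at least one finding.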

To upload the file to Kubernetes secrets:

kubectl -n authelia delete secret oidc-secrets
kubectl -n authelia create secret generic oidc-secrets \
    --from-file=oidc-secrets.yml=oidc-secrets.yml
kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
kubectl -n authelia rollout restart deployment/authelia

Synchronize OIDC secrets:

kubectl -n argocd delete secret argocd-secret
kubectl -n argocd create secret generic argocd-secret \
    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=oidc.config.clientSecret=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
kubectl -n grafana delete secret oidc-secret
kubectl -n grafana create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)