Initial commit

2022-08-16 12:40:54 +03:00
commit 7c5cad55e1
122 changed files with 51731 additions and 0 deletions
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -0,0 +1,173 @@
+# Authelia
+
+## Background
+
+Authelia works in conjunction with Traefik to provide SSO with
+credentials stored in Samba (Active Directory compatible) directory tree.
+
+Samba resides outside Kubernetes cluster as it's difficuilt to containerize
+while keeping it usable from outside the cluster due to Samba's networking.
+
+The MariaDB instance is used to store MFA tokens.
+Redis is used to store session info.
+
+
+## Deployment
+
+Inspect changes with `git diff` and proceed to deploy:
+
+```
+kubectl apply -n authelia -f application.yml -f keydb.yml -f mariadb.yml
+kubectl create secret generic -n authelia mysql-secrets \
+    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
+kubectl create secret generic -n authelia mariadb-secrets \
+    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
+    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
+kubectl create secret generic -n authelia redis-secrets \
+    --from-literal=REDIS_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
+kubectl -n authelia rollout restart deployment/authelia
+```
+
+To change secrets create `secret.yml`:
+
+```
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: application-secrets
+data:
+  JWT_TOKEN: ...
+  SESSION_ENCRYPTION_KEY: ...
+  STORAGE_PASSWORD: ...
+  STORAGE_ENCRYPTION_KEY: ...
+  LDAP_PASSWORD: ...
+  STORAGE_PASSWORD: ...
+  SMTP_PASSWORD: ...
+```
+
+Apply with:
+
+```
+kubectl apply -n authelia -f application-secrets.yml 
+kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
+```
+
+## OIDC secrets
+
+OIDC secrets are separated from the main configuration until
+Authelia will add CRD-s for these.
+
+Generally speaking for untrusted applications, that is stuff that is running
+outside the Kubernetes cluster eg web browser based (JS) and
+local command line clients one
+should use `public: true` and omit `secret: ...`.
+
+Populate `oidc-secrets.yml` with approximately following:
+
+```
+identity_providers:
+  oidc:
+    clients:
+    - id: kubelogin
+      description: Kubernetes cluster
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - http://localhost:27890
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: proxmox
+      description: Proxmox Virtual Environment
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://pve.k-space.ee
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: argocd
+      description: ArgoCD
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://argocd.k-space.ee/auth/callback
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: harbor
+      description: Harbor
+      secret: ...
+      authorization_policy: two_factor
+      redirect_uris:
+      - https://harbor.k-space.ee/c/oidc/callback
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+    - id: gitea
+      description: Gitea
+      secret: ...
+      authorization_policy: one_factor
+      redirect_uris:
+      - https://git.k-space.ee/user/oauth2/authelia/callback
+      scopes:
+      - openid
+      - profile
+      - email
+      - groups
+      grant_types:
+      - refresh_token
+      - authorization_code
+      response_types:
+      - code
+      userinfo_signing_algorithm: none
+    - id: grafana
+      description: Grafana
+      secret: ...
+      authorization_policy: one_factor
+      redirect_uris:
+      - https://grafana.k-space.ee/login/generic_oauth
+      scopes:
+      - openid
+      - groups
+      - email
+      - profile
+```
+
+To upload the file to Kubernetes secrets:
+
+```
+kubectl -n authelia delete secret oidc-secrets
+kubectl -n authelia create secret generic oidc-secrets \
+    --from-file=oidc-secrets.yml=oidc-secrets.yml
+kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
+kubectl -n authelia rollout restart deployment/authelia
+```
+
+Synchronize OIDC secrets:
+
+```
+kubectl -n argocd delete secret argocd-secret
+kubectl -n argocd create secret generic argocd-secret \
+    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
+    --from-literal=oidc.config.clientSecret=$( \
+      kubectl get secret -n authelia oidc-secrets -o json \
+        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
+        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
+kubectl -n monitoring delete secret oidc-secret
+kubectl -n monitoring create secret generic oidc-secret \
+    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
+      kubectl get secret -n authelia oidc-secrets -o json \
+        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
+        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
+```